Upcoming ISSA Ireland Special Event

ISSA Ireland are hosting a special event next Wednesday the 10th of June.  The event is being run in conjunction with Microsoft and will focus on the security features of the Windows platforms.  There are some really good talks lined up which will prove to be very useful to those of you charged with securing a Windows environment.  In these days of recession and cut backs you will find out about some of the inherent security features of Windows that you can employ at little or no cost and perhaps save you having to purchase third party tools.

The talks are:

  • Security Improvements in Windows 7 and Windows Server 2008
  • How Microsoft Manages Information Security
  • Microsoft’s Malware Research: Conficker a Case Study

There will also be a series of lightning talks given by members on their favourite free security tools for the Windows platform.

The event will kick off at 2 p.m. and finish at 5 p.m.  It will be held in the Academy Building at 42 Pearse St.  More details of the location can be found on the Academy's website.  To register for the event you should go to the ISSA Ireland website.

If you cannot make it to the event, or even if you can, and want more information on how to use the security features of Windows don't forget that I cover these in detail in my latest book, "Implementing ISO 27001 In a Windows Environment".  The book is available from either Amazon or the IT Governance Website.


Microsoft Warn of New Attacks Against MS08-067

Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October due to an increase in attacks aimed at exploiting that vulnerability.  In particular a new worm, Worm:Win32/Conficker.A, has been noted as causing a rise in the number of attacks.
Once a PC is infected, Worm:Win32/Conficker.A will patch the vulnerability to prevent the PC from being exploited by another worm or attacker and will also reset the system restore point to make it more difficult to recover the infected PC.
More details are available on the Microsoft Malware Protection Center Blog at http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
If you have not yet applied this patch it is strongly recommended that you do.

Microsoft Release Critical Out-Of-Band Patch

Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle.  For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to.

I am obviously not the only one who thinks that, as the Internet Storm Center's Infocon has turned yellow, which means they are "currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak."

The vulnerability could allow an attacker without authentication to remotely run arbitrary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems.  This is similar in nature to how the MSBlaster worm propagated throughout the Internet and this vulnerability could be used in the same way.  Microsoft have reported that they have seen live targeted attacks on some customer systems using this vulnerability.

It is recommended that you patch your systems ASAP.  However patches, be they from Microsoft or other vendors, bring with them many inherent risks that we need to consider before rolling them out onto production systems.  Will the patch introduce new problems as well as fixing the ones identified? Will it impact on other applications and systems?  If we patch we may have problems, if we don't we may have a security breach.  Not the easiest of choices for an IT or Information Security professional to have to make.
I recommend you look at the following steps to mitigate the problem:

  1. A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
  2. Whatever solution is decided upon needs to be agreed to and signed off by senior management.
  3. An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action or (b) in the event your systems are compromised in spite of the steps taken.
  4. Remember as part of the plan to ensure that all your backups have been running successfully and more importantly that you can restore them!
  5. Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
  6. Communicate clearly with the user population explaining why the patch is being deployed and to report any unusual behaviour.
  7. Ensure that all Anti-Virus signatures and software is up to date.
  8. Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
  9. Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
  10. Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.
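One way to keep track of steps 9 and 10 once the rollout starts is to audit which machines actually have the patch installed rather than assuming the deployment tool reached them all.  The script below is an added example, not part of the original post: it assumes a hosts.txt file with one hostname per line, remote RPC/WMI access to those hosts, and that you pass in the KB number from the MS08-067 bulletin (the script does not hard-code it).

```powershell
# Added example (not from the original post): report which hosts still lack a
# given hotfix. Assumes: hosts.txt (one hostname per line) and that $KbId is the
# KB id taken from the Microsoft bulletin for the patch being rolled out.
param(
    [Parameter(Mandatory = $true)][string]$KbId,      # e.g. the KB listed in the MS08-067 bulletin
    [string]$HostList = '.\hosts.txt'                  # assumed inventory file, one host per line
)

$hostNames = Get-Content -Path $HostList | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

$results = foreach ($h in $hostNames) {
    try {
        # Pull the full hotfix list so a missing KB is a data check, not an error
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop
        $match = $installed | Where-Object { $_.HotFixID -eq $KbId }
        if ($match) {
            [pscustomobject]@{ Host = $h; Status = 'Patched';  InstalledOn = $match.InstalledOn }
        } else {
            [pscustomobject]@{ Host = $h; Status = 'MISSING';  InstalledOn = $null }
        }
    } catch {
        # Offline laptops or hosts blocking RPC (step 9): flag them for follow-up,
        # never treat "could not query" as "patched"
        [pscustomobject]@{ Host = $h; Status = 'UNREACHABLE'; InstalledOn = $null }
    }
}

# MISSING and UNREACHABLE sort ahead of Patched so the work list is at the top
$results | Sort-Object Status, Host | Format-Table -AutoSize
$results | Export-Csv -Path '.\patch-audit.csv' -NoTypeInformation
```

Run it again after each deployment wave; the UNREACHABLE rows are the remote machines that need a different delivery route.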

I strongly advise, as with all patches, to ensure that you test and are satisfied that the patch does not negatively impact your environment before you deploy it.  It also may be worth keeping on high alert even after deploying the patch as:

  1. Other new vulnerabilities could still be found in this feature of Windows.
  2. Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.

More details are available from the Microsoft Security Response Center and also from the Internet Storm Center.  It is a pity that we do not have our own CERT here in Ireland to help coordinate a response to this issue and help Irish businesses better protect themselves.

Microsoft Windows XP Service Pack 3 Now Available

Microsoft has released the latest service pack for Windows XP.  Service Pack 3 includes all the updates and hot-fixes released since Service Pack 2 and also a number of new security features, most notably:

"Black Hole" Router Detection, whereby Windows XP will now by default detect routers that silently discard packets.

Network Access Protection (NAP) which is currently in Windows Vista and Windows Server 2008 and is now also available for Windows XP.  NAP can enable you to enforce compliance on end user computers before they join the network ensuring that items such as anti-virus signatures and patches are up to date.

It will be interesting to see how organisations manage to deploy Service Pack 3 and in particular how many will roll out NAP to better secure their environment.  Given that many organisations are still running Windows XP and that Service Pack 3 will no doubt extend the life of XP in those environments, this may be the jolt in the arm that end point policy enforcement solutions need.

I also wait to see how third party vendors of NAC solutions react to this development and whether they will decide to compete head on or complement their own solutions with NAP.

Microsoft Windows XP Service Pack 3 is available for download and comes in at 316 MB.  The release notes for the service pack are also available.

Targeted Attacks Using Unpatched Vulnerability in MS Excel

The Microsoft Security Response Centre has just released an advisory alerting us to targeted attacks using an unpatched vulnerability that affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac.

Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007 and Microsoft Excel 2008 for Mac are not impacted.  This vulnerability is being actively exploited at the moment in attacks targeting specific organisations.  That is not to say however that a more widespread attack could not happen.

If you cannot upgrade your systems to the non-affected versions it may be prudent to block incoming emails or Internet downloads of Excel into your network until more details emerge and/or Microsoft release a patch.

The advisory also contains a number of suggested workarounds.

Most Popular Posts

Seeing as it is the beginning of a New Year I have reviewed the past year or so of the Security Watch Blog's existence and thought I would highlight the most popular posts.  I picked these posts based on a combination of the number of comments on each post, the number of links to a particular post and the number of views to a post.  In no particular order we have:

An Overview of Information Security Standards

List of Security Certifications

Safari Incident Response

Microsoft Security

Information Security – Overhyped?

Call for Breach Disclosure Laws in Ireland

Why use ISO 27001?

Botnets – Digital Weapons of Mass Destruction?

Security & Google Docs

Details of TJX Hack Emerge – Wireless Networks the Weak Point

Free Web Application Security Testing Tool from Microsoft

One of the highlights of the RSA Europe Conference was meeting with a very interesting gentleman who works for Microsoft.  Simon Rose Femerling works with the Microsoft Ace Team.  We had some really interesting conversations about security, including research conducted in the hotel bar at 3 a.m. to try and determine the motivation of the average consumer in buying a computer and whether or not security is one of their criteria.  Needless to say that is one research paper that won’t get published.

One thing that really impressed me about Simon was his dedication and enthusiasm to improve computer security for us all while at the same time understanding the real world challenges facing businesses and system administrators.

Not only does Simon work with his colleagues in Microsoft in helping developers understand that security needs to be built into applications from the beginning, Simon is also heavily involved in the Open Web Application Security Project (OWASP).  Within the OWASP project Simon runs the Pantera Web Assessment Studio Project, which is a web application penetration testing tool.  If you are working in the web application area I strongly recommend you have a look at the Pantera Web Assessment Studio Project.

While chatting over a few beers Simon gave me an insight into the work he and his colleagues are doing.  One of the projects is now available for free from the team’s Blog.  It is their XSSDetect tool which runs as a Visual Studio plug-in to enable developers detect XSS (cross site scripting) attack vulnerabilities within their code.

Given that web application attacks are becoming more and more prevalent, indeed recent research shows that 70% of web attacks are at the application layer, the above tools and the work that Simon and his colleagues are doing are becoming more and more important.

If you are working with .NET I recommend that you download the XSSDetect tool and have a look at it.  It may save you a few embarrassing situations in the future.  If you find any issues with it then feed it back to the Microsoft Ace Team so they can improve the tool.

Over the past few months I have been increasingly impressed by Microsoft's improvements in security.  My impressions have not been formed or shaped by the Microsoft marketing machine but based on the people I have met who work for Microsoft.  People like Simon, and those I met while keynote speaker at Microsoft Ireland's IT Professional Security Training Event, demonstrate to me that Microsoft have people working for them that really care about security.  And of course the way Microsoft release their patches is an example other vendors should be following.  Anyone from Apple or Oracle should take heed.

So well done Simon, the Microsoft (Application, Consulting and Engineering) ACE Team and the rest of your colleagues.  As is often said “security is not a destination but a journey” but from where I am sitting it looks like Microsoft are well on their way.