HSE And Bord Gáis Still Not Encrypting Laptops

This is beyond stupid and irresponsible now.  I’m tired of seeing these stories.  A few days ago we heard that 15 laptops were stolen from the HSE, 2 of which were unencrypted and contained personal information of patients.  Now we hear that 4 unencrypted laptops with 75,000 customers’ banking details were stolen from Bord Gáis.

What the hell is new about encrypting laptops anymore?  It should be a matter of practice: Buy/build a laptop and encrypt it.  But oh no, these lazy organizations don’t want to do that or some inept managers just don’t care.

Brendan Drumm of the HSE should be sacked (without his massive pay rise) anyway.  But we were promised all laptops would be encrypted by September of last year.  Was that done?  No.  Who would think a government agency would lie or fail like that?  SACK HIM!

We need some new laws:

  1. It should be mandatory to encrypt all business laptops by law.  Trying to get just those with personal data hasn’t worked.  Data movement is too fluid.
  2. There should be employment law protection for whistle blowers; that’s needed anyway, e.g. the financial system.
  3. It should be a mandatory requirement for the Data Protection Commissioner to prosecute the directors of companies where unencrypted laptops are stolen.  There will be a fixed, non-negotiable punishment.  That’ll get ‘em worried. 
  4. Failure to prosecute will itself be a prosecutable offence, regardless of whether the Data Protection Commissioner is still in office.  Prosecution will be mandatory, as will the punishment.  That’ll take care of the cronyism that’s rife in our country.

Organisations like the HSE probably have MS Software Assurance.  If so, they should deploy MS’s Windows Enterprise edition and enable BitLocker.  If not, go have a look at a 3rd party solution.
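Once BitLocker is rolled out, someone still has to verify that it is actually switched on.  As an added example (my own code, not from the original post or from Microsoft), here is a PowerShell script that audits BitLocker protection status across one or more machines using the Win32_EncryptableVolume WMI class.  It assumes PowerShell 2.0 or later, administrator rights, and that remote hosts accept WMI connections; the computer names passed in are placeholders.

```powershell
# Added example (not from the original post): audit BitLocker protection on one or more
# machines so unencrypted laptops are found before they go missing, not after.
# Uses the Win32_EncryptableVolume WMI class (Vista and later editions that ship BitLocker).
# Run as an administrator; remote hosts need WMI/DCOM access (an assumption of this script).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # e.g. -ComputerName lap01,lap02 (placeholders)
)

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$unprotected = @()

foreach ($computer in $ComputerName) {
    try {
        $volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                                 -ComputerName $computer -ErrorAction Stop
    } catch {
        # No provider usually means an edition without BitLocker (Business instead of Enterprise/Ultimate)
        Write-Output ("{0}: BitLocker WMI provider not available - {1}" -f $computer, $_.Exception.Message)
        $unprotected += "$computer (no BitLocker)"
        continue
    }

    foreach ($vol in $volumes) {
        # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
        $status = switch ($vol.ProtectionStatus) { 1 { 'ON' } 0 { 'OFF' } default { 'UNKNOWN' } }
        # GetConversionStatus reports how far encryption has progressed (EncryptionPercentage)
        $conv = $vol.GetConversionStatus()
        Write-Output ("{0} {1} protection={2} encrypted={3}%" -f $computer, $vol.DriveLetter, $status, $conv.EncryptionPercentage)
        if ($vol.ProtectionStatus -ne 1) { $unprotected += "$computer $($vol.DriveLetter)" }
    }
}

Write-Output ''
if ($unprotected.Count -eq 0) {
    Write-Output 'All volumes checked have BitLocker protection ON.'
} else {
    # This list is the one to hand to management: every entry is a laptop that would make the news
    Write-Output ('Volumes WITHOUT active protection: ' + ($unprotected -join '; '))
}
```

A volume that is fully encrypted but has protection suspended (ProtectionStatus 0 with 100% encrypted) is still reported as unprotected, which is the right call: a suspended volume boots with the key in the clear.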

Holy ****! Steve Riley Made Redundant At Microsoft

Security wizard, Steve Riley, posted on his blog that he was a victim of the second round of layoffs.  Steve is best known for his entertaining but highly educational talks on security in Microsoft networks.  It’s sad to see someone like this lose their job but he’s the sort of person that’ll land on his feet and find something excellent elsewhere.  Best of luck and thanks for the work Steve!

Download details: Microsoft Security Intelligence Report Volume 6

I didn’t even know there were volumes 1 to 5!  Anyway, I’m sure this would be interesting reading on a long train journey or flight.

“Volume 6 of the SIR focuses on the second half of 2008 (from July – December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from hundreds of millions of computers worldwide, and some of the busiest online services on the Internet, this report provides an in-depth perspective on trends in software vulnerability disclosures as well as trends in the malicious and potentially unwanted software landscape, and an update on trends in software vulnerability exploits”.

April 1st Conficker.D: More Bark Than Bite?

I’ve been reading on forums that people suspect Conficker is being hyped by bored newsrooms and antivirus companies eager to keep subscriptions going in a downturn.  I’ve just been watching CNN and I’m leaning towards the cynical point of view *how strange for me!*

There is a real threat.  No doubt there.  But is it really as bad as reported?  I’ve just been watching CNN and it’s up there with the “Is this the End of Days” reporting from a few years ago.  Newsrooms thrive on fear.  People are addicted to it.  It sells papers, drives up web page hits and most importantly, it sells advertising.

CNN had some AV guy on who suggested everyone buy AV software and subscriptions.  What a shocker!  They read some Twitter tweets.  Everyone questioned the reality of the threat except one message from a security consultant.  CNN’s advice was pathetic:

  • Check your email attachments: Great.  What about USB sticks and RPC ports?
  • Use complex passwords: That won’t help one bit with Conficker.  It doesn’t give a damn about your password.
  • Install/update your antivirus: Woohoo, sell some licenses.

The one bit they did get right was how to tell if you’re “owned”.  Try to open an antivirus web page such as Trend Micro or AVG.  If you can’t:

  • Ensure your Internet connection is working.
  • If it is then you’re probably infected with Conficker or something else.

The best defence is to ensure that your Automatic Updates is working.  Microsoft released an update last October to defend against this thing, long before it was on the Internet.  If you think you have Conficker then download the Malicious Software Removal Tool from Microsoft.  The best defensive strategy:

  • Make sure the firewall on your Internet connection is working correctly and blocking all but the required inbound traffic.
  • Raise your Windows Firewall to defend against threats.  Administrators can force this in “public” or non-domain mode using Group Policy.
  • Run Automatic Update to ensure you have all security updates from Microsoft and reboot after the installations.  The install isn’t complete until you reboot.
  • Disable autorun in Windows.  This will help stop Conficker from getting on your system from removable storage, e.g. USB sticks.

Odds are, this is more Y2K hype but it doesn’t hurt to be careful and to stay careful.
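As an added example (my own code, not from the original post or from Microsoft), here is a PowerShell script that does both things the post describes: the “can you reach an antivirus site?” test from the “owned” check above, and a check of the defensive settings listed above (firewall profiles on, Automatic Updates running, reboot pending, autorun disabled).  It reads the registry and uses .NET DNS calls so it runs under PowerShell 2.0 on XP SP2 / Vista.  The control site and the vendor host names are assumptions; any non-security site will do as the control.

```powershell
# Added example, not part of the original post: a two-part Conficker triage script that follows
# the post's advice. Part 1 repeats the "can you reach an antivirus site?" test; Part 2 checks the
# defensive settings the post recommends. Registry and .NET calls only, so it runs under
# PowerShell 2.0 on XP SP2 / Vista without the newer NetSecurity cmdlets. Run as administrator.

$controlHosts = @('www.bbc.co.uk')                                          # assumption: a non-security site
$avHosts      = @('www.trendmicro.com', 'www.avg.com', 'www.microsoft.com')  # the post's examples plus MS

function Test-HostResolves([string]$HostName) {
    # Conficker.C/D blocks DNS lookups of security-vendor names, so resolution alone is a useful signal.
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); return $true } catch { return $false }
}

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

# ---- Part 1: the "am I owned?" test --------------------------------------------------------
$controlOk = @($controlHosts | Where-Object { Test-HostResolves $_ }).Count -gt 0
$blocked   = @($avHosts | Where-Object { -not (Test-HostResolves $_) })

if (-not $controlOk) {
    Write-Output 'Control site does not resolve: fix the Internet connection before drawing conclusions.'
} elseif ($blocked.Count -gt 0) {
    Write-Output ('Internet works but these AV sites fail: ' + ($blocked -join ', ') +
                  '. Suspect Conficker or similar; run the Malicious Software Removal Tool.')
} else {
    Write-Output 'AV vendor sites resolve normally: no sign of DNS blocking.'
}

# ---- Part 2: the defensive posture the post recommends -------------------------------------
# Windows Firewall per profile (EnableFirewall = 1). PublicProfile exists only on Vista and later.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $enabled = Get-RegValue "$fwBase\$profile" 'EnableFirewall'
    if ($enabled -eq $null)  { Write-Output "$profile : not present on this OS version" }
    elseif ($enabled -eq 1)  { Write-Output "$profile : firewall ON" }
    else                     { Write-Output "$profile : firewall OFF  <-- enable it (GPO can force this)" }
}

# Automatic Updates service and pending reboot (the post: the install isn't complete until you reboot)
$wu = Get-Service -Name wuauserv
Write-Output ("wuauserv service: {0}" -f $wu.Status)
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) { Write-Output 'Updates are waiting for a REBOOT - they are not protecting you yet.' }

# AutoRun: the "Turn off Autoplay / All drives" policy writes NoDriveTypeAutoRun = 0xFF
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
if ($autorun -eq 0xFF) { Write-Output 'AutoRun: disabled for all drive types' }
else { Write-Output ("AutoRun: NoDriveTypeAutoRun is '{0}', expected 0xFF (255) - set it via Group Policy" -f $autorun) }
```

The DNS test deliberately does not fetch the vendor pages: if lookups of vendor names fail while the control name resolves, that pattern on its own is the signal the post describes, and it avoids depending on a proxy.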

EDIT #1:

Thanks to Enda Flynn (TechNet Ireland Manager) for this link from MS.  It contains information on how to defend yourself from Conficker.

IT Managers Still Fearful Of Employees Stealing/Losing Sensitive Data

Silicon Republic is reporting on a survey by IT Force that says 47.8% of IT managers are still fearful of staff stealing or losing data.  Hacking is #2 at 34.8%.

Before we go further: the real chance of getting hacked if you’ve taken the normal precautions is minimal.  You still should take precautions such as firewalls and server hardening.  Really though, you need to look at application development, software patching and most importantly, physical security.  What’s the easiest way to steal data?  Take out the disks.  Who has the most access to your building?  The least paid staff who also don’t work for you: the security guards and cleaners.  And despite what movies with Sandra Bullock/Harrison Ford and TV shows like 24 would have us believe, 3/4 of all computer crime is really perpetrated by people in the building.

Right, let’s go over this again.

  • Use BitLocker, Iron Mountain DataDefense or SafeBoot to encrypt data on the disk or the entire disk.  This applies to desktops, laptops and servers.  So even if you do lose physical control of the disk or machine you can be sure it’s encrypted.  IRM DataDefense takes it one step further: you can remotely wipe the data (to NSA standards) when the machine next comes online.
  • Use AD Rights Management Services to control who can read what document, email, etc.  You can control this inside and outside of the organisation, e.g. prevent an email or document from being read by someone outside of your network even if it’s forwarded to them.
  • Use device access controls (Vista or DeviceLock) to lock down ports.  Vista does an OK job at this.  DeviceLock rules at this.  You can put permissions on all the ports of your machines, e.g. disable USB devices but allow USB printers and keyboards/mice, disable bluetooth, etc.  DeviceLock allows normal group permission controls and AD GPO management.
  • Force USB device encryption using Windows 7 BitLocker-To-Go or a new version of IRM DataDefense.  Windows 7 allows you to force encryption using GPO.  I’ve not been briefed yet on this new feature of the IRM solution.
  • Centralise access auditing using OpsMgr 2007 Audit Collection Services.  You can gather important security events into a simple central SQL database for security/audit to review and generate reports from.
  • Use Exchange 2007 native or 3rd party services to journal what is being sent or received.  This gives you a history of what’s going on.
  • Use a proxy filter to restrict access to webmail services that bypass mail auditing.  I hate SurfControl as do most people I know.  Everyone I know likes WebSense.
  • Use a passphrase system instead of traditional password rules.  It’s easier for end users and more secure.
  • Physical security for servers is critical.  Where you cannot do this, consider centralisation or using servers with BitLocker and Read-Only Domain Controllers.
  • SQL 2008 has loads of security stuff in it that’s new.  I’m not a DBA so I’m not the best person to talk about those.

Cloned WSUS Clients Don’t Appear In The Console

It’s possible that cloned machines (even sysprepped ones) won’t appear in the WSUS console.  Here are some troubleshooting steps.


  • If using the FQDN of the WSUS server then ensure the client can resolve the computer name to an IP address.  Check DNS (NSLOOKUP), ping and/or the hosts file.
  • Ensure that you can telnet from the client to the WSUS server on port 8530, e.g. telnet 10.0.0.10 8530.  That will check connectivity.  This assumes you’re using the default port of 8530 for WSUS connectivity.  Use netstat -an to verify this.
  • Ensure that the application log on the WSUS server is clean.
  • Check the WindowsUpdate.log file in C:\Windows on the client.  Make sure it is connecting to <WSUS Server>:8530.
  • Run wuauclt /detectnow on the client and check the WindowsUpdate log again.
  • If the client does not appear then the SusClientId may not be valid.  You can reset this by running this .BAT script on the affected client:

@echo off
Echo Save the batch file "AU_Clean_SID.cmd". This batch file will do the following:
Echo 1.    Stop the wuauserv service
Echo 2.    Delete the AccountDomainSid registry key (if it exists)
Echo 3.    Delete the PingID registry key (if it exists)
Echo 4.    Delete the SusClientId registry key (if it exists)
Echo 5.    Restart the wuauserv service
Echo 6.    Reset the Authorization Cookie

Pause
@echo on
REM Stop the Automatic Updates service so the registry values are not recreated mid-run
net stop wuauserv
REM Remove the identity values a cloned machine inherited from its image
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REM Restart the service; a fresh SusClientId is generated on the next check-in
net start wuauserv
wuauclt /resetauthorization /detectnow
Pause

Refresh the console view by clicking on <REFRESH> (don’t press <F5>) and it should appear.
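As an added example (my own code, not from the original post or from Microsoft), here is a PowerShell script that walks the troubleshooting steps above on a client in one go: it reads the WSUS server from the Windows Update policy key, resolves the name, tests the TCP port, counts how often the server appears in WindowsUpdate.log, and prints the SusClientId so two clones can be compared (identical IDs mean the clean-up script above is needed).  It assumes PowerShell 2.0 or later, a client configured by Group Policy (so the WUServer value exists), and the text-file WindowsUpdate.log of the XP/Vista/7 era.

```powershell
# Added example, not part of the original post: checks a WSUS client the way the post's steps do.
# Assumes the WUServer policy value exists (set by GPO) and that WindowsUpdate.log is a text file.
param(
    [switch]$Detect   # also run "wuauclt /detectnow" at the end, as in the post's step 5
)

$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $policy -Name WUServer -ErrorAction SilentlyContinue).WUServer
if (-not $wuServer) {
    Write-Output 'No WUServer policy value: this client is not pointed at a WSUS server (check GPO).'
    exit 1
}

# The URL carries the port; if none is given, System.Uri reports the scheme default (80 for http)
$uri = [System.Uri]$wuServer
Write-Output ("WSUS target: {0}:{1}" -f $uri.Host, $uri.Port)

# Step 1: name resolution (same check as NSLOOKUP / ping)
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }
    Write-Output ("DNS OK: {0}" -f ($addrs -join ', '))
} catch {
    Write-Output ("DNS FAILED for {0}: fix DNS or the hosts file" -f $uri.Host)
    exit 1
}

# Step 2: TCP connectivity (same check as telnet <server> 8530)
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($uri.Host, $uri.Port)
    Write-Output ("TCP {0} OK" -f $uri.Port)
} catch {
    Write-Output ("TCP {0} FAILED: firewall in the way or WSUS not listening (check netstat -an on the server)" -f $uri.Port)
    exit 1
} finally {
    $client.Close()
}

# Step 4: is the client actually talking to that server? Count log lines that mention it.
$log  = Join-Path $env:SystemRoot 'WindowsUpdate.log'
$hits = @(Select-String -Path $log -Pattern ([regex]::Escape($uri.Host)) -ErrorAction SilentlyContinue)
Write-Output ("WindowsUpdate.log mentions {0} {1} time(s)" -f $uri.Host, $hits.Count)
if ($hits.Count -eq 0) { Write-Output 'Client has never contacted this server: check the GPO has applied (gpupdate /force).' }

# Step 6: SusClientId - run this on two clones; if the IDs match, run the clean-up script
$wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$id = (Get-ItemProperty -Path $wuKey -Name SusClientId -ErrorAction SilentlyContinue).SusClientId
Write-Output ("SusClientId on {0}: {1}" -f $env:COMPUTERNAME, $id)

# Step 5 (optional): trigger a detection cycle and remind the reader to re-check the log
if ($Detect) {
    & wuauclt /detectnow
    Write-Output 'Detection triggered; re-run this script in a few minutes to see new log entries.'
}
```

Run it on the machine that is missing from the console and on one that does appear; a shared SusClientId between them is the clone problem this post is about, and everything else being green narrows the cause down to that.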