Digital Choke Daynotes
"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (http://www.daynotes.com or http://www.daynotes.org), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Monday, February 9, 2004

There seems to be some new people reading these pages. Evidently, there is a small spike in our readership, as shown by the log file analyzer kindly provided by our hosts, and as shown by the visitor count up over there. In case you haven't read a very short and humble blurb about me, my profession is an information security officer for a local government agency. So I am always looking into ways that will help protect the information at the work network from undesirables. (And it's also given me a bit of background into the little fictional story I wrote about the Internet meltdown.)

One of the things I did today at work was a bit of research into wireless security. Or, more properly, the difficulties in securing wireless networks. Wireless security, or any information security, is not just the hardware and software you can put on your network. It is also policies, procedures, and user education. One of the places I go to get some good information is the SANS site. They have some excellent training sessions that are at least a week long, so they are very thorough. I've been to two of their classes; both were seven days. In one of them, I got the material and information about various U.S. felonies a network guy can commit unless protected by company policies and user notification. That presentation is the "Is There a Felony in Your Computer" paper available here.

The site also has the "Reading Room". This is an area where security dudes (and dudettes) write papers on various security subjects as part of their certification. The quality standards are fairly high, so most of them contain some very useful information. And the other thing that you will find there is sample information security policies. You can use them as a starting point for security policies for your business.

So today's tasks included some research about wireless networks. There were some good papers in there, and also a starting template for a wireless security policy. I was able to gain a bit of knowledge, and some starting points for further research. If you are interested in information security, the SANS site is a good place to start. And if you have any questions or comments about all of this, you can always click on the mailbox icon here.

You regular readers (yes, both of you) might notice that I missed yesterday's post. It was quite a busy day. It started out with the usual Sunday morning church leadership meetings, then the regular meetings, although there was a break to get home for lunch before the afternoon meeting block. After church, it was time to prepare dinner and wait for Christine and Jared and those two adorable grandchildren to arrive for dinner and Joelle's (now 4) birthday party. A good time was had by all until they left a bit after 9pm. I was a bit tired by then. I started falling asleep in front of the TV shortly thereafter. (Although I didn't fall asleep at my computer desk like John D.) So I didn't have enough energy for the normal daily post.

After work today, we stopped by Sam's Club with my digital camera and used their photo machine to get some prints of the grandkids. Then we went next door to WalMart to get a few things for a Valentine's care package for Stacy (in Rexburg Idaho at college). She got in a minor rear-ender this last weekend, and has a bit of a sore neck, so some cheering up is in order. (And if you are reading this, Stacy, that's all I am going to tell you.) She is in the Nursing program there, and is doing quite well (3.94 GPA), although the program is pretty difficult.

The pictures turned out quite well. The kiosk for the picture machine is fairly easy to use, and allows for editing, basic touch-ups, and cropping. The best part is that a 4x6 inch print only costs 14 cents, and is ready in an hour. That is pretty inexpensive, and the quality is better than most ink jet printers even when using photo paper. I sometimes edit the photos using Adobe Photoshop Elements, then save them to CD or USB hard drive and take them there for developing.

After dinner, a friend came over to get some help with his Quicken data (that's Pam's specialty), while I did some Church-related paperwork while watching a bit of TV. Which is what I am doing now: watching an old "Magnum, P.I." rerun while typing this. Magnum is almost done, so so am I. But there will be something tomorrow.

In the meantime, send mail (using our mail form, which helps protect email addresses) by clicking on the mailbox. Or read the "Digital Choke" story, or the "back-issues" here.

Tuesday, February 10, 2004

Just the usual stuff at work today. Except there was the monthly Microsoft patch release (each month, second Tuesday). My first take on the updates was that they should be installed, but it was not a 'drop everything and do it now' type of thing.

But I've been doing a bit of research on one of the updates. It seems that the "ASN.1" problem may be a bit more widespread. Subsequent information seems to indicate that this problem is pretty deep into many applications, which is why it took a while to issue the fix. Here's what the Internet Security Center said in their diary entry for today (remember that around here, all links open up new browser window):

The most critical of the three is entitled "ASN.1 Vulnerability Could Allow Code Execution (828028)" and affects all Windows operating systems based on the NT core (NT, 2000, XP, and Server 2003):

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-007.asp

Essentially, there are multiple possible overflow conditions that exist within the ASN.1 implementation inside Microsoft's MSASN1.DLL.

Affected software that uses this library includes:

- Microsoft Internet Explorer
- Outlook Express
- Outlook
- IIS (using SSL as in https)
- Microsoft's Kerberos implementation
- NTLMv2 authentication
- Third party software using encryption certificates

This is a critical issue and should be addressed immediately; exploits are expected soon.

I was looking at an article on Wired News, and that seemed also to verify that perhaps this one needs to be a bit higher on the priority list. One of the executive security dweebs at Microsoft said this:

A Microsoft security executive, Stephen Toulouse, said the flawed software was "an extremely deep and pervasive technology in Windows," and urged customers to apply the patch immediately.

And this article from CNET is also interesting, although some of the statements from the anti-virus guys sometimes seem a bit self-serving.

The flaw bears a resemblance to the one that allowed MSBlast to spread in August 2003, said Stephen Toulouse, security program manager at Microsoft's security response center.

At home here, the computers are set up for installing the automatic updates without asking. At the office, all the workstations are supposed to be similarly configured to get their updates automatically from our Software Update Server (SUS). That's a Windows 2K server on our network that is the source for all Microsoft operating system updates -- sort of our own Windows Update system. By making certain registry entries on the workstations, we can configure them to check for updates every day, and then install them silently. It's a good way to ensure that the updates are installed on workstations, without using up Internet bandwidth with each computer accessing the Microsoft Windows Update site (assuming you can get users to do that on a regular basis).
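For the batch-file crowd, here is an added example (mine, not from the original post) of the workstation-side registry entries that point the Automatic Updates client at a SUS server and have it install silently every day. It uses reg.exe (built into XP; in the Support Tools on Windows 2000), and "http://sus-server" is a placeholder for your own server name.

```batch
@echo off
rem Added example (not from the original post): point a Windows 2000/XP
rem workstation's Automatic Updates client at a SUS server and have it
rem download and install updates silently every day.
rem "http://sus-server" is a placeholder for your own SUS server.
setlocal
set SUS=http://sus-server
set WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem Where the client looks for updates, and where it reports status.
reg add "%WU%" /v WUServer /t REG_SZ /d %SUS% /f
reg add "%WU%" /v WUStatusServer /t REG_SZ /d %SUS% /f

rem Automatic Updates policy values:
rem   UseWUServer=1          use the server above, not Windows Update
rem   NoAutoUpdate=0         keep Automatic Updates switched on
rem   AUOptions=4            download automatically, install on a schedule
rem   ScheduledInstallDay=0  every day (1 = Sunday ... 7 = Saturday)
rem   ScheduledInstallTime=3 hour of the day, 0-23 (3am here)
reg add "%WU%\AU" /v UseWUServer /t REG_DWORD /d 1 /f
reg add "%WU%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%WU%\AU" /v AUOptions /t REG_DWORD /d 4 /f
reg add "%WU%\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%WU%\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f

rem Read the keys back so the settings can be checked on one machine
rem before pushing the file out to every workstation.
reg query "%WU%" /s

rem Ask the client to contact the SUS server now instead of waiting for
rem its next detection cycle (the Automatic Updates service must be running).
net start wuauserv >nul 2>&1
wuauclt /detectnow
endlocal
```

The same keys can be set through a Group Policy template instead of a batch file; the values are identical, only the delivery differs.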

So, I'll probably revise today's security notice that I sent out to the other network admins. It may be the impetus to get everyone to get the workstations configured to use SUS. Some of the articles I've read on this set of patches (and it's a bit early) hint of a vulnerability similar to Blaster.

Then there is the "DoomJuice" worm, which seems to be related to "MyDoom", but puts its source code on your computer. Here's one analysis from Sophos (an anti-virus vendor; their researchers have this theory):

The Doomjuice worm drops a copy of the prevalent W32/MyDoom-A's source code onto infected computers, possibly in an attempt to make it more difficult to convict the true author.

You'll probably hear a bit more about this theory (here's another story); I haven't done enough research on this one yet. But it may be worthwhile to keep your eye on these issues.

In the meantime, you are all assigned to get the updates installed on your computers. Ditto. Ditto. "What I say three times is true."

Pam and I got home early enough, and the days are getting a bit longer, so Pam quickly made up some meat loaf to stick in the oven, and we went on a 30 minute walk around the neighborhood. The weather here has been nice and sunny, with temps in the low 60's. When we got home, dinner was just about ready. The meat loaf was quite good; we had some baked potatoes and green beans and french bread. It was quite tasty.

After dinner, I went over to a neighbor's house to help her with getting some data from Quicken/Mac to Quicken/Windows. Then home again to relax. I did my usual "geek potato" thing, while Pam read. The usual ending to days around here.

Now, go update your computer. I've already done mine, and it's time for "Magnum, P.I."

Wednesday, February 11, 2004

I am getting some new projects that will be a good improvement to the security of the network at work. It's not appropriate to include details at this time. But the project will be interesting, and I'll report on my experiences in these pages.

I also spent a bit of time using the LogParser program. The program can take apart various types of log files, and save the output in other formats. I'm using it to look at the web access logs for the Software Update Server. The intent is to gather information on which computers are getting their software updates.

The program uses a SQL-like syntax to select the portion of the log files that you want. The output can be directed to the screen, or file, or a CSV (Comma Separated Values) file that you can import into a spreadsheet or database. You can also specify a template file so you can format the output using HTML codes.

I'm not a SQL expert, although I can hack my way around a SQL statement. So I've been able to extract the workstation IP Address and date/time from the log files. I also wanted to get the user name and computer name, but at first those fields were blank. Then I remembered that those fields are not normally stored in the log files. So I went to that server and modified the settings so that the user and computer name will be part of the log file. I'll see how that works tomorrow.

But I did get the program to output a simple HTML page with the data in a table, complete with column headings. I'm an old batch-file kind of guy, and have done a lot of programming in the past, so this was an interesting project.
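Here is an added example (mine, not from the original post) of the kind of LogParser 2.2 run described above: one row per client IP from the SUS server's IIS logs, with the last check-in time, written as an HTML table through a template file. The log path, the User-Agent filter and the template layout are my assumptions.

```batch
@echo off
rem Added example (not from the original post): use LogParser 2.2 to list,
rem per client, the IP address, a DNS name, the request count and the last
rem check-in time from the SUS server's IIS W3C logs, as an HTML table.
rem The log path, the User-Agent filter and the template are assumptions.
setlocal
set LOGS=C:\WINNT\system32\LogFiles\W3SVC1\ex*.log

rem Template for LogParser's TPL output: the header is written once, the
rem body once per result row, the footer once. FIELDNAME_n / FIELD_n in
rem percent signs are LogParser placeholders; "%%" and "^<" are the
rem batch-file escapes for a literal "%" and "<".
> sus-clients.tpl (
  echo ^<LPHEADER^>^<html^>^<body^>^<table border="1"^>
  echo ^<tr^>^<th^>%%FIELDNAME_1%%^</th^>^<th^>%%FIELDNAME_2%%^</th^>^<th^>%%FIELDNAME_3%%^</th^>^<th^>%%FIELDNAME_4%%^</th^>^</tr^>
  echo ^</LPHEADER^>
  echo ^<LPBODY^>^<tr^>^<td^>%%FIELD_1%%^</td^>^<td^>%%FIELD_2%%^</td^>^<td^>%%FIELD_3%%^</td^>^<td^>%%FIELD_4%%^</td^>^</tr^>^</LPBODY^>
  echo ^<LPFOOTER^>^</table^>^</body^>^</html^>^</LPFOOTER^>
)

rem One row per client IP. TO_TIMESTAMP joins the W3C date and time fields,
rem REVERSEDNS asks DNS for a name (one lookup per log line, so expect it to
rem be slow on big logs), and the User-Agent filter keeps only Automatic
rem Updates traffic, skipping the SUSAdmin pages. "%%" again escapes the
rem SQL wildcard for batch.
logparser -i:IISW3C -o:TPL -tpl:sus-clients.tpl ^
  "SELECT c-ip AS ClientIP, REVERSEDNS(c-ip) AS ClientName, COUNT(*) AS Requests, MAX(TO_TIMESTAMP(date, time)) AS LastCheckIn INTO sus-clients.html FROM %LOGS% WHERE cs(User-Agent) LIKE 'Windows-Update-Agent%%' GROUP BY c-ip, REVERSEDNS(c-ip) ORDER BY LastCheckIn DESC"

rem The same data as CSV for a spreadsheet, no template needed.
logparser -i:IISW3C -o:CSV ^
  "SELECT c-ip, MAX(TO_TIMESTAMP(date, time)) AS LastCheckIn INTO sus-clients.csv FROM %LOGS% GROUP BY c-ip"
endlocal
```

Workstations that appear in the list with an old LastCheckIn, or not at all, are the ones to chase when a bulletin like MS04-007 comes out.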

There was also the usual stuff. Email, spam, and some research about viruses. I looked at some more security-related sites (including those not associated with anti-virus vendors), and they all seemed to agree that the Windows "ASN.1" vulnerability has the potential to be significant.

Some of the 'pundits' and press are grumbling about the fact that Microsoft waited quite a while to release the fix after being notified. But I think that Microsoft was just being careful. The ASN.1 problem is deep into many aspects of several Windows programs, so the fix needed significant testing to make sure that the problem was truly fixed, and that the fix didn't break other parts of applications. The people that found the problem had an exploit for the problem, but nobody else had figured out the vulnerability. I am sure that they were actively monitoring the various hacker sites for any indication that others had found the problem. If so, the patch might have been released earlier. So the extra time was put to good use by doing extensive testing of the patch.

Today was a nice day, weather-wise. Sunny, clear, and highs in the mid-60's (F). Pam and I were able to get home in time to fire up the BBQ and cook some chicken breasts with a BBQ sauce. I have a propane BBQ, which makes it easy and fast to get it up to the proper grilling temperature. I know that some people think that charcoal or wood is best for barbecuing, but I like the speed (and less mess) of mine. It can be ready to go in five minutes. You can't do that with a charcoal BBQ.

"Monk" is on tonight, and as usual, it is quite humorous. Tony Shalhoub plays the obsessive-compulsive detective very well. The story line is usually clever, and Sharona is a pleasant visual addition to the show.

And today is the weekly McAfee virus data file update. This one protects against the new "DoomJuice" worm. Virus updates are always important. Go forth and update. And your comments are always welcomed -- just click on the mailbox icon.

Thursday, February 12, 2004

A couple of interesting things I found while doing the 'geek potato' thing.

The Security News Portal site (an interesting place) reports on a major problem in the Sophos Anti-Virus program that lets a virus through if the email message is not formatted correctly. Oops. And then their anti-virus engine can be used to launch a denial of service attack against your own computer. Oops again. This information was originally disclosed at Techworld.com. Sophos has issued a patch; you should install it.

Then there's this story from The Register:

A new variant of the Nachi worm which attempts to cleanse computers infected by MyDoom and download Microsoft security patches to unprotected computers has careened onto the Net this morning.

Now, that's what we need. Remember "Nachi"? The one that was supposed to fix "Blaster"? The one that ended up causing even more problems?

Here's an idea. Why don't the virus writers go after the spammers, and both of them can leave us all alone.

Sometimes I think my little story has more than a little of the truth in it.

Sigh.

On a more pleasant subject, I've got the Google tool bar installed on my browser. And I just noticed that there are little hearts in the Google search window. And one of the o's in "Google" has been replaced by a little red heart.

This continues a long tradition of Google logos that commemorate holidays and traditions. Some of them are quite nice; you can look at them here.

Friday, February 13, 2004

Short post tonight, because it is quite late (almost tomorrow).

Work was unremarkable, although busy. I do have some worries, though, about our protection against the ASN.1 exploit. I'm getting some things into place to cut down on the risk.

After work, Pam and I went over to the kid's house to watch the kids while they went out to a church function. They took our car, and we took their van (with carseats) to the Golden Arches restaurant for dinner. Then a quick trip to Costco for a couple of things, then back home. Liam (2 yrs) was pretty tired by that time; he has stopped taking naps. So we got home about 7:45pm and he was asleep so we put him to bed. Joelle (4 yrs) was getting tired also, so she cuddled on the couch with Pam and fell asleep a bit later.

So it was a quiet babysitting gig. It started out a bit rambunctious; the kids are always excited to see us, so there is much giggling and climbing all over me. But they are such fun, so I don't mind.

We didn't get home until after 10pm. I had to do a bit of mailing for my church calling. And the laptop is running a bit slower than usual. So I installed "Spybot Search and Destroy", which is an excellent remover of spyware and adware. And it is free, although donations are accepted. I got rid of some junk, mostly adware, although there was a mention of a DCOM vulnerability. I'll have to look into that tomorrow. But the program is recommended.

A three-day weekend, courtesy of presidents that had birthdays. That will be nice.

Saturday, February 14, 2004

Happy Valentine's Day! (Although many of you might read this on Sunday.) We had a nice low-key celebration, but it is still early.

We started out by sleeping late this morning. No kids to bound into the room to wake us up. Then breakfast, some cleaning of the kitchen (by Pam) and vacuuming (me), then Pam was off to the hairdresser. I stayed home and worked a bit on straightening up the garage. Then off to Home Depot for a few things before having lunch with Pam at "Red Robin". I had a chicken breast on a bun, with BBQ sauce, onion ring shreds, cheese, bacon, lettuce, tomato. Very good and very filling. Pam had a mushroom burger. There were a lot of people there, but the service was good.

Then Pam went off shopping while I returned home. I got a rack for hanging up shovels and rakes; it uses an S-shaped hook that holds onto the handle. Under $10, and it works quite well. I also got some big hooks that I'll use to hang the extension ladder on the garage wall. I'll probably get those up on Monday (it's a holiday for us -- and U.S.). And I did a bit of "Round-Up" for some small weeds in the patio and sidewalk. So, we both had a productive day.

On the security news front, I notice that there is a DoS (denial of service) exploit for the Microsoft ASN.1 problem. Details are at the Internet Storm Center; they are continually updating that page with more information about the exploit. The exploit kills the "lsass" process, which:

Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.

The current exploit is probably just the first of many. What is interesting about this is that the exploit was released about 4 days after Microsoft released the patch. That does not bode well for those that delay in applying patches. This is just the beginning of the news about this one. It may get huge. Insert here the usual warnings to get your patches installed.

On a similar subject, Microsoft released a patch today that removes traces of MyDoom/DoomJuice from an infected computer. Details are here.

... more later ...

Entire Site Contents Copyright (c) 2000-2004 Two Bridges Group, All Rights Reserved