Everything Changes

Daylight Saving Disaster

everythingchanges — Sun, 25 Feb 2007 15:15:05 +0000

Sorry it has been so long since I have posted anything. I have been working to address the Dalight Saving Time issue at my place of employment. It has been a rather difficult and at times frustrating process to make sure all the workstations and servers are appropriately addressed. This underscores the need for enterprise class patch management frameworks and support for timely patching of servers and workstations. I would argue that patching only when a system upgrade occurs or in response to an issue is an irresponsible approach. I am not sighting anything at my current place of employment, but rather in the enterprise environment as a whole. Administrators must take the time to patch their Windows, Linux, and Unix systems on a proactive basis, and not reactive. We must also acknowledge and address the fact that vulnerabilities do not just exist in our operating systems. Recently there have been a score of issues identified in old faithfulls like Microsoft Internet Explorer and Microsoft Word, but also Mozilla Firefox, Adobe Acrobat Reader, and Symantec’s AntiVirus (relax Symantec fanboys…I do acknowledge the recently announced serious issue detected in Microsoft’s security products.).

Have we not learned anything from Nimda, Welchia, SQL Slammer…programmers will continue to improve (hopefully) and design safer code, but it is still critical to patch where necessary. We do ourselves a disservice by not patching our systems and undermine the entire concept of confidentiality, integrity, and availability in doing that.

I am also aware that vendors will be vendors and will simply say they have not tested something, so it cannot be implemented. I believe security professionals everywhere should take this as a challenge and point this behavior out to all the CIO/CTOs out there who have to sign those huge support contracts on a yearly basis. If you pay a company $250,000 a year to support a system they should be able to test patches and help you keep their solution functional. They do us a “favor” by selling us solutions, but we do them a “favor” by paying for that solution.

Ok. Enough of a rant. Time to get back to DST patching.

More Patient Data Thefts Reported

everythingchanges — Mon, 19 Feb 2007 16:30:50 +0000

Laptop Stolen With 22,000 Kaiser Patients’ Data
(CBS 5) OAKLAND In yet another instance of laptop theft potentially endangering personal data, Kaiser Permanente is in the process of notifying as many as 22,000 patients of a possible breach of their private medical information.

Second hospital reports lost data
St. Mary’s notifies 130,000, days after Hopkins’ notice
ORIGINALLY PUBLISHED FEBRUARY 13, 2007
A second Maryland hospital has reported losing sensitive computerized data on tens of thousands of patients, raising another alarm about how consumer information is protected.

Homeland Security Humor

everythingchanges — Sun, 18 Feb 2007 15:22:10 +0000

For those looking for a humor break this site is good for a laugh or two.

Microsoft’s Safety and Security Online Magazine

everythingchanges — Sat, 17 Feb 2007 16:08:56 +0000

Microsoft has recently released the first edition of an online magazine intended to educate average users on appropriate safety mechanisms for online use. Unfortunately this item has not had a large amount of publicity to this point. Hopefully Microsoft will do a better job moving forward to provide access to this document to those who need it.

View it online in here in PDF format.

Microsoft Patching Protection Software

everythingchanges — Sat, 17 Feb 2007 15:53:54 +0000

Microsoft patches include a surprise
One of the fixes, a patch for bug in the Malware Protection Engine, had been slipped out unannounced just before the launch of Vista.

Read the article here.

Another Heavy Microsoft Patch Tuesday

everythingchanges — Wed, 14 Feb 2007 04:38:27 +0000

Microsoft released various security patches today addressing a total of 20 vulnerabilities in multple products. Included within this batch of patches are fixes for multiple Microsoft Office “zero-day” vulnerabilities and a fix for the Microsoft Live OneCare product. Although there were no patches for Windows Vista, Microsoft Live OneCare is intended for use on Vista and could place Vista systems at risk as a result.

You should review the Microsoft notification page to take appropriate actions to protect your system.
http://www.microsoft.com/technet/security/bulletin/ms07-feb.mspx

US-CERT Alert Page
http://www.us-cert.gov/cas/techalerts/TA07-044A.html

Solaris Telnet Vulnerability

everythingchanges — Mon, 12 Feb 2007 17:20:18 +0000

This article may be of interest to those using Telnet over the internet or within your environment on a Solaris platform. Obviously you should consider more secure alternatives if moving away from Telnet is possible.

* Another good reason to stop using telnet
Published: 2007-02-12,
Last Updated: 2007-02-12 12:32:54 UTC
by donald smith (Version: 1)
There is a major zero day bug announced in solaris 10 and 11 with the telnet and login combination.

http://isc.sans.org/diary.html?storyid=2220

Wireless Security Testing/Exploitation Tool

everythingchanges — Sun, 11 Feb 2007 19:26:33 +0000

I found this post on ZDnet to be interesting. Please note the reason why they are reporting law enforcement ordering of this device. That is interesting on it’s own, and probably a whole different issue completely.

Wi-Fi hacking, with a handheld PDA by ZDNet‘s Ryan Naraine — The palm-sized PDA tucked away in Justine Aitel’s pocketbook just might be the most scary device on display at this year’s RSA security conference.

Watch What You Do

everythingchanges — Sat, 10 Feb 2007 04:57:28 +0000

Once again there are examples of security being compromised due to convenience or just a lack of common sense. The following two items appeared related to the recent RSA Security Conference in San Francisco, California.

Conference Attendees Drop Ball on Wi-Fi Security
More than half of the wireless LAN devices being used at this week’s RSA Conference on information security are themselves unsecured.
http://www.pcworld.com/article/id,128921-pg,1/article.html

When Security Companies Fail
SAN FRANCISCO: Security Fix has long pontificated on the necessity of Microsoft Windows users setting up their machines to run under “limited user” accounts. It is considered a fairly effective method for warding off spyware and virus infections on your average Windows PC.
http://blog.washingtonpost.com/securityfix/ (Half Way Down Page)

RSA Conference 2007 Roundup

everythingchanges — Sat, 10 Feb 2007 04:48:48 +0000

This past week I attended the RSA Security Conference in San Francisco, California. This was my first RSA Conference and likely not the only RSA Conference I will attend in some capacity.

The main componets of the conference were the educational sessions, keynote speakers, and vendor exposition. The education sessions introduced attendees to a wide variety of material that spans large swaths of the “information security” field. Sessions dedicated to encryption implementation attracted those with a desire to explore the more technical content while basic introductions to concepts such as patch management allow for something for almost everyone.

Keynote speeches by individuals such as; Bill Gates (Microsoft), Deborah Platt Majoras (Chairman of the Federal Trade Commission), Whitfield Diffie (Sun Microsystems, Inc.), Martin Hellman (Standford University), Adi Shamir (Weizmann Institute of Science, Israel), Ron Rivest (MIT), General Colin L. Powell (Former U.S. Secretary Of State) and many others created a long list of noteworthy speakers to the conference.

At times the vendor exposition was more of a Marti Gras like experience at times than the stereotypical dry collection of information security solutions. Once you get past the costumes, free “swag”, and assorted other geek bait the amount of true technical value was overwhelming at times. Staple vendors such as Microsoft, RSA, and Cisco were present in force while an exciting collection of other vendors lined the surrounding areas with less showy presentations, but an exciting collection of possible products to consider.

If you absorb the session material, collect the vendor material, and become refreshed/imspired by the keynotes then the cost of the conference is more than worth it. I would encourage those interested to visit the RSA Conference website to seek additional information and look to the future to determine if you want to attent the RSA Conference 2008.

RSA Conference 2007
http://www.rsaconference.com/2007/US/