locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Thu, 30 Oct 2003
Satisfying CIS Windows Security Benchmarks

I've been tinkering with the CIS (Center for Internet Security) Windows Security Scoring Tool for a while now, incrementally struggling my way to a perfect 10. The tool and accompanying templates help you attain the "baseline minimum level of prudent due care" when securing a Windows computer.

I set out with the goal of configuring my server to satisfy the configuration criteria in the Win2kSrvGold_R1.0.1.inf template. I chose this template because it seemed to be the more demanding of the two templates CIS bundles with the tool (the other is an NSA template). I applied the template using the Windows 2000 Security Configuration and Analysis Toolset.

From my modest initial score, I climbed my way to a 7.9. At this point, I had to customize the template in the following manner:

  • I customized both the Legal Notice Text and Caption.

  • I set RequireLogonToChangePassword=0 because I could find no way to do this using Windows 2000 (and the documented method for Windows NT did not apply).

  • I modified the services list so that the FTP, IIS, and W3SVC services start automatically, since I'm securing a public access web server and an intranet-accessible FTP service.

I have a handful of registry and file permission inconsistencies to investigate to turn my 9.4 score to a 10. CIS provides a Benchmark document that describes the Windows 2000 server configuration settings in detail. I loathe registry editing, but will plod through these nonetheless.

Why am I doing this, you ask? Eating my own dog food. I carp constantly about implementing security measures close to assets. I believe these efforts pay off. I know much more now than I ever imagined I would about the server I run, and this is A Good Thing.

FWIW, CIS has done a really good job creating these baselines, and the documentation, while not perfect, is very effective. I'm looking forward to the completion of the XP security templates.
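To show what the scoring step actually does, here is an added example (my own, not the CIS Scoring Tool or its Win2kSrvGold template) that parses the three template sections the customizations above touch and compares them with the settings observed on a server. The template excerpt and the observed values are constructed; the 0-10 score is a plain pass fraction, not the CIS tool's weighting.

```python
"""Analyze a Windows security template (.inf) against observed settings.

Added example, not the CIS Scoring Tool or its template. The .inf excerpt and
the "observed" values are constructed; the score is a simple pass fraction.
"""
import configparser
from typing import Dict, List, Tuple

# Registry value type codes used in security templates (same numbering as the
# REG_* constants) and service startup codes (same as the registry Start value).
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
START_MODES = {"2": "automatic", "3": "manual", "4": "disabled"}

# Constructed template excerpt in the Security Configuration and Analysis layout.
# The service lines carry an empty SDDL string where a real template lists ACLs.
TEMPLATE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
RequireLogonToChangePassword = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,Authorized Use Only
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,Unauthorized access is prohibited.
[Service General Setting]
W3SVC,2,""
MSFtpsvc,2,""
IISADMIN,2,""
Messenger,4,""
"""

Settings = Dict[str, Dict[str, str]]


def load_template(text: str) -> Settings:
    """Parse the .inf sections into {section: {name: normalized expected value}}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep registry paths and service names case-sensitive
    cp.read_string(text)
    settings: Settings = {}
    for section in ("System Access", "Registry Values", "Service General Setting"):
        if not cp.has_section(section):
            continue
        for key, value in cp.items(section):
            if section == "Registry Values":
                # value is "<type code>,<data>"
                rtype, data = value.split(",", 1)
                settings.setdefault(section, {})[key] = f"{REG_TYPES.get(rtype, rtype)}:{data}"
            elif section == "Service General Setting":
                # the whole line is the key: "<service>,<start code>,<SDDL>"
                name, start, _sddl = key.split(",", 2)
                settings.setdefault(section, {})[name] = START_MODES.get(start, start)
            else:
                settings.setdefault(section, {})[key] = value.strip()
    return settings


# Constructed "observed" state of the server being scored: two drifts, the
# legal notice text was never set and the Messenger service is still automatic.
OBSERVED: Settings = {
    "System Access": {"MinimumPasswordLength": "8", "RequireLogonToChangePassword": "0"},
    "Registry Values": {
        r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption":
            "REG_SZ:Authorized Use Only",
    },
    "Service General Setting": {"W3SVC": "automatic", "MSFtpsvc": "automatic",
                                "IISADMIN": "automatic", "Messenger": "automatic"},
}


def analyze(template: Settings, observed: Settings) -> Tuple[List[Tuple[str, str, str, str]], float]:
    """Return (mismatches, score); each mismatch is (section, name, expected, actual)."""
    mismatches: List[Tuple[str, str, str, str]] = []
    total = 0
    for section, entries in template.items():
        for name, expected in entries.items():
            total += 1
            actual = observed.get(section, {}).get(name, "<not configured>")
            if actual != expected:
                mismatches.append((section, name, expected, actual))
    score = round(10 * (total - len(mismatches)) / total, 1) if total else 0.0
    return mismatches, score


if __name__ == "__main__":
    found, score = analyze(load_template(TEMPLATE_INF), OBSERVED)
    for section, name, expected, actual in found:
        print(f"[{section}] {name}: expected {expected!r}, found {actual!r}")
    print(f"score: {score}/10")
```

Running it lists the two drifted settings and a score of 7.5; the same loop is the shape of the work described above, where each remaining mismatch is a registry value or service setting to chase down in the Benchmark document.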

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID155 by Dave Piscitello  


Theft via USB Media

John Bumgarner and Mitch Kabay explain the threat USB media pose to organizations. Compact Flash, Secure Digital Cards, and their brethren provide tremendous portable capacity in ultra small form factors. They can be used to steal sensitive information if physical access to a computer that supports USB can be had.

This threat is considered different from other removable media because USB devices are easily concealed and a single theft can drain a company of gigabytes of sensitive information. But let's acknowledge the basic fact that physical

Gone in a Flash is a two-part article: Part 1 describes the threat, and Part 2 describes policies and countermeasures.

Good reading.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID156 by Dave Piscitello  


Wed, 29 Oct 2003
P2P makes SANS Top 20 - Why now?

Grant Gross, IDG News Service, reports that peer-to-peer software has been included for the first time on the SANS Institute's annual list of the 20 most exploited vulnerabilities. Outlook was included as well, which surprises no one.

I published an article in BCR magazine about the dangers of peer-to-peer applications exactly a year ago (Security And Peer-To-Peer Applications).

I know the SANS experts are as security savvy as I am, so why did it take so long for P2P to rise to the Top 20? Bad public relations team?

Nope. Until the RIAA began suing MP3 sharers, corporations and consumers shared a "no harm, no foul" attitude; more precisely, "it's not a foul if the ref doesn't see it". Now that litigation is in play, the corporate risk profile for P2P has changed to "this could cost us serious money", so it's only natural that SANS would raise P2P's status.

What's truly remarkable about the SANS list is that Outlook has been omitted from the Top 20 for so long. Since its introduction, Outlook has become universally perceived as synonymous with Internet worms: I could have used this {word, definition} pair in my Inaugural Security Puzzle as a "gimme".

Sad and deplorable...

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID154 by Dave Piscitello  


Mon, 27 Oct 2003
Security Crossword

If you've been faithfully reading my blog, you are ready to tackle YoDave's Inaugural Security Crossword Puzzle.

I will publish the solution next week.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID153 by Dave Piscitello  


Does once-a-month patching work for you?

John Hogan, Site Editor for SearchWin2000.com, wrote an editorial concerning Microsoft's announced intention to issue patches on a monthly basis, with exceptions for emergency cases. John asks how this policy is being received by the folks in Windows shops; specifically:

Does once-a-month patching work for you?

You should voice an opinion and take the poll.

I sent John the following in an e-mail:

John,

Ask yourself whether once a month works for you with other safety measures:

- gas leaks (it's a minor leak, you'll be fine until November 1st)

- carpenter ants (how much could they destroy in a few weeks' time?)

- plumbing (only a few drops are leaking onto the ceiling below, we can probably wait until the end of the month).

- home security (the camera's off center, we only have a partial view of the vault, let's

I can't help but conclude you are always better off (a) receiving notification and forewarning of a problem as early as possible, and (b) investing the time to remedy a problem as early as practical.

It's also important to get patches as early as possible so that you can TEST them before installing them on production systems.

We don't have good criteria for judging whether vulnerabilities are critical or benign, and it may well be that individual organizations' criteria will draw different conclusions than "general consensus".

I think this is an effort to simplify both Microsoft's distribution, multiple patch confusion, and administrative overhead. But ultimately, as an administrator, I would want to be notified quickly, have the patch made available quickly, have TIME TO EVALUATE IMPACT and TEST the patch, and finally, decide for my organization whether the vulnerability merits immediate attention.

------------

I'm curious, too, so drop me an email as well.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID152 by Dave Piscitello  


Wed, 22 Oct 2003
Don't leak your web server's private IP address

During the information gathering phase of a web application attack, a would-be intruder will study HTTP headers returned in basic request operations. One useful bit of information - the server's IP address - can be gleaned from the "200 OK" response.

By default, IIS (4.0 and 5.0) will insert the server's IP address in the HTTP Content-Location header of a 200 OK message. Why (when) is this undesirable? If you are NATing servers behind a firewall, Content-Location will return the server's private IP address. This tells the would-be attacker something about your topology. With an offline browser (WebZip), the attacker can collect all your web pages and study these to determine whether you are running a single server or many, and from this, where web (and other) content, CGIs and applications reside.

You are much better off having Content-Location return the fully qualified domain name of the server. Microsoft Knowledge Base Article 218180 describes several ways to modify the IIS metabase to change the default behavior and return the FQDN.
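A quick way to audit your own servers for this is to fetch a page and inspect the Content-Location header. The following is an added example (mine, not from the post or from KB 218180): it parses a raw HTTP response and reports whether the header carries a private, loopback or link-local literal. The two responses below are constructed, one showing the IIS default behind NAT and one showing the corrected FQDN form; the hostname www.example.com is a placeholder.

```python
"""Check an HTTP response for an IP address leaked in Content-Location.

Added example, not from the post or Microsoft KB 218180. Sample responses
are constructed; the FQDN is a placeholder.
"""
import ipaddress
from typing import Dict
from urllib.parse import urlsplit

# Constructed sample: IIS default, server sits behind a NATing firewall.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Location: http://192.168.10.5/Default.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: after the metabase change, the header carries the FQDN.
FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Location: http://www.example.com/Default.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw response into a {lower-case name: value} header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    _status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_content_location(raw: bytes) -> Dict[str, object]:
    """Report what the Content-Location host reveals.

    kind is one of: absent, relative, name, public-ip, private-ip.
    leak is True only when the host is a private, loopback or link-local literal.
    """
    loc = parse_headers(raw).get("content-location")
    if loc is None:
        return {"kind": "absent", "host": None, "leak": False}
    host = urlsplit(loc).hostname  # None for a relative Content-Location
    if host is None:
        return {"kind": "relative", "host": None, "leak": False}
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: the header names the server, which is what we want.
        return {"kind": "name", "host": host, "leak": False}
    internal = addr.is_private or addr.is_loopback or addr.is_link_local
    return {"kind": "private-ip" if internal else "public-ip", "host": host, "leak": internal}


if __name__ == "__main__":
    for label, sample in (("default IIS", LEAKY_RESPONSE), ("after fix", FIXED_RESPONSE)):
        print(label, classify_content_location(sample))
```

Point it at a captured response from your own web server (or wire `parse_headers` to the bytes returned by a socket read) and a `private-ip` result is the signal that the metabase change in KB 218180 still needs to be made.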

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID151 by Dave Piscitello  


Tue, 21 Oct 2003
21 Best Ways to Lose Your Information

Kevin Beaver's cynical column from August 2002 is in the spotlight again at SecurityFocus. I thought of some corollaries to his list:

To #3, don't patch your software, add, "but if you must, patch immediately on production systems, there's little point testing a patch - after all, how often do vendors botch the patch itself?".

To #10, rely solely on technology, add, "never read the manuals or help files, they can't possibly assist you in configuring your system correctly".

To #12, don't monitor your systems, add, "but if you must, don't bother reviewing log and event data, most of it's 'noise' anyway..."

To #13, don't back up your data add, "and while you're at it, don't back up your configuration data as well".

If you think of any to add, let me know...

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID149 by Dave Piscitello  


Mon, 20 Oct 2003
Transparent, Bridging Firewall Devices

Matthew Tanase's article discusses the merits of transparent or bridging firewalls. When a device bridges rather than routes, it's not identifiable in the IP level packet stream (no TTL decrement, for example). Bridging is also helpful in topologies where addressing is a problem. A good read.

Matthew also hosts The Security Blog. I found some interesting reading there as well.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID150 by Dave Piscitello  


Thu, 16 Oct 2003
Enough with The Microsoft Factor: Broaden the Scope!

After reading Fred Avolio's NetSec Letter #29 and blog on A Linux Desktop, I sent the following in an email to Fred, and copied Marcus Ranum:

IMO, too much attention and emphasis are being placed on the terrible consequences of homogeneity and too little on improving (secure) coding practices. Last time I looked, which is *recently*, exploits continue to be disclosed for every *NIX operating system, at a pace arguably close to Windows exploit disclosures. The notion that we'll somehow insulate society from massive computing meltdown by diversifying across dozens of exploitable operating systems doesn't hold water. If I were an organization motivated enough to attack a cyber-infrastructure, and that infrastructure was heterogeneous, I'd simply throw more cycles at developing an attack that would succeed on multiple platforms. The fact that this hasn't been done yet isn't enough to convince me it can't be done. Windows happens to be perceived to be the low-hanging fruit, the 90-lb. weakling, and the target of amateurs.

I can make the same or stronger argument for user-introduced consequences. Windows or *NIX, we are simply awful at securely configuring systems. We're lazy. We don't RTFM. And it's been my experience (which I'll claim is extensive, since I have evaluated dozens of appliances and software products) that often as not, when we do RTFM we discover features are documented incorrectly, or not documented at all. If everyone took 30 minutes and exerted the modest effort required to install and configure a PFW and AV software, exploit frequency would fall dramatically.

I'm also tired of hearing about *Nix superiority w/r/t security. I run a Win2k server and desktops. I invest a considerable effort to see it is secured, but no more so than anyone must to secure Linux. I've run a Linux server, and after running both, I will tell you that I feel more confident with Win2K than I did with Linux. I had better access to resources, documentation, assessment tools, security templates, etc. Your results will probably vary, but I believe this is so because you were weaned on Linux and I on Windows (well, Mac, then Windows). The largest financial firms run windows servers and they are tight as a drum. They could make Linux servers tight as a drum as well, because they have time, talent, approval, and motivation to develop and implement secure operations and practices.

The sad fact is that all commercial operating systems fail to meet secure computing criteria. Even if any *one* OS met the criteria, I believe it will be a long time before the general population would be able to maintain them securely *and* be productive. Being secure and productive takes time and thoughtful action. We don't want to invest either.

As expected, nay, anticipated, Marcus offered yet another example of why I love email threads of this sort:

It's a complex problem in many variables - worrying about any one of them preferentially is going to just leave you open someplace else.

The problem is about:

bad code
bad defaults
bad policies
bad administration
bad documentation
bad users
bad marketing
... etc.

If we apply pressure to any one, two, or three of those, we won't make any actual progress. But we'll have some limited and transient success. (viz: M$ secure coding initiative. firewalls, etc)

The question I am now mulling over isn't whether limited and transient success puts us in a better place than we are now (strongly agree) but whether it's the best we can expect...

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID147 by Dave Piscitello  


Wed, 15 Oct 2003
What Broadcast Traffic Reveals

Messages broadcast over LANs are useful to you, and to a would-be attacker. Some broadcast traffic may not be useful to you at all, and only serves to inhibit network performance. This article illustrates what broadcast Ethernet traffic reveals, and recommends measures to eliminate unnecessary traffic to better protect yourself and tweak performance.

This column was originally published as a WatchGuard LiveSecurity Editorial, 14 August 2003.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID146 by Dave Piscitello  


A Friendly Alternative To Registry Editing

Many users don't know how to harden Windows 2000/XP desktop and laptop computers. In this column for WatchGuard, I explain how to improve your security policy without having to contend with registry editing.

This column was originally published as a WatchGuard LiveSecurity Editorial, 25 July 2003.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID145 by Dave Piscitello  


Tue, 14 Oct 2003
WLAN Security Checklist for SMBs

Compiled, updated and improved over time, this "form" lists the security considerations small and medium businesses should consider when deploying wireless LANs. We distinguish SMB from large enterprise by an assumption of security budget: SMBs have stricter budgets and satisfy security requirements with smaller staff and less expensive equipment. Small office budgets in particular tend to make consumer WLAN products tempting substitutes for more expensive but more secure APs and firewalls.

Our checklist identifies features that should help SMBs make an informed decision.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID143 by Dave Piscitello  


Mon, 13 Oct 2003
802.1x and EAP Primer

Provided as a handout at the ISSA South Carolina Chapter meeting (October 13), this article explains the IEEE 802.1x features, services, and message flow.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID144 by Dave Piscitello  


Fri, 10 Oct 2003
Windows 2000 Server Drivers for Dell Dimensions

Howard Flank, a visitor to my weblog, informs me that the elusive Windows 2000 Server drivers for Dell Dimension series PCs I complained so bitterly about in blog #13 are finally available from Dell. Howard says, "you seem to have to enter your service tag no. (which an auto-download will determine for you)." Here is the direct link. The USB 2.0 drivers are available from Micro$oft.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID141 by Dave Piscitello  


Tue, 07 Oct 2003
ComDex 2003 Las Vegas

In my role as track chairman, I will be moderating three security sessions at ComDex 2003 in Las Vegas:

  • Intrusion Prevention Systems, with Abhishek Chauhan and Conrad Herrmann,

  • Dealing with SPAM, with Michael Ostermann and Dr. Paul Judge, and

  • Security for Handheld PDAs, with Caleb Sima and Tom Goodman.

I will also be teaching a workshop on Secure Access using SSL VPNs.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID142 by Dave Piscitello  


Mon, 06 Oct 2003
Cheap Tricks - USB External Enclosures for Hard Drives

I recently purchased a Coolmax Gemini CD-309 Series External Enclosure for 3.5" IDE drives. This is one of those under $40 purchases I can't help but recommend.

If you have a spare hard drive - perhaps you've cannibalized a dead or time-to-retire PC, or found one for cheap on eBay - you can create an enormous and reliable removable/portable storage device.

Installation is so simple it's printed on the back of the packaging: remove back panel, slide out HDD tray, connect IDE cable to HDD, connect power cable, and close the case. Plug the USB into a computer and power up the drive. Windows 2000/XP PnP recognizes it as removable storage. Yes, there are screws involved, but you don't have to fret about Evil Static Electricity, and there's really nothing you can break.

I found myself wondering why I'm buying 128 and 256 MByte Compact Flash and Secure Digital cards when I can have 10 Gigabytes for under $100 (including case and hard drive).

Then I remember I have a digital camera and MP3 player... O.K., so I use many removable media.

But with the portable HDD, I can back up reams of information on spare hard drives, or create and store system partition images for all my systems, a bootable forensics partition, or just back up the hundreds of music files I've ripped (from my CDs, emusic.com, and other authorized music distributors, thank you...).

It's a small price to pay for contingency and continuity planning...

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID140 by Dave Piscitello  


Sat, 04 Oct 2003
Glorifying Exploits is Misguided

Alfred Huger posts lists of articles at SecurityFocus as they become available. Recently, he noted the publication of the first of three articles entitled Exploiting Cisco Routers.

The column is very interesting, as it reveals several exploits and vulnerabilities that are not particularly new, but troublesome still.

In my opinion, this column would have been so much more valuable to the security community if written in a constructive manner.

The title itself disheartens me: "Exploiting cisco routers" is an "I'm sooo kewl look how easily I can crack your box" perspective that only encourages people to believe that this is the true merit of pen-testing. Further into the column, I read the section entitled "Brute-Forcing Services: SNMP is always fun". Fun? How many networks can you probe and discover the same missing patch, or configuration error before you think, "this is sad..." rather than "oh, what fun!"? (Perseveration is symptomatic of psychological and language disorders, but now I stray from the topic...)

If I wanted to make a case for distinguishing pen-testing from security auditing, I can't help but feel columns like this reinforce the attitude that pen-testing is an amateur's activity. This is sad, too.

If SecurityFocus wants its portals and lists to continue to be a resource for people interested in securing systems, its editors might want to consider exerting some influence and encourage authors to write in terms of identifying and eliminating vulnerabilities than exploiting them.

Imagine how positive and more widespread an influence these same columns might make if they were titled "Identifying and Mitigating Cisco Router Vulnerabilities".

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID139 by Dave Piscitello  


Fri, 03 Oct 2003
Mission-Critical Planning

Matthew Liotine's new book, Mission Critical Planning will be released shortly.

My Foreword is available here, and now.

This is an excellent book, and provides very practical and useful advice for anyone involved in business, network, and services continuity planning. I reviewed every chapter, and refer to the pre-production manuscript still. I'm looking forward to receiving my copy soon.

You can order a copy at Amazon.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID138 by Dave Piscitello  


Rush Limbaugh is a Big Fat Bigot

John Ridley offered a spot-on commentary about Rush Limbaugh today on NPR. By nearly all accounts, Limbaugh's comments regarding NFL Quarterback Donovan McNabb were racist: certainly the ones the liberal media printed were. But of course Rush claims these are precisely the people responsible for all this trouble. Thankfully, he's gone from ESPN's broadcast team and I can watch football again.

IMO, Ridley correctly classifies Rush as a member of the "frightened bigoted wing of the establishment" who both blame affirmative action for all that's wrong in America while simultaneously crediting the program and not the individual whenever a minority is successful at anything.

Al Franken only got it partly right: Rush is a Big Fat Bigoted Idiot.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID137 by Dave Piscitello  


Thu, 02 Oct 2003
Legal View of WiFi Scanning ("netstumbling")

The subject of whether scanning for WiFi networks is an illegal act came up three times in casual conversation this week. I recall having saved a post to the pen-test mailing list hosted by SecurityFocus.com. According to the posting, it's not illegal to scan RF and stumble upon SSIDs, channels in use, etc. However, once a theft of service, denial of service, or theft of information occurs, then the act becomes a federal violation. See Title 18, Chapter 47, Section 1030 of the US Criminal Code.

So if you stumble onto a WiFi network while performing a site survey, you are not violating a law. If you join an open system for a "free ride", capture or interfere with traffic on a network you've stumbled upon, you can find yourself in a heap o' trubble of the "fine or imprisonment or both" kind.

The posting claims that this is an FBI response garnered from a San Francisco office special agent, who is also an InfraGard coordinator.

I'm now comforted that I won't be 'cuffed and hauled away next time I'm in the Atlanta Marriott Marquis hotel trying to legitimately avail myself of the iBahn WiFi services by stumbling, because neither the concierge, desk staff, nor business office can offer anything other than a blank stare when I ask for the SSID (BTW, it's STSN).

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID136 by Dave Piscitello  


Wed, 01 Oct 2003
If 50 Million isn't a Mandate, 43.6 Million isn't as well...

NPR will run a program later this week commenting on the number of Americans without private health care insurance, which increased for the second, third, or fourth straight year, (depending on your source, but try WISTV.com).

However many years you choose, the fact that it's up over 6% over the past year, to 43.6 Million, is a dreadful indictment on our sorry sense of democracy in action. People are "choosing" to go without health insurance.

I imagine some people are choosing to drive flashy cars. My heart goes out to the many choosing to eat...

Instead of arguing over ~$20 Billion for rebuilding Iraq, perhaps we could budget half of that amount for healthcare.

Frankly, I like the sound of Leave No Healthy Child Behind...

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID135 by Dave Piscitello