Domain: sans.edu
Stories and comments across the archive that link to sans.edu.
Comments · 323
-
Re:Numbers don't lie
You can measure it in terms of raw numbers of defects found.
That's a pretty bad metric. Defects found is most certainly not the same as defects existing, or we wouldn't have the security situation we have today.
Granted, yes, we know those defects are in there because those defects are eventually found... by someone... but the huge elephant in the room is that 80% of security defects are not found by the company which wrote the code. In any other industry that kind of failure rate would be not just criminal but verging on hostile military action.
What we need is positive proof that defects simply aren't there, rather than knowing that an unknown number of possibly catastrophic defects are there but are likely to be found by the bad guys first. And we can get there using mathematics, but not using the languages which we're currently using, because they're mathematically intractable.
C and C++ are fast. But fast and full of 0-days just means you get rooted quicker. It's not good enough any more to say "but there's no alternative to C/C++". If there's no alternative to C, there's no alternative to a global infosys apocalypse. We can do better, and we need to if the Internet is going to survive.
-
Re:What could possibly go wrong?
This feature doesn't let websites run native code on your machine.
Well, that's CLEARLY enough. Because we all fully know and understand that non-native interpreted code can never EVER break out of its sandbox and run native shellcode. Never.
-
Re:Not too hard
I find the SANS site very good as well. I usually have their "Storm Centre", "@Risk" and "NewBytes" in my daily RSS intake. It's a good overview of security happenings in general, patch announcements, and the status of upcoming and unknown attacks that people are reporting. It's quite concise in the RSS format as well.
-
Some links and tips?
some sites:
http://www.securitywizardry.com/radar.htm
(a little heavy on the java)
You could subscribe to the CERT messages, but they kinda lag. There are some good security related mail lists which I can't remember at the moment...
Check available updates for packages and kernel...
Look at mod_security for apache
If you're running wordpress or some other CRM app, be careful on how much you rely on third party packages
If you have phpadmin or webadmin installed, you may want to limit what IP's have access to it.
If you're running sshd, you may want to block bruteforce attempts after a certain number of bad tries. You should probably just use certificate based authentication instead of passwords.
-
Re:First, antivirus authors used generic tools to.
Interesting article at the Internet Storm Center "Why Flame is Lame"
http://isc.sans.edu/diary.html?storyid=13342#comment
-
Re:Cyber war threat level
-
There's TONS U can do (to make ANY OS more secure)
For Windows, I've been writing up such guides since 1997 to present, ala -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&qs=ns&form=QBLH & YES, it really does work (on very common-sense principles too largely, & largely with tools ALREADY PRESENT in the OS itself).
(The originals are from 2001 -> http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text & from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml )
Yes - The same goes for Apple/MacOS X:
http://isc.sans.edu/diary.html?storyid=12616
And, yes - The same goes for Linux variants:
http://www.bing.com/search?q=%22HOW+TO+Secure+Linux%22&go=&qs=ns&form=QBLH
* NONE OF THEM SHIP AS SECURED AS IS POSSIBLE "outta-the-box/oem-stock" is why... & as you can see? Folks in the community out there (like myself shown above) for years have been putting out guides for securing Windows (and the same goes for MacOS X &/or Linux too) - &, per the single example above from Apple? So do the oem's of these OS!
APK
P.S.=> The OEM's of these OS ship them that way so that "things just work right off" when you setup your machines & Operating Systems is my guess, but... it's "on you", as the end-users, to do the rest typically's all!
... apk
-
Re:1 million pages?
Midway through http://isc.sans.edu/diary.html?storyid=12127 it says "UPDATE 8/12/2011" in bold, underlined letters.
-
Re:That is *not* out-of-band
So because I only linked one source, it must be the ONLY one?
How about this one from 2008? https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032393979&CountryCode=US
Or this one from last year? http://blogs.technet.com/b/msrc/archive/2010/09/30/q-amp-a-from-the-september-2010-out-of-band-security-release-webcast.aspx
Or this one from waaay back in 2006? http://blogs.technet.com/b/msrc/archive/2006/09/26/459194.aspx
And someone other than Microsoft: http://isc.sans.edu/diary.html?storyid=8062
And someone else: http://my.opera.com/wikipedian/blog/2011/09/28/for-reasons-unknown-microsoft-has-released
And someone else: http://www.dataprotectioncenter.com/antivirus/sunbelt/microsoft-will-do-out-of-band-patch-for-lnk-vulnerability/
Need I go on?
-
A confusing summary on /., let me try to do better
BIND is written by Internet Systems Consortium aka ISC, a non-profit that does various public benefit things for the Internet. The summary links to an alert from the Internet Storm Center aka ISC, a project of the SANS Technology Institute. There is no relation between these two ISC's, in this case the first authors the software, and the second tracks vulnerabilities. I'm sure by using a link to SANS many people on /. who are not familiar with these two ISC's will get them confused.
The link in the summary also goes to a preliminary version of the advisory. The correct, full summary is available on Internet Systems Consortium's web site as CVE-2011-4313.
I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can be exploited to do something, and that is used by bad-actors before the vendor is aware and able to fix the issue. In this case the bug simply crashes the server; there's no remote root or other exploit, and at this time there is no evidence of bad-actors using this bug at all. Rather it appears something interesting (unusual, perhaps put there intentionally) appeared in the DNS, and it triggered a bug in the software.
Some historical context may help. BIND8, for those who used it, was a pile of poo. It had a huge number of security issues and other problems and was generally a nightmare for sysadmins. Many people stayed on BIND 4.9.x for a very long time because of the issues in BIND8. When ISC launched BIND9, they wanted to change this perception. The action relevant to this bug is that BIND9 was designed to be full of assertions and other checks in the code. The goal was to catch any badness early, and if it was uncorrectable crash in a predictable way. The thought was that crashing with a core dump where you can fix the problem is far better than running off with bad data that could eventually be used in some sort of remote-root exploit.
This issue is sort of the payoff of that philosophy. Rather than taking this bad data and giving a remote hacker access to the machine BIND9 caught it with an assert, logs a useful message and core dumps. This is a big part of why 0-day leaves the wrong impression with me, "denial of service vector" seems to perhaps be a more accurate description. Sure, we could have a lively debate about if crashing is preferred or not, but I think most of the administrators who lived through BIND8 prefer the BIND9 procedures.
Internet Software Consortium also offers support for BIND (and DHCP). I'm amazed how many people run large, production name servers on BIND yet don't have a cheap support contract. If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.
-
Re:Certificate revocation
From what I understand, the DigiNotar CRL isn't to be trusted at this point. Logs were deleted as part of the hack, and they're not completely sure which fraudulent certificates were issued.
Their OCSP servers were modified to consider all certificates as revoked, except for those on a whitelist. This is the opposite of how OCSP usually works, and the correct approach in this situation. However, CRLs can only be used as a blacklist.
-
Re:I've used both KDE and GNOME for years.
The real question is what happens to everybody's work when you do "a system restore" and you must have some sort of miracle network and hardware that can shove an entire image down to the disk, write it to the disk and restart in under 10 minutes. Yeah we know that 90% of the world uses windows and that's why we have so many problems with spam, ddos, virus etc. Please go back to restoring your systems in under ten minutes MULTIPLE TIMES a day because the average time that windows systems remain uncompromised is about 10 minutes ( http://isc.sans.edu/survivaltime.html)
-
Re:And this is a surprise?
3, Sonicwall is not a good example... Take a read of :
http://isc.sans.edu/diary.html?storyid=5419
and several more examples can be found via google, basically sonicwall see fit to disable functionality of their products if they believe your firewall to not be correctly licensed, even when that belief is based on buggy code...
Any protection provided by a sonicwall device is liable to get disabled next time they have a license server failure, leaving your organisation open to attack. Do you really want to trust a vendor that is willing to screw you on suspicion that your license is invalid?
At the very least, if a device believes itself to be unlicensed it should just warn the users... it should never automatically open up the user to attack! that's totally irresponsible.
1/2/4 - most organisations already do this, it doesn't generally help much and these places still get owned...
2, it's extremely hard to secure an active directory domain... because of how the system is designed, you typically only need a single weakness to get in.. look at how organisations like rsa or google were hacked, starting from a single unimportant workstation.
If you have lots of machines, then you probably don't have budget to ensure that every piece of software on every machine is up to date and appropriately configured, and that every user is appropriately educated and that there are no unprotected network ports etc...
5, run wsus across a few hundred workstations, ensure it believes everything is up to date...
Now, run an authenticated scan with nessus across those workstations... You will typically find that some machines are still missing updates, and that in many cases windows thinks an update has been applied but some or all of the files installed by the update are not there. If you find issues like this, you can manually compare the versions of the files on the system with the versions that should be installed by the patch (most ms knowledgebase articles list the file versions).
You make a point on moving away from IE6, but you forget the most important aspect - MAKE SURE A SITUATION LIKE THIS NEVER HAPPENS AGAIN! - and that means ensuring that any new applications you deploy are standards compliant and cross platform, so you won't find yourself tied to any insecure proprietary crap again in the future.
-
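The manual check described in the comment above (Windows says the update is installed, but are the files it should have dropped actually there, at the right versions?) can be scripted. This is an added example written for this page, not code from the commenter, from Nessus or from Microsoft; the KB number, file paths and expected versions in it are hypothetical placeholders that you would replace with the "File information" table from the real KB article.

```powershell
# Added example, not code from the comment above or from Microsoft: cross-check
# what Windows *believes* is installed (Get-HotFix) against the file versions a
# KB article says the update ships. The KB number, file paths and versions below
# are hypothetical placeholders; copy the real ones from the KB's "File information" table.

function Get-FileVersionOnDisk {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Use the numeric parts: the FileVersion string often carries a build-tag suffix.
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Compare-PatchFileVersions {
    param(
        [Parameter(Mandatory)][string]$KbId,         # e.g. 'KB0000000' (placeholder)
        [Parameter(Mandatory)][hashtable]$Expected   # file path -> minimum file version
    )
    # What the OS claims (this is the same source WSUS reporting trusts).
    $hotfix  = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $claimed = if ($hotfix) { "installed on $($hotfix.InstalledOn)" } else { 'NOT listed as installed' }
    Write-Host "$KbId according to Windows: $claimed"

    # What is actually on disk.
    foreach ($path in $Expected.Keys) {
        $want = [Version]$Expected[$path]
        $have = Get-FileVersionOnDisk -Path $path
        $status = if ($null -eq $have)     { 'MISSING' }
                  elseif ($have -lt $want) { 'OLDER' }
                  else                     { 'OK' }
        [pscustomobject]@{ Path = $path; Expected = $want; OnDisk = $have; Status = $status }
    }
}

# Hypothetical placeholders; replace with the KB's actual file table.
$expected = @{
    "$env:SystemRoot\System32\example_a.dll" = '6.1.7601.17514'
    "$env:SystemRoot\System32\example_b.sys" = '6.1.7601.17514'
}

$results = Compare-PatchFileVersions -KbId 'KB0000000' -Expected $expected
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) missing or older than the patch expects: reinstall the update and rescan."
}
```

Run it elevated on a workstation that WSUS reports as fully patched; a MISSING or OLDER row alongside "installed on ..." is exactly the discrepancy the comment describes. Get-HotFix only reports updates recorded through Windows Update/servicing, so treat its answer as the claim being tested, not as ground truth; the file versions on disk are.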
sites using Microsoft SQL Server 2003/2005
According to SANS: http://isc.sans.edu/diary.html?storyid=10642&rss , only sites running MS SQL Server 2003/05 (and PHP, obviously) are targeted.
-
Some charts supporting this
(alphabetically)
SANS Internet Storm Center (I can't get the graph working, ymmv)
SenderBase
SpamCop (a feed to SenderBase)
Symantec
ThreatPost (TFA)
Websense Monthly reports (December not yet available, Websense is TFA's source)
An observation: spammers celebrate holidays too; it's hard to recover from a series of shutdowns while dealing with family affairs. I hope their holidays were joyful and full of lasting distractions...
-
Re:Um, What?
This isn't true though. For example, CVE-2010-0840 is a Java hashmap vulnerability that has been used, in the wild. "A user only needs to browse to an infected webpage, and the exploit pulls down a series of .exe files" http://ics.sans.edu/diary.html?storyid=9916 http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit:Java/CVE-2010-0840.A&threatid=2147640548
-
Re:Fibre was cut
It was a fiber cut. Poor weather caused delays in getting repairs made. See: http://isc.sans.edu/diary.html?storyid=9655 Given the fact that there is more than one root server I find this a bit of a non-story. Obviously the internet continued to function as it should.
-
Re:Cool, I can't wait...
Let's see, the last 5 wireless routers I've seen installed in people's houses had the default password still there, no encryption set and their SSID was something like Linksys or Netgear.
When I asked the owner about it, the response was either
1. I don't know how to change that.
2. I know how to change it, but I just stopped screwing with it once I was connected.
3. My house is far from the street, I don't think anyone can get a signal, I barely can.
as for 3. with the huge range on N routers and laptops, then add the range you get with a good external/directional antenna, and I can sit in my house and get a dozen hits, and I'm in a rural area. I digress.
Now consider how lazy these people are, how many of them are going to get a dedicated or personal firewall installed once their ISP drops in a router that lets every computer have its public IP that's completely routeable. None of them. All they know now is their torrents are going to start working and their slingbox is going to start working at the office without any of that confusing port forwarding.
Yeah, NAT isn't security, but it sure did help. Imagine how bad the virii/worms are going to be once they have direct access to EVERY UNPATCHED WINDOWS MACHINE ON THE INTERNET.
So many people are currently protected by NAT and it's 'good enough.'
Sure, you can argue that it's their problem, and it won't affect you, but that's false. Once these computers are opened up, they ALL become servers. Virus hosting, spam sending servers. Do you know what that's going to do to the available bandwidth?
Imagine this when NAT is gone
http://isc.sans.edu/survivaltime.html
-
CWDIllegalInDllSearch
Has anybody written a test to verify that Microsoft's fix has been properly applied? It would be a simple DLL that pops up a message, and a simple EXE that loads the DLL (which has a new unique name). Or even two versions of the DLL, one with a good message and one with a bad message. One goes in the system path, one goes in the same path as the EXE, a temp folder.
The MS kb patch has one typo, you add a new DWORD value to the registry, not a new key.
http://support.microsoft.com/kb/2264107
MS fixed the other typo mentioned here:
http://isc.sans.edu/diary.html?storyid=9445
-
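Two things the comment above asks for can be checked from PowerShell: whether the CWDIllegalInDllSearch setting from KB2264107 is actually in place as a REG_DWORD value (the KB typo the commenter mentions would have people create a key, which does nothing), and which directory a bare LoadLibrary("name.dll") would end up loading from with and without that setting. This is an added example written for this page, not the commenter's proposed two-DLL test and not code from Microsoft. The search-order walk is a model of the default SafeDllSearchMode order and deliberately ignores KnownDLLs, SxS manifests and modules already loaded in the process; the marker file it creates is a plain text file with a .dll name, not a real DLL, so nothing is executed.

```powershell
# Added example, not code from the comment above or from Microsoft.
# 1. Verify KB2264107's CWDIllegalInDllSearch is a DWORD *value* (not a subkey).
# 2. Model the default DLL search order to show what the value changes.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchSetting {
    # The KB typo would have you create a *key* of this name; that is silently ignored.
    if (Test-Path -LiteralPath (Join-Path $regPath $valueName)) {
        Write-Warning "Found a subkey named $valueName; the setting must be a REG_DWORD value under $regPath."
    }
    $key = Get-Item -LiteralPath $regPath
    if ($key.GetValueNames() -notcontains $valueName) { return $null }
    if ($key.GetValueKind($valueName) -ne 'DWord') {
        Write-Warning "$valueName exists but is $($key.GetValueKind($valueName)), not REG_DWORD; it will be ignored."
        return $null
    }
    # A DWORD of 0xFFFFFFFF comes back as Int32 -1; normalise to unsigned.
    $raw = [int64]$key.GetValue($valueName)
    return [uint32]($raw -band 0xFFFFFFFF)
}

function Test-CwdDllSearchBlocked {
    # $CwdKind: 'local' | 'remote' (UNC / mapped network share) | 'webdav'
    param([AllowNull()][object]$Setting, [string]$CwdKind = 'local')
    if ($null -eq $Setting) { return $false }        # value absent: CWD is searched for every kind
    switch ([uint32]$Setting) {
        0xFFFFFFFF { return $true }                            # CWD removed from the search path entirely
        2          { return ($CwdKind -in 'remote','webdav') } # blocked for remote and WebDAV CWDs
        1          { return ($CwdKind -eq 'webdav') }          # blocked only for WebDAV CWDs
        default    { return $false }                           # 0 or unknown: legacy behaviour
    }
}

function Resolve-DllLoadPath {
    # Approximates the default (SafeDllSearchMode on) order for LoadLibrary("name.dll")
    # with no directory in the name. Ignores KnownDLLs, manifests/SxS, already-loaded modules.
    param(
        [Parameter(Mandatory)][string]$DllName,
        [Parameter(Mandatory)][string]$AppDir,
        [Parameter(Mandatory)][string]$Cwd,
        [AllowNull()][object]$Setting,
        [string]$CwdKind = 'local'
    )
    $order = @($AppDir, "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot)
    if (-not (Test-CwdDllSearchBlocked -Setting $Setting -CwdKind $CwdKind)) { $order += $Cwd }
    $order += @($env:PATH -split ';' | Where-Object { $_ })
    foreach ($dir in $order) {
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

# Demonstration: a uniquely named marker (plain text, NOT a real DLL) in a temp "CWD",
# and no file of that name in the application directory or the system directories.
$setting = Get-CwdDllSearchSetting
$appDir  = if ($PSScriptRoot) { $PSScriptRoot } else { $env:ProgramFiles }
$cwd     = Join-Path $env:TEMP ('cwdtest-' + [guid]::NewGuid())
$dll     = 'cwdtest_unique_name_' + (Get-Random) + '.dll'
New-Item -ItemType Directory -Path $cwd | Out-Null
Set-Content -LiteralPath (Join-Path $cwd $dll) -Value 'marker file, not a real DLL'
try {
    $shown = if ($null -eq $setting) { 'absent (CWD is searched)' } else { '0x{0:X8}' -f $setting }
    "Registry setting            : $shown"
    "Would load from (as is)     : $(Resolve-DllLoadPath -DllName $dll -AppDir $appDir -Cwd $cwd -Setting $setting)"
    "Would load from (FFFFFFFF)  : $(Resolve-DllLoadPath -DllName $dll -AppDir $appDir -Cwd $cwd -Setting 0xFFFFFFFF)"
} finally {
    Remove-Item -LiteralPath $cwd -Recurse -Force
}
```

On a box without the value, the "as is" line resolves to the marker in the temp directory, which is the planting scenario the fix is meant to close; with 0xFFFFFFFF it resolves to nothing. This only models the system-wide default: an application can still change its own search behaviour (SetDllDirectory, explicit full paths), so the behavioural two-DLL test the commenter proposes remains the definitive check for a given executable.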
Re:Convenient
1) http://blogs.pcmag.com/securitywatch/2010/08/unpatched_vulnerability_in_all.php
2) http://www.zdnet.com/blog/security/microsoft-warns-of-serious-unpatched-windows-7-flaw/6474
3) http://blogs.pcmag.com/securitywatch/2010/08/unpatched_vulnerability_in_all.php
4) http://www.computerworld.com/s/article/9176944/Microsoft_warns_of_bug_in_64_bit_Windows_7?source=rss_security
5) http://isc.sans.edu/diary.html?storyid=8023
6) http://news.cnet.com/8301-1009_3-10170962-83.html
7) http://www.geek.com/articles/chips/17-year-old-unpatched-windows-vulnerability-discovered-20100120/
8) http://arstechnica.com/microsoft/news/2010/03/exploits-of-unpatched-ie6-ie7-flaw-on-the-rise.ars
9) http://www.h-online.com/security/news/item/Several-known-vulnerabilities-to-remain-unpatched-on-forthcoming-Microsoft-patch-day-947191.html
10) http://www.myce.com/news/microsoft-confirms-windows-shortcut-zero-day-exploit-32107/?utm_source=myce&utm_medium=frontpage&utm_campaign=related_posts
There, 10 vulnerabilities, which either took Microsoft months after visibility to patch, or still aren't patched.
Now, STFU.
-
Becoming a manager
I was a techie, now a senior manager. There are a number of free resources available at http://www.sans.edu/resources/leadershiplab No expertise claimed; as I didn't know what to do about something, I researched it and wrote it down. Maybe it will help. And the best piece of advice I was ever given: use Outlook, and every time you tell someone to do something copy the body of the message into the calendar and set a reminder; once you start managing over ten people you will be amazed how poor your short term memory gets. Good luck!
-
SANS Graduate Degree
How about SANS.edu??