Archive | Security

Security is not a feature; it’s a process. Notes on issues, patches and essays on security.

Microsoft Patch Tuesday, May 2007

It’s the nineteenth week of the year, and Microsoft issues fixes #23 through #29, running a bit ahead of the pace from the last couple of years. And “Remote Code Execution” is obviously the goal of the bad guys. Here’s the list:

  1. MS07-023 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
  2. MS07-024 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
  3. MS07-025 – Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
  4. MS07-026 – Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
  5. MS07-027 – Cumulative Security Update for Internet Explorer (931768)
  6. MS07-028 – Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
  7. MS07-029 – Vulnerability in RPC on Windows DNS Server Could Allow

Here’s the Microsoft summary, with links for more details. The Internet Storm Center at the SANS Institute is rating most of these as “Patch Now!” with few contraindications. As usual, make backups, and get patching!

Notes from MerriLUG, 15-March-2007, Matt Brodeur on PGP/GPG Encryption and key-signing

Nineteen attendees participated in the March meeting of the Merrimack Valley Linux User Group, MerriLUG, held as usual on the third Thursday of the month at Martha’s Exchange in Nashua, NH.

Matt Brodeur gave a presentation on GNU Privacy Guard, GPG, the Free/Open Source implementation of the OpenPGP algorithms and protocols that grew out of Pretty Good Privacy. Matt pushed the presentation pretty quickly, as he wanted to ensure we had time for the keysigning, as well. Matt’s presentation is available from his website and that link, in turn, is on the GNHLUG Wiki along with the announcements and instructions.

Following the presentation, Matt and Heather Brodeur organized the key-signing. Nearly a dozen of us had prepared and registered our PGP certificates in advance, and we read our identifying information out loud, practicing our phonetic alphabet and confirming that I should have brought my reading glasses. Following that phase, we lined up in two queues and exchanged identification to confirm we had IDs that matched our names on the certificates. Heather was the caller for this slow-motion folk dance and kept us on task despite our urge to chat and socialize. An odd number of attendees and one additional volunteer made the sequence interesting, and we completed successfully.

Overall, I think the keysigning went quite well, by the number of signed keys I’ve received in the last week. I suspect we’ll have some feedback for Matt, too, on whether there might be some way we could make the follow-up key exchange easier. This was a lot of work, and I want to express my personal thanks to Matt and Heather for all the work. Thanks too, for all who attended and participated and asked questions, and thanks to Martha’s for providing the facilities.

Firefox gets a new update; FF 1.5 run nearly over

mozilla.org news reports “Firefox 2.0.0.3 and Firefox 1.5.0.11 Security and Stability Update”

“As part of Mozilla Corporation’s ongoing stability and security update process, Firefox 1.5.0.11 and Firefox 2.0.0.3 are now available for Windows, Mac, and Linux for free download from http://getfirefox.com… Due to the security fixes, we strongly recommend that all Firefox users upgrade to these latest releases… Note: Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. All users are encouraged to upgrade to Firefox 2. Firefox 1.5.0.11 is available for download from http://www.mozilla.com/firefox/all-older.html.”

So, there’s only about 5 weeks left of FF 1.5 support. Get testing your apps under 2.x. And get patching for the latest releases!

CentraLUG notes from Andy Bair’s Digital Forensic File Carving presentation

Our thanks to Andy Bair for making the trip north from Massachusetts to present to the Central New Hampshire Linux User Group on March 5th, 2007, the first Monday of the month, at the New Hampshire Technical Institute’s Library. Andy announced that his work at MITRE was done and that he would be starting a job at KoreLogic in the immediate future.

Andy worked with several friends at KoreLogic to take on the Digital Forensic Research Workshop (DFRWS) 2006 File Carving Challenge. They were supplied with a 50 megabyte “chunk” from a hard drive with the assignment to find as many files in that chunk as possible. The DFRWS’ motivation was to move the state of the art forward, and all participants were required to supply the source code of the applications they developed. Andy and his team won the challenge, beating out a number of other teams, notably Simson Garfinkel, who came in second. Andy demonstrated the procedures they worked out, talked about the algorithms they used, and showed the graphing of the results that made file boundaries and anomalies easier to pick out. Andy and his team extended the UNIX magic technique (the pattern database behind the file command) to detect patterns in files, extending magic to XMagic, which added regular expressions and more sophisticated rules to match files to the patterns. It was a very interesting presentation, presented well. Andy’s presentation, the source code and original data can be found at this link [Updated link – tr, 15-Feb-2010].
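To make the header/footer carving idea concrete, here is an added example (mine, not Andy’s or KoreLogic’s code, and not the DFRWS challenge data) that does the simplest form of what the magic/XMagic rules describe: regular-expression headers and footers over a raw byte chunk, with a length cap so a header whose footer never shows up (what a truncated or fragmented file looks like) is reported rather than swallowing the rest of the chunk. The rules, size limits and the sample “disk chunk” are all constructed for the example.

```python
"""Header/footer file carving over a raw byte chunk.

Added example, not the presenter's code. The chunk below is constructed
inline; it is not the DFRWS 2006 challenge data."""
import re

# (name, header pattern, footer pattern, max length).  The max length is an
# assumption for this example; it stops a header with a missing footer from
# claiming everything up to the end of the chunk.
RULES = [
    ("jpeg", re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), re.compile(rb"\xff\xd9"), 8 * 1024 * 1024),
    ("png", re.compile(rb"\x89PNG\r\n\x1a\n"), re.compile(rb"IEND\xae\x42\x60\x82"), 8 * 1024 * 1024),
    ("pdf", re.compile(rb"%PDF-\d\.\d"), re.compile(rb"%%EOF\r?\n?"), 16 * 1024 * 1024),
]


def carve(chunk: bytes, rules=RULES):
    """Return [(type, offset, length)] sorted by offset.

    length is None when no footer was found inside the window: the header is
    real but the file is truncated or fragmented, so it needs manual follow-up."""
    found = []
    for name, header, footer, max_len in rules:
        for m in header.finditer(chunk):
            start = m.start()
            window = chunk[start:start + max_len]
            # Search for the footer only after the header bytes themselves.
            f = footer.search(window, m.end() - start)
            found.append((name, start, None if f is None else f.end()))
    return sorted(found, key=lambda entry: entry[1])


def extract(chunk: bytes, entry):
    """Bytes of one carved object: up to the footer, or to the end of the chunk."""
    _, start, length = entry
    return chunk[start:] if length is None else chunk[start:start + length]


# Constructed sample chunk: three whole files and one truncated JPEG in zero filler.
FILLER = b"\x00" * 64
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
FAKE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"cut off before EOI"
SAMPLE_CHUNK = (FILLER + FAKE_JPEG + FILLER + FAKE_PNG + FILLER + FAKE_PDF
                + FILLER + TRUNCATED_JPEG + FILLER)

if __name__ == "__main__":
    for entry in carve(SAMPLE_CHUNK):
        print(entry)
```

Running it lists the JPEG at offset 64, then the PNG, the PDF, and finally the truncated JPEG with a length of None. Real carvers go well beyond this (validating structure after the header, handling fragments, scoring candidates), which is the territory the graphs and XMagic rules in Andy’s talk were addressing.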

Thanks to Andy for the presentation, to Bill Sconce for supplying the projector, and to the New Hampshire Technical Institute for providing the facilities.

Upcoming presentations include:

  1. Bill Stearns demonstrating Logical Volume Management on April 2nd,
  2. Seth Cohn presenting Drupal on May 7th, and
  3. Ben Scott presenting OpenWRT on June 4th.

We plan to meet at the usual location, but keep an eye out for a more detailed announcement as the date gets closer.

Microsoft’s Tuesday the 13th Security Bulletin

********************************************************************
Title: Microsoft Security Bulletin Summary for March 2007
Issued: March 13, 2007
Version Number: 1.0
Bulletin Summary: http://go.microsoft.com/fwlink/?LinkId=85543
********************************************************************

Summary:
========

Microsoft has not released any security bulletins on March 13, 2007.

Wow. Imagine that. Division by zero.

Netcraft: WordPress Distribution Compromised, Update Released

“A recent distribution of the popular blogging software WordPress was compromised during a server intrusion, the development team said late Friday. All WordPress users who have downloaded and installed version 2.1.1 are urged to immediately upgrade to version 2.1.2. Earlier versions of WordPress are not affected.”

Ouch! Get patching. I had downloaded but not yet upgraded. There’s a patch to avoid.

BBC NEWS | Technology | Microsoft fixes 20 security holes

“Windows users are being urged to install Microsoft’s February security update which contains 12 patches for 20 vulnerabilities… The bumper package includes fixes for loopholes that malicious hackers are known to be already exploiting.”

An astounding list of “Remote Code Execution” bugs includes HTML Help’s ActiveX control (whoever thought making the browser an “integral part of the operating system” was a good idea?), Word, MDAC, the Microsoft Malware Protection Engine (how’s that for irony?), and more. Security Bulletins MS07-006 through MS07-016 detail the mess. (It’s the sixth week of 2007, for those keeping score.)

Windows users – get patching! http://www.microsoft.com/technet/security is a good place to start for more information.

Notes from CentraLUG meeting, 5-Feb-2007: Matt Brodeur and GNUPrivacyGuard

We were lucky last night to have Matt Brodeur drive up from his day job at Red Hat in Westford, MA to present a meeting on GPG, the open source implementation of OpenPGP, the standardized descendant of the Pretty Good Privacy algorithms and utilities. Matt had a slideshow in OpenOffice.org 2 Impress (available at http://www.nexttime.com/mbrodeur/GPG2007) and in PDF here.

Eleven attendees made it to the meeting. Matt briefly discussed the origins of PGP, and then dove right into the process and utilities of how Privacy Guard works. Matt had also brought some scripts he replayed to walk through the sequence of generating a key pair, signing another person’s key, and publishing keys to a keyserver. Matt walked us through the concepts behind the Web of Trust and the issues and processes of revoking keys. During the presentation and afterward, there were a fair number of questions, and Matt dealt with them well.

Although we had hoped to have a keysigning as part of the meeting, we elected to postpone that portion to future meetings. As the group is fairly small, we agreed we can do individual signings as needed.
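The fingerprint read-out at the MerriLUG keysigning above, and the key-generation and signing sequence Matt walked through here, both rest on one fact worth seeing in code: the fingerprint covers only the public key material and its creation time, not the user ID, which is why checking photo ID against the name on the certificate is a separate step. The following is an added example of mine (not Matt’s scripts and not GnuPG’s code) that builds a v4 RSA public-key packet body from constructed, non-real key bytes, computes the RFC 4880 fingerprint over it, formats it the way gpg prints it, and normalizes a fingerprint transcribed from the party list before comparing. The key bytes, timestamp and function names are assumptions for the example.

```python
"""OpenPGP v4 key fingerprint (RFC 4880 section 12.2) as read aloud at a keysigning.

Added example with constructed key bytes, not a real key and not GnuPG code."""
import hashlib
import re
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit count, then big-endian value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algorithm 1, n, e.

    Note what is NOT in here: no name, no e-mail address.  User IDs live in
    separate packets and are not hashed, so the fingerprint alone proves
    nothing about who holds the key; that is what the ID check is for."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length, and the body itself."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of the fingerprint."""
    return fpr[-16:]


def display(fpr: str) -> str:
    """gpg --fingerprint layout: ten groups of four, an extra space after the fifth."""
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def normalize_transcribed(text: str) -> str:
    """Collapse spacing and case so a fingerprint copied from the printed
    party list, or typed from the phonetic read-out, can be compared exactly."""
    return re.sub(r"[^0-9A-F]", "", text.upper())


def transcribed_matches(computed: str, transcribed: str) -> bool:
    """True only if all 40 hex digits agree; a near match is a mismatch."""
    return normalize_transcribed(transcribed) == computed


# Constructed sample material: bytes shaped like a 1024-bit modulus, not a real key.
SAMPLE_N = int.from_bytes(bytes(range(1, 129)), "big")
SAMPLE_E = 65537
SAMPLE_CREATED = 1173934800  # an assumed creation time in March 2007
SAMPLE_BODY = rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
SAMPLE_FPR = fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    print("Key fingerprint =", display(SAMPLE_FPR))
    print("Long key ID     =", long_key_id(SAMPLE_FPR))
```

Two consequences fall out of the code. Changing the creation time by one second gives a completely different fingerprint, so two keys with identical RSA material but different timestamps are distinct keys. And because only the low 64 bits form the key ID, signing a key you located by ID alone is not enough; the full fingerprint is what you confirm at the party before you sign.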

Future meetings: March 5th will feature Andy Bair talking about “Digital Forensics File Carving,” a popular topic he’s presented at several other groups. On April 2nd, William Stearns will do a presentation on Logical Volume Management. I saw Bill do an LVM presentation at DLSLUG back in 2005, and he had a great presentation. Looking forward to seeing both presentations!

Florida to scrap touchscreens; convictions in Ohio recount-rigging

Ars Technica: Florida to scrap touchscreens; convictions in Ohio recount-rigging

Rumor has it that Florida governor Charlie Crist will announce tomorrow that his state plans to scrap tens of millions of dollars worth of touchscreen voting equipment and move to a system based completely on optical scan ballots. The Miami Herald claims that the total tab for overhauling the state’s electoral system could be as high as $35 million.

I hope the rumors are true. Optical scan means that voters can see what they voted for, and mechanical and manual recounts are possible. While there’s still a danger of someone tampering with the optical scanner software/firmware, there’s at least a possibility of audits.

On the vote rigging, it’s worth reading the entire original article to hear how lame-brained it was. It’s sad to think that the higher officials who ordered/sanctioned/approved or were oblivious to this behavior when they shouldn’t have been, got away scot-free. While the vast majority of voting officials are hard-working honest folks, everything they do has to be transparent and above-board to avoid scandals like this.

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.