[SecurityRatty] tag: servers

Massive Coordinated Patch Effort To DNS System Flaw

Tue, 08 Jul 2008 13:56:25 +0000

The DNS client and server patch in today's Microsoft monthly patches wasn't just a Microsoft problem. It was part of a coordinated effort to patch numerous DNS servers for a series of problems that are common to DNS implementations. The US-Cert advisory on the problem describes three problems which, research has shown, can be combined into effective spoofing attacks:

VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND version 8 generates cryptographically weak DNS query identifiers

The advisory lists 101 DNS servers, their status and the date of their last update. For the large majority of the servers the status is "Unknown," but several important ones are listed as Vulnerable and all of these were patched either today or late last week. Among the vulnerable systems, in addition to Microsoft, are Cisco, ISC, Juniper, Red Hat and Sun. Many of the servers whose status is "Unknown" were also patched quite recently, and it's a safe guess that it was for this reason. The advisory credits Dan Kaminsky of IOActive, Paul Vixie of Internet Systems Consortium (ISC) and Daniel J. Bernstein for the research. It also earlier mentions Amit Klein for work he did on one of the constituent attacks. According to CircleID, Kaminsky will reveal details of the attack in 30 days after users and vendors have had a fair shot at patching it.

Have you googled, HR security breaches lately?

Tue, 08 Jul 2008 05:38:15 +0000

Blogger: Randall Gamby

As briefly mentioned in a Burton Group IdPS blog and a ZDNet Australia published article on July 3, 2008, HR data from Google was stolen from one of their previous HR outsource partners. It seems that the partner, Colt Express Outsource Partners, had equipment stolen that contained HR data from some of its clients, including Google. The data was unencrypted and stored on systems that were apparently portable.

So what does this mean for all of us?

First, it shows that even large SaaS companies like Google can be bitten by a lack of security at their partners, just like many of us can. Burton Group has been warning clients for a long time about the dangers of sending confidential information to outsource partners without proper security and audit processes in place. Of course this should also be backed by strong contractual language.

Second, be prepared to pay. Even if Google had breach mitigation terms in their contract, Colt Express announced that it was in financial difficulty. So Google has had to pay for financial reporting and other compensation to its own employees, even though Google did nothing wrong.

Third, a Google representative stated "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.” Does this mean that Google doesn’t require encryption of its confidential information since encryption of the data was not deployed at Colt Express? When working with third parties, whether it’s financial data or confidential personal data, this information needs to be protected from unauthorized access. One of the simplest ways is encrypting the data while at rest, regardless of where it’s located.

Final, the Colt Express breach brings to mind a question Burton Group is always asking: “What is your exit strategy if the contract is terminated with your outsourcing partner?” A lot of effort is expended in creating an outsourcing agreement around use and protection of data, but what happens when the contract is ended? Do you obtain and retain the information the outsource partner maintained? Do you have the outsource partner destroy the information and any archives of it (and verify this was done)? Do you create a custodial contract with the outsourcing partner for them to maintain the information and archives on your behalf (ensuring the data is properly protected)? As was found in this incident, after their contract with Google was terminated the outsourcing partner apparently retained the employee data unencrypted on their servers. This was the fatal mistake that allowed the breach to occur.

So as you work with your outsourcing and SaaS vendors, you should not only consider how day-to-day operations should be secured to maintain the confidentiality of your data. You should also think about how that data is being maintained over time, and what are your procedures should the unthinkable happen if your partner allows your data to be compromised.

Swedes Massively Protest Wiretap Law

Mon, 07 Jul 2008 17:50:03 +0000

In June the Swedish parliament passed a controversial surveillance law that gives authorities a mandate to read all email and listen in on all phone calls without warrant or court order. In response to the law, The Pirate Party organized rallies, bloggers and journalists turned into activists, and even Google decided to relocate their servers.

Firewalls On Your Windows Servers

Sun, 06 Jul 2008 04:37:16 +0000

A survey last year by David Litchfield of NGS Software showed "...there are approximately 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 Oracle database servers directly accessible on the Internet." Egad! That's almost certainly not a good thing. Many of them are accessible by accident and many of them are run by just plain incompetent people; 4% of the SQL servers were so old they were still vulnerable to the Slammer worm from many years ago. One point it raises, even if you don't in intend for your server to be accessible directly on the Internet, is defense in-depth. There should be a firewall on the server so that at least the attack surface is somewhat restricted. Out of this philosophy, starting with Windows Server 2008, the Windows Firewall is turned on by default. Many users will notice this change in the form of connectivity failures, but that's a good thing because it forces you to think about what's open and closed on your server and make a decision about it. An entry on the SQL Server Security Blog discusses these changes and how you can approach them to make your Windows Server 2008-hosted SQL Servers secure. First you have to locate your servers; it's a good bet that quite a few owners of those Internet-facing servers that Litchfield found don't even know the servers are up. You need to review the host security implementations on those servers to make sure that they conform to your policy. You also need to review your network firewall policies to make sure that the two are compatible. Verify that it's all working as expected; in other words, test the configuration. Then remedy the problems. Read the blog for more details. On your Windows Server 2003 servers you might even want to turn the firewall on as a defensive measure. Or you might want to turn it off on 2008. But it should be you making a conscious decision.

Hidden endpoints: Mitigating the threat of non-traditional network devices

Thu, 03 Jul 2008 11:40:22 +0000

Organizations have many safeguards in place for network-enabled devices like PCs and servers, but few realize the threat posed by non-traditional devices like printers, physical access devices and even vending machines. Endpoint security expert Mark Kadrich offers up some worst-case scenarios and explains how these and other endpoints can be protected.

Upcoming Talks and Training

Thu, 03 Jul 2008 10:32:26 +0000

Here is my current list of talks and training

"Breaking Web Services," Monday July 7: OWASP Twin Cities - "SOA and Web services promise wonderful interoperability, but distributed systems create lots of room for fantastic failures. This session will explore the gory details of unique vulnerabilities at each layer of the SOA stack - from the WSDL interfaces to XML processing (XSD, XPath and XQuery), to the implementation languages liike Java and C#, to new security standards like WS-Security and SAML.
I gave a version of this talk with Brian Chess at the 2008 RSA Conference.
"Web Services and SSO: There and Back Again" at Ping's SSO Summit. July 25, Keystone, CO - "What happens to your identity information and business data after you press "SUBMIT" on a website? These bits have a journey as dangerous as Frodo Baggins' travels through Mordor. This talk traces the path from the website through the perils that lurk in the enterprise and legacy systems. We will explore what threats are encountered along the way, and how to design a cost effective security architecture with Security Token Servers using open standards."
"SOA, web services, and XML Security" 1 day training at Usenix Security July 29. This is a public 1 day version of my training see the link for details

Protecting exposed servers from Google hacks (and Google 'dorks')

Wed, 02 Jul 2008 11:32:18 +0000

Search engines are now routinely used to find ways of gaining unauthorized access to servers. Michael Cobb explains how to avoid exposing your important data to 'Google dorks.'

Tip: Does Your Server Really Need a Recycle Bin?

Wed, 02 Jul 2008 04:54:44 +0000

This is obvious when you think about it. What might you do, operating on the server itself, for which you need a recycle bin? In fact, for some, like Terminal Servers, you might need then, but not on others like a web server. In the meantime, it turns out to be a potential liability there. Thanks to The Elder Geek, by way of the SBS Diva blog (read this one for better details), for pointing this out. Susan, the SBS Diva, recently had a server compromise, and it turns out that the attackers used her web server's recycle bin as a video repository. Why? Because it's hidden. Removing the recycle bin won't stop someone from compromising your server, but it will take away one place they can hide once they get in there, so you might discover the breach sooner. And if you don't delete it, at least cut it down in size from the default 10% of space, which is far too big for a server, and probably for most client desktop.

Virtualization Needs vs. Cool Features

Tue, 01 Jul 2008 17:00:08 +0000

Regardless of the size of your virtualization project you will probably ask two of the most common questions before you even start:

What product(s) & version(s) should I use?
How much should I plan to spend?

The simplest answer of course is “it depends”. I’ve seen implementations range from a thousand bucks to over several million. Ideally, your virtualization project needs & goals should drive your product selection. The bells & whistles you chose will determine your spending.

10 Basic questions that will help you determine product & cost:

Will your Virtual Infrastructure (VI) host production Virtual Machines (VM)?
What servers do you already have that can be used as hosts (32bit, 64bit, Mem, Disk, Network)?
Do you have a need for High Availability (HA)?
Do you have the need to manage SLA’s on your VMs?
What will a typical VM in your VI look like (OS, Disk, Mem, Network, CPU)?
What other IT resources do you have that can be used (SAN, NAS, Switches, etc…)?
What level of comfort does your existing staff have with the various IT resources?
Do you have existing hardware/software support agreements with Vendors you could leverage?
What tools do you already own that are “virtualization aware” and what new tools will you need?
How many VM’s do you plan to scale to?

Please, please, please, don’t make the mistake of implementing features that you don’t need and over-engineering just because the product lets you do so.

If you plan it right your product & cost, questions will be answered with no unpleasant surprises.

ShareThis

Links for 2008-06-30 [del.icio.us]

Mon, 30 Jun 2008 20:00:00 +0000

SIEM tools come up short
Are SIEM and log management the same thing? - Network World
Log Management « IT@SmallBiz
Another issue we faced in dealing with our SAS 70 audit was log management. Every system admin deals with this issue, we just ignore it most times. You have all sorts of information stored in log files on all your various servers. If you were going to
Datawocky: Searching for a Needle or Exploring the Haystack?
"Searching for a Needle or Exploring the Haystack?" Search engines are great at finding the needle in a haystack. And that's perfect when you are looking for a needle. Often though, the main objective is not so much to find a specific needle as to exp