Monday, November 17, 2008

7^W12 years old vulnerability

I blogged last week about Microsoft patching a seven-year-old vulnerability. That was irritating.

According to Sid, the vulnerability has been known since 1996. (The link is in French.) Twelve years old. That is irritating.

Friday, November 14, 2008

Sharp decrease in spam

A big spammer was cut off from the Internet. 70% of the world's spam seems to have vanished.

I was once told by Olivier Caleff that there could be no decrease in spam: if you saw a decrease in the number of spam messages caught by your antispam, it meant your antispam was falling behind the ingenuity of spammers.

But I think that doesn't apply to this situation. If we ignore the pessimistic view ("they will start their spamming business again somewhere else and all that will have been for nothing!"), this is very good news :-)

It is not often that a security guy gets happy reading the news.

Thursday, November 13, 2008

Desperate security guy

In case you missed it, Microsoft released a patch for a seven-year-old vulnerability. Put briefly, Windows file servers could be hacked into by just about any attacker with a tenth of luck and a hundredth of patience.

Well.

I often grumble about Microsoft's behaviour concerning security, but this goes too far. Once more.

Turned off by default

Every now and then I read about a product, most often a server, that is considered more secure because features are turned off by default.

There is something not expressed in this kind of advertisement. It is implied that you will not choose which features are turned on and off, that you will use the product just as it comes out of the box.

No company should do that. No uncustomized product should go into production in a company. That is precisely what admins are paid for: to know the various options and to adjust them. If you don't do that on every product, it probably means one of two things:
  • Your admins are not qualified for their job, or you underuse them.
  • Your company is full of security holes, because of unknown and unmonitored features.
So check on this in your company, and remember that unless you hire them specifically for that task, consultants will never take the time to look at the side features of a product. It is your teams' job to do this work.
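One concrete way to catch "unknown and unmonitored features" is to compare what a server actually exposes with the baseline the admins decided on for that role. The following is an added example, not code from the original post: it parses `ss -ltnp` output and reports every listener that is not in the baseline. Both the `ss` output and the baseline below are constructed for the example.

```python
import re

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=940,fd=21))
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1330,fd=33))
LISTEN 0      128    [::]:8009           [::]:*            users:(("java",pid=1402,fd=44))
"""

# Hypothetical baseline for a "web server" role: the only listeners the
# admins consciously turned on. Anything else is an unreviewed feature.
EXPECTED = {
    ("0.0.0.0", 22, "sshd"),
    ("0.0.0.0", 80, "nginx"),
    ("127.0.0.1", 3306, "mysqld"),
}

# Matches: LISTEN <recv-q> <send-q> <addr>:<port> <peer> users:(("<proc>",...
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(text):
    """Return the set of (address, port, process) tuples found in ss output."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or socket without process info
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        addr = addr.strip("[]")  # "[::]" -> "::" so IPv6 compares cleanly
        found.add((addr, port, proc))
    return found


def unexpected_listeners(text, expected=EXPECTED):
    """Listeners present on the host but absent from the role baseline."""
    return sorted(parse_listeners(text) - expected)


if __name__ == "__main__":
    for addr, port, proc in unexpected_listeners(SS_OUTPUT):
        print(f"UNEXPECTED: {proc} listening on {addr}:{port}")
```

On a real host you would feed it `ss -ltnp` (and `-lunp` for UDP) from a scheduled job and alert on a non-empty result; the baseline lives with the role's configuration so that every deliberate change to it is reviewed.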

Wednesday, November 12, 2008

My first virus under Linux [joke]

I just experienced my first virus under Linux. In a virtual machine running Windows XP. Of course, it was just for testing purposes... I installed a fresh Windows XP and tried to share files between the real machine and the virtual machine through Samba. To ease the configuration, I deactivated the Windows firewall. I didn't use Internet Explorer at all.

And the result was there in less than five minutes. Multiple windows popped up out of nowhere, offering to install sex software, fake anti-virus software... and I don't want to think of the things that happened without displaying a pop-up window.

There was a statistic a few months ago saying that an unsecured Windows box alone in the wild was compromised within a few minutes. I can confirm.

Saturday, November 8, 2008

Online resources in security

A few links to read about security.

Schneier on Security: perhaps the world's best-known security expert, Bruce Schneier comments on security news, either on the IT side or on a broader scale, including state security and terrorism.

Security Warrior: Anton Chuvakin's blog, mainly about security and security through log analysis. If you are interested in understanding logs and implementing log management, every minute invested in reading this blog is worth it.

Chaos Computer Club: the site of the German hacker club. Most articles are in German, though.

Since security in a company is about saving the company's money, you had better learn how easily it is lost. These two are quite interesting:
IT Project Failures
The IT Skeptic: often more funny than productive, but you can still learn interesting things.

Friday liberty blogging - Welcome back, America!

Need to celebrate a little on the election of Barack Obama.
After eight years of GW Bush, the Republicans had become, in the eyes of the world, the party of warmongers, liars, religious extremists, creationists, gun nuts... The Americans have sent the message that they didn't want any more of this, that this was not the Republican party at all.

Welcome back, America!

I am sorry for John McCain and Sarah Palin, who were valid candidates. I am also sorry for the Republican party, which stands for good values that are very important to the strength and vitality of the US. But that's the result of eight years of GW Bush.

Good luck to president-elect Barack Obama, who will have to deal with big tasks, even more so now that the whole world is looking at him for a sign of hope. Welcome back, America!

Tuesday, November 4, 2008

Five behaviours that decrease security in an organization

In addition to being fashionable, composing a five- or ten-item list gives the opportunity to sort out the very things that you would like to be understood by people who don't work in the field.

I speak of security in an organization, not a company, because I have seen some of these behaviours in associations and public agencies as well.
  1. Not responding to people's good moves towards security. For instance, a user reporting a vulnerability must always be thanked, and notified once the vulnerability is fixed. Another example: an executive coming to ask general questions about security must always be answered as soon as possible.
  2. Allowing unmanaged exceptions to the policies for the high executives of the organization. They are the ones with the most valuable data. Primary target.
  3. Letting some high executives of the organization think security is an IT-department-only matter. Good security includes physical security, human resources security, legal security and, of course, compliance with the policies by all users, whatever department they're in.
  4. Implementing security solutions incompletely because of a lack of resources. If IT or security people lack the time, staff, management support or budget to implement security solutions correctly, their work is very likely worth zero. For instance, a logging solution that has not been carefully tuned to fit the organization's needs is useless. It's time and money lost, and no gain in security.
  5. Letting consultants do all the "hard work". Because the daily workload is often heavy, many companies (less true of public agencies or associations) call on consultants for every atypical job. This way, the employees don't increase their skills and don't get enough experience with the newly developed or purchased tools, which means they can't react effectively in case of an incident.

Monday, November 3, 2008

Decrease in vulnerabilities: a myth

Joseph Tartakoff just published statistics about the number of vulnerabilities in Microsoft products: they have decreased by 38% in six months. That seems to be good news, for sure, yet I would like to underline two not-so-good explanations for it:
  1. It's possible that the number of vulnerabilities decreased simply because the people looking for vulnerabilities (white, grey or black hat) don't focus on the operating system that much anymore. Online applications have replaced a lot of our previous applications.
  2. It's possible that the numbers don't reflect the actual number of vulnerabilities, because found vulnerabilities are sold to the black-hat underground and not published in the open.
Furthermore, Joseph Tartakoff emphasizes the fact that Vista gets fewer vulnerabilities than XP. This is quite normal, as the very low adoption rate of Vista makes it a less interesting target of analysis both for security researchers and attackers.

I am quite skeptical about the interpretation of any vulnerability statistics. Unless the numbers were zero or infinite, I don't think we can get anything productive out of them.

Sunday, November 2, 2008

ODF vs OOXML: Being impartial, and having people work

I was recently confronted with the question of having my users open any kind of office file they might receive as an attachment. It gave me an occasion to review the whole controversy on Office Open XML, the new Microsoft format. And I didn't get any further by reviewing it :-(
As a matter of fact, rather than focusing on solutions like ODF, OOXML, or their implementations in MS Office, OpenOffice.org or others, I think the right way to approach the question is to focus on the problems we have to address and define them better.

  • Why did we need to change? What were the problems with the previous Microsoft Office formats?
  1. Vendor lock-in: because the format was not publicly documented, competitors could not implement it. They could not write competing software, resulting in a slowdown of quality and support from Microsoft.
  2. Poor support for previous versions: some files created with older versions of Microsoft Office cannot be opened with newer versions. This is especially true of PowerPoint slideshows. Even when a file can be opened, it is very common that the layout of elements doesn't look the same on different MS Office versions or different Windows versions.
  3. Viruses: because the format was binary and not publicly documented, it was easy to hide malicious code in it and hard to detect. Lots of botnets have been built thanks to the funny PowerPoints that are forwarded from employee to employee.
  4. Heavy and limited format: the format inherited inconsistencies from its previous implementations, making it heavy to implement and resulting in heavy files.

  • What makes the best format?
  1. Vendor lock-in: ODF suffers no limitations, the standard evolves, and it can be implemented freely. Microsoft has said it will let competitors implement OOXML freely and will publish modifications to the standard. Yet we have historical reasons to doubt this will remain their policy.
  2. Viruses: ODF is a fully XML-based format, which can easily be scanned for viruses. OOXML allows binary parts inside the documents (the VBA project of macro-enabled files, embedded OLE objects), giving viruses a place to hide. Note that both formats are ZIP containers and that ODF can embed binary objects too, so a scanner must unpack the container and inspect every part, not just the XML.
  3. Weight of the format: both are mostly text-based and use ZIP compression, giving comparable file sizes. ODF reuses other standards such as SVG and MathML, allowing for cheaper implementation, whereas OOXML starts everything from the ground up.
  4. Implementations: currently, OOXML is completely supported only in Microsoft Office 2007. ODF is completely supported in OpenOffice.org, StarOffice, Symphony, KOffice, Google Docs and others.
From a technical point of view, ODF is by far superior to OOXML.

  • What do we face now?
  1. Both ODF and OOXML have been approved as ISO standards (ISO/IEC 26300:2006 for ODF and ISO/IEC 29500:2008 for OOXML).
  2. Some companies have upgraded to Microsoft Office 2007, which saves as OOXML by default. Some companies have turned to OpenOffice.org, which works natively with ODF.
  3. The result is that company users receive, daily, legacy binary .doc, .xls and .ppt files, ODF documents and OOXML documents.
  4. The most common office suite is still Microsoft Office 2003, which natively works with neither ODF nor OOXML.
  5. Many companies don't have enough Microsoft licenses for all their workstations and deploy OpenOffice.org where they have no license.
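Since users receive all three families of files daily, the first thing a mail gateway or a triage script has to do is tell them apart and find the parts where non-XML content can hide, which is the point made above about binary parts. The following is an added example (not code from the original post): it identifies legacy OLE2 binaries, ODF and OOXML containers by their structure, lists the non-XML parts of the ZIP-based ones, and applies a simple quarantine policy. The three sample attachments are constructed in memory and are not real documents; the policy in `needs_manual_review` is an assumption for the example, not something the post prescribes.

```python
import io
import zipfile

# Legacy Office 97-2003 files are OLE2 compound files; this is their magic.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ZIP local-file-header signature, shared by ODF and OOXML containers.
ZIP_MAGIC = b"PK\x03\x04"


def _build_zip(entries):
    """Build a ZIP container in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            # ODF requires 'mimetype' to be the first entry, stored uncompressed.
            method = zipfile.ZIP_STORED if name == "mimetype" else zipfile.ZIP_DEFLATED
            z.writestr(name, data, compress_type=method)
    return buf.getvalue()


# Constructed sample attachments (not real documents): a minimal ODF text
# file, a minimal macro-enabled OOXML file with a binary VBA part, and a
# stub legacy .ppt consisting of the OLE2 magic followed by padding.
SAMPLES = {
    "report.odt": _build_zip([
        ("mimetype", b"application/vnd.oasis.opendocument.text"),
        ("META-INF/manifest.xml", b"<manifest:manifest/>"),
        ("content.xml", b"<office:document-content/>"),
    ]),
    "invoice.docm": _build_zip([
        ("[Content_Types].xml", b"<Types/>"),
        ("_rels/.rels", b"<Relationships/>"),
        ("word/document.xml", b"<w:document/>"),
        ("word/vbaProject.bin", b"\x01\x02\x03 opaque VBA project"),
    ]),
    "slides.ppt": OLE2_MAGIC + b"\x00" * 504,
}


def classify(data):
    """Identify the container and list the parts that are not plain XML.

    Returns (kind, opaque_parts). Opaque parts are where something other than
    XML (VBA projects, OLE objects, images) sits, i.e. what a scanner that
    only looks at the XML would miss.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary", ["<entire file>"]
    if not data.startswith(ZIP_MAGIC):
        return "unknown", []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if names and names[0] == "mimetype":
            kind = "odf:" + z.read("mimetype").decode("ascii", "replace")
        elif "[Content_Types].xml" in names:
            kind = "ooxml"
        else:
            kind = "zip"
        opaque = [n for n in names
                  if n != "mimetype" and not n.endswith((".xml", ".rels"))]
    return kind, opaque


def needs_manual_review(data):
    """Assumed policy: legacy binaries, unrecognised files and any ZIP-based
    document carrying non-XML parts go to a quarantine queue."""
    kind, opaque = classify(data)
    return kind in ("legacy-binary", "unknown", "zip") or bool(opaque)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        kind, opaque = classify(data)
        flag = "REVIEW" if needs_manual_review(data) else "ok"
        print(f"{name:14} {kind:45} opaque={opaque} -> {flag}")
```

The structural checks (OLE2 magic, `mimetype` as first entry, `[Content_Types].xml`) are deliberately independent of the file extension, since an attachment named `.doc` can carry anything; in production the `opaque` list is what you hand to the anti-virus engine or the sandbox, while the XML parts can be parsed and checked directly.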

  • To the point: what do we need now?
  1. Have both formats work with MS Office 2003, or pay and have them work with MS Office 2007. This seems possible with Microsoft's Office Compatibility Pack (to open OOXML) and Sun's ODF plugin for Microsoft Office (to open ODF).
  2. Have both formats work with OpenOffice.org where Microsoft licenses are not available. ODF is natively supported, and the OOXML implementation has started. OOo should have working OOXML support shortly.

As a conclusion, after spending quite a few hours on the question, I can say that ODF is a technically far better solution, and that it should be possible to keep people working through this cacophony with additional plugins for MS Office.
Of course, as usual, implementation will be the most important part. I will post about the deployment of the plugins when I have results.