Microsoft announced during this week’s TechEd 2006 conference that it plans to consolidate all security efforts under a single umbrella, to be named “Forefront.” Along with the launch of Microsoft Antigen, an e-mail security product, they also announced ISA Server 2006, the successor to ISA Server 2004. ISA Server 2006 is an integrated edge security gateway, which combines a firewall and web proxy server into a single product.
Forefront products reflect Microsoft’s ongoing strategy to provide a comprehensive set of security products across client, server and edge that integrate with existing infrastructure and simplify the task of managing and controlling IT security and access. The first Microsoft Forefront products will be Forefront Client Security (formerly Microsoft Client Protection), scheduled for open beta in the fourth quarter of this year, and the next generation of our Antigen products. Forefront Security for Exchange Server and Forefront Security for SharePoint are timed to coincide with the upcoming Microsoft Exchange Server 2007 and Office 2007 launches. As Microsoft ISA Server continues to evolve, customers can also expect a Forefront version of our integrated edge security and access gateway. To provide customers with further choice and flexibility, Forefront products will be available as stand-alone solutions or as part of the Enterprise CAL suite, the Exchange Enterprise CAL suite or an integrated security product suite.
It will truly be interesting to see if security is really at the forefront of Microsoft’s mind, or if this is another meager attempt to confuse the masses into offering up money for pointless services.
Social engineering is an art that is almost a must-have for would-be black hat types. It is the single most important way of obtaining insider information. Is it really any wonder that USB jump drives can be used as a social engineering tool?
The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.
Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.
I immediately called my guy who wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.
As the cliché goes, curiosity killed the cat. For some reason, when most people find a CD or USB drive lying around they assume that it is benign. Unfortunately, that could not be further from the truth in most instances.
The lesson learned here is this: when you see garbage, like a CD or USB drive, lying around your office, especially unattended, leave it be!
Exploit Prevention Labs, a company that I had never heard of before today, has just released SocketShield, an application that supposedly is capable of blocking zero-day exploits from penetrating a workstation.
SocketShield is the world’s first dedicated zero-day exploit blocker. Using a unique combination of research technologies, a deep understanding of anti-malware techniques, and skilled coding, the software is able to block exploits from entering your computer, regardless of how long it takes for the vendors of vulnerable applications to issue patches - or how long it takes for you to install those patches.
As the name implies, SocketShield works at the socket level. Sockets are the points of entry used by your computer to allow programs to be downloaded from the web and other sources; these sockets can be opened and closed to enable or prevent downloads. SocketShield uses the knowledge gained through its multiple research channels to determine whether any download is an exploit and to close any socket that a known or suspected exploit is attempting to use.
Certainly sounds like an intriguing tool that I am very interested in test-driving. A free trial is available, which I intend to download and install this week sometime. Look for an upcoming article that details the software and its capabilities.
Ethereal is probably the most popular protocol analyzer available today. It is an open-source project that spans multiple platforms, allowing the software to be used on Windows, OS X and Linux. Due to trademark ownership issues, Ethereal changed its name to Wireshark.
John R.’s synopsis is essentially correct. Several years ago, my former employer (NIS) registered trademarks for the Ethereal name and logo. At the time this provided valuable legal protection for the project. Unfortunately, when I left we weren’t able to come to an agreement on the trademarks and they stayed behind.
There are several details about this that I can’t discuss, but I will say this: There was no “fight” between NIS and me. Although I’m deeply disappointed about the trademarks, I understand their decision. NIS is a great company and I still hold everyone there in high regard.
My reason to leave had more to do with the opportunities available at CACE (for the project, my family, and myself) than anything. The “good stuff” that will come from moving to CACE will far outstrip any “bad stuff” from the name change.
No matter what the name of the product is, it will surely remain the best protocol analyzer around. I have no doubt that the core development team knows what they are doing, and opted to take the best route for the product.
If you have ever been involved in managing a host-based firewall solution for your organization, then you know what a headache it can be. Possibly the most difficult task is maintaining the desktop firewall policy so that users can perform their daily work without the interference these applications are known to cause.
SecurityFocus has a great article outlining standards in desktop firewall policies. If you have experience running a program of this nature, or are endeavoring to start one, then this is a must-read.
The idea of a common desktop firewall policy in any size organization is a very good thing. It makes responses to external or internal situations such as virus outbreaks or network-oriented propagation of viruses more predictable. In addition to providing a level of protection against port scanning, attacks or software vulnerabilities, it can provide the organization’s local security team a baseline or starting point in dealing with such events.
The trick to a good desktop firewall policy is to provide a balance between security and the networking requirements of the applications needed by the organization. It’s possible the organization may not yet have a complete knowledge of these requirements. This should make the first attempt to define a standard/global policy interesting, depending on the level of protection one is trying to provide and the situation or environment the desktops may be in.
The article does not talk about the various products available, only about the basic theory behind managing and maintaining a desktop firewall policy. If you are looking towards defense in depth, then host-based firewalls might be a good direction to go, which makes this a much more important read than you might have initially thought.
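The balance the article describes, between a locked-down baseline and the traffic the organization’s applications genuinely need, is easiest to keep when the policy is checked against an inventory of application requirements rather than edited by hand. The script below is an added example, not code from the SecurityFocus article or from any firewall product: it models a simplified host firewall policy, reports applications a draft policy would break, flags inbound allow rules that open more than any application requires, and derives a least-privilege baseline from the requirements. The application names, subnets and rules are constructed sample data.

```python
"""Reconcile a desktop (host-based) firewall policy against the network
requirements of the organization's applications.
Added example with a deliberately simplified rule model; application names,
subnets and rules are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    app: str
    direction: str      # "in" or "out", from the desktop's point of view
    proto: str          # "tcp" or "udp"
    port: int
    peers: str          # CIDR of the remote side that legitimately needs access


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    direction: str
    proto: str
    port: Optional[int] # None matches any port
    peers: str          # CIDR the rule applies to


@dataclass
class Policy:
    default_inbound: str    # action taken when no rule matches
    default_outbound: str
    rules: List[Rule]


def rule_covers(rule: Rule, req: Requirement) -> bool:
    """True if this allow rule permits the traffic the requirement needs."""
    return (rule.action == "allow"
            and rule.direction == req.direction
            and rule.proto == req.proto
            and rule.port in (None, req.port)
            and ip_network(req.peers).subnet_of(ip_network(rule.peers)))


def unmet_requirements(policy: Policy, reqs: List[Requirement]) -> List[str]:
    """Applications the policy would break: needed traffic that hits a
    default-deny with no explicit allow rule."""
    unmet = []
    for req in reqs:
        default = policy.default_inbound if req.direction == "in" else policy.default_outbound
        if default == "allow":
            continue    # permitted by the default, though not least privilege
        if not any(rule_covers(r, req) for r in policy.rules):
            unmet.append(req.app)
    return unmet


def overbroad_inbound(policy: Policy, reqs: List[Requirement]) -> List[Tuple[Rule, str]]:
    """Inbound allow rules that open more than any application requires."""
    findings = []
    for rule in policy.rules:
        if rule.action != "allow" or rule.direction != "in":
            continue
        justifying = [r for r in reqs if rule_covers(rule, r)]
        if not justifying:
            findings.append((rule, "unjustified"))
        elif rule.port is None:
            findings.append((rule, "any port"))
        elif all(ip_network(r.peers) != ip_network(rule.peers) for r in justifying):
            findings.append((rule, "wider than requirements"))
    return findings


def policy_from_requirements(reqs: List[Requirement]) -> Policy:
    """Least-privilege baseline: default deny both ways, one allow per requirement."""
    rules = [Rule("allow", r.direction, r.proto, r.port, r.peers) for r in reqs]
    return Policy(default_inbound="deny", default_outbound="deny", rules=rules)


# Constructed inventory of what the desktops actually need.
REQUIREMENTS = [
    Requirement("mail-client", "out", "tcp", 443, "0.0.0.0/0"),
    Requirement("software-update", "out", "tcp", 80, "0.0.0.0/0"),
    Requirement("remote-support", "in", "tcp", 5900, "10.10.50.0/24"),  # helpdesk subnet
    Requirement("file-sharing", "in", "tcp", 445, "10.10.0.0/16"),      # campus LAN
]

# Constructed first-draft policy showing the usual mistakes.
DRAFT_POLICY = Policy("deny", "deny", [
    Rule("allow", "out", "tcp", 443, "0.0.0.0/0"),
    Rule("allow", "in", "tcp", 5900, "0.0.0.0/0"),     # remote support open to the world
    Rule("allow", "in", "tcp", None, "10.10.0.0/16"),  # whole LAN on every port
    Rule("allow", "in", "udp", 1900, "0.0.0.0/0"),     # no application asked for this
])

if __name__ == "__main__":
    print("unmet:", unmet_requirements(DRAFT_POLICY, REQUIREMENTS))
    for rule, why in overbroad_inbound(DRAFT_POLICY, REQUIREMENTS):
        print("overbroad:", rule, why)
    tightened = policy_from_requirements(REQUIREMENTS)
    print("tightened unmet:", unmet_requirements(tightened, REQUIREMENTS))
    print("tightened overbroad:", overbroad_inbound(tightened, REQUIREMENTS))
```

Against the draft policy the check reports the update client as broken and three inbound rules as too wide; the policy derived from the requirements passes both checks. In practice the requirements list is the hard part, which is the point the article makes about organizations not yet knowing what their applications need.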
McAfee has something up their sleeve with their new “Falcon” suite of security applications. According to ZDNet Australia, it appears that “Falcon” will come in four flavours.
The four editions will vary in the number of security features, giving consumers the option to buy a less comprehensive package. Offering various editions also allows McAfee to try to sell its customers a more expensive option at a premium price. Microsoft’s OneCare and Symantec’s Norton 360 are pitched as one size fits all.
Marc Solomon, director of product management at McAfee, said in an interview that all four McAfee products would include the basic security features — antivirus, anti-spyware and a firewall. Additionally, all editions include SiteAdvisor, which adds ratings to Web search results, and PC health tools for tasks such as hard drive defragmentation, he said.
McAfee has some decent basic security software that is good both at home and in an enterprise environment. It should be interesting to see where this new suite will fit into their current offering.
McAfee has been out purchasing quite a few companies these days, in order to build up their information security arsenal. Today they snatched up a risk management firm that aims to protect large businesses.
McAfee on Tuesday said it had acquired Preventsys, a company that specializes in security risk management and compliance. The technology will be integrated into McAfee’s solutions for large businesses in order to protect customer information and communicate security compliance to executives.
“With Preventsys technology, we can help our customers satisfy regulatory requirements for automated compliance reporting, while leveraging existing McAfee technologies such as McAfee ePolicy Orchestrator and Foundstone,” said Ken Gonzalez, McAfee’s vice president of corporate development. Terms of the deal were not disclosed.
Looks to be a win-win situation for all involved. Since McAfee specifically speaks about ePO, I wonder exactly what else they plan to add to this already monstrous behemoth.
Has the government’s state secrets privilege been misused from the start? According to the New York Times, it would appear that the Supreme Court was misled, which caused them to basically define the terms under which the privilege can be used.
[D]ocuments from the 1953 case that defined the modern privilege, United States v. Reynolds, have been declassified in recent years and suggest that Air Force officials misled the court.
An accident report on a B-29 bomber crash in 1948 was withheld because the Air Force said it included technical details about sensitive intelligence equipment and missions, but it turned out to contain no such information, said Wilson M. Brown III, a lawyer in Philadelphia who represented survivors of those who died in the crash in recent litigation.
“The facts the Supreme Court was relying on in Reynolds were false,” Mr. Brown said in an interview. “It shows that if the government is not truthful, plaintiffs will lose and there’s very little chance to straighten it out.”
This is a very compelling read, especially when thought of in the context of the NSA eavesdropping case currently being heard. Makes you really wonder what the government is attempting to hide.
A new security vulnerability has been found in Skype, which allows an attacker to obtain files that they would otherwise not have access to. The latest flaw was found by a New Zealand security researcher.
The security flaw manifests itself through the way Skype handles Uniform Resource Identifiers (URIs) that point to names or addresses referring to resources.
Security-Assessment.com discovered that with one type of URI handler installed by Skype it was possible to include additional command-line switches. One such switch will set up a file transfer session that will allow data written to the local hard disk to be sent to another Skype user.
For an attacker to successfully exploit the flaw he must know the exact name and location of the file he wants to transfer on the victim’s computer. The attacker must also authorise the victim, Security-Assessment.com says. This is easily done, with the attacker simply adding the victim to his contact list.
Skype programmers have been alerted to the exploit and are actively working on a solution. Look for an update to this widely used VoIP application in the very near future.
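The bug class here is a URI handler that lets text from a web page reach an application’s command line unparsed, so that a crafted link can smuggle in additional switches. The following is an added example, not Skype’s code: it contrasts a naive handler that tokenizes the URI like a command line with a hardened one that parses the URI, allow-lists each component, and hands the validated pieces to the application as positional arguments after a “--” separator. The scheme name `voip:`, the binary path, the allowed actions and the `--action=` switch are constructed placeholders, as is the sample malicious link.

```python
"""Dispatching a custom URI scheme (a browser 'protocol handler') to a local
application without letting the link author inject command-line switches.
Added example; the scheme, paths, actions and switch names are placeholders."""
import re
import shlex
from urllib.parse import urlsplit

APP = "/opt/example/voipclient"           # placeholder binary path
ALLOWED_ACTIONS = {"call", "chat", "add"}  # placeholder set of link actions
USER_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


def handler_naive(uri: str) -> list:
    """Vulnerable pattern: the URI text is tokenized like a command line and
    appended to the application's argv, so any whitespace-separated token in
    the link becomes an extra switch the application will honor."""
    return [APP] + shlex.split(uri)


def parse_voip_uri(uri: str) -> tuple:
    """Strictly parse 'voip:<user>?<action>' and return (user, action).
    Anything outside the expected grammar is rejected, including whitespace,
    path separators and unknown actions."""
    parts = urlsplit(uri)
    if parts.scheme != "voip" or parts.netloc or parts.fragment:
        raise ValueError("unexpected URI shape")
    if not USER_RE.fullmatch(parts.path):
        raise ValueError("bad user identifier")
    if parts.query not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    return parts.path, parts.query


def handler_hardened(uri: str) -> list:
    """Build argv only from validated fields. The action is an application
    switch chosen from a fixed set; the user identifier is passed after '--'
    so it can never be interpreted as a switch, even if validation loosens."""
    user, action = parse_voip_uri(uri)
    return [APP, "--action=" + action, "--", user]


# Constructed sample links: one legitimate, one carrying a smuggled switch.
GOOD_LINK = "voip:alice?call"
BAD_LINK = "voip:alice?call --unexpected-switch"

if __name__ == "__main__":
    print("naive   :", handler_naive(BAD_LINK))       # extra switch reaches the app
    print("hardened:", handler_hardened(GOOD_LINK))
    try:
        handler_hardened(BAD_LINK)
    except ValueError as err:
        print("hardened rejects bad link:", err)
```

The defensive property worth noting is the last line of `handler_hardened`: even if the identifier check were later relaxed, a value placed after `--` is a positional argument to any conventional argument parser, so the link author cannot turn it into a switch. The same pattern applies to any registered protocol handler, whether it launches via the shell or builds an argv directly.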
The US government is going to be performing business continuity testing in the middle of June, probably for the first time ever. Back to the Bunker explains some of the interesting choices for essential services that the government made during their risk assessment. Many of the decisions leave me wondering if they truly conducted a risk assessment or just “winged” it.
On Monday, June 19, about 4,000 government workers representing more than 50 federal agencies from the State Department to the Commodity Futures Trading Commission will say goodbye to their families and set off for dozens of classified emergency facilities stretching from the Maryland and Virginia suburbs to the foothills of the Alleghenies. They will take to the bunkers in an “evacuation” that my sources describe as the largest “continuity of government” exercise ever conducted, a drill intended to prepare the U.S. government for an event even more catastrophic than the Sept. 11, 2001, attacks.
The government really needs to take some cues from the financial industry in regards to disaster recovery and business continuity. There are many lessons learned that could be put to good use in the creation of a well designed system for sustaining vital government operations in a major crisis.