Digital Choke Daynotes

What's a Daynote?

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope).

These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.

If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Reports

Sunday, August 14, 2005

Back from a long weekend at the cabin. We left Thursday afternoon, and spent the whole weekend relaxing on the desk (er...."deck" ... see below) next to the river. Except for a couple of trips to Lake Tahoe for supplies, Pam and I just spent the whole time reading and relaxing. We also watched a few DVDs.

There's no cable up there. Since it is at the 6000 foot level in the Sierra Nevada mountains, we only go there during the warmer times of the year. So it wouldn't be worth it to pay for a monthly cable service. We could get satellite up there; all we would need is an extra dish (we could bring the receiver from home). But, again, not worth it. It was quite relaxing.

There's also no Internet service up there, so there was a bit of Interweb withdrawal. Took care of that when I got home today.

I also installed the new Netgear wireless router. We went into Staples for a few things for Pam's new office, and I found a "g" router for only $30 (and no rebates). That was a pretty good deal; I'd been planning on getting one anyhow to replace the "b" router I've had for a while. It installed quite easily. I didn't use their "Wizard", so can't judge that. But once I tweaked the settings (change the password, set up WPA encryption, change the IP addresses, set up DHCP), all is well.

Big security story this weekend is the vulnerability for the MS05-039 patch released last Tuesday. It will mostly affect Windows 2000 systems, so make sure those systems are up to date, especially those that are 'public-facing'. There are also problems with the Veritas backup software. Start here at the Internet Storm Center's daily diary for more info. Read through the subsequent entries, also.

Then get those systems patched.

Tuesday, August 16, 2005

A correction for the entry above, courtesy of Paul H:

Do you find that you have trouble with your paperwork blowing into the water? what with your desk so close to the river and all. It's so cool when someone else does the typo thing. Wish I could have been somewhere similar instead of working.

Hmmmm...there's an idea. All I need is an Interweb connection... Wonder what the boss would think of that.

The "Zotob" virus is making the rounds. Seems that it has hit some of the major news organizations (CNN, ABC News, New York Times). Even though the worm is targeted at (and most effective against) Windows 2000 systems, the folks at Symantec say that it can be spread by other systems:

W32.Zotob.E can run on, but not infect, computers running Windows 95/98/Me/NT4/XP. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to.

The symptoms of an infected computer are continual re-boots. McAfee has released a "Stinger" tool to remove the virus (assuming you can stop the computer from rebooting). Instructions, and a link to the Stinger tool, are here.

The worm seems to be high-risk and high-volume. This problem will be in the news for a few more days. Not sure if it is going to be as widespread as Code Red or others. Stay tuned.

Of course, all my readers (yes, both of you) are well-protected, because they are cleverly following my recommendations for ensuring updates are automatically installed. I think that corporate users will be more affected. I know that it is difficult to update lots of workstations. And many companies (like the folks at CNN/ABC News/New York Times) still have a bunch of Windows 2000 systems.

And you Apple users shouldn't keep smirking during this one. Apple released some important security patches this week. And there are also the various Linux updates.

So, update early, and often.

Wednesday, August 17, 2005

"Zotob" (and related worms) are still causing problems. Nothing seen at work yet. I did send out a company-wide message telling how to check their computer. At the office, all the computers are supposed to get Windows updates automatically from our internal update server. The computers are also supposed to get the daily updates from McAfee via our anti-virus 'pusher' (Network Associates ePolicy Orchestrator). So far, reports indicate that all the corporate-owned computers are properly updated.

I do still worry about the "sideways" attack. (Information Security guys are normally paranoid.) That's when someone brings in an infected laptop from home, or a vendor plugs their infected laptop into our network. That can cause a problem.

Noticed that McAfee came out with two updates for this one. One was late last night, and the other was this afternoon. They also have a free "Stinger" scanner and removal tool, available here. You might find that tool useful to have available. Since Zotob may restart your computer every 60 seconds, and disable your anti-virus, you may want to create a bootable floppy disk, CD, or USB hard drive with that program on it. That might help you defeat an infection of Zotob (and its variants). A good description of the current variations of this one is at the Internet Storm Center.

... where I notice that there is a possible "zero-day" exploit against MSIE. The ISC diary entry says:

FRsirt posted a possible zero-day exploit against Microsoft Internet Explorer (MSIE) 6. According to the notes posted with the exploit, it should open a remote shell by exploiting Msdss.dll.

Initial testing was not able to reproduce this, but we are still working with the exploit (if you tried it, let us know). This may just be another exploit against MS05-038, one of the vulnerabilities announced last week.

Antivirus scanners are able to detect this exploit as "Iframebof Exploit" (Kaspersky) or "JS.Bofra.A" (Bitdefender).

On a fully patched Win2000 system, CPU load went to 100% after hitting the exploit page. But no open port was observed.

This story is also developing, although it appears that current anti-virus scanners might be able to detect and prevent this one.

If you have an email filter solution at your place, you might want to block all executable attachments. That's what we do here to catch a lot of the viral messages, especially the "zero-day" exploits. For instance, the Zotob worm started surfacing last week. But there wasn't an anti-virus detection update for that right away. By blocking executable attachments in emails, we reduce the possibility of a user opening up that viral attachment.
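The attachment-blocking rule above can be expressed in code. This is an added example, not something from the original page or from the author's mail gateway: a small Python filter that walks a MIME message and flags any attachment whose filename carries a Windows-executable extension, and (the caveat a filter should handle) any attachment whose payload starts with the DOS/PE "MZ" header even when the filename has been renamed to look harmless. The extension list, the sample messages and the byte strings are all constructed for the example; the payloads are inert bytes that merely begin with "MZ".

```python
"""Flag executable email attachments (constructed example, not the page's code).

A mail gateway hands find_executable_attachments() the raw RFC 822 bytes
of a message; it returns the filenames of any parts that should be blocked.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked.
# Constructed list for the example; a real gateway policy may be longer.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".cpl",
}


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with the DOS/PE 'MZ' magic, whatever the name says."""
    return data[:2] == b"MZ"


def find_executable_attachments(raw: bytes) -> list[str]:
    """Return the filenames of attachments that are executable by extension or by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:          # inline text/html bodies carry no filename
            continue
        ext = os.path.splitext(filename.lower())[1]
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS or looks_like_pe(payload):
            hits.append(filename)
    return hits


def decide(raw: bytes) -> str:
    """Gateway verdict: 'quarantine' if anything executable was found, else 'deliver'."""
    return "quarantine" if find_executable_attachments(raw) else "deliver"


def build_sample(filename: str, payload: bytes) -> bytes:
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed samples: a benign PDF, an obvious executable, a PE disguised
    # as a .txt, and a screensaver with a non-PE body (blocked by extension).
    samples = {
        "report.pdf": b"%PDF-1.4 fake document body",
        "photo.jpg.exe": b"MZ\x90\x00 inert bytes",
        "notes.txt": b"MZ\x90\x00 renamed executable",
        "funny.scr": b"not a real PE, but .scr still executes",
    }
    for name, body in samples.items():
        raw = build_sample(name, body)
        print(f"{name:15s} -> {decide(raw)}")
```

The extension check alone is what the entry describes; the "MZ" check catches the common trick of renaming a program to a harmless-looking extension. Archives (.zip) that wrap an executable are not opened here and would need a separate unpacking step before the same check can be applied.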

Remember what Sgt Esterhaus said.

Thursday, August 18, 2005

Got a note from "one of my two readers" (Angus), who commented on this entry from yesterday:

"Of course, all my readers (yes, both of you) are well-protected, because they are cleverly following my recommendations for ensuring updates are automatically installed. I think that corporate users will be more affected. I know that it is difficult to update lots of workstations. And many companies (like the folks at CNN/ABC News/New York Times) still have a bunch of Windows 2000 systems."

Angus said:

I think the problem with corporate systems is many corps, esp. larger ones, have proprietary software that they must test against all these patches before allowing the patches to propagate through their networks. After all, if a patch breaks a business-critical app, it's as bad as a virus or worm.

Yep, I'd agree, partly. I think that a responsible corporation should have an update process in place that gets the updates efficiently and quickly installed, but is versatile enough that some systems might get a bit more hand-holding before the updates are installed.

One good product is the Microsoft Windows Software Update Server (WSUS). It's free, and works just like the manual Windows Update on your Start menu. The network admin gets a notice from Microsoft about a new update or patch, and you "approve" it for distribution. The workstations are set (via Group Policy or a registry push) to contact the WSUS once a day. If the updates are available, they are installed automatically. WSUS lets you set up groups of computers, so one group might always get their updates automatically downloaded and installed, and another group might get a download, but a manual install. And WSUS has reporting functions (a great improvement over the prior version -- called "SUS") so you can see who has gotten the updates.

So WSUS lets you automatically update your workstations. Servers can be placed in a separate WSUS group so they can be manually updated. (The software is on the server waiting for an admin to install it.) If you have a server (or workstation) with some unique software, you can place that computer in a 'manual update' group. Or you can have a 'testing' group.

The point is that a responsible organization, no matter what its size, needs to have an efficient update process in place. WSUS fits that need for our office.

There's been a discussion of Windows and patches and stuff over on Dr. Jerry Pournelle's Chaos Manor site. It starts in his Wednesday mail, and continues into Thursday. (It's interspersed with some other interesting mail.)

One comment (from Robert Thompson, in the Wednesday and Thursday mail sections) got me writing back to him. Not sure if he'll post it, but I'll stick it here. (Some of it I've discussed before.)

I respect Robert Thompson's expertise in things computerish. I've been reading his blog for several years (through the "Daynotes Gang", of which I am proud to be a member). But each time he mentions Microsoft, I just know he is going into another 'rant' against them as the "evil empire".

I take exception to many of his statements posted on your mail pages this week (and similar rants on his pages). For instance, "Fully patched Windows machines by the millions have been infected by worms *before* Microsoft has even issued a patch". I have previously stated that my computer, which is fully (and timely) patched, has *never* been infected with a virus/worm. That is not only because of my policy of automatic updates, but because I practice "safe computing" (even though I do, as part of my job, go to some 'dark places'). It's my responsibility to compute safely.

But it's not just my experience. There is research that verifies that patching is important, even if you *do* go to 'dark places'.

Example: An interesting research paper from Microsoft and their "HoneyMonkey" project. The paper is at ftp://ftp.research.microsoft.com/pub/tr/TR-2005-72.pdf, and is described by Microsoft as:

"Internet attacks that use Web servers to exploit browser vulnerabilities to install malware programs are on the rise. Several recent reports suggested that some companies may actually be building a business model around such attacks. Expensive, manual analyses for individually discovered malicious Web sites have recently emerged.

"In this paper, we introduce the concept of Automated Web Patrol, which aims at significantly reducing the cost for monitoring malicious Web sites to protect Internet users. We describe the design and implementation of the Strider HoneyMonkey Exploit Detection System, which consists of a network of monkey programs running on virtual machines with different patch levels and constantly patrolling the Web to hunt for Web sites that exploit browser vulnerabilities.

"Within the first month of utilizing this new system, we identified 752 unique URLs that are operated by 287 Web sites and that can successfully exploit unpatched WinXP machines. The system automatically constructs topology graphs that capture the connections between the exploit sites based on traffic redirection, which leads to the identification of several major players who are responsible for a large number of exploit pages."

(For more information on the Strider Honeymonkey research project, visit http://research.microsoft.com/honeymonkey, including the PDF of the article here: ftp://ftp.research.microsoft.com/pub/tr/TR-2005-72.pdf . It's a bit technical, but interesting.)

Note that they tested various levels of unpatched WinXP systems. They found that a patched system is much more protected. From an article at SecurityFocus:

"Among the researchers' other findings is that even a partially patched version of Windows XP Service Pack 2 blocks the lion's share of attacks, cutting the number of sites that could successfully compromise a system from 287 for an unpatched system to 10 for a partially patched Windows XP SP2 system. A fully patched Windows XP SP2 system could not be compromised by any [of these] Web sites, according to the group's May-June data. (The zero-day exploit of javaprxy.dll happened after this data set.)" [See Table 1 in the Microsoft report.]

***No exploits on a fully patched XP system.*** And those systems went to very dark places.

Linux is not perfect, and needs to be regularly patched. Does that make it a less secure product? Firefox/Mozilla has vulns that need regular patching. Open-source apps (large and small) have vulns that need patching. Several open source blog/diary-type sites (PHP-based) have vulns that need patching. One big exploit last year was the attack on web-based advertising servers running exploitable Linux OS. Just by visiting a high-profile page (news or entertainment sites) and getting an ad from that compromised ad server infected computers.

So you say to "change to Linux". How are you going to keep your Linux computers updated? Shouldn't you? There are lots of vulns for Linux computers; lots of patches to install. I see dozens of Linux-based bug reports every week on the "BugTraq" mailing list for open-source software large and small.

I believe that Microsoft has made great progress in security. You can see how the security folks at Microsoft are working hard to protect their systems (there are lots of MS staff writing blogs related to security and malware).

A chef knows that he needs to keep his knives sharp, and the gas bill paid. Without the proper tools, the chef is out of business (a "Denial of Service").

A responsible corporation knows that the tools they use have to be kept current. Or they can be out of business. (Oops... I didn't pay the phone bill. So it's the phone company's fault my phones don't work.)

A responsible corporation can keep their computers patched, and quite easily. At my "large municipal government agency", we use the *free* Microsoft Update Server (now called "Windows Software Update Server") to automatically keep the workstations and servers current. MS releases a patch, a couple of checkmarks at the WSUS update interface, and workstations are updated.

Yeah, it requires a server. Yeah, it took a bit of effort to set up the users' computers (we just pushed down registry settings). Yeah, the user's computer may restart.

But our 2500+ Windows computers are protected and updated.

Responsible corporations (and users) with Windows computers can be protected against malware. Automatically, with minimal effort once everything's set up.

No matter which tool you use, you need to do updates. If you don't, then don't complain when your tool doesn't work. And don't blame the tool manufacturer. It's your fault. *You have to take responsibility*. ("I'm sorry that you ejected through the windshield during the car crash. The seat belt was there; you chose not to wear it. Must be the car's fault." "Oops, cut yourself again, didn't you. Must be the knife's fault." "Phone doesn't work? Didn't pay the bill? Must be the phone company's fault." "Didn't change the oil as often as you should have? Must be the engine's fault that it seized up.")

And that's enough for tonight.

Saturday, August 20, 2005

Here's a few observations from George Carlin that made me chuckle:

COWS
Is it just me, or does anyone else find it amazing that our government can track a cow born in Canada almost three years ago, right to the stall where she sleeps in the state of Washington. And they tracked her calves to their stalls. But they are unable to locate 11 million illegal aliens wandering around our country! Maybe we should give them all a cow.

CONSTITUTION
They keep talking about drafting a Constitution for Iraq. Why don't we just give them ours? It was written by a lot of really smart guys, it's worked for over 200 years and we're not using it anymore.

TEN COMMANDMENTS
The real reason that we can't have the Ten Commandments in a Courthouse? You cannot post "Thou Shall Not Steal," "Thou Shall Not Commit Adultery" and "Thou Shall Not Lie" in a building full of lawyers, judges and politicians!
It creates a hostile work environment!

And I was reading Wil Wheaton's blog tonight (great place -- great writing skills). Seems his son has turned into a teenager. Good read.


... more later ...