Archive

Archive for November, 2006

A few interesting things

Just a couple of things I wanted to touch on (I know... I'm due for a decent post in the next little bit)..

First and foremost, if anyone missed this, Argeniss (makers of the Ultimate 0Day Exploits Pack for Canvas) has announced that in December they will be running WoODB (Week of Oracle Database Bugs). For one week, they'll release a new Oracle 0Day each day. If other users are interested in contributing, they are going to expand the "project" beyond a week.

Previously, I had mentioned Lauren Weinstein's ridiculous blog post on Google's Click-to-Call and I even gave a simple solution that would solve the problem. Lauren has a new blog post out, and in it he has essentially ripped off my idea.

Lastly, I wanted to direct attention to Websense and their Malcode of the Week. This week they've got a very cool breakdown of an MS06-067 exploit. It's definitely worth reading.

Peace,
HT

Categories: Daily Link List Tags:

New Dominoes World Record

This is pretty cool.... 4,079,381 dominoes.

Categories: Personal Tags:

I'm not saying anything...

Categories: Personal Tags:

They’ll give anyone a blog…

So anyone can get a blog... what surprises me more is that these days Slashdot is willing to put anything on their front page.

I'm not sure who Lauren Weinstein is but I learned something tonight... avoid his blog like the plague. This is a real shame because he seems like an intelligent guy with some useful insight on various topics... which is generally the type of blog I'd add to my bloglines. The problem I have is with a post pertaining to Google's new 'Click-to-Call' feature.

The service is a great marketing idea for businesses. You can have an icon next to your Google listing and a user can click on it to call you... The user will provide their phone number and the call will be made. On his blog Lauren made the following statement:

Of even greater concern is that Google says that it will manipulate the caller-ID on the calls made to the user-provided number, to match that of the business being called. This is extremely problematic, since it could be used to try to convince a prank target that they were being called directly by the business in question, and so cause that target to direct their anger at the innocent business. In the case of targets who are on do-not-call lists, it is possible to imagine legal action being taken by callers upset that the business in question called them "illegally," though in fact the call had been made by the Google system.

Google's explanation for this caller-ID manipulation is that it would be handy to have the called business number in your caller-ID for future calls. That may be true, but the abuse potential is way too high. Caller-ID should never be falsified.

I don't see that great a potential for abuse... Some kids are going to use it for the occasional prank call.. They do that now... You get them dialing *67 first. I don't think the "Caller ID spoofing" is the issue here... Perhaps yes, this service should be authenticated.. Perhaps a user should sign into a Google-related account (Gmail for example) before being able to place a call, and they should have the number registered with their account so it will be dialed automatically... Perhaps Google should spoof the Caller ID, but spoof it to say 'Google Business Connect' on both sides... I could see this as being beneficial to both sides..
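As an added example (not from the original post, and not Google's code), here is the authenticated design sketched above placed beside the anonymous design being criticised, written in Python. Everything in it is constructed: the account store, the phone numbers, the 'Google Business Connect' label and the digits-only normalisation are assumptions, not details of the real service.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Caller ID label presented on BOTH legs of the call in the hardened design.
# Assumed label, chosen to match the suggestion in the post.
NEUTRAL_CALLER_ID = "Google Business Connect"


class ClickToCallError(Exception):
    """Raised when a click-to-call request fails a policy check."""


@dataclass
class Account:
    user: str
    verified_numbers: Set[str] = field(default_factory=set)  # stored normalised


@dataclass
class CallRequest:
    business_number: str                 # number taken from the business listing
    callback_number: str                 # number the visitor typed into the widget
    session_user: Optional[str] = None   # None when the visitor is not signed in


@dataclass
class PlacedCall:
    user_leg: str
    business_leg: str
    caller_id_shown_to_user: str
    caller_id_shown_to_business: str


def normalize_number(raw: str) -> str:
    """Reduce a phone number to digits so '+1 (555) 010-0100' and '15550100100'
    compare equal. A naive string compare against an allow-list would let a
    trivially reformatted number slip past it."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:            # assumption: 10 digits means NANP without country code
        digits = "1" + digits
    if not 11 <= len(digits) <= 15:  # E.164 allows at most 15 digits
        raise ClickToCallError("malformed phone number")
    return digits


def place_call_naive(req: CallRequest) -> PlacedCall:
    """The design the post criticises: anonymous, dials whatever number the
    visitor typed, and presents the business's number as the caller ID."""
    return PlacedCall(
        user_leg=req.callback_number,
        business_leg=req.business_number,
        caller_id_shown_to_user=req.business_number,   # spoofed to look like the business
        caller_id_shown_to_business=req.callback_number,
    )


def place_call_hardened(req: CallRequest, accounts: Dict[str, Account]) -> PlacedCall:
    """The design suggested in the post: the visitor must be signed in, the
    callback number must already be registered to that account, and both
    legs see a neutral caller ID instead of the business's number."""
    if req.session_user is None:
        raise ClickToCallError("sign-in required before placing a call")
    acct = accounts.get(req.session_user)
    if acct is None:
        raise ClickToCallError("unknown account")
    callback = normalize_number(req.callback_number)
    if callback not in acct.verified_numbers:
        raise ClickToCallError("callback number is not registered to this account")
    return PlacedCall(
        user_leg=callback,
        business_leg=normalize_number(req.business_number),
        caller_id_shown_to_user=NEUTRAL_CALLER_ID,
        caller_id_shown_to_business=NEUTRAL_CALLER_ID,
    )


# Constructed sample data (not real accounts or numbers).
ACCOUNTS = {"alice": Account("alice", {normalize_number("+1 555 010 0100")})}
BUSINESS = "+1 (555) 010-0199"


if __name__ == "__main__":
    prank = CallRequest(BUSINESS, "555-010-0177")   # a third party's number, no sign-in
    print(place_call_naive(prank))                  # connects; victim sees the business's number
    try:
        place_call_hardened(prank, ACCOUNTS)
    except ClickToCallError as err:
        print("rejected:", err)
    ok = CallRequest(BUSINESS, "(555) 010-0100", session_user="alice")
    print(place_call_hardened(ok, ACCOUNTS))        # connects with the neutral caller ID
```

The point of `normalize_number` is the check that is easy to forget: if the allow-list of registered numbers is compared as raw strings, a prankster only has to add a space or a dash to the target number to get it past the check.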

Consider companies that exist like SpoofTel (which I have an account with) and SpoofCard; I know businesses that use SpoofTel for legitimate, practical purposes... Given articles on Caller ID spoofing that require nothing more than a Linux install, and others that provide complete FAQs on Orange Boxing, I doubt Google spoofing a business's phone number is any worse. The pranksters that will take advantage of this already have the tools at their disposal to go about more complicated scenarios..

The subject of falsified caller ID is a much larger subject... I could see it requiring massive telephone infrastructure changes and I don't see it as overly useful. So a few less telemarketing companies can spoof the Caller ID, and one or two fewer prank calls can be made.

In the end.... Caller ID spoofing has been around for ages and isn't the end of the world, and Google isn't guilty of anything... they aren't doing anything wrong and their service is less troublesome than other services that involve caller ID spoofing.

Now... as I wrote this I was browsing Lauren's site and I found the occasional interesting note... most of which I didn't agree with... but it was enough that it may just appear on my bloglines in the future... assuming the quality of the content is better in the future than it was in this Google post.

Peace,
HT

Categories: Personal Tags:

Episteme IT/InfoSec Career Portfolio Teleseminar & Podcast Series

Mike Murray recently made an announcement on his blog.

During the remainder of November and December he will be hosting a series of "teleseminars" which will be released afterwards as podcasts. These podcasts will include some interesting individuals and I'm sure they'll prove to be very useful to those interested in or currently developing a career in Information Technology / Information Security.

Over on the announcement there's a mailing list that you can subscribe to in order to receive additional information on the upcoming series. I've already added my name to the list, and you'll find me listening to all the seminars.

The roster for these seminars is as follows:

Linda Ferguson of NLP Canada Training on Integrated Thinking for IT Professionals. Linda and I are going to talk about the key social, emotional and thinking skills that make a successful IT career. We'll explore the different types of intelligence: social intelligence, emotional intelligence, and those thinking skills that can make you a successful individual contributor and manager. We'll explore the most fundamental question: What resources do you need in order to have a wildly successful information technology career?

Scott Blake of Echelon One on Being a CISO. Scott is responsible for managing and executing Echelon One's CISO roundtables - beyond being a former CISO, he works with CISOs as part of his day to day job. Scott and I are going to talk about what CISOs are all about - what they expect, what they need, and equally important - how you become one.

Tim Keanini of nCircle on Managing Creativity, Technical Skill and your Network. As CTO of nCircle, one of his biggest tasks is to bring together groups of really smart people and discuss, create and learn about new technology. Anyone who knows TK is amazed at his ability to bring together technical skill, creativity and synthetic thought, and an uncanny ability to bring together a network of really smart people. We're going to explore TK's mind and get some nuggets of brilliance from him.

Lee Kushner of LJ Kushner & Associates on Getting Hired, Getting Promoted and Building A Career. As president of LJ Kushner & Associates, Lee is a wealth of knowledge about what information security careers look like these days. We're going to talk about the skills, traits and experience that make a successful career in information security. Lee has brilliant advice about what can make you a more successful internet security professional today.

The Career Coaches Panel - We will bring together three life and career skills coaches including Ron from The Geek Coach and Dan from FRACAT to discuss the trends that they're seeing in IT careers these days, and the useful social intelligence and career skills that really matter in IT today.

I'm also willing to bet that Mike will be present to add his thoughts and insight.

While we're discussing the Episteme blog, there was an interesting post earlier on how job interviews are a sham.

That's all for now... Just wanted to share the information.

Peace,
HT

Categories: IT, Personal Tags:

Just a quickie.

This is just a quickie to share some of the more interesting points of the day... nothing too long, but hopefully it'll still be informative.

It's the little things in Gmail - A run down on the Google blog of some of the smaller additions to Gmail that they really enjoy.

Public PoC released for MS06-070 - The MSRC is reporting a new MS Advisory addressing a recently posted public PoC for the vulnerability addressed in MS06-070. As I post this the advisory link doesn't seem to be working.

Interview with LMH - eWeek sat down and had a little chat with LMH (The mind behind MoKB). It's an interesting read.

Like I said... short and sweet today...

Peace,
HT

Categories: Daily Link List Tags:

Huh…?

As many of you may have guessed... I read a good number of blogs on a daily basis... My bloglines feed contains 191 feeds (6 of which I don't consider to be tech related)... One of my favourite blogs to read is the SecuriTeam blog... They keep you up to date on most things, and they do some cool things themselves.

This morning, however, I was a little disappointed. I read their RSS feed and saw a new article outlining Microsoft's scheduled patch release on Tuesday... No big surprise. I've got that and half the IT bloggers out there have posted it. The problem I had with it was that they essentially said this was the first time Microsoft had given advance details on what the updates were...

From the blog:

When releasing information about the upcoming security patches for next Tuesday, the Redmond guys informed about one Security Bulletin related specifically to Microsoft XML Core Services, i.e. they are fixing an Extremely Critical code execution vulnerability in the XMLHTTP 4.0 ActiveX control that is part of XML Core Services.

It was the first time today that they shared more detailed information about the target of upcoming bulletins via the Microsoft Security Bulletin Advance Notification program, started exactly two years ago.

So there are two problems with this... yet only one should apply, depending on how you are supposed to read the blog...

Problem 1:
Microsoft was warned of a flaw in XML Core Services that was being exploited in the wild. As usual, when presented with this information, they published an informational security advisory about the vulnerability. These advisories are commonly published and are completely unrelated to the Advance Notification program. So the fact that we have the informational advisory is nothing new.

Problem 2:
The actual Advance Notification looks like this:

On 14 November 2006 Microsoft is planning to release:

Security Updates

One Microsoft Security Bulletin affecting Microsoft XML Core Services. The highest Maximum Severity rating for this is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates will require a restart.

Five Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.

I believe that the SecuriTeam blog post is actually referring to the section I have bolded (the separate XML Core Services bulletin)... that this would previously have just said "Six Microsoft Security Bulletins affecting Microsoft Windows". However, this is not the case; just last month the Advance Notification looked like this:

On 10 October 2006 Microsoft is planning to release:

Security Updates

Six Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.

Four Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

One Microsoft Security Bulletin affecting Microsoft .NET Framework. The highest Maximum Severity rating for this is Moderate. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.

As you can see from the bolded section (the per-product breakdown, with Office and the .NET Framework called out separately), Microsoft was already publishing this level of product-specific detail a month earlier, meaning this month's notification was nothing new.

So all we've got for this month's advance notification is a notification that's formatted the same as last month's, and an advisory that was released to deal with "exploits in the wild". These two simply happen to coincide... nothing amazing here, and the SecuriTeam blog posting, judging by its last line, was just a failed shot at Microsoft:

Hey boys and girls from One Microsoft Way, are you starting something totally new or is the main reason the remarkable number of sites publishing the sploit code?

So, if it was a shot... the guys at SecuriTeam need to grow up... if it was a misrepresentation based on what was seen this month, they just need to get their facts straight for the future.

Peace,
HT

Categories: IT, Security Tags:

Microsoft Security Bulletin Advance Notification (Nov. 2006)

Summary:

1 Update - XML Core - Severity: Critical
5 Updates - Windows - Maximum Severity: Critical
2 Updates - Non-Security
From Microsoft:

Summary
=======
On 14 November 2006 Microsoft is planning to release:

Security Updates

. One Microsoft Security Bulletin affecting Microsoft XML Core Services. The highest Maximum Severity rating for this is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates will require a restart.

. Five Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.

Microsoft Windows Malicious Software Removal Tool

. Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

. Microsoft will release No NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).

. Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Categories: IT, Security Tags:

Microsoft / Novell Agreement..

Novell this.... Microsoft that... SuSE will gain ground.... Red Hat will gain (more) ground.. Kudos, Novell... Novell is the new SCO... This is great news... This is horrid news... It's the end of the world!!!!!!....
The reactions to the Microsoft / Novell agreement couldn't be more.... manic. Everyone and their "mother/brother/sister/father" is chiming in on the subject... and most people have nothing (and less than nothing) to share... I'm about to become one of those people.

When I saw this, the first thing I thought was "Woohoo!" This has the potential to change things that I mentioned in a previous post. I thought the patent covenant for SuSE users and open-source, non-commercial developers was a great thing. It seems there are plenty of people that disagree. The anti-Microsoft crowd thinks this is the death of SuSE... To call Novell the new SCO is nothing but the words of a true Linux zealot. These attacks on Novell and this agreement are the sign of little kids... anti-social, "using Linux makes me cool" people. The potential for improvements and advances to Linux over the next five years is huge...

We could see full AD integration of linux clients in the enterprise environment. We could see improvements to Evolution that allow full interoperability with Exchange. Full support for Microsoft Office file formats in OpenOffice... maybe even an effective, non-command line method of working with Access databases. I see Virtual PC for Linux, WMP for Linux and maybe even IE for Linux... Is this what the agreement outlines? Not in the least but it's all possible now... more possible than it was a month ago. I'd rather take an optimistic outlook on this... I was also happy to see that I wasn't the only one with a positive take on all of this, a buddy of mine, J_K9, blogged regarding this previously.

I was even surprised by Mark Webbink, Red Hat's general counsel, in his interview with SearchOpenSource.com. To say things like:

But let's see where we all are a year from now. We will still be standing. We still believe that we will be the dominant player in the Linux market because, by that time, there won't be any other Linux players. We will have succeeded once again.

I think that's very short sighted... I also think it's sour apples. To me the entire interview read like, "We're pissed that it wasn't us in the deal so we're going to bash Novell for taking part in this."

So for the most part this is all old news... So why am I blogging about it today? One reason.. A blog post I came across on Linux Journal. It seems that Nicholas Petreley wants to run... He even goes so far as to suggest that all SuSE users should dump the distro and find a new one... As a SuSE user (it gets equal face time with Ubuntu, Mac OS X and Windows XP... I like to spread myself across the operating systems :) ) I take offense at that statement. Novell is a great company with great support for their customers. I've dealt with them for both end-user support and business purchasing and I've never been unhappy with the support or suggestions they provided me.

Nicholas also makes use of the information in a way that supports his arguments... He's more than willing to quote the Novell FAQ on the subject when it's beneficial to him, yet provides "quotes" from Microsoft General Counsel Brad Smith without links to back them up. The thing is that none of this makes any sense because it doesn't give any bearing to Nicholas' point of view. Novell claims they don't infringe on any Microsoft patents, yet Novell is going to pay Microsoft for a patent covenant. The thing that Nicholas doesn't seem to get is that this covenant isn't for Novell... It's for Novell's users... The people that run SuSE... It applies to open-source developers... Novell is paying so that the community can build and use open source software without fear of prosecution from Microsoft... I have a lot of respect for Novell for doing this... It's pure benefit to the OSS community.

Nicholas makes his second statement based on comments from a lawyer for the FSF. First, Novell has already addressed this... Secondly the portion of the GPL that Nicholas quotes is as follows:

If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

The thing is... Novell isn't paying a royalty to distribute the "Program"... they are paying on behalf of their customers... I don't see this as a violation in the least.

The rest of Nicholas' post goes on to outline how he wants to eliminate SuSE from his hard drive and asks everyone else to do the same... He sees this agreement as nothing more than a Microsoft attempt to eliminate Linux... I see him as another Linux zealot...

I guess I'm just never going to get why people want to look at Linux as a private, partially-interoperable home operating system. Why can't they see its ability to be an enterprise operating system, fully interoperable in a Microsoft environment? Why can't they see the business side of it instead of their personal battles with Microsoft? The little comments from Nicholas... and Webbink and all the other bloggers that are bashing this are just that... little comments from closed-minded individuals...

This is a great time for Linux and OSS... I'm looking forward to the results of the next five years and say kudos to both Novell and Microsoft... Let the good times roll!

Peace,
HT

Categories: IT, Personal Tags:

News of the day…

The daily link list...
News of the day... whatever.. here it is.

Network Access Controls - NetworkWorld has a great article entitled "How much can a LAN switch protect your network?".. It's a high-level, quick reference guide to 802.1X, packet filtering and VLAN "schwinging".

Mozilla rolls out 1.5.0.8 - The really interesting point of this article wasn't that there were more vulns in Firefox and that an update was required... but that Mozilla plans to end support and security updates for Firefox 1.5.x in April of 2007. Just a quick heads up for everyone.

PNRP (Peer Name Resolution Protocol) - I'm probably slow to the gate on this one, but I came across PNRP for the first time today.... I can't say I'm overly impressed, or see a real use for it... The "technical documentation" is not technical at all, giving no real details on how it works.. It looks like routing to me... "Do you know how to get to this address?". This technical document also outlines how it overcomes DNS shortcomings like caching, but then goes on to mention how PNRP hosts will look in their cache... It's also an IPv6-only technology... I'd love more details if anyone has them... perhaps something technical instead of this Microsoft marketing speak... I may do more research on this in the near future.

Vista RTM - Not much else to say but Vista has gone Gold.

Process Monitor - This product comes out of the Microsoft/Sysinternals team... It's a combination of Filemon and Regmon. From the Microsoft Site:

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Vista Security Guide -  From the site:

Welcome to the Windows Vista Security Guide. This guide provides instructions and recommendations to help strengthen the security of desktop and laptop computers running Windows Vista™ in a domain with the Active Directory® directory service.

In addition to the solutions that the Windows Vista Security Guide prescribes, the guide includes tools, step-by-step procedures, recommendations, and processes that significantly streamline the deployment process. Not only does the guide provide you with effective security setting guidance, it also provides a reproducible method that you can use to apply the guidance to both test and production environments.

The key tool that the Windows Vista Security Guide provides for you is the GPOAccelerator.wsf script. The tool enables you to run a script that automatically creates all the Group Policy objects (GPOs) you need to apply this security guidance. The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.

That's it for today... I've got a bigger issue, regarding the MS/Novell deal... however it requires its own post.

Peace,
HT

Categories: Daily Link List Tags: