03/25/10

Permalink 11:35:28 am, by Fred Parks, 48 words
Categories: Priveon News

Priveon Training Schedule Updated

Priveon has updated our training schedule through June 2010 with offerings for the technologies listed below.  Check out the Training Schedule for more information or to register for a class.

  • Cisco Security Agent
  • Cisco Security Agent 6.x Upgrade/Migration
  • MARS
  • Cisco NAC Appliance
  • Cisco ASA
  • CEH (Certified Ethical Hacker)


03/16/10

Permalink 05:44:23 pm, by Chad Sullivan, 136 words
Categories: Security Advisories

Microsoft Virtual PC Creates Vulnerabilities

A Core Security researcher has announced a vulnerability in Microsoft PC virtualization that, in effect, can expose a vulnerability in applications where one did not exist on un-virtualized systems. The problem is that if you run an application in a Microsoft Virtual PC environment (which includes MS Virtual PC 2007, Virtual PC 2007 SP1, Virtual PC and Server 2005, as well as Windows 7 in XP Mode!), a vulnerable application may be exploitable because SafeSEH (Safe Exception Handlers), ASLR (Address Space Layout Randomization), and DEP (Data Execution Prevention) can be bypassed when run in the virtualized environment.

Microsoft has opted to NOT ISSUE A PATCH for this vulnerability. Just as a side note: Core Security notified MS about this on 8-19-09 according to the security advisory from Core Security.

The Core Security advisory (along with PoC code) is here.


Permalink 05:28:54 pm, by Chad Sullivan, 462 words
Categories: General Security

Interesting Data Leakage Statistics and Visibility

A recent article published by Trustwave on CSOonline.com provides some interesting statistics regarding data leakage from corporate environments. Based upon research of 200 actual investigations, it becomes fairly clear that data leakage is both a very real threat and that it will take multiple mechanisms to prevent this sort of targeted attack on your intellectual property.

The article states that 65% of leakage occurs through the following methods combined: Microsoft SMB sharing, remote access applications, and native FTP clients. What do I glean from this data? Well, for starters, it is clear that organizations are not doing enough to control their endpoints. Secondly, most organizations are struggling to really understand normal network flows versus suspect traffic flows.

As far as controlling your endpoints, it is really important that every organization takes a look at what they are doing to control their endpoints. This means ALL of the following: patching, software distribution, enforcement of an approved application list, and system lockdown. In many cases when discussing endpoint control with customers I hear "It is too difficult, our users are different." I understand that this can be a challenge, but I also know the difference between planning to regain control of YOUR endpoints over time and giving up. Start by controlling what you can, when you can. A perfect time to take back ownership would be during an OS migration. As you roll out Windows 7, lock it down and take it over. The time is NOW! Technologies like systems management tools from BigFix and application whitelisting from Bit9 are an excellent start to solving your computing woes.

(Notice that I said YOUR endpoints above... Unfortunately, most organizations seem to forget who 'owns' these resources. You need to make it crystal clear to the end user who owns the endpoint and the data on it, and remind them who, therefore, controls the policies regarding usage.)

As far as understanding the network flows, I agree, this can be a challenge. You need to start by simply implementing a tool to collect flow data from your network. This can be a combination of NetFlow, various network device logs, and security device logs. Either look at the data individually, or better yet, combine the data in a SIM. Now, baseline your network. Really understand which network flows belong to which applications. A tool like Lancope StealthWatch can really help you identify flows per segment, create thresholds, and alert on new unexpected flows or thresholds being crossed.

To wrap up, I have said it before and will say it again: "You need visibility!"

There is no real excuse for not looking at what is right in front of your eyes. Let's get a hold of this problem, define the solution, and implement the controls.

03/12/10

Permalink 01:44:28 pm, by Zach Brewer, 325 words
Categories: Security Advisories, General Security

CVE-2010-0624: Heap-Based Overflow in GNU Tar and GNU Cpio

GNU Tar and GNU Cpio are used for managing archives on many *nix distributions (note: most BSD distributions, including Mac OS X, use bsdtar). Both GNU Tar and GNU Cpio are capable of using the RMT protocol, a protocol used for accessing tape devices on remote systems over rsh/ssh. An example attack might involve a specially crafted tar file and a remote malicious server.

From the GNU Tar man page, we see that archive names that include a colon are assumed to be on another machine (note that a user would be prompted for the new key unless the remote machine is already in the known_hosts file):

If the archive file name includes a colon (‘:’), then it is assumed to be a file on another machine. If the archive file is ‘user@host:file’, then file is used on the host host. The remote host is accessed using the rsh program, with a username of user. If the username is omitted (along with the ‘@’ sign), then your user name will be used. (This is the normal rsh behavior.) It is necessary for the remote machine, in addition to permitting your rsh access, to have the ‘rmt’ program installed (this command is included in the GNU tar distribution and by default is installed under ‘prefix/libexec/rmt’, where prefix means your installation prefix). If you need to use a file whose name includes a colon, then the remote tape drive behavior can be inhibited by using the ‘--force-local’ option.

So an example attack scenario might include:

tar -cvf myuser@remotehost:/dev/st0/badarchive.tar

This vulnerability is fixed in GNU Tar 1.23 and GNU Cpio 2.11, although many distributions have not updated the related packages as of the time of this post. Users of affected systems should be cautious about any script or archive that uses the rmt client protocol in Tar/Cpio, or use the --force-local option when extracting archives.
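The advice above is to look for scripts that would trigger the rmt client. The following audit helper is an added example, not code from the advisory or from GNU tar: it applies the colon rule from the quoted manual text to tar command lines and flags any that name a remote archive without --force-local. The sample script it scans is constructed here for the demonstration.

```shell
# Added example (not from the advisory): flag tar command lines that would make GNU tar
# open a remote rmt session over rsh/ssh. Per the manual text quoted above, a colon in
# the archive name means user@host:file unless --force-local is also given.

# Print the archive name from a tar command line: -f NAME, -fNAME, bundled -cvf NAME,
# old-style "tar xvf NAME", --file=NAME or --file NAME. Input is a plain, unquoted line.
tar_archive_name() {
  set -f; set -- $1; set +f            # split into words without glob expansion
  [ "$1" = "tar" ] || return 1
  shift; first=1
  while [ $# -gt 0 ]; do
    case "$1" in
      --file=*) printf '%s\n' "${1#--file=}"; return 0 ;;
      --file)   printf '%s\n' "$2"; return 0 ;;
      --*)      ;;                                 # some other long option
      -f)       printf '%s\n' "$2"; return 0 ;;
      -f?*)     printf '%s\n' "${1#-f}"; return 0 ;;
      -*f)      printf '%s\n' "$2"; return 0 ;;    # bundled short options ending in f
      -*)       ;;                                 # other short options
      *f)       [ "$first" = 1 ] && { printf '%s\n' "$2"; return 0; } ;;  # old-style xvf NAME
    esac
    first=0; shift
  done
  return 1
}

# Return 0 when the line names a colon-containing (remote) archive and lacks --force-local.
tar_would_go_remote() {
  archive=$(tar_archive_name "$1") || return 1
  case " $1 " in *" --force-local "*) return 1 ;; esac
  case "$archive" in *:*) return 0 ;; *) return 1 ;; esac
}

# Read a script on stdin, report offending lines on stderr and print the hit count.
count_remote_tar_lines() {
  hits=0
  while IFS= read -r line || [ -n "$line" ]; do
    if tar_would_go_remote "$line"; then
      hits=$((hits + 1))
      printf 'remote rmt access without --force-local: %s\n' "$line" >&2
    fi
  done
  printf '%s\n' "$hits"
}

# Constructed sample script: the advisory's example plus safe and unsafe variants.
SAMPLE_SCRIPT='tar -cvf myuser@remotehost:/dev/st0/badarchive.tar /etc
tar --force-local -xf C:backup.tar
tar -xf ./local.tar
tar --file=backup@tapehost:/dev/nst0 -t
tar xvf ops@backup-host:/dev/st0'

printf '%s\n' "$SAMPLE_SCRIPT" | count_remote_tar_lines   # prints 3
```

To audit a real script, pipe it in the same way (`count_remote_tar_lines < backup.sh`); lines that are flagged should either be rewritten with --force-local or reviewed to confirm the remote host is intended.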

More information:
http://seclists.org/bugtraq/2010/Mar/99

03/08/10

Permalink 09:57:01 am, by Fred Parks, 149 words
Categories: General Security, Tivoli Endpoint Manager/BigFix, Mac OS X

Trend Micro Core Protection Module support for Mac released by BigFix

The Core Protection Module (CPM) solution from BigFix brings the anti-virus/anti-malware features of Trend Micro's OfficeScan product under the management of BigFix. This allows the administrator to consolidate software deployments, patch deployments, software and hardware inventory, anti-virus/anti-malware protection, and much more into one product using one administrative console.

The CPM solution has been available for a while for Windows based clients but many customers have had to use one-off solutions to manage their Mac AV protection even though they could manage all other aspects of the Mac with BigFix. BigFix has now released CPM support for Macs. Existing CPM customers will get the new features as part of their existing license agreement.

CPM is supported on Macs running:

  • Mac OS X 10.4 (Tiger)
  • Mac OS X 10.5 (Leopard)
  • Mac OS X 10.6 (Snow Leopard)

Here is a link to the user manual on CPM for Mac for more details.
