The South African tax (wo)man (SARS) wants Linux! They want to port all their desktops and management infrastructure to Linux. The gotcha will be the 700 supported apps that need to be replaced or ported.
This leads me to a discussion I had yesterday about Microsoft's "TCO point". You know, the whole "careful, changing things costs money" argument. I realised that TCO is going to factor into *any* decision to switch from one system to another. However, you don't hear it coming from every vendor. Rather, vendors argue that their product is better than the competition, with the obvious premise that in the long term the better product will produce better returns. We don't hear that argument from Microsoft (apart from a few quickly smacked down, Microsoft-funded 'independent studies'); their focus is on TCO! TCO!
This makes me happy. It means Microsoft is losing. Their primary tactic is a weak one, and they aren't stupid: if there were better arguments, we would have seen them.
Mark Russinovich from Sysinternals (the guy who broke the Sony rootkit story) has a great entry on how a restricted local user (as opposed to a local administrator) can break out of Group Policy restrictions. He noted that the restrictions are enforced by the application itself, and since the user has control over that application, it can be modified.
To demonstrate this he developed an app, gpdisable, which intercepts calls to the NtQueryValueKey API, used for registry lookups (the local Group Policy object is stored in the registry), and returns 'corrected' values. In his words:
Users don't have permission to modify keys under HKLM, including the SRP settings, but Gpdisable fools the SRP code by returning an error value, STATUS_OBJECT_NAME_NOT_FOUND, whenever it sees a value named "TransparentEnabled" passed to NtQueryValueKey:
I am currently investigating how to secure user profiles in a Group Policy situation; however, that environment is far less restrictive and this isn't a risk there. I am learning that it is important to situate risks in your environment. Just because something is broken, it doesn't mean that it can't be useful.
I think this Software Restriction Policy manual would be great to mop up my cat's pee for example.
More information available at:
- CVE: CVE-2005-3840
- OSVDB: http://www.osvdb.org/displayvuln.php?osvdb_id=2707
- SecurityTracker: http://www.securitytracker.com/id?1015049
- SecurityFocus: http://www.securityfocus.com/bid/15089
I had the pleasure of watching Paul Bremer being interviewed on CNN earlier this morning. For those of you who don't remember, Paul was put in charge of the temporary government after America trashed Iraq. Paul made three interesting statements: he insisted that there were WMDs in Iraq, that there were clear links between Al-Qaeda and Saddam, and that the insurgents wanted to re-install an oppressive dictatorship.
You see, all insurgents basically want to install oppressive fascist regimes. Like those terrorists in South Africa who wanted to install that fascist communist government. Beware die swart gevaar!
But his first point was the most fun; he gave two powerful reasons as to why there are WMDs. First, nobody has proven they weren't taken to Syria. Ha! This is akin to saying "I will only believe you if you eliminate every other possibility, including that the nukes were hidden in cheese blocks and exported to the moon!" The next reason gave me a better insight into how Paul lives with himself. He said "Who would know better than someone who led 15 000 Americans in a search for them!" The implicit premise here is that if you look for something it must be there; the alternative would be that Paul would have to realise he had wasted his time and been complicit in a corrupt invasion resulting in many deaths and the destruction of a country.
Nobody wants to be Skeletor. In truth few are committed to evil; rather, their sense of righteousness blinds them to their deeds.
Not much damage, who saw that coming? With all the warnings flying around I was sure today was the end of the world. Of course all the warnings could have been the reason for the lack of damage, but I doubt it. I think this entire threat was overblown, but so do lots of people. The interesting part is what this tells us about threat reporting.
I believe that CME-24 wouldn't have had this much hype if it weren't for the web counter they found indicating the number of infections. Suddenly we had a decent threat monitor that didn't involve best guesses made from AV client reports, and people went mad. This worm didn't seem to provide any new infection vectors or any other particularly scary distribution tactics. Its destructive nature upped the 'impact' part of the risk equation, and the web counter let us measure the 'threat' part better. It seems that having an accurate measure is the same as multiplying what the 'best guess' threat level would have been by 100%. The counter implication is that the threat level for other threats is usually a 'best guess'.
So what CME-24 showed me is that we need better threat reporting, as indicated by the overreaction that resulted the one time we had it.
Wow, I am impressed with Firefox's new update functionality. AFAIK it uses binary patching to reduce download sizes. Firefox 1.5.0.1 was released in response to some vulnerabilities, and the entire update process took me less than a minute.
Click Help->Check for Updates.
Today went well. Nadia Musa, an ex-rhodent, was my "buddy" and showed me around; she was awesome and definitely went above and beyond. I was introduced to more people than I can remember (I usually have trouble remembering one new person's name). Does anyone have a tip on how to remember names? Most of the day was spent getting an info dump on how things work. By lunch time I had information overload.
My favourite part of the day was when I learned they have a central planning office. The commie jokes ran thick like vodka through my head, but nobody really appreciated them, least of all Lenin and Trotsky, who work there.
I got a kief laptop, a Dell Latitude D600. One of the privileges of being in SSG (Security Services Group) is that you get admin rights on your machine, so I promptly LiteStep'ed Windows and slapped Ubuntu on, despite warnings that the IT people wouldn't be able to help me if there was a problem. The Ubuntu install took less time than it did to configure bloody Microsoft *grumble* Outlook. I poked around in the network a bit; couldn't ssh out even with some tricks, but I didn't want to do anything too noisy on my first day. I reckon I have a shot at asking for access instead of investigating ssh proxy CONNECT tunnelling. The internal company homepage requires IE [sic]. I found IETab, a great Firefox plugin which uses IE as a rendering engine within a Firefox tab; now that's cool.
I am being deployed to a client tomorrow already. Talk about being chucked in the deep end. I am looking forward to it, although I may get lost in Jozi traffic on the way. Everyone there was very friendly and helpful and I can definitely see myself getting on with most of them.
The confidentiality policies are hectic and I figure I basically won't talk about anything work related other than my 'feelings' and 'emotions'. Hence the lack of disclosure of which enormous company I am being deployed to tomorrow. *strut*