February 2005
February 27, 2005
Nsauditor: Network Security Auditing on the Cheap
Conducting a network security audit isn't very easy the first time you do it. You've got to either purchase a commercial audit package and learn how it works or assemble your own ad hoc toolkit from open source offerings. Either way, you're looking at hours of effort to get even a quick look at the security condition of your network.
Now you can conduct an initial audit in just minutes, with a total cash investment of only $37, thanks to Nsasoft's Nsauditor.
Nsauditor is a suite of 34 ready-to-run security scanners that will probe your network for common vulnerabilities and give you a quick heads up of any glaring exposures. It includes probes for MS and Sun RPC ports, MSSQL Server, NetBIOS, SNMP, SMTP, Web proxy, CGI, and LM/NTLM password vulnerabilities. It also includes a reasonably capable Security Events monitor, an IP ARP watcher, a routing monitor, a local connection analyzer, and a bevy of tools for performing various common network assessment tasks, such as validating DNS servers, verifying routing, and capturing and decoding Ethernet packets.
A built-in discovery scanner detects all live hosts on your network and executes more detailed scans on each automatically. A report generator creates XML-formatted reports detailing the results of each audit run.
Is this as complete a tool as heavy-weight vulnerability assessment packages sold by the likes of eEye, Foundstone, and ReddShell? No, but it's definitely way more than $37 worth of securityware. The package is a little rough around the edges, and documentation could be more complete, but any network professional with basic mouse-clicking skills can drive this program through its paces. If you're new to VA, this tool will let you get some basic hands-on experience at low cost. If you're an experienced network security auditor, Nsauditor can still give you a quick initial assessment to help you see where to best concentrate more detailed analysis.
Posted by Mel Beckman on February 27, 2005 at 7:51 PM
Don't Be Fooled by MIMO Hype
802.11n, the new WiFi standard slated to replace 802.11g, is still two years away from finalization. But that hasn't stopped a bevy of vendors from bringing so-called Pre-N products to market. The main draw with 802.11n is MIMO -- Multiple In, Multiple Out -- antenna technology, which can double the throughput of a WiFi network and increase its range and coverage by up to 100%.
A MIMO-enabled endpoint uses two or more (usually three to five) antennas to talk to a MIMO-enabled access point over several channels simultaneously, taking advantage of multiple paths between the devices to augment bandwidth and get around obstacles.
The trouble is that 802.11n is incompletely defined thus far, so vendors must make things up to fill in the blank spaces in 802.11n's specs. The obvious caveats for any pre-standard product apply: the product likely will not interoperate with other vendors, may not perform as well as the standard anticipates, and may never end up being compliant with the actual standard when it finally arrives.
To take advantage of MIMO's performance gains, all devices in a network must be MIMO enabled. In my tests, any non-MIMO devices dragged the network back down to 802.11g speeds instantly. Given the two- to three-times higher price for MIMO-enabled gear, you have to ask yourself if the cost is worth the risk. There are plenty of people who bought pre-802.11g gear who discovered they had incompatible doorstops when 802.11g became official.
If you're building a new network and can afford to throw the first iteration away, then MIMO might be a reasonable early leap. But for most of us, the fact that 802.11g works very well, and that we must coexist with legacy 802.11b and g devices, makes MIMO a no-no.
Posted by Mel Beckman on February 27, 2005 at 7:43 PM
February 11, 2005
Mozilla Firefox Browser Vulnerabilities

Platform: Mozilla Firefox 1.0, all platforms
Vendor Severity: not specified
Actual Severity: HIGH to CRITICAL
Just because it's not Microsoft doesn't mean it's perfect. The exodus of users from Microsoft's security-hole-ridden Internet Explorer to the open source Firefox browser is well documented. However, Firefox suffers from serious security bugs just like IE does, so vigilance is still required. To date Firefox hasn't suffered from the high rate of IE security gaffes, but this week three serious bugs in a row reinforce the need to keep an eye on all software patches.
The vulnerabilities occur in three completely separate areas of Firefox's user interface: tabs, dragging, and the Flash plug-in.
Bug 280056: When dropping a javascript link to a tab, the script runs in the security context of the site currently displayed in the tab
Bug 279945: Image drag and drop allows to create executable files
Bug 280664: Using Flash and the -moz-opacity filter you can get access to about:config and make the user silently change values
All of these can be exploited by a malicious server to compromise the security of a user's browser environment, which could lead to disclosure of confidential information, to arbitrary code execution, and ultimately to the takeover of the user's machine.
All three bugs are fixed in the latest build of Firefox, but getting and installing the latest build isn't as easy -- or as automatic -- as Microsoft's self-installing updates. If you deploy Firefox, you must manually upgrade each user's installation to the fixed version, which could be a tedious process.
This additional labor may still be worth it given the advantages of Firefox: immunity from IE exploits, such as spyware and keystroke logging; resistance to cross-site script attacks; and built-in control over pop-up ads. The lesson here is to avoid complacency. While Firefox is safer than IE today, it's still software and still contains bugs that require close monitoring.
Posted by Mel Beckman on February 11, 2005 at 10:24 AM
Bevy of Critical Microsoft Flaws

Platform: Internet Explorer 6.0
Microsoft Severity: Important to Critical
Actual Severity: HIGH to CRITICAL
Microsoft this week released a record number of vulnerability alerts and associated fixes. And in an unusual move, Microsoft first gave security administrators a heads up at the beginning of the week that a number of fixes were coming down the pike. Presumably these vic..., er, security professionals appreciated the warning so they could clear off their weekends for a fun time updating systems.
Microsoft announced twelve new security vulnerabilities, many rated Critical:
MS05-04: ASP.NET Path Validation Vulnerability
MS05-05: Vulnerability in Microsoft Office XP could allow Remote Code Execution
MS05-06: Vulnerability in Windows SharePoint Services and SharePoint Team Services Could Allow Cross-Site Scripting and Spoofing Attacks
MS05-07: Vulnerability in Windows Could Allow Information Disclosure
MS05-08: Vulnerability in Windows Shell Could Allow Remote Code Execution
MS05-09: Vulnerability in PNG Processing Could Allow Remote Code Execution
MS05-10: Vulnerability in the License Logging Service Could Allow Code Execution
MS05-11: Vulnerability in Server Message Block Could Allow Remote Code Execution
MS05-12: Vulnerability in OLE and COM Could Allow Remote Code Execution
MS05-13: Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution
MS05-14: Cumulative Security Update for Internet Explorer
MS05-15: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution
Such a flood of vulnerabilities (note the prevalence of the phrase "could allow remote code execution") should give one second thoughts about the Windows monoculture. Although replacing Windows on the desktop is problematical, I suspect this bug swarm will prompt enterprises to consider bumping Microsoft out of server roles. There are many good alternatives to Microsoft IIS, SMB and MSSQL servers.
Posted by Mel Beckman on February 11, 2005 at 9:46 AM
Symantec Buffer Overflow Creates Widespread Vulnerabilities

Platform: Symantec anti-virus, anti-spam, and firewall products.
Symantec Severity: High
Actual Severity: CRITICAL
Intrusion detection software vendor ISS Inc. yesterday reported a serious cross-product vulnerability in Symantec's security products, including stand-alone appliances. A buffer overflow problem in the Symantec scan engine, used in many Symantec products, could be exploited by a virus to compromise a Symantec-protected system.
Symantec acknowledges the problem, but reports that they have seen no instances of an exploit in the wild. The problem afflicts many editions of the company's consumer products for both Windows and Macintosh systems, as well as a number of Symantec enterprise products. The flaw also exists in Symantec Gateway Security 5300 and 5400 firewall appliances.
The specific module involved, DEC2EXE, is actually an obsolete component that Symantec products can live without; its function has been replaced by the Symantec AV Definition Engine, which is immune to this particular failure. Symantec says users can safely disable the DEC2EXE module by following instructions posted on its website at:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005020911112648
DEC2EXE is removed by the latest Symantec automatic software update for its products that support live updates. For Symantec's firewall appliances Symantec has posted a manual software fix.
Here are links to the ISS and Symantec security bulletins for DEC2EXE:
http://xforce.iss.net/xforce/alerts/id/187
http://www.sarc.com/avcenter/security/Content/2005.02.08.html
Posted by Mel Beckman on February 11, 2005 at 9:08 AM