Wednesday, February 25, 2009

Adobe Vulnerability More Info and Mitigations: article 200904

Yesterday I wrote about the Adobe flaw and, reviewing my post, realized I did not mention that another step to help mitigate this vulnerability is to use an alternative PDF reader that is offered free by Foxit Software. ZDNet posted an article today that pretty much bashes on Adobe, but if you get past that, down towards the end, Secunia (who has a great free tool I will write about in a future post) announced it was able to perform the exploit without the use of Java. If this is true then some of the mitigations proposed by Adobe may not be effective.

In an isolated environment I too created a malicious PDF with exploit code found on Milw0rm and disabled both JavaScript and "open in Internet Explorer", and it still crashed my Adobe Reader program, while Foxit opened it just fine.

There is also a link that points to information that gives you a URL to an actual malicious PDF. I am going to stop "blogging" now and am going to reset my environment and try it next.

Tuesday, February 24, 2009

Adobe and Excel exploits in the Wild: article 200903

Adobe announced last week that there is an exploit affecting their Reader and Acrobat programs and that they would not be releasing a fix until March 11th. Then, on the heels of that, Microsoft announced today that their Excel program has an exploit affecting versions 2007 and earlier.

So what's the good news in all of this? It was announced that the exploits do exist! It has been reported that Microsoft themselves have in the past known of a vulnerability and not rushed to fix it. Now we are up to speed and awareness can be heightened. The other silver lining is that this is an opportunity to raise security awareness with the use of real world examples.

There are some configuration changes you can make in Adobe Reader to help mitigate the risk, such as disabling JavaScript and not allowing PDFs to open in a web browser. Beyond that, good security practice can go a long way as well: making sure AV is running and up to date, not opening untrusted documents and attachments, and, if you receive an attachment via email, calling or writing the sender back to confirm they intended to send the document to you.
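One way to check an incoming PDF for the features the JavaScript mitigation addresses, as an added example (this is not code from the original post, Adobe or Foxit): a small Python triage script that counts the name objects behind script and auto-run actions in the raw file, decoding the hex-escaped names some droppers use to hide them. The risky-name list and verdict labels are my own choices, and the sample PDF is constructed inline.

```python
import re
import sys

# PDF name objects behind the features the mitigation above turns off, plus the
# other auto-run features: open/additional actions, external launches, embedded files.
RISKY_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile")

# Constructed sample, not a real exploit: a catalog whose OpenAction runs a script,
# with the /JavaScript name hex-escaped (/J#61vaScript) the way some droppers do.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"%%EOF\n"
)


def normalize_names(data):
    """Decode #xx hex escapes in names so /J#61vaScript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data):
    """Count risky name objects in raw PDF bytes; returns {name: count} for names found."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    text = normalize_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # a name ends at the next delimiter, so /JS must not match longer /JS... names
        count = len(re.findall(rb"/" + name.encode() + rb"(?![A-Za-z0-9])", text))
        if count:
            hits[name] = count
    return hits


def verdict(hits):
    """Script or launch markers warrant isolation; other auto-actions warrant a look.
    No markers is not a clean bill of health: the Feb 25 post above reports the
    crash with JavaScript disabled, so this check only covers one mitigation."""
    if any(n in hits for n in ("JavaScript", "JS", "Launch")):
        return "suspicious"
    return "review" if hits else "no-script-markers"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    found = triage_pdf(data)
    print(verdict(found), found)
```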

By the way, in defense of the software companies, there is much work, especially for Microsoft, to test software patches; think of all the versions and languages they support.

Monday, February 23, 2009

Personal and Small Business Data Encryption: article 200902

I am not a lawyer and the below statements are only my understanding of the laws. Therefore nothing below is legal advice but merely the suggestions of what I would do to best protect myself.

In the past much attention has been paid to the confidentiality of data as it flows across the Internet (a.k.a. data in transit). Well, have you ever thought about data in transit from a different perspective, say when a guy runs off with your Acer laptop, or Western Digital Passport, or one of the many thumb drives you picked up as swag at the latest convention? Now that is some data in transit that can reach a 10 on the pucker factor; quick!

Alright, so I am really talking about data at rest that is only in transit because your goods got swiped when you got up for that second stove top donut at Starbucks. Hey, you were only 15 feet away; the force field should cast that far, right?

The point is that it is important to protect the confidentiality of data while it is at rest too, and there is a great FREE tool that will do just the job: TrueCrypt. I personally use TrueCrypt to encrypt my USB keys, my pocket drives, and my laptop. I opt to encrypt the entire drives, but the program can be used in a number of ways and it really is quite simple.

For those that are not so technical there is a great beginners' tutorial where you simply create an encrypted container and drag your items into it. For a more advanced user, you can encrypt your entire hard drive with pre-boot authentication and a rescue disk. My personal laptop with a 60 GB hard drive took about 3 hours to encrypt and honestly I do not notice a performance hit; to give you a baseline, I pretty much surf the web, use the Microsoft Office Suite and watch CBTs.

An important note: when setting passwords anywhere, not just in TrueCrypt, make sure to select strong multi-character/multi-case alphanumeric passwords of at least 8 characters; 10 or 12 are nice numbers actually. An example: 0u812V@nH@l3n

Now this is good personal security info, but you small (and large, I suppose) business owners should take heed of this tool, especially if you're toting around customer information. Personally Identifiable Information (PII) laws are in effect and my understanding is that here in Texas our Attorney General Greg Abbott is serious about the protection of citizens' information.

If you are a small business owner and you must lug customer data around, make sure that you document that you encrypted the data. It is my understanding that TrueCrypt does not offer a solution for this. One idea I would suggest is to give your storage devices serial numbers, document the information, and include in the documentation those that you do encrypt.

Why all this trouble? Well, going back to the PII laws, if you lose customer data that is considered a breach, and based on where you do business you must notify those whose data you lost. Now some states, with your proof of encryption, will waive this, but other states, and Texas is one of them, will not. Now, I have had multiple lawyers in round tables that I have sat in tell me that you have the chance to argue your case if you can prove you did encrypt and the encryption was strong.

I really like TrueCrypt, but there are other alternatives. You can buy devices with encryption already enabled at the hardware level, such as Dell laptops with encrypted hard drives (FDE - Full Disk Encryption) and, for a thumb drive, IronKey. The bottom line is keep your data safe, and if for some reason you carry around customer data, do yourself and them a huge favor: encrypt it.

Sunday, February 22, 2009

Nmap: article 200901

Below is a nice video and some great links that can help you wade into using Nmap.

Nmap, created by Fyodor, is one of my favorite tools for everything from pen-testing to network inventory, and the price is right: free. I find it helpful for discovering nodes on a network, and if you come across something interesting it's helpful for determining what that node could possibly be.
Some examples of handy commands are:

"nmap -O " - this gives me a list of possible open ports and a solid guess as to what OS is running. A nice simple evaluation to make sure nothing more is open than should be.

"nmap -sP -PP " - this is useful when scanning a range that may be behind a firewall and you receive false information. The -sP goes no further than ping; this is handy for me when I want to just pipe the output to a file that I later edit to have a list of host names, if they resolve, and IPs. The -PP sends a timestamp request as opposed to the typical echo request.
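The hostname-and-IP list described above can be produced without hand editing if the scan is also saved in Nmap's grepable format (-oG). As an added example, not from the original post or the Nmap project: a Python parser for that format that merges the two lines Nmap emits for a host it both discovered and port-scanned, keeps the OS guess from -O, and lists the hosts that are up. The scan output below is constructed, not from a real network.

```python
import ipaddress
import re

# Constructed sample of nmap grepable output (-oG); not from a real scan.
# A host that was discovered and then port-scanned appears on two lines.
SAMPLE_GNMAP = """# Nmap 4.76 scan initiated Sun Feb 22 10:00:00 2009 as: nmap -O -oG scan.gnmap 192.168.1.0/29
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.3 (printer.lan)\tStatus: Down
Host: 192.168.1.4 ()\tStatus: Up
Host: 192.168.1.4 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 23/closed/tcp//telnet///\tIgnored State: closed (997)\tOS: Linux 2.6.X
# Nmap done at Sun Feb 22 10:00:05 2009 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_gnmap(text):
    """Parse -oG output into {ip: {hostname, up, open_ports, os}}, merging repeated hosts."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines and anything else
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": None, "up": False, "open_ports": [], "os": None})
        if name:  # empty parentheses mean the address did not reverse-resolve
            entry["hostname"] = name
        for field in rest.split("\t"):  # fields are tab-separated "Key: value" pairs
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                entry["up"] = True  # nmap only port-scans hosts it found up
                for spec in value.split(","):
                    port, state, proto, _owner, service = spec.strip().split("/")[:5]
                    if state == "open":
                        entry["open_ports"].append((int(port), proto, service))
            elif key == "OS":
                entry["os"] = value.strip()
    return hosts


def host_list(hosts):
    """The list the post describes: (ip, hostname or None) for each host that is up, in address order."""
    return [(ip, hosts[ip]["hostname"]) for ip in sorted(hosts, key=ipaddress.ip_address) if hosts[ip]["up"]]


if __name__ == "__main__":
    for ip, name in host_list(parse_gnmap(SAMPLE_GNMAP)):
        print(ip, name or "-")
```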

Darren Kitchen from HAK5 gives a nice intro in the video below.

Mark Wolfgang gives a nice quick read on some advanced scanning techniques.

And straight from the horse's mouth: NMAP Network Scanning written by Fyodor himself.