
February 2007 Archives

February 1, 2007

Skype Might Not Be So Bad

After my posting last night regarding Skype insecurity in the workplace, I was contacted by their PR agency. They directed me to a few references on the topic. In the spirit of information sharing, I'll direct you to the most interesting link: their Guide For Network Administrators.

Well, I was shocked. Here is a document dated October 2006 which discusses methods to deploy and manage Skype in the enterprise. For me, the most interesting part of the document is the discussion of registry settings to manage configuration options. If your endpoints are in a Windows Active Directory domain, you can use GPOs to control the settings; for non-domain systems you set the registry values directly. There are also some brief discussions of custom MSI builds.
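As an added example (my own code, not from Skype's guide or the original post), here is a PowerShell script that applies a machine-wide Skype lockdown through the registry and then audits the machine for drift from that lockdown. The key path and the DWORD value names are assumptions taken from my reading of Skype's IT Administrators Guide for Skype 3.x; verify them against the guide's own table before deploying. On domain members you would push the same values through a GPO; the audit function is the piece you run on non-domain systems, where nothing re-applies the policy for you.

```powershell
# Added example, not from Skype's guide or the original post.
# Assumptions (verify against the Skype IT Administrators Guide you deploy
# from): Skype reads machine-wide policy from HKLM\SOFTWARE\Policies\Skype\Phone
# and honours the DWORD value names below, where 1 means "disabled".
# Requires an elevated shell: HKLM\SOFTWARE\Policies is writable only by admins.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Skype\Phone'

$Lockdown = @{
    DisableFileTransfer = 1   # no file transfer over the Skype overlay network
    DisableApi          = 1   # no third-party programs driving Skype through its API
    DisableSupernode    = 1   # never relay other users' traffic as a supernode
    DisableVersionCheck = 1   # updates come from the desktop team, not from Skype
    DisableTCPListen    = 1   # no inbound TCP listener; outbound-only, like a browser
}

function Set-SkypePolicy {
    # Writes every value in $Values under the policy key (creating it if needed).
    param([hashtable]$Values = $Lockdown)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Values[$name] -Force | Out-Null
    }
}

function Test-SkypePolicy {
    # Returns the settings that are absent or differ from the expected lockdown.
    # An empty result means the machine is compliant.
    param([hashtable]$Expected = $Lockdown)
    $drift  = @()
    $actual = $null
    if (Test-Path $PolicyKey) { $actual = Get-ItemProperty -Path $PolicyKey }
    foreach ($name in $Expected.Keys) {
        if ($null -eq $actual -or -not ($actual.PSObject.Properties.Name -contains $name)) {
            $drift += "$name missing"
        } elseif ($actual.$name -ne $Expected[$name]) {
            $drift += "$name = $($actual.$name), expected $($Expected[$name])"
        }
    }
    return $drift
}

Set-SkypePolicy
$drift = Test-SkypePolicy
if ($drift.Count -eq 0) { 'Skype policy compliant' } else { $drift }
```

The point of the audit function is that a lockdown written once is not a lockdown kept: a reinstall or a helpful user with local admin rights can remove the values, and on a non-domain machine no GPO refresh will put them back. Scheduling `Test-SkypePolicy` and alerting on non-empty output gives you the same assurance GPO reporting gives you in the domain, provided the Skype build you deploy honours the policy key at all.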

I wouldn’t go so far as to endorse Skype in my enterprise, yet. Nonetheless, I’m encouraged by these findings. Check them out for yourself.

February 2, 2007

Rhapsodic For RSA

To say the least, all of us here at nCircle are excited about RSA next week. It's a delight that the biggest security conference of the year is only a few blocks from work. To anyone traveling to SF, it's been a bit chilly and the typical bay breeze has been picking up in the evening. I also see we can expect some rain late next week.

A few items I wanted to draw to your attention for next week.

* The nCircle booth will be at #931. Stop by and say hi. Check out demos and presentations. OK, yes, that's a bit of a pitch, but it's the best place to find any of us bloggers if you dare to meet us in person.

* Don't miss your chance to see me and Mike Murray back together again scaring your pants off by discussing the insecurity of smartphones. I'm genuinely excited to be able to collaborate with Mike again.

* Get your fill of the nCircle Slice at our cocktail reception


Details on our corporate website

I hope to find some time to blog while at the conference and look forward to meeting everyone.

Safe travels.

February 5, 2007

RSA Conference Website Down?

Well, I went to check a few last-minute items and it looks like something is amiss with the RSA conference website.

Heading over to http://2007.rsaconference.com/US/ redirects one to https://2007.rsaconference.com/US/

What I got was a blank site, with the source below.

[Screenshot: page source of the blank conference site]


I'm guessing that someone didn't adhere to their change control policies.

Follow up 8:50AM: The site appears to be fixed now. I bet someone over there was sweating it out.

Day 1 RSA

This evening I hit the expo "sneak peek" available to full conference attendees. It's nice to walk the floor without having to swim upstream through the masses. Of course, the free food and drinks never hurt. First impressions -- lots of "compliance" and "metrics" buzzwords. It's always fun to watch the marketing evolution each year. As for best booth, my initial vote goes to Arbor. The booth entrance is a waterfall of smoke with a projector shooting onto it. The effect is stunning and catches you off guard. I'd also suggest talking to the Veracode team. They are doing some really interesting software security analysis.

Tomorrow is my turn on the smartphone insecurity panel at 4pm.

More to come as the week unfolds.

February 7, 2007

RSA Day 2 - A bit of everything

Tuesday began with skipping the Bill keynote to have a quiet breakfast. Most attendees don't wander more than a block from the Moscone, so I was surprised to see another RSA attendee come sit next to me. Turns out that he works at Microsoft and didn't have much desire to see Bill talk again either. Though I never did get a good sense of his job and position, he'd obviously been in a few meetings with Bill, given his personal account of said leader of the software giant.

Tuesday afternoon was our smartphone insecurity panel. The panel was a joy and we got a good turn out. The questions, though, were a bit on the light side. Either we had done a good job of covering all the topics, or everyone was bored :-)

The night was closed by the Veracode launch party. Lots of great people, a nice event and I got to awkwardly introduce myself to Simple Nomad. I'm sure he'll never remember me.

Today's plans:

Attend some sessions; hit the Vontu and PointSec booths. This evening is the nCircle reception and the blogger hook up. See you there.

--S

February 16, 2007

Free Lunch :: Request Tracker (RT)

Product Information

Name: Request Tracker
Website: http://www.bestpractical.com/rt
Category: Ticketing System
Date: 16-Feb-07
(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive)

Request Tracker, better known simply as RT, is touted as an enterprise-grade ticketing system. In the world of free ticketing systems, most of us only really have two options left: OTRS and RT. RT is Perl based and uses your favorite SQL database. On the front end, it can take advantage of either mod_perl or FastCGI. Like most ticketing systems, it has a number of ways to create, update and manipulate tickets. Its front end is a web-based system using Mason (HTML::Mason) for HTML construction. Other input methods include email and command-line tools.

Speaking of Perl and Mason, this is perhaps RT's biggest downside. Perl for HTML construction isn't the fastest or most popular thing on the market. However, RT does have some nice features we've come to expect from enterprise ticketing systems. Inbound emails generate new tickets and subsequent correspondence is threaded accordingly. The built-in business logic mechanism is called 'Scrips': a Scrip pairs a condition (for example, a transaction of a given type on a ticket) with an action (set a field, send a templated email), so one can perform basic to moderate ticket manipulation and automatic email correspondence based on predefined conditions and actions.

The extensibility and customization of RT isn't too bad, nor is it necessarily fun. Thankfully, the system was developed with an object-oriented mindset, so it's fairly straightforward to override method calls and alter the UI. Best Practical, which appears to be the consulting arm of RT's author, Jesse Vincent, also provides a few add-on modules. These include a FAQ-manager type of knowledge base (RTFM) and an incident response tool (RTIR). Outside of these modules, the asset tracker add-on from a third party rounds out the best of RT. Combine the base RT with asset tracking and you have an instant ITIL service desk tool.

Installation of RT is par for the course. First, get your software installed: web server components, a database, Perl and a ton of Perl modules. From there it's the expected set of steps: database schema, config files and base setup via the web UI. The security configuration of user access control and custom fields can at times be a bit confusing. Best to create yourself a few test accounts with various permissions and run a full set of tests before going into production.

Product Rating

Features:
Ease of Use:
Documentation:
Community:
Overall:

The community around RT has been pretty stable and active for a few years. The basic rt-users email list ranges from 300 to 600 messages a month. The online installation docs are in wiki format. Despite the fact that I despise install docs in wiki format, the wiki users are actively contributing.

Personally, I've been a user of RT for many years and always recommend it as an option when looking at ticketing systems. My one suggestion is to realize that Mason is slow, so allow for enough horsepower and be ready to do some FastCGI tweaking. RT is licensed under the terms of version 2 of the GNU GPL.

Enjoy the Free Lunch.

(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive. Remember, this is not an endorsement by nCircle. Please see my FAQ.)

PodTech Video From The RSA Blogger Meetup

So a buddy just alerted me that PodTech posted a video from the security blogger meetup during RSA week.

Unfortunately, immediately after RSA I flew to southern California for a week. Hence I never got a chance to post the traditional RSA follow-up. Let's just say that it was a great week. By far, the security blogger event was the highlight.

February 20, 2007

On Death of Defense in Depth and Life To Digital Maoism

Digital Maoism: The Hazards of the New Online Collectivism, Jaron Lanier's essay, argues that the new faceless Internet community has already brought about the death of individuality and creativity. Back in August, I pondered what would happen if his ideas were applied to information security. And now we have TK proclaiming the death of Defense in Depth and life to Defense in Diversity. Are we to believe that following the hive mind of best practices is doom and not boom?

The goals of our work speak loudly:

* Share information
* Establish best practices
* Deliver on that gold standard
* Reduce overhead
* Create a seemingly secure-looking hive
* The outcome: reduced risk

Many of us recently spent a week at RSA. Anyone who spent more than 10 minutes on the exposition floor walked away inundated with compliance acronyms – PCI, SOX, HIPAA, FISMA, GLBA. In fact, there is an entire conference track called “standards”. Outside of security specifically, we live by standards – the RFC, Task Forces, Consortiums, Steering Groups, you name it. The goal is simple; deliver on a mostly unified practice, theory or protocol such that we can all intercommunicate. The basis of shared knowledge. Perhaps you might take it a step further and say that standards are at the core of the Internet.

We live by standards; we aim to deliver the McDonald's of security: build the best burger once in the lab and mass-produce it everywhere. Are we to believe that great thinkers of our day like TK and Jaron Lanier are telling us to quit conforming? To what degree should we be applying their warnings and suggestions?

Obviously neither TK nor Lanier has specifically said to go about modifying how each of our systems implements TCP. In fact, modifying your TCP code would probably make your implementation "TC", as the word Protocol implies following a standard. More generally, however, it's fair to say that both believe that a monoculture, a monotonic organism (the species), will eventually bring about the fall of what we admire.

Though TK provides a valid argument and interesting discussion topics, he unfortunately fails to provide us with task-oriented examples. Simply saying to "decouple the server from the service", or his analogy of load balancers and server farms, really provides little direction for security operations. As for Lanier, wouldn't the hive of one community become an organism unto itself? The new larger organism would represent diversity from other community organisms. The same is true for security. Obviously each company will produce its own cheeseburger of the security standard. In fact, it's fair to say that each business unit of each organization delivers its own menu. It's not that we aren't working towards diversity, it's just that the set becomes larger.

Let us return to the threat model. Microsoft products have inherited a larger threat model because of two factors. First, the installed base is large and the potential payoff is promising. As that grows, so does the number of threat vectors. It's a self-feeding loop, an organism unto itself. I put forward that we are at the cusp of the same model for compliance initiatives. As each entity (the organization, network, system or service) becomes more compliant, the diversity of the set dwindles, producing a larger and more attackable set. More persons will work towards delivering threats to the set. A single successful attack vector spells doom for many sets. In this regard, the more we follow the same set of compliance initiatives, the larger the threat.

As TK noted, it's important to understand that "just because it cannot be implemented in your current system does not make the principle wrong." Too often we are forced into a situation where we must take the principle and find a way to implement it. However, it's those who make the leap from thought to action whose names we remember in history.

February 23, 2007

Please crack into my online 401k account

No, please don’t try. I’m not extending an open invitation to anyone, but my 401k company is putting us at risk. We recently changed 401k vendors and yesterday in the mail I received my welcome letter and access PIN.
[Image: the clip-and-save box at the bottom of the welcome letter]
What you see here is at the bottom of the letter, an invitation to write down my social security number along with my PIN, then clip it out and save it. Anyone at work reading this? Well good, here is my advice:

  • DON'T write down your SSN
  • DO shred the letter
  • DO change your PIN
The content of the welcome letter is fine and good, but I take serious issue with two items.

Note: even though the image above says "nCircle Network Security", we didn't send out the letters. They were sent by the 401k company, so don't think for a moment that this is common practice at nCircle. What's more, I bet everyone at the many organizations using this large, nationwide company has been put at risk.


February 27, 2007

What’s old is old again – vulnerabilities in Office 2007

Old Microsoft is old again and Britney with a shaved head is more interesting

After a year of listening to Microsoft tout its new security features and explain its rigorous life-cycle testing of Vista and its new Office 2007 suite, we appear to be right back on the same path. Last week eEye hinted at an advisory in Publisher 2007. A day later we learned they had in fact disclosed a vulnerability to Microsoft in the Publisher 2007 file format. Didn't we do this already in Office 2003? Oh yes, we did, a few times. Yesterday we learned that Symantec reported a pair of vulnerabilities in Word 2003 and Excel 2003. Apparently, a Russian researcher found a new exploit in, you guessed it, the WMF file format.

The new, yet-to-be-disclosed vulnerability in Publisher 2007 probably won't affect many enterprise shops. Publisher isn't an enterprise application and historically has been targeted at the SMB market. As I recall, the last time I installed Office from CD, wasn't Publisher on an entirely separate CD? In recent years it has taken a slight step forward with its integration with SharePoint, Microsoft's enterprise content management and intranet platform. Nonetheless, if Publisher was subjected to the same rigorous security testing as the rest of the Office 2007 suite, we can probably assume that similar bugs will eventually end up affecting Word and Excel. The real question today is "just how good was Microsoft's stepped-up security testing of its new products, for a vulnerability to have been found so quickly?"

The fight is getting old and taxing. The insecurity of Microsoft apps probably keeps 20% of security operations employed. How many times do I need to deploy new GPOs to set a kill bit on some ActiveX bug? Just how many file formats can we be excluding at our perimeter email gateways? We worry about the loss of intellectual property. Seriously, it may get so bad that unless you convert all your Word docs to text only, you will be unable to find any buyers for your stolen IP. I can imagine a new SOA market: conversion of Office docs to their equivalent text-only formats for the purpose of black-market dealings. Vulnerabilities aren't going to go away, but let's get something new. How about a new multidimensional attack worm? How about something funny like the Solaris telnet vulnerability? I've got to imagine that security teams, press and consumers are probably pretty bored as well. That probably explains why we all flock to our computers to see pictures of Britney shaving her head.
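Since the post leans on the kill bit as the standard response to an ActiveX bug, here is an added PowerShell example (mine, not code from the original post) that sets and verifies one. The mechanism is Microsoft's documented one: Internet Explorer refuses to instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" DWORD under the ActiveX Compatibility key. Two details matter in practice and are what the script shows: the bit is ORed into any flags already present rather than overwriting them, and on 64-bit Windows the 32-bit IE reads the Wow6432Node copy of the key, so a kill bit set only in the native key leaves 32-bit IE exposed. The CLSID at the bottom is a placeholder for illustration, not a real control.

```powershell
# Added example, not from the original post. Mechanism: IE refuses to
# instantiate a control whose CLSID has bit 0x400 set in the DWORD
# "Compatibility Flags" under the ActiveX Compatibility key.
# Requires an elevated shell (writes under HKLM).
$KillBit    = 0x400
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the redirected hive; a kill bit
    # set only in the native key leaves 32-bit IE unprotected.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatibilityFlags {
    # Current flags for a control's key, or 0 if the key or value is absent.
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-ActiveXKillBit {
    # Sets the kill bit for $Clsid in every applicable hive.
    param([Parameter(Mandatory)][guid]$Clsid)
    $name = '{' + $Clsid.ToString().ToUpper() + '}'
    foreach ($root in $CompatKeys) {
        if (-not (Test-Path $root)) { continue }   # no Wow6432Node on 32-bit Windows
        $key = Join-Path $root $name
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in; overwriting would clobber other flags already set on the control.
        $flags = (Get-CompatibilityFlags $key) -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $flags -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    # Returns the hives in which the kill bit is NOT set; empty means fully covered.
    param([Parameter(Mandatory)][guid]$Clsid)
    $name    = '{' + $Clsid.ToString().ToUpper() + '}'
    $missing = @()
    foreach ($root in $CompatKeys) {
        if (-not (Test-Path $root)) { continue }
        if (((Get-CompatibilityFlags (Join-Path $root $name)) -band $KillBit) -eq 0) {
            $missing += $root
        }
    }
    return $missing
}

# Placeholder CLSID for illustration only; substitute the CLSID from the advisory.
$placeholderClsid = [guid]'12345678-1234-1234-1234-123456789abc'
Set-ActiveXKillBit  $placeholderClsid
Test-ActiveXKillBit $placeholderClsid
```

For domain machines the same two registry values are what you push through the GPO (a registry policy or preference item per hive), and `Test-ActiveXKillBit` is the check to run on a sample of hosts afterwards; it catches both the forgotten Wow6432Node path and a later vendor installer that rewrote the flags without the bit.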

February 28, 2007

New Cisco Vulns

Just a quick note. This seems to be a good month for Cisco vulnerabilities.

Advisory ID: cisco-sa-20070228-nam
Advisory ID: cisco-sa-20070228-mpls

About February 2007

This page contains all entries posted to Sync in February 2007. They are listed from oldest to newest.
