Monthly Archives: September, 2012

Patches! We don’t need no stinking Patches!

And you thought implementing a vulnerability program was too expensive!

Recently the CSIS Denmark released a report which highlighted 99.8 % of malware or virus infections could be mitigated by patching five key applications. Those applications, some of our favorite:

Internet Explorer – Lots of bells and whistles elements built into the browser which must be kept up-to-date for them all to be as secure as possible. IE is now a very secure browser for the most part, if kept patched! As with all browsers, if there is a dodgy website setup to exploit a browser weakness, unless it is a zero day (rare), patching will protect from this risk and is easy to deploy locally and administratively.

Windows Vista & Server 2003 – Both operating systems need to be kept up-to-date with a roadmap for upgrade to Windows 7 & Server 2008 respectively. If you weren’t aware, most users would rather still use Windows XP over Vista and would love to be upgraded to Windows 7. Both Server 2003 and Windows Vista have been out for a number of years and those naughty cyber-criminal syndicates are very familiar with exploitation. The operating systems are weaker than their upgrade counterparts due to some architectural flaws. An operating system infection is dreadful, you can’t trust any installed applications or the OS itself. They can also take the greatest amount of time and highest cost to remediate.

Adobe Acrobat Reader/Writer – The business, internet, research, and education necessary applications all computer users at one time (or 20 times today) have used much to our delight and frustration. Due to the widespread usage of the apps and lack of patch management they are a juicy, luscious easy target.

Java JRE– Again, widespread usage and lack of general patch management is a driving force behind infections. Also, this application, similar to many Adobe products, suffers from a less than favorable security reputation.

Here how expensive not patching and vulnerability testing is:

You have to call the CEO and or the board to an emergency meeting. A trusted third party supplier infected your network and compromised very publically a primary database of customer information. It seems quite sensitive customer information that is. The CEO and or other higher up well known for arse-chewing or at least the level that can terminate you instantly is on vacation. As an extra bonus, it is 2 am his/her friendly, understanding corporate officer’s local time. No matter if your IT Security department had sign off, documented meetings, warnings etc.… to the upper management or board that a program was needed it will still cost reputation, business and possibly jobs before the dust is all cleared.

If you are new to the topic, a fantastic resource for assistance is Reddit NetSec and need some solid answers. Try to avoid loss from the door being left unlocked to all your organization’s information because of an aged or insecure application that in most cases just needs a free patch. If your patch and vulnerability testing is lacking, get up to speed now. If all else fails, you can learn to use some new tools and update your CV/resume, just in case due to pressures within your organization there is a risk of ever having to make that loud, uncomfortable and/or demoralizing phone call.

There are low cost, awesome, high feature, speedy tools that can be used to express the importance of patching and vulnerability testing. They also have a low learning curve for new users:

Nessus– There is a limited free version which is perfect to perform quick (non) commercial tests. If you contact them and explain you wish to use a demo with more features I’m guessing they will likely send you one. Once you use Nessus it’s a fairly easy sell after presenting the app’s generally solid results.

FOCA-This is one of my favorite tools, always impressed when I use it. It is a succulent, meta-data driven beauty that makes basic to medium level pen testing feel like a holiday on a warm tropical beach during winter. At a push of a button, to paraphrase from their Hack in the Box presentation: Perfect for the lazy pen-tester. FEAR the FOCA!

Belarc Advisor– There are fully functional (free) home and low cost corporate versions. Its HTML based and can be parsed with functions such as displaying software keys, if patches were correctly installed with hyperlinks for rectification, review of user accounts and a custom security score. I have used it for more years than I care to reveal lest I date myself out of the abundant job market.






Regarding the lack of Blog updates

Freedom of speech in a litigious society can be an extremely expensive proposition. My Advocate, although extremely experienced is as one would expect as equally expensive. We have a legal fund via insurance which only pays for <15 hours of his expert time. In June, 2012 we lost our home and cat to an electrical house fire, leaving us only with some clothes, our dog and unexpected bills for replacement of necessities, rent costs for our new temporary accommodation (the Wi-Fi is horrible). JK47 had to bring me some clothes and of all things deodorant before we presented. Amazing all the stuff/crud/clutter you don’t think about until it is literally up in smoke.

As such, we cannot afford at this time to have our attorney review every single digital conversation public or private. Due to the threat of severe financial repercussions I have chosen to self-censor these past few months after JK47 and I presented in NYC for The Last H.O.P.E. This was prompted by very stern legal correspondence from the same law firm Apple uses the week of our presentation. This self-censoring unfortunately had to include personal conversations with friends and family via email, Tweets, LinkedIn, blog, conference attendance and anything regarding the IT based security domain.

The current president of the US, Obama, recently spoke to the UN regarding the continued global legality of blasphemy and the idiotically dubbed and smarmy film short “Innocence of Muslims“. I was inspired by one small piece of advice; the answer to controversial speech is not censorship but more speech.

This blog will again focus on actual IT related topics, such as correlation engines, multiple layers of OSI security, malware, bots, covert communications channels, etc…. Some things my foray into DefCon badges has taught me: I suck at photography and I love the beauty of IT security. I read RFCs for breakfast! Additionally, we have formally requested a blanket authorization in writing from Baker & McKenzie for my conference attendance so hopefully I can participate again within the community.

Thank you for your patience during this issue.