SCUP Rule Testing

Microsoft System Center Update Publisher (SCUP) is a way to get third-party updates deployed through SCCM and an internal update server. As I started working with it this summer, I had issues creating applicability rules. When you create a collection in SCCM you get immediate feedback about the accuracy of your rules: you either have the number of computers you were expecting or you don't.

With SCUP, I wasn't getting any feedback until I published the rule to the internal update server, imported that into SCCM and waited for computers to check in. This is not a good way to work. Fortunately Greg Ramsey of Dell helped me out on the myitforum.com SMS/SCCM mailing list.

We're using SCUP 4.5, but SCUP 4.0 can test the rules much more easily. I installed SCUP 4.0 on a test computer, imported the update I had created in 4.5, then exported it. The export command in 4.0 has an option to export the update to an XML file together with a script.

Run the script on each test computer to find out whether the patch is considered applicable. This is a much quicker way to verify that your update's applicability rules are written correctly. If you make any changes to your rules, export the update again and bring that change back to your production SCUP 4.5.
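The same kind of local check can be scripted by hand. The following is an added example, not part of the post and not the script SCUP 4.0 exports: it mirrors the two rule types most SCUP applicability rules are built from, a file-version rule and a registry-value rule, and combines them the way SCUP's default "And" group does. The file path, registry key, value name and version at the bottom are constructed placeholders; substitute the values from your own rule and run it on a test computer.

```powershell
# Added example (not from the post, not SCUP's exported script): a local
# applicability check modelled on SCUP's file-version and registry-value rules.

function Test-FileVersionRule {
    # True when the file exists and its version is lower than the version the
    # update installs. A product that is not present is not applicable.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][version]$FixedVersion
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # Some vendors pad FileVersion with text ("1.2.3.4 built by ..."), so keep
    # only the leading dotted number before converting to System.Version.
    if ($raw -match '^\s*(\d+\.\d+(\.\d+){0,2})') {
        return ([version]$Matches[1] -lt $FixedVersion)
    }
    return $false
}

function Test-RegistryValueRule {
    # True when the registry value exists and its data equals the expected string.
    param(
        [Parameter(Mandatory)][string]$KeyPath,     # e.g. 'HKLM:\SOFTWARE\Vendor\Product'
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][string]$Expected
    )
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }          # key or value missing
    return ([string]$item.$ValueName -eq $Expected)
}

function Test-UpdateApplicable {
    # SCUP groups rules with And/Or; this models the common "all rules must hold" case.
    param([Parameter(Mandatory)][scriptblock[]]$Rules)
    foreach ($rule in $Rules) {
        if (-not (& $rule)) { return $false }
    }
    return $true
}

# Constructed placeholder rule set; replace with the values from your own update.
$rules = @(
    { Test-FileVersionRule  -Path 'C:\Program Files\Vendor\Product\app.exe' -FixedVersion '2.0.0.0' },
    { Test-RegistryValueRule -KeyPath 'HKLM:\SOFTWARE\Vendor\Product' -ValueName 'Installed' -Expected '1' }
)

$applicable = Test-UpdateApplicable -Rules $rules
$state = if ($applicable) { 'applicable' } else { 'not applicable' }
Write-Output ("{0}: update is {1}" -f $env:COMPUTERNAME, $state)
```

The version comparison is done on System.Version objects rather than strings, which is the mistake that most often makes a hand-written rule report "11.10.0.0" as older than "11.9.0.0".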

Patching Mobile Computers

A growing number of users are mobile. While I've heard some people say these users will VPN in and thus get security updates, I think many of them don't. They can do so much on their phone, connect to mail through ISA, or perhaps they are using a customer's mailbox. Some are at customers' sites and not allowed to VPN out. Others might be travelling and just not have the time. What happens to the security of these computers?

One of the things I found with NAC was the ability to see what was unpatched on my network. The problem is that NAC only works if the computer is on the network. Even if I was using a software NAC agent such as the one in Symantec Endpoint Protection, that provides enforcement only. It can't report back to my management server inside my firewall.

As a Microsoft SCCM user, I looked at its configuration options for allowing internet-based computers to connect. It seemed expensive, complicated and hard to implement. Native mode requires digital certificates, and our security policy would result in a duplicate SCCM environment on a border network.

I looked at BigFix, but it seems it would require an inbound connection from the boundary server. That violates our company policy, so I had to keep looking.

I wondered if Microsoft DirectAccess would solve this issue. The IPv6 and digital certificate requirements make this one a bit scary. An always-up VPN into our network is a bit scary as well.

That's when I received a cold call from Fiberlink, a company that offers MAAS360, a product for mobile computer management, reporting, and patching from the cloud. I'm interested in using SaaS where it can be done securely and will save money, so I signed up for an evaluation. Even with only a few computers enrolled, I can see some nice reporting capabilities. As we get a bit further into the evaluation, I'm going to see if this can also solve problems by deploying patches detected as missing.

Not even to my desk

Walking into work through the South Lobby this morning I passed three monitors that normally show traffic, weather and footage from a traffic camera. The traffic monitor normally displays traffic information from WTOP, but today it showed cgidoctor.com. This page advised the user on how to remove fake antivirus infections. The links to remove the fake antivirus went to a second site containing malicious code.

The monitor is a touchscreen, so I checked the history to see if anyone had been accessing something other than WTOP.com. While that wasn't an in-depth check, I think it's safe to say that yet again WTOP served up a banner advertisement containing fake AV social engineering.

That legitimate sites could try to send you malware via banner ads is not surprising to most people reading this site. Using URL filters and antivirus is necessary. A dose of common sense is also needed when the attack is trying to trick you into installing the virus rather than exploiting a vulnerability.

Shockwave Security Update

Adobe has released a security bulletin for Shockwave.  

Version 11.5.8.612 fixes multiple vulnerabilities that could be used for code execution.

Patching week in review

This week saw a large number of Microsoft patches.

Additionally Adobe released updates for Flash and Adobe Air. Acrobat and Reader updates expected for this week will occur next week.

Apple patched the iPhone and released an update for QuickTime.  iTunes users were not given the QuickTime update as of this post.

To stay on top of all these updates, home users should install something like the Secunia Personal Software Inspector. Sysadmins should (after waving the dead chicken and hoping for the best) make plans to deploy these updates if the software is present in the work environment.

Good App for iPhone Update

Good released a minor update to their app for the iPhone.   Release notes are on their site.

Companies that don’t want to use ActiveSync but still feel pressured into making the iPhone an option are looking to Good to do so.  

From the release notes:
• Complete landscape view – Including email list view, calendar, contacts and attachments.
• Conference dialer – quickly and easily dial into a conference bridge without having to memorize the conference pass code.
• Maps integration – quickly find the location of your meeting on a map and even get driving directions.

A change not mentioned in the release notes: when I receive a signed message, instead of no indication that the message is signed, I now see this notice:

The sender has digitally signed the message with a personal certificate.  To verify the signature you can read this message on your desktop computer.

I can still read the message on the device, as I could before the update. Without signature verification, I feel this update only provides a false sense of verification of the message source.

It's my understanding that full S/MIME support is on the roadmap.

But I’m trying Real Hard to be a Sullenberger

Since it’s not obvious, the blog title is an allusion to Jules’ big speech in Pulp Fiction.

I read a couple of interesting blog entries on Friday. John Pescatore asks “Are Security Professionals Like Stephen Slater?” In another blog, Foilball asks us to look in the mirror and see if we're more Sullenberger or Slater.

Slater is the air-raging flight attendant who let the frustrations of life take over, stole a couple of beers and headed down the emergency slide.  He made Joanna’s method of quitting Chotchkie’s in Office Space look quite reasonable.

Pescatore doesn't actually compare Slater and information security personnel. Rather than anything specific to this situation, he compares infosec people to the typical condescending flight attendant who does not explain the rules and only gives you half a can of Pepsi.

Is it really necessary for the flight attendant to explain that you need to leave the seatbelt on so you don't become a human projectile mid-flight? Or that your laptop needs to be stowed not just for dubious electronic interference reasons but so it doesn't smack someone in the head during takeoff and landing? Why does the sun visor need to be up during takeoff and landing? I don't know, but I have enough sense to know that having that discussion as we're first in line for takeoff isn't a good idea.

You can get 20 years for interfering with flight crew members and attendants. Don't even think of disabling the smoke detector. I wonder if I can arrange similar penalties for disabling the antivirus or interfering with infosec personnel.

The Foilball article caused deeper thought. Going through life, there are days when you're hit in the head by luggage or cursed out by a passenger. There are days when you want to escape down the slide and it takes every ounce of control not to. I've heard it said you can't control your circumstances, but you can control how you react to them. I look in that mirror and I see more Slater than I'd like to admit. But I'm trying real hard to be a Sullenberger.

SSL Proxies

Because port 80 is open outbound through the firewall, many applications send their traffic across it to avoid firewall issues. This has led to port 80 being called the Firewall Traversal Exploit. Port 443, then, is the Secure Firewall Traversal Exploit because it allows traffic out in encrypted form.

Because it's encrypted, users can bypass the protections in place for HTTP to download viruses, access forbidden sites and leak confidential information. This is limited only by the availability of SSL sites. In recent years webmail like Gmail has gone to full SSL sessions. Bad guys can easily set up SSL as well. Without an SSL proxy, all you can do to address these concerns is block by IP address. IP addresses change frequently and are less likely to be categorized in a URL block list.

When you use an SSL proxy, the web traffic is terminated at the proxy server and a new request is made to the remote server. The client browser uses a certificate issued by the proxy to secure data during the first leg of this transaction. This will result in a certificate error unless you deploy the proxy's self-signed certificate as a trusted root. Because the client never sees the certificate of the remote server, the user gets no information about the trustworthiness of that certificate. For this reason it is necessary either to block all bad certificates or to make sure your SSL proxy can pass on that certificate information when the certificate is expired or does not chain to a trusted root.

The SSL proxy can use the hostname (CN) in the server certificate to make a URL categorization decision and then either intercept or tunnel the traffic.

Because you can intercept based on URL categorization, you could choose to intercept (and block) only websites in your blocked categories. This is the simplest implementation of an SSL proxy. It blocks sites that wouldn't have been blocked before and it doesn't interfere with anything else. If a computer doesn't have your certificate in its trusted root store, that's not so bad because the site would have been blocked anyway.

A slightly more intrusive step is to also intercept webmail sites. Webmail sites can deliver malware even though the site itself is legitimate. By intercepting the site, the download is scanned by the antivirus layer. A related idea is intercepting all uncategorized sites so they can be scanned.

A full implementation involves intercepting everything not categorized as a financial site; it is not recommended to intercept financial websites, for obvious reasons.
Intercepting everything allows you to scan all downloads for viruses. The main drawback is that you'll have more issues with web applications that don't conform to HTTP standards.
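To make the three tiers above concrete, here is an added example, not from the post and not any proxy vendor's code, of the decision a proxy makes per connection: categorize the host from the certificate CN, pick tunnel or intercept according to the tier, and apply the bad-certificate rule only to sessions the proxy actually intercepts (a tunneled session still reaches the browser unchanged, so the browser's own validation applies there). The category table, block list, tier names and the sample certificates at the bottom are all constructed for illustration.

```powershell
# Added example (not from the post, not a vendor implementation): a model of an
# SSL proxy's per-connection decision across the three interception tiers.

$script:CategoryTable = @{          # constructed URL-categorization data, keyed by domain
    'bank.example'    = 'Financial'
    'webmail.example' = 'Webmail'
    'badsite.example' = 'Malicious'
    'news.example'    = 'News'
}
$script:BlockedCategories = @('Malicious', 'Adult')   # constructed block list

function Get-HostCategory {
    # Categorizes by the CN of the server certificate. A wildcard CN names the
    # whole zone, and a host is categorized by its longest matching domain suffix.
    param([Parameter(Mandatory)][string]$CertificateCN)
    $name   = $CertificateCN.ToLowerInvariant() -replace '^\*\.', ''
    $labels = $name.Split('.')
    for ($i = 0; $i -lt $labels.Length - 1; $i++) {
        $candidate = $labels[$i..($labels.Length - 1)] -join '.'
        if ($script:CategoryTable.ContainsKey($candidate)) { return $script:CategoryTable[$candidate] }
    }
    return 'Uncategorized'
}

function Get-SslDecision {
    # Returns 'Tunnel' (pass the original TLS session through untouched),
    # 'Intercept' (terminate at the proxy, scan, re-encrypt) or 'Block'.
    param(
        [Parameter(Mandatory)][string]$CertificateCN,
        [Parameter(Mandatory)][datetime]$NotAfter,
        [Parameter(Mandatory)][bool]$ChainsToTrustedRoot,
        [ValidateSet('BlockListOnly', 'BlockListWebmailUncategorized', 'AllExceptFinancial')]
        [string]$Tier = 'BlockListOnly',
        [datetime]$Now = (Get-Date)
    )
    $category = Get-HostCategory -CertificateCN $CertificateCN
    # Blocked categories are intercepted and refused in every tier.
    if ($script:BlockedCategories -contains $category) { return 'Block' }

    $action = switch ($Tier) {
        'BlockListOnly'                 { 'Tunnel' }
        'BlockListWebmailUncategorized' { if (@('Webmail', 'Uncategorized') -contains $category) { 'Intercept' } else { 'Tunnel' } }
        'AllExceptFinancial'            { if ($category -eq 'Financial') { 'Tunnel' } else { 'Intercept' } }
    }

    # Once a session is intercepted the browser only ever sees the proxy's own
    # certificate, so an expired or untrusted origin certificate must be refused
    # here; the user no longer gets the chance to judge it.
    if ($action -eq 'Intercept' -and ($NotAfter -lt $Now -or -not $ChainsToTrustedRoot)) {
        return 'Block'
    }
    return $action
}

# Constructed sample certificates, run through each tier.
$samples = @(
    @{ CN = 'mail.webmail.example'; NotAfter = (Get-Date).AddDays(365); Trusted = $true  },
    @{ CN = '*.bank.example';       NotAfter = (Get-Date).AddDays(365); Trusted = $true  },
    @{ CN = 'cdn.unknown.example';  NotAfter = (Get-Date).AddDays(-1);  Trusted = $true  },   # expired
    @{ CN = 'www.badsite.example';  NotAfter = (Get-Date).AddDays(365); Trusted = $false }
)
foreach ($tier in 'BlockListOnly', 'BlockListWebmailUncategorized', 'AllExceptFinancial') {
    foreach ($s in $samples) {
        $d = Get-SslDecision -CertificateCN $s.CN -NotAfter $s.NotAfter -ChainsToTrustedRoot $s.Trusted -Tier $tier
        Write-Output ("{0,-30} {1,-22} {2}" -f $tier, $s.CN, $d)
    }
}
```

Running it shows the trade-off the tiers make: the expired certificate on the uncategorized host is tunneled (and left to the browser) in the first tier but blocked in the other two, because those tiers would otherwise have replaced it with the proxy's trusted certificate and hidden the problem from the user.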

I think the simplest option, only intercepting websites classified in categories on your block list, is best. It provides additional security without the potential for complications. You'll have to make a security decision for your own environment.

There are security considerations to intercepting traffic. When you only intercept a site to block it you don't handle sensitive data, but as you intercept other categories, you must take care. Sensitive data may now be exposed in clear text, so think twice about what you are logging and caching. If any off-box analysis is performed, you need to encrypt the connection and make sure nothing is left on the remote box.

A lot of attacks occur over the web and it's important to provide the best defense. It's no longer good enough to ignore 443/TCP.

Good[tm] for iPhone

As I mentioned back in July, we started an evaluation of Good on the iPhone. We used Good in the bad old days of RIM's patent fight. Some executives stated they wanted a quick out plan in case RIM was forced to shut down. I don't think that was ever likely to happen. It did allow us to bring in what was then the top (gadget) fashion accessory, a Palm Treo. I think we had both the original Palm operating system and a Windows Mobile version. I really hated it. It locked up often, requiring a device reboot (pull the battery).

As I understand it, we were able to bring our Good license back up to date without much trouble. So the remaining question is whether the current gadget accessory, the iPhone, works well with Good. Part of security is usability, so this post will largely focus on Good's usability.

Installation
For those not familiar, Good is installed as an application from the App Store. Once that is installed, it can be provisioned over the air just like the Blackberry. No issue there.

Policies
I'm sure you can find other places that do a blow-by-blow comparison of the policies available on a Blackberry versus Good. I think it has the policies needed. One issue we had for a bit was that every time we exited Good, even for a second, we'd have to reauthenticate when we returned to it. It turned out we had the security policy a bit too tight. The Good environment can be set to time out after x minutes whether you have the app open or not.

Email
Good does not do S/MIME. This really sucks. It is on their roadmap for this year: first being able to verify signatures and then later being able to encrypt/decrypt messages as well. So they'll be catching up with Blackberry. I haven't heard if Apple has any plans to support this natively on the phone. I didn't ask if PGP support was in the offing.

There seem to be issues with HTML-only emails. I've had that issue with a couple of messages where nothing displays. To be fair, we had an issue like that with the Blackberry. If I recall correctly, it hated Cyrillic characters.

Attachments
I have not checked what attachments are supposed to be readable.   I had issues with a few docx files.  Yet when I sent myself a docx test file, it opened correctly.   There is a configuration to keep larger attachments (4 MB by default) from downloading to the device.

If you used Notes or Tasks in Outlook, those items are not synced.

There are a number of Good settings that aren't supported on iOS 4 right now. You are unable to deploy the iPhone configuration file using Good. It's a good idea to be able to refresh that configuration rather than only when the phone is new. Good's compliance policy has a section to force Good to close or wipe itself if it detects the phone is jailbroken. If I understand a co-worker correctly, he was told by Good that this feature doesn't work on iOS 4 either. I haven't gotten an answer on how Good tells it's jailbroken. It appears that it's checking for installed software (and I'd need to supply the names of the apps to look for).

Calendaring
My only issue with Good and calendaring is that the meeting reminders are worthless. Whether the app is unlocked or not, I get a “Good meeting reminder” and then have to open Good to see what the meeting was. One of those security tradeoffs, but a meeting title isn't that secret to me.

Apparently delegation is not working.  My Director issued an invitation from Good to a Senior Manager.   The Admin Assistant was unable to accept on his behalf even though she had the correct Exchange rights.   I’m wondering if that is a Good configuration issue rather than something that would require a patch.   

Bottom Line
It's a bit sad, but Blackberry is no longer something they'd have to pry from my cold dead hands. The Good application is more than acceptable in usability, and I think in security too. I probably check mail a bit less because it's in a separate application, but that can be a good thing. The work/life balance can be improved if I'm not looking at work email every 5 minutes.

I've now heard questions about allowing Good to be installed on personal iPhones. Check out the Forrester article I linked to yesterday for some tips on policies to use in that event. To a certain extent the flood gates are opened. If Good is good enough for a corporate iPhone, what about personal iPhones? What about Android?

I’d love to hear what other people do about a device pin/passcode versus a Good pin/passcode.   Some people feel with a strong passcode policy on the Good application no device passcode is necessary.   I’m not sure I agree with that.

Jailbreaking – Unsafe at any speed

Look at me, making Ralph Nader references whether they work or not.

Back in July, the US Copyright Office ruled that it is legal to jailbreak your iPhone in order to install non-App Store apps or even to unlock the phone for use with another carrier.

What does this mean for iPhones used in the enterprise?

Just because something is permissible under the law does not mean that a corporation must allow it. Apple may still make it a violation of their terms of service and void the warranty.

Jailbreaking offers a greater potential for malware to be run on the phone. Do you remember the iPhone jailbreak worm? A popular jailbreaking technique was setting up SSH and leaving the default password. Doh!

Dave Zatz had a recent post asking if there was even a case for jailbreaking anymore.

So, while my company is full of engineers who like to tinker, as long as the phone holds corporate data we need to enforce a no-jailbreaking policy.
