Apple defuses Safari “Carpet Bomb”

June 20, 2008 – 7:59 AM

Apple has closed four security holes in the Windows version of its Safari browser with the release of version 3.1.2. The fixes include the browser’s “Carpet Bomb” behaviour of placing downloaded files on the desktop by default and without asking the user’s permission. In combination with Internet Explorer, which, unlike other applications, looks for DLLs on the desktop as well as in the system folders, this behaviour can present a security hazard.

Apple didn’t originally consider the behaviour of its browser to be a problem, but seems to have been forced into action by public discussion. Safari now asks users where to save a downloaded file. In addition, the browser now suggests a dedicated download folder by default. It is unknown whether Microsoft will release a patch to stop Internet Explorer’s strange library detection habits.

Apple has also fixed a flaw in WebKit which could potentially crash the browser when a page containing malformed JavaScript arrays is visited. Apple’s report states that this flaw also allows arbitrary code to be injected and executed. In addition, Safari automatically executes downloaded executable files if the required zone settings were made in Internet Explorer 6 or 7. No details are available about the exact connection between Safari and the Internet Explorer zones. It appears that Safari accesses or imports these settings, but there is no way of enabling or disabling them in Safari. The update also irons out a memory problem in connection with BMP and GIF images which allows unauthorised access to memory.

The new version will be deployed using auto-update and is also available for manual download. However, not all internationalised versions of 3.1.2 are yet available.

Read the rest of the story…

Successful 802.1X Every Time

June 20, 2008 – 6:10 AM

It’s not rocket science, but any time we mingle and intertwine four or five different pieces of technology, there’s always the potential for a mess… or at least a misconfiguration or two along the way. Don’t know what 802.1X is? Check out the recent 802.1X technology primer.

If you’re planning to, or are implementing wired 802.1X, wireless security and/or NAC, the contents of this blog may save you hours of time and trouble.

Throughout the implementations I’ve done, for both wired and wireless 802.1X, I’ve developed a procedure for implementing and testing 802.1X each step of the way. Following these steps may seem to be tedious and unnecessarily time-consuming. But, if you’re just starting with 802.1X, I’m offering a way to implement it in phased pieces that will give you the information to test, confirm and troubleshoot at each step.

To be honest, I frequently skip these steps, but I’ve done many 802.1X implementations and can usually hit the bullseye the first time (unless there’s buggy software or firmware - you guys know who you are). But, if something doesn’t work, I start right back at Number 1 here and I follow this procedure.

1) Configure wired 802.1X
First set up the basic wired 802.1X. Ideally, start with a Windows test, using XP SP3 or a later server edition and PEAP. Provision RADIUS; I recommend Microsoft IAS because it’s well-documented and well supported. Even if you have other future plans, if you’re using Active Directory, start with IAS. You’ll need to set up a test RADIUS group and policy and link them to AD. Get a test switch, add it as a RADIUS client, and configure it to talk to your RADIUS. Set up some ports for 1X and enable it on the switch. I recommend testing with PEAP as the authentication method and a Windows credential pass-thru. Note: you’ll need to create a server certificate to use PEAP; a self-signed Microsoft cert is fine.

If this simple configuration doesn’t work, you have some troubleshooting options. First, view the system events log in the RADIUS/AD server and look for informational events from IAS. If the authentication request is making it from the client -> switch -> RADIUS, you’ll see something here. What you see should tell you if the EAP method is mismatched, or if the credentials were wrong, etc. Your second line of troubleshooting comes if you don’t see any RADIUS log activity. If that happens, throw on a packet capture utility like Wireshark. You want to search for two things. First look for conversations from your Test Switch to the RADIUS server (filter on IP or MAC addresses). If you see something here, see where the conversation drops off. If that comes up empty, it means the conversation is terminated between the Test Switch and Test Client. I have some neat tricks for troubleshooting I’ll share with you later.

2) Add in Wireless
If you’re planning to implement 802.1X for wireless, now is the time to throw 802.11 in the mix. It’s harder to sniff wireless traffic for troubleshooting, which is why I recommend starting with wired 1X. Keep it simple, and then start layering. Once you have the wired 1X configured, all you need to do is get your AP ready and configure it just as you did your switch: add it as a RADIUS client and configure it to talk to RADIUS. For wireless, you’ll need to configure encryption also. Note: for testing, I recommend beginning with your primary VLAN.

If your wireless 802.1X isn’t working, follow the troubleshooting above and re-check settings based on the RADIUS event log contents. If nothing is making it to RADIUS, then most likely something is misconfigured in your AP/Controller and the AP isn’t communicating with the RADIUS server. You know the rest of it is working (RADIUS, AD, Client), so you can narrow your troubleshooting scope. Once that’s working you can stop if wireless is your goal, or keep going if you’re layering on more security.

3) Replace with Custom Pieces
If you’re planning to use a different RADIUS server or a different supplicant, now would be a good time to start swapping out the vanilla configuration with custom pieces. Replace one piece at a time and re-test.

4) Add in NAC or Endpoint Integrity
Most NAC or EI solutions will integrate with your 802.1X infrastructure (if you want them to) and can be ‘consulted’ prior to authenticating and opening the secured port. My suggestion is to always get 1X working 100% before you add any type of integrity or compliance testing.
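The step 1 packet-capture check (does the switch-to-RADIUS conversation appear, and where does it drop off?) as an added example that is not part of the original post: a small decoder for captured RADIUS packets that reports the last packet seen in the exchange and the EAP method carried inside it, so an EAP-method mismatch or a silent RADIUS server is visible without reading hex by hand. The sample packets are constructed inline, and the diagnosis wording for each stopping point is an assumption about its most common cause.

```python
import struct
USER_NAME, EAP_MESSAGE = 1, 79          # RADIUS attribute types (RFC 2865 / RFC 3579) decoded here
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_radius(data):                 # -> (code, id, [(attr_type, value), ...])
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20: raise ValueError("bad RADIUS length")
    attrs, pos = [], 20                 # bytes 4..19 hold the 16-byte authenticator
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length: raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def eap_summary(attrs):
    """Join the EAP-Message fragments of one packet and name the EAP code/type inside."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 5: return None        # Success/Failure (or no EAP at all) carry no type byte
    if eap[4] == 3 and len(eap) > 5:    # Nak: the supplicant names the method it wants instead
        return "Nak (client wants %s)" % EAP_TYPES.get(eap[5], eap[5])
    return "%s %s" % ("Request" if eap[0] == 1 else "Response", EAP_TYPES.get(eap[4], eap[4]))

def diagnose(packets):
    """Walk a captured switch<->RADIUS exchange (oldest first) and say where it stopped and why."""
    if not packets:
        return "no RADIUS traffic: problem is between the test client and the test switch"
    parsed = [parse_radius(p) for p in packets]
    summaries = [eap_summary(a) for _, _, a in parsed]
    naks = [s for s in summaries if s and s.startswith("Nak")]
    code = parsed[-1][0]
    if code == 1:
        return "Access-Request unanswered: switch not a RADIUS client, wrong shared secret or port"
    if code == 11:
        return "stalled at Access-Challenge (%s): supplicant stopped answering" % summaries[-1]
    if code == 3:
        return "Access-Reject: " + ("EAP method mismatch, " + naks[-1] if naks else "check credentials or RADIUS policy")
    return "Access-Accept: 802.1X succeeded"

def build_radius(code, ident, attrs):  # constructed test packets; a zeroed authenticator is fine for parsing
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed exchange: switch offers PEAP, the supplicant Naks asking for EAP-TLS, the server rejects
MISMATCH = [
    build_radius(1, 7, [(USER_NAME, b"lab\\tester"), (EAP_MESSAGE, bytes([2, 1, 0, 15, 1]) + b"lab\\tester")]),
    build_radius(11, 7, [(EAP_MESSAGE, bytes([1, 2, 0, 6, 25, 0x20]))]),
    build_radius(1, 8, [(EAP_MESSAGE, bytes([2, 2, 0, 6, 3, 13]))]),
    build_radius(3, 8, [(EAP_MESSAGE, bytes([4, 3, 0, 4]))]),
]
```

Feed `diagnose()` the UDP payloads of the switch/RADIUS packets exported from a capture, in capture order; an exchange that ends on an unanswered Access-Request points at the RADIUS-client setup on the switch rather than at the supplicant.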

Source:
http://securityuncorked.squarespace.com/security-uncorked/2008/6/20/successful-8021x-every-time.html

Desktop virtualisation gets military-grade security

June 20, 2008 – 6:06 AM

Tresys Technology has released a desktop virtualisation platform with a difference – it is designed from the ground up for organisations needing tight security, including military bodies.

Tresys, which has a track record of providing military systems, said its VM Fortress can cut costs for organisations which would like to implement the consolidation programmes offered by desktop virtualisation, but haven’t taken the leap because of security concerns.

The company said existing security technologies are often inadequate where it comes to the relatively new practice of virtualising desktops.

“For virtualisation solutions, traditional security measures provide inadequate security for critical systems,” said Frank Mayer, president, chief technology officer and co-founder of Tresys, in a statement.

VM Fortress includes features from Security Enhanced Linux (SE Linux), such as flexible mandatory access control (MAC) features, which the company said can limit damage caused by vulnerabilities in virtual machines (VMs).

Tresys is itself known as a significant contributor to SE Linux.

Other features ensure data is not leaked across VMs and that applications on different VMs cannot interfere with one another while sharing the same hardware. VM Fortress is designed to limit the effects of attacks on one VM affecting other VMs or the host operating system.

The technology allows for centralised deployment and management.

Administrators control the system using a simple graphical interface, where they can provision sandboxes for each VM, controlling resources such as network connections, shared folders, USB devices, removable media and cut and paste activities, Tresys said.

Read the rest of the story…

The Twitter Hall of Shame: 50 Tweets That Will Echo in History

June 19, 2008 – 3:00 PM

Twitter is a fun Web 2.0 communications tool that allows users to deliver quick messages of 140 characters or less. The hastiness and ephemeral nature of these messages means that Twitter has become more than a communication tool — it’s a source of angry, funny and awkward messages that would be sometimes best left unsaid. Whether they’re embarrassing or just interesting, these tweets are worth preserving.

Read the rest of the story…

Firefox 3 suffers its first vulnerability

June 18, 2008 – 7:55 PM

Less than one day after its launch, Firefox 3 has a vulnerability.

According to Tipping Point’s Zero Day Initiative, the vulnerability, which it rates as critical, was reported within the first five hours of Firefox 3’s release.

“Once the vulnerability was verified in TippingPoint’s DVLabs and acquired from the researcher, the vulnerability was promptly reported to the Mozilla security team,” said a representative.

Although the Zero Day Initiative team does not offer specifics until the vendor has a chance to patch it, the blog post did say this vulnerability, which also affects Firefox 2, requires user interaction and could result in an attacker executing arbitrary code.

Mozilla is reported to be working on a fix.

Source: CNet