Security Watch
Check Point Vulnerability Expanded
More products are added to Check Point's SecurePlatform Firewall vulnerability warning.
Hacking/Denial of Service
Check Point SecurePlatform NGX Firewall Rules Bypass Vulnerability (Intellishield
ID: 9706): This warning has been reissued to add additional impacted products.
Initially reported was Check Point SecurePlatform NGX R60 Build 244 and prior.
Now added to that list: VPN-1/FireWall-1 versions NG AI, 4.1 and NG; VPN-1 VSX
version NG AI; and Provider-1 versions NG AI and NG.
The rule supplied with the Firewall product to handle "CIFS" traffic
is equivalent to "ANY": it actually allows any traffic to or from
the source and destination addresses added to the rule. CIFS is the Windows
file-sharing protocol, SMB carried directly over TCP on port 445. The supplied rule
permits CIFS as well as some legacy NetBIOS traffic. A proper CIFS rule should limit
traffic to TCP port 445 (adding TCP port 139 only where the legacy NetBIOS session
service is still required), so that a rule meant to open file sharing between two
hosts does not silently open every other port between them as well.
While no patch has yet been provided by Check Point, anyone needing this rule
can create a custom service group of their own that limits the allowed traffic to
the required ports, and should check whether any existing rules already use the
supplied CIFS object.
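The following is an added example, not Check Point's object format or any code from the advisory. It models a first-match rulebase in a few lines of Python to show why a service object that is really "ANY" turns a narrow file-sharing rule into a permit-everything rule, and it includes the lint check a practitioner would run over their own service objects. The flawed object is an assumption about how the defect manifests (the column says only that the rule is "equivalent to ANY"); the addresses and sample traffic are constructed.

```python
"""Added example: a service object that matches every protocol and port
makes its rule equivalent to ANY.  Simplified model, not Check Point's format."""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                 # "tcp", "udp" or "any"
    ports: Tuple[int, int]     # inclusive destination port range

    def matches(self, proto: str, dport: int) -> bool:
        proto_ok = self.proto == "any" or self.proto == proto
        return proto_ok and self.ports[0] <= dport <= self.ports[1]


@dataclass(frozen=True)
class Rule:
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    services: Tuple[Service, ...]
    action: str                # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_in(addr: str, scope: str) -> bool:
    if scope == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(scope, strict=False)


def evaluate(rules: Sequence[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation with an implicit cleanup rule (default drop)."""
    for rule in rules:
        if (_addr_in(pkt.src, rule.src) and _addr_in(pkt.dst, rule.dst)
                and any(s.matches(pkt.proto, pkt.dport) for s in rule.services)):
            return rule.action
    return default


# Assumption: the defective object behaves as the column describes, i.e. it
# matches every protocol and every port, so it is indistinguishable from ANY.
FLAWED_CIFS = Service("CIFS", "any", (0, 65535))

# Corrected objects: SMB directly over TCP/445, plus TCP/139 only for hosts
# that still need the legacy NetBIOS session service.
SMB_445 = Service("microsoft-ds", "tcp", (445, 445))
NBT_139 = Service("nbsession", "tcp", (139, 139))


def cifs_rules(service_group: Sequence[Service]) -> Tuple[Rule, ...]:
    """One rule: workstation subnet -> file server, using the given service group."""
    return (Rule("10.1.0.0/16", "10.2.0.10/32", tuple(service_group), "accept"),)


def audit_services(services: Sequence[Service]) -> List[str]:
    """Lint: names of service objects that are effectively ANY."""
    return [s.name for s in services if s.proto == "any" and s.ports == (0, 65535)]


# Constructed sample traffic from the permitted subnet to the file server.
SAMPLE = [
    Packet("10.1.5.7", "10.2.0.10", "tcp", 445),   # SMB: should pass
    Packet("10.1.5.7", "10.2.0.10", "tcp", 139),   # legacy NetBIOS session
    Packet("10.1.5.7", "10.2.0.10", "tcp", 22),    # SSH: should not pass
    Packet("10.1.5.7", "10.2.0.10", "udp", 53),    # DNS: should not pass
]


def decisions(service_group: Sequence[Service]) -> List[str]:
    return [evaluate(cifs_rules(service_group), p) for p in SAMPLE]


if __name__ == "__main__":
    print("flawed:", decisions([FLAWED_CIFS]))          # every packet accepted
    print("fixed :", decisions([SMB_445, NBT_139]))     # only 445 and 139 accepted
    print("audit :", audit_services([FLAWED_CIFS, SMB_445, NBT_139]))
```

The audit function is the part worth keeping: any service object whose protocol and port range cover everything should be treated as a misnamed ANY, whatever the vendor called it.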
Denial of Service
Snort TCP SACK Option Error Handling Denial of Service Issue (Intellishield
ID: 9711): Snort version 2.4.0 and earlier contain an issue that could allow
a remote attacker to create a denial-of-service (DoS) condition. The issue only
affects systems running Snort in verbose mode. Exploit code is available.
It's worth reminding everyone that any service, including security monitoring
and logging services like Snort, can contain vulnerabilities which put systems
at risk. While this issue isn't likely to be widely attacked, if you use Snort
to audit your networks, an attacker who can crash the sensor first may be able
to avoid being logged. Snort version 2.4.1 was released to correct the vulnerability.
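As an added example (not Snort's code; the column does not describe the mechanics of the Snort defect, only that SACK option error handling let a remote attacker take the sensor down), here is a bounds-checked TCP option parser of the kind a sensor needs: it refuses an option whose length byte is below 2 (which would otherwise never advance the cursor), an option that overruns the header, and a SACK option whose payload is not a whole number of 8-byte blocks, instead of trusting any of them. The sample option bytes are constructed, not captured traffic.

```python
"""Added example: bounds-checked TCP option parsing with SACK validation.
Not Snort's code; illustrates the class of error handling the advisory names."""
import struct
from typing import List, Tuple

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TCPOPT_SACK_PERMITTED, TCPOPT_SACK, TCPOPT_TIMESTAMP = 4, 5, 8
MAX_OPTIONS_LEN = 40     # TCP data offset allows at most 40 bytes of options
MAX_SACK_BLOCKS = 4      # RFC 2018: four 8-byte blocks fit in 40 bytes


class OptionError(ValueError):
    """Raised for an option field a sensor must discard instead of trusting."""


def validate_sack(data: bytes) -> None:
    """SACK payload must be 1..4 whole (left, right) 32-bit edge pairs."""
    if len(data) == 0 or len(data) % 8 != 0:
        raise OptionError(f"SACK payload of {len(data)} bytes is not whole blocks")
    if len(data) // 8 > MAX_SACK_BLOCKS:
        raise OptionError("more than four SACK blocks")


def parse_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Return (kind, data) pairs, or raise OptionError on a malformed field."""
    if len(raw) > MAX_OPTIONS_LEN:
        raise OptionError("options field longer than the 40 bytes TCP allows")
    opts: List[Tuple[int, bytes]] = []
    i, n = 0, len(raw)
    while i < n:
        kind = raw[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= n:
            raise OptionError(f"option kind {kind} truncated before its length byte")
        length = raw[i + 1]
        # A length of 0 or 1 would never advance i: the classic infinite loop.
        if length < 2:
            raise OptionError(f"option kind {kind} has illegal length {length}")
        if i + length > n:
            raise OptionError(f"option kind {kind} length {length} overruns the header")
        data = raw[i + 2:i + length]
        if kind == TCPOPT_SACK:
            validate_sack(data)
        opts.append((kind, data))
        i += length
    return opts


def sack_blocks(opts: List[Tuple[int, bytes]]) -> List[Tuple[int, int]]:
    """Decode the (left edge, right edge) pairs from already-validated options."""
    blocks = []
    for kind, data in opts:
        if kind == TCPOPT_SACK:
            for off in range(0, len(data), 8):
                blocks.append(struct.unpack_from("!II", data, off))
    return blocks


def parse_or_reason(raw: bytes):
    """Wrapper showing how a sensor should fail closed: log a reason, keep running."""
    try:
        return ("ok", parse_tcp_options(raw))
    except OptionError as err:
        return ("rejected", str(err))


# Constructed samples (not captured traffic).
GOOD = bytes([1, 1, 5, 10]) + struct.pack("!II", 1000, 2000)  # NOP NOP SACK(1 block)
MSS_ONLY = bytes([2, 4, 0x05, 0xB4, 0])                        # MSS 1460, then EOL
BAD_LEN_ZERO = bytes([5, 0, 0, 0])                             # SACK claiming length 0
BAD_OVERRUN = bytes([5, 18]) + struct.pack("!II", 1000, 2000)  # claims 2 blocks, has 1
BAD_PARTIAL = bytes([5, 6, 0, 0, 0, 1])                        # half a SACK block

if __name__ == "__main__":
    print(sack_blocks(parse_tcp_options(GOOD)))
    for sample in (BAD_LEN_ZERO, BAD_OVERRUN, BAD_PARTIAL):
        print(parse_or_reason(sample))
```

The point for operators is the last function: a sensor that raises and keeps decoding the next packet stays on the wire, while one that dereferences the claimed length goes quiet exactly when an attacker wants it to.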
Human Factors
Gartner has published a study regarding the Indian call center industry
where they claim India will suffer a shortfall of 250,000 qualified call center
workers by 2009. Gartner claims this will result in an increased risk of fraud
and identity theft within the industry, largely due to less due diligence during
the hiring process.
What country hasn't faced a shortfall of qualified workers for a given
industry at some point in its history? Typically, when that happens, immigration
efforts are stepped up to attract qualified workers from countries where a surplus
exists. There's certainly no reason to believe that India would be unable
to do this.
The real question is whether or not due diligence in background checks on any
employee is going to be lessened under the weight of fewer available candidates.
Some such pressure must already exist, given that most "qualified" call
center employees must undergo training in precisely how to perform their jobs.
India sees the call center business as having huge potential to raise the quality of
life in the country, so it's highly unlikely that it will permit
the industry to become overrun with fraudsters and insider criminals given the
harm that could cause to the overall economy. Probably the greatest risk is
in the rapid growth of the industry while the government and private industry
groups come to terms over how to regulate and supervise this resource.
A survey conducted by Trend Micro reports that users are more likely
to take risks while surfing the Internet when they’re at work because,
they believe, their IT departments are protecting them.
So users at corporate desktops are as ill-informed as those at home computers
... wow, that’s a headline! Why would anyone think that corporate
users would be any more security-savvy than they are when they’re at home?
Certainly user security education occurs more often at work, but that doesn’t
mean that those users who have been taught are any more likely to apply what
they’ve learned than those who have never been taught. History shows us
that if a virus-laden attachment gets past the corporate anti-virus gateway,
users within that organization are as likely to open it as anyone else. That’s
why Cybertrust has long recommended default deny for attachments.
Anyway, for all you IT folks out there creating complacency among your users,
convincing them they are completely secure within your perimeter ... maybe you
should run through your offices with your hair afire a few more times a week
than you do now, just to convince your users that bad things can, and do, happen
in your workplace.
Physical Security
A few weeks back Los Angeles found the equivalent of the "Big Red
Switch" when, as a result of a mistake made while connecting a power line,
a cascade failure resulted in the blackout of 750,000 homes and businesses.
Ever hear the story of the "Big Red Switch"? That's the switch
in the computer room that has a sign on it that says "Only press in the
event of an emergency!" and turns everything off at one time. Redundant
systems are, all too often, plagued with such single points of failure.
It’s also worth mentioning the costs of such events. Power officials
said that they had restored 90 percent of blacked-out premises within 90 minutes,
but because the event occurred at lunch time, many people had simply decided
to take the rest of the day off. Therefore, the actual cost isn’t simply
90 minutes of downtime, but an entire afternoon.
This column was originally published in our weekly Security Watch newsletter.
Privacy
Researchers at the University of California, Berkeley, have found a way
to turn the clicks and clacks of typing on a computer keyboard into a startlingly
accurate transcript of what exactly is being typed. The techniques described
in this paper are relatively easy; the team used open-source spell-checkers
and a $10 PC microphone, for example. And for that reason, the Berkeley team
has decided not to release the source code used in the study.
First, for this to be effective, the eavesdropper is going to have to profile
the system being listened to. Different keyboards give off different sounds.
Anyone who has tried to train a voice-aware cell phone to "dial"
knows how tricky it can be to get reliable recognition consistently. One
also has to believe that people who type with two fingers sound different from
those who type with all fingers. In any event, it's worth noting that
the researchers did mention that defeating this technique, and other TEMPEST eavesdropping
techniques, may be as simple as turning on an AM/FM radio.
Governance
The U.S. Federal Communications Commission (FCC) gave the toll-free number
1-800-RED-CROSS to the American Red Cross, taking it from an entity that
had acquired the number hoping to receive a major payday for it.
Why should squatting be allowed at all, be it telephone or domain names?
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.