Setting up gpg4win on Windows 8

A few weeks ago, when building my new computer, I decided to go with Windows 8, primarily for the under-the-hood improvements.  I won’t get into the overall experience, but I did run into a few issues getting security software installed, especially gpg4win, which I chose to enable PGP e-mail encryption.

The OpenPGP specification (encapsulated in RFC 4880) was created by Phil Zimmermann back in 1991 and is pretty much the standard for encrypting messages sent via the Internet.  However, implementing encryption is hard, and getting an implementation installed and working isn’t always easy, either.  While Linux has several options built into most distros to handle this, Windows ends up with two primary options: PGP and gpg4win.  We’ll have a look at them and how to install the latter after the break.


July 2013 patches for Microsoft, Adobe, Oracle

It’s the second Tuesday of the month, and that means it’s Patch Tuesday once again!  Well, for two of the companies mentioned.  Oracle still sees the need to do things their way, so their patches are out a week from today.  Still, be aware that Java might (read: probably will) be patched here in the near future.

But let’s focus on what’s out today, shall we?  I’m going to try to display the information in a useful format without getting into tables and without extending things too long.  Microsoft has 7 patches that address 33 vulnerabilities; Adobe has 3 patches that address 6 vulnerabilities.  They’re all pretty much in the “patch ASAP” category.

Microsoft

  • MS13-052 – Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution, Elevation of Privilege
    • Products Affected:
      • .NET Framework on Windows (all versions)
      • Silverlight 5 running on Mac or Windows
    • Vulnerability Count: 7
    • Public Status: 2 disclosed, none in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: Silverlight is a little like Java in that its presence as an application framework is sometimes required for business purposes, but it should be removed where possible.  Unfortunately, Netflix requires it for PC viewing on Windows, so many millions of systems have it installed.  Fortunately, even Microsoft sees an end in sight for Silverlight and has largely discontinued its use.  Here’s hoping that the remaining users also see fit to scrap it.
  • MS13-053 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution, Elevation of Privilege
    • Products Affected:
      • Windows (all versions)
    • Vulnerability Count: 8
    • Public Status: 2 disclosed, none in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: One of the public fixes is the bug that Tavis Ormandy found and published a couple of months ago.  Microsoft is downplaying the risk, saying that an attacker needs to have local access for the likely scenario to work, which presumes that a system not patched for this will be patched for everything else or that it won’t come in via e-mail or a web download.  I’ve leveraged it in a pen test through another remote vulnerability that wasn’t patched.  It’s really not hard to do.
  • MS13-054 – Vulnerability in GDI+ Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions)
      • Office (all except 2013)
      • Visual Studio .NET 2003
      • Lync Client for Windows (all versions)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: I considered putting this in the 30-day category, but it affects such a wide variety of software that I could not in good conscience do so.  This is probably going to be a quick target for attackers.
  • MS13-055 – Cumulative Security Update for Internet Explorer
    • Severity/Impact: Critical / Remote Code Execution, Information Disclosure
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 17
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: It’s Internet Explorer.  It needs to be patched.  Sixteen of the vulnerabilities are memory corruption reported to Microsoft by at least a dozen people.  Memory corruption is a big topic of research these days.
  • MS13-056 – Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: This has to do with specially-formed GIF files, a file format in very wide use on the Internet, hence the short patch period.
  • MS13-057 – Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: Most video is played back in Flash or HTML5, but there are still plenty of ways to get Windows Media Player to play something from the Internet.  Patch soon.
  • MS13-058 – Vulnerability in Windows Defender Could Allow Elevation of Privilege
    • Severity/Impact: Critical / Elevation of Privilege
    • Products Affected:
      • Windows Defender when installed on Windows 7 or Server 2008 R2 (does not affect Security Essentials or other Microsoft security software)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: It’s antivirus software, so you should be patching it pretty much immediately.  However, my actual recommendation is to get a real AV product.  If you’re a business, you need to spend some money, but it’s worth it.  If you’re at home, there are plenty of good, free AV options to go with such as Avast or AVG if you don’t want to buy something.

Adobe

  • APSB13-17 – Critical security update for Adobe Flash Player
  • APSB13-18 – Critical security update for Adobe Shockwave Player
  • APSB13-19 – Critical security update for ColdFusion 10, Important update for 9.x

June is here: Patches galore!

So June 2013 has arrived, and with it, so many security updates.  Some have been released, some have not, and some won’t be patched until at least next month.

Here are the patches that have been released, or at least scheduled.  (I’m probably not going to do my Microsoft overviews anymore.  They take a LONG time to write up and are useful to only a niche crowd that can find the details elsewhere.  I’ll still post when bad things come along, but not with as much detail.)

Microsoft Windows, IE, and Office

Microsoft released a few patches this week.  Of special note:

  • MS13-047: Internet Explorer gets updates, and a lot of them.  How many?  This update includes fixes for NINETEEN vulnerabilities.  While they weren’t known to be publicly exploited as of Tuesday, frameworks like Metasploit have already caught up to May’s updates, and odds are that June’s updates will be covered soon.
  • MS13-051: Office gets an update (or several of them, judging by Windows Updates for me), covering attacks that are already in the wild.  Yep.  Microsoft patches something the bad guys know is broken.  Time to patch now and break the bad guys’ hearts.

What has not been fixed is Tavis Ormandy’s odd little find from the last month or so.  While it’s a local privilege exploit, don’t dismiss it, as I used it on the path to Domain Administrator access in a recent test.  It absolutely works (sometimes, but for me when it counted).  No word on when it will be addressed, but it probably won’t be before 12 July 2013.

Adobe Flash

Adobe released a Flash update, as they do pretty much every month.  Either update Flash or Chrome (or both for those that run Flash outside of Chrome, which is most of you).  Adobe Reader seems to be unaffected, but here’s a random reminder to check your installed version.  If you’re not on 10.x or 11.x, you’re at serious risk.

Oracle Java

Oracle has not released a Java patch this month…yet.  No, that’s not until next week.  That’s when Oracle releases an update that fixes 40 (that’s forty, as in four times ten) known vulnerabilities.  How badly does it affect Java?  The update announcement includes mention of Java 7 b21 and earlier, which isn’t surprising.  But it also mentions Java 6 b45 and earlier, which is funny because Java 6 support was supposed to end in February with a one-time extension in April.  However, it also mentions Java 5 b45 and earlier.  Java 5 was supposed to be EOL last year.  It looks to me like Oracle has had to face the very ugly truth that people don’t upgrade like Oracle wants them to.  Even if they fix Java 7 and 8 with a crash security program such as was seen with Microsoft and Windows XP SP2, I expect that Java problems will be with us for a long, long time to come.

John the Ripper 1.8.0 released

A new version of the pre-eminent password cracker John the Ripper has been released.  Bringing the version up from 1.7.9 to 1.8.0, the biggest change is a boost in performance, in some cases nearly doubling cracking speed.  The performance edge seems to drop off as the checks go longer, but it’s still present.  The formal jumbo patch isn’t done yet, but it should be here soon.

I expect to see it in Kali and other security distros soon.  Passwords are growing less safe by the day.

Don’t use APNIC ranges for test addresses

A tip for those of you who manage DNS servers:

If you absolutely MUST put a fake entry in your zone, DON’T point it to 1.1.1.1 or 1.2.3.4.  Either point it to an address (of your own!) that you know to be unused or point it to an RFC 5737 address (192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24).  It’s still not a good idea, but at least those are non-routable addresses that you’re (probably) not using in your network, so they won’t give away internal information.

Pointing it to anything in the 1.x.x.x range sends the resulting traffic to APNIC parts of the Internet that include Asia and Australia.  You have no control over these addresses.  Don’t put your customers in danger.
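A quick way to catch the problem described above before it reaches production is to audit the A records in a zone against the two acceptable placeholder choices (RFC 5737 space, or your own prefixes that you know to be unused).  The following is an added example, not part of the original post; the sample zone, the owner names and the 10.99.0.0/16 "own unused" prefix are all constructed for illustration.

```python
import ipaddress
import re

# RFC 5737 documentation ranges, the placeholder targets the post recommends.
RFC5737_NETS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
# 1.0.0.0/8 is APNIC-allocated; 1.1.1.1 and 1.2.3.4 both fall inside it.
APNIC_ONE_NET = ipaddress.ip_network("1.0.0.0/8")

REASON_APNIC = "inside APNIC-allocated 1.0.0.0/8; traffic leaves your network"
REASON_OTHER = "not an RFC 5737 address and not in your declared unused space"

# Zone-file A record: owner, optional TTL, optional class, "A", dotted-quad.
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})$", re.IGNORECASE)

def audit_zone(zone_text, own_unused):
    """Return (owner, address, reason) for every A record whose target is
    neither an RFC 5737 address nor inside one of the operator's own unused
    prefixes given in own_unused (a list of CIDR strings)."""
    own_nets = [ipaddress.ip_network(n) for n in own_unused]
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        m = A_RECORD.match(line)
        if not m:
            continue                          # SOA, NS, directives, etc.
        ip = ipaddress.ip_address(m["addr"])
        if any(ip in n for n in RFC5737_NETS + own_nets):
            continue
        reason = REASON_APNIC if ip in APNIC_ONE_NET else REASON_OTHER
        findings.append((m["name"], str(ip), reason))
    return findings

# Constructed sample zone; 10.99.0.0/16 stands in for a prefix you own and know is unused.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@            3600 IN SOA ns1.example.com. hostmaster.example.com. 2013060101 7200 900 1209600 300
@            3600 IN NS  ns1.example.com.
ns1          3600 IN A   203.0.113.10   ; RFC 5737, fine
www          3600 IN A   198.51.100.20  ; RFC 5737, fine
placeholder       IN A   1.1.1.1        ; APNIC space
test         3600 IN A   1.2.3.4        ; APNIC space
staging           IN A   10.99.4.7      ; own declared unused prefix, fine
legacy       3600 IN A   172.16.0.5     ; RFC 1918, but not declared as yours
"""

if __name__ == "__main__":
    for name, addr, reason in audit_zone(SAMPLE_ZONE, ["10.99.0.0/16"]):
        print(f"{name:12} {addr:15} {reason}")
```

Run it against a real zone file by reading the file into `zone_text` and listing your own unused prefixes in `own_unused`; anything it reports is a record whose traffic ends up somewhere you do not control.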

User security rebellion? Maybe you have too many rules

On a recent pen test engagement, I found myself comparing two very different security environments and drew a lesson from it that can benefit them both.  Both are familiar environments (an IT department in one case and a flight home in the other), both are heavily regulated, and both can easily irritate their users.  The actual results, though, are very, very different.  In the first case, there is widespread compliance and in the second case, there is widespread rebellion, even if at a level that’s harder to track.


Leading a SANS SEC504: Hacker Techniques Mentor class starting in July

To those in the DFW area (or those who know someone in the area), I will be conducting a SANS Security 504: Hacker Techniques, Exploits & Incident Handling Mentor class beginning in July.

Running over ten sessions, students are able to train with SANS at a pace designed to allow more time to absorb the course content while not being out of the office for a week or incurring travel costs.

Class starts July 23rd and will meet over 10 Tuesday evenings running from 6:30-8:30PM.  Full schedule and details are available at https://www.sans.org/event/32987.

Tuition is $3077 if you register by June 25th, using Discount Code DRIVE13.

Some of what you will learn includes:

  • The tactics used by computer attackers
  • The latest attack vectors and how to stop them
  • Proactive and reactive defenses for each stage of an attack
  • Strategies and tools for detecting each type of attack
  • Attacks and defenses for Windows, Unix, switches, routers and other systems
  • Application-level vulnerabilities, attacks, and defenses
  • How to develop an incident handling process and prepare a team for battle
  • Legal issues in incident handling
  • How to recover from computer attacks and restore systems for business

When registering, it would be a great help to me if you would enter “MENTOR RECRUIT” in the Comments section of the registration.

Thanks, and I look forward to seeing some familiar faces in July.

Oracle realizing that Java engine security is broken

Oracle is not a company I’m fond of.  I dislike its business practices immensely and its security stance has historically been very much a reactive one.  I realize that they have immensely complex products, but when quarterly patches regularly cover dozens of security fixes, it’s time to start wondering how seriously they take security.

Over the last couple of weeks, though, two things have happened that give me some hope that a new direction is coming.  They don’t yet cause me to change my recommendation that Java should be removed where feasible and secured where it must be present, but it’s a good change nevertheless.


Facepalm: Microsoft (sort of) sends patches via e-mail

In general, I think most companies are doing better in security than before.  They at least are admitting that they have to pay attention to it, and Microsoft has made huge changes in its programming and business practices that have made it far more difficult to break into systems than it used to be.  But there’s still room for improvement, and it’s a change that needs to happen sooner rather than later because it’s undermining a key aspect of user security awareness.
