Wednesday, March 23, 2011

IIS 7.0 STIG released

DISA has released a STIG for IIS 7.0.  You can find the STIG here:

I cracked open the .zip file and confirmed that there is guidance for both a site and a server.
Comments, recommended changes, and/or additions are due to DISA by 21 April 2011.
I'm glad that this STIG has been released, as I'm seeing more IIS 7.0 servers.

Monday, March 21, 2011

Case for a tablet

I've been thinking of getting a tablet...just something to store books on. And, if I can root it, maybe some Android Apps. I haven't settled on one, but I'm toying with the idea. However, I saw this case, and think it's pretty cool. Practical? I'm not sure, but I like it.

Friday, March 18, 2011

Windows 2008 Server R2 draft STIG has been released

DISA has released the draft of the Windows 2008 Server R2 STIG.  You can find the STIG here:

Comments, changes, and additions are requested by March 25, 2011.

Thursday, March 10, 2011

Is a DLL an application?

Almost every auditing trip I take has an application of some sort; it is rare that I do not have to apply the Application Security and Development checklist. Quite frequently, the discussion arises as to "what IS an application?" It seems the answer is not cut and dry.

Certainly, we can make the depiction from GOTS (government) and COTS (commercial) applications. Further, COTS auditing is different from GOTS testing. Below are some quotes from the Application Security and Development STIG.

From the glossary:
Application - Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges. Examples include office automation, e-mail, web services, and major functional or mission software programs.

Automated Information System (AIS) Application - For DoD IA purposes, an AIS application is the product or deliverable of an acquisition program, such as those described in DoDD 5000.1. An AIS application performs clearly defined functions for which there are readily identifiable security considerations and needs that are addressed as part of the acquisition. An AIS application may be a single software application (e.g., Integrated Consumable Items Support (ICIS)); multiple software applications that are related to a single mission (e.g., payroll or personnel); or a combination of software and hardware performing a specific support function
across a range of missions (e.g., Global Command and Control System (GCCS), Defense
Messaging System (DMS)). AIS applications are deployed to enclaves for operation and have their operational security needs assumed by the enclave. (Note: An AIS application is analogous to a "major application," as defined in OMB A-130; however, this term is not used in order to avoid confusion with the DoD acquisition category of Major Automated Information System (MAIS).)

Government off-the-shelf (GOTS) - software and hardware products developed and tailored specifically for government agencies by a government agency itself or in cooperation with a external vendor or contractor. These products are developed for redistribution to other government agencies. Custom developed code being developed by an external source, does not automatically qualify as GOTS.

Desktop applications, thick client applications, web services, and web applications are pretty easy to understand and relate to the definitions. However, where does a DLL fit in the mix? I have worked with many vendors that design hardware and software for DoD entities. Typically, the application is written to manage or facilitate use of the hardware. But, how about a DLL that is written as an interface for software and distinct hardware? Does the creation of that DLL fall under the guidance of the Application Security and Development checklist?

This is a discussion we are having with one particular client and I would be interested in thoughts, citations and references for either side of the argument.

Saturday, March 5, 2011

Recovering from a Blue Screen after upgrading XP to Service Pack 3 from Service Pack 2

I received a laptop that had XP Service Pack 2 on it. During the reboot after installing Service Pack 3, the laptop blue screened. I could not get in at all. A little elbow grease and some googling, and I was able to get back to where I was before the original upgrade. Here are the steps I took.
1. As I could not get past the blue screen, I had to use recovery console. Put an XP cd in the drive and boot the machine. (Of course, on my machine, I had change the boot order in BIOS.)
2. Press any key to boot from the CD.
3. When the "Welcome to Setup" message appears, press R to start the Recovery Console.
4. Select the Windows XP installation (I had only 1.)
5. Enter the admin password (a miracle that I had this.)
6. When you get the command prompt, type: cd $ntservicepackuninstall$\spunist and hit enter.
7. When you get a prompt back, type: batch spuninst.txt and hit enter.
(You will see error messages and files being copied, this is normal.)
8. Remove your cd.
9. When you get your prompt back, type: exit and hit enter
10. Restart the computer in safe mode.
11. Log in as administrator.
12. Either open Control Panel, or Start -> Run and type: appwiz.cpl
13. Click the check box to Show Updates.
14. Scroll and find Windows XP Service Pack 3...and click remove.
15. Click Finish to restart the computer after the removal process is finished.

Now, I have to re-apply Service Pack 3 to get this computer up to date. But, at least I'm beyond the blue screen.

Thursday, March 3, 2011

Ars Technica and HBGary

I'm not going to re-hash the HBGary story; Ars Technica has done a great job of following and chronicling the story.

Here are some of the great pieces I've read:

The Aftermath

How one security firm tracked down Anonymous - and paid a heavy price

Black ops:  How HBGary wrote backdoors for the government

I'll add more as I read more of their work.  Great stuff.

Tuesday, March 1, 2011

In 20 years it will be ok for Twitter to mislead consumers with regards to their privacy

I've been traveling quite a bit lately, so I spent the last couple of days catching up on magazines.  I came across this interesting quote in SC Magazine's January issue.  From Angel Moscaritolo's article "Private Matters" on page 24 of the January issue:

As part of the settlement, Twitter "will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information."

Awesome.  So, does that mean that in 20 years Twitter will be able to mislead consumers?

Multi-factor authentication means more than knowing an answer

My bank is a great little hometown bank.  I like it for its convenience and that it is local.  The other day, I went to log in to check a deposit, when I noticed a link on the login page that said "Multi-factor Authentication."  I thought "wow, I would love to add a factor to my login."  Currently, my bank just uses username and password.  So, I clicked the link to learn more about their multi-factor login options.  It turns out that if you want to use full-time multi-factor login functionality, you answer an extra question.  That's it.  Yes, you have to answer it exactly, numbers for numbers, punctuation, etc.  But that's it.  I was hoping for a one-time token, or an option to text me a one-time password.

To me, and I guess the classical definition, multi-factor authentication is made up of:
  • Something the user knows (passwords, PINs, etc)
  • Something the user has (ATM card, CAC, etc)
  • Something the user is (biometrics, eyes, fingerprint, voiceprint, etc.)

As I mentioned above, right now, my bank uses a username and password to log in.  That's something you know.  Adding a question that the user "knows" the answer to is not adding a new authentication method.  That answer is still something you know.

I'm trying to get in touch with someone at the bank to see if there are other options supported or if there are any plans to add a second factor.