MIT Kerberos DOS Vulnerability

10/30/2011 3:50:43 PM

I just saw this in the SANS vulnerability alert this week. If you don’t want to parse the text yourself, it is essentially four separate remote denial-of-service vulnerabilities in the MIT Kerberos implementation for krb5-1.8 and later.

It’s amazing to me that we are still finding fatal flaws in a core security service like this. I’m not sure exactly how old the MIT Kerberos implementation is, but the protocol as defined in RFC 1510 (which has been obsoleted by RFC 4120) has been around since 1993, and as far as I know, the MIT Kerberos implementation was the original.

Patch your code!

Tags:

Identity and Access | Security

We Just Never Seem to Learn

9/6/2011 3:34:56 PM

This article describes how a disgruntled IT worker used a back-door account he had created to wreak havoc on his former employer. The story is notable not just in how familiar it is, but in all the ways basic identity and access governance (IAG) practices could have prevented the attack.

The story line goes like this (sing along if you’ve heard this one before): David Palmer, an IT administrator, was fired from his job at McLane Advanced Technologies, a military contractor and IT service provider. He had set up a back-door account before he was escorted out. Some time later, he used his back-door account to log into his former employer’s systems via the Wi-Fi at a local restaurant, deleted the payroll files for one of McLane’s customers, and apparently accessed files belonging to another customer. The customer was unable to process timecard entry or payroll for a few days, and ultimately McLane contacted the US Secret Service to report that their computer systems had been attacked. Palmer admitted his guilt in Federal Court and stated that “The only reason for logging into any of these servers was to create general havoc and disorder for McLane Advanced Technologies the following day.” Just to add a little insult to injury, McLane advertises themselves as “… adhering to a strict set of values and ethical standards by doing what’s right for our customer” in the areas of (among others) “Software Development”, “Data Management”, and “Information Security”. Fine-sounding words for a company that apparently couldn’t muster enough ethics to implement even basic identity and access governance processes. Thank goodness it was only a payroll system. What if it had been something more critical?

Ok, I’m being harsh. I don’t know the company, and perhaps there are some extenuating circumstances. But there are so many ways that this attack could have, and should have, been prevented, I can only conclude that no one was paying attention. Let’s see how many simple identity governance practices might have helped prevent this mess:

  1. Appropriate delegation of administrative rights – assuming that Mr. Palmer’s job didn’t require routine creation of user accounts, he shouldn’t have been able to create his back-door account to begin with. Nor should the account he created have had any access to customer files.
  2. Appropriate workflow around creation of a privileged account – apparently there was no review and approval for the creation of the back-door account.
  3. Proper auditing and review of user account changes – the creation of a privileged account should have fired an alert and triggered an immediate review.
  4. Privileged account management – privileged accounts should be normally disabled and “checked out” for use only after appropriate approval, and only for a specific amount of time.
  5. Functioning account deprovisioning – when Palmer was fired, all of the accounts he owned should have been immediately disabled.
  6. Access attestation and certification – no one attested to the validity and necessity of Palmer’s privileged back door account. To be fair, you usually do access reviews and attestations on some sort of a scheduled basis, e.g. quarterly, and he may have created and used his backdoor account within that period.
  7. Appropriate authentication technology – As a general rule, privileged accounts should not be usable by people logging in from non-company-owned devices from public networks without a second form of authentication like a smart card or OTP. I’m assuming of course that both his company laptop and any smart card would have been confiscated when Palmer was fired.
  8. Appropriate authorization technology – Smarter (e.g. dynamic and contextual) authorization technology would have saved the day here as well. An appropriate access policy for deleting customer files would have included rules like “only from a recently certified (attested to) account” and “not from a public IP” and “not from a public device”.
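As an added illustration (not code from the original post or from any of the products it mentions), here is the contextual authorization idea from items 4 through 8 written as a small policy function: before a privileged action is allowed, the request is checked against the account’s enablement state, the age of its last attestation, the source network, the device, and whether a second factor was presented. The attribute names, the 90-day certification window, the privileged-action list and the two sample requests are assumptions made for the demo.

```python
"""Contextual access check for a privileged action.

Added illustration, not code from the original post: the account-state and
request-context rules from the list above, as one policy function.  Field
names, thresholds and the sample requests are assumptions for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    account: str
    account_enabled: bool            # False once deprovisioning has run
    last_certified: Optional[date]   # date an access review last attested this account
    source_ip: str
    device_managed: bool             # company-owned, managed device
    second_factor: bool              # smart card / OTP presented at logon
    action: str


# Assumed policy constants: an attestation older than one quarter no longer
# counts, and these actions are treated as privileged.
CERTIFICATION_MAX_AGE = timedelta(days=90)
PRIVILEGED_ACTIONS = {"delete_customer_files", "create_account", "modify_acl"}


def evaluate(req: AccessRequest, today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons).  Every failed rule is reported rather than
    stopping at the first one, so a reviewer sees all the controls that
    should have blocked the request."""
    reasons: List[str] = []
    if not req.account_enabled:
        reasons.append("account is disabled")
    if req.last_certified is None or today - req.last_certified > CERTIFICATION_MAX_AGE:
        reasons.append("account not certified within the last 90 days")
    # Anything outside private / loopback / link-local space is treated as public.
    if not ipaddress.ip_address(req.source_ip).is_private:
        reasons.append("request originates from a public IP")
    if not req.device_managed:
        reasons.append("request originates from an unmanaged device")
    if req.action in PRIVILEGED_ACTIONS and not req.second_factor:
        reasons.append("privileged action without a second authentication factor")
    return (not reasons, reasons)


TODAY = date(2011, 9, 6)

# Constructed sample: a leftover back-door account used from a public network
# on a personal device, the situation described in the story above.
BACKDOOR_REQUEST = AccessRequest(
    account="svc-backup2",
    account_enabled=True,        # deprovisioning never ran
    last_certified=None,         # never attested to in an access review
    source_ip="8.8.8.8",         # stand-in for a restaurant's public egress address
    device_managed=False,
    second_factor=False,
    action="delete_customer_files",
)

# Constructed sample: a current administrator doing the same job properly.
ADMIN_REQUEST = AccessRequest(
    account="jdoe-adm",
    account_enabled=True,
    last_certified=TODAY - timedelta(days=30),
    source_ip="10.20.30.40",
    device_managed=True,
    second_factor=True,
    action="delete_customer_files",
)

if __name__ == "__main__":
    for req in (BACKDOOR_REQUEST, ADMIN_REQUEST):
        allowed, reasons = evaluate(req, TODAY)
        print(req.account, "ALLOW" if allowed else "DENY", reasons)
```

Run stand-alone, the back-door request is denied on four separate grounds (no attestation, public IP, unmanaged device, no second factor) while the administrator’s request passes; had the account also been disabled at termination, a fifth reason would appear. That redundancy is the point of the list above: any one of the controls is enough to stop the request.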

So that’s eight different IAG activities, any one or two of which would have prevented this attack. All of them are well-known practices, and all but the last one are implementable using commercial off-the-shelf software such as Quest One Identity Manager, Active Roles Server, Quest Privilege Manager, Change Auditor for Active Directory, and Defender. Some of these processes and controls are implementable (with effort and some scripting) just using what’s in the box with Windows. For a Gold Certified Microsoft Partner boasting a CMM Level 3 software development certification as McLane is, putting these processes in place should not have been a problem provided someone was actually paying attention. And there’s the point. If you host sensitive data on your computer systems (and who doesn’t?), someone in executive management has to be paying attention. Typically this would be the CIO or CSO, but at the end of the day it’s on the CEO to ensure that the company is taking due care to ensure that access to critical corporate assets is controlled and audited in a way that ensures the security of the data and of the company. Perhaps that’s something they should be teaching at Famous CEOs School.

In case you didn’t get that last reference, see Famous Artists School on Wikipedia.

Tags:

Identity and Access | Security

DEC 08 Content Available on Hello Secure World

7/1/2008 7:19:00 AM

Hello Secure World is a website set up by Microsoft to promote Windows security. The Microsoft Business Marketing Organization (BMO) and Tri-Digital worked with us on DEC 08 in Chicago to record some of the more security-related sessions, and they are now available on the HSW site. Start at the main page, sit through the intro (or click the Skip link), and click the "Inside the DEC" link.

IIRC, we recorded 10 of the sessions. Currently four of the RMS-related sessions are available; I believe that the BMO rotates the 10 sessions through the site.

Is this a usable format for you? Would you like to see all of the DEC content recorded this way?

Tags:

Identity and Access | Security

Bank loses tapes with data on 4.5M clients - Network World

6/2/2008 5:23:00 AM

Tags:

Identity and Access | Security

ChangeAuditor Nominated as a Finalist for Best of TechEd 2008 IT Pro

5/21/2008 9:23:00 AM

I just heard today that NetPro's ChangeAuditor was nominated as a finalist for the Best of TechEd 2008 IT Pro Awards. That is great recognition for a product that has been so successful for us and for our customers over the last several years.

When we first defined ChangeAuditor (back in 2002!) it was intended to be an automated change log for Active Directory administrators. Any administrative change you could make to AD, ChangeAuditor would track and record who made the change, when and where the change was made, and what the old and new values were. If you changed an ACL on an OU, or added a site-link, or deleted a GPO setting, or changed an NTDS registry setting on a DC, ChangeAuditor would immediately record the who, what, when, and where (you had to add the why manually).
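To make the who/what/when/where idea concrete, here is an added example (my own illustration, not ChangeAuditor's code) that compares two attribute snapshots of a directory object and emits one change record per changed attribute with its old and new values. It assumes the snapshots were read from the directory before and after an administrative operation and that the actor, timestamp and domain controller are known from the audit source; multi-valued attributes such as group membership are reported as added and removed values rather than as a whole-list replacement. The object, attribute names and values are constructed for the demo.

```python
"""Attribute-level change records in the who/what/when/where style.

Added illustration, not ChangeAuditor's code.  Given two snapshots of an
object's attributes (assumed to be read before and after an administrative
change), emit one record per changed attribute carrying the old and new
values, the actor, the time and the host the change was made on.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Dict, List, Tuple


@dataclass
class ChangeRecord:
    who: str                      # account that made the change
    when: datetime
    where: str                    # domain controller / host the change was applied on
    what: str                     # distinguished name of the changed object
    attribute: str
    old: Any
    new: Any
    added: Tuple[str, ...] = ()   # populated only for multi-valued attributes
    removed: Tuple[str, ...] = ()


MULTI_VALUED = (list, tuple, set, frozenset)


def diff_object(dn: str, before: Dict[str, Any], after: Dict[str, Any],
                who: str, when: datetime, where: str) -> List[ChangeRecord]:
    """Return the change records needed to explain how `before` became `after`."""
    records: List[ChangeRecord] = []
    for attr in sorted(set(before) | set(after)):
        old, new = before.get(attr), after.get(attr)
        if isinstance(old, MULTI_VALUED) or isinstance(new, MULTI_VALUED):
            # Order is not significant for multi-valued attributes; compare as sets
            # and report the membership delta, which is what a reviewer wants to see.
            old_set, new_set = set(old or ()), set(new or ())
            if old_set == new_set:
                continue
            records.append(ChangeRecord(
                who, when, where, dn, attr, sorted(old_set), sorted(new_set),
                added=tuple(sorted(new_set - old_set)),
                removed=tuple(sorted(old_set - new_set)),
            ))
        elif old != new:
            records.append(ChangeRecord(who, when, where, dn, attr, old, new))
    return records


# Constructed sample: a group whose membership and owner were changed in one
# operation by a delegated administrator.
GROUP_DN = "CN=Backup Operators,OU=Groups,DC=example,DC=com"
BEFORE = {
    "description": "Accounts allowed to run backups",
    "managedBy": "CN=alice,OU=Users,DC=example,DC=com",
    "member": ["CN=alice,OU=Users,DC=example,DC=com",
               "CN=bob,OU=Users,DC=example,DC=com"],
}
AFTER = {
    "description": "Accounts allowed to run backups",
    "managedBy": "CN=carol,OU=Users,DC=example,DC=com",
    "member": ["CN=bob,OU=Users,DC=example,DC=com",
               "CN=alice,OU=Users,DC=example,DC=com",
               "CN=svc-backup2,OU=Service,DC=example,DC=com"],
}
SAMPLE_RECORDS = diff_object(GROUP_DN, BEFORE, AFTER,
                             who="EXAMPLE\\delegated-admin",
                             when=datetime(2008, 5, 21, 9, 23),
                             where="DC01.example.com")

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.when:%Y-%m-%d %H:%M} {rec.who}@{rec.where} changed "
              f"{rec.attribute} on {rec.what}: {rec.old!r} -> {rec.new!r}")
```

The sample produces two records: the `managedBy` change with its old and new owner, and a `member` change that reports one added member and nothing removed even though the stored list order also changed. Comparing multi-valued attributes as sets is what keeps a reordering from being logged as a change.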

My favorite customer experience with ChangeAuditor happened during a proof-of-concept installation at A Really Large Semiconductor Manufacturer. Their AD spanned the globe and supported more than 100K users. The AD admin team managed their AD like their lives depended on it, and they had change control processes in place that would make an IT auditor weep with joy. The AD team were justifiably proud of their tightly-run ship, and needless to say, they were absolutely floored when they saw the kinds of changes being made by delegated admins that flew underneath their change control radar. It was an impressive demo.

Since then, ChangeAuditor has grown both in depth and breadth. ChangeAuditor now tracks essentially any change made to AD, administrative or otherwise, and provides a truckload of useful out-of-the-box administration and compliance reports. And ChangeAuditor tracks changes in other platform services as well, including Exchange, SQL Server, and Windows file servers. You can expect support for other core services Real Soon Now (tm).

Congratulations to the ChangeAuditor product team at NetPro for this fine recognition.

If you want to learn more about ChangeAuditor, click here.

Tags:

Identity and Access | Other technology-related | Security

Server Core configuration tool from Guy Teverovsky

4/2/2008 3:32:00 AM

I find configuring WS08 Server Core a bit of a pain because I have to use several different (and unfamiliar) command-line tools to perform the normal day-to-day configuration tasks that I do so easily with the graphical tools in a full WS08 install. It's not a big deal; the proper command-line syntax is documented in several places, for instance here, but it can be annoying.

Rafael Dominguez, one of NetPro's Systems Engineers, passed this nifty little tool on to me today. It's a little graphical utility by Guy Teverovsky that supports the most common configuration scenarios, including:

  • Product Activation
  • Configuration of display resolution
  • Clock and time zone configuration
  • Remote Desktop configuration
  • Management of local user accounts (creation, deletion, group membership, passwords)
  • Firewall configuration
  • WinRM configuration
  • IP configuration
  • Computer name and domain/workgroup membership
  • Installation of Server Core features/roles

I haven't used it yet, but I will. Check it out!

Tags:

Other technology-related | Security

EU Considers IP Addresses "personal data"

10/21/2007 1:55:00 PM

I heard about this through the CyTrap labs Regustand newsletter. Basically, the Article 29 Working Party of the European Commission has carefully read the privacy regulations and issued an interpretation that, among other things, considers IP addresses to be personal data subject to privacy regulations.

I suppose from a privacy perspective this makes sense, and if you read the interpretation, it is hard to argue with the logic. On the other hand, the only organization that can reasonably identify a person on the other end of an IP address is the ISP that issued it. J Random Webmaster can capture the IP address and some other interesting information about the client, but they will be hard-pressed to associate that information with an "identified or identifiable natural person". But the wording of the legislation states that any information "relating to" such a person is "personal data", and IP addresses would seem to qualify. This means that IP addresses are subject to Directive 95/46/EC, which governs the use of personal data.

So does this mean that DHCP logs are subject to the same regulations that passport numbers are? It would seem so. Even in the enterprise? Again, it would seem so.

Yet another thing to add to the compliance effort.

Tags:

Identity and Access | Security