Archive for October, 2009

Adobe Acrobat products update available

Wednesday, October 14th, 2009

Adobe has released updates for the Acrobat suite of products. The update fixes over two dozen vulnerabilities[adobe.com], at least one of which is being actively exploited. The version number of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4.

What is more damning than the 29 vulnerabilities fixed is that it appears that many of the vulnerabilities have existed since the Acrobat 7.x and are just now being discovered and/or addressed. I have a suggestion for Adobe: Get your developers some secure coding training. Stop all coding at your company until all your developers have taken one month of secure coding classes.

Posted in Advisories, Malware, Security | No Comments »

Cybersecurity Act of 2009 – Professional Licenses?

Tuesday, October 13th, 2009

The Cybersecurity Act of 2009[opencongress.org] was introduced April 1, 2009, by Senator John Rockefeller (D-WV). The act is:

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

One of the more talked about provisions of this bill is the granting of authority to the POTUS to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.” Perhaps that will be another blog post, but the provision currently bothering me is the one in Section 7[opencongress.org] of the bill. That section directs the Secretary of Commerce to establish a “national licensing, certification, and periodic recertification program for cybersecurity professionals” and that, after 3 years, makes it “unlawful for any individual to engage in business…as a provider of cybersecurity services…who is not licensed and certified under the program.” The provision only applies to professionals providing services to Federal agencies, their networks, or a network deemed as “critical infrastructure” by the POTUS.

Why does this bother me? Well, to start off with, licensing and certification sure sound like there will be some exchange of money involved, just as private certifications like CISSP, CCNA, MCSE, etc., require you to fork over some cash to take the test and/or maintain membership. If the Federal Government steps in and does the same thing either

  1. the Feds are getting a de facto tax from cyber security professionals; or
  2. if an already existing certification is chosen, that certification body essentially gets public welfare.

In the latter case, whoever spends the most money lobbying the Congress Critters (probably) wins.

This sounds like some unnecessary meddling to me. Yes, the Feds need some well-trained cyber geeks to shore up their defenses. A lot of the cyber security professionals that are already in the government are incompetent–I’ve taken various educational courses and met them, and also worked around some of them–but the way to fix that problem is to make it possible for the Feds to fire people. Right now, if you get in to the Federal government, you’re employed for life unless you do something extremely stupid and illegal.

But even the NSF Scholarship for Service (AKA CyberCorps) program (which this act evidently re-authorizes) won’t help. First of all, you can’t train enough cyber security professionals fast enough to make a difference. More importantly, the lack of people is not the real issue. The real issue is the politics, red-tape, and managerial incompetence that restricts the competent CSPs that are already in the Federal government from securing their networks.

To defend a network, you have to be able to react quickly. To defend a network that has little or no existing defense in place, you have to be able to rapidly re-configure the network with up-to-date tools and hardware. It takes entirely too long to get approval for purchasing those devices, and entirely too long to get approval to deploy them. Then some manager can’t understand that some things are going to break and take a while to fix, and pretty soon you have a half-deployed three year-old “security is in the blinky thingy” device that can’t keep up with the volume of traffic transiting the new OC-128 the Undersecretary for Porn Surfing demanded be put in place.

I just don’t see this going well. Someone’s going to get very rich, another 1500 jobs are going to be added to the federal government to oversee this program, more tax money is going to be wasted, CSPs are still going to be frustrated in their attempts to repair Federal networks, and the Internet is still going to be a DANGEROUS PLACE with unfriendlies from all points south of our border and across the oceans trying to steal our information.

Posted in Security | No Comments »

YAAV (Yet Another Adobe Vulnerability)

Thursday, October 8th, 2009

Another Adobe Acrobat vulnerability is being exploited in the wild. All versions up to and including 9.1.3 are vulnerable. The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (those for Linux and Mac OS X) are vulnerable. Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack (at the moment). DEP is an optional setting. Here is the Microsoft KB article about DEP, but their server is saying it’s “too busy” at the moment (4:11p). More information from the ISC is here.

Adobe is set to release an update on October 13. Until then, keep on your toes!

TRUE Network Security Monitoring customers: rest easier: if your resources are successfully attacked, we should see the results.

Posted in Advisories, Security, Windows | No Comments »