From Erik's IT-Security notes

EZSecurity Bulletin for May of 2011

INTRO

It’s not really that bad; the summer in Sweden is not just the most beautiful day of the year. Actually we have had a few really great sunny and warm days now. In a row, even. For Sweden, this is great!

This month so far has been quite easy on the patching groups as we only have two bulletins to cope with. One covers WINS and the other one PowerPoint. You might wonder if you need to patch any servers at all, but we’ve still decided to recommend that you schedule a patching window this month. The rationale is simple: WINS servers are still at large and deployed in places where you don’t expect them to be, and the proliferation of Citrix and terminal services makes it quite possible to find PowerPoint installed on a server. I’ve not had the time to read up on the recent attack on Sony’s networks. The only observation I can offer is this: I believe it is time to start questioning why we always have to be connected to the Internet when using software and/or games that need no network access to begin with.

And also remember that big headline news like the death of Bin Laden will always generate spam email. Throw away any email linking to sites promising material from the attack.

MICROSOFT SECURITY BULLETIN SUMMARY FOR MAY OF 2011

As per usual, Microsoft releases their security bulletins the second Tuesday of every month. This month comes along with 2 bulletins.

Recommendation: patching should be done as soon as possible, which means next patch window.

Critical
MS11-035 - Vulnerability in WINS Could Allow Remote Code Execution (2524426)
Important
MS11-036 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)

A LESSON IN TROUBLESHOOTING

Troubleshooting and investigation have a lot in common, and I touched the subject a few months ago in a story called “The power of inference”. Now, here’s a true story that is not really related to IT, but that I think you might find interesting.

About a month ago, I got my HAM (amateur radio) license. But my interest in radio began much earlier, when my grandfather showed me how to operate one of his old radios. It was a large “National HRO sixty” shortwave receiver that had previously been installed in the Bromma airport control tower in Stockholm. To change which wavelength band you wanted to listen to, you had to physically remove a cassette and switch it for another cassette that held the circuits needed for the radio to receive that particular band. My grandfather had worked for many years for the Swedish telecom and radio authority “Telegrafverket” (later Telia) and was himself a radio amateur.

All radio amateurs get a unique call sign assigned to them by their country’s registrar when they take and pass the exam(s) required to operate as a radio amateur. When I finally was about to get my own license, I decided to find my grandfather’s call sign. He became a silent key in 1994. In amateur radio slang a radio amateur who has died becomes known as a “silent key”. This goes back to the days when you used a telegraph key to transmit Morse code. So my grandfather is now known to the amateur radio (“HAM”) community as SM0HAE (SK). Simplified: SM is Sweden’s country code (SA – SM actually). 0 stands for the Stockholm area. This is where the operator has his home, but he can of course broadcast from another location, although this has to be noted by him during the broadcast. HAE is the part that uniquely identifies the operator. (SK) means that the operator is no longer among the living. Well, on with the story…

I was able to find his information through a service called HamCall Net and that could have been the end of the story. But it wasn’t. As this information was quite old, it had most likely not been registered through the Internet. One interesting thing was that his “QTH” or broadcast location was noted along with the rest of the information. I fed the latitude and longitude into Google Maps and ended up… nowhere. The map centered on some trees on the side of the road, a few miles away from a small town called Perstorp. It just didn’t make sense. Then the troubleshooter in me awoke. I spoke to my mother and asked her about it. She was quite sure he had never had a house in or around Perstorp. My gut feeling told me there had to be a mistake somewhere, but the numbers couldn’t be totally wrong. I used Google and some other tools to quickly get the latitudes and longitudes of all locations where I knew that he had either worked or lived. The numbers were all significantly different from the Perstorp location. Then my eyes fell on the grid locator that was also present in the text.

Latitudes and longitudes are cumbersome to read or telegraph over the radio, so most radio amateurs use a shorthand notation of their location. This is called a “Maidenhead locator” or “Grid locator” and it’s not nearly as precise as the latitude/longitude system. If my theory was correct, the correct location had to be nearby, and my mother provided me with the final piece of the puzzle. She pointed out that my grandfather had worked at a large broadcast facility in Hörby, which was fairly close to Perstorp. I calculated the locator for Hörby and compared it to the one pointing to the odd location near Perstorp, and sure enough:

JO66RD (Hörby)
JO66QD (Perstorp)
JO99AH (Stockholm)

The Stockholm location of his home was very different, but the Hörby one differed by just a single character. That solved the mystery for me. Had this been a criminal investigation or some serious research done by an honest journalist, it would have been just a lead to follow. But I felt no need to check any further. This was just a fun little “mind game” that took 15 minutes and proved that you don’t have to go to great lengths to solve a “mystery”.
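To make the comparison above concrete, here is an added example (not from the original newsletter) that encodes and decodes six-character Maidenhead locators and measures how far apart two locators lie; it uses the three locators quoted in the story as constructed input, so it also shows why a single wrong character moves the position only a few kilometres.

```python
import math

# Constructed sample: the three six-character locators quoted in the story.
LOCATORS = {"Horby": "JO66RD", "Perstorp": "JO66QD", "Stockholm": "JO99AH"}


def encode_locator(lat, lon):
    """Encode latitude/longitude (decimal degrees) as a six-character Maidenhead locator."""
    lon += 180.0  # shift longitude to 0..360
    lat += 90.0   # shift latitude to 0..180
    # Field: 20 x 10 degree cells, letters A-R
    field = chr(ord("A") + int(lon // 20)) + chr(ord("A") + int(lat // 10))
    # Square: 2 x 1 degree cells, digits 0-9
    square = str(int((lon % 20) // 2)) + str(int(lat % 10))
    # Subsquare: 5' x 2.5' cells, letters A-X
    sub = chr(ord("A") + int((lon % 2) * 12)) + chr(ord("A") + int((lat % 1) * 24))
    return field + square + sub


def decode_locator(loc):
    """Return the centre (lat, lon) in decimal degrees of a six-character locator."""
    loc = loc.upper()
    lon = ((ord(loc[0]) - ord("A")) * 20 + int(loc[2]) * 2
           + (ord(loc[4]) - ord("A")) / 12 + 1 / 24)
    lat = ((ord(loc[1]) - ord("A")) * 10 + int(loc[3])
           + (ord(loc[5]) - ord("A")) / 24 + 1 / 48)
    return lat - 90.0, lon - 180.0


def haversine_km(p, q):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def char_diff(a, b):
    """Number of character positions at which two locators differ (a typo count)."""
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def locator_distance_km(a, b):
    """Distance between the centres of two locators."""
    return haversine_km(decode_locator(a), decode_locator(b))


if __name__ == "__main__":
    for name, loc in LOCATORS.items():
        print(name, loc, decode_locator(loc), char_diff(loc, LOCATORS["Horby"]),
              round(locator_distance_km(loc, LOCATORS["Horby"]), 1), "km from JO66RD")
```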

There are a few lessons to be learnt here:

1) Get the setting.

I knew that we were talking about broadcasting locations, so antennas had to be involved. And antennas are generally located where a person works or lives. You can’t just put an antenna up on any building and expect it to not be taken down.

2) Get the information – but not all of it

Collect enough information and you get a haystack that may or may not contain a needle. Ask yourself if the information HELPS your investigation or not. Be ready to go back to the sources if you end up in a dead end. When you work with computers it means: please SAVE the logs and data to a secure location. Logs often get overwritten over time and data changes.

3) Have a problem? - take a break

Your brain gets locked in a rut after a while. When you just can’t seem to solve a problem, taking a break for a few minutes, hours or a day gives you new insights. Remember to avoid thinking about the problem during the break.

4) Talk to others

It was my mother who gave me the final piece of the puzzle. Had she not told me that he had worked at the Hörby transmitter, I would probably have been unsuccessful in finding the explanation for the weird location.

5) Put yourself in their position

I envisioned someone typing the information into a computer after reading it from a piece of paper. One small typo or unclear handwriting is all you need to get it wrong. But I didn’t expect more than one or two incorrect characters, and I was right.

There is more than this to troubleshooting. As a matter of fact, I’ve mostly covered the information gathering/investigation phase of the troubleshooting process. But still, it matters a lot how you get and analyze information. Good luck! SA0BTZ signing off…

LINKS

The official bulletins from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms11-may.mspx

ISC SANS's monthly Microsoft analysis is always a good read:
http://isc.sans.edu/diary/May+2011+Microsoft+Black+Tuesday+Overview/10855

All back-issues of this newsletter can be found here:
https://secure.ericade.net/security/index.php/SECBulletins

And on the EZSecurity blog at Tieto DF:
http://df.tieto.com/Blogs/EZSecurity/

My private blog:
http://erik.zalitis.se/

Bruce Schneier’s excellent news letter:
http://www.schneier.com/crypto-gram.html

A collection of useful security links:
https://secure.ericade.net/security/index.php/Security_links

A good site to check for known vulnerabilities for your favorite programs:
http://secunia.com/

What's the general state of the Internet?:
http://isc.sans.org/

OWASP Sweden's email list archive:
https://lists.owasp.org/pipermail/owasp-sweden/

Recommended for you developers out there:
http://www.owasp.org/index.php/Main_Page

My own, random knowledge base:
https://secure.ericade.net/security/index.php/portal:Kb

Regards
Erik Zalitis
Senior Infrastructure Architect
CISSP
Certified Ethical Hacker
MCITP:EA
MCSE:Security 2003
MCSE:Messaging 2003
Citrix Certified Administrator for PS4.
VMware Certified Professional on VI3
ITIL Foundations
Mobile: + 46 (0)70 673 07 54