Re: New IE flaw and exploit sites/migration to non-MS browser
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpapacbell.net)
Date: Wed Apr 05 2006 - 17:58:34 CDT
So it wasn't out then? So what? Do it now. That was then, this is now.
In small shops they can hire Small Business Specialists who are starting
to drink the LUA koolaid themselves...it's a matter of education..both
to the consultants and to the buyers of technology. These days we
recommend that you outsource and find an IT pro that specializes in
The small firms you are talking about are typically the less than 10
user/peer to peer/got the college friend of the son to help them set up
the network. Those firms in the 10-50 range are hiring IT consulting
firms to set up their networks.
Regarding your argument that it's harder in a small shop, I'd argue that
it's easier in a small shop because all we have to do is convince the
boss.. one boss..not a committee.... and typically it's after just one
incident. We don't have all the customized just built for us ASP web
applications.. we just bought Quickbooks at Costco and run Word and
Excel and a few other crappy line of business apps, but they are all off
As far as being too hard... www.threatcode.com has the instructions to
do Quickbooks... and we have the info on how to do it via group policy
these days... if this blonde can do it... anyone can. In SBSland we do
screen shots. And how did I figure out the proper registry keys? By
finding someone else who figured it out first on a Quickbooks bulletin
board and finally the vendor stepped up to the plate and made it
official. We ask our fellow geeks to help.. we don't do this all by
And why did they make it official now? Because enough of us yelled is why.
And that's the key right there. WE in the marketplace have to yell at
all of these vendors that demonstrate bad security practices. Both in
the form of non admin requirements...and in the application vendors that
recommend not patching.
And I honestly see it the other way around... it's harder for large
firms to do it... those of us whose bosses have downed the LUA Koolaid
in SBSland are doing it. There's not a tipping point yet... but man..
come out to my SBS community and more and more IT consultants are asking
about LUA and/or doing it.
As far as the home/consumer market... yes... we're losing the war there
and we really need the help there. That's the area that LUA is really
hard to do. In our small biz community, we are recommending that
families buy 'throw away' systems, give them to the teenagers and nuke
and pave every so many months. To me, I can protect and defend my
firm... I have a hard time protecting and defending the teenagers'
machines. Between peer pressure of downloads and the "free download"
mentality..that's the one I'm worried about. Add to that ...that Vista
is going to annoy the heck out of folks with its "are you sure"... it's
the home market that I'm more worried about.
Remember down here in the home/small biz arena there is one tool that we
don't have that you big guys have... and that's the Windows PE... we're
using Bart's PE as an equivalent to boot on that disk and deal with the
Devin Ganger wrote:
>Hi, Kurt! Good to see you're alive and well!
>At Tuesday, April 04, 2006 10:44 AM, Kurt Dillard wrote:
>>I agree with Susan that logging into Windows without administrator
>>privileges is doable today, especially for well-managed networks.
>Note that I haven't ever disagreed; I have acknowledged that it is
>>but it's not
>>overwhelmingly difficult for most organizations today if you plan
>>ahead and properly test your applications.
>The way you phrased this ties back to one of the points I was making,
>which is that it's not hard *today*. A few years ago, when XP was
>released, was a different story.
>>It only becomes impossible
>>on networks with thousands of applications, but organizations with
>>that many unique apps deployed tend to not have any kind of
>>centralized management going.
>It's also much more difficult in small shops where the person doing the
>management of the network doesn't know much more than their users, or
>only gets to do network management part-time, or whose owners don't
>understand the value of LUA and thus don't allow their admins to take
>the time to set it up (or who cave in after the bookkeeper complains the
>first time QuickBooks won't start up). The time required to research
>applications, test them out, and make sure they work under LUA doesn't
>scale well for smaller companies. So for them, it *is* "too hard" -- not
>because of the technical difficulty involved, but because the process is
>involved and appears to take away too much productive time.
>>Devin, you compare the level of awareness about LUA in the Windows
>>community with that in the Linux and Unix communities. It's not a
>>reasonable comparison to make because the percentage of users who are
>>not computer professionals in the Linux and Unix communities is
><thinks back to own experiences as a UNIX admin>
>Oh, if only that were true!
>Okay, okay, you have a point there that the ratio of professionals is
>higher in the *nix community. However, I wasn't directly comparing the
>communities so much as I was comparing *installation processes*. There
>are some flavors of *nix (Solaris, I'm looking at you) that assume the
>box is part of a larger directory service such as NIS, NIS+, or LDAP and
>thus don't prompt you to create additional user accounts during the
>first installation -- but many of the free *nix distributions I've used
>do precisely that.
>Let's compare that with Windows XP. If you're using Home, or Pro without
>joining a domain, you get asked to input your name. The account that XP
>creates is given local admin privileges by default even though there is
>still a separate Administrator account. (If you're using Pro and join a
>domain, then it does what Solaris does -- ask for the password to give
>the local Administrator account and not worry about users. I stipulate
>that this is the most useful route to take in the presence of some sort
>of directory service.)
>>Last time I checked
>>Linux that was being marketed to home users was configured to logon
>>as root by default too.
>Depends on the distro. The ones that do tend to get a lot of abuse,
>precisely because they're teaching bad habits to the people who use
>>Devin, you switched the discussion to home users.
>Not exactly. First, I wasn't aware that the original discussion was
>limited to just business users, so home users are valid cases of Windows
>users. With so many home machines compromised by malware (in many cases
>was installed because the user was running with admin privs even when
>they have anti-spam, anti-virus, and anti-spyware applications
>installed) they constitute a significant source of threat. I spend a lot
>of personal time helping people with their home machines, and in the
>last couple of years, I don't think I've even seen an XP machine where
>people didn't have anti-malware utilities installed. Most of them, to my
>surprise, were actively updating through Windows Update instead of
>relying passively on default Windows Update behavior.
>However, you could make the same statement of many business users on
>laptops. A lot of companies buy laptops pre-configured with Windows and
>don't ever bother to join them to a domain. Many of them allow the end
>user to run through the initial installation process. Boom -- the user
>now has local admin privs. And we're back to where we started.
>Sue asked a question that kicked this part of the discussion off:
>"Is it IE that's insecure? Or how the workstations are setup in the
>My point all along -- which is one that apparently Sue isn't happy with
>-- is while LUA does dramatically reduce the number of vulnerabilities
>(in most user-space applications) that can actually hurt your machine
>when they get through, IE is a special case. It has a history of having
>far more vulnerabilities than other browsers, and because a lot of the
>code in IE is so tied in with the rest of Windows, you cannot guarantee
>(like I can with Firefox, etc.) that only non-admin code will ever be
>affected by those vulnerabilities.
>The rest of this was just rat holing.
>>Technology can only do so much, users who make bad decisions will be
>>exploited regardless of what browser (or email client, or P2P app,
>>etc) they are using.
Letting your vendors set your risk analysis these days?
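The thread keeps coming back to one concrete fact: XP setup hands the first account local admin rights, and nobody later checks who is still sitting in the local Administrators group or whether the day-to-day session actually runs as a standard user. The script below is an added example for this thread, not something either poster wrote; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module (Get-LocalGroupMember) and uses a constructed $Expected list that you would replace with your own approved admin accounts.

```powershell
# Added example (not from the thread): audit local Administrators membership and
# report whether the current session holds an admin token, i.e. whether this
# machine and this login are actually running LUA.
# Assumes: Windows PowerShell 5.1+ / Microsoft.PowerShell.LocalAccounts module.

function Get-LocalAdminReport {
    [CmdletBinding()]
    param(
        # Constructed list of accounts you expect to be admins; every other
        # member of the group is flagged. Replace with your own approved list.
        [string[]] $Expected = @("$env:COMPUTERNAME\Administrator")
    )
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        [pscustomobject]@{
            Name        = $m.Name
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount, ...
            ObjectClass = $m.ObjectClass       # User or Group (nested groups widen the admin set)
            Expected    = ($Expected -contains $m.Name)
        }
    }
}

function Test-CurrentUserIsAdmin {
    # Checks the token of THIS session. Under UAC an admin account in an
    # unelevated prompt carries a filtered token and reports $false here,
    # so use this together with the group report, not instead of it.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Run the audit and print a short verdict.
$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) of local Administrators: {1}" -f `
        $unexpected.Count, ($unexpected.Name -join ', '))
}

if (Test-CurrentUserIsAdmin) {
    Write-Warning 'This session is running with administrative rights (not LUA).'
} else {
    Write-Host 'This session is running as a standard user (LUA).'
}
```

Run it from the account a user normally works in. Two results matter: the list of group members you did not expect (the "first account created at setup" case from the thread shows up here as a plain user with ObjectClass User), and whether the session token is administrative. Group entries with ObjectClass Group deserve a second look, since every member of a nested domain group inherits local admin on the box.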