Tuesday, February 21, 2006

Not running as an administrator

I was IMing back and forth with a friend who is still in school. He was looking for a topic for an infosec-related class, so I pointed him toward LUA--Least-privileged User Account. He liked it, so today we were chatting again about the topic and how to quantify it. Below is my side of the conversation, where he first asked if we had graphs or similar regarding the compromises resulting from administrators not enforcing LUA in their department.

- We can't quantify it that well because the attacks are user initiated and not network initiated like an IDS would normally pick up.

- There are vulnerabilities in Web browsers, e-mail clients, RSS readers and IM clients that can be exploited simply by the user opening a link, reading an e-mail or accepting an IM. If the user does not have administrator privileges, the damage caused by exploiting those vulnerabilities is largely contained to just their user account. It is much easier to recreate a user account than to rebuild a system.

- Services are a completely separate issue. A logged-in user usually does not interact directly with the services running on their computer. The services start up automatically as SYSTEM or some other user and work independently of the user. Today's attacks are targeting client applications more and more. If you go back through the Microsoft vulnerabilities, you will see patches for things that exploit the system because of something the user does, like opening a bad WMF file. There have not been many remote service exploits on Windows lately.

- For example, "To continue browsing this website, you must install this software. By doing so, you agree to....blah, blah, blah." Hmm. I don't need to read that crap. I just need to click yes so I can keep browsing.

Here is a great blog post that correlates how adware/spyware affected a system where the user was an administrator and then as LUA. I did this same testing when I was at IFAS with the same results. It isn't rocket science, people. Get a clue!!
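To make the "damage is contained to the user account" point concrete, here is an added PowerShell check (my own example, not from the blog post above) that reports whether the current session is a local administrator and which system-wide locations a process running as that user could actually write to. Run it once as an administrator and once as a LUA account to compare; the probe file and registry value names are constructed for the demo.

```powershell
# Added example: show the blast radius of a user-initiated exploit under LUA vs. admin.
# On Vista and later, run from a non-elevated shell to see the filtered (UAC) token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

function Test-WriteAccess {
    param([string]$Path)
    # Create and delete a uniquely named zero-byte probe file; any failure means no write access.
    $probe = Join-Path $Path ("lua-probe-" + [guid]::NewGuid().ToString() + ".tmp")
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryWriteAccess {
    param([string]$KeyPath)
    # Create and delete a uniquely named DWORD value under the key.
    $name = "lua-probe-" + [guid]::NewGuid().ToString()
    try {
        New-ItemProperty -Path $KeyPath -Name $name -Value 0 -PropertyType DWord -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# Machine-wide locations (what a rebuild protects) versus the user's own profile (what a recreate protects).
$fileTargets = @("$env:SystemRoot\System32", "$env:ProgramFiles", "$env:USERPROFILE")
$regTargets  = @("HKLM:\SOFTWARE", "HKCU:\SOFTWARE")

"User: $($identity.Name)   Local administrator: $isAdmin"
foreach ($t in $fileTargets) {
    $state = if (Test-WriteAccess -Path $t) { "WRITE" } else { "deny " }
    "$state  $t"
}
foreach ($k in $regTargets) {
    $state = if (Test-RegistryWriteAccess -KeyPath $k) { "WRITE" } else { "deny " }
    "$state  $k"
}
```

Under a LUA account only the profile and HKCU lines should show WRITE, which is exactly the containment the conversation above describes.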

Quick Update: SANS/CISSP, Articles and Personal Projects

So many things going on...where to start. Well, first of all, I will be at the SANS conference all next week in Orlando in the CISSP track. To some of you, it may seem odd to be taking a CISSP class from SANS, but it was convenient as it is in Orlando, and I had $3000 in tuition credit, so it's only costing $95. Makes sense now, doesn't it? ;-) Several coworkers and security professional friends keep telling me I could simply take the test and pass it, but I prefer to go to the review just to be safe. I like sure things! Especially when the dang test costs $500.

I just finished a "Deploying EFS in the Enterprise" article for Security Enterprise magazine, to be published in the March issue. It was a short two pages that ended up being a pretty good learning experience. I knew most of the limitations and features of EFS going into the article and picked up a bit of new knowledge in the process. The January issue had my review of Arbor Networks Peakflow X, and the March issue will also have my review of Credant Mobile Guardian 5.1 Enterprise Edition. An upcoming issue of Network Computing magazine will also have my review of PacketMotion's PacketSentry.

I have been posting pretty regularly in the ForensicFocus forums over the last couple of weeks. I will probably be copying some of the content of those posts over here. The posts were good and had some excellent information that would be useful here, and I would like to elaborate on them a bit.

Foremost and Scalpel don't have extensive patterns included in their config files, so I am going to slowly begin collecting and testing patterns. Eventually, I want to have an extensive reference that will become a good online resource for forensic analysts using both tools.

I keep a list of "articles" that I want to work on and post on the blog in PDF format. The list is quite ambitious, and the magazine articles have pushed them to the back burner, but I expect a lull in the magazine world for the next couple of weeks, so I hope to make some headway with those personal articles.

nubuntu: this is a link as a reminder for a potential future project.