SIRT IT Security Roundtable
Harvard Townsend
Chief Information Security Officer harv@ksu.edu
September 11, 2009
Timeline for release
Security features
Application compatibility
Anti-virus solutions
Deployment strategy at K-State
Now available for purchase from SHI ~ $50
General availability to public Oct. 22, which is when it will start shipping on new computers
Designed to fix the Vista debacle; sort of a streamlined Vista under the hood
Faster boot/shutdown times
Some “improvements” to the UI, handling media, Windows Explorer, IE8, wireless networking (“the wireless networking interface isn't completely stupid anymore”), and setting up home networks
Still has annoying pop-up security nags, but not as many as Vista because it’s easier to set the level of alert messages in User Account Control; that also makes it easier for a user to shut off the alerts entirely
Same ol’ Windows Firewall and Windows Defender
Security settings all managed through “Action Center”
AutoRun disabled for USB drives (but not CDs/DVDs)
Improved encryption with BitLocker (easier to use, support for USB drives, but still only in Enterprise and Ultimate versions); we still recommend using PGP for encryption because of its key management/recovery features
Better support for biometric devices
Designed to run anything that runs in Vista, but don’t believe it – test everything and ask your software vendors
Hardware requirements virtually the same as Vista (unprecedented for a new Windows OS!)
Trend Micro OfficeScan
Version 8 NOT compatible
OfficeScan 10 has some issues
OfficeScan 10 sp1 supposed to have full Windows 7 support; in beta now
Should have no problem being available by October 22
PGP Whole Disk Encryption
August 12 from PGP: “There is no official statement on the compatibility of Windows 7 right now. There are still several levels of testing that need to occur before it is fully released. The next full release of PGP should support Windows 7, but there is no official statement as of yet.”
Purchase now from SHI to test with ALL applications used by your department
Build Trend Micro OfficeScan 10 infrastructure (or use central TMOS server) and test OfficeScan 10
(there are other reasons besides Windows 7 to upgrade to v10)
No compelling security reason to upgrade from Vista, but there probably are performance, reliability, and usability reasons
Check hardware requirements for upgrade from XP
Beware of version 1 of anything, let alone an OS
Released Aug. 28, shipping NOW on all new MacBooks
Available from K-State Union Computer Store for $29
Incremental upgrade to 10.5 (“Leopard”), hence not a new cat name!
Mostly performance/efficiency improvements
Faster startup/shutdown time, more efficient use of multiple-core Intel processors
UI tweaks, better 64-bit architecture support, Microsoft Exchange 2007 support
No support for PowerPC processors – it’s Intel-only from this point on
Rudimentary antimalware feature added (enhanced “File Quarantine” that was part of OS X 10.4 and 10.5)
Pops up a warning if you attempt to install known malware
Only detects two categories of Trojans (RSPlug and iServices)
Signatures generated by Apple
Apple distributes the malware signatures through usual update services (which isn’t very frequent, so not responsive to new malware)
No clean-up services – tells you to drag it to the Trash
Not detected when executed from USB flash drive, DVD, Skype, and some other programs
See www.securityfocus.com/news/11559?ref=rss
Built-in support for Cisco VPN (not sure how well it will work at K-State)
Same ol’ (adequate) firewall
Shipped with a vulnerable version of Adobe Flash – users should get the update from Adobe (blogs.adobe.com/psirt/2009/09/flash_player_update_and_snow_l.html)
Also said to be fixed in the Mac OS X 10.6.1 update released on Sept. 10.
Lists of incompatible software:
support.apple.com/kb/HT3258
snowleopard.wikidot.com/
wiki.brown.edu/confluence/pages/viewpage.action?pageId=53674011
PGP Whole Disk Encryption also incompatible
www.securityfocus.com/brief/1004?ref=rss
Statement from PGP support blog on August 27:
“While we are working diligently to complete the Snow Leopard compatible versions of the PGP Desktop products, we do not recommend you use the currently shipping versions on any system that has been upgraded to Snow Leopard. Please note that users wanting to migrate to Snow Leopard immediately must first decrypt all of their PGP WDE encrypted drives and uninstall their PGP Desktop application prior to upgrading to Snow Leopard. Failure to decrypt PGP WDE encrypted drives prior to installing Snow Leopard could result in data loss or other system issues.”
Symantec AV for Mac 10.2 incompatible
www.symantec.com/connect/forums/mac-osx-snow-leopard-installfailure
Sorta works if it was already installed on Mac OS X 10.5 and 10.6 is installed over the top; updates work and you can do a manual scan, but “Auto-Protect” fails.
Will not install on a clean Mac OS X 10.6 install
Symantec has not offered any date for compatible release
Trend Micro Security for Mac 1.5 incompatible
Service pack 1 will support OS X 10.6 “end of October”
ClamXav an interim option?
Based on popular ClamAV open source code
Version 2.0.1 is compatible with OS X 10.6, but is a beta release www.clamxav.com/
Needs to be tested, including compatibility with Bradford Campus Manager
Purchase now for testing, both upgrade from 10.5 and clean install; test all applications used in your department
Delay departmental deployment until Trend Micro Security for Macs 1.5 sp1 is available and tested (late Oct, early Nov)
Any MacBook using PGP WDE must wait until PGP releases a compatible version (which we’ll get due to our support contract), or decrypt the laptop and uninstall PGP before upgrading
Residence Halls are a different animal – when Bradford Campus Manager supports 10.6, we’ll evaluate AV options
First experience in fall 2007 with PE_LUDER – wreaked havoc!
Seen it off and on ever since
Hit campus again in August as soon as students returned, spread rapidly throughout campus
Aug. 21: IT support reported it on USB flash drive after helping students in reshalls; OfficeScan did not detect it.
Autorun.inf file:
[autorun]
shellexecute=Wscript.exe /e:vbs M.p.jpg
Malware file on the flash drive named M.p.jpg, which is a VBScript program not a jpeg image
I was admittedly slow in getting this submitted to Trend for analysis, but they had a solution within 2.5 hrs of submittal
Identified as VBS_AUTORUN.MAD
By the end of the day, the production pattern file was identifying it
92 instances detected/cleaned by OfficeScan since 8/27
Next one reported on August 28; very similar with autorun.inf file that executes VBScript code
This time the malicious file was “(o_o).jpg”
This time it was submitted to Trend right away and they had a solution within 3 hrs
Identified as VBS_RUNAUTO.AM
155 instances detected/cleaned by OfficeScan since 8/28
Third round on September 3, more of the same
Since August 1, Trend Micro OfficeScan has detected/cleaned 275 instances of autorun-style malware, including 8 instances yesterday
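As an added illustration (not part of the original slides), a small Python checker that parses an autorun.inf from a drive root and flags the pattern shared by both campus variants: an open= or shellexecute= command that calls a script host, or one that hands it a target whose extension is not an executable type (a .jpg passed to Wscript.exe). The sample autorun.inf contents are constructed from the lines quoted above; the rule lists are my own, not Trend Micro's signatures.

```python
from pathlib import Path

# Constructed rule lists (not Trend Micro signatures): script interpreters an
# installer disc has no reason to call, and extensions a real autorun launches.
SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "mshta", "rundll32", "powershell"}
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".msi"}

def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section (keys lower-cased)."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_commands(entries):
    """Flag open=/shellexecute= commands that call a script host or hand it a
    file whose extension is not an executable type (e.g. M.p.jpg)."""
    findings = []
    for key in ("open", "shellexecute"):
        tokens = entries.get(key, "").replace('"', "").split()
        if not tokens:
            continue
        if Path(tokens[0]).stem.lower() in SCRIPT_HOSTS:
            findings.append(f"{key}= invokes script host {tokens[0]}")
        # Skip interpreter switches such as /e:vbs; test the remaining targets.
        for target in (t for t in tokens[1:] if not t.startswith("/")):
            if Path(target).suffix.lower() not in EXEC_EXTS:
                findings.append(f"{key}= launches non-executable {target}")
    return findings

def scan_drive_root(root):
    """Check the root of a mounted drive (e.g. a USB stick) for an autorun.inf."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return suspicious_commands(parse_autorun(inf.read_text(errors="replace")))

# Constructed samples: the two campus payload lines quoted in the slides, plus
# a benign installer disc for contrast.
SAMPLES = {
    "M.p.jpg variant": "[autorun]\nshellexecute=Wscript.exe /e:vbs M.p.jpg\n",
    "(o_o).jpg variant": "[AutoRun]\r\nshellexecute=Wscript.exe /e:vbs (o_o).jpg\r\n",
    "benign installer": "[autorun]\nopen=setup.exe\nicon=setup.ico\n",
}
```

Running suspicious_commands(parse_autorun(text)) over SAMPLES reports two findings for each campus variant and nothing for the installer disc; scan_drive_root does the same for a real mount point.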
New variants exploit limits of pattern-based anti-virus protection
OfficeScan 10 will help by distributing pattern files quicker, thereby limiting the spread
Submit new samples as soon as you discover them via the new “Malicious Software Reporting Tool”: SecureIT.k-state.edu/ReportMalware.html
Can be difficult to find original malicious file
Hackers hide the malicious files
It was a student’s USB flash drive and you’re not sure which one
Often only see the after-effect – a compromised computer
Can put a flash drive into an infected computer and see if new autorun.inf and malware files are added to it (be careful!)
Be wary of student USB flash drives!
External USB hard drives also vulnerable
Disable Autorun so files on infected USB drives are not automatically executed when you plug the flash drive into your computer
Side effect: In Windows Vista and older versions, it also disables automatic playing of a DVD movie or automatic software installation from a CD – it’s all or none with Autorun
Run Windows 7 since it disables Autorun on non-optical media by default (everything except CDs/DVDs, e.g. USB flash drives)
Trend Micro OfficeScan 10 allows sysadmin to specify different actions for different media/devices
Autorun enables media and devices to launch programs by use of commands listed in a file called autorun.inf, stored in the root directory of the medium.
Autoplay examines removable media and devices (like USB flash drives) and, based on content such as pictures, music or video files, launches an appropriate application to play or display the content.
Autorun is the bigger risk of the two, but they are interrelated enough to be confusing, and both have the same end result – automatic execution of a program when you insert removable media.
Method depends on version of Windows – either use group policy or edit the registry; can be complicated and is always risky to edit the registry manually.
Check with your IT support person!!
Security patches are required for most versions of Windows to properly handle the Autorun registry keys
Detailed instructions at support.microsoft.com/kb/967715/
Wikipedia entry is informative en.wikipedia.org/wiki/Autorun
TweakUI sets it on a per-user basis rather than for the entire computer (HKEY_CURRENT_USER registry keys rather than HKEY_LOCAL_MACHINE), and the LOCAL_MACHINE setting trumps the per-user setting.
Use Windows Group Policy
Centrally managed with ADS, done by your sysadmin
Individually with Group Policy Editor
Windows XP Pro, Windows 2000, Windows Server 2003 only:
1. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK.
2. Under Computer Configuration, expand Administrative Templates, and then click System.
3. In the Settings pane, right-click Turn off Autoplay, and then click Properties. Note: In Windows 2000, the policy setting is named Disable Autoplay.
4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
5. Click OK to close the Turn off Autoplay Properties dialog box.
6. Restart the computer.
Windows Vista and Server 2008:
1. Click Start, type Gpedit.msc in the Start Search box, and then press ENTER. If you are prompted for an administrator password or for confirmation, type the password, or click Allow.
2. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
3. In the Details pane, double-click Turn off Autoplay.
4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
5. Restart the computer.
Vista and Server 2008 have more granularity for defining actions with two additional registry keys:
Default behavior for AutoRun
Don't set the “Always do this…” checkbox
For operating systems that do not include gpedit.msc:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following entry in the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun
3. Right-click NoDriveTypeAutoRun, and then click Modify.
4. In the Value data box, type 0xFF to disable all types of drives. Or, to selectively disable specific drives, use a different value as described in the "How to selectively disable specific Autorun features" section of the Microsoft article.
5. Click OK, and then exit Registry Editor.
6. Restart the computer.
Open Notepad and copy/paste the following into a text file:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Save the file as something.reg. (You have to be sure to change the "Save File as Type" to "All Files" before saving, or Windows will try to save it as a .txt even if you typed in .reg.)
Locate the file you just saved and double-click the file to run it. You will receive a prompt asking if you want to add the data to the registry. Click Yes to allow the modification.
Restart the computer.
The above method nulls any request for autorun.inf and works on XP Home or Pro, as well as Windows Vista.
This is from antivirus.about.com/od/securitytips/ht/autorun.htm
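To tie the NoDriveTypeAutoRun value from the registry steps to the .reg method above, here is an added Python helper (my own code, not from the slides, the KB article, or About.com) that builds and decodes the bitmask from the per-drive-class bits Microsoft documents in KB 967715, checks whether removable drives are covered, and renders the matching REGEDIT4 file. The 0x91 default is the value I recall from that article and is marked as an assumption in the code.

```python
# Bit meanings of the NoDriveTypeAutoRun value as documented in Microsoft KB
# 967715; each set bit disables Autorun/AutoPlay for one drive class (0x1 and
# 0x80 both cover drives whose type Windows cannot determine).
DRIVE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,     # USB flash drives and external USB hard drives
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "unknown_type": 0x80,
}
ALL_DRIVES = 0xFF
WINDOWS_DEFAULT = 0x91  # assumption: the default value as I recall it from the KB

def mask_for(disabled=(), *, enabled=()):
    """Build a value either from the classes to disable, or (when enabled= is
    given) from 0xFF minus the classes that should keep Autorun."""
    if enabled:
        mask = ALL_DRIVES
        for name in enabled:
            mask &= ~DRIVE_BITS[name]
        return mask & 0xFF
    mask = 0
    for name in disabled:
        mask |= DRIVE_BITS[name]
    return mask

def decode(value):
    """Return the sorted drive classes a NoDriveTypeAutoRun value disables."""
    return sorted(name for name, bit in DRIVE_BITS.items() if value & bit)

def covers_removable(value):
    """The check that matters for the USB outbreak: is the 0x4 bit set?"""
    return bool(value & DRIVE_BITS["removable"])

def reg_file(value, hive="HKEY_LOCAL_MACHINE"):
    """Render a REGEDIT4 file that sets the value under the Explorer policies
    key; HKEY_LOCAL_MACHINE is the default since it trumps the per-user setting."""
    key = hive + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
    return f'REGEDIT4\n\n[{key}]\n"NoDriveTypeAutoRun"=dword:{value:08x}\n'

if __name__ == "__main__":
    for v in (WINDOWS_DEFAULT, mask_for(enabled=["cdrom"]), ALL_DRIVES):
        print(f"0x{v:02X} disables {decode(v)}; USB covered: {covers_removable(v)}")
    print(reg_file(ALL_DRIVES))
```

mask_for(enabled=["cdrom"]) gives 0xDF, the "everything except CDs/DVDs" policy the slides describe for Windows 7, and decode(WINDOWS_DEFAULT) shows why the default alone does not stop the USB worms: the removable bit is not set.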