Next Page >>
security policies
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@isatools.org]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@abegetchell.com'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> It's about reality & priorities.
>
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
-----Original Message-----
From: Abe Getchell [mailto:me@abegetchell.com]
Sent: Sunday, July 20, 2008 12:32 PM
To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
Cc: bugtraq@securityfocus.com
Subject: RE: Windows Vista Power Management & Local Security Policy
So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?
--
So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?
--
Abe Getchell
me@abegetchell.com
https://abegetchell.com/
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
> -----Original Message-----
> From: Abe Getchell [mailto:me@abegetchell.com]
> Sent: Saturday, July 19, 2008 12:33 AM
> To: 'Jim Harrison'; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> As stated in my original e-mail to the list, I definitely don't think
> that
> this is a security vulnerability in a traditional sense. I completely
> agree
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998
!---
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations Permit all other traffic to transit the
!--- device.
!---
access-list 150 permit ip any any
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@isatools.org]
> Sent: Saturday, July 19, 2008 1:36 AM
> To: 'me@abegetchell.com'; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> Abe,
>
> Other than a denial-of-service from the console (is the power switch
> now a security vuln, too?), what can you do with this bug? It's
1975 access to the affected device. Cisco IOS software releases
12.2BC and 12.2SCA support the CoPP feature. CoPP may be configured
on a device to protect the management and control planes to minimize
the risk and effectiveness of direct infrastructure attacks by
explicitly permitting only authorized traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. The following example can be adapted to your network.
Note: CoPP is not supported on uBR10012 series devices.
>I think however that Check Point consideres >everyone with access to a
>Secure Platform system to be a trusted user. So >they will not regard these
issues with the priority you (Hugo Va¿½zqu) seem to bestow on it.
Right now -16 October 2007- Check Point as already accepted the flaws. Regarding to the privilege escalation to the "Expert" mode -standard root-, I should tell again that that is the minor problem. If you read the paper you will see that there are things more interesting to explore... Anyway, today, "googleing" a bit I found an interesting URL of the NIST:
"FIPS 140-2 Non-Proprietary Security Policy"
http://csrc.nist.gov/cryptval/140-1/140sp/140sp420.pdf
This doc is no more available online, but you can have the cached version...
If you read you will see: "This is a non-proprietary Cryptographic Module Security Policy for Checkpoint Software Technologies Ltd."
(...)
traffic to the device. Cisco IOS software releases 12.0S, 12.2SX,
12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be
configured on a device to protect the management and control planes
to minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies
and configurations. The following example, which uses 192.168.100.1
to represent a trusted host, can be adapted to your network. If FST
is not used, protocol 91 may be completely filtered. Additionally, if
UDP is disabled with the "dlsw udp-disable" command, UDP port 2067
may also be completely filtered.
access-list 150 deny udp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
access-list 150 permit ip any any
-----Original Message-----
From: Abe Getchell [mailto:me@abegetchell.com]
Sent: Thursday, July 17, 2008 7:39 PM
To: bugtraq@securityfocus.com
Subject: Windows Vista Power Management & Local Security Policy
When the security option "Shutdown: Allow system to be shutdown without
having to log on" (in the local security policy) is set to "Disable", and
the power management setting "When I press the power button" is set to "Shut
Down", it is possible for an unauthenticated user to press the power button
Although many of the useful arguments have been disallowed, Security-Assessment.com
found that the /Datapath argument can be included and directed to a remote SMB
share directly through a specially crafted Skype URI.
The Datapath argument specifies the location of the Skype configuration files and
security policy. Specifying a Datapath argument will override any local security
policy defined in the Windows registry.
A remote user is capable of crafting a link that when clicked, will spawn
Skype.exe on a client using a Datapath location which is present on a remote
SMB share. The Skype client will load any configuration or security policy
!--- other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any anyinterface serial 2/0ip access-group 150 in
access-list 150 permit 115 <source_ip_address and mask>
<destination_ip_address and mask>
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
for submission include but are not limited to:
* Intrusion Detection
* Malicious Software
* Web Security
* Security Policy
* Peer-to-Peer and Grid Security
* Wireless and Mobile Security
* Network Forensics
* Network Discovery and Mapping
* Incident Response and Management
other than applying infrastructure access control lists (iACLs) on
the Cisco 7600 router to block ICMP traffic destined to the IP
address of the Cisco CSG. Administrators can construct an iACL by
explicitly permitting only authorized traffic to enter the network at
ingress access points or permitting authorized traffic to transit the
network in accordance with existing security policies and
configurations. An iACL workaround cannot provide complete protection
against these vulnerabilities when the attack originates from a
trusted source address.
The iACL policy denies unauthorized ICMP packet types, including echo
> > >>
> > >>
> >
> > --
> > Eric C. Lukens
> > IT Security Policy and Risk Assessment Analyst
> > ITS-Network Services
> > Curris Business Building 15
> > University of Northern Iowa
> > Cedar Falls, IA 50614-0121
> > 319-273-7434
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to specific network configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
> >>
> >>
>
> --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
Topics include but are not limited to:
Intrusion Detection
Denial-of-Service
Privacy Protection
Security Policies
Peer-to-Peer and Grid Security
Network Monitoring
Web Security
Vulnerability Management and Tracking
Network Forensics
Topics include but are not limited to:
* Intrusion Detection
* Denial-of-Service
* Privacy Protection
* Security Policy
* Peer-to-Peer and Grid Security
* Network Monitoring
* Web Security
* Vulnerability Management and Tracking
* Network Forensics
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to specific network configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
>>>>>
>>>>>
>>>>>
>>> --
>>> Eric C. Lukens
>>> IT Security Policy and Risk Assessment Analyst
>>> ITS-Network Services
>>> Curris Business Building 15
>>> University of Northern Iowa
>>> Cedar Falls, IA 50614-0121
>>> 319-273-7434
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
to the affected device. Cisco IOS Software Releases 12.0S, 12.2SX,
12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be
configured on a device to protect the management and control planes
and minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies and
configurations. The following example can be adapted to specific network
configurations:
!
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
setsockopt of 0 for this SHOULD also be nullified, on a server also...
(However/Again - Workstations are easily taken care of , vs. servers,
just by what I wrote up above either by PORT FILTERING)
IP Security Policies, which can work on ranges of addresses to block,
OR, single systems as well you either ALLOW or DENY to talk to your
system, still can help also... vs. a DDOS though? SynAttackProtect is
your best friend here... you'd use netstat -b -n tcp to see which are
held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR
WAY (or just by doing it in a router or routing table)... takers anyone,
> >>
> >>
>
> --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
Next Page>>
|
