Secunia Software Inspector
Unpatched and obsolete (End-of-Life) software is a security risk on any system. EoL software is the worse case, because the vendor no longer provides support or updates at all. Many programs have a built-in auto-update feature; those that don't can stay vulnerable for a long time, because the user never learns an update exists unless they check the vendor's website regularly.
Secunia, which maintains a large online database of security vulnerabilities and patches, has released a program that checks a Windows PC for vulnerable software: Personal Software Inspector (PSI). It works like the web-based Secunia Software Inspector, with a couple of differences. The main one is that the online version requires the user to start each scan manually, while PSI, by default, runs constantly in the background.
Installation is straightforward and no reboot is required, so a system scan can begin immediately after setup exits. A thorough scan takes anywhere from a few minutes to almost an hour, depending on how many programs are installed and how fast the system is. Closing the main window does not exit the program, so the window can be closed during scans or monitoring. Double-clicking the Secunia PSI icon in the system tray reopens the main window; right-clicking the icon and choosing Exit closes the program.
Clicking any of the programs listed under Insecure Software or End-of-Life Software shows the detected version, the latest available version, the installation path and links to the updates. It even explains how to remove older versions when installing the update does not remove them. Sun Java is one example: the update leaves the older version in place, and the old, vulnerable runtime stays on disk (and PSI keeps flagging it) until it is uninstalled separately through Add or Remove Programs.
All communication between Secunia PSI and the Secunia web servers goes over HTTPS. System requirements and other general information about Personal Software Inspector can be found on the About Secunia PSI page.
NOTE: At this time, the software is beta. Don't be surprised if it doesn't work perfectly. Also, I do not recommend running PSI in the background at all times if you don't have a lot of free physical memory (check Task Manager). Secunia PSI uses about 16 to 20 MB of memory on my system during the monitoring phase.
Nature does not hurry, yet everything is accomplished. - Lao Tzu
07.Aug.07
Security, Software
Comments (2)
No, you can’t use the sa login. Not yours.
As previously posted, I'm in the process of locking down the MS SQL 2005 server that I am in charge of maintaining. The built-in admin account group was no longer in the sysadmin group, so it was time to move to the next hole: the 'sa' account.
The 'sa' account is the default administrative SQL login and has full control of the SQL Server instance. If the server will only ever use Windows Authentication, sa can be given a random password that is then forgotten: in that mode SQL Server refuses every SQL login, sa included, so administration is done through a Windows domain user or group added to the sysadmin fixed server role. The sa login still exists, though, so it is worth disabling it as well, in case the authentication mode is ever switched back. That isn't the case for my server. I had to set it up for mixed mode authentication, which means either Windows Authentication or SQL logins can be used. The reason I had to use mixed mode is some software we use that does not support Windows Authentication for its SQL connection.
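As an added example (my T-SQL, not code from the original post), here is what locking down sa looks like on SQL Server 2005 in either authentication mode: check the mode, confirm another sysadmin exists, give sa a random password nobody records, then rename and disable it. The replacement name svc_retired_sa is an illustrative choice, not a required value.

```sql
-- Added example (not from the original post): lock down the sa login on
-- SQL Server 2005. Run this as a member of sysadmin.
-- [svc_retired_sa] is an assumed name; pick anything that isn't "sa".

-- 1. Which authentication mode is the instance in?
--    1 = Windows Authentication only, 0 = mixed mode (SQL logins allowed).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Make sure at least one Windows user (type U) or group (type G) login
--    is in sysadmin before touching sa, or you can lock yourself out.
SELECT name, type_desc
FROM sys.server_principals
WHERE type IN ('U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 3. Give sa a long random password that is never written down.
--    Two NEWID() values give 72 characters of upper-case hex, digits and
--    hyphens, which satisfies the default Windows complexity policy.
--    ALTER LOGIN does not accept a variable for PASSWORD, so the statement
--    is built as dynamic SQL; QUOTENAME with '''' escapes any quotes.
DECLARE @pwd nvarchar(128);
DECLARE @sql nvarchar(400);
SET @pwd = CONVERT(nvarchar(36), NEWID()) + CONVERT(nvarchar(36), NEWID());
SET @sql = N'ALTER LOGIN sa WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N';';
EXEC sp_executesql @sql;

-- 4. Enforce the Windows password policy on it from now on.
ALTER LOGIN sa WITH CHECK_POLICY = ON;

-- 5. Disable it, then rename it so brute-force tools aimed at the name
--    "sa" hit nothing. sa cannot be dropped, but a disabled login cannot
--    connect in either authentication mode.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_retired_sa];

-- 6. Verify. SID 0x01 always identifies the original sa, whatever its name.
SELECT name, is_disabled, type_desc
FROM sys.server_principals
WHERE sid = 0x01;
```

In mixed mode this deliberately breaks anything that was connecting as sa; each such application should get its own SQL login, with CHECK_POLICY = ON and only the database-level rights it actually needs. Sessions that are already connected as sa keep their rights until they disconnect, so kill them after step 5 if you need the change to take effect immediately.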
(more…)
04.Aug.07
Microsoft SQL, Security
Comment (1)
Locking down the SQL Server
Security has always been a big concern for me. I finally had a chance to do a security check on my Microsoft SQL Server 2005 system. To run the check, I used two free tools from Microsoft:
SQL Server 2005 Best Practices Analyzer
Microsoft Baseline Security Analyzer 2.1 (Beta 2)
The results weren’t bad but they weren’t great.
The tests were fairly thorough. The BPA is the more detailed of the two for SQL Server, while MBSA ran general SQL Server and Windows Server 2003 checks. I have already started implementing some of the changes. Other changes will have to wait because they will require shutting down the SQL Server.
The first recommendation I implemented was removing the BUILTIN\Administrators login, which SQL Server 2005 setup creates by default and places in the sysadmin fixed server role. Through it, every member of the local Windows Administrators group on the server is a sysadmin. The Domain Admins group is a member of the local Administrators group by default, so, in effect, every domain admin was a SQL Server admin.
I had left that SQL login group in in case any of the other admins needed to control the SQL server at times when I'm not available (rare, but it can happen). Recently, one of the Domain Admins had been taking advantage of it by using Windows Authentication to log in and create databases or alter data. SQL DBAs don't like non-DBAs playing around in their server.
This network admin wouldn't even ask me before doing anything on the SQL server. Sometimes I would just find a database that hadn't been there the previous day. They would create the database and set up an application like SharePoint to use it before I had a chance to configure it correctly. It's always a little harder to correct a database after people start using it.
I don't have to worry about that anymore. No more telling them to stop when it's already too late. Now none of the network admins have server-level rights above CONNECT. They only have database-specific rights (db_datareader, dbo, etc.).
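As an added example (my T-SQL, not code from the post or from Microsoft's whitepaper), the same lockdown expressed for SQL Server 2005: give the DBAs their own sysadmin login, drop BUILTIN\Administrators, and leave the network admins a login with nothing but CONNECT at the server level plus a fixed database role where they need one. CONTOSO\SQLDBAs, CONTOSO\NetAdmins and the Sales database are assumed names.

```sql
-- Added example (not from the original post): replace the default
-- BUILTIN\Administrators sysadmin login with least-privilege Windows
-- group logins on SQL Server 2005. Run as a member of sysadmin.
-- CONTOSO\SQLDBAs, CONTOSO\NetAdmins and [Sales] are assumed names.

-- 1. The DBAs need their own sysadmin login first; dropping
--    BUILTIN\Administrators before that can leave nobody able to
--    administer the instance.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQLDBAs')
    CREATE LOGIN [CONTOSO\SQLDBAs] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQLDBAs', @rolename = N'sysadmin';

-- 2. Drop the default login. Every member of the server's local
--    Administrators group (which includes Domain Admins) was a sysadmin
--    through it.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];

-- 3. Network admins get a login and nothing more. CREATE LOGIN grants
--    only CONNECT SQL and membership in public; no server roles.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\NetAdmins')
    CREATE LOGIN [CONTOSO\NetAdmins] FROM WINDOWS;

-- 4. ...plus database-specific rights only where they need them.
--    (ALTER ROLE ... ADD MEMBER is SQL Server 2012+; 2005 uses
--    sp_addrolemember.)
USE Sales;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\NetAdmins')
    CREATE USER [CONTOSO\NetAdmins] FOR LOGIN [CONTOSO\NetAdmins];
EXEC sp_addrolemember @rolename = N'db_datareader', @membername = N'CONTOSO\NetAdmins';

-- 5. Verify: who is left in sysadmin (expect the DBA group, the service
--    account logins and the built-in sa), and which server-level
--    permissions the network admins hold (expect only CONNECT SQL).
SELECT p.name AS sysadmin_member, p.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'CONTOSO\NetAdmins';
```

Two things to check before step 2: that the accounts the SQL Server and SQL Server Agent services run under have their own logins rather than reaching sysadmin only through BUILTIN\Administrators, and that nobody is currently connected through that login, since DROP LOGIN fails for a login with an open session and existing sessions keep their rights until they disconnect.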
Microsoft has a whitepaper entitled SQL Server 2005 Security Best Practices - Operational and Administrative Tasks that is a good pointer for securing an MS SQL 2005 server. It isn't an "everything you need to know" guide, but it is a good starting point.
Trust your own instinct. Your mistakes might as well be your own, instead of someone else’s. - Billy Wilder
02.Aug.07
Microsoft SQL, Security
Comments (3)
Is that a phish?
Phishing is a form of social engineering that tricks people into revealing confidential information (usernames and passwords, credit card numbers, etc.) through fake emails and websites. These schemes have become much more sophisticated over the last couple of years: the criminals behind them, phishers, are doing a better job of making their emails and websites look like the legitimate originals. People are usually fooled because they don't take the time to really look at the site or email, for example at the address bar or at where a link actually points.
McAfee has set up a quiz on their SiteAdvisor site to see if you can spot a phishing webpage or email. The quiz is only 10 questions long. Eight of the questions are visual and you must choose which screenshot is the legitimate site. Clicking on the images will give you a larger image. The last two questions are “choose one answer” type questions.
McAfee SiteAdvisor - Phishing Quiz
Some good tips on how not to be fooled by a phishing scheme can be found here. The latest releases of a few browsers have a built-in mechanism that warns users when a site is suspicious:
Mozilla Firefox 2 Phishing Protection
Opera Fraud Protection
Microsoft IE7 Phishing Filter
It was announced at the Mac OS X Leopard preview in August 2006 that Apple's Safari web browser would have anti-phishing built in when Leopard shipped. As of now, with the release of the Safari 3 public beta, it is not available, but neither is Leopard.
There are also a few free anti-phishing browser add-ons. For Firefox, PhishTank SiteChecker and McAfee SiteAdvisor sit in the status bar rather than adding another toolbar, and both work very well. PhishTank is a community-driven site that collects and verifies reports of phishing sites. The service is operated by OpenDNS and can be queried by other software through its free API; it has been used as a verification source for Opera's Fraud Protection since version 9.1.
Common sense, however it tries, cannot avoid being surprised from time to time. - Bertrand Russell
26.Jul.07
Internet, Security
Comment (1)
Secure passwords the easy way
One of the supervisors at work, not in IT, asked me for some help with securing his passwords. He wanted to create better, more secure passwords but he didn’t want something hard to remember. I suggested using KeePass. There are four versions available:
He decided to install the zip package so that he could take it with him (USB drive). I first showed him how easy it was to create entries to hold his login info (username/password). I then showed him how easy it was to create secure passwords using KeePass. To do that, all he has to do is go to Tools → Password Generator or click the Gen button when creating a new entry.
The part that impressed him the most was that KeePass will auto-type the username and password for him. He can just pull up the login page, click in the username field, right-click the entry in KeePass and choose Perform Auto-Type. Since auto-type simply sends keystrokes to whichever window has focus, the right field has to be focused first. KeePass will also copy the password to the clipboard for copy/paste use. By default it clears the clipboard after 10 seconds; that timeout can be changed or disabled, and KeePass can instead be set to clear the clipboard as soon as the password has been pasted.
I did remind him that he needs to keep a backup of the KeePass database. It would take a while to reset all his passwords if the database became corrupted, was accidentally deleted, or the USB drive was lost or stopped working.
I hear and I forget. I see and I remember. I do and I understand. - Chinese Proverb
19.Jul.07
Security, Software
Comments (0)