security
Checkpoint VPN-1 SecureClient and ZoneAlarm do not go well together
I recently installed Checkpoint VPN-1 SecureClient software onto a system running XP SP3 with ZoneAlarm Extreme Security installed. After running into an issue where WinSCP would run at 100% CPU utilisation I decided to investigate. My initial investigation led me to decide to remove the VPN-1 SecureClient. This was to prove to be a nightmare exercise. I removed the client, or so I thought, after uninstalling it and rebooting.
I then started getting a BSOD, DRIVER_IRQL_NOT_LESS_OR_EQUAL, and vdatant.sys was apparently the culprit. I ended up pointed to a couple of notes suggesting this was ZoneAlarm. Easy enough, I thought: just uninstall ZoneAlarm and reinstall it. No, not quite, still getting these BSODs.
Off to do some more research, and I came across a note to use CPClean to get rid of VPN-1. No problem, nice to have a clean-up tool. I ran it and it said it was going to remove some registry keys; good, I thought. Ran WinSCP and nope, still not right, 100% CPU; it seems this was due to excessive packet inspection. The saga continues: OK, remove ZoneAlarm again, run CPClean, still a problem. Yes, I now had no network connection at all. The VPN-1 software had trashed my network stack.
I decided to install some diagnostics, and they wanted some Windows network tools (SNMP) installed. I tried to do that, but I didn't have the copy of SP3 that it wanted. Now I had a problem: I was not sure if I had just reinstalled an SP2 or SP1 version of a file, and I was now getting random lockups. I grabbed the latest drivers for this network card on my Mac and reinstalled the software, and yeah, I was back online but still unstable, with random lockups.
Next step, I did some research: could I get my machine back to a state of having SP3 with all the latest updates? Oh yeah, I found WindowsUpdateDownloader. Cool, wonderful tool: I could now download all the updates for my machine since SP3. I reinstalled SP3, then downloaded all the Windows updates and reinstalled them chronologically, about 60 or so. Well, it looks like stability had returned. I then ran CPClean again and it said there were a few keys there for Checkpoint. Next I manually searched the registry and removed any remnants of the Checkpoint VPN-1 software and SecureClient; a few different keyword searches uncovered the majority and cleaned it out.
So now I felt my system was stable and Checkpoint VPN was gone, so test again and see if WinSCP either caused a BSOD or high CPU. Yeah!! No issues present, the file transferred normally and the system seemed OK. Next trick: reinstall ZoneAlarm. Pretty straightforward; its key with the license was still present so it automatically got going, and after a couple of days it seems well again.
Clearly there should be a huge warning from Checkpoint about installing its VPN software on the same OS that is running ZoneAlarm. Surely they test that sort of stuff.
Moral of the story: you can't run VPN-1 on a system running ZoneAlarm. If you have the need, look into using VMs to do the dirty work; then you have the choice of having a VPN-1 VM for that site.
All is good now, so I am happy again, but it lost me close to three days of full productivity cleaning up and reinstalling to get rid of the issues.
See ya round
Peter
Oracle Security Basics – Internal Database Features
There is a lot to know and understand about Oracle security and the database's internal features. The features discussed here are those internal to the database; future articles will look deeper into each of them. Transparent Data Encryption (TDE) encrypts data inside the database so that it appears only as ciphertext to anyone without the appropriate privileges. Encryption is applied per column, so only the truly sensitive values, such as a credit card number or a health care number that could identify a patient, are encrypted. TDE depends on the wallet, which holds the master key that protects the column keys. Ideally the wallet is kept on a separate file system from the datafiles, which makes it much harder to recover the plaintext along with the database if backups are stolen. Even where that is not done, the master key cannot be retrieved without the wallet password. The great feature of TDE is that it works without altering any application code. With a few simple changes you can enable TDE in around 30 minutes.
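The sequence below is an added example, not from the original post, showing the column-level TDE setup described above on a 10gR2/11g database. The wallet directory, the PATIENT table, its columns and the passphrase are assumptions for illustration.

```sql
-- Added example, not from the original post. The wallet directory, the PATIENT
-- table and its columns, and the passphrase are assumptions for illustration.
--
-- 1. Point the instance at a wallet location OUTSIDE the database file tree, so a
--    stolen datafile or backup set does not carry the master key with it.
--    This goes in $ORACLE_HOME/network/admin/sqlnet.ora, not in SQL:
--
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /etc/oracle/wallet)))
--
-- 2. Create the wallet and master key (first time only), then open the wallet.
--    After a restart only the OPEN statement is needed.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "w4ll3t-p4ssphr4s3";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "w4ll3t-p4ssphr4s3";

-- 3. Encrypt only the columns that actually identify a person or a card.
--    NO SALT is required on a column you intend to index (health_no here);
--    the default salted form cannot be used by a B-tree index.
CREATE TABLE patient (
  patient_id  NUMBER        PRIMARY KEY,
  full_name   VARCHAR2(100),
  health_no   VARCHAR2(20)  ENCRYPT USING 'AES256' NO SALT,
  card_no     VARCHAR2(19)  ENCRYPT USING 'AES256'
);
CREATE INDEX patient_health_no_ix ON patient (health_no);

-- Retrofitting an existing table needs no application change:
-- ALTER TABLE patient MODIFY (card_no ENCRYPT USING 'AES256');

-- 4. Verify which columns are encrypted and that the wallet is open.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 5. Closing the wallet makes the encrypted columns unreadable (ORA-28365)
--    until it is opened again; this is what protects a cold copy of the files.
--    (11g syntax; 10gR2 omits the IDENTIFIED BY clause on CLOSE.)
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "w4ll3t-p4ssphr4s3";
```

Back the wallet up separately from the RMAN backup set, and be aware that an auto-login wallet (cwallet.sso) removes the password step, and with it the protection the paragraph above relies on if the wallet is taken together with the datafiles.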
Proxy User is another great feature: it lets a middle tier connect to the database with restricted privileges, so a middle-tier connection that is compromised in an attack is far less likely to expose the data. It also increases what can be audited in a three-tier application. From 10gR2 this feature is available via both the thick (OCI) and thin (JDBC) clients. Credential proxy requires certificates and Oracle Internet Directory to associate the certificate with the LDAP DN of the user. The other option is application user proxy. Many application servers use a connection pool in which a single database user makes every connection; proxy authentication lets the individual application users be identified and traced within the sessions created by that pool. Using Internet Directory is an additional feature: users can be identified very clearly and privileges managed from central privilege sets. Another useful feature is the shared schema user that can be configured in Internet Directory. This user, along with any number of others, can be mapped to a single schema and given a role that controls what each user may access. This is ideal for tools like Discoverer, where users can be logged into a schema with managed views of the data and have their access restricted through the privileges applied.
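As an added example (not from the original post), this is the application user proxy setup described above for a connection pool: a pool account with no data privileges, an end user that the pool may connect through, and the session context that shows both identities. User, role and table names (APP_POOL, ALICE, CLINIC_READER, APP.PATIENT) are assumptions for illustration.

```sql
-- Added example, not from the original post. User, role and table names are
-- assumptions for illustration. Run steps 1-3 as a DBA.

-- 1. The pool account the middle tier authenticates as. It gets CREATE SESSION
--    and nothing else: a stolen pool password on its own reads no application data.
CREATE USER app_pool IDENTIFIED BY "p00l-s3cr3t";
GRANT CREATE SESSION TO app_pool;

-- 2. A real end user, and the role that carries the data privileges.
CREATE ROLE clinic_reader;
GRANT SELECT ON app.patient TO clinic_reader;

CREATE USER alice IDENTIFIED BY "al1ce-s3cr3t";
GRANT CREATE SESSION, clinic_reader TO alice;

-- 3. Allow the pool account to proxy as alice, restricted to that one role.
--    WITH ROLE is the restriction: even if alice holds other roles, a proxied
--    session only ever has clinic_reader enabled.
ALTER USER alice GRANT CONNECT THROUGH app_pool WITH ROLE clinic_reader;

-- Standard auditing can be scoped to what the pool does on alice's behalf
-- (needs AUDIT_TRAIL=DB or higher).
AUDIT SELECT TABLE BY app_pool ON BEHALF OF alice;

-- 4. The middle tier connects as the pool user *for* alice. Only the pool
--    password is presented; alice's password is not used at all. From SQL*Plus:
--
--    CONNECT app_pool[alice]/"p00l-s3cr3t"@orcl
--
--    JDBC pools do the same with OracleConnection.openProxySession, OCI with
--    OCI_ATTR_PROXY_CREDENTIALS.

-- 5. Inside that session the database knows both identities.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxied_by,   -- APP_POOL
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS end_user,     -- ALICE
       SYS_CONTEXT('USERENV', 'CURRENT_USER') AS privs_of      -- ALICE
  FROM dual;

-- 6. Which accounts may be proxied, by whom, and with which roles.
SELECT proxy, client, authentication, role FROM proxy_users;
```

Because SESSION_USER is the end user rather than the pool account, the audit trail, VPD predicates and application logic can all key off the real person even though every physical connection belongs to APP_POOL.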
Other features to discuss are Virtual Private Database (VPD) and Row Level Encryption, then auditing and fine grained auditing to boot, which allow very close scrutiny of what people are looking at. Oracle 10g added further auditing of the SYSDBA account, and Oracle Database Vault has been added to the mix. All of these protect your data within the database. There are also many external features for protecting communications to the database and protecting data at rest in backups or elsewhere. To wrap up, Oracle has many security features internal to the database that let the DBA configure a level of security appropriate to the business's needs for protecting important data. I will discuss these in greater detail in the security articles I have coming up.
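As an added example (not from the original post) of the VPD and fine grained auditing features just mentioned, the block below restricts an assumed APP.PATIENT table to the rows assigned to the current end user and records every read of its card number column. The SEC schema, the policy names and the CLINICIAN column are assumptions for illustration.

```sql
-- Added example, not from the original post. Schema, table, column and policy
-- names are assumptions for illustration; run as a DBA (DBMS_RLS and DBMS_FGA
-- require EXECUTE privilege). Assumed table: APP.PATIENT with a CLINICIAN column
-- holding the (upper-case) Oracle user name responsible for each row.

-- 1. VPD: the policy function returns a WHERE predicate that the kernel appends
--    to every statement against the table. SESSION_USER is the real end user
--    even when the session was opened through a proxy/connection-pool account.
CREATE OR REPLACE FUNCTION sec.own_rows_only (schema_in VARCHAR2, object_in VARCHAR2)
  RETURN VARCHAR2
AS
BEGIN
  -- The schema owner sees everything; everyone else sees only their own rows.
  -- Returning NULL means "no restriction".
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP' THEN
    RETURN NULL;
  END IF;
  RETURN 'clinician = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'PATIENT',
    policy_name     => 'PATIENT_OWN_ROWS',
    function_schema => 'SEC',
    policy_function => 'OWN_ROWS_ONLY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- also reject INSERT/UPDATE that would create a row the user could not see
END;
/

-- 2. FGA: record who actually read the card number, with the statement text,
--    without auditing every other column or every other query on the table.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'PATIENT',
    policy_name     => 'PATIENT_CARD_READS',
    audit_column    => 'CARD_NO',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB_EXTENDED);  -- keeps SQL text and bind values
END;
/

-- 3. What the auditor sees. For a proxied pool session DB_USER is the end user,
--    not the pool account, which is the audit gain proxy authentication brings.
SELECT timestamp, db_user, os_user, object_name, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PATIENT_CARD_READS'
 ORDER BY timestamp;

-- 4. Sanity check that both policies exist and are enabled.
SELECT object_name, policy_name, function, enable
  FROM dba_policies
 WHERE object_owner = 'APP';
SELECT object_name, policy_name, policy_column, enabled
  FROM dba_audit_policies
 WHERE object_schema = 'APP';
```

Test the VPD policy as an ordinary user before relying on it: a SELECT COUNT(*) that returns the full row count means the predicate is not being applied, usually because the policy function is owned by, or the query is run by, an account with EXEMPT ACCESS POLICY.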
See ya round
Peter
July CPU – What’s of interest
Looking through the July CPU, the first item, CVE-2009-1020, makes this CPU very important for Windows-hosted databases. Because the Windows installation of Oracle products runs with Administrator group privileges, this bug provides an attack vector through which the entire server, not just the database, can be compromised, a not so nice proposition. The impact is not as bad on Unix and Linux, where Oracle runs under a non-root user account, so a compromise of the database does not become a complete compromise of the server. The other problems addressed in this CPU are not as bad, as none leads to a full compromise. One worrying aspect is that most are of low access complexity, or to put it simply, an attack is easy to set up. CVE-2009-1019 is of concern as it is remotely exploitable without authentication. It also breaks all three aspects of CIA (confidentiality, integrity and availability) for the database, though only as a partial compromise across the board.
For those interested in developing their security knowledge further, reading about CVSS (the Common Vulnerability Scoring System) is worthwhile, as it lets you give a better assessment of the problems and their impact on the databases and other products you manage for your organisation.
Recommendation: Update your databases to apply this CPU
With Application Server the items are rated a little lower, but both are remote attacks without authentication; one compromises the HTTP server and the other affects the security tools. Neither attack is of a high degree of difficulty to carry out.
Once again, as the HTTP server is a front-line device it is important to update it, since the vulnerability may be used more creatively than Oracle and the security analysts have envisaged. Recommendation: Patch and update
I don't work with E-Business Suite or PeopleSoft at present, so I won't comment other than to say that since you now have a need to patch your Oracle database and your application server, you should review and apply the patches across the board.
From the BEA technologies, the JRockit vulnerability derives from a number of Java bugs on which Sun has provided data; if you use JRockit for public-facing systems this is a critical patch to address. The rating of 10, together with the entire compromise it represents, is worrying. Some will already have applied the Sun patches and avoided some or all of the issues addressed in this patch.
Recommendation: Upgrade now
That has made for an interesting bundle this quarter, so happy patching.
See ya round
Peter
TorrentSpy and how the US Courts legalised hacking of email servers
Security Skills Lacking
This is a common problem that many parts of IT face. Has management ever come up to you and said, "Can you sort this out for me? It shouldn't take more than a few hours"? This lack of understanding of IT among our managers is what leaves organisations exposed to breaches.
Clearly many managers do not understand IT law. I find this a terrible oversight that leaves many companies exposed to poor outcomes when their IT policy and procedures fail. Recently I was doing some work on a client's site and they had me sign a piece of paper about acceptable use of internet access. That organisation would now consider itself covered against a misdemeanour. My legal studies lead me to conclude that they are likely on shaky ground, for a few reasons: they have not clearly defined a couple of items that are open to interpretation, namely what is offensive and what is acceptable use. Perhaps at another time they will put me on an induction course that clearly outlines these, but until that is clearly stated, what the organisation considers offensive may not match your interpretation or mine.
It is these gaps in management's understanding of IT and security that leave IT practitioners hanging: without that understanding, how can managers grasp the firefights the practitioners are wrangling inside and outside the organisation? And if they can't understand this, how do they get to a place where they have sufficient skills? Offering training is good, but how does it benefit people? Does another Checkpoint course really help solve the problem, or should we look at other types of training that take people outside the box to solve problems? I certainly think a lot of management needs to go there.
See ya round
Peter
Security skills of IT workforce lacking, survey finds – Network World
