From the latest SANS NewsBites:

The Pirate Bay, a website that helps users find files over BitTorrent peer-to-peer (P2P) file sharing software, has reportedly been the victim of attack; the intruder stole a copy of the site's user database.  User passwords are encrypted, but Pirate Bay's site operator encourages users to change their passwords nonetheless, and if they use the same password elsewhere, to change those as well.  The attacker got in through a hole in the site directory's blogging software.  Pirate Bay has a reported 1.4 million members.

Guess even the pirates get hacked once in a while.  ;)

Russell Shaw reports that there is now a new "attack vector" utilizing Java and Quicktime on a web page. This is basically the security bug that was recently found against MacOS, but it's actually not against MacOS per se, but rather Quicktime. That means not only is MacOS vulnerable, but Windows is potentially vulnerable too.

From article:

Currently Safari and Firefox are confirmed vectors on the MacIntel OSX platform. Currently it is known that Windows Quicktime is vulnerable as well. What is not known is to what degree. If the attack is a buffer overflow, an actual "exploiting the box" type attack may be OS specific. In other words, Quicktime under Windows may simply crash or hang the computer if the same exploit code is used. Converting a buffer overflow into a full-fledged exploit takes time and is not always possible. But they did it on the OSX platform, so it is entirely possible that someone can do it on the Windows platform as well. However, if the exploit simply takes advantage of a function built into Quicktime, then the current exploit may work on both platforms.

The mitigation for this issue?  Disable Java, uninstall Quicktime, or if you're a Firefox user, use the NoScript extension and ensure Java is disabled on untrusted sites. I'm not getting rid of Java or Quicktime, but I sure do use NoScript. Yes, it's a pain, but these kinds of issues are precisely why I am willing to go through the trouble of running it.

Presumably, Apple is now aware of this issue and is working quickly to patch it on both Windows and MacOS.

Everyone blew this supposed "Mac" security issue out of the water, it seems. The Mac was "hacked," but it wasn't exactly specific to the Mac as the issue could be replicated in any browser on any system. It was a local exploit, at best, and it involved cross-site scripting, something that is inherently dangerous on all computers.

Please let me know when the Mac can be remotely rooted, though. That will be some serious news.

I am currently taking a CISSP Prep class online through Global Knowledge. They are using a tool called iLinc for the class, and I have to say, I'm thoroughly unimpressed with the experience.

First off, the voice quality frequently goes from mediocre to worse. When the instructor drops off and comes back--which has happened on more than one occasion--the voice chipmunks big-time until the voice buffer clears and everything returns to normal. The iLinc client has crashed on my relatively vanilla Windows XP machine a half-dozen times. Oh yeah, it requires Internet Explorer, which means Windows only. Yuck! The chat client stinks and they do a lousy job of providing ways for participants to give feedback. In a previous online class I took with Global Knowledge, they used a tool called Interwise, which required installing a Windows client, but seemed like it was much more stable.

Probably my biggest complaint with the whole experience is the instructor's Internet connection, which seems to be causing at least some of the issues. But it really sucks whatever it is.

Meanwhile, next week, I will be starting an online class with SANS on Intrusion Detection Systems. Their online class tool seems to be Java-based and should work on the Mac, which I would prefer for obvious reasons.

I've also played with WebEx, Lotus Sametime, and Windows LiveMeeting. They all have their issues. None of them provide an optimal experience, and they certainly aren't all cross-platform. I do want to check out Unyte Meeting, which is working on a new version that has gone into public beta. The pertinent deets from their press release:

WebDialogs is seeking users to participate in the beta test, which will run through April 25, 2007. As a registered user, participants can sample Unyte Meeting's unified voice, video and Web conferencing capabilities without charge for up to 1,500 minutes or until April 25, whichever comes first. To sign up, visit

Unyte Meeting Spring ’07 is faster, yet still completely browser-based, with no downloads required for hosts, presenters or participants. The service is based on WebDialogs’ proprietary conferencing technology that is currently used in the market today by more than 200 brand names through 70 partner agreements.

I did play with their Skype remote desktop product, which I was suitably impressed with. Still waiting for them to come out with a Mac version of the "host" part of their application--the Mac client piece worked fine.

Meanwhile, all this training is taking a toll on my ability to blog, so continue to expect light blogging over the next couple of weeks.

In my past life, I did a heck of a lot with Check Point FireWall-1, now called VPN-1 Power or something. I don't do much with it now except for use their VPN client to access work, but I do spend some of my day job reviewing stuff other people write about it.

One of the things I have to do in order to use my work computer on my home network is to actually allow my work computer to access a couple of things at home: namely my Mac sitting right next to it and my network printer. Unfortunately, the combination of the VPN configuration and the firewall software loaded on the laptop makes this a challenge, though not a difficult one.

One of the things the VPN does is add all these routes to the routing table that essentially override the local routes. Now I can see why an enterprise might want to do that, but if you want to access local resources, then it creates a challenge.

What I had been doing to correct this was all by hand: looking at the routing table, removing the offending routes, and adding a few others. In smaller environments, the routes are always going to point at the same default IP. The problem with the implementation I am working with is that the nexthop for these routes has a habit of being different each time I connect, so I needed to look at the routing table manually before doing the surgery on it. The end result was that I could access the machines I needed.

Today, I got the bug to automate all this, so I decided to write a Windows Batch file to accomplish all this. Apparently, this was harder than I thought, but I wrote a batch file that:

  • Looks at the routing table for a route I know the VPN will set. Fortunately, Windows allows you to print only a specific route.
  • Parses out all the junk that gets printed in addition to the information I wanted. This parsing turned out to be the most difficult part, particularly getting the information out of a FOR loop.
  • Sets routes, which is relatively easy once you have the information.

And FTW, I decided to also add in automatically logging into SecureClient. One batch script logs me in and mucks with the routing table. To find that information, I had to refer to a tome I wrote nearly four years ago. Yes, I know it was published in 2004, but I did a lot of the writing for it in 2002/2003. Damn publisher lead times. Anyway, I looked in a more recent Check Point book (on NGX) that I had lying around and it didn't even cover SecureClient on the command line. It's not the first time I found something in my own book that hasn't made it into other, more recent books, either.

Anyway, I am happy to say it's all working just fine. I do miss being able to use my SecureClient GUI (enabling CLI mode disables all that stuff), but I like how much easier the entire logging-on experience is now. For those who are interested, I am posting my batch job after the break. If you're interested, click on through and read my handiwork.

@REM kill Echo
@echo off
setlocal EnableDelayedExpansion

@REM Path to the SecureClient command-line tool. The backslashes were lost
@REM when this page was extracted and are restored here; adjust the path if
@REM SecureClient is installed elsewhere.
set SCC="C:\Program Files\CheckPoint\SecuRemote\bin\scc"

@REM Switch SecureClient to CLI mode, log in and connect. The first argument
@REM to this batch file (%1) is passed straight through to "scc up".
%SCC% setmode cli
rem %SCC% disconnect
%SCC% up username %1
%SCC% connect "VPN Profile"
%SCC% status
%SCC% ep

@REM Trying to pull out VPN route and mess with routing table
@REM
@REM Did we find the netmask line?
set hitnetmask=0

@REM Let's pull out a route I know will be there. VPN_ROUTE is a placeholder:
@REM the destination network was stripped from the page, so put in the one
@REM your VPN always installs. "tokens=3" gives the Gateway column.
@for /f "tokens=3" %%i in ('route print VPN_ROUTE') do (
  @REM After we found the netmask, the next thing we get is the route we want
  @REM and make sure we get out of dodge
  if !hitnetmask! EQU 1 (
    call :set_nexthop %%i
    GOTO :found_route
  )
  @REM The next line after the "netmask" line is the one we want.
  if "%%i" == "Netmask" (call :set_hitnetmask)
)
@REM Falling out of the loop means the VPN route was never printed.
echo VPN route not found, leaving the routing table alone
GOTO :eof

:set_hitnetmask
set hitnetmask=1
GOTO :eof

:set_nexthop
set nexthop=%1
GOTO :EOF

:found_route
echo Nexthop is %nexthop%, deleting/setting the routes appropriately
echo on
@REM The destinations, masks and LAN gateway were stripped from the page;
@REM DEST1..DEST4, MASK1, MASK4 and LAN_GATEWAY are placeholders to fill in
@REM for your own network.
route delete DEST1 mask MASK1 %nexthop%
route delete DEST2 %nexthop%
route delete DEST3 %nexthop%
route add DEST4 mask MASK4 LAN_GATEWAY
@endlocal
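The same route-table surgery as an added Python example (not the author's batch script): it parses a constructed sample of Windows XP `route print` output, finds the gateway the VPN installed for a given destination (the batch does this for one hard-coded route; this version looks up any destination in the full table), and builds the corrective `route` commands rather than running them. All addresses, the `find_nexthop` and `route_fix_commands` names, and the sample table are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample of the "Active Routes" table printed by `route print`
# on Windows XP; every address below is made up for this example.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23      20
        10.10.0.0      255.255.0.0      10.10.7.254     10.10.7.31       1
      192.168.1.0    255.255.255.0      10.10.7.254     10.10.7.31       1
Default Gateway:       192.168.1.1
===========================================================================
"""

def find_nexthop(route_print_output: str, destination: str) -> Optional[str]:
    """Gateway column for `destination`, or None if there is no such row.

    Same trick as the batch file: wait for the header row (third column is
    'Netmask'), then read the gateway from data rows. Rows whose third
    column is not an IPv4 address (e.g. 'Default Gateway:') are skipped so
    a reshuffled table cannot produce a bogus next hop.
    """
    seen_header = False
    for line in route_print_output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        if not seen_header:
            seen_header = fields[2] == "Netmask"
            continue
        try:
            ipaddress.IPv4Address(fields[2])
        except ValueError:
            continue
        if fields[0] == destination:
            return fields[2]
    return None

def route_fix_commands(vpn_nexthop: str, local_nets: Dict[str, str],
                       lan_gateway: str) -> List[str]:
    """Commands that drop the VPN-installed route for each home network and
    re-add it via the real LAN gateway; returned, not run, so they can be
    reviewed before being handed to the shell."""
    cmds = []
    for net, mask in local_nets.items():
        cmds.append(f"route delete {net} mask {mask} {vpn_nexthop}")
        cmds.append(f"route add {net} mask {mask} {lan_gateway}")
    return cmds
```

On a real machine, feed `find_nexthop` the output of `route print` captured via `subprocess`, and only then run the generated commands from an elevated prompt.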