
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


Firefox 3.6.12 available -

Published: 2010-10-28
Last Updated: 2010-11-01 18:37:59 UTC
by Rick Wanner (Version: 1)
0 comment(s)

-- Rick Wanner - rwanner at isc dot sans dot org - Twitter:namedeplume (Protected)

Keywords: firefox

Cyber Security Awareness Month - Day 28 - Role of the employee

Published: 2010-10-28
Last Updated: 2010-10-29 16:08:01 UTC
by Tony Carothers (Version: 1)
4 comment(s)

Today’s topic for the CyberSecurity Awareness Month is the Role of the Employee.  Almost everyone reading this today will create some form of stored data which is significant to them.  Thus is the role of the user.  And, basically, every employee with an IT system is a user of some form or other.  Recently I had the opportunity to discuss a very similar topic with some friends at  .  The discussion centered on personal responsibility in regards to security.  This was a very productive discussion that yielded many of the same questions and conclusions I will discuss today.  The role of the employee is essentially the role of the user which always led to 3 questions:

“What data have I produced?”

“How do I get this data back, so I may continue, when all else fails?”

Once you have addressed these questions for the data you have created, whether 2 presentations or 200 emails, you will find the long road ahead much easier. The third question is a bit more difficult, and is a topic for another day.

“What data, other than my own, am I ultimately responsible for today?”

I would like to talk about the first 2 here a bit more. Of course discussions or comments are always welcome and encouraged.

“What data have I produced today?” This question hopefully leads everyone to ask a number of questions about backup, restoration, and possibly even continuity of operations with regard to their jobs and data. One common question is “How do I keep going after a (insert disaster here, e.g. fire, flood, etc.)?” If you are reading this then most likely we, in both our professional and personal lives, create some form of data each day. In the workplace this may be several proposals or presentations. In the home, it may have been a weekend of pictures downloaded to the home computer. So what happens when the workplace is flooded? God forbid a fire in the home? Is the data created on a computer any less priceless than the letters from 2 years ago? No. You would hopefully plan for and protect these electronic artifacts the same as you would the physical artifacts.

“How do I get this data back, so I may continue, when all else fails?” To completely answer this question, question number 1 has to be answered first. Essentially, once you have identified who is responsible for the backup and restoration, then ask the question “Where is my data so I can get it back when everything else fails?” Sometimes this is a question we have to ask of ourselves about personal data we’ve created, in the form of contact lists, email archives, and personal data. In the data realm we are producers, provisioners, consumers, and sometimes all three. Anyone in the role of the first two needs to understand completely the role they play in today’s CyberSecurity world.

tony d0t carothers at isc d0t sans d0t org


CVE-2010-3654 - New dangerous 0-day authplay library Adobe products vulnerability

Published: 2010-10-28
Last Updated: 2010-10-28 21:51:01 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
4 comment(s)

Adobe today released advisory APSA10-05, which describes a 0-day vulnerability in Adobe Flash Player, Adobe Reader and Acrobat that can be exploited remotely. Adobe says it hopes to have an update available by the week of Nov 15.

The following are the mitigation measures recommended by Adobe:

Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Adobe Reader 9.x - UNIX
1) Go to installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named ""

More information at

-- Manuel Humberto Santander Peláez | msantand at isc dot sans dot org
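The workaround steps above, automated as an added example (not code from the diary or from Adobe's advisory): it searches the install roots you pass in for the authplay component and renames it, with a dry-run mode that only reports where the component is still present. The `.disabled` suffix and the function names are assumptions made for the example; the UNIX library name is not given on this page, so it must be supplied through `names`.

```python
"""Audit or apply the APSA10-05 workaround: locate the authplay component and rename it."""
import os
from pathlib import Path

# Component names as given in the mitigation text above. The UNIX library
# name is missing from this page; supply it through `names` if needed.
AUTHPLAY_NAMES = ("authplay.dll", "AuthPlayLib.bundle")
DISABLED_SUFFIX = ".disabled"  # assumption: any rename that breaks the load path will do


def find_authplay(roots, names=AUTHPLAY_NAMES):
    """Return every file or bundle under `roots` whose name matches, case-insensitively."""
    wanted = {n.lower() for n in names}
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for entry in list(dirnames) + filenames:
                if entry.lower() in wanted:
                    hits.append(Path(dirpath) / entry)
            # A .bundle is a directory on Mac OS X: do not descend into a match.
            dirnames[:] = [d for d in dirnames if d.lower() not in wanted]
    return sorted(hits)


def disable_authplay(roots, names=AUTHPLAY_NAMES, dry_run=True):
    """Rename each match so the host application can no longer load it.

    Returns (original, renamed) pairs. With dry_run=True nothing is touched,
    which turns the function into an inventory of unmitigated installs.
    """
    actions = []
    for path in find_authplay(roots, names):
        target = path.with_name(path.name + DISABLED_SUFFIX)
        if target.exists():
            # An earlier rename plus a reinstall leaves both; do not overwrite.
            raise FileExistsError(f"{target} already exists; resolve by hand")
        if not dry_run:
            path.rename(target)
        actions.append((path, target))
    return actions


if __name__ == "__main__":
    import sys
    # Usage: python authplay_audit.py <install root> [...]  (report only)
    for original, renamed in disable_authplay(sys.argv[1:], dry_run=True):
        print(f"would rename {original} -> {renamed}")
```

Renaming rather than deleting keeps the workaround reversible once Adobe ships the update; as the advisory notes, PDFs that contain Flash content will fail to render while the component is disabled.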


Cyber Security Awareness Month - Day 27 - Social Media use in the office

Published: 2010-10-28
Last Updated: 2010-10-28 01:41:56 UTC
by Rick Wanner (Version: 1)
2 comment(s)

On Day 27 of the 2010 version of Cyber Security Awareness Month we want your view on the use of social media in the office.

Unless you are in one of those few industries, or parts of government or the military, where the control of data is so strict that you can forbid Internet use, it is very likely that your company has had to deal with the conundrum of whether or not to allow access to social media sites. From a corporate point of view there may be huge benefits, not the least of which is low-cost access to your customer base, both for customer feedback and for targeted advertising. But there are also huge risks, including increased exposure to malware, leakage of intellectual property and confidential information, productivity issues, and exposure to objectionable content.

I am not going to get into the discussion of whether companies should or shouldn't allow access to social media.  That should be an individual company risk versus reward decision.  But if you do decide to go ahead, here is my list of the minimum you should have in place.

  • Internet Acceptable Use Policy - hopefully your company already has one.  An Internet AUP defines the parameters of acceptable use for your company's Internet resources.  Most companies have come down on the side of limiting work-based Internet use to usage directly related to job responsibilities with limited personal use being acceptable.  The two big things are that if your jurisdiction permits it you should indicate that the network can be monitored and that all data stored on company resources belongs to the company.  A good sample Internet AUP is available at the SANS Internet Security Policy Templates page.
  • Social Networking Policy - more and more companies are publishing a social networking policy.  In a nutshell it defines what people can and can't say online.  This policy should indicate that employees can only speak on behalf of the company within their area of responsibility and that they must clearly identify who they are.  It also should define what they can and can't talk about.  Obviously intellectual property, trade secrets, sensitive corporate information, and customer and partner information should be off the table. Most importantly the policy should provide a reporting mechanism to be utilized if employees trip over inappropriate information about your company. Here is a good sample social media policy to help you get started.
  • Management training - no policy should be published without adequate training.  In this case managers must be made aware of the policy and what is and isn't appropriate for their employees to be doing.  What is the difference between limited personal use and abuse?  Where do I report a potential problem?
  • Employee training - employees must also be trained on the social media policy.  They need to know under what conditions they can speak on behalf of the company, and where the line is between limited personal use and abuse. Employees will also be your best source of reporting of inappropriate information being posted, so be sure to let them know how to report issues.
  • Apply Operations Security (OpSec) - OpSec is a military term which describes a process to determine if information which can be obtained by adversaries could be useful to them, and to minimize the impact of that information.  Applying this concept to InfoSec, I am referring to a process of monitoring the Internet with the goal of identifying corporate information which could be useful for competitive intelligence, or which could present your company in a negative light, and having it removed when possible.  Google alerts are a good place to start in this area.

I've gone on long enough.  It is your turn to provide us with guidance.  What techniques have you employed to limit the impact of work-based social media on your company?

As usual your ideas and feedback are encouraged via the comment mechanism below.

Other Resources:

Another good resource when creating your Social Media policy is "Ten things you should cover in your social networking policy".

-- Rick Wanner - rwanner at isc dot sans dot org - Twitter:namedeplume (Protected)
