• 16Oct
    Author: paul Categories: IT Management Comments: 2

    2010 will be here in no time, and with it will come some changes to support for Windows Server. In July 2010, public support for Windows 2000 will cease. At the same time, Server 2003 moves from mainstream support into the “Extended Support” phase. While security patches will still be released, all non-security hotfixes developed during this period will be restricted to customers enrolled in the extended hotfix support (EHS) program.

  • 17May
    Author: ned Categories: Infrastructure, Ramblings Comments: 1

    MySQL didn’t escape the Sun acquisition unscathed… hopefully Oracle doesn’t make the same dumb mistakes.

    I took (what I thought would be) a few minutes this afternoon to upgrade a group of production MySQL servers at Applied Trust. I started by following the same process I have followed for at least four or five years: browse to mysql.com, click on “Download”, and follow the links to the latest RPMs for my Linux distributions.

    The download went as expected, with the consistent MySQL branding lulling me into a false sense of ease – this was something I’ve done dozens of times. I shouted down the hall that I’d be ready to start grilling dinner in a few minutes. Next, I scheduled downtime, did the necessary change documentation, and brought one of the slave MySQL servers down – I was ready to upgrade the database. I typed sudo rpm -Uvh MySQL-*-5.1.34-0.rhel5 and my pleasant ride through upgrade-land came to a screeching halt:


  • 27Feb
    Author: ned Categories: Security Comments: 0

    We run WordPress for our blog and like it. I have been debating whether to upgrade our barkingseal.com WordPress installation – we were at version 2.6.5 and it didn’t look like there were any important security issues fixed in 2.7 and 2.7.1. Patching is all about balance – the risk of security vulnerabilities versus the risk and effort of applying the upgrade. Plus, in this case, I sure don’t want to be too far behind the Web 2.0 curve (a little bit of sarcasm).

    For a little guidance, I looked to the “big dogs” – how up-to-date are the most well-known WordPress sites? Yesterday, I ran a quick scan of all 354 sites listed in the WordPress Showcase to see how we compared. Sadly, not only are many sites not running WordPress 2.7+, but almost half (44%) are running a version older than 2.6.5. 2.6.5 was released in November, 2008 and did fix important security problems. Wow… four months later and 44% of these leading WordPress sites still haven’t updated!


  • 02Nov
    Author: trent Categories: IT Management, Security Comments: 1

    Today, November 2, 2008, is the 20th anniversary of “Black Thursday” – a significant, defining moment in Internet and information security history.  On this day in 1988, the Robert Morris Jr.  worm was unleashed on the Internet.  Sometimes called the Great Worm, this was the first time that the world had proof of what we all knew to be true: significant damage could occur if a malicious party exploited known vulnerabilities across the network en masse.  As silly as it sounds now, prior to that date we always talked about how a worm “could” happen; now we fret about “when.”

    RTM’s worm brought significant change to the Internet world.  The damage it caused (possibly upwards of $100M) and media attention it received ultimately provided the foundation for much of what we know as modern-day, non-military Information Security.  For the first time ever, the Internet became well-known to the mainstream media.  DARPA provided funds to form CERT at Carnegie Mellon, which also directly or indirectly resulted in most clueful organizations establishing their own information security or security incident response teams. Many of the security standards we take for granted are based on early work done at CERT.  I’ll save the debate about whether the worm was ultimately good or bad for our community as a whole for some later post.

    Personally, this date also marks the start of my career in Information Security.  I was in the Computer Science system support group at the University of Colorado at the time, and vividly remember sleeping on my office floor for the last half of that week.  Our primary production systems – mostly VAX 11/780’s, 11/750’s, and Sun 3’s – were all infected.  Lacking any formal incident coordination and communication  infrastructure, we reached out to our friends at UC Berkeley and the University of Utah to collaborate on how to contain and mitigate the situation.  We provided data to the teams working on dissecting the worm, some of which ultimately led to Donn Seeley’s USENIX paper which is still regarded as the most complete and accurate technical analysis.

    It’s great to reminisce about history, but where are we 20 years later?  Although I’m not currently planning on sleeping on my office floor tonight, ironically today I am again worried about the potential for a worm to spread uncontrolled due to lack of patching.  Specifically, the Microsoft MS08-067 vulnerability that was released out-of-cycle 11 days ago represents a significant threat to almost every Windows system out there.  In the last week, I’ve heard all the same arguments against patching that we did 20 years ago — too much effort, too much risk to availability, not enough threat.

    It’s true that overall we have better mitigating controls in place than we did 20 years ago — most organizations have a firewall, virus protection, an incident response plan, and maybe even IDS/IPS. The bottom line, though, is that none of this eliminates the need for patching serious vulnerabilities. As an industry, we MUST patch known serious vulnerabilities, and it takes the same amount of time to patch them now as it does later. It’s just a question of whether you want to suffer the pain and embarrassment of looking like a fool in between doing it “now” vs. “later.”

    I admit to being an “old dog” (and certainly, this particular anniversary rubs that in) but personally, I’d rather make the effort to apply a patch than look like a fool.  Any day.
