Thursday, October 28, 2010

Ovaldi initialize error

When auditing systems that run a Microsoft operating system, I use Ovaldi to find patch management issues.  (I understand it will run on *nix-based systems, but I've never tried it.)  I call it from a larger script that also performs other host-based scanning and configuration gathering.  Very occasionally, I'll see in my results directory that Oval did not run for a particular server.  (Typically, it is servers where I find missing results.  Rarely, I see the problem on workstations.)

Today, I was looking through Oval documentation when I came across the following at

Also, on some Windows systems, the OVAL Interpreter may fail with the following error message when executed.

“The application failed to initialize properly (0xc0150002). Click OK to terminate the application.”

This error message occurs when the run-time components of Visual Studio, that are required to run an application developed with Visual Studio, are not installed. If you receive this error message while executing the OVAL Interpreter, please install the VC++ redistributable package that can be obtained at the following link.

The VC++ redistributable package will install the required run-time components.

As a third-party auditor, I do not install the VC++ redistributable package, as I do not want to introduce potentially new vulnerabilities to the system.  And, I do not want to break anything else.
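Since the fix is off the table for me, what I want instead is for the missing result to explain itself.  Below is a wrapper I'd put around the scripted ovaldi call (an added example, not the post's own script): it decodes the exit code as an NTSTATUS and records the side-by-side loader failure behind 0xc0150002 as "run-time missing" next to the (absent) results file.  The ovaldi path and its -m/-r flags are assumptions; check them against your build.

```python
"""Wrapper for a scripted ovaldi run that records *why* a host produced no
OVAL results instead of leaving a silent gap in the results directory.
Added example for this post; ovaldi path and command line are assumptions."""
import subprocess
from pathlib import Path

# NTSTATUS layout: bits 31-30 severity, bits 27-16 facility, bits 15-0 code.
SEVERITY_ERROR = 0x3
FACILITY_SXS = 0x15  # side-by-side loader, which resolves the VC++ run-time manifests


def decode_ntstatus(rc):
    """Split a process exit code into (severity, facility, code).
    Python may report the code signed (-1072365566) or unsigned (0xC0150002);
    mask to 32 bits so both forms decode the same way."""
    rc &= 0xFFFFFFFF
    return rc >> 30, (rc >> 16) & 0x0FFF, rc & 0xFFFF


def classify_exit(rc):
    """Map an ovaldi exit code to a one-line reason for the audit log."""
    if rc == 0:
        return "ok"
    severity, facility, _ = decode_ntstatus(rc)
    code = rc & 0xFFFFFFFF
    if severity == SEVERITY_ERROR and facility == FACILITY_SXS:
        # 0xC0150002 is STATUS_SXS_CANT_GEN_ACTCTX: the loader could not build an
        # activation context, i.e. the run-time ovaldi was linked against is absent.
        return "not-run: VC++ run-time missing (0x%08X)" % code
    if severity == SEVERITY_ERROR:
        # Other loader/OS failures (e.g. 0xC0000135, a DLL not found) also mean
        # the interpreter never started, so no results file should be trusted.
        return "not-run: loader/OS error 0x%08X" % code
    return "ovaldi exited %d" % rc


def run_ovaldi(host, results_dir, ovaldi=r"C:\ovaldi\ovaldi.exe"):
    """Run ovaldi for one host (assumed flags: -m skip MD5 check, -r results
    file) and write a status line next to the results so a missing results.xml
    is explained rather than discovered later."""
    out = Path(results_dir) / host
    out.mkdir(parents=True, exist_ok=True)
    proc = subprocess.run([ovaldi, "-m", "-r", str(out / "results.xml")])
    status = classify_exit(proc.returncode)
    (out / "ovaldi.status").write_text("%s %s\n" % (host, status))
    return status
```

The status file is what I'd grep for across the results directory at the end of the scan, so hosts that were never actually tested are listed rather than silently absent.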

Wednesday, October 27, 2010

Uptick in webmail spam messages

Lately, I've been receiving more and more spam in my inbox, and the message usually contains a single URL.  Most likely, that URL leads to a site that is heavily poisoned or makes an attempt at stealing personal information.  It's happened to some of my friends just recently and they've asked for help.  (What they've done about the issue, I do not know.)

In my limited analysis, it appears that their email accounts have been hacked, and someone/thing is using the accounts to pump out spam.  I haven't been able to do a root cause analysis, so I don't know if it is the machine that they are logging on to that is infected, or if there is another vector.  The latest article I've seen on the problem is listed here:

Hacked web mail accounts used to send spam

My response (when asked by my friends) has been to fully scan the computer with anti-virus software that has current definition files to ensure that there is nothing obvious on the system.  Secondly, change the password to the webmail account from a computer that is known to be free from malware.  From the friends that have taken this advice, I've heard good results.  But, short of fully analyzing a machine, I really don't know what's there.

Is there more to it than this?  Is there a bigger problem?  If you have any answers, leave them in the comments.

Monday, October 11, 2010

SCAP-based process

It's been a while since I posted anything.  For one, we were waiting for the fiscal year to end to see what proposals we would be awarded.  Two, after weeks of slowness, I just got back from a big audit.  It was interesting because it was as if they did not want us there.  We were holed up in a back conference room, our contacts went out of their way to ignore us, and we found lots of different machines/technologies/platforms that we were not expecting.  (At least, they didn't tell us about them before we got there.)  I know, shocking.  I don't know if it is because they don't want to pay for more work, or they are just ignorant about their network.  Granted, there was virtually no documentation, and we STILL do not have a network diagram.

While working this contract, we are also updating our testing process.  I don't think it is a secret that DISA is getting out of the business of producing Gold Disks.  Personally, I think they want to get out of the tool development process altogether.  I foresee DISA maintaining the STIGs and requirements, but I do not see them developing tools to test those requirements.  To that end, we've been working on how we will test those controls in the future; and we're looking at SCAP-based products.  We'll see how this goes.