Friday, March 2, 2007

How to Enable Processor Based Security

At last PCs running Windows have a protection that high-performance servers have had for some time. The technology goes by names that vary by manufacturer, such as NX (No eXecute) and EVP (Enhanced Virus Protection) on AMD processors, XD (eXecute Disable) on Intel processors, and DEP (Data Execution Prevention) on the Windows side. It lets the processor refuse to run instructions fetched from memory that has been marked as data only, so when an exploit tries to execute code it has injected into a buffer, the program is stopped instead of the code running. In this short tutorial we will teach you how to enable this feature.

The technology works by having the operating system mark each region of RAM as either executable (program code) or non-executable (data such as the stack and heap). If something tries to execute instructions out of a region marked as data, the processor raises a fault and Windows terminates the program rather than let the code run. Note that DEP only stops injected code from executing; it does not stop attacks that reuse code already present in executable pages (return-to-libc and similar), so it complements patching and antivirus rather than replacing them.
Source: Hardware Secrets, How to Enable Processor-Based Security
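To see how a machine is actually configured, here is an added PowerShell example (not part of the Hardware Secrets article) that reads the DEP settings Windows exposes through WMI and prints the boot switch that would set the same policy. It assumes Windows XP SP2 or later with PowerShell 2.0; the property names are the documented Win32_OperatingSystem ones, and the policy-to-name mapping is the one Microsoft documents for that class.

```powershell
# Added example: report the DEP/NX state Windows exposes via WMI.
# Requires Windows XP SP2 or later and PowerShell 2.0 (for New-Object -Property).

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Documented DataExecutionPrevention_SupportPolicy values:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows binaries only, the default), 3 = OptOut
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    New-Object PSObject -Property @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $policyNames[$policy]
        Covers32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = [bool]$os.DataExecutionPrevention_Drivers
        # the same policy expressed as the XP boot.ini switch and the Vista bcdedit command
        BootSwitchXP         = "/noexecute=$($policyNames[$policy])"
        BootSwitchVista      = "bcdedit /set nx $($policyNames[$policy])"
    }
}

$dep = Get-DepStatus
$dep | Format-List

if (-not $dep.HardwareDepAvailable) {
    Write-Warning 'The CPU or kernel does not expose NX/XD; only software DEP (exception-chain checks) is in effect.'
}
if ($dep.Policy -eq 'OptIn') {
    Write-Warning 'OptIn protects only Windows system binaries; switch to OptOut or AlwaysOn and reboot to cover every program.'
}
```

OptIn is the default on client systems, which is why a machine can report hardware DEP as available while most third-party programs still run unprotected.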

Delete Hiberfil.sys in Windows XP before defragmenting

If you use Windows XP's Hibernation feature on your laptop, you may want to delete the Hiberfil.sys file from the hard disk before defragmenting. When you put your computer in hibernation, Windows XP writes all memory content to the Hiberfil.sys file before shutting down the system. Then, when you turn your computer back on, the OS uses the Hiberfil.sys file to put everything back into memory, and the computer resumes where it left off. However, Windows XP leaves the Hiberfil.sys file on the hard disk between hibernations, preallocated at roughly the size of installed RAM, even though it is not needed until the next time you hibernate.

The Hiberfil.sys file, which can be very large, is a special system file that Disk Defragmenter cannot defragment. Therefore, the presence of the Hiberfil.sys file will prevent Disk Defragmenter from performing a thorough defragmenting operation.

Follow these steps to remove the Hiberfil.sys file from the hard disk:

  1. Access the Control Panel and double-click Power Options.
  2. Select the Hibernate tab in the Power Options Properties dialog box.
  3. Clear the Enable Hibernation check box and click OK.

As soon as you clear the check box, Windows XP automatically deletes the Hiberfil.sys file from the hard disk. Once you complete the defrag operation, you can re-enable the Hibernation feature.
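The same three steps can be scripted. The following is an added PowerShell example, not part of the original tip: it uses powercfg.exe (present on Windows XP SP2 and later) instead of the Power Options dialog, confirms that Hiberfil.sys is gone, runs defrag.exe, and re-enables hibernation afterwards even if the defrag fails. It assumes PowerShell 2.0 and an administrative prompt.

```powershell
# Added example: automate "disable hibernation, defragment, re-enable hibernation".
# Assumes Windows XP SP2 or later (powercfg /hibernate) and an administrative prompt.

function Invoke-DefragWithoutHiberfil {
    param([string]$Volume = $env:SystemDrive)   # e.g. "C:"

    $hiberfil = Join-Path $Volume 'hiberfil.sys'
    $hibernationWasOn = Test-Path $hiberfil

    if ($hibernationWasOn) {
        # -Force is required because hiberfil.sys is a hidden system file
        $sizeMB = [math]::Round((Get-Item $hiberfil -Force).Length / 1MB)
        Write-Host "hiberfil.sys is $sizeMB MB; disabling hibernation removes it"
        & powercfg /hibernate off
        if (Test-Path $hiberfil) {
            throw 'hiberfil.sys is still present; powercfg needs an administrative prompt'
        }
    }

    try {
        & defrag $Volume            # same work as Disk Defragmenter, without the GUI
    }
    finally {
        if ($hibernationWasOn) { & powercfg /hibernate on }   # always put it back
    }
}

Invoke-DefragWithoutHiberfil
```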

Examining a Blue Screen of Death error with the Watchdog Event Log

Troubleshooting Blue Screen of Death (BSoD) errors, or as Microsoft calls them, Stop messages, can be extremely frustrating due to the fact that, by default, Windows XP automatically restarts the computer as soon as a BSoD error occurs. There's not enough time for you to analyze, let alone read, the error code before the message disappears.
You could disable the Automatically Restart option in the Startup And Recovery dialog box, but then a crash on an unattended machine leaves it halted at the blue screen until someone reboots it, so that is not always a practical solution.
Fortunately, Windows XP keeps a log of crashes caught by its kernel watchdog, called a Watchdog Event Log. Unlike a memory dump, which is created as the result of a BSoD error and needs a debugger to read, a Watchdog Event Log is a plain text file that is easier to read and understand. (The stop code itself is also recorded after the reboot in the System event log, as event ID 1001 from source Save Dump, whose message begins "The computer has rebooted from a bugcheck.")

Here's how you access a Watchdog Event Log:

  1. Use Windows Explorer to access the C:\Windows\LogFiles\Watchdog folder.
  2. Locate and right-click the most recently dated .WDL file.
  3. Select the Open command from the context menu.
  4. In the Windows dialog box, choose the Select The Program From A List option and click OK.
  5. When you see the Open With dialog box, select Notepad and click OK.

Launch Windows Explorer with administrative privileges on Windows XP Pro

When you're working on a user's computer and need to perform an administrative task from within her Windows XP Pro limited user account, you can use the Run As command to launch certain utilities with administrative account privileges.

However, if you try to use Run As to launch Windows Explorer with administrative privileges, nothing happens. This is because Explorer.exe is already running and only one instance of Explorer can run at a time. More specifically, when you launch Explorer.exe, the first thing it does is check to see if it is already running. When the second instance of Explorer.exe sees that the first instance of Explorer.exe is already running, the second instance of Explorer.exe closes without any outward notification. Here's how you can work around it.

Internet Explorer 6
Internet Explorer 6 will work with Run As and will allow you to tap into Windows Explorer. Here's how:
1. Right-click the Internet Explorer icon in the Quick Launch toolbar and choose Run As. (Keep in mind that you cannot access Run As from the Internet Explorer icon that appears on the desktop or on the Start menu.)
2. Fill in the appropriate administrative account credentials in the Run As dialog box.
3. When Internet Explorer launches, type C:\ in the Address bar.
4. Windows Explorer will appear in the same window, and it will be running with administrative privileges.

Internet Explorer 7
If you're using Internet Explorer 7, the steps for Internet Explorer 6 won't work because, as part of the new security features in version 7, Internet Explorer is no longer integrated with Windows Explorer. You must use the standard method for launching Windows Explorer with administrative privileges. Here's how:
1. Log on to the computer with the Administrator account.
2. Access the Control Panel and launch Folder Options.
3. When you see the Folder Options dialog box, select the View tab.
4. Scroll down the Advanced Settings list and select the Launch Folder Windows In A Separate Process check box, click OK, and then log off.

The next time you work on that user's computer and need to perform an administrative task from within her limited user account, you can use Run As to launch Windows Explorer with administrative privileges.
Note: This tip only applies to Windows XP Professional.
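The Folder Options checkbox in the Internet Explorer 7 procedure writes a single registry value, so the change can be scripted for several machines. The following is an added PowerShell example, not part of the original tip: the first function sets that value (run it while logged on as the administrator account, since the value lives in that account's HKCU hive), and the second launches Explorer under the administrator account from the limited user's session with runas.exe. The account name and starting folder are assumptions; adjust them to the machine.

```powershell
# Added example: registry equivalent of "Launch folder windows in a separate process",
# plus a runas launch of Explorer. Assumes Windows XP Professional and PowerShell 2.0.

function Enable-ExplorerSeparateProcess {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    # DWORD SeparateProcess = 1 is what the Folder Options checkbox writes
    Set-ItemProperty -Path $key -Name 'SeparateProcess' -Value 1 -Type DWord
    return (Get-ItemProperty -Path $key -Name 'SeparateProcess').SeparateProcess
}

function Start-ExplorerAsAdmin {
    param(
        [string]$Account = 'Administrator',     # assumed local account name
        [string]$Folder  = $env:SystemDrive     # "C:" (no trailing backslash, which would escape the quote)
    )
    # runas prompts for the password on the console; with SeparateProcess set in the
    # administrator's profile the new explorer.exe is not swallowed by the user's running shell
    & runas "/user:$Account" "explorer.exe $Folder"
}

# Step 1, logged on as the administrator account:
Enable-ExplorerSeparateProcess

# Step 2, later, from the limited user's session:
Start-ExplorerAsAdmin
```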

Monday, February 26, 2007

Don't be misled by these Windows Vista myths

1. You’ll have to buy a new, high-end PC to run Vista

Many in the mainstream media are claiming that to run Vista, you’ll almost certainly have to buy a new computer. This myth is undoubtedly being encouraged by hardware vendors, but it’s not true. I was able to install Vista on my existing Dell Dimension mid-priced system with no problems, and the existing video card, an ATI x600, runs Aero Glass.

If your computer is older or a low-end machine, you can still probably install and use Vista but you may not get the Aero Glass interface. Although Glass adds a lot of “wow” factor, it’s not something that’s essential to getting work done. You'll still benefit from Vista’s security enhancements, search functionality, and added features. If you do want the Glass look, you still may not need to buy a new system. Instead, you can add RAM to bring your system up to the 1 GB recommended for Glass and install a new video card that supports it.

Another myth I’ve heard is that only PCI Express (PCIe) video cards support Aero Glass, so if your computer doesn’t have a PCIe slot, you’re out of luck. That’s not true either. Video card vendors have regular PCI cards that will run Glass. I’m running it on a system with a relatively inexpensive GeForce 5200 card with 256 MB of memory in a regular PCI slot.
If you do choose to buy a new PC, you don't need a high-end one that costs thousands of dollars to run Vista. Just a couple of days after the launch, retailers began offering machines preloaded with Vista Home Premium, complete with LCD monitors, for as low as $600.

2. Vista will solve all your security problems

Microsoft is touting Vista’s improved security, but no operating system is perfectly secure (and no OS ever will be). Running Vista doesn’t mean you don’t still need perimeter firewalls, antivirus protection, and other third-party security mechanisms.

Because much of the operating system, including its networking stack, has been redesigned and new code written, Vista is likely to present some vulnerabilities that weren't in older versions of the OS even as it fixes many that were. This is true of any new software, and Vista, despite its focus on security and Microsoft's best efforts, is no exception.

In fact, Microsoft shipped the first critical security update for Vista over a year ago, when it was still in the beta testing stage. It will be just as important with Vista as with any other operating system to ensure that updates are installed regularly. The danger is that novice users, hearing that Vista is more secure, may let their guard down and fail to take the protective measures necessary to prevent attacks, virus infestations, etc.

3. Vista is no more secure than XP SP2

On the other hand, some of Vista’s detractors have been claiming that the new operating system offers no security advantage at all. I’ve heard computer “experts” on the radio say that Vista is no more secure than Windows XP with Service Pack 2, and an eWeek article last summer went so far as to report that Symantec security researchers were contending that Vista “could harbor a range of vulnerabilities that will make it less secure than previous iterations of Windows.”

It’s true that, properly updated, Windows XP is a pretty secure OS. But Vista includes a number of new security enhancements that XP doesn’t have. For example, User Account Control (UAC) in Vista protects against attacks that rely on elevation of privileges. Internet Explorer 7, when running on Vista, leverages UAC to run in Protected Mode, which keeps Web applications from writing to system folders. IE7 doesn’t run in Protected Mode on XP.

BitLocker drive encryption, available in the Vista Enterprise and Ultimate editions, provides a way to keep unauthorized persons from accessing sensitive data on a stolen or lost laptop. The Windows Firewall in Vista allows you to block outgoing traffic as well as incoming. Windows service hardening reduces the potential for damage if one of Windows' services is compromised. Vista includes the Network Access Protection client, which lets administrators keep computers that aren't properly updated, or that lack antivirus, anti-spyware, or a firewall, from connecting to the company network.
Those are just a few of the new security improvements included in Vista.

4. You can’t dual boot Vista with another operating system

One of the strangest and most inaccurate statements I heard was that "With Vista, you can't run two operating systems on the same computer like you could in the past." That's news to me, as I'm currently running two computers that dual boot Vista and XP. As with previous versions, a boot menu is displayed when the computer starts, and you can choose either Vista or Earlier Version of Windows.

5. Most old applications and peripherals won’t work with Vista

Circulating amongst the FUD (fear, uncertainty, and doubt) being spread about Vista is the idea that upgrading will subject you to all kinds of application incompatibilities. Some programs made for XP, especially those that hook into the kernel, like antivirus programs and some system utilities, won’t work with Vista. However, the majority of applications that run on XP will also run on Vista.
In some cases, you may need to install or run older programs in Compatibility mode (right-click the program file, select Properties, and click the Compatibility tab to select compatibility options) and/or run the program as an administrator for it to work properly.
You don't have to figure out most compatibility issues for yourself. Vista comes with the Program Compatibility Assistant, which can detect what changes need to be made to run a program and resolve conflicts with UAC that may be preventing a program from running correctly. It runs automatically when it detects an older program that has compatibility issues. You can also use the Program Compatibility Wizard, a tool that you run manually from Control Panel > Programs and Features (in the native, non-Category view).

There have also been many reports about hardware peripherals, especially printers and scanners, that don’t work with Vista. It’s true that some hardware vendors were slow to provide Vista drivers during the Vista beta testing period. By the time Vista launched to the consumer market, though, many hardware drivers were included on the installation DVD and many more will be made available in the next few months.

My older HP OfficeJet G55 had no problems working with Vista, and if you peruse the list of supported printers (Control Panel > Printers > Add A Printer Wizard), you'll see that Vista supports a large number of printers from HP, IBM, Brother, Canon, Citizen, Dell, Epson, Fujitsu, Konica, Kyocera Mita, Lexmark, Minolta, NEC, Oki, Panasonic, Ricoh, Samsung, Sharp, Sony, Xerox, and other major printer vendors.

6. You have to buy a Premium version of Vista if you have a dual core machine

There was initially some confusion over the specification that Vista Home Editions support only a single processor. Some folks took this to mean that that version of Vista wouldn’t run on dual core machines.
Dual core CPUs do contain two processors—but they’re combined on one chip or die. This is called chip-level multiprocessing and it’s different from having two separate physical processors installed on the same machine. Even though a dual core machine will show the activity of two processors in Windows performance monitoring tools, Microsoft’s definition of “processor” refers to the number of physical CPUs, not the number of cores.

7. You won’t be able to play ripped music in Vista

Have you heard about the horrors of Vista’s DRM (Digital Rights Management)? Some people have implied that it will prevent you from playing any music or movie files unless you download and pay for them online. Others are speculating that even the media you do buy may be blocked.

Interestingly, the people who are spreading this one all seem to be folks who have never used Vista (and, according to many of them, never will). The real story: I have no problem playing music files that were ripped from CDs on Windows Media Player 10 or in Vista's Windows Media Center application. Yes, I legally own the CDs, but Vista has no way of knowing that. All of the media that I imported from my XP Windows Media Center computer, including recorded TV programs, played without a problem.

Pharming Attack Slams 65 Financial Targets

An Internet-based attack aimed at about 65 financial targets in the United States, Europe and Australia was shut down after a two-and-a-half-day run. Attackers launched the "pharming" attack on Monday, Feb. 19, and authorities shut it down on Wednesday.

Microsoft starts feeding antipiracy tool to users in 21 countries

Microsoft Corp. has updated its antipiracy software for Windows XP for English speakers, and begun rolling out the optional tools to users in 21 additional countries, including some the company has tagged as centers of counterfeiting.

Wednesday, February 21, 2007

Firefox 3 To Support Offline Apps

An interesting tidbit came out of the recent Foo Camp New Zealand (which unfortunately I wasn't able to attend). Robert O'Callahan from Mozilla, who is based in NZ and drives the rendering engine of Mozilla/Firefox, spoke about how Firefox 3 will deliver support for offline applications. This is significant because you'll be able to use your web apps, like Gmail, Google Docs & Spreadsheets, Google Calendar, etc., in the browser even when offline. I deliberately mentioned all Google web apps there, because of course this plays right into Google's hands.

Although Mozilla is an open source organization, some of its top workers are employed by Google, so it's a very cozy relationship. We've discussed before how Firefox 3 as information broker suits Google very nicely, because the Mountain View company has a number of best-of-breed web apps, and if it's not building them, it's acquiring them.

Windows Genuine Advantage (WGA) to be upgraded

Microsoft's controversial anti-piracy application, Windows Genuine Advantage (WGA), is to be upgraded next week. The WGA Notifications tool allows Microsoft to check whether your copy of Windows and other Microsoft software programs were purchased and installed legally when your PC is connected to the internet. The WGA programme has caused a storm in some quarters, with many claiming that it is an invasion of privacy.
Source: Web User News, Anti-piracy tool to be upgraded

Shockwave Trojan Information and Removal

What is the Shockwave Trojan Virus?

Remember all those warnings you hear about never opening an .exe attachment? This trojan is why those warnings exist. Discovered on November 30, 2000, it arrives in an e-mail with the subject "A great Shockwave flash movie" and the attachment "CREATIVE.EXE". Using Outlook, the trojan sends itself as an attachment to every address listed in the address book of the infected user. It also renames all JPG and ZIP files and moves them to the C:\ root directory. Because Shockwave is a standard format for animation, most people will just think it's a "cute" file and open it, and then the trouble starts.

How to Clean/Delete the Shockwave Trojan?

Delete the Creative.exe file from the Windows Startup folder and restart the computer. Then use the file C:\MESSAGEFORU.TXT to manually move and rename the JPG and ZIP files that the trojan changed. The filenames of these files have the text "change atleast now to LINUX" appended. For example, "XXXX.ZIP" becomes "XXXX.ZIPchange atleast now to LINUX". The file C:\MESSAGEFORU.TXT logs the original location of every moved file, so it can be used to restore them.

When viewed, the file C:\MESSAGEFORU.TXT contains the following text:
Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin
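As an added example, not part of the original write-up, the following PowerShell function undoes the renaming described above for files left in the C:\ root. The page does not show the format of C:\MESSAGEFORU.TXT, so moving files back to their original folders is left to that log; the only thing assumed here is the suffix string quoted above, and that the trojan appended it directly to the name. Run it with -WhatIf first to see what would be renamed.

```powershell
# Added example: strip the appended text from renamed JPG/ZIP files in C:\.
# Assumes PowerShell 2.0. Moving files back to their original folders needs
# C:\MESSAGEFORU.TXT, whose format is not shown on this page.

function Restore-RenamedFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Root   = 'C:\',
        [string]$Suffix = 'change atleast now to LINUX'   # text quoted in the description above
    )

    Get-ChildItem -Path $Root -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name.EndsWith($Suffix) } |
        ForEach-Object {
            $original = $_.Name.Substring(0, $_.Name.Length - $Suffix.Length)

            # only touch names that end in the two extensions the trojan targets
            if ($original -match '\.(jpg|zip)$') {
                if (Test-Path (Join-Path $Root $original)) {
                    Write-Warning "Skipping $($_.Name): $original already exists"
                }
                elseif ($PSCmdlet.ShouldProcess($_.FullName, "rename to $original")) {
                    Rename-Item -Path $_.FullName -NewName $original
                }
            }
        }
}

Restore-RenamedFiles -WhatIf     # dry run; drop -WhatIf to actually rename
```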

Sunday, February 18, 2007

How to Remove BlazeFind (BlazeFind Removal)

BlazeFind is spyware implemented as an Internet Explorer Browser Helper Object (BHO), a DLL that Internet Explorer loads into its own process at startup. This program redirects browser search requests to its controlling server and displays popup advertisements on your computer. It may also slow down the performance of Internet Explorer.

Follow these removal steps to remove this spyware from your computer:

1. Reboot the computer to Safe Mode (Press F8 when Windows starts).
2. Open a DOS command prompt window (Start > Run, type 'cmd' on Windows NT/2000/XP or 'command' on Windows 95/98/Me) and enter the following commands, ...
Source: Remove BlazeFind - Adware & Spyware Removal Instructions
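Because a BHO is just a COM object listed in the registry, you can enumerate every one that is installed and find the unfamiliar DLL before following removal steps. The following is an added PowerShell example, not part of the removal instructions above: it walks the standard Browser Helper Objects key, resolves each CLSID to its DLL, checks whether the DLL exists and whether it carries a valid Authenticode signature, and offers a removal function that unregisters the DLL with regsvr32 and deletes the BHO entry. It assumes PowerShell 2.0 and an administrative prompt; the registry paths are the standard IE ones and no BlazeFind CLSID is assumed.

```powershell
# Added example: list installed Browser Helper Objects and remove one by CLSID.
# Assumes PowerShell 2.0 and administrative rights (HKLM and regsvr32 /u need them).

function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }

    foreach ($entry in Get-ChildItem -Path $bhoKey) {
        $clsid    = $entry.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = $null; $dll = $null

        if (Test-Path $clsidKey) {
            $name = (Get-ItemProperty -Path $clsidKey).'(default)'
            $serverKey = "$clsidKey\InprocServer32"
            if (Test-Path $serverKey) {
                # the default value of InprocServer32 is the DLL IE will load
                $dll = (Get-ItemProperty -Path $serverKey).'(default)'
            }
        }

        $path = $null; $exists = $false; $signed = 'n/a'
        if ($dll) {
            $path   = [Environment]::ExpandEnvironmentVariables($dll)
            $exists = Test-Path $path
            if ($exists) { $signed = (Get-AuthenticodeSignature $path).Status }
        }

        New-Object PSObject -Property @{
            CLSID     = $clsid
            Name      = $name
            Dll       = $path
            DllExists = $exists
            Signature = $signed     # 'Valid' for vendor-signed DLLs; unsigned adware usually 'NotSigned'
        }
    }
}

function Remove-BrowserHelperObject {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $bho = Get-BrowserHelperObjects | Where-Object { $_.CLSID -eq $Clsid }
    if (-not $bho) { throw "No BHO registered with CLSID $Clsid" }

    if ($bho.DllExists) { & regsvr32 /u /s $bho.Dll }     # unregister the COM server
    Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid" -Recurse
    Write-Host "Removed BHO $Clsid ($($bho.Name)); close and reopen Internet Explorer"
}

Get-BrowserHelperObjects | Format-Table CLSID, Name, DllExists, Signature, Dll -AutoSize
```

Look for entries whose DLL is unsigned, sits in an odd folder (a temp directory, the root of C:\, or a randomly named file in System32), or whose name does not match any software you installed; that is the entry to pass to Remove-BrowserHelperObject. Deleting the DLL itself is best done from Safe Mode, as the steps above describe, because Internet Explorer keeps it loaded otherwise.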

Firefox Flaw Could Let Attackers Change Cookies

A bug was recently uncovered in Firefox that could allow a malicious Web site to appear authentic. The bug affects the way Firefox handles writing to the "location.hostname" DOM property, according to a posting by security researcher Michal Zalewski on the security mailing list Full Disclosure. The vulnerability could potentially allow a malicious Web site to manipulate the authentication cookies for a third-party Web site.

By bypassing the same-origin policy, attackers could tamper with the way these sites are displayed or how they work. For users, this means the bug could allow the browser to appear as if the user were connecting to a bank, when in fact the user would be receiving data from an attacker.

Monday, February 12, 2007

Storm Worm DDoS Attack

A number of antispam websites came under a distributed denial of service attack on January 12, 2007. The trojan responsible for the attack was one of several dropped onto systems infected by a seeding of the email virus which later came to be called "Storm Worm", also known as W32/Small.DAM and Trojan.Peacomm. Researching further back in time, we find that variants of the same malware family were released in similar fashion in November, December and early January. Many AV companies labeled the previous variant "Win32/Nuwar".

When Storm Worm runs, it attempts to link up with other infected hosts via peer-to-peer networking. Through this conduit it gets a URL which points to a second-stage executable, which in turn downloads additional stages onto the infected system.
Source: SecureWorks Research, Storm Worm DDoS Attack

Saturday, February 10, 2007

10 tips for troubleshooting slowdowns in small business networks

Network congestion and slowdowns--whether caused by faulty hardware, negligent users, viruses or spyware applications gone wild, or other factors--lead to serious headaches for network administrators and support personnel. By keeping a wary eye tuned for the following 10 items, IT professionals can help prevent the most common causes of network slowdowns.

#1: Bad NICs
Intermittent network errors, particularly those isolated to a specific workstation or server, can often be traced to a failing network interface card. When you believe a network adapter may be failing, visually inspect the card's LED link lights.
A solid green (or amber) LED indicates the NIC has a good active physical connection with another network device, such as a network switch or router (blinking LEDs typically indicate the NIC possesses an active connection and is processing network traffic). If the LED is not lit green, it's likely the network adapter is disabled within Windows or doesn't have an active connection to the network. It's also possible the cable plugged into the NIC is connected to a nonfunctioning wall-jack or faulty network port.
If you can rule out nonfunctioning wall-jacks and faulty network ports (the easiest method of doing so is to connect the same network connection to a laptop known to have a properly functioning network adapter), and if the network adapter is properly enabled and configured in Windows, it's likely the NIC is bad and requires replacement.

#2: Failing switches/routers
Many network slowdowns are foreshadowed by strange occurrences. For example, regular Web traffic may work properly, but e-mail may stop functioning. Or, regular Web traffic may work properly but attempts to connect to any secure (HTTPS) sites may fail. In other cases, Internet access simply ceases across the board.
Often the best remedy for inconsistent network outages and/or slowdowns is to reboot or power cycle the network's routers/switches. If local network connectivity exists (if users can view and access network shares) but they are not receiving e-mail from external users or cannot access the Internet, rebooting or power cycling the WAN modem can often return the network to proper operation.
If you're having to reboot or power cycle a piece of network equipment consistently, make sure that it's connected to a quality uninterruptible power supply. Power fluctuations often result in confused switches and routers. If a network device is connected to a good UPS and still frequently experiences trouble, it may be necessary to replace the failing switch, router, or modem.

#3: Daisy chaining
As organizations grow, particularly small businesses, outside IT contractors often implement simple solutions. Many consultants choose to simply add a five-port router to an existing four-port router/firewall. Small businesses everywhere boast just such a setup.
However, as switches are added to a network, data packets must navigate additional hops to reach their destination, and every added device is another place where all traffic funnels through a single uplink port and another component that can fail. Depending upon the amount of traffic a network must support--and even a small dentist's or doctor's office can easily stress 10/100 Mbps systems due to X-ray imagery, patient file information, and other data--the addition of an extra hop or two can spell the difference between a smooth running network and one that frequently slows employee productivity to unacceptable levels.
Resist the urge to daisy chain multiple network switches and routers. Instead, plan for capacity. Or if unforeseen growth has resulted in successive connected switches, eliminate as many devices as possible through consolidation to a more potent and scalable unit.

#4: NetBIOS conflicts
NetBIOS, still in use on many Windows NT 4.0 networks in particular, contains many built-in processes to catch and manage conflicts. Occasionally, however, those processes don't handle conflicts properly. The result can be inaccessible file shares, increased network congestion, and even outages.
Guard against NetBIOS conflicts by ensuring older Windows systems all receive the most recent service packs. In some cases, Windows NT 4.0 systems having different service packs will generate telltale NetBT (ID 4320) errors.
Strange network behavior can also occur when two systems are given the same computer name or when two systems both believe they serve the master browser role. Sometimes the error will log itself as Event ID 8003 in a server's system log. Disabling WINS/NetBT name resolution (only if it's not required) can eliminate such issues.
If disabling NetBT is not an option, such errors can often be eliminated by identifying the second system that has the same computer name within the same domain and giving it a new name or by restarting the Netlogon Service on the domain controller. Yet another option for eliminating legacy NetBT issues is to search a system's LMHOSTS file for inaccurate or outdated entries. Some IT professionals claim they've solved similar errors by disabling and re-enabling the NIC on the offending system.

#5: IP conflicts
When addresses come from DHCP, the server normally won't hand out an address that is already in use, and Windows itself checks for a duplicate when it brings an interface up, logging the conflict and not using the address. But occasionally two systems with the same address still wind up on the same network. For example, one system could receive an address automatically while another is given a static address by a user that falls inside the DHCP range. When such conflicts occur, network slowdowns result, and the systems sharing the same address frequently experience outages.
Troubleshoot IP address conflicts by ensuring you don't have a rogue DHCP server on the network. Confirm, too, that configured DHCP scopes don't contain overlapping or duplicate entries and that any systems (such as servers and routers) that have been assigned static IP addresses have been excluded from the DHCP pools.
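The NetBIOS, master browser and IP conflicts in #4 and #5 all leave entries in the System event log, so the fastest first check is to pull those entries from the affected machines. The following is an added PowerShell example, not part of the article: it reads the System log for a given computer and reports the conflict events with a one-line meaning. Event IDs 4320 (NetBT) and 8003 (Browser) are the ones the article cites; 4319 (NetBT duplicate name) and 4199 (Tcpip address conflict, whose message names the MAC address of the other system) are added here. It assumes PowerShell 2.0 and rights to read the remote log.

```powershell
# Added example: collect name, browser and IP conflict events from the System log.
# Assumes PowerShell 2.0; remote reads need the Remote Registry service on the target.

function Get-NetworkConflictEvents {
    param(
        [string]$ComputerName = '.',
        [int]   $Days = 7
    )

    $meaning = @{
        4319 = 'NetBT: duplicate computer name seen on the network'
        4320 = 'NetBT: name conflict (often mixed service-pack levels)'
        8003 = 'Browser: another machine claims to be the master browser'
        4199 = 'Tcpip: IP address conflict; message gives the other MAC address'
    }

    Get-EventLog -LogName System -ComputerName $ComputerName -After (Get-Date).AddDays(-$Days) |
        Where-Object { $meaning.ContainsKey([int]$_.EventID) } |
        Sort-Object TimeGenerated |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time     = $_.TimeGenerated
                Computer = $_.MachineName
                Source   = $_.Source
                EventID  = $_.EventID
                Meaning  = $meaning[[int]$_.EventID]
                Detail   = ($_.Message -split "`n")[0].Trim()   # first line carries the name or address
            }
        }
}

# Summary first (which conflicts, how often), then the most recent entries in detail
$events = @(Get-NetworkConflictEvents -Days 7)
$events | Group-Object EventID | Select-Object Name, Count
$events | Select-Object -Last 10 | Format-Table Time, Computer, EventID, Meaning, Detail -AutoSize
```

A 4199 entry on a DHCP client usually points at a device with a static address inside the scope; the MAC address in the message can be matched against the switch's address table or the DHCP server's reservations to find it.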

#6: Excessive network-based applications
Occasionally, networks are overrun by the applications they power. For example, a physician's office that uses a Web-based patient and practice application will commonly have every workstation logged on to the program during business hours. Retrieving data from the patient database and consistent monitoring of appointment and scheduling information alone can place stress on even a well-architected network.
Add in the fact that each workstation is likely tuned to e-mail (and many offices are turning to VoIP) and it's easy to see how introducing a few streaming audio/video files to the mix (either in the form of online music services, news videos, or instructional medical presentations and Webinars) can unacceptably slow a 10/100 Mbps network's performance.
Implement policies--and if necessary, hardware-based Web filtering tools--to prevent applications from overwhelming available network bandwidth. Make sure employees understand they're not to stream unnecessary audio and video files. Further, when working with VoIP, be sure adequate data pipes are in place to manage both voice and data traffic.

#7: Spyware infestation
Spyware, the scourge of the last few years, finally appears to be meeting its match in business environments. The development of potent anti-spyware tools, combined with effective end user policies, is reducing the impact of spyware in many organizations. Windows Vista includes Defender, a decent anti-spyware application powered by the popular Giant engine.
However, infestations still occur, particularly on older systems that haven't been properly safeguarded. Implement strong user policies and either gateway-based protection or individual client applications to prevent spyware programs from consuming precious network bandwidth.

#8: Virus infestation
Just as spyware is proving containable within business environments, so too are viruses. That said, despite an administrator's best efforts--including firewall deployment, routine and consistent Windows patching, and the use of regularly updated antivirus programs--viruses do get through. The result can bring a network to a standstill.
For example, many viruses place Trojan programs on Windows systems, where they can wreak havoc. In addition to leveraging a system's ability to send e-mail to forward hundreds (if not thousands) of spam messages an hour, viruses can corrupt network configuration.
Defend against virus threats to network performance by ensuring firewalls, Windows updates, and antivirus programs are properly configured and maintained.

#9: Insufficient bandwidth
Sometimes, a network just doesn't have the throughput it requires. As with # 6--excessive network-based applications--some environments demand more bandwidth than others.
When a network does bog down, several options typically exist for increasing capacity. Besides boosting up- and downstream speeds, some offices may require additional dedicated connections. From multiple T1s to DS3s to even optical carrier-grade connectivity, many potential solutions exist.
Further, some organizations may need to upgrade existing 10/100 Mbps networks to gigabit speeds. By upgrading NICs, cabling, and devices to 10/100/1000 Mbps equipment--and replacing any remaining hubs with switches--many firms can realize significant capacity gains. In other cases, it may be necessary to subnet networks to localize particularly intense traffic to specific network segments.

#10: DNS errors
DNS configuration errors can lead to numerous network failures and generalized slow performance. When no DNS server is available on a local LAN, local systems may have trouble finding one another or accessing local resources because they'll have trouble finding service locator records that assist Windows systems in communicating with Active Directory. Worse, systems with no local DNS server or those workstations having DNS servers several hops away may experience delays or flat outages in accessing Web sites and extranets.
Try placing DNS servers as close to network systems as possible. Although adding DNS services to existing servers places greater demand on those boxes, properly configured machines can remain secure and noticeably enhance response times to external resources.
Also, always check to ensure systems are configured to use the proper DNS servers. Network architectures change over time, yet older workstations (particularly those set to use static addressing) occasionally are forgotten and continue operating using outdated DNS settings. As your organization and ISP update DNS systems, be sure workstations and other routing equipment actually receive the updates.
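To confirm which DNS servers a workstation really uses, and whether each of them can find a domain controller quickly, here is an added PowerShell example that is not part of the article. For every IP-enabled adapter it lists the configured servers, flags any not on an expected list (the stale static configuration the text warns about), notes whether the adapter is statically addressed, and times a lookup of the Active Directory locator SRV record through each server. It uses WMI and nslookup.exe so it runs on XP and Server 2003; the domain name and expected-server addresses in the usage line are assumptions you replace with your own.

```powershell
# Added example: audit per-adapter DNS settings and time the AD locator lookup.
# Assumes PowerShell 2.0, WMI access and nslookup.exe on the path.

function Test-DnsConfiguration {
    param(
        [string]   $Domain          = $env:USERDNSDOMAIN,   # set on domain-joined machines
        [string[]] $ExpectedServers = @()                   # empty list = don't flag anything
    )

    # the SRV record every domain member needs to locate a domain controller
    $srv = "_ldap._tcp.dc._msdcs.$Domain"
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

    foreach ($a in $adapters) {
        if (-not $a.DNSServerSearchOrder) { continue }     # adapter with no DNS servers at all

        foreach ($server in @($a.DNSServerSearchOrder)) {
            $sw = [Diagnostics.Stopwatch]::StartNew()
            # nslookup prints "svr hostname = <dc>" for each SRV answer it receives
            $out = & nslookup -type=SRV $srv $server 2>&1 | Out-String
            $sw.Stop()

            New-Object PSObject -Property @{
                Adapter      = $a.Description
                StaticIP     = -not $a.DHCPEnabled
                DnsServer    = $server
                Expected     = ($ExpectedServers.Count -eq 0) -or ($ExpectedServers -contains $server)
                FindsDC      = [bool]($out -match 'svr hostname')
                Milliseconds = $sw.ElapsedMilliseconds
            }
        }
    }
}

# usage; domain and server addresses are placeholders
Test-DnsConfiguration -Domain 'corp.example.com' -ExpectedServers '10.0.0.10', '10.0.0.11' |
    Format-Table Adapter, StaticIP, DnsServer, Expected, FindsDC, Milliseconds -AutoSize
```

A row with StaticIP true and Expected false is exactly the forgotten workstation the text describes; a row with FindsDC false, or a lookup taking hundreds of milliseconds, is a server that is either not authoritative for the domain or several hops away.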

Thursday, February 8, 2007

The frustration of bot fighters

This last week I was among those at the "secretive conference" of security folks, ISPs and law enforcement agents to discuss bots. Much like at last year's VB conference, there was much discussion about the need for more cooperation and information sharing between bot fighters. Not just within the three groups but within each of the individual disciplines. People within all of the three groups were clear that none of us have all the pieces of the puzzle, and that in order for us to truly make a dent in the growth of bots and botnets, we need to share more of our information with each other.

There has been much made of turf wars within the bot herder community, but the more notable thing in terms of fighting these bots is actually how much they're cooperating. We know they've been pooling resources to code their bots, but apparently they're also sharing botnet resources quite widely (for instance, to take down a particularly robust website that they wish to attack).
Source: McAfee Avert Labs Blog, Computer Security Research

Storm Worm Hits Computers Around the World

Computer virus writers started to use raging European storms on Friday to attack thousands of computers in an unusual real-time assault, the head of research at Finnish data security firm F-Secure told Reuters. The virus, which the company named "Storm Worm," is sent to hundreds of thousands of email addresses globally, with the email's subject line saying "230 dead as storm batters Europe." The attached file contains the so-called malware that can infiltrate computer systems. Storm Worm Hits Computers Around the World - News and Analysis by PC Magazine

Saturday, February 3, 2007

Myth #6: A wireless IDS is unnecessary if other rogue AP

While exposing the myth about the prevention of rogue APs could be a blow to wireless IDS vendors, there is another common Wi-Fi myth that has been having the opposite effect. Many networking professionals are under the mistaken impression that a wireless IDS is unnecessary if other rogue AP prevention measures are in place.

It’s easy to understand why the average network administrator might be hesitant to get behind a wireless IDS. They are very expensive and there’s not a whole heck of a lot of folks out there who actually understand everything that a wireless IDS is doing. Even most of the folks who have invested in a wireless IDS only did so because they need to prevent rogue access points.

The reality is that there’s a whole other area of troubleshooting and Wi-Fi optimization features that make wireless IDS products a valuable addition to most networks. Some of today’s wireless IDS offerings do location tracking, remote packet captures, and analysis of RF interference levels.

When you think about it, these other wireless IDS features are much more likely to make a networking person’s job easier than the ability to neutralize rogue APs. Instead of having to send field technicians out to every location that has a problem, a wireless IDS allows the experts that own your network to troubleshoot the wireless medium from a centralized location.


One more thing to think about is the fact that so many Wi-Fi users are new to the technology. New users are often reluctant to report problems or call the support team. A wireless IDS may be the best way to find out if some area of a facility is likely to be unsuitable for time-sensitive applications like VOIP or video conferencing.

This myth about the ways to use a wireless IDS really has more to do with the performance of the network than the security of the network. Let’s look at three more myths that really touch on the performance of Wi-Fi networks.

Friday, February 2, 2007

Myth #5: You need a wireless IDS to prevent rogue access

The previous Wi-Fi myth was a chance to examine a well-known relationship of safety and security: The more secure something gets, the less accessible it becomes to the folks who need to use it. There is another, more fascinating dichotomy as it pertains to technological advances in safety and security: As any entity becomes safer or more secure, the advance of technology will continue to create new ways to push the limits of this new security.

Take the security of automobiles. With airbags, crumple zones, and enhanced braking technology, cars and trucks are safer than ever. But as these safety enhancements have been introduced, more and more cars are capable of faster and more dangerous speeds due to ever-improving engine, cooling, and suspension technology.

In the world of Wi-Fi, things are no different. As Wi-Fi security has evolved from WEP to WPA and WPA2, people have become more and more comfortable buying Wi-Fi access points and station devices. With this boom in the number of wireless devices, network administrators have been forced to deal with the ever-increasing threat of rogue devices being attached to the network.

While the number of potential rogue access points has surely risen, the potential for intrusion has long been present. Many companies have introduced wireless intrusion detection systems (wireless IDS) as a way to counteract such intrusions. A wireless IDS can identify, locate, and even contain rogue access points. Over the last several years, many wireless IDS vendors have touted their products as essential tools for counteracting the threat of rogues.

There’s little question that a wireless IDS will help prevent rogue access points, but the question has to be asked: Is a wireless IDS the best tool for preventing rogue access points? The answer is a clear, “No.”

A wise man once said, “To thwart thy enemy, one must first know thy enemy.” (Actually, we’re not sure if anyone said that, but it sounds great, though.) Knowing rogue access points means knowing exactly what type of threat they pose to a network. A rogue access point is a threat because it could allow unauthorized users to gain access to network resources through a wireless link. Since a rogue AP is not managed by the network administrator, the authentication and encryption quality being used on a rogue AP cannot be verified. Without the guarantee of strong authentication and encryption, an intruder could use any number of means to gain network access from outside the walls of the organization.

In understanding the nature of rogue access points, two important principles come to light: They must be identified separately from any authorized APs in the area, and they must be blocked from network access.

A wireless IDS does a superb job of identifying 802.11a/b/g rogue APs. If an ACL is configured on the wireless IDS, the network administrator will receive an alarm every time an unauthorized device is nearby.

Unfortunately, a wireless IDS does a much less impressive job of identifying non-802.11a/b/g rogue APs. If someone plugs in a legacy AP that was based on 900 MHz and/or FHSS technology, that device will remain undetected. The same applies for certain newer non-802.11a/b/g APs like those based on Bluetooth and MIMO technology. Some newer wireless IDS vendors now offer products that can identify some of these non-standard APs, but comprehensive AP identification is virtually impossible.

A wireless IDS also does a less-than-superb job of blocking rogue APs from gaining network access. Almost every wireless IDS vendor offers some method of rogue AP suppression. Some vendors send a wireless DoS to the rogue AP and its associated stations. This technique is weak because a Wi-Fi adapter can have its drivers manipulated to ignore the de-authentication or disassociation frames that are used to cause a DoS attack. Other vendors shut down the wired port that the rogue AP is plugged in to. The weakness of this technique is that a rogue AP configured with encryption and authentication (yes, even WEP) will not allow the wireless IDS to send the message onto the wired side of the network so that the correct port can be identified.

Really, the problem with using a wireless IDS to prevent rogue APs begins and ends with the nature of the system itself. A wireless IDS is designed to be an overlay to a network. Heck, that’s part of its allure. You know: Installing the wireless IDS where Wi-Fi is not allowed. The best way to stop rogue APs is going to be something that is integrated with the network. It has to be something that allows a network manager to block access on every network port.
Wired 802.1X authentication is the perfect solution for blocking access on every network port.

When wired 802.1X is enabled, network access is denied until a device authenticates as an 802.1X supplicant. This is even more effective than using MAC address authentication for a couple of reasons. First of all, if you’re using 802.1X for your wireless users then you can use the same infrastructure that may already be in place. Secondly, 802.1X authentications generally include the negotiation of an encryption key. When encryption is used, MAC address spoofing becomes impossible because the intruder will not have the correct encryption key.

The myth that a wireless IDS is the best way to prevent rogue access points has benefited wireless IDS vendors for quite some time. Numerous students who attend our classes enter class with the idea that they need a wireless IDS to stop rogue APs, but by the end of the week, they usually see that wired 802.1X and wired MAC authentication are both more comprehensive methods.

Wednesday, January 31, 2007

Myth #4: Disabling the SSID broadcast will hide your

We’ve made it through a darn good portion of this paper without relying on analogies. As anyone who’s taken our classes knows, though, we love them. They tend to lighten up class a bit, and they let us talk about topics that we really know something about: movies and sports cars. We know you’re not exactly in a class right now, but let’s tackle our fourth myth by starting with an analogy of a really good Western movie.

Imagine your local bank. Imagine that Butch Cassidy and The Sundance Kid live nearby. Your bank clearly needs security, but it also needs to stay open to customers. Let’s now imagine that instead of installing a safe, some locks, and thick steel bars between the tellers and customers, you decide to simply take down the sign advertising the name of your bank. Your bank has now performed the financial equivalent of disabling the SSID broadcast.

Disabling the SSID broadcast has been touted by a number of network security professionals because the SSID will stay hidden from Wi-Fi client software. When users want to connect, they must manually configure the SSID (and accompanying security settings). Since hackers and wardrivers won’t know the SSID, they won’t be able to connect, right? Not exactly.

Forcing users to configure the SSID offers minimal security to a wireless network. As in our Wild West banking analogy, network intruders can see that a Wi-Fi network is there. Just as Butch and Sundance would have been able to identify the bank by watching the clientele that entered, wardrivers can identify the SSID by capturing frames with applications like Wildpackets Omnipeek when authorized users connect.

When stations are connected to the network, they are constantly looking for other APs with the same SSID. They must do that to enable roaming. When APs respond to these probing stations, the SSID is sent as clear, viewable text whether encryption is being used or not.

Now, it should be pointed out that your SSID will stay hidden as long as the network remains unused. For an AP to respond with the SSID in clear text, a station must probe the AP using the correct SSID. But think about it; how often is your network in use? If your network is like most enterprise Wi-Fi networks, it’s in use darn near all day. That means attackers have the ability to uncover your hidden SSID in a matter of seconds whenever they darn well please.

In the end, what you’ve got is a security method that gives you no real protection against malicious intruders, but causes your novice Wi-Fi users to have a tougher time getting connected. Why put your users (and the support team) through all of that? Once you consider the good and bad of leaving the SSID broadcast enabled, you’ll probably find that it’s summarized best by paraphrasing Butch Cassidy’s thoughts from the first scene in the movie: “It’s a small price to pay for manageability.”

Tuesday, January 30, 2007

How do I... Secure Windows XP NTFS files and shares?

File Share Permissions
Most users begin sharing files with workgroups, or peer-to-peer networks, by following these steps:

1. Right-clicking the folder containing the documents, spreadsheets and files they wish to share.
2. Selecting Sharing And Security from the pop-up menu.
3. Selecting the Share This Folder button from the Sharing tab of the folder's Properties dialog box. (Figure A)

A folder's Properties dialog box is used to configure share-level permissions for users and groups.

4. Entering a Share Name for the folder.
5. Optionally supplying some wording describing the folder's contents within the Comment field.
6. Clicking OK.


However, that method won't always work as you intend, especially on Windows XP systems formatted with NTFS (in which conflicting NTFS permissions can prevent an intended user from accessing those resources -- more on that in a moment). Worse, Windows XP's default share permissions behavior is set to provide Everyone with access to the share's contents.

It's also important to note that Windows XP's Simple File Sharing, enabled by default, must be turned off to specify different permissions for different users. To turn off Simple File Sharing:

1. Open Windows Explorer.
2. Click Tools.
3. Select Folder Options.
4. Click the View tab.
5. Within the Advanced Settings window, scroll to the bottom and uncheck the box for the Use Simple File Sharing (Recommended) option.
6. Click OK.

To remove the Everyone permissions, and specify varying access permissions different users should receive to a file share:
1. Right-click the folder you wish to share.
2. Select Sharing And Security from the pop-up menu.
3. Click the Permissions button. The Permissions For FolderName dialog box will appear. (Figure B)
Share permissions are configured using the Share Permissions tab (reached by clicking the Permissions button from a shared folder's Properties dialog box).

4. Highlight Everyone from within the Group Or User Names window.
5. Click the Remove button.
6. Click the Add button. The Select Users Or Groups dialog box will appear. (Figure C)

Specify users and groups by entering them in the Enter The Object Names To Select window and clicking OK.
7. Within the Enter The Object Names To Select window, specify the users' names for whom you wish to provide access, then click OK.
8. Highlight (within the Group Or User Names window) the names of the users and groups you selected, then specify the appropriate permissions within the Permissions For Username or Group window (each of Full Control, Change and Read can be set to Allow or Deny).
9. Click OK to apply the changes and close the dialog box; click OK to close the FolderName Properties dialog box.

The Full Control permission enables a user or group to read, write, delete and execute files within the folder. Users possessing Full Control permission can also create and delete new folders within the share.

The Change permission enables a user or group to read and change files within the folder and create new files and folders within the shared folder. Users with Change permission can also execute programs within the folder.

The Read permission, meanwhile, enables a user or group to read files within the share and execute programs located within the folder.

Windows XP systems formatted with the NTFS file system provide additional permission settings. The next section reviews configuring NTFS permissions.

NTFS Permissions

Windows NTFS permissions provide a host of additional permissions options. In addition, NTFS permissions can be applied to a single file or folder.

Before configuring NTFS permissions, first ensure the Windows XP system is configured to use the NTFS file system:

1. Click Start.
2. Click Run.
3. Type compmgmt.msc and click OK. The Computer Management console will appear.
4. Highlight Disk Management within the Storage section to learn the file system in use for each of the system's drives.

If a hard disk or partition isn't formatted using NTFS, you can upgrade the disk by typing convert X: /fs:ntfs where X denotes the drive requiring the upgrade. Using the convert command, you can upgrade a drive to NTFS without losing its data. However, it's always best to confirm you have a working backup on hand before executing the command.

To configure NTFS permissions:

1. Right-click the file or folder you wish to share.
2. Select Properties from the pop-up menu.
3. Click the Security tab.
4. Use the Add/Remove buttons to add and remove permissions for users and groups.
5. Highlight the respective user or group within the Group Or User Names window and specify the appropriate permissions from within the Permissions For User/Group window using the provided Allow and Deny checkboxes. (Figure D)
6. Click OK to apply the changes.


NTFS permissions permit applying more granular rights, as compared to folder shares.

Note that, by default, subfolders will inherit permissions from parent folders. To customize permissions inheritance, click the Advanced button found on the Security tab of the file or folder's Properties dialog box.

Several NTFS permissions are available:


Full Control -- enables a user or group to perform essentially all actions, including view files and subfolders, execute application files, list folder contents, read and execute files, change file and folder attributes, create new files, append data to files, delete files and folders, change file and folder permissions and take ownership of files and folders.
Modify -- enables a user or group to view files and subfolders, execute application files, list folder contents, view file and folder attributes, change file and folder attributes, create new files and folders, append file data and delete files.
Read & Execute -- enables a user or group to view files and folders, execute application files, list folder contents, read file data and view file and folder attributes.
List Folder Contents -- enables a user or group to navigate folders, list folder contents and view file and folder attributes.
Read -- enables a user or group to view a folder's contents, read data and view file and folder attributes.
Write -- enables a user or group to change file and folder attributes, create new files, make changes to files and create new folders and append file data.

To determine a user's ultimate resulting permissions, add all the NTFS permissions granted to a user directly and as a result of group membership, then subtract those permissions denied directly and as a result of group membership.

For example, if a user is explicitly granted Full Control but is also a member of a Group in which Full Control is denied, the user will not receive Full Control rights. If a user received Read & Execute and List Folder Contents in one group but was also a member of a group that had List Folder Contents denied, the user's resultant NTFS permissions would be only Read & Execute. For this reason, administrators should carefully apply Deny permissions, as the Deny attribute overrules any equivalent instances of Allow when the two rights are applied to the same user or group.

Windows XP includes an effective permissions tool you can use to help verify the permissions a user or group receives. To access the tool:

1. Open the folder or filename's Properties dialog box.
2. Click the Security tab.
3. Click the Advanced button. The Advanced Security Settings For File/Foldername dialog box will open.
4. Click the Effective Permissions tab. (Figure E)
5. Click the Select button.
6. The Select User Or Group dialog box will appear.
7. Type the group or username whose permissions you wish to confirm in the Enter The Object Name To Select window and click OK.
8. The Advanced Security Settings For File/Foldername dialog box will display the resulting NTFS permissions for that user or group.


The Effective Permissions tab helps simplify determining a user or group's actual permissions.

Combining Share and NTFS Permissions

It sounds straightforward. Configure the permissions you want and a user is good to go. But there's one additional catch to keep in mind. Folder share and NTFS permissions must combine to determine the actual rights a user or group receives. Unfortunately, they often conflict.

To determine the ultimate permissions a user receives, take the user or group's resulting share permissions and compare them with the user or group's resulting NTFS permissions. The more restrictive of those rights will prevail.

For example, if a user's resulting NTFS rights are Read & Execute and the same user's resulting share permission is Full Control, the user will not receive Full Control. Instead, Windows applies the more restrictive of the two resulting rights, which in this case is the NTFS permission of Read & Execute.

Remember that, to determine a user or group's ultimate resulting permissions, the more restrictive of the resulting NTFS and share rights applies. This is an important lesson that's easily forgotten but that quickly leads to frustration for users, so be sure to spend time up front properly calculating share and NTFS permissions.
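The two rules above (add every Allow a user gets directly or through groups, subtract every Deny, then keep only what both the share and the NTFS result permit) are easy to get wrong by hand. The following is an added example, not code from the article: it models each named permission as the bundle of individual rights the article describes (the right names such as read_data are this example's own), resolves a constructed set of ACEs for a user and her groups, and intersects the share and NTFS results.

```python
"""Resolve a user's effective rights to a shared NTFS folder (added example)."""
from __future__ import annotations

# Individual rights that the named permissions bundle (these names are ours).
LIST, READ_DATA, READ_ATTRS, EXECUTE = "list", "read_data", "read_attrs", "execute"
WRITE_DATA, APPEND, WRITE_ATTRS = "write_data", "append", "write_attrs"
CREATE_FILES, CREATE_FOLDERS, DELETE = "create_files", "create_folders", "delete"
CHANGE_PERMS, TAKE_OWNERSHIP = "change_perms", "take_ownership"

ALL_RIGHTS = frozenset({LIST, READ_DATA, READ_ATTRS, EXECUTE, WRITE_DATA, APPEND,
                        WRITE_ATTRS, CREATE_FILES, CREATE_FOLDERS, DELETE,
                        CHANGE_PERMS, TAKE_OWNERSHIP})

# Named NTFS permissions, following the article's descriptions.
NTFS: dict[str, frozenset] = {
    "Read": frozenset({LIST, READ_DATA, READ_ATTRS}),
    "List Folder Contents": frozenset({LIST, READ_ATTRS}),
    "Read & Execute": frozenset({LIST, READ_DATA, READ_ATTRS, EXECUTE}),
    "Write": frozenset({WRITE_DATA, APPEND, WRITE_ATTRS, CREATE_FILES, CREATE_FOLDERS}),
}
NTFS["Modify"] = NTFS["Read & Execute"] | NTFS["Write"] | {DELETE}
NTFS["Full Control"] = ALL_RIGHTS

# Named share permissions: Read, Change (read plus write, create and delete), Full Control.
SHARE: dict[str, frozenset] = {
    "Read": frozenset({LIST, READ_DATA, READ_ATTRS, EXECUTE}),
}
SHARE["Change"] = SHARE["Read"] | NTFS["Write"] | {DELETE}
SHARE["Full Control"] = ALL_RIGHTS

# One entry as the dialogs show it: (principal, "Allow" or "Deny", named permission).
Ace = tuple[str, str, str]


def resolve(aces: list[Ace], table: dict[str, frozenset], principals: set[str]) -> frozenset:
    """Union of every Allow for any of the user's principals (the account itself
    and every group it belongs to), minus every Deny for any of them."""
    allowed: set[str] = set()
    denied: set[str] = set()
    for principal, kind, name in aces:
        if principal not in principals:
            continue  # this entry is for someone else
        rights = table[name]
        if kind == "Allow":
            allowed |= rights
        elif kind == "Deny":
            denied |= rights
        else:
            raise ValueError(f"unknown entry type {kind!r}")
    return frozenset(allowed - denied)  # Deny overrules any equivalent Allow


def effective_access(ntfs_aces: list[Ace], share_aces: list[Ace], principals: set[str]) -> frozenset:
    """Rights a network user finally gets: only what BOTH the resolved share
    permission and the resolved NTFS permission grant, i.e. the more
    restrictive of the two for every individual right."""
    return resolve(ntfs_aces, NTFS, principals) & resolve(share_aces, SHARE, principals)


def named(rights: frozenset, table: dict[str, frozenset]) -> list[str]:
    """Named permissions that a set of rights fully covers (for display only)."""
    return sorted(name for name, bundle in table.items() if bundle <= rights)


if __name__ == "__main__":
    # Constructed sample: 'alice' is a member of 'Staff' and 'Contractors'.
    alice = {"alice", "Staff", "Contractors"}
    ntfs_aces = [("alice", "Allow", "Full Control"),
                 ("Staff", "Allow", "Modify"),
                 ("Contractors", "Deny", "Write")]
    share_aces = [("Staff", "Allow", "Full Control")]
    result = effective_access(ntfs_aces, share_aces, alice)
    # Full Control minus Write leaves read, execute, delete, change_perms, take_ownership.
    print(sorted(result))
    print(named(result, NTFS))
```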

Myth #3: Captive Portals are an effective way to prevent

When WPA or WPA2 can’t be used, many organizations turn to a captive portal to control network access. A captive portal is defined as a network security system that restricts access until a user verifies a credential through a web interface. The theory behind such systems is that web browsers are available on all manner of Wi-Fi devices, so creating a captive portal to authenticate the public would allow the largest number of authorized users to gain access to the Internet.

Hotels, universities, and airports are just some of the places that use captive portals. Those environments must handle such a wide variety of station devices that choosing one type of security is generally thought to be restrictive to the point that some of the target audience may be unable to enjoy wireless Internet access.

Using a captive portal does allow access to a wide variety of stations, but the security design is quite flawed. To understand the flaw in authenticating users via a captive portal, one must first understand what a captive portal is. Captive portals are a layer 2 security method. When users authenticate to a captive portal, their MAC address is placed in a list of authorized users. When the person logs off, their MAC address is removed from the list.

Once it is understood that a captive portal is nothing more than a dynamic MAC address filter, it becomes easy to understand why they are ineffective at restricting unauthorized users from a public Wi-Fi network. A number of free, simple software tools are available that allow people to modify the MAC address of their network interfaces. If an intruder has one of these tools and an 802.11 protocol analyzer, he could easily identify an authorized user’s MAC address and masquerade as that user to gain network access.

A secondary reason why captive portals are no longer considered a good way to restrict unauthorized users from a public network is that Wi-Fi client utilities have become largely standardized. Users of all operating systems now have client utilities available that support WPA and even WPA2 on a number of adapters. With these stronger security protocols now being nearly ubiquitous, it has become reasonable to require public access users to log in with a WPA/WPA2 Personal passphrase rather than through a captive portal. A publicly distributed passphrase may lack the security required for an enterprise network, but it is a far more secure solution for public networks than a captive portal.

Sunday, January 28, 2007

Myth #2: Even with 802.11i, you still need a VPN to

Once a network security professional learns that the physical layer of the network can be extended outside a room, building, or even across town, by an intruder with a high-gain antenna, it’s only natural to get skittish about allowing access points on the LAN. When you consider security options for this type of network that has an openly accessible physical layer, comparisons to the Internet are inevitably made.

IPSec and SSL VPNs have long been a logical way to secure users accessing the network via WAN connections, so it makes sense that people would choose those same options to secure a wireless LAN. To make matters worse, many network security veterans have been bombarded with news items telling them how vulnerable Wi-Fi networks are to intrusion—WEP or no WEP.

When WEP was fixed with the introduction of WPA in 2003, many people noticed. When 802.11i and WPA2 were introduced in 2004, even more people noticed. But few people who knew about WPA and WPA2 really knew the ins and outs of how they make wireless networks secure.

WPA fixed WEP by introducing TKIP (Temporal Key Integrity Protocol) encryption and using 802.1X/EAP or WPA-PSK as secure authentication methods. TKIP is an encryption type based on the same cipher as WEP. While TKIP fixes the flaws in WEP, perhaps even more important is the fact that it kept the same cipher as WEP so that legacy equipment could be upgraded with improved software, not hardware.

Even when WPA became widely available, security professionals still had good reason to recommend VPNs for some secure Wi-Fi environments. TKIP’s use of the RC4 encryption cipher meant that certain organizations (Department of Defense, financial services, etc.) would be unable to comply with tough regulatory standards for IT security unless IPSec or SSL were employed.

When WPA2 was released, all of that changed. WPA2 uses CCMP (Counter Mode CBC-MAC Protocol) encryption. This is significant because the cipher used in CCMP is AES. The AES cipher is the strongest cipher used with IPSec VPNs, and it has no known flaws. The end result is that using CCMP on an 802.11i network provides encryption that is as strong as the strongest IPSec VPN.


Some network security professionals who acknowledge the encryption strength of 802.11i still prefer VPNs because authentication on IPSec and SSL connections is known to be secure. In fact, there are very real concerns when certain types of authentication are used in concert with CCMP encryption. WPA-PSK and 802.1X/EAP-LEAP authentication are both vulnerable to dictionary attacks.

Even though vulnerable WPA2 authentication methods do exist, several secure authentication methods are available as well. When a Wi-Fi network is designed using the 802.1X framework with EAP-TLS, EAP-TTLS, or PEAP authentication, wireless credentials are kept private using tunneling technology similar to SSL. Devices that use CCMP encryption with any of the aforementioned types of authentication are easily identified with the WPA2 Enterprise certification.

The development of WPA2 Enterprise has been an important step in the security evolution of Wi-Fi networks. For some IT security folks, however, being just as secure as an IPSec or SSL VPN isn’t quite enough. Seasoned security people know VPNs. They may not really know WPA2 Enterprise and, therefore, may be unwilling to adopt it when VPNs are readily available. For that reason, it’s important to understand that WPA2 Enterprise is not just as good as an IPSec VPN; it’s better.

WPA2 Enterprise offers benefits over wireless VPN connections in terms of cost, performance, availability, and support. There are numerous ways to express the advantages of WPA2 Enterprise, but a look at the intrinsic nature of each technology is the most revealing way to understand it. Wi-Fi is a layer 2 technology and WPA2 Enterprise secures the network at layer 2. IPSec is a layer 3 technology, which makes it fundamentally less scalable, secure, and manageable for securing a layer 2 link.

Friday, January 26, 2007

ELEVEN Myths about 802.11 Wi-Fi Networks series 1

It seems that Wi-Fi networks have been misunderstood by much of the IT community since their inception.
Even the reasons for this misunderstanding are kind of hard to understand. It could be that the rising popularity of Wi-Fi caused demand to surge ahead of the supply of professionals ready to manage networks. Maybe it’s that networking folks and radio frequency folks both had to learn the other side’s technology on a fairly intimate level. Maybe it’s just that engineers cooped up in an RF chamber all day have a hard time explaining themselves. Whatever the reason, the result has been that myths about 802.11 (better known as Wi-Fi) networks have grown almost as fast as the technology itself.

Being wireless networking instructors allows us a unique perspective in sampling the Wi-Fi myths that are believed by a wide variety of IT professionals. In this series we examine 11 such myths and explore ways to use correct information about wireless LANs to make your networks scalable, secure and satisfying to your users.


Myth #1: If you leave your Wi-Fi adapter turned on, someone could easily hijack your notebook and take control of your computer.

The most widely publicized presentation at the 2006 Black Hat hackers convention revolved around a vulnerability in certain wireless device drivers. Though the chipsets that use these drivers were left unnamed, the end result was that intruders associated to the same Wi-Fi network as your notebook computer could potentially gain access to your machine through a command line interface.

This is a severe vulnerability, and it strongly emphasizes the point that Wi-Fi stations should be kept from associating to unknown networks. Unfortunately, the people responsible for creating the application that performs this intrusion also ended up perpetrating one of the most widely spread myths concerning Wi-Fi security.
As part of the promotion of their presentation, the authors of this attack tool claimed that Wi-Fi stations were vulnerable to attack just by leaving their Wi-Fi adapters enabled. They could be correct to an extent, as there may be heretofore unknown flaws in Wi-Fi device drivers that could allow an attacker to disengage normal login protections that are in place for today’s operating systems.

Where the presenters of this attack went wrong is in suggesting that a full active attack—one where a victim’s entire machine is overrun—is possible against any poor sap that has a Wi-Fi adapter turned on. In certain situations, this line of thinking ends up being accurate but, like many network intrusions, it would take an extremely negligent end user for such a diabolical attack to be successful.

Let’s put one semi-myth to bed right away: Attackers cannot access your computer without first establishing a connection to the same network you are associated to. This is a fundamental truth of networking. Any peer-to-peer attack—such as the CLI attack touted at Black Hat 2006—requires that data be transferred from station to station. Since a Wi-Fi association is necessary for a notebook computer to have a data link layer (layer 2) connection, perpetrating this attack on an unassociated machine is simply impossible.

Now let’s look at the more widely propagated myths. Many people believe that unassociated stations are vulnerable because your notebook computer can be easily hijacked onto a nearby network by an attacker. It is also widely held that associated stations could surreptitiously roam to nearby APs set up by attackers (we’ll call these “hijacker APs”). These myths are tricky because there is some truth to both of them. Let’s differentiate, shall we?

Concerning unassociated stations, many of them are indeed vulnerable to hijacking. Specifically, stations that are controlled by Wi-Fi client utilities that use a Preferred Networks list are vulnerable to hijacking. If the attacker creates an AP with a non-encrypted SSID that is in the station’s Preferred Networks list, the station will connect to the hijacker AP.
There are a couple of solutions to the problem of hijacker APs. Users could eliminate this threat by removing all non-encrypted SSIDs from their list of Preferred Networks. This becomes difficult because every time a user connects to a Wi-Fi network, the SSID and encryption settings (or lack of encryption settings) are automatically added to their Preferred Networks list. A more comprehensive solution is to disable the Wi-Fi adapter when it is not in use. Sure, this is a great solution in theory but, in practice, users are oftentimes forgetful or negligent when it comes to network security.

Solving the hijacker AP problem may be getting easier. Applications like NetOaats can be configured to disable a user’s wireless network adapter upon the connection to a wired network. It can even be configured to work the same way if a notebook establishes a connection to a Broadband wireless network (like the EvDO networks from Sprint and Verizon). By having users simply run the NetOaats application, they become much less susceptible to peer-to-peer attacks.

Another item that could counteract the attack from Black Hat 2006 is the preponderance of security protocols that prevent Wi-Fi stations from accessing each other. Protocols such as Cisco’s Public Secure Packet Forwarding (PSPF) prevent a wireless user from accessing another wireless user’s station when they are connected to the same AP. This is known as wireless client isolation. Virtually every commercial public Wi-Fi Internet service uses some kind of wireless client isolation protocol. The end result is that users remain safe as long as they stay connected to the network of the Wi-Fi Internet access provider.

There are several other mini-myths that are related to this fundamental myth about the ease of hijacking users. One is that users will connect to an ad-hoc (peer-to-peer) Wi-Fi network that is configured with the same SSID as an AP. This is false because Beacon frames from APs always indicate whether the network is a BSS (network with an AP) or an IBSS (ad-hoc network).

Another myth is that users will automatically connect to any access point in the area if their Wi-Fi adapter is left enabled. While some very old client utilities did have this flaw, today’s client utilities usually only allow a Wi-Fi station to associate to SSIDs that are configured with proper security settings in the list of Preferred Networks.

The truth about the flaw that was presented at the Black Hat 2006 conference is that it appears to be a very real device driver flaw dressed up in a Wi-Fi vulnerability to peer-to-peer attacks that has been known and understood for years by well-versed network security professionals. It is true that if the following conditions are met, users are vulnerable to the full attack:

1. The user has an enabled Wi-Fi adapter.
2. The user’s Wi-Fi adapter is not associated to a network that uses encryption.
3. The user has a non-secure SSID configured in their list of Preferred Networks.

If any of these three conditions are not met, the Black Hat 2006 wireless attack becomes just another vulnerability on the periphery of Wi-Fi that perpetrates one of the most common myths about Wi-Fi security.
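An added audit script, not from the original post, that implements the mitigation described above on a newer Windows: it lists saved Wi-Fi profiles whose authentication is Open, which are the non-encrypted SSIDs the post recommends removing from the Preferred Networks list, and shows whether Windows will auto-connect to them. It assumes Windows Vista or later, where saved networks are managed by netsh wlan (Windows XP stores its Preferred Networks list differently and is not covered).

```powershell
# Added example, not part of the original post. Lists saved Wi-Fi profiles
# whose authentication is Open, i.e. the non-encrypted SSIDs the post says
# users should remove from their Preferred Networks, plus whether Windows
# will auto-connect to them. Assumes Windows Vista or later, where saved
# networks are managed by "netsh wlan"; Windows XP stores its Preferred
# Networks list differently and is not covered by this script.

function Get-FieldValue {
    param([string[]]$Lines, [string]$Field)
    # Returns the value after "<Field>   : " on the first matching line, or $null
    foreach ($line in $Lines) {
        if ($line -match ('^\s*' + [regex]::Escape($Field) + '\s*:\s*(.+?)\s*$')) {
            return $Matches[1]
        }
    }
    return $null
}

function Get-SavedWifiProfileNames {
    # "netsh wlan show profiles" prints one "All User Profile : <SSID>" line per saved network
    $names = @()
    foreach ($line in (netsh wlan show profiles)) {
        if ($line -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $names += $Matches[1] }
    }
    return $names
}

function Get-OpenWifiProfiles {
    foreach ($name in Get-SavedWifiProfileNames) {
        # Per-profile detail includes an "Authentication : Open|WPA2-Personal|..." line
        $detail = netsh wlan show profile name="$name"
        $auth   = Get-FieldValue -Lines $detail -Field 'Authentication'
        $mode   = Get-FieldValue -Lines $detail -Field 'Connection mode'
        if ($auth -eq 'Open') {
            [PSCustomObject]@{
                SSID           = $name
                Authentication = $auth
                ConnectionMode = $mode   # "Connect automatically" is the risky setting
            }
        }
    }
}

$open = @(Get-OpenWifiProfiles)
if ($open.Count -eq 0) {
    Write-Host 'No open (non-encrypted) saved Wi-Fi profiles found.'
} else {
    $open | Format-Table -AutoSize
    Write-Host 'Remove a profile with: netsh wlan delete profile name="<SSID>"'
}
```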

Monday, January 22, 2007

Help users create complex passwords that are easy to remember

So how can you make sure users' passwords are complicated enough to deter hackers and easy enough to remember? One of my colleagues offers the following trick for creating complex passwords that meet complexity requirements while still being possible to remember.

Step 1: Come up with a base word
Pick the name of a pet or any common thing that's easy to remember. For example, say you once lived in Louisville. You can use that to establish the base of your password and satisfy the required criteria for a strong password.
Remember: You need at least one capital letter and either a number or special character. So, using Louisville as your base word, you can substitute an ! or 1 for i and replace the s with $—e.g., Lou1$ville or L0u!$ville.

Step 2: Add more characters to the base word
Pick any four characters to add to the base word.

Step 3: Store your password without worry
Now, write down the added four characters, along with a clue for the base word. Using our previous example, you would write down city1xyza, where city1 signifies Louisville with a 1 and $ and xyza represents the four additional characters.

So, even written down, this password reference would serve as a reminder of your complete password while revealing nothing to any roaming eyes. (Keep in mind that this example is a 14-character password. While that may be longer than the actual requirement, it may be easier to remember.)

Friday, January 19, 2007

Take advantage of the Windows XP Start menu's pinned items list

You're probably familiar with Start's left side menu—but do you know why the program list is divided in two? Here's what you need to know about the pinned items list found in Windows XP, and how you can customize it to easily access your favorite programs.

The left panel of the Start menu consists entirely of a divided list of programs that Windows XP thinks will come in handy for you: the pinned items list above the separator line, and the most frequently used programs list, displayed below the line.

By default, Windows XP places links to your Internet browser and your e-mail application in the pinned items list and will place as many as 30 shortcuts to the programs that you've recently used in the most frequently used programs list. (The most frequently used programs list is, by default, six shortcuts long.)

In order to really take advantage of the Start menu as a launching area for all the programs you use most often, you can configure the entire left panel as a pinned items list. Here's how:


1. Right-click the Start button and select the Properties command to display the Taskbar and Start Menu Properties dialog box.

2. Click the Customize button adjacent to the Start Menu radio button to display the Customize Start Menu dialog box.

3. In the Programs panel, use the Spin button to set the Number Of Programs On The Start Menu setting to 0. Click the Clear List button.

4. In the Show On Start Menu panel, you can clear the Internet check box because the Internet Explorer icon already appears in the Quick Launch menu by default, and maybe even the e-mail check box, depending on how you launch your e-mail application.

5. Click OK twice—once to close the Customize Start Menu dialog box and once to close the Taskbar and Start Menu Properties dialog boxes.

6. Click the Start button and access the All Programs submenu.

7. Locate and right-click on a shortcut to a program you use most often and select the Pin To Start Menu command.

You can pin as many as 30 of your most often used programs to the Start menu, depending on your screen resolution setting. With your actual favorite programs on the pinned items list, you can now really take advantage of the Start menu.

Thursday, January 18, 2007

Speed up Windows XP's defrag operations

Note: This tip applies to both Windows XP Home and Professional editions.
A simple way to speed up a defrag operation in Windows XP is to restart the system before you launch Defrag. This allows the operating system to clear out the swap/paging file and reset it to the default size. This lets Defrag focus strictly on the necessary data on the hard disk without having to stop and manage a huge swap file loaded with unneeded data.
Another approach to speeding up a defrag operation in Windows XP is to configure it to occur immediately upon startup. Fortunately, you can do so easily with this simple registry edit:

1. Launch the Registry Editor (Regedit.exe).
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
3. Right-click on the RunOnce subkey and select New String Value.
4. Name the value Defrag and press [Enter] twice.
5. Type Defrag.exe c: /f in the Value Data text box and click OK.
6. Close the Registry Editor and restart Windows.
The defrag operation will begin when you type in your password and press [Enter]. (Keep in mind that values added to the RunOnce key are removed immediately after the command has been run.)

Tuesday, January 16, 2007

How to Back up Mozilla Firefox and Thunderbird

Backing up Firefox and Thunderbird is easier than you think....

Firefox and Thunderbird

Firefox users need to regularly back up to guard against the possibility that their profile gets corrupted or wiped after installing a new extension or a new version of Firefox. If you use Thunderbird then it's even more important that you back up to ensure you don't accidentally lose your email correspondence and account settings.

There are two ways to back up: use a backup utility or do it yourself manually.

Backup Utilities
MozBackup is a free utility written by Pavel Cvrcek that will automatically back up Firefox and Thunderbird as well as Netscape and the full Mozilla suite. It works like a charm - the whole process is driven by a Wizard so easy to use that even raw beginners will be able to set up automatic backups. It also offers encryption of the backup files and a complete push-button restore option.

MozBackup only backs up the essential information rather than all the information in your Mozilla profile but that's fine for most users. You can get MozBackup here: http://mozbackup.jasnapaka.com/index-old.html

Manual Backup
Backing up Firefox and Thunderbird manually is as simple as copying their respective profile folders to another location. If you do that, you’ll have a full backup with all your settings and personal data saved.

The hard part is finding the profile folders. First up, they are not located where you would expect to find them. Secondly, they are located in different places for different versions of Windows. Thirdly, they may be assigned random file names that make them difficult to recognize.
On Windows 2000/XP machines the locations for your Firefox and Thunderbird profiles are respectively:

  • C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
  • C:\Documents and Settings\<username>\Application Data\Thunderbird\Profiles\<profile folder>\

To back these up I copy the profiles to an external USB drive. It's as simple as that. I do it manually but you could also use Windows Scheduler or a backup manager to do the job automatically. Make sure, though, that Firefox and Thunderbird are not running before you back up.
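An added script, not from the original post, that performs the manual backup described above: it reads each product's profiles.ini to find the randomly named profile folder, refuses to run while Firefox or Thunderbird is open, and copies the profile folders to a backup location. The destination E:\MozillaBackup is an assumption; on Windows 2000/XP, %APPDATA% resolves to C:\Documents and Settings\<username>\Application Data.

```powershell
# Added example, not from the original post. Locates the Firefox and
# Thunderbird profile folders via each product's profiles.ini (so the random
# folder name does not have to be known), refuses to run while either
# application is open, and copies the profiles to a backup destination.
# Assumption: the backup drive/folder is E:\MozillaBackup (change to suit).

$BackupRoot = 'E:\MozillaBackup'

function Get-MozillaProfiles {
    param([string]$AppDataRoot = $env:APPDATA)
    # Windows 2000/XP: %APPDATA% = C:\Documents and Settings\<user>\Application Data
    $apps = @{ Firefox = 'Mozilla\Firefox'; Thunderbird = 'Thunderbird' }
    foreach ($app in $apps.Keys) {
        $base = Join-Path $AppDataRoot $apps[$app]
        $ini  = Join-Path $base 'profiles.ini'
        if (-not (Test-Path $ini)) { continue }
        $name = $null; $path = $null; $relative = $true
        # profiles.ini is INI-style: [Profile0] Name=... IsRelative=1 Path=Profiles/xxxx.default
        foreach ($line in (@(Get-Content $ini) + '[end]')) {
            if ($line -match '^\[') {
                # a new section starts: emit the previous profile, if complete
                if ($name -and $path) {
                    $full = if ($relative) { Join-Path $base $path } else { $path }
                    [PSCustomObject]@{ App = $app; Name = $name; Path = $full }
                }
                $name = $null; $path = $null; $relative = $true
            } elseif ($line -match '^Name=(.+)$')     { $name = $Matches[1] }
            elseif ($line -match '^Path=(.+)$')       { $path = $Matches[1] -replace '/', '\' }
            elseif ($line -match '^IsRelative=(\d)$') { $relative = ($Matches[1] -eq '1') }
        }
    }
}

function Backup-MozillaProfiles {
    param([string]$Destination = $BackupRoot)
    # The post's caveat: the applications must be closed, or files may be locked or inconsistent
    $running = Get-Process -Name firefox, thunderbird -ErrorAction SilentlyContinue
    if ($running) {
        $names = ($running | ForEach-Object { $_.Name } | Select-Object -Unique) -join ', '
        throw "Close $names before backing up."
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    foreach ($p in Get-MozillaProfiles) {
        if (-not (Test-Path $p.Path)) { continue }
        $target = Join-Path $Destination "$($p.App)\$($p.Name)-$stamp"
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        # Copy the whole profile folder (bookmarks, mail, settings) into the dated target
        Copy-Item -Path (Join-Path $p.Path '*') -Destination $target -Recurse -Force
        Write-Host "Backed up $($p.App) profile '$($p.Name)' to $target"
    }
}

Backup-MozillaProfiles
```

Scheduling this script with Windows Scheduler gives the automatic backup the post mentions; the running-process check makes a scheduled run fail safely rather than copy a profile that is in use.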

Sunday, January 14, 2007

Fix a registry on a dead system

Sometimes a registry problem causes a computer not to boot or to prevent logon. If you can't boot the computer, or you don't have any other means to restore the problem registry file, you might be able to open the registry on another computer, fix it, and restore it to the problem PC.

In order to fix the registry this way, you must be able to boot the system through a diskette or dual-boot configuration and gain access to the file system. You also need to be able to copy the registry file to a removable media with sufficient space to accommodate it or be able to copy the file across the network.

Here's how to modify a remote registry locally on your computer if you can't connect to it across the network:

1. Boot the other computer with a boot diskette or dual-boot OS and then copy the problem hive file to a removable media or directly across the network to your system.
2. Log in as administrator on your system and run REGEDIT.EXE.
3. In the Registry Editor, select either the HKEY_LOCAL_MACHINE or HKEY_USERS window, and then choose Load Hive from the Registry menu.
4. Locate the file copied to the system in step 1, select the file, and click Open. This loads the hive into the local registry as a subkey of the selected key.
5. Make the necessary changes to the damaged hive and then choose Unload Hive from the Registry menu.
6. Copy the hive file back to its original location on the problem computer. Restart to test the system.

Note: Editing the registry is risky, so make sure you have a verified backup before making any changes.

Recovering from a forgotten Administrator password in Windows 2000 Pro

It's the one of the worst things you can do, and it makes you feel like a complete idiot. You forgot the password for the Administrator account of your Windows 2000 Pro system. If you've just finished the install, check for an innocent mistake before you jump out the window or reinstall—enter the password in uppercase in case the Caps Lock key was on when you created the Administrator account.

Didn't do it? Hopefully you have another account that is a member of the Administrator's group. If so, just log on with that account and change the Administrator password. If that doesn't do the trick and you can afford to lose any other accounts contained on the system (likely with a workstation but unlikely on most servers), delete the SAM hive. On a FAT system, boot the computer with an old DOS or Windows 9x boot disk and delete the %systemroot%\System32\Config\SAM file (or rename it). On an NTFS system, you can use the Recovery Console to access and delete the file, but only if you have configured the Recovery Console for automatic administrative logon through the local security policy or through the inherited domain security policy.

Another option is to back up the system, reinstall Windows 2000, and then restore the system. As when deleting the SAM, you'll lose your accounts, but at least you'll have the system back with all your other settings intact. And if you absolutely don't want to lose your accounts, check out http://www.winternals.com/ for utilities that will enable you to reset the administrator password.

Thursday, January 11, 2007

IT NEWS 2007 Security Threats on the Rise

With the new calendars freshly hung on the wall, an important question surfaces: What security threats are on the rise for 2007? It appears that the year will bring more narrowly defined threats or "targeted threats," which are different from what we've seen before. They are more focused on individual information as opposed to mass-mailing worms that are sent over the Internet to randomly infect victims.

Monday, January 8, 2007

SPEED UP Your Internet connection settings: DSL/Cable/56K

Now that Windows XP is installed, it's time to get the internet connection working. Most popular are DSL or cable connections, but a connection through your phone line is also possible. Follow the instructions of your service provider.

The simplest connection is through a gateway router. The gateway router (provided by some of the internet providers as the modem) keeps the DSL or cable internet connection alive, and makes sure that every connected computer is able to reach the internet. If this is the case, you only have to plug in the ethernet cable and the connection will probably be there automatically.

DSL or Cable? Buy a gateway (wireless) router!
There are increasingly more households with more than one computer. By placing these computers in a network, all computers are able to connect to the internet at the same time. Besides using the same internet connection, you are also able to share printers and files as well!
Theoretically, creating a network with a gateway router is not that difficult, in most cases easier than sharing the internet connection within Windows. In practice, however, many people have a lot of problems, especially if a secured wireless connection is on the wish list! Most internet providers use a modem with DHCP to get connected. By setting up the router with an automatic IP address you are probably quickly online (sometimes you have to clone the computer's MAC address). Although there are routers which support a USB modem, I advise buying an ethernet modem. Besides that, I advise using a modem supported by your internet provider (if you buy a combined modem-router, you will probably get no support if needed).

Optimizing the internet connection

For maximum performance, it's wise to optimize your internet connection. For this purpose you can make use of the utility TCP Optimizer (download: http://www.speedguide.net/downloads.php). This tool can be used for both Windows XP/2000 and 98/ME. Choose your internet connection type, option Optimal settings, and Apply changes to optimize your connection.
On the MaxMTU tab, use the value 1500, reboot Windows and run the test (change the target host to www.google.com if needed); the optimized MaxMTU will be found.

Internet by a 56K modem

If you are still using an old-fashioned 56K modem, I can imagine you get irritated with the noise. Switching the noise off is easy: Control Panel, Network Connections, right-click the 56K connection and choose Properties, button Configure (the modem), tab Modem, Speaker volume: Off.
Are you having trouble creating a connection? Use the following initialization strings (in the same place): s11=55 to get connected faster and s10=60 to prevent being disconnected.

Internet history cleaning (cookies, temporary files, history, visited websites)

With every visit to a website, all sorts of information and files are stored on your computer. There are a few tools to erase this information easily. I like the following utilities most:
Active@ Eraser for Windows (download: http://www.active-eraser.com/)
IEHistoryView from Nirsoft (download: www.nirsoft.net/utils/iehv.html)
Active Eraser actually overwrites the data, so it is no longer recoverable!

Thursday, January 4, 2007

How to remove the SpywareKnight (Removal Instructions)

SpywareKnight is a rogue anti-spyware application that uses aggressive advertising, popups, and Internet Explorer start page hijacking. Popups will display alerts stating that you are infected with various malware including one called Win32.Trojan.Dropper.

If you start Internet Explorer your homepage will be about:blank and contain text stating that you are infected with Trojan.DLoader/LX and that you should install either Spyware Knight or SpySoldier to remove it. These popups and warnings are fake and are only being displayed to scare you into purchasing the commercial versions of SpywareKnight and SpySoldier. Needless to say, you should not purchase these programs.

Tools Needed for this fix:
SmitFraudFix.zip
Symptoms in a HijackThis Log:
O4 - Startup: spywareknight.lnk = C:\Program Files\SpywareKnight\spywareknight.exe


  1. Next, please reboot your computer into Safe Mode by doing the following:
    a. Restart your computer.
    b. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    c. Instead of Windows loading as normal, a menu should appear.
    d. Select the first option, to run Windows in Safe Mode.
    e. When you are at the logon prompt, log in as the same user with which you had done the previous steps.
    f. Wait until your computer has started in Safe Mode and you see the desktop.
    g. Click on the Start button and then select the Control Panel menu option.
    h. When the Control Panel opens, double-click on the Add or Remove Programs icon.
    i. When the Add or Remove Programs window opens, look for the SpywareKnight 1.2 entry and double-click on it. This will launch the uninstall program for SpywareKnight.
    j. When the uninstall program has started, click on the Yes button when it asks if you would like to uninstall the program. Then click on the OK button when it tells you the program has been successfully uninstalled to finish the uninstall.
    k. Close all open windows.
    Now, double-click on the SmitFraudFix icon that should be residing on your desktop. The icon will look like the one below:

2. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

3. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).

4. The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.

5. This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient.

6. When it is complete, it will close automatically and you should continue with step 11.
When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y key on your keyboard and then press the Enter key.

7. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.

8. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen. Your computer should now be free of the SpywareKnight infection.
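An added check, not part of the removal guide, that parses HijackThis O4 autostart lines such as the symptom listed above and flags entries that match a name from this guide or that run from a temporary folder. The log lines it scans are constructed samples, and the "runs from a temporary folder" heuristic is my own addition.

```powershell
# Added example, not part of the original removal guide. Parses HijackThis
# "O4" (autostart) lines and flags entries that match a rogue name from the
# guide or whose target sits in a temporary folder, so the spywareknight.lnk
# symptom can be spotted in a log mechanically.
# The log lines below are constructed for illustration.

$SampleLog = @'
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spywareknight.lnk = C:\Program Files\SpywareKnight\spywareknight.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
'@

# Names taken from the removal guide above; extend with your own indicators
$KnownRogueNames = @('spywareknight', 'spysoldier')

function Get-O4Entries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Two O4 shapes: "O4 - <location>: [<label>] <path>"
        #            and "O4 - Startup: <shortcut> = <path>"
        if ($line -match '^O4 - (?<loc>[^:]+): (?:\[(?<label>[^\]]*)\]\s*|(?<label>[^=]+?)\s*=\s*)(?<path>.+)$') {
            [PSCustomObject]@{
                Location = $Matches['loc']
                Label    = $Matches['label']
                Path     = $Matches['path']
            }
        }
    }
}

function Test-SuspiciousAutostart {
    param($Entry)
    $reasons = @()
    foreach ($name in $KnownRogueNames) {
        if ($Entry.Path -like "*$name*" -or $Entry.Label -like "*$name*") {
            $reasons += "matches known rogue name '$name'"
        }
    }
    # Legitimate autostarts rarely run from temp or browser-cache folders
    if ($Entry.Path -match '\\(Temp|Temporary Internet Files)\\') {
        $reasons += 'runs from a temporary folder'
    }
    if ($reasons.Count -gt 0) { return $reasons } else { return $null }
}

foreach ($e in Get-O4Entries -Lines ($SampleLog -split "`r?`n")) {
    $why = Test-SuspiciousAutostart $e
    if ($why) {
        Write-Host "SUSPICIOUS: $($e.Location) [$($e.Label)] $($e.Path) -- $($why -join '; ')"
    } else {
        Write-Host "ok:         $($e.Location) [$($e.Label)] $($e.Path)"
    }
}
```

To scan a real log, replace $SampleLog with Get-Content on the saved HijackThis log file; the O4 entry for spywareknight.lnk and the Temp-folder entry are the two lines this sample flags.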