Wednesday, January 31, 2007

Documentation Made Easy!

Lets face it, documentation is a pain, wish you had a tool to do it all without installing a huge piece of software on every machine you need to inventorize? Well, try SIW.

My clients do not mind if i do screen captures and documenting after the settings but you know how tedius this can be right BUT they won't like it if i install *ANY* software which modifies registries, installs drivers etc just to inventorize their machines.

I bumped into this tool introduced by a friend, Frank Rovers, called System Information for Windows or short for SIW.

Why i like this tool?
  • You don't have to install anything, just run the EXE file

  • Collects huge amount of information that you could do so within minutes which you would normally do in hours

  • Collects Software, Hardware and Network information

  • Collects realtime information like CPU, HDD etc

  • Has some pretty neat tools right out like reveal passwords hidden behind asterisks, Product Keys and Serial Numbers (CD Key), MAC Address Changer, Shutdown / Restart.

  • ITS FREE!

THANK YOU GABRIEL TOPALA Download it straight from here http://www.gtopala.com/en/siw.exe

PS> Vista will request admin rights to run this tool :D

PS> The *secret* is dangerous, it can reveal passwords stored in plain text, so try not to export secrets out into exportable formats. BE RESPONSIBLE. Mine revealed Firefox password (im gonna blog this)

Tuesday, January 30, 2007

"EXPERTS" view on Vista

So, is Vista worth the security investment-upgrade? Apparently NOT. I agree, the answer is not really. Read this CNET article talks more about that. http://news.com.com/Experts+Dont+buy+Vista+for+the+security/2100-1016-6154448.html?part=dht&tag=nl.e703.

To put things in perspective, if you give fully armoured tank to a monkey, he'll still walk out naked to get his banana. If you want a "Secure-Paranoia" OS, run DOS unplug the network and don't communicate, at all. Otherwise, most OS-es can be well secured. I've facilitated a Windows 2000 server environment for years without much threat, so, in conclusion on to that article, yes, get Vista to enjoy the fancy bit which includes automatic security spoon feeding which can be compelling to the novice right down to the hardcores, but don't get it to fix your lack of consciousness and down right ignorance.

Enjoy your Vista, i know i am..

Virus Incident Management (draft-v-0.1)

Hmm, recently, there was an outbreak at our client, interestingly, there wasn't any procedures brought up by our clients or ourselves, so i took a little time to write this. Hopefully some find it useful. Its a bits and pieces of various guides out there, only more , ahem, human...

Key success factors:

  • Right tools
  • Right people
  • Right process

Key process

  1. Identify & Investigate
  2. Isolate
  3. Rectify
  4. Recover
  5. Recommend

NOTE: There are sub processes that should kick in at every stage within this guide.

Identify and Investigate
  • Identify the validity of the threat. Classify the threat.
  • Assess the impact from a business and technical point of view
  • Identify infected sources through many methods like Antivirus management consoles, Network analysis tools, IDS/IPS tools, Network logs/activities analysis, 3rd party centralized identification tools,
  • Identify and familiarize with the various threats currently being faced
    • Understand and investigate the cause of the virus attack
      • For mitigation
      • Legal reasons
    • Determine if the attack was targeted or not for forensic analysis
    • Create an image of one infected machine(s) for forensics and proof (preferably the first infected system)
      • Do not alter this system
      • Ensure system level operations won’t overwrite the infections
  • Identify owners or managers of these infected sources, helpdesk, security personnel and other help you can get
  • Identify and existing processes or procedures that can help to access information and resources within the organization
  • Identify and setup a incident management committee which should include

  • Technical engineers
  • Internal administrators and MIS
  • Top management support is also desirable
Isolate

  • Internal & external containment – Ensure those infected sources are isolated from further re-infections and infecting other sources. Unhook them from the network if necessary. Ensure to have authoritative support (e.g. Top management, department heads, head of operations)
  • It is also possible to isolate these sources using network tools such as routers, switches or firewalls. Other tools include personal firewalls, antivirus programs with firewall function etc.
    • E.g. block access of the protocol/port being used by the threat to propagate
  • Separate and classify high, medium and low threat and risk machines and act on them accordingly
  • Isolation can be a continuous process and should
Rectify

  • Obtain the virus signature and fix tools from your antivirus vendor.
  • Test the fix in your virus signatures staging lab, if you have one; otherwise, on non-critical systems in your production environment. This includes testing any repair tools that must be run before using the updated virus signatures.
  • Develop a workable method for deploying the repair-and-fix process.
  • Create a plan detailing how you will repair the damage and deploy fixes, where you will start and how the process will proceed. Validate this plan with all affected teams and your antivirus vendor. Plan to first clean all infected perimeter and email servers and update their virus signatures.
  • Distribute the fix to all workstations and servers in your environment.
  • Isolate systems that require repair.
  • Run all required fix tools on all infected systems to remove the virus or disable it.
  • Scan all systems with the updated virus signatures to remove all infected files.
  • Eliminate all temporary and suspicious files, including hidden directories and files.
  • Remove or alter configuration information used for the functionality of the virus or that might allow the virus to reappear.
  • Remove configuration information that may cause system failures.
  • Search for newly mounted partitions created by the virus and eliminate them.
  • Search for missing log partitions and restore.
  • Search for added or altered user accounts and remove or restore.
  • Restore changed or deleted files.
  • Depending on the risks, determine methodology for each levels like e.g.
    • High – Reformatting may be required
    • Medium – Intensive scanning from more than one AV product, run tools, keep machine on surveillance (Eg. Network monitoring tools, IDS, IPS)
    • Low –Intensive scanning using a single AV product
  • Certify by labeling each cleaned / un-cleanable sources, report to control center of cleaned and un-cleanable sources periodically or in a agreeable fashion (e.g. report by floor, department)
Recover

  • Create a recovery plan for each type of threat
  • Restore and recover high and medium risk machines
  • Apply network and operating system fixes and patches
  • Restore data from backup if required
Recommend

  • Every incident should be a learning and a learning plan should be developed to mitigate future threats
    • Modify policies if required
    • Identify need for training if required (Administrators and Users)
    • Identify need for new products/solutions
  • Include enforcement as part of the security policy. Systems that violate policy can be disabled automatically and the people who thwart policy can be sanctioned through HR policies.
  • Create incident response procedures and put together a virus response team.
  • Clarify or adjust the reporting structure and communications processes within the technology departments and among the teams, to simplify infection response processes.
  • Educate upper management on the importance of proactive virus protection.
  • Require backup servers for all critical files.
  • Products to look at;
    • Install antivirus solutions to filter email, Internet and network traffic and local file access.
    • Implement centrally managed antivirus software to control configurations and keep virus signatures current.
    • Install both host-based and network-based intrusion detection technology. Host-based intrusion detection can detect viruses that the antivirus software may miss. Network-based, intrusion-detection technology helps determine the spread of the infection. Newer network intrusion prevention technology can even help stop the spread of the infection.
    • Install security management software to monitor policy adherence and system patching.
    • Simplify the network topology so it can be easily segmented during a virus infestation.
    • Install email content filtering technology to block email based on strings of text in the subject line or the body of the message.
    • Implement desktop firewall software to block the spread of a virus through specific ports. Desktop firewalls are especially important with the advent of VPN and wireless solutions.
  • Create enforcement like which ties down to disciplinary action from management
    • Prevent users from disabling antivirus software.
    • Limit the allowable file extensions for email attachments.
    • Implement a process in order to keep system patches up to date.
    • Institute technology or processes to verify that antivirus software is running and up to date.
    • Lock down workstations to limit regular users' ability to modify their systems.
    • Disable the Windows Scripting Host, as it is not often needed by users and provides a known propagation method. You may also want to remove scripting in Outlook and Internet Explorer.
    • Disable the ability to access external IM systems, news groups, email servers or other externally controlled communication platforms.

Monday, January 29, 2007

Lost your ISA Backup Password?

Something interesting i found while playing around with ISA 2004 (might even work with other versions too).

If you got a backup and forgotten the password, simple.

  • Install ISA
  • Create a backup of that server in a file and remember the password
  • Open the backup file using notepad, copy out the MD5 hash
  • Paste this hash inside the backup file which you've lost
  • Import the backup with the password that you created earlier

OR, if you have at hand an MD5 hashing tool, just hash out the new password. Not sure if that would work tho.... (This is for the geeks who have hashing software in their mobile phones or favorite link in their browsers)

There. Cool huh.

Microsoft Security Advisory (932114) - Vulnerability in Microsoft Word 2000 Could Allow Remote Code Execution

If you run Microsoft Word 2000 there's a security bug but there's no real fix to it right now. So in short, do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.

Or

Ensure your Antivirus is updated. If unsure, download Windows Defender to provide you with advice. Its free, get it from http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en

Or

Upgrade to Office 2007 :)

Or

If you are unsure of the content, open it using Word Viewer, its free and safe of this attack (Word Viewer can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=95E24C87-8732-48D5-8689-AB826E7B8FDF&displaylang=en

Do remember that you must not open Word documents directly in Microsoft Word's full version, to do this, ensure you save the document into your local drive and launch Word Viewer to open it.

Automation/Propagation
Note, this worm/attack is not automated, you need to be wise enough to decide if the source is good or untrusted. Remember the rule? If you aint sure, dont do it..

Link: http://www.microsoft.com/technet/security/advisory/932114.mspx

Java Beans Gone Bad

There are some issues with Java!. So are you affected? Most likely yes, if you use a web browser like Internet Explorer or Mozilla Firefox.
If you are not a tech geek, just go to this website and run the online installation to safeguard your computers. Just click http://www.java.com/en/download/installed.jsp this site will verify your installation and check if you need a latest updated version/or not.

---Geek start here----

VU#149457
12/20/2006
Sun Java JRE vulnerable to arbitrary code execution via an undetermined error
VU#102289
12/20/2006
Sun Java JRE vulnerable to privilege escalation
VU#939609
12/20/2006
Sun Java JRE vulnerable to arbitrary code execution via an unspecified error
VU#388289
01/16/2007
Sun Microsystems Java GIF image processing buffer overflow

Technical Info
Systems Affected
  • Sun Java Runtime Environment versions
  • JDK and JRE 5.0 Update 9 and earlier
  • SDK and JRE 1.4.2_12 and earlier
  • SDK and JRE 1.3.1_18 and earlier


Overview
The Sun Java Runtime Environment contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
I. Description
The Sun Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Sun has released updates to the Java Runtime Environment software to address multiple vulnerabilities. Further details about these vulnerabilities are available in the Vulnerability Notes Database.
Note that exploit code is publicly available for at least one of these vulnerabilities.
II. Impact
By convincing a user to run a specially crafted Java application, a remote, unauthenticated attacker can execute arbitrary code on a vulnerable system. A common attack vector would be a web page that contains a Java applet.
III. Solution
Apply an update from Sun
These issues are addressed in the following versions of the Sun Java Runtime environment:
JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_13 or later
SDK and JRE 1.3.1_19 or later
If you install the latest version of Java, older versions of Java may remain installed on your computer. If these versions of Java are not needed, you may wish to remove them. For instructions on how to remove older versions of Java, refer to the following instructions from Sun.
Disable Java
Disable Java in your web browser, as specified in the Securing Your Web Browser document. While this does not fix the underlying vulnerabilities, it does block the most common attack vector.
SRC:http://www.us-cert.gov/cas/techalerts/TA07-022A.html
---Geek end here----

Hit a problem? Don't worry, Google It.

Hi IT Admins and Engineers, like you, i face challenges with implementations and configuration, but i must say, most of my solutions i get from Google (or any search engine to that matter).

For example, if you hit a Microsoft related issue, go straight to www.google.com/microsoft.

Most of the time, a solution will appear, but you must be wise enough to decide if the information seen on the linked website can serve you any good (or do you more harm).

3 Quick tips on searching;
  1. Use unique words, numbers, terms
  2. Keep it short
  3. Use " " quotes if you need the word hit be together

Happy troubleshooting, its fun, really, if you know where to get help.

Three Simple Ways to Protect Your Windows

Lets face it, there's way way too many opinions out there about computer security, if they do you any good, great, if you are confused, then follow these simple steps i believe in.

  1. Update your windows, turn on Automatic Updates (http://support.microsoft.com/kb/306525)
  2. Install at least an Antivirus product with a basic firewall feature (I personally like Kaspersky Internet Security, http://www.kaspersky.com/kis6)
  3. If you are not sure, don't do it, google it out first, check out what the experts say

There, simple right?

ISA 2008 Is In The Bakery

One of the products from Microsoft i truly like is Microsoft ISA Server. ISA has proven its strength and robustness and we personally run it at our office. It just runs, just runs well.

Since ISA 2004, I've been impressed, I've tried 2006 but haven't tried 2008, i am participating in the TAP.

So what's new in ISA 2006 (from ISA 2004)?
  • SharePoint Server Publishing Wizard.
  • Integrated support for Exchange 2007
  • Branch Office VPN Connectivity Wizard
  • Flood Resiliency
  • Enhanced remediation during attack
  • Single sign on (for Web)Support for LDAP authentication
  • Cross-Array Link Translation (worked on single ISA previously)
  • BITS caching
  • Web Publishing Load Balancing (free, free, free, you know how much these things cost?)
  • HTTP compression
  • Diffserv (Quality of Service)

I will try to get the new features of ISA 2008..stay tuned

[From https://partner.microsoft.com/global/productssolutions/40029027]
Get first-mover advantage on the next generation of Forefront edge security and access technology: enroll in the Technology Adoption Program (TAP). Work directly with the product team, help improve the product, start a new practice, and get visibility for your solution upon product launch. To get started, send email to: ngtprcrt@microsoft.com.

Top 10 things about Vista


THE VISTA'S AERO EFFECT
  1. Security - Even, logged in as administrator, gives you non administrative rights, just yet, those admin rights request will pop-up when its needed. So, this means, if there's an automated process that tries to run as local logged in privileges, they may have problems executing admin level functions.
  2. Aero - Darn, its cute, takes a little more video power at the core, but hell, its worth it
  3. Incompatible program will be booted - Good, cause, i don't want some crappy lack of testing product running on my system
  4. Bitlocker - Finally, your data belongs to you even if some terrorist picks up your stuff
  5. Its fast - Although, some may not be too fond of this though, i think, with decent hardware, Vista performs quite well with all the junk i am running on it now...
  6. My favorite programs work - Fear of unable to run your favourite program? If it runs on XP with SP2, most likely it will run with Vista
  7. Update is integrated - I do not access any website, just hit the updater..viola...
  8. Event viewer - Awsome, awsome..It sorts important events to the regular bla blas, it has more categorization (this feature will kick ass in Longhorn)
  9. Vista's Parental Control - Now i can force myself out of surfing porn :D, and works like a charm, and its part of the OS
  10. Windows Defender - Its truly a centralized command center for security related to your computer.