Sunday, April 22, 2007

Idiocracy Alert - Phone to Human virus

Some people in the middle eastern parts of the world including Pakistan have been shaken by phone SMS messages warning them about the existence of a phone to human virus. This hoax, just like many we JUNK in Outlook, had forced public figures to release statements clearing up the rumors.

Apparently, provider HOTLINES were swarmed with messages requesting clarification from subscribers.

How lame can one be? Very, very lame. The LAME-O-Meter has hit the roof..

Thursday, April 19, 2007

Every cloud has a Silverlight

Look out Flash, here's come another ray of light, called Silverlight. Silverlight is Microsoft's answer to rich web applications which previously dominated by Macromedia Flash. I tried some of the samples, looks like it can do pretty much what Flash can, like, play games, watch movies and enhance users's interaction on your website.

Apparently, Silverlight would work across platforms and browsers. Developers on the other hand, would need the .NET framework to develop but there's a piece of software that end users need to download to view such Silverlight enabled websites.

If you would like to download and test this, check out the CTP. The software is still under development and is not final yet though.

W32.Rinbot - Exploitation of Windows DNS and other vulnerabilities

It comes as no surprise that the exploitation of the MS DNS issue is out and around. According to Symantec, this particular worm executes several vulenrability checks (much like a security scanner) and exploits those that are vulnerable. In short, the process is completely automated and will drop codes inside your computer leaving it open for remote code execution.

It's odd as to why Symantec categorizes this threat as Low (for now). I would think its pretty high as the fixes for MS DNS is still in the bakery. So, please ensure your AV and Windows is constantly updated. As for the DNS issue, please apply the workaround as seen in my previous posts.

Excerpt from this article:

The worm scans network for computers vulnerable to the following vulnerabilities and exploits them:

  • The Microsoft DNS Server Service Could Allow Remote Code Execution (BID 23470) on TCP port 1025
  • The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) on TCP port 139
  • Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107) on TCP port 2967

Monday, April 16, 2007

WARNING - DNS Zero day exploit code is public

My previous post talks about the DNS vulnerability and now the exploit codes are available and are being used already to VERY EASILY EXPLOIT DNS servers especially within an organization (typically). No one in their right mind would publish RPC over the internet, right.., right..!!??

Remember to run the WORKAROUND FIX in my previous post to ALL DOMAIN CONTROLLERS TO START WITH. A successful attack, again, on a domain controller could lead to complete risk to your AD.

Saturday, April 14, 2007

Windows 2000/2003 DNS Server Service Zero Day Exploit

A new buffer overflow vulnerability with the RPC protocol for managing the DNS service in Windows 2000 (all SPs) and Windows 2003 (all SPs) has been discovered by hackers. Upon successful execution of this exploit, the attacker can run code with the security equivalent of SYSTEM (which is pretty much everything but the kitchen sink).

Microsoft says, in this article, to apply workarounds which includes disabling the RPC management for DNS, local management of DNS will still be possible.

Some security companies have flagged this critical, and i must agree with them. A lot of people will run DNS on a domain controller which holds Active Directory. Having successfully exploited on these domain controllers could leave your entire AD at risk. This could mean all sensitive user, Exchange and other related data could be at risk

It is also possible to perform advanced RPC filtering using application layer firewalls. Simply block MMC RPC connectivity to servers running DNS.

Client operating systems such as XP or Vista are not affected. ISS has raised it's AlertCon to 2 following this zero day exploit. If the exploit codes fall into wrong hands, this could potentially be another MSBLASTER like affect to Windows boxes.

KB: http://support.microsoft.com/kb/935964

Friday, April 13, 2007

CurrPorts - A must have program in your support thumbdrive

Ever wanted to check what ports is a particular program listening on? Well, if you run Windows, there's an awesome tool called CurrPorts which has been around for sometime now. I used it this morning, and still loving it.

Windows itself can do a little to enumerate processes to ports but it's on CLI for now, i.e. NO GUI (i'm a GUI addict, i mean, why make things complicated right?)

Why i love CurrPorts?
  1. I can checkout what program is listening, communicating and responding to which port(s) including UDP ports. Double clicking the process will enlist all necessary information about that process/ports/application
  2. I can KILL programs, more hardcore then "END TASK" from Windows.
  3. I can run this to analyze application behaviors
  4. Its free and there's no crappy INSTALLERS, just run LAH!
  5. Runs on Vista (used to like ActivePorts, but it doesn't support Vista :(
This was my swiss army knife even these days when looking for worms/trojans especially when my faithful antivirus have no clue on what's going on. I just run Currports, terminate the lights off those bugs. Check out CurrPorts. Get it here.

Spam Storm

Some sources have confirmed a highest number of spam since 12 months ago containing security related messages and request users to patch files etc. Please be very careful, i do not know any klutzy security companies that send updates via emails. WELL THEY DON'T. Have a good weekend.

Read the full article: Here

Excerpt:
Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the [ http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015979 ]"Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.

Thursday, April 12, 2007

Checklist for designing Active Directory

Well, i walked the web for a while now and finally i had to make a checklist myself of designing Active Directory. I hope this super simple guide helps presales, consultants and other enthusiasts out there..

10 Hot-checklist for Implementing/Designing Active Directory:
NOTE: Please know AD first then by running this checklist, you can't go too wrong.

1. Organization needs for AD
2. Forests and domain structures
3. Domain Name System, WINS and DHCP
4. Sites and Replication
5. Domain controllers, FSMO, GC
6. Organizational Units
7. Group Policy
8. Users, computers, groups and objects naming
9. Security (authentication, auditing, authorization, etc)
10. Schema extension, custom coding and application integration

Of course there are a little more things one must consider when designing AD but here's a good start to working on another list.

Hope this helps :)

Wednesday, April 11, 2007

Vista updates

Yesterday (Apr 10, 2007), Microsoft released 4 to 5 updates for Vista. I downloaded and patched the CSRSS manually and got 4 updates on WindowsUpdate program.

Also, there's a couple of high criticality vulnerabilities on Windows and anyone running Windows should immediately run Windows update. Some of these vulnerabilities exploits are publicly available and can execute codes remotely, so do not take things lightly..

Tuesday, April 10, 2007

Active Directory Bulk Editing GUI

What do you want to bulk modify today?

Tired of writing VB scripts to modify Active Directory object attributes (users, groups, etc) then try out Microsoft Exchange team's ADModify.net. This is a cool tool do perform bulk modification of attributes of Active Directory and / or Exchange using a graphical user interface (GUI)

AD and Exchange administrators (or vendors) will find this tool indispensable and in a simple to use interface. But do remember, modifying the attribute values will immediately reflect on your AD and think about what's gonna' happen when it starts replicating attributes across your forest.

Alright some features drill down;
1. Supports AD 2000 or higher
2. Support Exchange schema extensions
3. Custom LDAP queries

Download and play around with this free tool but be careful not to make a booboo.

Source download: ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify

Guide/howto: http://www.msexchange.org/articles/ADModify-Change-Exchange-Specific-AD-User-Attributes.html

Psychic Whois


I found this tool website called Psychic Whois (http://www.psychicwhois.com/). It has a cool way of looking for WHOIS domain information in an autocomplete method. If you're a researcher or enthusiasts you could use the site for finding domain names quick and easy. Like the google of domain names, only with autocomplete.

Monday, April 9, 2007

Which Active Directory Schema?

Now that Microsoft released Windows 2003 R2, some customer have been facing issues making their R2 box a domain controller. This is simply because R2 requires an upgrade of the schema of Active Directory to a higher one from Windows 2003.

So, if you intend to use any of your R2 boxes as a domain controller, you must first upgrade the schema using adprep from the Windows 2003 R2, disc #2.

Also, disc 2 is the one that actually upgrades your Windows 2003 to R2. The first disc contains a slipstream version of Windows 2003 SP1. Disc 2 makes the box R2. So run the adprep from disc 2 and now you can introduce R2 boxes as domain controllers.

So what's the schema versions for different Windows boxes?
  • 13=Microsoft Windows 2000
  • 30=Original release version of Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 (SP1)
  • 31=Microsoft Windows Server 2003 R2

"You can verify the operating system support level of the schema by looking at the value of the Schema Version registry subkey on a domain controller. You can find this subkey in the following location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

You can also verify the operating system support level of the schema by using the Adsiedit.exe utility or the Ldp.exe utility to view the objectVersion attribute in the properties of the cn=schema,cn=configuration,dc= partition. The value of the Schema Version registry subkey and the objectVersion attribute are in decimal. " SRC: Microsoft KB Reference:
http://support.microsoft.com/kb/917385

Sunday, April 8, 2007

iPod virus?


Kaspersky recently detected a potential program/virus dubbed Podloso that could be used and infect a linux based iPod's executables with the extension .elf. Right now, i guess there's no "real" virus *yet* that could spread automatically and do bad stuff to your cute-lil-ipod.

The best thing to do as a user of iPod now is not to panic *yet*. If they do bump into something that resembles close to a virus for these devices, rest assured, it will get posted here, someone will find a cure and someone will find another new ". More reading: Here.

It is an interesting breakthrough in malware vectors. It would come as no surprise if Zune, Xbox, PS2/3 and all those connect-capable devices be at risk.

Friday, April 6, 2007

Why you should disable dynamic objects caching on your proxy server

If you run a proxy server in your organization, please take note about enabling caching for dynamic objects. Dynamic objects are normally pages that change based on user inputs or is a similar page with different information based on who's logged on etc.

Why you should not enable caching for Dynamic Object?
Because, there's a chance that certain logged on pages like say for example, sites like myspace, blogger (this) can be cached and the results, when someone logs in, say for example, i logged in as sanjay@gmail.com to this blogger suddenly i see the blog of my colleague, say, Frank Rovers.

This is not a "vulnerability" per-se, its just that this is how proxies work if you ask proxies to cache dynamic objects and how authentication is "kept-alive" by these sites for convenience purposes.

I actually saw this in our own network and about 3 clients reported this same issue. I must admit this is also a poor implementation of authentication on these sites (including blogger!). Cookies or auth sessions should expire immediately when a person closes his/her browser or moves away to another page, or is idle, etc.

This "issue" can also present in cybercafes that enable proxies so, be careful especially in public places like these when logging on to these sites. For now, i've seen blogger.com and myspace.com loading multiple profiles of other people when i am suppose to see my own.

So, again, if you run proxies in a large organization, protect people's privacy and do disable dynamic caching all together.

PS> I am blogging this via our corporate proxy but we've disabled dynamic objects caching :)

Thursday, April 5, 2007

ANI has been patched, but bugs are known and workarounds are available

If you patched your system with the ANI patch from Microsoft, it may break certain drivers such as the Networking & Audio ones from Realtek.

If you have this particular problem checkout this article: http://support.microsoft.com/kb/935448

(I guess if your network adapter is down, chances are you can't read this too, :P)

Microsoft releases patches for several GDI vulnerabilities including the new ANI vulnerability

This update is outside Microsoft's standard security update cycle thus clearly sends a message of the seriousness of these issues.

Customer using Windows should do Windows Update and/or read this article http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx where you can find more information about the patches available.

This KB article updates the following exploits/vulnerabilities:
1. GDI Local Elevation of Privilege Vulnerability
2. WMF Denial of Service Vulnerability
3. EMF Elevation of Privilege Vulnerability
4. GDI Invalid Window Size Elevation of Privilege Vulnerability
5. Windows Animated Cursor Remote Code Execution Vulnerability
6. GDI Incorrect Parameter Local Elevation of Privilege Vulnerability
7. Font Rasterizer Vulnerability

Wednesday, April 4, 2007

eEye Releases Temporary Patch for Windows .ANI Exploit

Microsoft hasn't released the patch, yet. So, if you are concerned about this exploitation, there's a temporary patch available from eEYE which can fix the issue until Microsoft releases an official patch.

Please test these files before using in production environment. Thie eEye patch should be removed once Microsoft releases the official patch. The patch doesn't work on x64 or Itanium based machines.

The patch and more information about the .ANI vulnerability can be found at:

http://research.eeye.com/html/alerts/zeroday/20070328.html

Free Web Conferencing Solution

If you're like me, who do presentations to customers etc and would like to do at the comfort of your office space, then try http://www.vyew.com/.

I've used it several times thought I'd share it this time around.

It is a free (and has a commercial) pure web based (flash) conferencing software that enables you quickly setup online presentation meetings and invite people while using just their browsers. Import word documents, PDF, PowerPoint and images and start presenting! It can also share desktops live, import screen captures and plug-ins.



It connects on HTTP(s) and if you require file transfer, then you need port TCP9102 and TCP9100, otherwise, simply use the default HTTP (80,443) to connect. It has a simple chat bar and can do free voice conference calls (within US) but you pay your normal long-distance calls if you are outside the US (sigh, otherwise, this would rock for my prezzo in the morning!). So now, i've just have to conf-call my clients ol' skool.

Apart having a funky color skin, this piece of tool is good enough with its free package that can offer up to 20 users per session. If you like it and want to have more connections, get the commercial version.


Well done Vyew!

Tuesday, April 3, 2007

Security Companies Have Raised Their ThreatCon/Alertcon..

Interesting, ISS Raised It's threatcon (alertcon, what have you) to 2. This is due to the .ANI exploitation code and trojan out there. Do read the articles i've posted for prevention and workarounds.

Do take this seriously, alert customers, friends and grandma!

Monday, April 2, 2007

Unleashing ISA's HTTP Filter Demon

Hey if you run ISA Server 2004 or higher, come on, make use of its HTTP filter. You don't need expensive software to block almost anything that "rides" inside the HTTP protocol without you knowing it. Even HTTPS session can be re-established by ISA so that nothing can tunnel through without your ISA "knowing" and "acknowledging" it.

Lots of people have asked me, so how do i block MSN, Yahoo, and other irritants on your network? Well, there's this good article from Microsoft, which you can use with any application layer filtering device to block or allow applications inside and outside your corporate network.
 http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx
Got questions on ISA or network designs? Let us know, we will help for nuts (Free!).

Gmail Paper and Google TiSP - Are these April Fool Jokes?

I sprayed coffee out of my nose reading these two new services Google's offering (well, one actually , TiSP)

Apparently, Google is providing free Internet from your toilet, called TiSP (probably stands for Toilet Internet Service Provider) and Gmail Paper which is a service to print and distribute emails from Gmail to hardcopies right to your door step (even attachments get printed).

Oh man, what else will these folks think of more huh? But then again, there's a lot of "privacy" concerns around Gmail paper and of course, the toilet bit, i just hope it's an April fool's joke.
Anyway, kudos Google for being so crazy. Love you guys!

Here's the excerpt from the FAQ from TiSP that had me expelled liquid from my nose.

"How can Google offer this service for free?

We believe that all users deserve free, fast and sanitary online access. To offset the cost of providing the TiSP service, we use information gathered by discreet DNA sequencing of your personal bodily output to display online ads that are contextually relevant to your culinary preferences, current health status and likelihood of developing particular medical conditions going forward. Google also offers premium levels of service for a monthly fee (see below).Note: We take your privacy very seriously. So we treat all TiSP users' waste-related personal information with tremendous discretion, in accordance with our Privacy Policy."

Nasty Piece of Code

Was doing some reading online and found this little piece of code to remove blogger.com's top navigation bar (or called navbar).

Login to your blog. Go to template, find, Edit HTML. In there, copy and paste these codes between the head and variables section in this link: http://blogger-templates.blogspot.com/2005/01/remove-navbar.html

Please note, this is blogger.com's way of promotion, and blogger provides a decent set of blogging service without much ads etc for Free. So, before removing, ensure you give back something to blogger.com like me, i have their logo in my blog :)

Sunday, April 1, 2007

Where Do I Place My ISA and DMZ?

With the introduction of Exchange 2007, there's been a lot of upselling of ISA Server. Don't get me wrong, ISA 2006 is an awsome firewall, it's rock solid. So the question now exist, i've got my superb Exchange 2007 now in my internal network and i wan't to use ISA to protect my Exchange resources (MAPI publishing, RPC-HTTPS, OWA, etc). Where do i place my ISA and my DMZ?

Simple, look at sample diagram below;, now you don't need to pay consultants thousands of bucks to design something like this. (Note, this is perhaps a setup ideal for a small to medium organization)



Let me explain a little of this diagram above

  1. My first firewall is my traditional firewall. This box should filter all those incoming traffic not explicitly allowed by your organization. Outgoing packets can go freely without restrictions. Later, i will share why you can confidently do this and therefore reduce complexity in your network.

  2. The DMZ is placed in between the ISA and my 1st FW. Please note, this server is now "published" by the 1st FW and not ISA. In here, you should only keep boxes that will not contain data for a long time (a temp repository) like a web server, smtp server etc..

  3. Finally, the ISA comes in. ISA's default GW is the 1st FW.

Lets talk about NAT.


1stFW (liveIP) --NAT/Route --> ISA --NAT/Route > Internal Networks


So, the DMZ IP network will act as ISA's external network but you can still use private IP addresses. Some of these IPs will be the publishing IP for your internal networks, just imagine them as public IPs.

Another huge benefit of having ISA there is to do Proxy-ing. Now that i've mentioned to allow all traffic outbound on the 1stFW, ISA takes the responsibility to ensure certain ports and protocols are allowed. Doing this, having one place for internal to external traffic control simplifies management of security in your network. Users can be authenticated and authorized to sites or services that are allowed by your organization policies.

Even VPN should work fine in this design where ISA can terminate the VPN connection after a NAT done by the 1st FW.

Got a better idea? Share with us here. Write me .. highsecurity@gmail.com

Windows .ANI File - Zero Day Exploit

There's a new exploit of Windows without a patch (yet). The vulnerability is in the .ani file extension used for animated cursors in Windows. The exploit allows attackers to run code and potentially take ownership of your computer.

Most antivirus should have already been updated with this type of attack therefore, do update your antivirus pattern and wait until MS releases a new patch for this vulnerability. The current status from MS is to do a workaround, not the best solution but it should mitigate the attack. Vista users using IE7 are protected becauses of the "Protected Mode" feature in IE.

Exploit info here.

Below are the excerpts from MS's security advisory for the workaround on this issue:

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector.Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
  • Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.
    Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.
  • Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
    • The changes are applied to the preview pane and to open messages.
    • Pictures become attachments so that they are not lost.
    • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.