Friday, July 31, 2009

Virtual PC 2007 and Windows 7 - UPDATED


OK, here's the update. Microsoft supposedly has a successor to Virtual PC 2007 for desktop virtualization called Windows Virtual PC (currently in beta). Well, I wanted a virtual desktop so I downloaded Windows VPC (the VPC website "knew" I was on Windows 7 and directed me to download Windows VPC instead). When I tried to run it, it failed saying I didn't have hardware virtualization support in the CPU, and of course I didn't (I used a Dell 1525, btw).

So I wanted to use Virtual PC 2007 instead, since it doesn't require hardware virtualization. That failed too, shucks...

Somehow, Windows 7 didn't like VPC 2007. Well, there's a "fix", and it's as simple as removing Windows VPC and then using Virtual PC 2007 without SP1.

If you still can't make it work after removing Windows VPC through Add/Remove Programs and the compatibility error above still pops up, the software (which is delivered as a KB update) could still be lurking. Remove that too. Here's how:

Go to Programs and Features, select "View installed updates", remove the KB958559 update, remove Windows VPC (if you haven't already done so) and restart the computer. That should remove all traces of Windows VPC.

Once again, to run VPC 2007 on Windows 7 (RC build 7100):
  1. Remove all software related to Windows VPC (also remove update KB958559 under "View installed updates")
  2. Install VPC 2007 without SP1 (SP1 somehow has driver issues on 7)
And that sort of fixed my VPC; everything is great again.

If you are stilllllll having problems, I suggest the open-source VirtualBox for Windows (http://www.virtualbox.org).

Have fun!

Thursday, July 30, 2009

Google Chrome and Mozilla Firefox non standard port (e.g. Port 79, 6000)

Was trying to access a customer's website which someone had mapped to port 79. Port 79 is normally used for finger. In Internet Explorer it works fine. It doesn't work in Google Chrome or Firefox (out of the box), because both browsers refuse to talk HTTP to a list of well-known ports that belong to other protocols (the idea being to stop a web page from using your browser to send commands to a mail, IRC or X11 server).

Well, for Firefox users there's a solution. Here's how.

Unblocking/allowing ports in Firefox
  1. Launch Firefox
  2. Go to the address bar and type about:config. Firefox will warn that this might void your warranty; just click the "I'll be careful, I promise!" button
  3. Anywhere inside the list of preferences, right-click and choose New --> String
  4. For the preference name, enter network.security.ports.banned.override then click OK
  5. It will now ask for the value: enter 79, or whatever port you need Firefox to access (several ports are separated by commas, e.g. 79,6000). Click OK.
  6. Try the website again. The setting is kept across restarts.
For Chrome, we've got some bad news: it is not possible to allow those ports. This is confirmed by Google Chrome team members. The only way is to get the hosting site to change and not use the following ports.

Chrome's banned ports: http://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc, look for the kRestrictedPorts array.
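If you have to roll the Firefox change out to more than one profile, it is easier to put the preference in the profile's user.js (or patch prefs.js with Firefox closed) than to click through about:config on every machine. The script below is an added example, not something from the original post: it reads the text of a prefs.js/user.js, merges the ports you need into any existing network.security.ports.banned.override value (so a second run doesn't duplicate entries), and refuses ports outside 1..65535 instead of writing a value Firefox would quietly ignore. The sample prefs content is constructed for the example; the pref name and user_pref() line format are Firefox's own.

```python
import re

PREF = "network.security.ports.banned.override"

# One user_pref(...) line for the override preference, as Firefox writes it
# to prefs.js (and as you would write it yourself in user.js).
_PREF_LINE = re.compile(
    r'^user_pref\("' + re.escape(PREF) + r'",\s*"([^"]*)"\);[ \t]*$',
    re.MULTILINE,
)


def check_port(port):
    """Return port as an int, or raise ValueError if it is not 1..65535."""
    try:
        n = int(str(port).strip())
    except ValueError:
        raise ValueError("not a port number: %r" % (port,))
    if not 1 <= n <= 65535:
        raise ValueError("port out of range: %d" % n)
    return n


def parse_override(value):
    """Parse the comma-separated preference value into a set of ports."""
    return {check_port(p) for p in value.split(",") if p.strip()}


def merge_banned_override(prefs_text, new_ports):
    """Return prefs_text with new_ports added to the override preference.

    Ports already listed are kept, so running this twice adds nothing.  If
    the preference is absent the line is appended.  Bad ports raise
    ValueError rather than producing a value Firefox would ignore.
    """
    ports = {check_port(p) for p in new_ports}
    match = _PREF_LINE.search(prefs_text)
    if match:
        ports |= parse_override(match.group(1))
    value = ",".join(str(p) for p in sorted(ports))
    line = 'user_pref("%s", "%s");' % (PREF, value)
    if match:
        return prefs_text[:match.start()] + line + prefs_text[match.end():]
    if prefs_text and not prefs_text.endswith("\n"):
        prefs_text += "\n"
    return prefs_text + line + "\n"


# Constructed sample of a prefs.js where port 6000 was already allowed.
SAMPLE_PREFS = (
    '# Mozilla User Preferences\n'
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("network.security.ports.banned.override", "6000");\n'
)

if __name__ == "__main__":
    # Adds port 79 next to the existing 6000 and leaves other prefs alone.
    print(merge_banned_override(SAMPLE_PREFS, [79]))
```

Only list the ports you actually need: every port you add to the override is a port a malicious page can now point your browser at, which is exactly what the banned list exists to prevent.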

Wednesday, July 29, 2009

Conficker: Easy cleaning steps

Hi guys,

Was at a client recently and found they had a huge collection of Conficker worm infections residing around their network and causing mayhem.

I am actually quite surprised that some big-brand AV products didn't quite do the job :(

It is important to know: if your network suddenly shows these symptoms:
  1. Access to certain sites, including Microsoft and known antivirus sites, is blocked
  2. A lot of extra traffic on your network
  3. Domain controllers slow to respond
  4. Account lockouts forced on domain accounts
  5. Many other things (depending on the variant)
These symptoms could be due to Conficker. It could already be residing dormant, and your antivirus could suddenly prompt "virus detected" every once in a while.
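The account lockouts are the most useful symptom for finding where to start cleaning: Conficker tries a built-in password list against other machines' accounts, so the domain controllers' lockout events (ID 4740 on Windows Server 2008, 644 on 2003) name the infected machine as the "caller computer". The script below is an added example, not part of the original post; it takes exported lockout records in a constructed one-line-per-event format (timestamp, event ID, locked account, caller computer), which you would adapt to however you export your Security log, and ranks callers by how many distinct accounts they locked out. A real user typing a wrong password locks out one account; a worm locks out many from one host.

```python
from collections import defaultdict

# Constructed sample: one lockout record per line, in the form
# "<time> <event-id> <locked-account> <caller-computer>", as you might
# export from a domain controller's Security log.
SAMPLE_LOCKOUTS = """\
2009-07-28T09:01:12 4740 jsmith WS-ACCT-07
2009-07-28T09:01:15 4740 mlee WS-ACCT-07
2009-07-28T09:01:19 4740 administrator WS-ACCT-07
2009-07-28T09:01:22 4740 finance WS-ACCT-07
2009-07-28T09:02:40 4740 jsmith WS-ACCT-07
2009-07-28T09:03:05 4740 rkhan WS-ACCT-07
2009-07-28T09:14:51 644 backup WS-HR-02
2009-07-28T11:30:03 4740 jsmith WS-ACCT-07
2009-07-28T12:05:11 4740 jsmith LAPTOP-JS
"""

# 4740: "A user account was locked out" (2008); 644 is the 2003 equivalent.
LOCKOUT_EVENT_IDS = {"4740", "644"}


def parse_lockouts(text):
    """Yield (timestamp, account, caller) for each lockout event line.

    Lines that are not four fields or are not lockout events are skipped,
    so the function is safe on a mixed export.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in LOCKOUT_EVENT_IDS:
            continue
        ts, _, account, caller = parts
        yield ts, account.lower(), caller.upper()


def lockout_sources(text, min_accounts=3):
    """Return (caller, distinct_accounts, events) for callers that locked
    out at least min_accounts distinct accounts, worst offender first."""
    accounts_by_caller = defaultdict(set)
    events_by_caller = defaultdict(int)
    for _, account, caller in parse_lockouts(text):
        accounts_by_caller[caller].add(account)
        events_by_caller[caller] += 1
    suspects = [
        (caller, len(accts), events_by_caller[caller])
        for caller, accts in accounts_by_caller.items()
        if len(accts) >= min_accounts
    ]
    # Most distinct accounts first, then most events, then name for stability.
    suspects.sort(key=lambda s: (-s[1], -s[2], s[0]))
    return suspects


if __name__ == "__main__":
    for caller, accounts, events in lockout_sources(SAMPLE_LOCKOUTS):
        print("%s locked out %d accounts in %d events" % (caller, accounts, events))
```

Pull the top callers off the network first (or at least stop their Server service, see below), then clean them; until you do, the lockouts will keep coming no matter how often you unlock the accounts.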

Okay, this is meant to quickly get you started on the removal process. It's not meant to replace the extensive guide posted on Microsoft's website, but it's a summary of things you should immediately do/work on.

These are the steps I took to fix problems quickly on a notebook, and I've asked the client to do them on all workstations (which is something you need to do too :) )...

  1. Perform Windows Update: http://windowsupdate.microsoft.com. Get service packs if needed. Run Windows Update at least twice.

    a. If you do not want to run Windows Update, at least get this patch: http://support.microsoft.com/kb/958644, the patch from MS08-067. This is the Server service hole Conficker uses to spread over the network, so an unpatched machine gets reinfected as soon as it is back on the wire.

    b. Download and install the KB patch at http://support.microsoft.com/kb/967715/. Look under the "Prerequisites to disable Autorun capabilities" section and download according to your system. Without this patch, some computers cannot properly disable Autorun, which the worm uses to propagate via removable drives and network shares. Now, go ahead and disable Autorun via GPO or manually as described in that article.

  2. Download and install Malwarebytes' Anti-Malware (the free version): http://www.malwarebytes.org/mbam-download.php
    a. Close all running applications, including browsers etc.
    b. Install the software
    c. Update the database (as instructed during setup)
    d. Run the scan (as instructed during setup)
Performing the above does not permanently fix the problem; you still need to get your antivirus installed/updated to the latest if you've not already done so.

Also, to prevent further reinfection/propagation, do these for the time being:
  1. Stop the Task Scheduler service on all your Windows machines (this service lets you automate processes based on time, such as Windows backup; Conficker also uses scheduled jobs to launch itself on machines it has copied itself to. It is safe to stop it on workstations under the assumption that automated programs are not needed on desktops)
  2. Stop the Server service on desktops (not servers). The Server service is what shares files across the network, and it is also the service MS08-067 patches, so stopping it closes the hole on desktops you haven't patched yet. Accessing shared files uses the Workstation service, which you can leave running. Just stop the Server service for the time being until you've got the network sorted out.
  3. Start scanning as in the steps above.
The above should already sort you out quite a bit. Once you've got the situation under control, get those updates in place for both OS and AV.

Thursday, July 23, 2009

Nagios Read Only User


By default your Nagios user will have full access to the web interface. This means he/she can do just about anything, like disabling checks, etc.

Here's a quick guide on how to enable read only user access for your nagios web interface.

This document assumes:
1. Nagios 3 (may work for 2, please try; if it works, pls post a comment)
2. Apache2
3. Debian 3 (or higher)
4. Authentication on Nagios is enabled (use_authentication=1 in cgi.cfg)
 
You need to find out where Apache stores your htpasswd or htdigest file: check the Nagios site config in Apache's sites-enabled directory. In that file, for the Nagios website, you should see the AuthUserFile (or AuthDigestFile) line pointing to the htpasswd or htdigest file.
 
Edit that file and add your new users there. You can generate the user/password (or user/realm/password) entry with CLI tools such as htpasswd or htdigest, or use a page like http://www.htaccesstools.com/htpasswd-generator/ (but then the password leaves your machine, so don't do that for a real account). For this guide we will use the username rouser and the password rouser.
 
E.g. generating a htpasswd file for the Nagios rouser
# htpasswd -c /tmp/rouser.txt rouser
 
This creates the file /tmp/rouser.txt (-c creates a new file, so never run it with -c against the live file or you will wipe the other users), with content like this:

rouser:ug/fib3zqISok
 
Paste that exact line into the htpasswd file you found referenced in sites-enabled. If the site uses htdigest instead, generate the entry with htdigest using the realm from the AuthName line; a htpasswd line will not work there.

Now you can test access with that user on your Nagios web screen. You will notice it doesn't have access to anything except the static images/HTML.

To give rouser rights to see things, simply edit your Nagios CGI config, normally found in /usr/local/nagios/etc/cgi.cfg (/etc/nagios3/cgi.cfg on a Debian package install). Look for the directives

authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin

And add rouser after the existing user, separated by a comma, like below:

authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser

Now restart the Nagios daemon (the CGIs actually read cgi.cfg on every request, but a restart doesn't hurt). Then sign in again (close your browser first) with user rouser and password rouser. You can now see everything but cannot run the CGI commands, since rouser is not listed in any of the authorized_for_*_commands directives, therefore making it read-only.

Now, if you want to restrict the view to certain hosts only, don't put the user in authorized_for_all_* at all; instead give the web user the same name as a contact in your contacts definition file. Nagios lets a contact view the hosts and services it is a contact for, so a user rouser-switches that is a contact on the switches gets read-only access to the switches and nothing else.
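If you have several read-only users to add, or want the change scripted for more than one Nagios box, the following is an added example (not part of the original guide or of Nagios): it produces a htpasswd entry in Apache's {SHA} format (the same thing `htpasswd -s` writes), adds or replaces that user in the htpasswd file contents, and appends the user to authorized_for_all_services and authorized_for_all_hosts in cgi.cfg without touching the *_commands directives, so the result is read-only as described above. The sample cgi.cfg is constructed. {SHA} is unsalted SHA-1 and only used here because it needs no extra library; on Apache 2.4 or later prefer `htpasswd -B` (bcrypt) for anything exposed.

```python
import base64
import hashlib
import re


def htpasswd_sha_line(user, password):
    """Return "user:{SHA}<base64 sha1>", as `htpasswd -s` produces.

    Apache's file format uses ':' as the separator, so it is rejected in
    the username.  Unsalted SHA-1: acceptable for a lab, not for production.
    """
    if ":" in user:
        raise ValueError("username may not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))


def add_user_to_htpasswd(text, user, password):
    """Add or replace the entry for user in htpasswd file contents."""
    line = htpasswd_sha_line(user, password)
    kept = [entry for entry in text.splitlines()
            if not entry.startswith(user + ":")]
    kept.append(line)
    return "\n".join(kept) + "\n"


# The two view-only directives from the guide; none of the *_commands ones.
READ_ONLY_DIRECTIVES = ("authorized_for_all_services", "authorized_for_all_hosts")


def grant_read_only(cfg_text, user, directives=READ_ONLY_DIRECTIVES):
    """Append user to the comma-separated value of each directive in cgi.cfg.

    Idempotent: a user already listed is not added twice.  A missing directive
    raises, because silently skipping it would grant nothing and you would
    not notice until the user complained.
    """
    out = cfg_text
    for name in directives:
        # Anchored at line start so a commented-out "#name=..." does not match.
        pat = re.compile(r"^(%s=)(.*)$" % re.escape(name), re.MULTILINE)
        m = pat.search(out)
        if m is None:
            raise ValueError("%s not found in cgi.cfg" % name)
        users = [u.strip() for u in m.group(2).split(",") if u.strip()]
        if user not in users:
            users.append(user)
        out = out[:m.start()] + m.group(1) + ",".join(users) + out[m.end():]
    return out


# Constructed sample of the relevant part of a Nagios 3 cgi.cfg.
SAMPLE_CGI_CFG = """\
use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
"""

if __name__ == "__main__":
    print(add_user_to_htpasswd("nagiosadmin:{SHA}already-there=\n", "rouser", "rouser"))
    print(grant_read_only(SAMPLE_CGI_CFG, "rouser"))
```

Write the outputs back to the real files yourself (and keep a backup of cgi.cfg); the functions deliberately work on strings so you can diff the result before it goes live.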

Try it out and let us know the outcome.

Tuesday, July 21, 2009

ISA Server 2006 Radius OTP Authentication Bypass

An update is available for ISA Server 2006 (SP1 or earlier) installations that use RADIUS OTP authentication with Kerberos constrained delegation to back-end web servers. The vulnerability allows an attacker to assume an administrative user's identity without supplying the correct password (authentication bypass).

Please update your ISA installation immediately to avoid any possible attacks.

Source: MS article snippet of the update (security bulletin MS09-031):

"This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation."

Friday, July 17, 2009

Blackberry- A significant security consideration


BlackBerry Enterprise Server (BES) is a service, hosted internally or externally, that lets people receive their corporate email on their BlackBerry handhelds. It is similar in function to Microsoft's push mail (Exchange ActiveSync).

In Windows Mobile, Exchange users are asked to key in a password before they can connect to their mailbox and read anything. In BlackBerry for Exchange and Notes, they don't have to.

This is why (for Exchange; I'm not sure about Notes. This applies to BES, not BIS, because BIS needs passwords to log on to POP/IMAP accounts):
  1. BES already runs under a service account which has read access across every mailbox it has been given permission to
  2. This gives the BB configuration person full access to a person's mailbox, without that person's password, by simply associating a BB unit with the mailbox
  3. Configuration people can also re-associate mailboxes to other BB devices, therefore giving them access to the mailboxes they wish to view

This leads us to two primary things to consider:
  1. The security of the BES (BlackBerry Enterprise Server)
  2. The BlackBerry device itself (both during configuration and after)
Organizations should be aware of this powerful access and should control the way BB devices are distributed and BB servers are configured.

Here's my view on a possible way to mitigate and control this "issue"

For item 1 - Security on the BES
  • The access levels on BES servers should be well defined, i.e. read-only access vs. full access
  • The username and password used to access the BES server should be controlled by at least two people (e.g. two or more people each hold part of the password)
  • Any logon attempt to the BES server should immediately be logged (enable full logging in any way possible)
For item 2 - Security on the handheld
  • When provisioning a device, have someone else (a neutral party) physically watch what the person configuring it does
  • If anyone gets "disconnected" or "unconfigured" on their BB device from Exchange/Notes, have them notify someone immediately; investigate afterwards, and do a remote wipe if someone other than the original owner of that mailbox has been configured to use it on their handheld
Stay secure!

Monday, July 13, 2009

Online Scam (what you need to know) And What To Do (First Aid)

Hi, it's been a while since I blogged about anything, but anyway, here it goes.

A couple of days back a good friend of mine was lured into an online scam. The perpetrator posed as Hotmail support staff and emailed her to send information (such as her password) in response to a "security measure" supposedly taken by Hotmail for its users. Anyway, I've helped her with some initial "first aid", but more importantly, here are my top 10 online tips.

Top 10 Online Tips

  1. No credible online company will ask for your password! Period. If they do, just trash it.
  2. No credible application developer will email you an executable (they may put a link up, but see tip no. 3)
  3. If there's a link to download and apply a certain fix/patch, do a search and see if it's legitimate first before applying. Most credible sources, such as the vendor's own website, would be in the first few hits in your search. Go to that link and read what it's all about. Consult someone credible (yes, you can ask me, I would be happy to help)
  4. You have the right to ask and question anything you receive from a seemingly legitimate source if they are asking for personal information (and it's your right not to disclose)
  5. If you're in doubt, ask! search! be sure! There's no stupid question, just stupid assumptions
  6. When transacting anything involving money online, DO NOT DO IT OVER A PUBLIC WiFi. There are too many reasons why, but I won't state them here. Search for that if you are interested. You might end up reading some stuff on this blog :P
  7. Passwords are the weakest form of security. Use long passwords (complex short ones are easier to guess than long non-complex ones). I am not a big fan of changing passwords too frequently because the flip side of that is that you will start to forget the new passwords you created and start using Post-it notes as reminders, pasting them up on your walls/monitors
  8. HTTPS (secure HTTP) does not necessarily mean it's secure. You should still verify the certificate (which is what turns HTTP into HTTPS) and the URL. Most browsers will complain if the basic criteria are not met, like the name on the certificate not matching the URL, expiry, etc. Again, if in doubt, see item 5
  9. Read stuff. There are a lot of credible websites that give users basic and clear information on what's the latest in the world of security. I recommend reading stuff from CNET, Microsoft's Security website, and the one I like most is http://www.us-cert.gov/current/
  10. Use basic PC-level protection like antivirus (I use Kaspersky and love it), enable a firewall (Windows Firewall is a good start) and keep your machine up to date (on a Microsoft OS, just go to http://update.microsoft.com).

OK, let's say you do get scammed into something and there's a risk of sensitive information leaking. Do the following:

  1. Ask for help from an IT expert in-house, or write to me; if I can help, I will (real-world experts, not the ones from the Lowyat forum etc.)
  2. Lodge a police report (state the seriousness of the case)
  3. Write an email to the corresponding company stating your case. Give them as much information as possible
  4. Inform any friends that may be affected of possible fraud attempts (e.g. if your email is hijacked/password stolen, someone may impersonate you and ask for money because you're apparently stranded in the Bahamas, "they" stole your baggage and you need money to travel home and will pay it back once you get home)
  5. Learn from the lesson! Read the tips above!