Thursday, December 6, 2007

Windows Vista Service Pack 1 - The Real Deal

Long awaited SP1 for users of Vista is around the corner. I just got a glimpse of the beta site MS has setup to enable dev folks and private beta testers to roll out.

So what's the deal all about. Well, it's simple enhancements from a security, performance and functionality point of view. According to a MS correspondent, the SP1 BETA it should be available in next week or so (2-3 week of December). The final RTM will be available in first Q of 2008.

First to state is the fact that it comprise of many patches, updates and upgrades previously made available via Windows or Microsoft update websites. One key improvement is the administrative enhancements to ease admins of their daily routines.

In short, Microsoft summarizes Vista SP1 as;
  • Quality improvements, including all previously released updates, which address reliability, security, and performance.
  • Improvements to the administration experience, including BitLockerTM Drive Encryption (BDE).
  • Support for emerging hardware and standards, such as an Extensible Firmware Interface (EFI) and an Extended File Allocation Table (exFAT).
State-worthy 1: Quality Improvements
  • Introduction of new cryptography standards
  • Integration with security center, APIs and other interfacing mechanisms for security companies to integrate with Vista (once a huge concern with ASVs)
  • Lesser crashes through analysis via the Windows Error Reporting avenue
  • Better hibernation/sleep restoration (this is surely a needed!)
  • Copying and extracting files should be faster! - I hope they got rid of that inaccurate graphical display and ETA timer...
  • Faster IE Experience with lower CPU utilization, logon delays have been removed, increased battery life (by reducing screen redraws) and also, much needed/awaited, improvement in network file sharing by reducing the actual bandwidth used to do so

State-worthy 2: Administrative Improvements
  • Bitlocker available for other than C (finally!!!)
  • Group policy management enhancement
Well, as for hardware enhancements, nothing much for us, not too flamboyant PC user (ok ok, not like me). Some noteworthy, the support of exFAT drives in flash devices. This SP should support DX10.1 so good news for gamers who await DX10 for their games.

And finally, it will support SSTP, an emerging VPN protocol that work better with NATs and other challenges that legacy VPNs face.

Alright, there you go, one thing's for sure, i'm gonna' get this baby once it's out in the market. I guess i can get a copy since i'm a beta tester for certain products, perhaps could pull some strings to get the Sp1 beta prior to public release (for all kiasu's sake la)

Parts of this article is taken off the Vista team blog website at: http://windowsvistablog.com/blogs/windowsvista/pages/windows-vista-service-pack-1-beta-whitepaper.aspx

Thursday, October 4, 2007

Delete ALL SMTP Queues In Exchange 2007 (Quick and Dirty)

Had a client that was subjected to an open relay attack. In mere hours their Exchange 2007 was filled with not less than 100,000 outbound emails, indicating this server is a possible open relay. I though, i should try out the GUI to start cleaning junk emails, so i loaded the Exchange Management Console, went to tools and checked out the queues in Queue Viewer. True enough, there was emails not destined to our internal mail client again suggesting a security problem.

Due to these overwhelming SMTP connections, it comes as no surprise that the processor on this 64bit OS box went on overtime. The Exchange SMTP runs on an Image called EdgeTransport.exe and this piece went over 50% of processor time most of the time. It even reached 99% at some points when im not looking :)

Anyway, fact is, using EMC's GUI will take hours! to clean up e.g. 100,000 emails (and counting). So i decided to hit the kitchen sink with the SMTP queues in Exchange by deleting the them through Explorer.

In essence, to completely wipe out the queues in Exchange 07 perform the following;
  1. Stop Exchange Transport
  2. Browse to the folder where mail.que is stored (our server was in mail.que at c:\program files\Microsoft\Exchange Server\TransportRoles\data\Queue)
  3. Delete or move everything there
  4. Start the Exchange Transport
  5. Open up Queue Viewer, and verify that every thing's cleared..Exchange has now recreated mail.que and associated files like in the beginning of time..:P

Image above: The physical path of the mail queue which also could be found by looking for the file mail.que like above. Since the mail queues are ESE, simply removing the mail.que file may not work (just like removing the edb/stm file without removing the related transaction logs)

Now, more importantly, close that relay! and enjoy Exchange 2007. PS. I do not warrant against klutziness and failure to backup/test backups. I don't even think MS approves of such vicious method, but it worked like a charm and i swooped 1GB of smtp spam in 2 minutes :D

Monday, September 24, 2007

MSN and MS-Agent exploits

There are two rated high vulnerabilities exist in Microsoft software that's publicly disclosed and have the patches released!

One of them affecting Windows OS is explained in http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx for MS Agent vulnerability which pretty much affects those using Windows 2000 with SP4 (most likely a lot of W2K users). This attack requires access to a vulnerable (or malicious) website which you choose to access. Mitigation factors include disabling MSAgent or otherwise, more effectively, do not get too "friendly" on the WWW and get that patch.

MSN Messenger (and Windows Live Messenger) is also vulnerable to an exploit by crafting a malicious code inside the the request to ACCEPT AN INVITATION FOR VIDEO CHAT. I regard this as quite dangerous as this particular type of vulnerability can easily be scripted and thus spawn the network for vulnerable sources. MS KB article here explains it all http://www.microsoft.com/technet/security/Bulletin/MS07-054.mspx. This particular attack however does require a user interaction where an "accept" response is required for the exploitation to successfully take place. Also, when compromised, if you turn on UAC in Vista, most likely the action to allow administrative rights will be triggered by UAC. This is when you say no if all else fails up this point.

Does this affect you? Most likely if you use Windows 2000 or Windows Live Messenger or both.

How bad is it? Remote exploitation is possible and can run in the context of a currently logged on user.



Both problems have been reported responsibly and Microsoft has publicly released related patches. Please update your software.

Tuesday, September 18, 2007

Outlook Tip: Retrieving "lost" attachments

When you directly open up attachments in Outlook, they launch the application that corresponds to that attachment, e.g. a .xls file will launch Microsoft Excel. So when you start working on this file, remember to save it somewhere else (save as) to where all your other files are stored. When you click save, it will save the file in Outlook's temporary attachment cache folder.

Just say you've saved a file (File->Safe) and closed Excel, then later cant find the file anymore!!! you start to get all Tasmanian devil about it..ITS NOT even in the Excel's recently opened document list. Well DON'T PANIC YET...

Most attachments launched directly from Outlook will be stored in a cache (temp) folder before getting executed within the corresponding application. This folder is normally in C:\Documents and Settings\username\Local Settings\Temporary Internet Files\OLKxxx (where username is your logon username) . This is where all temporary files are stored directly from outlook. Some may have different settings to this and you can easily find this path out inside your registry Key HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security and look for the key OutlookSecureTempFolder...

Now access the file/folder directly using run or explorer (note in most OS-es, this particular folder and preceeding folders could be hidden, so unhide it from Explorer's folder options first).

This is also a great place to find out what you girlfriend's been receiving in her email... :P

Thursday, September 13, 2007

Split-brain DNS

Many a times you might cross organizations that implement internal DNS for name resolution. This is especially true for those running Microsoft Active Directory, where DNS plays an integral part in it's directory services lookup. Problems can happen when especially the domain names for both internal and external happen to be the same or to achieve seamless name resolution, an internal DNS need to exist to match that of external names.

Lets take for instance an email client that connects to their email infrastructure using the name email.company.com. In this case, when a user goes out of the organization, he or she can receive emails since the name email.company.com resolves to a valid external IP. Now, this user comes back into company and the company implements Active Directory but when resolving email.company.com either;

a. Does not get resolved as you may have a similar zone setup
b. Resolves to an external IP (whereas the server is actually internal)

Both these problems mean, the user may not be able to receive emails no more.

This is where administrators can setup a split-brain DNS. A split-brain dns in simplest possible explanation is having similar DNS zones internally and externally. Records like A, CN, SVR can be different as long as it meets your requirement for security, performance and accessibilities.

For instance, taking the exact example above, say Ahmad receives emails externally by using the email.company.com (which resolves to 202.188.0.133) then he comes back to his office, the exact same name email.company.com now resolves to 10.1.1.1 which is their email server but accessed internally now. This is because his administrator has setup a split-brain dns to ensure internal users do not resolve internally servers as external IPs and work the gateway for no apparent benefit.

There's a little bit of administration involved to ensure records match that of the internet. You must create records that correspond to the split brain domain to match the resources or records that exist externally if this record or server does not exist internally. For instance, the company in our example, hosts their external DNS to an ISP. This ISP also hosts their website www.company.com. This record should also exist in your network, simply because you assume the ownership of the zone company.com in your split-brain dns setup. Otherwise, users will not be able to access this www.company.com internally if you do not have such record. This record however will contain a live IP address matching that of the ISP. Remember, if the record does not exist, it will fail and will not forward to a root or top level DNS since you assume the role of the authority of this domain company.com.

There's a downside to this amongst others, is that is it can be subject to abuse and thus lead to a phishing or pharming attack. Imagine, internally you could setup the zone maybank2u.com and host your own www.maybank2u.com to resolve to your own little fake maybank2u website ;)...fun eh.

Monday, September 3, 2007

ISA Server 2006 VS Exchange Outlook Web Access

A customer from Cambodia (shout out to Whaddanak of CBL) once asked ways in which one can publish a front end Exchange server securely in a DMZ (DeMilitarized Zone). The obvious answer is DEFINITELY YES. Since Exchange 5.5, OWA could easily be isolated from the internal network thus lowering the risk of a security compromise on valuable data such as mailboxes.

Publishing a Front End server in Exchange 2000, 2003 and 2007 today is a little like taking an Exchange box and stripping it down to "enough" features for; all required Exchange services to work and of course, the Web components and dependencies such as IIS. While this is a great way to start working towards security but it still introduces concerns to administrators for possible administrative and certain security issues for example, Active Directory membership (since the Exchange server needs to be part of the domain) ports need to published between DMZ to Internal DCs, securing the Windows server in which Exchange server reside (since it's being placed in a DMZ) and configuring firewalls to allow communication between internal mailbox servers (which can be rather complex since you need to codehack ports in which the information store listens on etc). Other concerns could also be the inability to implement multiform factor authentication (which is not possible with just Exchange FE-s). Here's a good (detailed) sample article one can use to do just Exchange FE publication on DMZs or alike http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html

Fortunately, there's a much easier, secure and "cheaper" way. Yes, you guessed it, USE ISA SERVER 2006. Cheaper? (i leave this to you to do the math here).

Lets continue this topic by simply looking at key differences which an organization can directly benefit by using ISA Server as their FE for Exchange OWA. Here, i present, my oh-so-familiar way of presenting benefits:

ISA Server's top 10+1 reasons as an Exchange OWA Front End

  1. Its a firewall - Once installed, it's a dead Windows box which only do stuff you allow it to do. You do not need to crack your head open on how to block ports and secure this secure that. Of course, you still need the basic hardening guides to help enhance the ISA box..la.
  2. It can publish one or more Exchange OWA or backend servers with OWA enabled and do a better load balancing job (like application response-e.g. http/s-get) than WNLB (network level only)
  3. You can do all the HTTP filtering you would normally do with an ISA server like URL filters like HTTP signatures filtering, headers, extensions, methods, HTTP redirection to HTTPS (which you would normally use a ASP script in OWA 2K3 or lower) setup concurrent connections and connection limits (anti DoS), etc...
  4. Perform higher degree of control by using Forms based authentication via ISA server like the use of persistent cookies, HTML customization and password management.
  5. Single Sign On - Yes, once you sign on to OWA, you could also be signed on to say your intranet web servers!
  6. You can filter out users at the ISA server level itself and lockdown on users whom are not suppose to use OWA or enforce limits on time for instance. You can also specify sources like directory based users groups, IP addresses, domain names, etc.
  7. You can choose to bridge SSL! That hundreds of thousands of dollars application filtering IPS can finally see what's going on with OWA on SSL
  8. It can support multiform authentication - Yes, multifactor auth is possible meaning you could have your OWA users sign on to a certificate and/or an RSA token or a combination.
  9. Setting it up is a breeze, you do not need to introduce an additional Exchange server in your organization (or the Exchange SM ). All done through wizards and its up and running when you click APPLY!
  10. It can cache!, compress, you can do other fun stuff like taking the OWA offline by sending users to a "...this page is unavailable page.." for maintenance and you do it all from ISA rules!
  11. BONUS POINT: You could also perform attachment rules, customized logoff pages etc straight from the ISA server rule line itself.
So there you have it, again, a top 10 type reasons why you MUST insist on ISA Server 2006 as a front end Exchange OWA (and also your corporate firewall :) ) when using Exchange 2K and up.

Happy ISAlating your Exchange

Wednesday, August 29, 2007

DNS and ISA Server

A shout out to my friend Velan Ramalinggam, thanks for your help today :)

We just got back from a customer's site and they had a complain that after enabling ISA server proxy forwarding option through routing, the ISA server became a crawl. Although direct, the access is pretty acceptable.

After some initial diagnosis, we found that the DNS was not forwarding to external DNS servers correctly. We fixed it by changing to a valid external DNS forwarding server and everything seem to worked pretty well.

So in conclusion, we noticed that the ISA had rules that refer to websites (names). There were around 20 such rules. By enabling such rules, for example, block the website http://www.friendster.com/, the ISA server would then need to resolve this name to IP and evaluate the rule whether it is a match or otherwise. Since the DNS didn't resolve the names in those rules had to wait for a timeout then moved on to another rule and so forth. This caused a significant delay in evaluating those rules before it reaches the rule that allows people to browse when there's a no-match. One would think, well, since i am forwarding packets through a proxy "in front" of the ISA why would you need such DNS resolution (especially to an external DNS)? Well, this is by design and in some versions of ISA server, we can disable this lookup feature provided if we do not have rules that have names (external names particularly) and we forward ISA's web requests to a forward proxy.

Remember though, internal name resolution must work correctly especially if you use Active Directory and have internal/intranet websites.

Please note that you need name resolution to internet sites if you do not have a forward proxy configuration. In cases where you do forward to a forward proxy and you do not have names in your rules, you could wish to disable name resolution on the ISA server for external sites. An article from MS talks about this but this is for ISA 2004, not sure if ISA 2000 (which was what my customer had) has a way to do this or not!...http://www.microsoft.com/technet/isa/2004/plan/disablenameresolution.mspx

Tuesday, August 21, 2007

Go figure

We bumped into this piece right after lunch. Figure out what's wrong with it!!!...



bart would say...aye carambe!

Download MP3s via Google Search

I start with a disclaimer: I do not advocate piracy nor support it. Whatever you learn from this and how you apply it to your benefit/misfit is completely beyond the purpose of this article. Be responsible for your actions or inactions :P

OK. Sigh of relief. Now lets start.

A day ago, a friend (see Frank's Blog) sent an email about how one can get files directly using google's advance search techniques. This applies to movies, documents or virtually any file that google may have inside it's crawled database. How this search works. Lets see the contexts or slap this line inside google's search tab:

-inurl:htm -inurl:html intitle:"index of" mp3 "ziggy marley"

The exact same line above will return sites that have MP3 extensions that contain the words "ziggy" & "marley". The "-inurl:htm and -inurl:html" tells google to look for the extensions within HTML documents only (you could also add -inurl:asp or -inurl:aspx). These are pages that google crawls which can also include text or PDFs or whatever that's text or alike.

Now, the intitle: switch searches documents that match the HTML tag TITLE. In the above example, "index of" is a typical directory browsing format which in normal cases are file repositories using HTTP. If you for instance, upload a bunch of files inside a website and do not specify a "start page" or restrict browsing access to that directory, your webserver will automatically or dynamically return a html or htm document listing all files in that directory in unix style.

So, to translate the above query into english would be something like this. Hey google, search for mp3s containing words ziggy and marley within html or htm documents which have a title of "index of" or a directory browsing format.

Now, use only your imagination to figure out what more you can do with this.

For guided google's advance searching, go to www.google.com/advance_search or for help on switches using standard searches go to http://www.google.com/help/operators.html

Happy fishing.

Monday, August 20, 2007

Firewall Considerations

A MERDEKA SHOUT OUT TO ALL MALAYSIAN! LONG LIVE MALAYSIA

When purchasing a firewall long time ago, there weren't many things to consider as it was really the lame ole' packet and stateful filtering the few vendors boast about. Fine, that was then but these days, things seem more complex than just to say "i want that one" (ala Little Britain). Organizations need to ensure that the first unit of defense, normally the firewall, be equipped with enough firepower to thwart intelligent attacks and "noises" that come from the internet, particularly.

So, here, i try to discuss the basis of enquiry when purchasing firewalls by breaking down the methods into the soft and hard factors. Soft factors are quite tricky sometimes as its mostly subjective or open to further discussion. So, here's some of the things you should run in your heads when considering a firewall solution;

The soft(er) factors
  1. Management - Consider solutions that you are familiar with. There's no patch for human error. Nonetheless, this shouldn't be the reason for a compromise in quality.
  2. Scalability - Will the solution be able to cater for your business needs in say, 5 years?
  3. Support - Firewalls will have holes, these holes must be patch. Is there a guarantee from the manufacturer of full support for up to n-number of years that you wish to keep the unit. How about SLA from these providers? Any formal training/certification provided?
  4. Policy - Does the firewall govern and works with your current IT policy and/or a corporate policy? Will it eventually help to achieve governance and compliance?
  5. The $$$ factor - There's firewalls that cost virtually nothing to those which will have your arm and leg. I personally don't believe anything is free. In IT, free comes with a non obvious price tag on it. In reality, this particular factor determines play the ultimatum decision for the rest of the factors.
  6. Company direction - What is the type of vendor you are buying from, their proposal (and product) and business direction
Now, we talk about the more obvious choices, reasons and features that you will need to consider when purchasing a firewall
  1. Type - Hardware or Software. I don't wish to discuss which is "better". Have your own opinion, justify it and live with it
  2. Speed - Throughput vs network speeds. No. of concurrent connections/users/devices
  3. High availability, cluster, cold standby - Do you guarantee SLA for users? If so, how..
  4. Built-in AntiDOS/IDS/IPS/Antivirus/Content Filtering (e.g. web filtering, antispam, antimalware) - Should the firewall include this? Take overheads into consideration when turning on such features
  5. VPN (and sslvpn) - Do you need this? If so, again, consider performance factors
  6. Forward/Reverse proxy - Should the firewall provide application layer filtering including reverse publishing of web servers or forward proxy functions?
  7. Logging/Reporting/Accounting - Do you need extensive reporting/accounting? Do you wish to correlate with an existing tool?
  8. Protocol support - Do you need any specialized routing protocols such as BGP/OSPF/VLAN other protocols such as Authentication protocols (multi factor authentication), content vectoring/rendering
  9. Integration with existing firewalls/systems - Is there a supported configuration when using this particular firewall? Is such even needed?
  10. Others - E.g. requirements for policy governance e.g cipher strength, supported internet standards etc
There...now go get urself a firewall :)

Sanjay

Friday, August 17, 2007

PDF and ECard Spam

Hi there, bet most of you are wondering why's your mom (who's perhaps computer illiterate btw) sends an e-greeting for an occasion that has nothing to do with you (e.g. Indonesia's national day, today!). Well, the answer is simple, they're just SCAMS!.

Recently, i've received and done some research on two types of spam that walked right pass my antispam goofy gateway protection and my local email client antispam protection. One comes as an e-greeting with an IP address with a link claiming origin of credible sources such as bluemountain.com. There's also PDF documents that comes sailing smoothly through my (now what i believe to be a seriously goofy gateway product) antispam solution.

One quick way is to see the sender. If it's unknown, don't bother opening. If the links are dotted notations (IP addresses) don't open. They are phishing scams!. As for the PDF, feel free to read em' if you've got ridiculous time (like i have now writing this) but don't click anything within these PDFs.

Be safe .

Happy weekend

Top 5 reasons why you shouldn't connect to an open wireless (WiFi specifically) connection

When you connect to, umph, say, Starbucks's wireless networks and similar, you connect without even providing a username or password (some of these applies to web based authentication) think about these;

  1. 1. It's open, therefore there's NO encryption, everyone (can) see your traffic
  2. 2. Others can impersonate you! and do stuff you wouldn't (or would, but not in public, haha)
  3. 3. Anyone could easily impersonate the access point and become the gateway. Which mean, everything passes through his/her computer before reaching another destination
  4. 4. Your own computer can be easily exposed to unauthorized access (or attempts) since almost ANYONE can connect, which mean, the good and bad guys!
  5. 5. And finally, It's designed to be insecure! or the implementors have no clue what so ever. So, don't even expect any security on it.
Stay secure, opt for secure APs (at a minimum), if you do not have a choice, they ensure that you access only SSL, TLS or VPN type of accesses to ensure you create an encrypted tunnel between you and the destination. Wikipedia TLS or SSL for more information.

Stay secure

Wednesday, August 15, 2007

Accessing paid tech knowledgebase (for free!!!)

Its really frustrating sometimes that these communities like expert-exchange, event-id charge for a community response. I think it should be free! Anyway, i found a nasty way to access some of these information for free.

How to?
Firstly, you would probably do a search engine for a said problem, then, most likely these "paid" websites would pop up in your searches, great, but when you access, they ask to sign up and sign up requires $$$. Well, try this now, GOOGLE'S CACHED pages. Do the same search based on the keywords on that particular website/page then most likely that actual page may appear in google. Now, instead of clicking what you would normally click in google, click the CACHED link below. And viola! the page is free for you to read.



Note that the cache may be outdated tho...so, this is for cheapskates like me but if you like their service, subscribe lah...

Only your imagination is limited to whatmore you can do with it... :)

Cheers!

Wednesday, July 11, 2007

Running checklists

I am a big fan of checklists, besides "reminding" us of steps to do or take, it creates a kind of standardization for work being done.

Pilots use checklists even they have thousands of flying hours and are highly experienced. Why? We are only human, we can make mistakes.

Therefore brings me to introduce a cool link that provides security checklists from Wireless to Windows. Download them and run them against your implementation.

Checkout http://iase.disa.mil/stigs/checklist/index.html

Happy securing.

Monday, June 25, 2007

How to enable the 75 gigabyte limit on Exchange 2003

So you've implemented Exchange 2003 and installed it with service pack 2. Your database grows up to 20 GB from all that migration suddenly the Information Store stops with an error. Well, don't panic.

In Microsoft Exchange 5.5 until 2003 standard editions , the database logical store cannot reach more than 16GB otherwise the information store will stop gracefully. There's an allowance given by Microsoft to increase this limit 1GB more until you've cleaned up the database size and make it smaller than 16 GB. Now with SP2 on Exchange 2003, the limit is increased by default to 18GB. But they said SP2 can grow up to 75GB..?

Yes, this is possible but you need to set it through a registry key and specify the size of your database.

Here's how and where ...http://support.microsoft.com/kb/912375/en-us

Happy bloating your mailboxes!

Wednesday, June 13, 2007

Safari for Windows Beta 3 - Vulnerabilities found in found in mere minutes



Apple corporation released Safari 3.0 beta 3 and works on Windows as well. I downloaded and tested B3 after Frank sent an email of this release. Just cruising the web i found already 10s of vulnerabilities in this browser by far. This was further confirmed by an email i received just hours after downloading Safari 3.0 Public Beta. One researcher apparently could perform a BO using a standard fuzzer in mere minutes from Apple's release!


Hmm, this makes we wonder if these products from not-so-adopted platforms and companies are put to the masses (making it available on Window for example) get to taste reality and i question the fundementals of vulnerabilities disclosure numbers.


So the question is: Is having lesser vulnerability disclosures eludes us to believe it is more secure or it is not exposed enough to know for sure?


Explanation: Just say with a Mac, there's only 10 people using it out of 1000 and 990 are using Windows. It can be safely assumed that a majoriy vulnerabilities may be exposed on Windows as opposed to a Mac. Now take a Mac application that runs on Windows, now the exposure number is no longer 10, but 1000 (10 + 990)...




Safari for Windows: http://www.apple.com/safari/


Wonder when Google's gonna' punch something out...?

Thursday, June 7, 2007

Stirling- The fore front to Microsoft FOREFRONT

Its about time someone envisions something like this. Imagine, a centralized desktops and servers management platform, with anti-malware, email message protection, workstation access validation, centralized log correlation, personal firewall and what have you. It all spells ONE CONSOLE, ONE INTERFACE which equates SIMPLICITY. The key to any success, in my belief, at least.

Stirling
Microsoft released a press statement of it's upcoming security powerhouse, codename Stirling. In a Microsoft camp(people who use a lot of MS technologies) this would be a dream product to integrate almost all the security a company would need (including firewalls) under on hood. It would be easy for CIO and whomever to produce a single piece of report snap-shotting your company's state of security and threat.

I am hoping to get involved in the TAP and work with Microsoft Malaysia on this. Till i get more information and product demos, stay tuned. This piece of product could potentially turn heads :)..kinky...

FAQs-http://www.microsoft.com/forefront/prodinfo/roadmap/faq.mspx

Security Showdown


Graph source, http://blogs.zdnet.com/security/?p=135

A recent study by ZDnet reveals Vista has way lesser vulnerabilities and high fixes rate as compared to other OSes like RHEL, MacOS. Vista, is what i would imagine, a begining to what will be of the security enabled operating systems, come fully hardened. There's only getting better from here on..SP1 of Vista will prevail :)
To read more, check out http://blogs.zdnet.com/security/?p=135


Tuesday, June 5, 2007

Things to consider before going for Citrix or Terminal Services

I had a chance to "play" around with a few virtualization and thin client architectures lately and i must say, before you proceed in spending your big bucks in them, consider the following ..

Top 5+1 things to consider before going for Citrix or Terminal Services

1. Not all applications can work with virtualization. If they work in Terminal Service for instance, they don't necessarily work on other platforms or virtualization thin clients. Test each and every business critical functions with end users (people who will eventually use the app)

2. Will this application be able to run on server platforms. It makes no sense to run them on workstations as workstations software have very limited hardware scalability. Furthermore, Citrix and TS only works on Windows Servers. Ensure you get proper papers to say it does work and fully supported on server platforms.

3. What type of specialized hardware or other related software your application require? Will that hardware/software work with virtualization? Simple example would be, your graphics card, when running graphics intensive applications, will they or not take advantage of this hardware when virtualizing? What if that hardware is required to run the app?

4. Is your application client server based? I don't think it makes any sense if there's no client server architecture involved when using virtualization technologies. Outlook and Exchange example here, you publish Outlook and hence run multiple instances of Outlook on a single server would make absolute sense. In a weird twist, if you publish Exchange and it creates an entire new DB for every new virtual instance, whoa, you need serious hardware power man.

5. Does your application maintenance support complies this sort of deployment? Otherwise, you may end up having the support people say, "sorry, we do not support this sort of configuration"..you're in a little bit of trouble

and just for the heck of it the #6 ...

6. Will it benefit in the sense of the amount of hardware+software+service+maintenance you will achieve vs. decentralizing. Also remember, crucially, availability, if decentralized, one PC goes down, one PC is affected, if in virtualization, one server goes down, 10s of clients are affected. How would you address availability, clustering? NLB? Layer7 switching? Built-in application HA?

Hashbreaker

5b69d4f5b5e7929b5c593e1d63cfc078 - Thats "password" in MD5digest. How to crack more hashes? Try www.hashbreaker.com. Register very quickly and use their free version. If you like it, use their paid service. They use Rainbowtables at the backend, which is an open source hash cracking tool available with gigs of hashvalues in a table. To avoid all that, just use this service. How effective? Well, make a hash value and test it out for yourself. :)

Oh, hashing is no longer secure, by the way, try encrpyting the transport then hashing the secret values, that should be the best.

Windows IPSEC

I was doing lots of testing using IPSEC over the weekend (yea, don't have a life). I must say, in Windows client and server environment, it's really simple to implement it. Unlike popular application, IPSEC can be centrally deployed and managed in Windows through Group Policies.

IPSEC will ensure that wiretapping is literally impossible, data remains intact and assured of it's source and destination. It's like having VPN connections with every device in your network that supports IPSEC.

Note there's overheads. Like any encryption technologies, it will require processing power and lots more overhead in transport. But seriously, thesedays with Gigagbit networks and very powerful computing ends (server/client), it's really not much of an issue. Unless you have a 10bt network and really old computers, you should consider implementing IPSEC across your entire organization.

Since IPSEC works below the TCPIP layer, it can support most of your applications natively, unless they are broadcast or multicast enabled (see more unsupported configuration in this KB http://support.microsoft.com/kb/253169/)

Also, please do test in a non-production environment, setup monitoring tools and enabled logging extensively during your testing to ensure IPSec is correctly working and is compatible to your applications.

Happy IPSECing...

Monday, May 14, 2007

Top 5 reasons why i would like to implement ISA Server 2006 as my outgoing proxy/firewall

1. ISA Server is the ONLY FIREWALL THAT I KNOW today that supports authentication for almost all WINSOCK compliant protocols if you use Windows Operating System.

2. ISA Server stores frequently used caches in memory

3. ISA Server contain out of the box a bunch of application layer filters (http, ftp, smtp, rdp...). Furthermore, if you're kiasu for more, write the filters yourself

4. ISA Server support Cache Array Routing Protocol, Backgroung Intelligent Transfer Service, and HTTP Compression

5. ISA Server works great with Active Directory, Radius, LDAP (running AD), RSA etc.

Sunday, May 13, 2007

Multiple Vulnerabilities with Cisco's PIX and ASA

There's a possible bypass for authentication when LDAP is used for Chap/MsChap in Cisco's VPN. An attacker can access your internal network without providing authentication at all.

This is quite serious to those running LDAP on PIXes and ASAes.

So far, as i can remember it, when comparing ISA Server and Cisco's firewalls, ISA Servers have no single type of serious attacks like this on it by far. Go ISA Server!

Refs: http://www.sans.org/newsletters/risk/display.php?v=6&i=19&rss=Y#widely3
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml

Saturday, May 12, 2007

ISA server's incoming vs outgoing IP (and SMTP Reverse Lookup)

Ok, lets start making it clear who the initiator (SRC) and receiver (DST) are. SRC is the person/computer who wants to talk to you and makes the first attempt to do so. Receiver is the person who will either respond to the attempt made by the SRC or just ignore it.

Now, in ISA, please remember that outgoing IPs are ALWAYS the first external IP of the NIC (if you perform NAT from source internal to external). This is true only in a scenario where ISA is the final hop to reach the internet.

ISA manages outgoing requests through PAT (port address translation) but when it comes to incoming requests such as a published webserver etc, ISA can be reached on any external IPs which you specify in the Wizard.

So in short, if the SRC is internal and the DST is external, ISA will use it's first external IP address and, if the SRC is external and the DST is internal, and if you have a corresponding rule/listener, ISA will accept incoming connections using that IP you specify in the wizard.

This is especially important if you performing reverse dns settings esp for SMTP MX servers. Always to remember to register your ISA's first external IP along with your actual SMTP IP as your reverse DNS settings. Otherwise, your org's email can identified as a potential SPAMMER by reverse lookup checks done by SMTP engines.

URGENT! - Serious security flaws with all Microsoft Exchange versions

In a recent ISA Server 2006 Level 400 class, we discussed a vulnerability on Exchange server that could lead to remote code execution. The particular remote attack is listed in CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0213 and rated high in it's severity. If you have customers or run Exchange of all version, check out the article from Microsoft.

This vulnerability and other not so critical ones are described in MSKB 07-026 (http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx). Apply the fixes stated in article immediately, as highest priority.

REMEMBER, PLEASE TAKE THIS MATTER SERIOUSLY, REMOTE CODE EXECUTION=TOTAL CONTROL OF YOUR EXCHANGE BOX. If you run a domain controller on top of that box, the risks are even higher.

Thursday, May 3, 2007

Vulnerabilities on Quicktime and Asterisk

Was doing some reading on my frequently accessed security page, SANS and found these two vulnerabilities that should be of mention.

These two software i use well, often, like Quicktime (for my ITunes) and Asterisk (for my mobile VoIP support).

Quicktime- A vulnerability that allows a an exploit on Windows and Mac machines that have Java and Apple Quicktime installed. This exploitation allows code execution and has been categorized as HIGH alert by SANS institution. Apple has not made a fix but recommends a workaround, yea you guessed it, disable Java on your browser.

Asterisk - There's multiple exploits on the Asterisk box with T38 fax function installed on Asterisk opensource PBX. This exploitation allows code execution and has been categorized as HIGH alert by SANS institution. Successfully exploiting this vulnerability will buffer overflow this fax module on Asterisk and can allow an attacker to execute code running the same process as Asterisk is. Asterisk has confirmed this bug and has provided a fix.

Fring Me (Asterisk and Nokia Symbian special mention)


Here's a piece of software i must blog about, its called Fring. I just got a Nokia N80 recently and of course, i wanted to stuff the phone like what we did to the turkey in Christmas, but with software. The company i work for specializes also in VoIP technology and it was quite difficult to get the N80 to "talk" to Asterisk at first, but eventually got it working.

Nonetheless, i found this very exciting new software (still in beta) called Fring. It combines the capability of VoIP in SIP and other P2P/IM software like GoogleTalk, MSN and Skype. All in one tiny piece of excellent codes.

Currently, it only supports Nokia (Symbian). The best part of it all, its real easy to setup and use. It has all the basic needs for a simple text messaging to voice calls right from your mobile. I did a test with Marco the night i installed it and connected it to my WiFi and the sound quality is pretty decent (i called Marco using MSN). I then tested registering Fring to my SIP UDP Asterisk rental business box and it worked like a charm first time :).

Ok, here are the top ten things i like about Fring:
  1. Supports Asterisk (or any IPPBX that supports SIP - UDP)
  2. Supports WiFi
  3. Works great (stable) on my Nokia N80
  4. Works just superbly with MSN, Skype and GoogleTalk
  5. Simple, straight forward registration (they're nice enough to send you an SMS on how to install straight onto your phone)
  6. Combines all your contacts from the supported services/providers above into one single list
  7. You CAN connect to normal landlines and/or mobile phones
  8. Their ICON
  9. Its FREE
  10. Best of all, the voice quality is very decent (and the IM texts are crisp clear :P ), no lags and echoes on most occasions
Download and install now: http://www.fring.com | http://www.fring.com/download/

Sunday, April 22, 2007

Idiocracy Alert - Phone to Human virus

Some people in the middle eastern parts of the world including Pakistan have been shaken by phone SMS messages warning them about the existence of a phone to human virus. This hoax, just like many we JUNK in Outlook, had forced public figures to release statements clearing up the rumors.

Apparently, provider HOTLINES were swarmed with messages requesting clarification from subscribers.

How lame can one be? Very, very lame. The LAME-O-Meter has hit the roof..

Thursday, April 19, 2007

Every cloud has a Silverlight

Look out Flash, here's come another ray of light, called Silverlight. Silverlight is Microsoft's answer to rich web applications which previously dominated by Macromedia Flash. I tried some of the samples, looks like it can do pretty much what Flash can, like, play games, watch movies and enhance users's interaction on your website.

Apparently, Silverlight would work across platforms and browsers. Developers on the other hand, would need the .NET framework to develop but there's a piece of software that end users need to download to view such Silverlight enabled websites.

If you would like to download and test this, check out the CTP. The software is still under development and is not final yet though.

W32.Rinbot - Exploitation of Windows DNS and other vulnerabilities

It comes as no surprise that the exploitation of the MS DNS issue is out and around. According to Symantec, this particular worm executes several vulenrability checks (much like a security scanner) and exploits those that are vulnerable. In short, the process is completely automated and will drop codes inside your computer leaving it open for remote code execution.

It's odd as to why Symantec categorizes this threat as Low (for now). I would think its pretty high as the fixes for MS DNS is still in the bakery. So, please ensure your AV and Windows is constantly updated. As for the DNS issue, please apply the workaround as seen in my previous posts.

Excerpt from this article:

The worm scans network for computers vulnerable to the following vulnerabilities and exploits them:

  • The Microsoft DNS Server Service Could Allow Remote Code Execution (BID 23470) on TCP port 1025
  • The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) on TCP port 139
  • Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107) on TCP port 2967

Monday, April 16, 2007

WARNING - DNS Zero day exploit code is public

My previous post talks about the DNS vulnerability and now the exploit codes are available and are being used already to VERY EASILY EXPLOIT DNS servers especially within an organization (typically). No one in their right mind would publish RPC over the internet, right.., right..!!??

Remember to run the WORKAROUND FIX in my previous post to ALL DOMAIN CONTROLLERS TO START WITH. A successful attack, again, on a domain controller could lead to complete risk to your AD.

Saturday, April 14, 2007

Windows 2000/2003 DNS Server Service Zero Day Exploit

A new buffer overflow vulnerability with the RPC protocol for managing the DNS service in Windows 2000 (all SPs) and Windows 2003 (all SPs) has been discovered by hackers. Upon successful execution of this exploit, the attacker can run code with the security equivalent of SYSTEM (which is pretty much everything but the kitchen sink).

Microsoft says, in this article, to apply workarounds which includes disabling the RPC management for DNS, local management of DNS will still be possible.

Some security companies have flagged this critical, and i must agree with them. A lot of people will run DNS on a domain controller which holds Active Directory. Having successfully exploited on these domain controllers could leave your entire AD at risk. This could mean all sensitive user, Exchange and other related data could be at risk

It is also possible to perform advanced RPC filtering using application layer firewalls. Simply block MMC RPC connectivity to servers running DNS.

Client operating systems such as XP or Vista are not affected. ISS has raised it's AlertCon to 2 following this zero day exploit. If the exploit codes fall into wrong hands, this could potentially be another MSBLASTER like affect to Windows boxes.

KB: http://support.microsoft.com/kb/935964

Friday, April 13, 2007

CurrPorts - A must have program in your support thumbdrive

Ever wanted to check what ports is a particular program listening on? Well, if you run Windows, there's an awesome tool called CurrPorts which has been around for sometime now. I used it this morning, and still loving it.

Windows itself can do a little to enumerate processes to ports but it's on CLI for now, i.e. NO GUI (i'm a GUI addict, i mean, why make things complicated right?)

Why i love CurrPorts?
  1. I can checkout what program is listening, communicating and responding to which port(s) including UDP ports. Double clicking the process will enlist all necessary information about that process/ports/application
  2. I can KILL programs, more hardcore then "END TASK" from Windows.
  3. I can run this to analyze application behaviors
  4. Its free and there's no crappy INSTALLERS, just run LAH!
  5. Runs on Vista (used to like ActivePorts, but it doesn't support Vista :(
This was my swiss army knife even these days when looking for worms/trojans especially when my faithful antivirus have no clue on what's going on. I just run Currports, terminate the lights off those bugs. Check out CurrPorts. Get it here.

Spam Storm

Some sources have confirmed a highest number of spam since 12 months ago containing security related messages and request users to patch files etc. Please be very careful, i do not know any klutzy security companies that send updates via emails. WELL THEY DON'T. Have a good weekend.

Read the full article: Here

Excerpt:
Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the [ http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015979 ]"Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.

Thursday, April 12, 2007

Checklist for designing Active Directory

Well, i walked the web for a while now and finally i had to make a checklist myself of designing Active Directory. I hope this super simple guide helps presales, consultants and other enthusiasts out there..

10 Hot-checklist for Implementing/Designing Active Directory:
NOTE: Please know AD first then by running this checklist, you can't go too wrong.

1. Organization needs for AD
2. Forests and domain structures
3. Domain Name System, WINS and DHCP
4. Sites and Replication
5. Domain controllers, FSMO, GC
6. Organizational Units
7. Group Policy
8. Users, computers, groups and objects naming
9. Security (authentication, auditing, authorization, etc)
10. Schema extension, custom coding and application integration

Of course there are a little more things one must consider when designing AD but here's a good start to working on another list.

Hope this helps :)

Wednesday, April 11, 2007

Vista updates

Yesterday (Apr 10, 2007), Microsoft released 4 to 5 updates for Vista. I downloaded and patched the CSRSS manually and got 4 updates on WindowsUpdate program.

Also, there's a couple of high criticality vulnerabilities on Windows and anyone running Windows should immediately run Windows update. Some of these vulnerabilities exploits are publicly available and can execute codes remotely, so do not take things lightly..

Tuesday, April 10, 2007

Active Directory Bulk Editing GUI

What do you want to bulk modify today?

Tired of writing VB scripts to modify Active Directory object attributes (users, groups, etc) then try out Microsoft Exchange team's ADModify.net. This is a cool tool do perform bulk modification of attributes of Active Directory and / or Exchange using a graphical user interface (GUI)

AD and Exchange administrators (or vendors) will find this tool indispensable and in a simple to use interface. But do remember, modifying the attribute values will immediately reflect on your AD and think about what's gonna' happen when it starts replicating attributes across your forest.

Alright some features drill down;
1. Supports AD 2000 or higher
2. Support Exchange schema extensions
3. Custom LDAP queries

Download and play around with this free tool but be careful not to make a booboo.

Source download: ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify

Guide/howto: http://www.msexchange.org/articles/ADModify-Change-Exchange-Specific-AD-User-Attributes.html

Psychic Whois


I found this tool website called Psychic Whois (http://www.psychicwhois.com/). It has a cool way of looking for WHOIS domain information in an autocomplete method. If you're a researcher or enthusiasts you could use the site for finding domain names quick and easy. Like the google of domain names, only with autocomplete.

Monday, April 9, 2007

Which Active Directory Schema?

Now that Microsoft released Windows 2003 R2, some customer have been facing issues making their R2 box a domain controller. This is simply because R2 requires an upgrade of the schema of Active Directory to a higher one from Windows 2003.

So, if you intend to use any of your R2 boxes as a domain controller, you must first upgrade the schema using adprep from the Windows 2003 R2, disc #2.

Also, disc 2 is the one that actually upgrades your Windows 2003 to R2. The first disc contains a slipstream version of Windows 2003 SP1. Disc 2 makes the box R2. So run the adprep from disc 2 and now you can introduce R2 boxes as domain controllers.

So what's the schema versions for different Windows boxes?
  • 13=Microsoft Windows 2000
  • 30=Original release version of Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 (SP1)
  • 31=Microsoft Windows Server 2003 R2

"You can verify the operating system support level of the schema by looking at the value of the Schema Version registry subkey on a domain controller. You can find this subkey in the following location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

You can also verify the operating system support level of the schema by using the Adsiedit.exe utility or the Ldp.exe utility to view the objectVersion attribute in the properties of the cn=schema,cn=configuration,dc= partition. The value of the Schema Version registry subkey and the objectVersion attribute are in decimal. " SRC: Microsoft KB Reference:
http://support.microsoft.com/kb/917385

Sunday, April 8, 2007

iPod virus?


Kaspersky recently detected a potential program/virus dubbed Podloso that could be used and infect a linux based iPod's executables with the extension .elf. Right now, i guess there's no "real" virus *yet* that could spread automatically and do bad stuff to your cute-lil-ipod.

The best thing to do as a user of iPod now is not to panic *yet*. If they do bump into something that resembles close to a virus for these devices, rest assured, it will get posted here, someone will find a cure and someone will find another new ". More reading: Here.

It is an interesting breakthrough in malware vectors. It would come as no surprise if Zune, Xbox, PS2/3 and all those connect-capable devices be at risk.

Friday, April 6, 2007

Why you should disable dynamic objects caching on your proxy server

If you run a proxy server in your organization, please take note about enabling caching for dynamic objects. Dynamic objects are normally pages that change based on user inputs or is a similar page with different information based on who's logged on etc.

Why you should not enable caching for Dynamic Object?
Because, there's a chance that certain logged on pages like say for example, sites like myspace, blogger (this) can be cached and the results, when someone logs in, say for example, i logged in as sanjay@gmail.com to this blogger suddenly i see the blog of my colleague, say, Frank Rovers.

This is not a "vulnerability" per-se, its just that this is how proxies work if you ask proxies to cache dynamic objects and how authentication is "kept-alive" by these sites for convenience purposes.

I actually saw this in our own network and about 3 clients reported this same issue. I must admit this is also a poor implementation of authentication on these sites (including blogger!). Cookies or auth sessions should expire immediately when a person closes his/her browser or moves away to another page, or is idle, etc.

This "issue" can also present in cybercafes that enable proxies so, be careful especially in public places like these when logging on to these sites. For now, i've seen blogger.com and myspace.com loading multiple profiles of other people when i am suppose to see my own.

So, again, if you run proxies in a large organization, protect people's privacy and do disable dynamic caching all together.

PS> I am blogging this via our corporate proxy but we've disabled dynamic objects caching :)

Thursday, April 5, 2007

ANI has been patched, but bugs are known and workarounds are available

If you patched your system with the ANI patch from Microsoft, it may break certain drivers such as the Networking & Audio ones from Realtek.

If you have this particular problem checkout this article: http://support.microsoft.com/kb/935448

(I guess if your network adapter is down, chances are you can't read this too, :P)

Microsoft releases patches for several GDI vulnerabilities including the new ANI vulnerability

This update is outside Microsoft's standard security update cycle thus clearly sends a message of the seriousness of these issues.

Customer using Windows should do Windows Update and/or read this article http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx where you can find more information about the patches available.

This KB article updates the following exploits/vulnerabilities:
1. GDI Local Elevation of Privilege Vulnerability
2. WMF Denial of Service Vulnerability
3. EMF Elevation of Privilege Vulnerability
4. GDI Invalid Window Size Elevation of Privilege Vulnerability
5. Windows Animated Cursor Remote Code Execution Vulnerability
6. GDI Incorrect Parameter Local Elevation of Privilege Vulnerability
7. Font Rasterizer Vulnerability

Wednesday, April 4, 2007

eEye Releases Temporary Patch for Windows .ANI Exploit

Microsoft hasn't released the patch, yet. So, if you are concerned about this exploitation, there's a temporary patch available from eEYE which can fix the issue until Microsoft releases an official patch.

Please test these files before using in production environment. Thie eEye patch should be removed once Microsoft releases the official patch. The patch doesn't work on x64 or Itanium based machines.

The patch and more information about the .ANI vulnerability can be found at:

http://research.eeye.com/html/alerts/zeroday/20070328.html

Free Web Conferencing Solution

If you're like me, who do presentations to customers etc and would like to do at the comfort of your office space, then try http://www.vyew.com/.

I've used it several times thought I'd share it this time around.

It is a free (and has a commercial) pure web based (flash) conferencing software that enables you quickly setup online presentation meetings and invite people while using just their browsers. Import word documents, PDF, PowerPoint and images and start presenting! It can also share desktops live, import screen captures and plug-ins.



It connects on HTTP(s) and if you require file transfer, then you need port TCP9102 and TCP9100, otherwise, simply use the default HTTP (80,443) to connect. It has a simple chat bar and can do free voice conference calls (within US) but you pay your normal long-distance calls if you are outside the US (sigh, otherwise, this would rock for my prezzo in the morning!). So now, i've just have to conf-call my clients ol' skool.

Apart having a funky color skin, this piece of tool is good enough with its free package that can offer up to 20 users per session. If you like it and want to have more connections, get the commercial version.


Well done Vyew!

Tuesday, April 3, 2007

Security Companies Have Raised Their ThreatCon/Alertcon..

Interesting, ISS Raised It's threatcon (alertcon, what have you) to 2. This is due to the .ANI exploitation code and trojan out there. Do read the articles i've posted for prevention and workarounds.

Do take this seriously, alert customers, friends and grandma!

Monday, April 2, 2007

Unleashing ISA's HTTP Filter Demon

Hey if you run ISA Server 2004 or higher, come on, make use of its HTTP filter. You don't need expensive software to block almost anything that "rides" inside the HTTP protocol without you knowing it. Even HTTPS session can be re-established by ISA so that nothing can tunnel through without your ISA "knowing" and "acknowledging" it.

Lots of people have asked me, so how do i block MSN, Yahoo, and other irritants on your network? Well, there's this good article from Microsoft, which you can use with any application layer filtering device to block or allow applications inside and outside your corporate network.
 http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx
Got questions on ISA or network designs? Let us know, we will help for nuts (Free!).

Gmail Paper and Google TiSP - Are these April Fool Jokes?

I sprayed coffee out of my nose reading these two new services Google's offering (well, one actually , TiSP)

Apparently, Google is providing free Internet from your toilet, called TiSP (probably stands for Toilet Internet Service Provider) and Gmail Paper which is a service to print and distribute emails from Gmail to hardcopies right to your door step (even attachments get printed).

Oh man, what else will these folks think of more huh? But then again, there's a lot of "privacy" concerns around Gmail paper and of course, the toilet bit, i just hope it's an April fool's joke.
Anyway, kudos Google for being so crazy. Love you guys!

Here's the excerpt from the FAQ from TiSP that had me expelled liquid from my nose.

"How can Google offer this service for free?

We believe that all users deserve free, fast and sanitary online access. To offset the cost of providing the TiSP service, we use information gathered by discreet DNA sequencing of your personal bodily output to display online ads that are contextually relevant to your culinary preferences, current health status and likelihood of developing particular medical conditions going forward. Google also offers premium levels of service for a monthly fee (see below).Note: We take your privacy very seriously. So we treat all TiSP users' waste-related personal information with tremendous discretion, in accordance with our Privacy Policy."

Nasty Piece of Code

Was doing some reading online and found this little piece of code to remove blogger.com's top navigation bar (or called navbar).

Login to your blog. Go to template, find, Edit HTML. In there, copy and paste these codes between the head and variables section in this link: http://blogger-templates.blogspot.com/2005/01/remove-navbar.html

Please note, this is blogger.com's way of promotion, and blogger provides a decent set of blogging service without much ads etc for Free. So, before removing, ensure you give back something to blogger.com like me, i have their logo in my blog :)

Sunday, April 1, 2007

Where Do I Place My ISA and DMZ?

With the introduction of Exchange 2007, there's been a lot of upselling of ISA Server. Don't get me wrong, ISA 2006 is an awsome firewall, it's rock solid. So the question now exist, i've got my superb Exchange 2007 now in my internal network and i wan't to use ISA to protect my Exchange resources (MAPI publishing, RPC-HTTPS, OWA, etc). Where do i place my ISA and my DMZ?

Simple, look at sample diagram below;, now you don't need to pay consultants thousands of bucks to design something like this. (Note, this is perhaps a setup ideal for a small to medium organization)



Let me explain a little of this diagram above

  1. My first firewall is my traditional firewall. This box should filter all those incoming traffic not explicitly allowed by your organization. Outgoing packets can go freely without restrictions. Later, i will share why you can confidently do this and therefore reduce complexity in your network.

  2. The DMZ is placed in between the ISA and my 1st FW. Please note, this server is now "published" by the 1st FW and not ISA. In here, you should only keep boxes that will not contain data for a long time (a temp repository) like a web server, smtp server etc..

  3. Finally, the ISA comes in. ISA's default GW is the 1st FW.

Lets talk about NAT.


1stFW (liveIP) --NAT/Route --> ISA --NAT/Route > Internal Networks


So, the DMZ IP network will act as ISA's external network but you can still use private IP addresses. Some of these IPs will be the publishing IP for your internal networks, just imagine them as public IPs.

Another huge benefit of having ISA there is to do Proxy-ing. Now that i've mentioned to allow all traffic outbound on the 1stFW, ISA takes the responsibility to ensure certain ports and protocols are allowed. Doing this, having one place for internal to external traffic control simplifies management of security in your network. Users can be authenticated and authorized to sites or services that are allowed by your organization policies.

Even VPN should work fine in this design where ISA can terminate the VPN connection after a NAT done by the 1st FW.

Got a better idea? Share with us here. Write me .. highsecurity@gmail.com

Windows .ANI File - Zero Day Exploit

There's a new exploit of Windows without a patch (yet). The vulnerability is in the .ani file extension used for animated cursors in Windows. The exploit allows attackers to run code and potentially take ownership of your computer.

Most antivirus should have already been updated with this type of attack therefore, do update your antivirus pattern and wait until MS releases a new patch for this vulnerability. The current status from MS is to do a workaround, not the best solution but it should mitigate the attack. Vista users using IE7 are protected becauses of the "Protected Mode" feature in IE.

Exploit info here.

Below are the excerpts from MS's security advisory for the workaround on this issue:

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector.Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
  • Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.
    Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.
  • Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
    • The changes are applied to the preview pane and to open messages.
    • Pictures become attachments so that they are not lost.
    • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

Friday, March 30, 2007

10 + 1 Best Practises for Implementing an SMTP server

I will share with you some experiences from implementing a good SMTP engine to avoid being spammed, being categorized as spam etc. This article is product independent therefore if you run Exchange, Windows SMTP, ScanMail, Notes or whatever, this is something good to consider.

This guide specifically focuses on larger organizations, but of course, large/small is just a definition based on the number of users but you may apply them if you so wish.

1. Always put a dedicated SMTP box in a DMZ or internal network. SMTP is relatively a simple and fast protocol so it doesn't really require a super end machine. Have redundancy if needed by simply doing an internal DNS MX with weights without the need of expensive load balancing hardware. Or, if you run Windows, use NLB.

2. Put Anti-malware and Antispam scanning on both the SMTP gateway and your internal email server. Disable NDRs if possible. Do not cross scan between your host based antimalware engine and your protocol based antimalware engine. This can slow down it's performance tremendeously.

3. Register all your email servers that eventually send emails out with a reverse lookup DNS. Do not send emails out directly from internal email servers unless they are equally protected like your SMTP engine or using these tips.

4. All SMTP talkers (this could be your email server or even your client if they send emails out directly using the SMTP protocol) should use RFC1918 addresses not Live IPs for all internal hosts. This because all SMTP chatter will stamp addresses in their headers and if you use a non RFC1918 number, there's a chance the emails will get checked by your recipient's host email server and perform a reverse lookup and of course, you won't be the owner of that Live IP and you can be categorized as spam.

5. Place email send and receive limits. The last thing you need is an email server retrieving 100MB of attachments. There's always secure file shares for that.

6. Verify internal users sending email using your SMTP with your LDAP or similar. Some form of authentication is a good start. As for external users sending you emails, you cant authenticate ..too bad. If possible disable NDR for non-existent recipients. The NDR should be generated by the sender's email server, not yours!

7. Do not run SMTP engines/filtering on your firewall!. Firewalls do not need this unnecessary burden because your SMTP engine is suppose to clean up messages.

8. Do not use your internal mail server as your secondary MX, you are better of not having a secondary MX. Internal mail servers are where all the "juices" are, so if you get whacked, your data is at risk. Spammers have known this trick and sometimes send emails to secondary MX servers in hopes that there's no antispam/antimalware engine installed on them.

9. Create a SPF record on your DNS. Sender Privacy Framework is very easy to setup and can be implemented in mere minutes.

10. Disable relay on all email servers, both internal, external etc.

11. Test all your SMTP server's implementation by running auditing tools such as Nessus - SMTP/product TCP/IP based auditing, www.dnsreport.com - DNS configuration test, abuse.net/relay.html- relay test,

Any of those terms you don't know or want more info, you can write me or simply Google it up.

Happy hosting!

Thursday, March 29, 2007

How to automatically disable/enable your proxy settings

Tired of turning off your proxy settings when outside the office? Well, yea, me too. For a long time now there's a simple and effective way to do this by using a PAC file or Proxy Automatic Configuration file. This PAC file is a simple text document stored inside your computer and is referred by your browser before connecting to the internet.

The PAC uses javascript language to simply do a IF and THEN and ELSE condition. Here's the script of my file i am using, its named proxy.pac

---code start:don't copy this line---

function FindProxyForURL(url, host)
{ if (isInNet(myIpAddress(), "10.10.0.0", "255.255.0.0"))
return "PROXY proxy.mcsb.com:8080";
else
return "DIRECT";
}


---code end:don't copy this line---

Now, create a file, say, proxy.pac using notepad.exe, copy the above code into the file you just created, then save it.

Next, you will have to "tell" your browser to use this auto configuraiton file. Here's how.

For Internet Explorer Only (will update how-to in Firefox soon, doesn't seem to work with it)
Go to Tools >> Interent Options >> Connections Click on LAN Connections, check the box, "Use automatic configuration script", then place this line into the empty box therein.

file://c:/proxy.pac

The above is true provided you are accessing this file from a local PC, you could also place this file into a server etc (web server).

Say OK several times to close the configuration screen. Now reload your Internet Explorer. So, if you are in your corporate network (mine is 10.10.0.0/255.255.0.0) it will use your corporate proxy (mine is proxy.mcsb.com).

So, here are the variables you MUST change to correspond to your own network:

Network: 10.10.0.0 (change to your network)
Subnet Mask: 255.255.o.0 (change to your subnet)
Proxy: proxy.mcsb.com:8080 (change to your proxy IP or name like the example here, after the colon is the port of your proxy server, if it is port 80, you do not need to specify the colon or the port number)

The proxy.pac file can be a real huge monster to do things like high availability for proxy server, support multiple Networks (my example only support 1 network).

More information can be found at: http://en.wikipedia.org/wiki/Proxy_auto-config

Tuesday, March 27, 2007

Manage your AD - ADManagerPlus

ManageEngine has a product called ADManager plus. ADManager plus runs a self website and can run on your Windows based OS like XP, 2000(3). The free edition is limited to manage a single AD domain in a forest.

Here's the list of features

  1. Delegate-able administration - You can give rights to your Help desk and Administrators separately
  2. It has a dashboard view of users reports, system reports and other customized reports.
  3. You can quickly search objects and edit them right from your browser.
  4. Bulk user and group management and operations (e.g. create/edit bulk users etc)
  5. Can manage certain Exchange related tasks and terminal services attributes.
  6. Reporting - A list of predefined reports and customizable reports

This tool simplifies management of AD without the need to program scripts. It is secure and runs on any browser and it does not need to reside on your Domain Controller, just configure the connection and have rights to connect.

You can view the demo here: http://demo.admanagerplus.com or download free or trials at http://www.admanagerplus.com

Happy administrating :)

Sunday, March 25, 2007

SHA-1 Is Now Crack-able

Cracking MD5 (Message Digest 5) and now, SHA-1 (Secure Hashing Algorithm), she and her team are a bunch of geniuses. They managed to crack the widely used SHA1 hashing algorithm which supposedly, succeeded MD5 after being scrambled by the same Chinese Associate Prof. Wang Xiaoyun of Tshinghua University and Shangdong University of Technology.

This lines up a series of questions i guess about your current implementation, and of course, what's next. Big software companies should take this seriously. It will be in no time that the reverse engineering techniques are available publicly, till then, scramble for another scrambler.

Source article: http://en.epochtimes.com/tools/printer.asp?id=50336

Saturday, March 24, 2007

If you use Windows 2000 DNS (for Active Directory ..etc) use only Secure Updates

Windows 2000 and later gives you the option to configure your DNS as Active Directory Integrated Zone (ADIZ). This mode is required for name and service automatic update and its super crucial to a successful Active Directory (and some of other MS products like Exchange) implementation.

When enabled in this mode, clients or servers can send an update request DNS packet to the DNS service in Windows and this will be updated inside the DNS service or name records.

However, administrators and implementors, do remember that you should enable secure updates only in the automatic update configuration. Why? Cause otherwise, it's very easy to send a change DNS record update packet and change, for instance, the web address of an internal or external (if you configure split headed dns) host and redirect requests to a malicious site.

An example would be to change proxy.company.com to your PC IP!!!. Users are challenged and they provide user name and password pair. Unknowingly, they have successfully submitted these credentials to your internal password repository. There's only the mind that can limit what other crazy stuff you can do with these type of attack.

So, please enable secure updates only in your DNS automatic update settings.

DNSFUN source: http://securitydot.net/xpl/exploits/vulnerabilities/articles/1578/exploit.html

Friday, March 23, 2007

Google Analytics
















Google Analytics is a cool free Site Tracking tool from, oh, you guessed it, Google. I use it for my blog sites (this) and other sites that i help manage. The best thing of it is that its free. You would need of course a Google account (e.g. Gmail) to start with.

Try it out: www.google.com/analytics


It works by embedding a tag inside your website pages. Just add these few lines of codes and start to gather interesting information about your visitors. It can produce custom or built-in reports in charts and exportable in XML, Excel etc. Select a range of dates in which you would like to generate these reports and its immediately updated in your browser.

You could also add profiles to administer and generate reports, setup goals to your website.

Large organizations to small people like me, use this tool for fun or to generate useful information about trends and make informed decisions about your website and future developments.

Malaysian DVD Pirates Out To Kill Sniffer Dogs?

Funny article. Apparently, some bad-ass Malaysian DVD pirate ring wants to hunt down and kill 2 dogs, Lucky and Flo, apparently, sniffed out their stash of DVDs and caused those pirates RM3mil in losses. As its media worth, Malaysian govt will now beef up security around the two hounds.

My 2cents worth about piracy: Well, for movies, its good to have pirates, cause you get to "preview" entire movies. But, folks, come on, if you like it, buy original la...

Also, i think pirated DVD makers will face another, and even more furious problems, and that's Bitorrent. With the release of Wimax licenses and growing internet facilities, people are gonna' download movies and stuff right out of their Bitorrent client, for free!!

I hope those DVD pirates don't go after Bram Cohen now..

Source: CNET , Malaysian Wimax License

Monday, March 19, 2007

RSA into AntiTrojan

RSA, famous for its authentication and encryption techniques recently announced a service to protect users from trojans. Called RSAFraudaction, is a service, an end-to-end solution that covers the identification, analysis, blocking, and shutdown of attacks.

RSA will get my vote in their offerings. They have far been quite an authority when it comes to certain aspects in security but only time and trojans will tell...

Would like to check it out more and if there's anything worth the effort, it will be posted :)

Convert stuff for free at Zamzar


Was given this site http://www.zamzar.com. It has the facility to convert stuff like movies, document, images and audio straight from your browser to your email. For free, for real!.

Did try to convert a MOV (Apple Quicktime) and it did quite a wonderful job.

What's even more cool, it can skin Youtube out of its shell and have the video posted into your email. More online video sites supported too.

Check it out and give us a review here.

PS> Erm, one note of caution, i am not too sure of any possible privacy concerns, therefore, i would not use the facilities for confidential and private materials. Perhaps you should read their privacy statement here.

Thursday, March 15, 2007

Windows 2003 Service Pack 2 (and XP Pro 64bit) Released

Without much notice, publicity, hue and cry, Microsoft released Service Pack 2 for Windows 2003. This release introduces significant collection of patches and a couple of new features to the operating system.

From experience, upgrading SP1 of Windows 2003 a while back broke a lot of things including 3rd part applications, so, make you do your homeworks and test in non-production environments before deploying SP2. Please also disable Automatic Updates for SP2 if you wish to do testing first and if Automatic Updates are turned on in your production machines. There's a toolkit available to do this here.


W2K3 SP2: http://www.microsoft.com/technet/windowsserver/sp2.mspx.

Firekeeper - An IPS for Firefox


I came across and installed this tool from mozdev.com that protects Firefox (1.5 or higher) against common browser based attacks on malicious sites. You can create your own rules and block off anomalies if you know how to script the rules out.

The product is currently in Alpha (pre-beta, pre-release), so take all necessary precautions when using in production environments. The rules are taken off and simplified from Snort (http://www.snort.org), the open source Intrusion Detection System.

Check it out: http://firekeeper.mozdev.org

Debug Internet Explorer

When browsing the internet, your browser does a lot to make websites and pages look pretty to you. There's frames, pictures, html, java etc. loaded everywhere in these seemingly simple pages. But, there's more *interesting* information and source codes being loaded in the process of it to while and after your pages appear.

Sometimes, it would be useful to see what component (and their breakdowns) are loading for many reasons including troubleshooting, code debugging & reverse engineering and security snooping!

Download and check out DebugBar (http://www.debugbar.com) for Internet Explorer. Once you've loaded the software, click on View (Tools), Toolbars, click on Debugbar and you'll see a left side frame showing the technical breakdown of the website you loaded in your browser.

NOTE: Although the website doesn't explicitly mention support for Vista and IE7, i've tried and works well.

Wednesday, March 14, 2007

Microsoft OneCare destroys Outlook PST

If you run OneCare 1.5 and have a malware email sent to your Outlook email client, there's a large potential that the OneCare scheduled scanner will place your entire PST file under quarantine or other actions depending on what the administrator has set (which could include even deleting).

What's really disturbing is that this problem existed in version 1.0 and was fixed and now in version 1.5, the issue crops up again, and with its exposure of its products, it smaked off lots of innocent user's PST file.

There's a patch expected to be released Tuesday (today 13th).

The issue could also affect other email clients including Outlook Express, so do exclude email extension for scheduled scans for now till M$ fixes their boo boo (Again!!!)

Tellme Networks - Phone based google?

Imagine, just pickup the phone, dial a few numbers, then simple speak your search criteria and you get information just like how you would get by doing a search on Google, MSN or Yahoo.

Tellme Networks - The phone based google to search for information, people and businesses. Living here in KL, i wouldn't wanna try it but if you want, give it a shot. 1-800-555-TELL (8355).

Also, rumors have it that Microsoft is planning to buy these guys over. I guess the software giants see a potential in a solution of such, perhaps its time to pay a lil' attention,

Tellme....what the future (may) hold.

Link: www.tellme.com

Google Calendar vs. OpenXchange Calendar

Our CEO recently request me to do a write up, a comparison between the above products. So after about 2 hours of playing around with both calendaring solutions my conclusion in shortest form possible, Google is fancy and OpenXchange is sufficient.

Links:
OX: www.open-xchange.org
Google: www.google.com/calendar

Summary:

Both Google Calendar (GC) and OpenXchange’s Calendar (OX) has pretty much the same features from a shared calendaring point of view. Both products require an account with the basic email, where other users can share some or parts of the entire calendar. Both products are easy to use from their web consoles but OX offers a connector to use in your native Outlook.

From a business processes and functional point of view, both products can achieve almost similar functionalities but OX is an internal product thus the creation and maintenance of accounts can be managed by our local support and helpdesk

Google Calendaring features that got my eye.

  1. Calendar sharing – Everyone with a Gmail account is entitled to use this feature through web or GoogleDesktop
  2. You can create events inside your calendar and then share them by means of invitation, even if they don’t use Google (as Google implements iCal, a standards compliant calendaring which can integrate with popular email clients such as Outlook, Outlook Express and Mozilla Thunderbird.) However, the information in those email clients are static thus changes to the calendar would need another invite.
  3. Natural language recognition – If you type “Meeting with BNM at 12.30” it will automatically create a related event with the related time/date in that natural sentence (using quick add function)
  4. Ability to create events and invite guests with reminders, guest comments, RSVPs
  5. Ability to publish calendars privately (so you can privately view your calendar without logging in) or publicly (so you could share with the world and have people either edit/manage events/entries)
  6. Ability to create multiple calendars per user
  7. Ability to search by time, location and natural search
  8. Calendars are accessible through mobile phones
  9. Ability to get invitations through SMS and emails.
  10. Ability to integrate with Google Desktop which means we do not need to login to gmail
  11. Ability to “take the calendar” to our own domain e.g. mcsb.com
  12. Import and export existing calendars to Google

OpenXchange Calendaring

  1. Calendar sharing – Everyone with our email system can use this feature through either web or Outlook (it’s a piece of software has a price to it)
  2. You can create events inside your calendar and then share them by means of invitation, even if they don’t use Google (as Google implements iCal, a standards compliant calendaring which can integrate with popular email clients such as Outlook, Outlook Express and Mozilla Thunderbird.) However, the information in those email clients are static thus changes to the calendar would need another invite.
  3. Ability to create events and invite guests with reminders and RSVPs
  4. Ability to search calendars using natural search
  5. Import and export existing calendars to OX
  6. It’s our own email server which means we can do pretty much everything we want
  7. New version includes RSS feeds
  8. Ability to integrate with Project Management modules in their Groupware