Book review – Spies Among Us

Spies Among Us: How to stop spies, terrorists, hackers and criminals you don’t even know you encounter every day by Ira Winkler was a little disappointing, we thought. The most likely reason is that we’ve heard it all before. Security isn’t a destination, it is a process, as all good security professionals know. Ira’s book covers a wide range of topics but the answers are always very simple and usually just require common sense. We suppose that in this day and age that is what is missing from most people. Why would someone from Nigeria ask you to allow them to transfer money through your account for a significant handling fee? C’mon, now really, but you’d be amazed at how many people that scam alone fools. From memory we think email scams are Nigeria’s largest export earner.

This book is probably a good read for someone who really hasn’t had to think too much about security. It does provide plenty of real world examples of how professionals perform penetration tests of businesses and generally how they walk away with the information they require within a few days. It is probably a good book to get your boss to read to convince them to spend more on security, but as we all know this is highly unlikely. Why? Simply because security is all about maintaining the status quo in management’s eyes. They think that it doesn’t contribute to profits and it doesn’t reduce expenditure, so what good is it? In the face of this sort of attitude we like to ask – “What do you have to do to be 100% certain that a break-in will not re-occur once your computer systems have been compromised?“ – Answer: “The only way to be 100% certain is to wipe EVERYTHING (servers, workstations, the lot) and reload“. How expensive is that going to prove, boss?

The cost of proactive security is always far cheaper than reactive security, but not many businesses understand that until it is too late. If you don’t see the benefit of security then read Spies Among Us before your business becomes a victim.

Why isn’t this a critical update?

Got wireless? Have you got this “patch” from Microsoft? KB917021. If you don’t then I’d make sure that you do. You’ll also have to download it MANUALLY, yes manually; it is not available from Windows Update at all. Why is this “patch” important? Well …

Changes for nonbroadcast networks

In Windows XP with Service Pack 2, Wireless Auto Configuration tries to match preferred wireless networks to wireless networks that broadcast their network name. If no network matches a preferred wireless network, Wireless Auto Configuration sends probe requests to determine whether the preferred networks are nonbroadcast networks. In this manner, a Windows XP wireless client advertises its list of preferred wireless networks. An observer may monitor these probe requests and configure a wireless network by using a name that matches a preferred wireless network. If the wireless network is not secured, this network could enable unauthorized connections to the computer.

Yes, you read right. If you have Windows XP with Service Pack 2 and all the patches, and a wireless adapter that you leave on even when it is not connected to a wireless access point, then without this patch Wireless Auto Configuration sends probe requests to determine whether the networks you have previously connected to are there. Bottom line: the Windows XP wireless client tells anyone who wants to listen its list of preferred wireless networks. This ain’t good.

Also, while you are in fiddling with your wireless settings, turn off your wireless adapter’s ability to connect to ad hoc networks. This option is enabled by default on Windows XP and may allow someone to connect to your computer via an ad hoc wireless network if you leave your wireless card turned on.

Safest bet? When you aren’t using wireless on your laptop – turn the adapter off.

DNS Vulnerability

Possible DNS vulnerability on SBS2003 server as per the Microsoft article:

http://www.microsoft.com/technet/security/advisory/935964.mspx

The simple fix for the time being is:

1. On the Start menu click ‘Run’, type ‘Regedit’ and then press Enter.

2. Navigate to the following registry location:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters”

3. On the ‘Edit’ menu select ‘New’ and then click ‘DWORD Value’.

4. Where ‘New Value #1’ is highlighted type ‘RpcProtocol’ for the name of the value and then press Enter.

5. Double click on the newly created value and change the value’s data to ‘4’ (without the quotes).

6. Restart the DNS service for the change to take effect.
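The same six steps as a script, so the change can be applied the same way on every DNS server and verified afterwards. This is an added example, not part of the original post or the Microsoft advisory; it assumes an elevated PowerShell prompt on the server (PowerShell is not installed by default on SBS 2003, so the `reg add` equivalent is noted below) and uses only the key, value name and data quoted in the steps above.

```powershell
# Added example (not from the original post): apply the RpcProtocol=4 workaround
# from the steps above and restart the DNS service, then read the value back.
# Assumes an elevated PowerShell prompt on the DNS server.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'
$Wanted    = 4

if (-not (Test-Path $KeyPath)) {
    throw "DNS Parameters key not found at $KeyPath - is the DNS Server service installed?"
}

# Record the current value so the change can be reverted once a real patch ships.
$before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $before) { Write-Host "$ValueName is not currently set" }
else                   { Write-Host "$ValueName is currently $before" }

# Steps 3-5: create (or overwrite) the DWORD value.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Wanted -Force | Out-Null

# Step 6: restart the DNS service so the change takes effect.
Restart-Service -Name 'DNS' -Force

# Verify both the registry value and that the service came back up.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne $Wanted) { throw "Expected $ValueName=$Wanted but found $after" }
$status = (Get-Service -Name 'DNS').Status
if ($status -ne 'Running') { throw "DNS service is $status after restart" }
Write-Host "$ValueName is now $after and the DNS service is running"
```

Without PowerShell the two commands that matter are `reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v RpcProtocol /t REG_DWORD /d 4 /f` followed by `net stop dns` and `net start dns`. Whichever way it is applied, keep a note of the value you set so it can be removed when Microsoft releases the proper fix.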

Apply service packs manually

So we have been testing ISA Service pack 3 on our virtual machines without issue. Next stage was to load it onto our production machine. Normally, we recommend that any service pack be manually downloaded and installed rather than being applied from Windows Update. However, since we’d had such success at installing the service pack from Windows Update we thought, “What the hell?”

During the installation via Windows Update we got the following nasty error:

Error 0xc004038b

The Microsoft server storage service is unavailable

What the? Ok, now the firewall service is stopped and won’t restart. Hmmm…ok reboot. When the system reboots we get a failure to find a boot device. Ok, so now this is looking really bad.

Well, it turns out the CDROM was faulty and being the first boot device it was working just enough to allow the system to think that it could boot to it but failing enough to prevent it booting. So after replacing the CDROM we could boot to the server console screen again – Phew. Problem was the Firewall service still wouldn’t start. So we had to download ISA 2004 Service Pack 3 via another machine and then apply it to the server.

One more reboot later and everything is back the way it should be, functioning happily. Lessons learnt:

– Only apply service packs for applications after downloading them manually

– A faulty CDROM can cause your system not to boot.

Now we’re just waiting on Patch Tuesday from Microsoft. There should be a few updates tomorrow for us to install – again.

Shadowprotect IP address not "sticking"

We have been using Shadowprotect of late to image server hard disks. Typically, before we do a major upgrade or service pack install we boot to the Shadowprotect CDROM and image the contents of the disk to an external USB hard disk. Now this is great provided the machine supports USB2 (480MB/sec transfers) but really bad if it only has USB1 (11MB/sec transfers). So what do you do if the machine only has USB1, which many “older” servers have?

You can typically do a transfer via the network card, since network cards in servers typically support 1,000MB (Gigabit). With Shadowprotect you can enable networking and make use of Windows networking to image to another machine. Problem is when we booted to the latest version of Shadowprotect the IP address we wanted wouldn’t seem to “stick”. Turns out there is a bug in the latest version of the networking. The way that you overcome this is simply to boot into the “legacy” environment (which is an option during the boot of the Shadowprotect CDROM). Once in the legacy environment you set an IP address, map a network drive and then backup/restore data at high transfer speeds.

ISA 2004 trace files

We were recently checking free space on the C: drive of a server and discovered two HUGE (>400MB) files: ISALOG.BIN and ISALOG.BAK. What are these? Well:

ISA Service Pack 2 includes an error-level tracing mechanism that operates continually in the background. If necessary, the tracing information is available for Microsoft Product Support Services. The tracing mechanism does not collect personally identifiable information.

Tracing takes place in the background, and has a negligible effect on ISA Server performance. A 400 megabyte (MB) file (%windir%\debug\isalog.bin) is created by Service Pack 2 on each computer running ISA Server services, to contain the tracing information.

We recommend that you use the default settings for this feature. However, if you want to modify the tracing mechanism, you can do so through the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ISATrace. To change the size of the file used by tracing, change the value of CircularlLogSizeMB. To disable tracing, change the BootTracing value to 0. This does not delete the file, which has to be deleted manually. After registry changes, restart the computer so that the changes take effect. If you create the registry key before installing Service Pack 2, and set the BootTracing value to 0, the tracing file will not be added during the installation, and tracing will not be enabled.

Full info – http://www.microsoft.com/technet/isa/2004/plan/sp2.mspx

Interestingly they reside on the C: drive of our server even though ISA is on D:. We can’t really see the need for them so perhaps we’ll reduce their size since space is currently a bit of a premium.

It would have been nice to know that we’d lose almost 1GB of free space by installing ISA 2004 SP2! But now we do right?
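Before shrinking or disabling the trace, it is worth seeing what the files actually cost and what the registry currently says. The script below is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell prompt on the ISA server, uses the ISATrace key and the BootTracing value exactly as quoted above, and spells the size value name as the quoted documentation does (check it against the linked Microsoft page before relying on it). As the documentation says, a reboot is still needed and the old files are never deleted for you.

```powershell
# Added example (not from the original post or from Microsoft): report the ISA 2004
# SP2 trace files and registry settings, then optionally shrink or disable tracing.
# Assumes an elevated PowerShell prompt on the ISA server. Reboot afterwards.
param(
    [int]$NewSizeMB = 0,        # > 0: set the circular log size in MB
    [switch]$DisableTracing     # set BootTracing to 0
)

$TraceKey   = 'HKLM:\SOFTWARE\Microsoft\ISATrace'
$SizeValue  = 'CircularlLogSizeMB'   # spelled as in the quoted documentation; verify
$DebugDir   = Join-Path $env:windir 'debug'
$TraceFiles = 'isalog.bin', 'isalog.bak'

# 1. Show the trace files and their sizes so you know how much space is at stake.
foreach ($name in $TraceFiles) {
    $f = Join-Path $DebugDir $name
    if (Test-Path $f) {
        $mb = [math]::Round((Get-Item $f).Length / 1MB, 1)
        Write-Host ("{0,-45} {1,8} MB" -f $f, $mb)
    } else {
        Write-Host ("{0,-45} (absent)" -f $f)
    }
}

# 2. Show the current settings. The key only exists once someone has customised it.
if (Test-Path $TraceKey) {
    Get-ItemProperty -Path $TraceKey | Select-Object BootTracing, $SizeValue | Format-List
} else {
    Write-Host "$TraceKey does not exist; default tracing settings are in effect."
}

# 3. Apply the requested change, creating the key first if it is missing.
if ($NewSizeMB -gt 0 -or $DisableTracing) {
    if (-not (Test-Path $TraceKey)) { New-Item -Path $TraceKey -Force | Out-Null }
    if ($NewSizeMB -gt 0) {
        New-ItemProperty -Path $TraceKey -Name $SizeValue -PropertyType DWord -Value $NewSizeMB -Force | Out-Null
        Write-Host "Set $SizeValue to $NewSizeMB"
    }
    if ($DisableTracing) {
        New-ItemProperty -Path $TraceKey -Name 'BootTracing' -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Host "Set BootTracing to 0"
    }
    Write-Host "Reboot the server for the change to take effect."
    Write-Host "The existing files in $DebugDir are not removed automatically; delete them after the reboot."
}
```

Run it with no parameters first to see the sizes and settings, then with `-NewSizeMB 100` or `-DisableTracing` once you have decided. Keep in mind the quoted text: this trace is what Microsoft Product Support will ask for if you ever need to open a case on the ISA server, so a smaller file is a safer compromise than turning it off entirely.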

Uninstalling Symantec Livestate 6.x

Recently attempted to uninstall Symantec Livestate Recovery V6.0 so we could upgrade to V7.0 and it failed with the following error: Internal Error 2343. After contacting Symantec support it turns out that they have a special batch file that “uninstalls” V6.0. Beware that there is a different batch file if you want to uninstall V6.5, so make sure that you ask Symantec Support for the right version.

We ran the batch file and rebooted the server and came up with a services not started error. When we went into Administrative Tools | Services we found that there was still a Livestate service. We would have thought that the batch file removed this. Symantec tech support also confirmed that this should have happened. It wasn’t until we mentioned that we have installed Livestate on drive D: that Symantec tech support informed us that the batch file assumes that Livestate is on C: drive. D’oh.

So if you have installed Livestate 6.X on anything but the C: drive you’ll need to make the following changes after you run the batch file Symantec tech support provide:

1. Run Regedit and delete the following entries:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall – find the LiveState Recovery entries and delete them.

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Symantec LiveState Recovery
     HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveState Recovery

2. Delete the LiveState folder in Program Files

3. Restart the server
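The three clean-up steps above, as a script that takes the real install location as a parameter so the “it assumed C:” problem cannot bite again. This is an added example, not Symantec’s batch file and not code from the original post; it assumes an elevated PowerShell prompt, that Symantec’s batch file has already been run, and that the install folder is the one given in `$InstallRoot` (the D: path below is a guess matching the post and should be replaced with yours).

```powershell
# Added example (not Symantec's batch file, not from the original post): finish the
# LiveState Recovery 6.x removal on a server where the product was installed on a
# drive other than C:. Run elevated, after Symantec's batch file.
param(
    [string]$InstallRoot = 'D:\Program Files\Symantec\LiveState Recovery',  # assumed; set to your real path
    [switch]$DryRun      # list what would be removed without removing anything
)

$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$LeftoverKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Symantec LiveState Recovery',
    'HKLM:\SOFTWARE\Symantec\LiveState Recovery'
)

# Step 1a: uninstall entries. The subkeys are GUID-named, so match on DisplayName,
# which is what you would look for when finding the entries by hand in Regedit.
Get-ChildItem -Path $UninstallKey | ForEach-Object {
    $display = (Get-ItemProperty -Path $_.PSPath).DisplayName
    if ($display -like '*LiveState Recovery*') {
        Write-Host "Uninstall entry: $($_.PSChildName) ($display)"
        if (-not $DryRun) { Remove-Item -Path $_.PSPath -Recurse -Force }
    }
}

# Step 1b: the service key and product key the batch file leaves behind when
# the product is not on C:.
foreach ($key in $LeftoverKeys) {
    if (Test-Path $key) {
        Write-Host "Registry key: $key"
        if (-not $DryRun) { Remove-Item -Path $key -Recurse -Force }
    } else {
        Write-Host "Already gone: $key"
    }
}

# Step 2: the install folder. Refuse anything that does not look like the
# LiveState folder so a mistyped parameter cannot remove all of Program Files.
if ($InstallRoot -notlike '*LiveState*') {
    throw "Refusing to delete '$InstallRoot': path does not look like a LiveState folder"
}
if (Test-Path $InstallRoot) {
    Write-Host "Folder: $InstallRoot"
    if (-not $DryRun) { Remove-Item -Path $InstallRoot -Recurse -Force }
} else {
    Write-Host "Folder not found: $InstallRoot"
}

# Step 3 is left to you: restart the server once the above has run cleanly.
Write-Host "Done. Restart the server to complete the removal."
```

Run it once with `-DryRun` to see exactly which uninstall entries and keys match before letting it delete anything; the DisplayName match is deliberately narrow so that other Symantec products on the same server are left alone.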