Effective security or security theater?

I got back in yesterday morning from a whirlwind trip to the west coast (hence the light blogging).  In the middle of our trip, we started hearing the reports of the big terrorist bust.  

We were fearing the worst when we got to San Francisco airport on Friday night. American Airlines told us to get to the airport three hours before the flight to make sure we could get through.

Of course, the actual security check-in only took about 10 minutes.  For the first time in years, I got a pat-down, but otherwise, it was without incident.  We had hours to spend in the airport, which meant that we got to have a relaxing dinner and time to do some light shopping at a book store.  A waste of time but what the heck.

But I wonder about the security measures taken at airports these days.  Bruce Schneier editorializes today as to his thoughts on the matter:  

Hours-long waits in the security line. Ridiculous prohibitions on what you can carry onboard. Last week’s foiling of a major terrorist plot and the subsequent airport security graphically illustrates the difference between effective security and security theater.

None of the airplane security measures implemented because of 9/11 — no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews — had anything to do with last week’s arrests. And they wouldn’t have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn’t have made a difference, either.

Link here.

Good, solid intelligence work is what busts these plots.  9/11 was a failure of the intelligence community, not necessarily a failure of airport screeners.  The data was there, but it was ignored. 

While airport screeners have gotten much more polite and it’s not nearly as rough a situation as it was in the months after 9/11, we need to remind ourselves as a country that air travel is a vital, integral part of our economy.  Perhaps this means that we should stop allowing any bags, cell phones or laptops.  If that’s the case, then fine, let’s just make the decision and start making the security check-in process a rapid, pleasant experience.  It’s stressful enough to travel these days without having to deal with worrying about shaving cream and lighters.

Alex Eckelberry

Sunbelt IT Security Recap for the week of August 14

Homeland Security: Fix Your Windows
In a rare alert, the U.S. Department of Homeland Security has urged Windows users to plug a potential worm hole in the Microsoft operating system. The agency, which also runs the United States Computer Emergency Readiness Team (US-CERT), sent out a news release on Wednesday recommending that people apply Microsoft’s MS06-040 patch as quickly as possible. The software maker released the “critical” fix Tuesday as part of its monthly patch cycle. The flaw addressed in MS06-040 is the only one among the updates that could let an anonymous attacker remotely commandeer a Windows PC without any user interaction. There will soon be worms that’ll exploit this MS06-040 vulnerability, so be quick to fix! It’s all over the press, but ZDNet has a good write up here.

Our friends at eEye created a free scanner that you can run on your network and quickly check which machines are vulnerable: It’s called the Retina MS06-040 NetApi32 Scanner and is here.

IT Pro: My Nine Biggest Professional Blunders
We’ve all had at least one or two embarrassing moments on the job, whether they involved inadvertently wreaking havoc on a system, making a social gaffe, or mishandling a project. IT pro Becky Roberts decided to come clean and share her worst career moments —along with the lessons she took away from each experience.

Mark Russinovich Teaches Very Last Public Windows Course
By now, many of you have heard about Microsoft’s acquisition of Sysinternals and Winternals and that Mark Russinovich has joined Microsoft in the Platforms and Services Division. Mark will be teaching his last public Windows OS internals and advanced troubleshooting class with David Solomon on September 18-22 in San Francisco. (David will continue to offer the class through his company, see www.solsem.com). For details or to register, click here.

Aberdeen Messaging Security Survey Invite
If you are into messaging security and want some free, fresh research, spend 10 minutes and fill out this survey. All responses are kept anonymous and the report strictly contains averages and statistics based on the results. To show their appreciation to anyone taking the time to fill out the survey, AberdeenGroup will send all survey participants a final copy of the report which they normally sell for $399. Here is the description of the survey:

AberdeenGroup is conducting a study to explore the successful methods used by best-in-class organizations to secure email, instant messenger, and web based communication while revealing the impact messaging security has on productivity and operational costs. Specific technologies will include inbound and outbound message and content inspection and control, anti-spam and phishing detection and protection, encryption, and messaging compliance monitoring and enforcement solutions. The solutions that will be examined will include appliances, software (server and desktop), messaging server, custom developed and ASP offerings based on both commercial and open source technologies. Take the survey here.

Windows Vista Upgrade Paths
WinITPro created a nifty little table that clarifies what Microsoft released about the available upgrade paths to the various versions of Vista. Any other versions of current OSs, including Windows 2000 and 64-bit versions of Windows XP, can’t be upgraded and will require a clean installation.

Step-by-Step Guide: Blocking Peer-to-Peer Applications
Although millions of people use peer-to-peer applications, don’t for a moment think these apps are above suspicion. They pose some very serious threats to your organization’s security. Learn more about these threats and ways to block peer-to-peer applications in this guide, here.

In-depth Guide: Server Consolidation Via Virtualization
In this special report, industry experts offer advice on why, when and how to use virtualization technologies to consolidate server workloads. At the new SearchServerVirtualization site here.

Windows Update Bug Brings Computers To Crawl With Scan
Windows experts said a bug in Microsoft Update causes computers to slow down considerably when scanning the system. Microsoft is looking into the problem. Find out more in this article at SearchWinIT here.

Redmond Comes Out With VoIP Hub
Did you know that MS is working on a single real-time communications and collaboration platform that includes a software-based voice infrastructure aimed at replacing IP-based voice hardware? Yup! They are going after those IP phones on your desk.

This Tuesday, Microsoft added yet another piece to the IP-based backend it is creating when it announced that its voice recognition technology would be folded into its forthcoming VoIP hub. The whole story is at Network World, and worth checking out, here.

Standardizing Management Modeling Language
Network World also came out this week with an interesting piece of news about Microsoft taking a first step toward standardizing a management modeling language. This week Microsoft said it was working with a bunch of partners to create a standard modeling language designed to help corporations better manage their infrastructure.

Redmond and partners released the draft spec of the Service Modeling Language (SML), which is supported by system management heavies like HP, IBM, BEA, BMC, Cisco, Dell, EMC, Intel and Sun, and is based on Redmond’s System Definition Model. If you run a large environment, this is worth reading, here.

Linux Cannibalizing Unix
According to IDC, in the US government enterprise server market, Unix is losing share to Linux. Unix used to be really strong in that segment, but it’s losing steam, being eaten alive by Linux which will rise from 11.6% in 2004 to 15.2% by 2009. Poor old Unix will drop from 34.8% to 30.1%.

Microsoft Readies VM Manager Beta
Microsoft’s foray into virtual machine management came closer to reality with the release of the first beta for its Virtual Machine Manager. Link here.

Stu

Sunbelt TechTips for the week of August 7


How to decide whether to upgrade to 64 bit XP
Have you been tempted by the availability of 64 bit hardware to buy a new computer, but wondering what you’ll lose if you switch to the 64 bit OS? Aside from the issues over Blue Pill discussed in today’s editorial, here are some other things to be aware of before you take the plunge:

  • You can’t upgrade 32 bit XP Pro to XP x64 and preserve your settings. However, you can dual boot the two on the same computer.
  • MS-DOS and 16 bit Windows programs won’t run on XP x64, so if you have any of these that you still use, you’ll need to keep a 32 bit system around, or dual boot, to run them.
  • Hardware devices must have 64 bit drivers to run on the 64 bit OS. Otherwise they won’t work.
  • You can run 32 bit applications on XP x64, but they run in a Windows On Windows (WOW) subsystem.

If you’re running a 64 bit edition of Windows, let us know what you think. What 64 bit processor do you use (AMD or Intel)? What, if any, compatibility problems have you had (hardware and software)? What advantages have you noticed? Is the extra performance worth it? 

How to use the Network Diagnostics Tool
Networking problems are one of the most frustrating types of computer problem you can have these days, since so many applications – including browsing the Web – depend on Internet connectivity. Because networking is complex and just one wrong setting can cause you to get those irritating “cannot display the webpage” messages in IE, these problems can also be tough to diagnose. But you can better track down what’s wrong and fix it with Microsoft’s Network Diagnostics Tool. Find out how to get and run it here.

And for a detailed tutorial on using it, see Charlie Russel’s article here.

You get error messages when you try to start or install an MS-DOS or 16 bit program
You can run old legacy programs written for MS-DOS or 16 bit Windows on your XP computer, but sometimes you might find that you get error messages saying the system file is not suitable for running MS-DOS and Microsoft Windows applications. Your only option is to select Close to terminate the application. What’s up with that? Usually, it means your config.nt, autoexec.nt and/or command.com file is missing or corrupt. You can fix the problem by reinstalling the files from the XP installation CD. For instructions on how to do so, see KB article 324767.

Explorer.exe stops responding when you use network shortcuts
If you have a Windows XP computer with SP1 or SP2 installed and you’ve also installed security update 821557, you might find that Explorer.exe stops responding and hangs up if you try to access network shortcuts on another computer using the shortcuts in My Network Places. This happens because of an increase in network traffic. There’s a hotfix available that will fix the problem, but Microsoft recommends you install it only if you’re severely affected by the problem. To find out how to get it, see KB article 841978.


“Up” button replaced by something better
The new Windows Explorer interface in Vista takes a little getting used to. We’ve had several folks ask “Where’s the ‘Up’ button that used to let us go up one level in the file structure?” and the answer is: it’s gone. But that’s actually not a problem, because it’s been replaced by something better. The folder path shown in the address bar is now clickable – you can click on any level in the path to go up one or more levels instantly (instead of clicking “Up” several times to go up several levels). It makes navigation easier – once you get into the habit. Try it; we think you’ll like it.

Black Hat attendees impressed with Vista security efforts
The Black Hat crowd isn’t an easy one to impress, and many attendees come in with a pre-set anti-Microsoft attitude, so it was interesting both that Microsoft decided to put their Vista security improvements “out there” at this year’s conference, and that a surprising number of those in attendance admitted to being impressed with those improvements. Read more here.

Deb Shinder

 

The Little Blue Pill, the Big Black Hat, & Security Alarmism

As computer users, we want to know when there’s a threat out there that makes our systems vulnerable to attack. Like Neo in The Matrix, most of us have no desire to take the little blue pill that will make us think all is well when it’s really not. On the other hand, we don’t like alarmists who scream from the rooftops that the sky is falling and make the latest computer security threat sound like doomsday incarnated. Sometimes it’s hard to know where the middle ground is.

We’ve gotten email from several readers over the last couple of weeks, concerned about a new type of malware that was created by a Singapore security researcher named Joanna Rutkowska and appropriately named Blue Pill. IT publications and blogs have sounded the alarm bells, touting the “undetectable” nature of the code and, in some cases, implying that the scope of the threat is greater than it is. Here’s a more balanced report.

At last week’s BlackHat computer security conference in Las Vegas, Ms. Rutkowska herself gave a presentation on how this technology works on 64-bit Vista. BlackHat was a logical venue for this type of presentation. The annual conference has been going on since 1997 and brings together IT computer specialists, law enforcement and legal experts, and hackers. I’ve been a BlackHat speaker in the past and my husband Tom developed the course materials for the ISA Ninjitsu training session at this year’s conference and was on hand to field questions.

The presentation demonstrating Blue Pill took place on the second day of the conference. Despite being scheduled at the end of the day, it drew standing room only (or more accurately, “no more standing room”) crowds – not a surprise after all the publicity. Here’s what we’ve learned about the threat:

Blue Pill is a type of rootkit – that is, malware that conceals itself from security software. Although some articles and blogs have given the impression that it’s based on a vulnerability in the Vista operating system, it’s actually based on AMD’s SVM Pacifica virtualization technology (and Rutkowska herself has been very clear that the exploit is not based on any flaw in Vista). The Pacifica technology provides “chip level” virtual partitioning to allow for running multiple operating systems simultaneously on the same computer (virtual machines or VMs). Pacifica is an extension to the 64 bit x86 architecture and is included on the Athlon 64 and Turion 64 processors. Although Rutkowska’s Blue Pill prototype was developed to run on Vista, it can be adapted for Linux or any other 64 bit operating system that runs on this hardware.

The reason this rootkit is so difficult to detect is that the operating system ends up running inside a virtual machine under the hypervisor, while the rootkit itself runs underneath that VM. Since the rootkit files sit outside the virtualized OS, there’s no way for the operating system to detect that they’re there. Microsoft Research had previously developed a proof of concept VM rootkit called SubVirt. You can read more about the VM rootkit concept here.

Here’s the good news: Blue Pill was developed by a security researcher, not a hacker. Rutkowska and others are working on methods for detecting VM-based rootkits. Meanwhile, it’s not out there in the wild. Also, since it’s based on the Pacifica technology, unless you’re running an AMD 64 bit processor, your system is not vulnerable to Blue Pill. (However, Intel also has a hardware virtualization technology called VT, previously code named Vanderpool. It’s possible that such an exploit could be developed for it, too). Finally, Microsoft has vowed to find a way to prevent Blue Pill from being used on Vista before the final version of the OS ships.

Bottom line: it’s great that researchers like Joanna Rutkowska are warning us (and the hardware and software vendors who can do something about it) that threats like this exist. What’s not so great is the way some folks in their blogs and on the message boards are spreading the FUD (fear, uncertainty and doubt) that this is a sign that Vista is not secure. Ms. Rutkowska has diligently tried to counter this misinformation; here is one of her own posts on seclists.org.

What do you think? Should the tech media splash news of new exploit types all over the headlines, or does this just give hackers ideas? Should we wait to report on them until a solution has been found? Do you prefer to know about possible threats, even if they aren’t “in the wild” yet?

Or would you prefer to take a Matrix-type blue pill and live in your own little world, protected from such nasty knowledge? Do tech writers tend to oversensationalize these stories, or do we downplay them too much? 

Deb Shinder

Don’t believe what you see out there

An “amateur” video posted on YouTube turns out to have been made by the slick PR firm DCI, which represents Exxon.


This is a stunt of pure audacity and sheer stupidity. 

I suppose what really ticked me off about this video is that it takes the position that science and fact are boring — and that X-Men is more fun!  Just the kind of message we want to send to our kids.

You can see the awful video at YouTube, here.  More at /.

Alex Eckelberry

PhotoShop in the news

PhotoShop is now in the news after a photographer at Reuters (probably a freelancer) seemingly faked a picture of a bombing in Beirut.

The photo was obviously hacked, and very poorly at that. 

Here’s the modified picture, obviously manipulated:


Via little green footballs.

And here’s the actual picture:


Via Sportshooter.com.

And who exposed it?  A few people on the Internet, apparently starting with a blog post at LittleGreenFootballs.com

Power to the people.

Alex Eckelberry

Update:  Photographer says he was “trying to remove dust marks”.

Sunbelt IT Security Recap for the week of August 7

A new feature of this blog will be weekly IT security news. Targeted at system administrators, it’s a recap of events as well as various tools. From our weekly newsletter, WServerNews.

Redmond’s One Big Vista Mistake
Well, if you believe recently published data from Jupiter Research, about 50 percent of companies either won’t deploy Windows Vista at all or will wait at least 13 months after the system’s November corporate release to begin installation. Why am I not surprised?

There’s a lot that stands in the way. First of all, hardware. You need some pretty advanced ‘schtuff’ to run Vista flawlessly. But there are also upgrade issues. For instance, W2K users will not be able to upgrade to Vista, but can buy it at a discount (you will need a clean install though). XP Pro users will only be allowed to upgrade to the Vista Business and Ultimate editions due to complications arising from built-in XP Pro features.

And what is Redmond’s One Big Vista Mistake? Ballmer admitted recently that one big, wrong decision led to all the Vista delays. They took a “Big Bang” approach and tried to overhaul all of the OS core components at the same time. That strategy eventually led to a fiery development crash. But now they have their act together, and the new OS seems to be a lot more secure than earlier ones. The proof is in the pudding though, so we’ll believe it when we see it.

Check this out: Free Web Employee Directory + Secure Self Service – rDirectory for Active Directory. Link here.

August: Another Big Patch Month
Microsoft will release 12 security bulletins next Tuesday to fix holes in both Windows and Office. Ten patches are for Windows, with at least one rated as “critical”. The other two security updates, at least one of which also is rated “critical,” affect Office. The patches, some of which will require a restart, will be released on Aug 15. That same day, Microsoft will release an updated version of its Windows Malicious Software Removal Tool.

Learning Guide: Managing Virtualized Environments
This guide explores best practices and pitfalls to avoid when managing virtualized environments. You’ll find virtualization performance, security and configuration checklists, tips, white papers and more to help you manage your virtual environment efficiently (free registration required).  Link here.

Three Ways To Improve Wireless Network Access For Your Users
Wireless networking has been a massive boon for those organizations with employees constantly on the go who need to have network access no matter how far they are from a LAN port. If your company has workers who rely on wireless networking, here are three tips to improve your wireless strategy – especially if the company has it in multiple locations (free registration required).  Link here.

Why HTTP Can Hurt Exchange ActiveSync Attachments
Exchange ActiveSync uses certain custom extensions on the HTTP protocol — called HTTP “verb” commands — that are sent in the context of an HTTP request to tell the server what the mobile client is trying to accomplish. If one of these “verbs” is blocked by a proxy, firewall or server-side constraint, attachment synchronization to mobile devices will fail. The same issue can create SharePoint errors as well. At SearchExchange, here.

Filemon, Regmon Will Stay Free
Sysinternals founder Mark Russinovich says Microsoft’s top priority is keeping widely used admin tools like Filemon, Regmon and Process Explorer freely available. At SearchWinIT.com here.

eWEEK Labs Review: From MOM to SCOM?
Microsoft SCOM 2007 streamlines a host of operations, but there’s no upgrade path. System Center Operations Manager (SCOM) 2007 Beta 2 is a big step forward for Microsoft’s management platform, although there is no way to upgrade current MOM installations. New user roles, design templates and discovery methods will ease installation and make the product easier to use in audit-conscious organizations. The Lab Review is recommended; it’s at the eWEEK site, here.

Redmond Management Deck Shuffle
Microsoft announced yesterday that Brian Valentine, senior vice president of the Windows Core Operating System Division (COSD), Dave Cutler, a senior technical fellow, and Amitabh Srivastava, corporate vice president of COSD, will leave the Windows team after the completion of Vista to pursue other opportunities within the company. After Vista is released to manufacturing, Cutler and Srivastava will work to develop Microsoft’s Live online products and services directly with Ray Ozzie, Microsoft’s Chief Software Architect. Jon DeVaan will serve as senior vice president of engineering and will share co-leadership of COSD with Valentine until his departure. DeVaan will assume full control of the division following Valentine’s exit.

Get Yer Red-Hot Compute Cluster Servers Rite Heah!
As expected, Microsoft announced this week customer availability of its first entry into high-performance computing circles. Windows Compute Cluster Server 2003 was released to manufacturing (RTM) in July with customer deliveries starting this month. Read more at ENTMag, here.  

Microsoft Reveals Additions to W2K3 SP2
Redmond revealed more detail about some new features of the coming SP2 for Windows Server 2003. The development team released more data on their Windows Server Division Weblog this week. Instead of repeating everything, you should definitely check out their blog!

Stu

Internet Traffic Report client


Want to know exactly what’s happening on the net, without having to launch a browser every time? You could always use the Internet Traffic Report (ITR) client from Analog/X: 

So just what exactly will this wondrous program do? Most of the time it will sit happily in your system tray (normally in the lower right of the desktop, where the time is shown). While in the system tray, it will indicate the current ITR rating for network performance. Not in the US? No problem, in the configuration you can specify which region you would like to monitor, and that will be the ITR rating displayed! But the ITR client doesn’t stop there, it also includes a super-fast trace route utility to help spot problem areas on the Internet, as well as let you see what other computers you move through when going to other locations on the net. A visual ping utility is included, to help visualize what’s happening – while the graphs look cool, the important information is the minimum, maximum and average output displayed at the bottom.

It’s on their links page. There is a blue sidebar on the right of the page that has their tools on it, where you can download the ITR client.  Page link here or you can click here for a direct download.

Alex Eckelberry

Sunbelt August seminar on spyware

Seattle: “Winning the War on the Spyware Battlefield” – Join renowned spyware researcher and Sunbelt’s Director of Malware Research, Eric Howes, for an engaging discussion on the scope of the spyware problem, as well as outline how CounterSpy Enterprise can help better protect your organization from spyware threats.

Hosted at the Microsoft office in Issaquah, WA on Thursday, August 24th. Register here.

Alex Eckelberry

Google gets more proactive on protecting surfers

You may notice that Google is getting a bit more proactive about protecting surfers.  For example, we ran across this site today, with a warning from Google:


Users are referred to StopBadware.org, the Harvard-based organization with corporate sponsorship from Google and Sun (Sunbelt’s Eric Howes is on its working group).

Alex Eckelberry
(Thanks Adam Thomas)

Did Michael Lynn really crash the Cisco party at Blackhat? Hmmm…not so sure about that

I’m a bit confused. Network World, a worthy and highly respected IT publication, ran a story this morning with the headline: “Juniper researcher Michael Lynn crashes Cisco party at Black Hat”.

The article goes on to say:

“…Michael Lynn, who now works for Cisco rival Juniper Networks, evaded the security checks Cisco had put in place for the party, which included a name check and legal identification. Lynn and his friends, declaring “Cisco owes us a drink,” gleefully posed in front of a Cisco sign inside the Pure Nightclub.”

Not true, according to Gadi Evron, who actually went to the party with Michael Lynn.

We went to the party, registered, said hello to a couple of Cisco employees who knew who each and every one of us was (bouncers), a club bouncer, and entered the party. One of many community fun after-parties that come with these conferences.

So far so good. Cisco was fun and the party was great. Mike spoke with many Cisco guys (no hard feelings on either side, it seems, we’re all in the same industry) and we even got our pictures taken together.

Link here.

Alex Eckelberry