Category: Uncategorized

Remember the old kids’ mantra celebrating the arrival of summer? “No more pencils, no more books, no more teacher’s dirty looks.” Well, students may be stuck with that last one for a while longer, but the first two are about to become obsolete year ’round, at least in some school districts.

My local newspaper ran a story last weekend titled “Schools toss aside texts for e-books”. It seems several districts in our area are doing away with traditional textbooks altogether. And who can argue with the fact that electronic books offer several advantages? They’re a lot easier to keep up to date, and they certainly weigh a lot less than those fat hardbacks that students are used to lugging around. Kids can carry dozens of books with them in the same space and weight that one “real” book occupies.  Link.

On the other hand, the digital nature of e-books also makes it easier to manipulate the content (a little rewriting of history, anyone?), and in order to use them, each student needs a computer. Asking parents to buy a laptop along with the rest of the list of first day school supplies seems a bit much, so the schools themselves are buying them and issuing them to students (at a cost of almost $900 each, according to the article). So, while students and teachers may be happy about this new way of doing things, already overburdened taxpayers may be less so (my property taxes for the public school district this year are well over $4000 – more than the taxes for the city, county, hospital district and community college district combined – and my district hasn’t even started buying laptops yet).

I’m a big advocate of teaching everyone to use new technology, but it seems to me there are some practical problems with this approach that haven’t been considered (or at least, haven’t been mentioned by reporters enamored with the “cool factor” of what the schools are doing). For instance, administrators expect to have to replace the laptops every four years. I wonder if that’s realistic, considering the fragile nature of portable computers combined with the rambunctious nature of school children.

What happens if a child drops his computer on the concrete and demolishes it a week after he gets it? Do the taxpayers get to pay for the repairs or replacement? Or do you require the parents to pony up, like when a child loses or damages a library book? What if they can’t afford it? Does the kid go without a computer (and thus without any of his textbooks) for the rest of the year? Will there be kiosks where kids who’ve lost their computers can stay after school to study?

And as we all know, physical damage isn’t the only thing that can render a computer unusable. Kids love to experiment; when they inevitably delete the wrong files, install some sort of malware, or otherwise mess up the operating system so that their programs won’t run, who’s going to fix it? Will the schools also have to hire on-call tech support personnel to spend all their time troubleshooting software? Or will they teach each child how to format and reimage the hard drive whenever anything goes wrong?

If the children will be doing all or part of their work on the computers (which seems logical and is implied in the article), where will they save their documents? On removable media so that when/if the OS gets corrupted as described above, the data won’t be lost? Will the school issue flash memory cards or USB drives, too, for that purpose? What if a child labors for hours or weeks to complete a paper, and then the file gets corrupted (will “my computer ate my homework” fly any better than the old dog excuse?)? Or will they be required to print everything out? Maybe the school will buy everybody a printer, too?

The article stated that some teachers still order “back up” textbooks to keep in the classroom, but many don’t. Suppose there’s a power outage. Does all learning come to a halt? Or what if the power goes down for the evening in a particular neighborhood? Will the students in that neighborhood be excused for not doing their homework? No more studying by candlelight these days.

How locked down will the student laptops be? Will students be able to get online with them, or will they be configured to use as standalone machines only? If the former, how do you keep kids from using them to chat with friends, surf the web (perhaps to inappropriate sites), play computer games, etc. Or should you even try to restrict their use to learning only?

Of course, the student laptop programs are being pushed by computer vendors (what a surprise) and some educators. But what do you think? Will giving every student a computer better prepare them for life in the 21st century and bridge the digital divide? Or will such initiatives turn into budgetary monsters that will devour taxpayers with far too little return on the investment? Is there a better way to provide access to technology, such as installing the computers in the classrooms instead, or helping to subsidize home computers for students whose families can’t afford them, rather than giving a portable to every child?

Deb Shinder, MVP

Randy Franklin Smith at ultimatewindowssecurity.com wrote us yesterday about some tips for using adminstrative template files (adm) to rapidly roll-out killbits against various zero days.

We continue to get nailed by ActiveX vulnerabilities including advisories on the XMLHTTP 4.0 and WMI Object Broker ActiveX controls. 

This nasty trend of zero-day vulnerabilities leaves you defenseless until Microsoft releases a patch unless you take the time to set the kill bit. 

[I recently] pointed out that a custom administrative template would help you to  push out kill bits via group policy and subsequently roll them back after associated patches are released and deployed.  

Well, don’t bother trying to write the custom ADM template, I’ve already done it for you and shot a video, Death of an ActiveX Control, demonstrating how to install it in about 5 minutes. 

It’s free and there’s no forms to fill out.  To watch the video and download the ADM template browse over to http://www.ultimatewindowssecurity.com/killbit.asp.   I can’t say the video is as dramatic as its title but I think you’ll find the content valuable.

Thanks Randy!

Alex Eckelberry

On the XMLHTTP vulnerability: So far, we have only one confirmed sighting of this exploit, and it’s on an obscure website. If you ask me, this is a pretty crappy exploit (in that it doesn’t work all that well).  We downloaded the page and according to Virustotal, only McAfee detected it. 

Meanwhile, we are seeing the daxtcle.ocx exploit on a couple of sites, but it also is not widespread.

Just be careful out there.

Alex Eckelberry
(Thanks to Roger Thompson)

Looks like the Vxgames crew (nasty malware distributors) is getting into fake codecs. These sites do not have links to files… yet.  

IP: 66.235.181.40   
video3x-codec(dot)com       

IP: 66.235.181.40   
3xcash(dotbiz       

And the lies from the Video3x-codec site:

Q: What is a Video3X-codec?
A: Video3X-codec is a special next generation video codec for ADULT movies only.

Q: How is it work?
A: While processing adult movies, all the peculiarities of them are taken into consideration. So, on the base of that the quality of image and sound is greatly improved and they become more real than an ordinary movie.

Q: What’s the difference between free and paid versions?
A: Paid version does not contain any loadable advertising modules. Movie and codec updates are made automatically and absolutely free.

Q: What do I get if I use the codec? What is it for?
A: You get access to a huge collection of porn movies. Everyday’s update of movies, multinisheness and structered, convenient list.

Q: How often are the movies updated?
A: Practically every day.

Q: Cool! Will it run on my computer?
A: If you computer’s operating system is Windiws 95 – Windows XP, then you can use the codec. It integrates to Windows drivers and you can watch movies by any player, compatible with Microsoft Windows.

Obviously, do not download these codecs.  They are bad news.

Patrick Jordan

There is a new vulnerability out there, and SANS has reported it in the wild.  

We are on the lookout for sites and I will update as we get more information.

For now, here are your references:

Microsoft Security Advisory #927892 “Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution”

Secunia “Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability”

Securiteam “ActiveX – reason of the newest Windows 0-day, again”

CERT advisory.

Alex Eckelberry
(And thanks to Juha-Matti Laurio)

Our Lucha Libre videos are now on YouTube.

 

Round 1

 

Round 2

Alex Eckelberry

If you’re in Orlando for the CSI conference, a number of Sunbelters (including me) will be wandering the halls — causing inordinate amounts of trouble, of course. 

Alex Eckelberry 

Gromozon is a vicious piece of malware which installs on a user’s PC and does almost every crafty trick available to avoid detection and removal, including creating its own user account, using rootkit technology, renaming its files, and a whole host of other nasty things. And it’s certainly popping up on the radar out there in the security community.

But now these Gromozon jerks have gone a step further — making the program itself seem like it’s authored by someone else — a legitimate security researcher.

Of all things, the authors of this malware have inserted code in Gromozon which implicates Marco Giuliani of authoring it! Marco is a perfectly upstanding security researcher who, in fact, created a Gromozon removal tool for PrevX.

It’s absolutely incredible. Marco has the whole story here.

Alex Eckelberry

Ever since the BBC did an article on fake codecs, there’s been a flurry of press on the issue.  We’ve been talking about these for over a year and it’s good they’re getting attention. These fake codecs are certainly out there, and while they are currently mostly used on porn sites, there is certainly the opportunity for them to move to more mainstream venues (no surprise, since porn is often the leading indicator of technology on the Internet.  [I might, however, question seeing these fake codecs on sites like YouTube (baring being promoted through banner advertisements and the like), due to the way these fake codecs work and how videos are uploaded.] 

Now, some of the articles infer that downloading videos themselves is potentially dangerous.  Just to clarify for everyone, these fake codecs need to be installed, which requires a direct user action.  The way they typically work is that you click on a video, and get a fake dialog box which says something like “you need to install this in order to view this video”. 

For example, here’s a sample from today:

First, you get a message in the Windows Media player

Clicking on “click here” brings up the XP security dialog:

That’s a bad codec.  But here’s an example of Zango (180Solutions) doing the same type of thing for the adware Seekmo, isntalled from a video site called smithhappens(dot)com:

In the case of Seekmo, you’ll get popup ads from 180solutions. 

If you don’t allow the codec to be installed, you’re very likely going to be ok (of course, there is always the chance of an exploit being used to install a codec, but I’m giving you the general picture here).

So if you go to a website to view a video and it asks you to install something, be very careful.  Even legitimate codecs like DivX have the chance to be abused.   In the case of DivX, for example, I would go to the DivX site and install it directly.

Alex Eckelberry

Vista: Only the Shadow Folder Knows
One of the most potentially useful new features in (some editions of) Vista is the concept of “shadow folders,” which uses the shadow copy technology to allow you to revert back to previous versions of your files. The shadow copies are created automatically each day, and whenever you install an application or driver. To find a previous version of a file, you just open its Properties and click the Previous Versions tab — but note that this feature only comes with the Business, Enterprise and Ultimate editions of Vista. See how it works here.  

How to Reinstall System Restore
The System Restore feature in Windows XP is a great one – but sometimes it quits working properly (or at all). In this case, you may need to reinstall it. Here’s how:

1. Click Start | Run.
2. In the Run box, type %Windir%INF. This should open your WINDOWS directory to the INF folder.
3. Find a file named SR.INF (if you have Explorer configured to hide common file extensions, it may display as SR).
4. Right click the SR.INF file and select Install. Windows may prompt you for your Windows installation source path. If you have service packs installed, point it to the %Windir%ServicePackFiles folder.

After the System Restore files are reinstalled, restart Windows.

Important note: this process will remove any existing system restore points.

How to Find Out if your Processor is Overheating
Here’s a handy little free utility that will read the sensors built into your motherboard and warn you if your processor is overheating. It works on all Windows operating systems from 9.x to XP (we haven’t tried it on Vista yet). Link here.

Download: Outlook Junk E-Mail Reporting Tool
Unlike anti-virus programs, multiple spam filters can play nicely together and provide you with better protection against unwanted email. If you use Microsoft Office, you can add another layer of spam catching with the built-in junk mail filters. And now you can make those filters more efficient by reporting any spam that still gets through to Microsoft. Doing so is a one-click operation when you download and install the Junk E-mail Reporting Tool here.  (If you’re not happy with the Junk Mail filters in Outlook, you might consider doing a free trial run of our antispam tool, iHateSpam.)

Can’t configure automatic updates?
If you are having trouble configuring automatic updates (going into the Automatic Updates dialog box in Control Panel and all the options are grayed out), there are a couple of solutions.

The simplest and most common solution is that you aren’t logged on as an administrator. So first try logging on with an admin account.

If that doesn’t work, it may be that a policy has been enabled in the registry. To fix this, in your registry editor go to HKEY_LOCAL_MACHINE SOFTWARE Policies Microsoft Windows WindowsUpdate AU. In the right pane, delete two values: AUOptions and NoAutoUpdate.

Now go to this location: HKEY_CURRENT_USER SOFTWARE Microsoft Windows CurrentVersion Policies WindowsUpdate. In the right pane, delete this value: DisableWindowsUpdateAccess.

The above assumes you’re using a standalone (non-domain) Windows XP computer. If your computer is a member of a Windows domain, a Group Policy applied by your domain administrator may be preventing you from changing the auto update settings.

Error 1068 when you try to turn on ICS
If you attempt to enable Internet Connection Sharing in XP by running the ICS wizard, you might get an error message that says the dependency service or group failed to start. This means there is some service that’s needed by ICS, which is not turned on. To address the problem, you need to check out the status of the relevant services and turn on any that are disabled. For a list of the dependency services and instructions on how to turn them on, see KB article 827328 here.

Can’t log onto XP after removing spyware
If you use Ad-Aware by Lavasoft and it removes the spyware program wsaupdate.exe, you may not be able to log onto your XP computer because the spyware also makes a change to the registry that is not fixed by removing it. You can use the Recovery Console to fix the problem. For complete instructions, see KB article 892893 here.

Deb Shinder, MVP

Fake sites which lure you into either a fake codec or a security scam program.  Stay clear of these.

85.255.118.242 
iesafepage(dot)com

These were created yesterday, on Halloween:

85.255.118.210 
iesecuritybar(dot)com         

85.255.118.197 
ivideocodec(dot)com           

85.255.118.198 
ns2.ivideocodec(dot)com     

85.255.118.197 
ns1.ivideocodec(dot)com     

Patrick Jordan, Sr. Researcher

 

IP: 69.50.188.107   

vidcodecs(dot)com  

IP: 69.50.188.107   

truecodec(dot)com  

These codecs are bad news, don’t install them.

 

Patrick Jordan, Sr. Research

 

Yesterday during Halloween, we held our first-ever (and hopefully last) Lucha Libre fight, right here at Sunbelt Software.

The fight, between El Perro Grande and Senor del Dolor was refereed by Eduardo Rapido and took place in our building lobby and outside.

If you really want to completely waste time, you can view the footage for yourself.

Part 1 (indoors):

Windows Media High res

Windows Media Lo res

Part 2, outdoors, which shows El Perro Grande being unmasked

Windows Media High res

Windows Media Lo res

Bonus footage — more of the same

Credits:

El Perro Grande: Sunbelt’s IT Manager, John Jacobson
Senor del Dolor: Sunbelt’s VP of Product Management, Greg Kras
Eduardo Rapido (Spanish for “Fast Eddie”): Martin Hine, sales account manager

As a final note, I want to assure everyone that yes, we do actually perform work at this company.   It’s just that we also take our time to have a bit of fun!

 

Alex Eckelberry

My friend Song Z. Huang, co-founder of Soonr (a startup in the mobile data space), shared his insight with me today as to “what’s the best phone”.

Which phone do I recommend? This is a question that I get ALL THE TIME… we are always testing on many different phones. Also, I get to do a lot of demos. Often times certain carriers work better in a particular location than others. So what’s the solution? Multiple phones of course! So recently I took all the phones out of my bag an took a picture of them all.

Here’s a little picture and a quick overview of every phone in my bag.

Left to Right, top to bottom:
 
LG Fusic – Sprint EVDO service. Great for demo of a consumer phone. Unique feature is the iPod like front control with a built in FM transmitter to send music to the radio. Problem is that the FM transmitter is super weak.
 
Nokia N93 – Cingular (unlocked World Phone). This phone has a 3.2megapixel camera that does a good job on pictures. It also has a video recording mode which is quite good for a camera phone. The unique feature is that it has real optics and a video outcapability for projected demonstrations. It also has wifi, which can make for a snappy demo.
 
Sony Ericsson K800i – Cingular (unlocked World phone). This is the undisputed champ of camera phones. It has a 3.2megapixel camera that doesn’t suck! The flash is a real xenon flash instead of a sorry LED that does nothing useful. The unique feature is the excellent camera.
 
Palm Treo 700P – Sprint EVDO. The elegance of the Palm OS is still prevalent. This phone is fast and works flawlessly. The 320 x 320 screen is stunning and the Bluetooth profles are not restricted in anyway. All this, and it does mobile TV. If only I could get an Ajax browser on this, life would be perfect.
 
Motorola Q – Verizon Wireless EVDO. This is my 3rd Q. The first one just died one day and started flashing weird bars on the screen. The second one I got wouldn’t hold a charge for a day and kept shutting itself off. When I was just about ready to crush the crap phone, they sent me a third. This one is delivering on the promise. This stylish form factor and nice feature set makes it a phone I can live with….until it probably dies again.
 
HTC PPC6700 – Sprint EVDO. The keyboard on this phone and the wifi make it very useful. The surprise is that it’s sluggish a hell even though it has a 400mHz processor. We’ve all passed this phone around the office and it doesn’t stick anywhere. I think it’s Windows Mobile 5 that is slowing things up and making it hard to use. There’s promise here, but for now, there are better phones out there. Unique feature is the slide out keyboard and the built in wifi.
 
BlackBerry 8700c – Cingular. The undisputed champ when it comes to email. That’s what you buy a Blackberry for. These guys have still done the best job of creating the ultimate email machine. The browser is sub-par, the phone is only passable, and there’s no multimedia features at all. Still, the stellar screen and email capability makes this the one to take when you absolutely must do email.
 
Which phone is the best? It all depends on the location, situation, and need. There is no one best phone… sorry, but that’s the truth.

Personally, I’ve had my share of PDAs and Blackberries, but I’ve settled on a simple Nokia GSM phone with no bells and whistles.  But that’s because I like something that fits small in my pocket and really don’t need all the advanced features. I’ve even gotten to the point where I don’t bother to bring a laptop with me when I travel — it’s a hassle in airports, and technology is so ubiquitous these days that I just grab any old machine while on the road or borrow a co-workers laptop and remotely access my office email when I need it. Now that I have a car with Bluetooth capability, I’m thinking of upgrading to a Bluetooth compatible phone, but I still won’t bother with a smart phone.  Of course, that’s just me — I’ve become fairly ascetic when it comes to technology.

What do you think?  What’s your favorite, bestest phone ever?

Alex Eckelberry
 

 

Since the early days of the company, Halloween has been a major event here at Sunbelt.  It’s evolved into a highly elaborate ritual which includes a parade down our main drag to the local coffee shop (replete with the locals gawking), a contest for best costume, and then a feast of pizza at lunch.

With so many employees, it’s hard to get all the pictures in here, but here are some choice ones.

A friendly fellow in tech support.  Really, it’s ok — you can call us anytime, toll-free.

Allen McDaniel, lead programmer on our iHateSpam consumer product.  I think he’s been reading too much spam.

No software company is complete without its complement of witches. 

Lucha Libre, Sunbelt style.  More on that later…

People in marketing… never trust them, bloody pirates.

Yes, it’s true.  The clones have arrived.

Taking over the local coffee shop.

That’s Ruthanne in sales.  I guess we need to pay more to our sales people.

The leaning tower of Sunbelt pizza.  

Last year’s Halloween blog post here.

Alex Eckelberry

Earlier today, I blogged about an exploit that has been getting some attention, that I felt really wasn’t worth getting too worried about.

As part of the piece, I questioned turning off ICS, because I felt it would disable the Windows firewall. 

However, Corey Nachreiner at WatchGuard made the following point to me:

…I too think this very low risk vulnerability has been over hyped in the media’s headlines. However, …as far as I can see, properly disabling ICS does not kill or disable the Windows XP firewall.

If you have a multi-homed XP machine, just go into the advanced properties of any network adapter and you can clearly see that you can uncheck the ICS component ( the “Allow other network users to connect through this computer’s network connection” box) while still keeping the XP firewall enabled.

So I don’t see why …disabling ICS kills the XP firewall. On the other hand, disabling ICS does obviously prevent any other client computers that were using ICS before from reaching the Internet. But it doesn’t kill the Firewall.
 
I understand that ICS relies on some of the Firewall’s functionality to work. Because of this, if ICS dies improperly it will take the Firewall with it. However, I don’t know of the Firewall relying on ICS to work (as far as I can tell). So you can disable ICS without disabling the Firewall.

I think that Corey may be right here, but will continue to research this.  At any rate, the real point of my blog post stands — a potential vulnerability in ICS is just not that big of a deal. 

Alex Eckelberry

UPDATE:   nCircle has lots more posted to clarify the whole “disable ICS” issue.  You do not have to disable the ICS/Firewall service to mitigate this exploit, thus shutting down your Windows firewall.  More here.

A bit of flurry about an exploit available in Internet Connection Sharing (ICS).  Basically, this exploit allows an attacker to shut down the Windows Firewall.

While any exploit is something to be concerned about, this one is not a big deal and is not worthy of mass panic.  George Ou writes on this issue here, worth reading.  

To distill the problem, first ask yourself:  Do you even use Internet Connection Sharing?  

If you’re like most people, you don’t.  In fact, Internet Connection Sharing is something most people don’t even know about — it’s a little-used feature that Microsoft has been shipping since Windows 98 that allows one computer’s internet connection to be shared by others.

Maybe it’s used in third world countries, where one dial up connection is shared by others (while some poor fellow gets the job of having to bicycle to keep the generator going). But ICS is just not part of any current network topology.  And for those who share a DSL or cable modem through ICS — let me give you a word of advice.  If you can afford the $50 per month for your service, then pay even half that amount for a cheap firewall/router.  Really.

Second, if you do use Internet Connection Sharing, realize that this exploit only affects you from the inside of your LAN.  Yes, folks, this is not something where you have to go to a website and get hacked.  It is exploited from within. 

Reguly at nCircle, the fellow who is chatty about this particular exploit, has recommended a solution that might not be the best course of action — disabling ICS (which will kill the Windows firewall, not the approach I would be the most sanguine about) and blocking port 53.  [Update — I have to correct myself — it’s true that if you kill the Firewall/ICS service, you kill your Windows firewall.  But as the nCircle folks point out, you can simply disable ICS and keep the firewall going, mitigating this exploit. More here.]

You want the solution?  Follow Secunia’s advice: “Use another way of sharing the Internet connection”.  Yup, like a cheap router/firewall (unless you’re still stuck on the bicycle generator).

Alex Eckelberry
(Hat tip to George Ou.)

UPDATE:  More here at nCircle on disabling ICS.

Part of our dev team is under intense pressure to get a new product out.  Walking down the hallway today, I saw this sign on the office door of one of our developers and couldn’t help laughing (TestTrack is the program we use to track bugs, and it assigns a number to each defect).

 

Now that’s focus!

Alex Eckelberry

Chad Loeven joins us as VP International and Business Development.

Before joining Sunbelt, Loeven served as vice president of business development for Montreal-based email security vendor Vircom, where he held international channel and business development responsibility, signing the largest OEM deal for Vircom during his tenure. Prior to Vircom, Loeven held various executive management positions at The Messaging Architects, overseeing the daily operations and international channel networks, and IndustryHub where he was responsible for technology direction, product strategy, and sales and marketing.

Corporate propoganda here.

Alex

Analyst says disclaimers are bad becuase:

Any standardized, boilerplate text is a godsend for a malicious network sniffer who’s hell-bent on stealing your secrets. Imagine you are trying to commit corporate espionage by tapping into an ISP’s network and watching all the network packets go by. It would be like drinking from a fire hose: very difficult to select the packets containing email text from the organization you’re targeting. However, if you knew that organization used a standard disclaimer, you could have your packet sniffer search for packets containing that text. It’s likely it would pick up a very large proportion of the messages you’re interested in.

Link here.

I disagree and admit to being somewhat baffled by this article.  A bad guy can just as easily sniff for source IP, the From address, domain, etc.

And even if the message is encrypted,  that data won’t be because it needs to be cleartext in order to be sent — then you would get some of the details regardless of what is done to the message.    

Alex Eckelberry