Wednesday, August 30, 2006

Stay Secure!

This is definitely not good. During the last week two of my friends lost their Yahoo! accounts, possibly to hacking. Amit was at a SANS security training in Singapore, with 65 other potential hackers, er, security professionals. On the last day of the training, when he came back home, he realized that his Yahoo! account password wasn't working anymore. My other colleague, Sudhakar, accessed his Yahoo! mail on his roommate's laptop, and the next thing he knew, the following day his Yahoo! password wasn't working anymore.

I can't stress enough how risky it is to access your email, e-banking or e-commerce transactions over public networks or on somebody else's machine. It is not a matter of how much you trust someone, even if that person happens to be your family member, close friend or colleague, because you can never be sure that his own machine is secure enough. You cannot rule out the possibility that his machine has already been hacked (even if he hasn't intentionally been running malicious programs), and all it takes is one attempt at entering your secret credentials on that hacked machine.

An end-user rarely bothers to secure his own machine beyond following the regular recommendations: keep the anti-virus definitions updated, install anti-spyware like Spybot and Windows Defender and keep their definitions updated, regularly scan your system with anti-virus/anti-spyware, and so on. But the important aspect we don't usually realize is that there are other channels to hack into a system and keep it infected in a manner that regular anti-virus/anti-spyware cannot detect. The biggest limitation of these scanning tools is that they are all definition based rather than behavior/pattern based. What this means is that unless the loophole/vulnerability/threat becomes visible in the public domain and a patch/definition is released, these scanning tools will not be able to detect it. For example, anyone with decent programming knowledge can develop a quick key-logger/virus/Trojan and release it within a limited scope, maybe just within his circle of contacts. Behavior-based scanning tools, on the other hand, keep monitoring the system at the lower layers of the OS architecture and are better able to detect the system modifications that a key-logger makes to activate itself.

The other aspect most people ignore is that they never change the default system configuration. For example, after a typical Windows installation, quite a few system services are active which may not really be required by the user, but which can act as potential security holes. Network services like 'Client for Microsoft Networks' and 'File and Print Sharing' are active on all the network interfaces, the physical network interface as well as the wireless interface. Unless a good firewall is installed on the system, it is not very difficult to hack into the system using just these two services and activate some Trojan/key logger on it. Rootkits are another, newer category of tools which are even harder to detect with traditional scanning tools.

Here are some quick recommendations. This is not an exhaustive or polished list, just a few quick ones off the top of my head. Of course, it goes without saying that if you use the same laptop at both office and home, you should check with your system administrator before making these modifications.

  • Always ensure that your system is completely patched with up-to-date hot-fixes. You can use Microsoft's Baseline Security Analyzer to do the gap analysis and install all the required patches.
  • Never trust any system other than your own (secure) system for entering your credentials (email/banking/credit card/etc.). Remember, all it takes is just one attempt, even if that system belongs to your closest friend/family member/colleague. I personally confess to having captured password details of my friends, though I have never (mis)used those details!
  • Disable the Remote Registry service. An example of where this can be exploited: a lot of instant messengers store user passwords in encrypted form inside the registry. All it takes is extracting the relevant registry keys remotely and attacking them offline. Again, anyone who knows me, when I tell them that they haven't changed their passwords for a long time, I really mean it (sometimes)! :-)
  • Even when using your own system over a public wireless network, do not enter confidential details. The risk with these public hotspots is that you can never know whether the person sitting next to you is running some network capturing tool to sniff your data packets and crack them offline later. There are tools available which can capture your network interface's MAC address and inject that same MAC address into their own machine's network packets to trick the wireless switch into sending the returning packets to their system. If you really have to use public wireless hotspots for entering confidential details, do that only over a VPN connection.
  • Disable 'Client for Microsoft Networks' and 'File and Print Sharing' on the wireless network interface unless you use open wireless access in your office/home for logon authentication and/or sharing files/printers attached to your own system. At home, if you connect your DSL directly to your system, you should either install a good firewall or disable these two services on the interface where the DSL connects (physical LAN port or wireless), because when the DSL is directly connected to your system, it is your system which gets the public IP address and is exposed to the Internet. Do yourself a big favor and get a switched router instead of connecting your system directly to the public interface.
  • Avoid installing any third-party software without first testing it on some dummy machine. Use VMware Workstation (paid) or Virtual PC (free) for testing software in isolated environments.
  • Regularly run Autoruns and Process Explorer on your system to monitor which processes are configured to autostart and which are currently running. If all the entries in these tools scare you at first, start getting yourself familiar with them.

Here are some quick directions on what you should have on your system: 

Don't believe me? Read this:

Tuesday, August 22, 2006

How To Capture Network Traffic on Local Computer

A great tip from Joe about sniffing network traffic on local computer -

How & Why You Should Backup Registry Files

If you ever come across a Windows boot error where it fails to load one or more (corrupted) registry hives, you can follow the steps explained in MS KB307545 to recover from the corrupted registry. Having said that, let's understand a few non-obvious facts.

When Windows is installed, it creates a backup of all the registry files in %SYSTEMROOT%\repair\, whereas all the active registry files that Windows uses at run time are stored in %SYSTEMROOT%\System32\Config. If any of the registry files inside the \Config folder is corrupted, you can use the Recovery Console to restore the registry files from the \repair folder into the \config folder. There is, however, one significant consequence: the system will lose all the software installation settings and system configuration done since the Windows installation, because the registry files inside the \repair folder are never updated after Windows installation, so after restoring those files the system essentially goes back to the state it was in when it was first installed (KB307545: "...This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost...").

To avoid this consequence, you can periodically update the \repair folder using the NTBACKUP tool. NTBACKUP doesn't have any specific option to update the registry files, but all you need to do is take a System State backup, which creates a flat .BKF file but also updates the \repair folder with copies of all the registry files from \config. You can later delete that .BKF file, because all we want to accomplish here is to update the \repair folder with the most recent copy of the registry files. It is also very easy to automate this entire process by creating a scheduled backup job which runs once a week (or depending on how frequently you change system settings or install/uninstall software) and overwrites the same BKF file. Here is a related article which addresses a similar requirement -
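One way to automate the weekly refresh and confirm that it really touched \repair before the .BKF is thrown away, as an added example that is not from the original post. It assumes Windows XP/2003 with NTBACKUP available and a constructed backup path, C:\Backup\SystemState.bkf.

```vbscript
' Added example (not from the original post): take the System State backup
' the post describes, confirm the hive copies in %SYSTEMROOT%\repair were
' actually refreshed, and only then discard the .BKF file.
' Assumes Windows XP/2003 with NTBACKUP; BkfPath is a constructed value.
Option Explicit
Const BkfPath = "C:\Backup\SystemState.bkf"

Dim objShell, objFSO, strRepair, strHive, arrHives, dicBefore, rc, blnRefreshed
Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")
strRepair = objShell.ExpandEnvironmentStrings("%SYSTEMROOT%") & "\repair\"
arrHives  = Array("SYSTEM", "SOFTWARE", "SAM", "SECURITY", "DEFAULT")

' Remember when each hive copy in \repair was last written.
Set dicBefore = CreateObject("Scripting.Dictionary")
For Each strHive In arrHives
    If objFSO.FileExists(strRepair & strHive) Then
        dicBefore(strHive) = objFSO.GetFile(strRepair & strHive).DateLastModified
    Else
        dicBefore(strHive) = CDate(0)
    End If
Next

If Not objFSO.FolderExists(objFSO.GetParentFolderName(BkfPath)) Then
    objFSO.CreateFolder objFSO.GetParentFolderName(BkfPath)
End If

' Run NTBACKUP hidden and wait for it; a non-zero exit code is treated as failure.
rc = objShell.Run("ntbackup backup systemstate /j ""Registry refresh"" /f """ & BkfPath & """", 0, True)
If rc <> 0 Then
    WScript.Echo "NTBACKUP failed with exit code " & rc
    WScript.Quit rc
End If

' Verify the side effect we actually wanted before throwing the .BKF away.
blnRefreshed = True
For Each strHive In arrHives
    If Not objFSO.FileExists(strRepair & strHive) Then
        WScript.Echo "WARNING: missing " & strRepair & strHive
        blnRefreshed = False
    ElseIf objFSO.GetFile(strRepair & strHive).DateLastModified <= dicBefore(strHive) Then
        WScript.Echo "WARNING: not refreshed " & strRepair & strHive
        blnRefreshed = False
    End If
Next

If blnRefreshed Then
    objFSO.DeleteFile BkfPath, True   ' only the \repair copies were wanted
    WScript.Echo "\repair refreshed at " & Now
Else
    WScript.Echo "Keeping " & BkfPath & " for inspection"
End If
```

Schedule it with the Task Scheduler under an account that is allowed to run NTBACKUP (a member of Administrators or Backup Operators).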

Wednesday, August 16, 2006

Spywares Will Be Spywares

As soon as I heard about the free DJ software KraMixer and MixSense, both from Kramware, I immediately went ahead and started the installation, only to realize that both come bundled with Save software :-(

A few years ago, Save software used to be a very 'popular' spyware, just as prominent as GAIN and a few others were. I had not heard about Save since, until I came across these two freeware programs from Kramware. Nevertheless, to give it a shot and see if anything has changed in its 'spyware' behavior, I went ahead and installed KraMixer along with its Save and search bar components. Yes, it was not only Save, but also a search bar that came bundled with it (though its installation was optional). Another reason why I still installed it was that it mentioned Save is NOT spyware! Now this was interesting. I did hear a while ago that GAIN had made efforts to get out of the spyware category, but had never heard about Save making similar efforts. If only it had been technically true. Anyway, after the installation I fired up a couple of monitoring tools (Ethereal, Filemon, Autoruns, procexp, OllyDbg) to see what these no-longer-spyware programs are up to.

Just to pause here and give a quick context: by the basic definition, spyware is a piece of software that monitors users' browsing habits and sends that information to the software owners. It is a broad category of software, ranging from monitoring just the websites users visit, to as severe as intercepting users' personal information (e.g., emails, passwords, etc.). This information is then used by those vendors to send spam mails and targeted advertisements. That is how they make money.

OK, coming back. As was obvious, when I ran Spybot S&D and Windows Defender, both caught Save.exe and its search bar as potential spyware. Now, those same programs, just to avoid being called spyware, have apparently changed their mode of operation. Instead of sending users' browsing habits back to their software owners, they now do the analysis locally on the user's machine about which advertisements to show. As an example, I installed Kramware's software on a fresh virtual machine and visited the sites of Spybot S&D and Windows Defender. Because both are anti-spyware products, after a few minutes IE started showing pop-ups related to all the anti-spyware products. What goes on in the background, as revealed by the Ethereal dump, is that Save.exe downloads a small database from its website and saves it as C:\Program Files\Save\Save.db. Save.exe also builds another database, store.db, in the same folder, apparently to keep track of all the websites the user visits. Save.exe and the search bar components build the user's browsing profile by regularly monitoring IE's index.dat to peek into all the websites the user visits (I'll probably write more about these index.dat files in future posts; it is worth a complete post by itself).

Still, one good thing about these Save programs is that whatever they intend to do, they do with the user's consent, as mentioned in their privacy policy. But the realization that something running on my machine is constantly monitoring my browsing habits still bothers me.

Kramware: find some place else, not my system; I would rather pay for commercial software.

Saturday, August 12, 2006

Installing Visual Studio 6 on XP SP2

If you try to install Visual Studio 6.0 on a Windows XP SP2 system, the setup prompts you to update the MS JVM and restarts. Sometimes even after the restart it prompts to install the MS JVM again, and gets into an infinite loop.

A workaround is to copy the CD contents to a folder, open SETUPWIZ.INI, and delete the line VmPath=ie4\msjavx86.exe. Setup will not prompt for the MS JVM install anymore.

If Setup.exe crashes on an XP SP2 system, set the compatibility mode on SETUP.EXE to 'Windows NT 4.0' or 'Windows 2000'.

Friday, August 11, 2006

VBScript: Using Disconnected Recordset for Sorting Data

Suppose you need to create a script to list all the subfolders and their sizes within a particular folder, and sort them to see which folders occupy the most space (e.g., all the user profiles within \Documents and Settings). A traditional approach, at least to someone new to VB Scripting, would be to dump the output in CSV format to a file and open the file in Excel to sort the list. That's what I used to do so far!

A better approach would be to use something called a Disconnected Recordset. Recordsets are usually associated with databases and connection objects. A disconnected recordset is similar but not associated with any back-end database. It remains in memory only within the scope of the code's execution. Although limited in features, disconnected recordsets still offer basic functionality like sorting. So, with a disconnected recordset, for the above script, we can create an on-the-fly recordset, sort the folder names by their sizes within the code itself and write the sorted list in any text file format (CSV, HTML). Here is how we go about doing it:

Const adBSTR = 8
Const adDouble = 5
Const MaxCharacters = 255

' Fabricate an in-memory (disconnected) recordset with two fields.
Set DataList = CreateObject("ADOR.Recordset")
DataList.Fields.Append "UserName", adBSTR, MaxCharacters
DataList.Fields.Append "ProfileSize", adDouble
DataList.Open

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder("C:\Documents And Settings\")
Set colSubfolders = objFolder.Subfolders
For Each objSubfolder In colSubfolders
    DataList.AddNew
    DataList("UserName").Value = CStr(objSubfolder.Name)
    DataList("ProfileSize").Value = objSubfolder.Size
    DataList.Update
Next

DataList.Sort = "ProfileSize DESC" ' Use DESC/ASC to specify sort order.

DataList.MoveFirst
Do Until DataList.EOF
    WScript.Echo DataList.Fields.Item("UserName") _
        & vbTab & DataList.Fields.Item("ProfileSize")
    DataList.MoveNext
Loop

There are a few things you need to take care of when using disconnected recordsets. While defining the fields ("UserName", "ProfileSize"), make sure you specify the right data type for each field, matching the kind of data it needs to store. In this case, a folder size could be as large as a couple of GBs, therefore Integer would not be the right data type for the "ProfileSize" field. The complete list of all possible data types is available here. You might also have to use data conversion functions while storing values in these fields, as I had to use CStr() for the folder name. If you are not sure what data type the retrieved value will have, you can use the VarType() function to find out; it gives a numeric value corresponding to the data type. Here is the complete table.

VBScript: Add Leading Zero to Date Function Output

When you periodically generate reports/files using VBScript, it is always a good idea to suffix the file name with date/time components, e.g., "REPORT_20060811", as it makes the files easier to locate because they will already be sorted.

Using the functions Year(Date), Month(Date) and Day(Date), the subcomponents can be extracted to create the filename suffix. You can also use the DatePart(datetype, date) function to extract the same components. But the problem with using any of these functions as they are is that you would not get the proper sort order, because they output single digits for numbers less than 10. For example, the following two statements generate date components which will not have the proper sort order:

strDate = Year(Date) & Month(Date) & Day(Date)
strDate = DatePart("yyyy",Date) _
        & DatePart("m",Date) _
        & DatePart("d",Date)

To generate a string with the right sort order, you need to prepend a zero to entries less than 10. That is what the following statement does: it prepends a zero to the month and day components, takes the rightmost 2 characters of each, and builds the string.

strDate = DatePart("yyyy",Date) _
        & Right("0" & DatePart("m",Date), 2) _
        & Right("0" & DatePart("d",Date), 2)
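The same padding trick applied to every date and time component, with a check that the padded names really do sort chronologically while the unpadded ones do not. This is an added example, not code from the original post; BuildReportName, BuildUnpaddedName and the sample dates are my own.

```vbscript
' Added example (not from the original post): the Right("0" & x, 2) trick
' applied to every date/time component, plus a check that the padded names
' sort chronologically while the unpadded ones from the first snippet do not.
Option Explicit

' Returns strPrefix & "_YYYYMMDD_HHMMSS" for the supplied date/time value.
Function BuildReportName(strPrefix, dtValue)
    BuildReportName = strPrefix & "_" _
        & Right("000" & Year(dtValue), 4) _
        & Right("0" & Month(dtValue), 2) _
        & Right("0" & Day(dtValue), 2) _
        & "_" _
        & Right("0" & Hour(dtValue), 2) _
        & Right("0" & Minute(dtValue), 2) _
        & Right("0" & Second(dtValue), 2)
End Function

' Unpadded variant, equivalent to the post's first snippet, for comparison.
Function BuildUnpaddedName(strPrefix, dtValue)
    BuildUnpaddedName = strPrefix & "_" & Year(dtValue) & Month(dtValue) & Day(dtValue)
End Function

' Constructed sample dates in chronological order (DateSerial avoids locale issues).
Dim arrDates, i, strPrev, strUnpaddedPrev, blnPaddedOK, blnUnpaddedOK
arrDates = Array(DateSerial(2006, 8, 9) + TimeSerial(7, 5, 0), _
                 DateSerial(2006, 8, 11) + TimeSerial(14, 30, 5), _
                 DateSerial(2006, 11, 2) + TimeSerial(0, 0, 0))
blnPaddedOK = True: blnUnpaddedOK = True
strPrev = "": strUnpaddedPrev = ""
For i = 0 To UBound(arrDates)
    ' A binary string comparison is what a sorted file listing effectively does.
    If StrComp(BuildReportName("REPORT", arrDates(i)), strPrev, vbBinaryCompare) <= 0 Then blnPaddedOK = False
    If StrComp(BuildUnpaddedName("REPORT", arrDates(i)), strUnpaddedPrev, vbBinaryCompare) <= 0 Then blnUnpaddedOK = False
    strPrev = BuildReportName("REPORT", arrDates(i))
    strUnpaddedPrev = BuildUnpaddedName("REPORT", arrDates(i))
    WScript.Echo strPrev & vbTab & strUnpaddedPrev
Next
WScript.Echo "Padded names sort chronologically: " & blnPaddedOK
WScript.Echo "Unpadded names sort chronologically: " & blnUnpaddedOK
```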

Wednesday, August 09, 2006

VBScript: Does WMI Support Querying Local Security Policy?

For doing a regular health check of our servers, I created a VBScript which queries all the relevant information (free disk space, registry size, security log size, etc.) and dumps it into an HTML file. One particular piece of information I wanted to query remotely was one of the target machine's Local Security Policies: "Log on as a service" (under User Rights Assignment).

Apparently, WMI does not have any support for enumerating the Local Security Policy, probably for security reasons. While looking for some third-party tool, I came across DumpSec, which does show a remote machine's User Rights Assignments and other Local Security Policies. The problem with this tool, though, is that it is primarily GUI based and does not show all the rights. Even though it supports command-line parameters (C:\>DUMPSEC /rpt=RIGHTS /saveas=CSV /outfile=report.txt), it still requires an output file name to dump the result into instead of showing it directly on the console. You are then supposed to parse that output file (maybe by using FIND) to retrieve the particular piece of information. For example, executing C:\>FIND "SeServiceLogonRight" report.txt would reveal something like this:

SeServiceLogonRight,MACHINENAME\ASPNET,Log on as a service
SeServiceLogonRight,NT AUTHORITY\NETWORK SERVICE,Log on as a service

This obviously doesn't seem very efficient from a scripting perspective. It would have been a lot easier to get those details via the Windows scripting engine or WMI. On the positive side, though, these limitations are motivating me to write my own program to query Local Security Policy (LSP) entries. Gotta revisit Charles Petzold's masterpiece on the WIN32 APIs! :-)
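Until such a program exists, the DumpSec report can at least be consumed from the health-check script instead of eyeballing FIND output. The following is an added example, not code from the original post or from DumpSec: it runs the command line quoted above and parses the CSV for one right. It assumes DumpSec.exe is on the PATH; the sample report text is constructed from the two lines shown above plus one unrelated line.

```vbscript
' Added example (not from the original post): wrap the DumpSec command line
' quoted above and extract one User Rights Assignment from its CSV report.
' Assumes DumpSec.exe is on the PATH; strSample below is constructed.
Option Explicit

' Return the accounts holding strRight, given the CSV text DumpSec writes.
' Data lines look like: SeServiceLogonRight,MACHINE\ASPNET,Log on as a service
Function GetRightHolders(strReportText, strRight)
    Dim strLine, arrFields, arrHolders, intCount
    arrHolders = Array()
    intCount = 0
    For Each strLine In Split(strReportText, vbLf)
        arrFields = Split(Replace(strLine, vbCr, ""), ",")
        ' Skip header lines, blank lines and rights we are not interested in.
        If UBound(arrFields) >= 1 Then
            If StrComp(Trim(arrFields(0)), strRight, vbTextCompare) = 0 Then
                ReDim Preserve arrHolders(intCount)
                arrHolders(intCount) = Trim(arrFields(1))
                intCount = intCount + 1
            End If
        End If
    Next
    GetRightHolders = arrHolders
End Function

' Run DumpSec with the post's switches and return the report text ("" on failure).
Function DumpRightsReport(strOutFile)
    Dim objShell, objFSO, rc
    Set objShell = CreateObject("WScript.Shell")
    Set objFSO   = CreateObject("Scripting.FileSystemObject")
    rc = objShell.Run("DUMPSEC /rpt=RIGHTS /saveas=CSV /outfile=" & strOutFile, 0, True)
    If rc <> 0 Or Not objFSO.FileExists(strOutFile) Then
        WScript.Echo "DumpSec did not produce " & strOutFile & " (exit code " & rc & ")"
        DumpRightsReport = ""
    Else
        DumpRightsReport = objFSO.OpenTextFile(strOutFile, 1).ReadAll
    End If
End Function

' Offline check against a constructed report excerpt (three lines, two relevant).
Dim strSample, strAccount
strSample = "SeServiceLogonRight,MACHINENAME\ASPNET,Log on as a service" & vbCrLf & _
            "SeServiceLogonRight,NT AUTHORITY\NETWORK SERVICE,Log on as a service" & vbCrLf & _
            "SeRemoteShutdownPrivilege,BUILTIN\Administrators,Force shutdown from a remote system"
For Each strAccount In GetRightHolders(strSample, "SeServiceLogonRight")
    WScript.Echo "Log on as a service: " & strAccount
Next

' Live run against this machine (DumpSec must be installed):
' For Each strAccount In GetRightHolders(DumpRightsReport("report.txt"), "SeServiceLogonRight")
'     WScript.Echo "Log on as a service: " & strAccount
' Next
```

Comparing the returned list against the accounts you expect to hold the right is a cheap way to flag an unexpected service account in the weekly report.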