Sunday, April 22, 2007
Apparently, provider HOTLINES were swarmed with messages requesting clarification from subscribers.
How lame can one be? Very, very lame. The LAME-O-Meter has hit the roof.
Thursday, April 19, 2007
It's odd as to why Symantec categorizes this threat as Low (for now). I would think it's pretty high, as the fixes for MS DNS are still in the bakery. So, please ensure your AV and Windows are constantly updated. As for the DNS issue, please apply the workaround as seen in my previous posts.
Excerpt from this article:
The worm scans the network for computers vulnerable to the following vulnerabilities and exploits them:
Monday, April 16, 2007
Remember to run the WORKAROUND FIX in my previous post on ALL DOMAIN CONTROLLERS TO START WITH. Again, a successful attack on a domain controller could put your entire AD at risk.
Saturday, April 14, 2007
Microsoft says, in this article, to apply workarounds, which include disabling RPC management for DNS; local management of DNS will still be possible.
Some security companies have flagged this as critical, and I must agree with them. A lot of people run DNS on a domain controller, which holds Active Directory. A successful exploit on one of these domain controllers could leave your entire AD at risk. This means all sensitive user, Exchange and other related data could be at risk.
It is also possible to perform advanced RPC filtering using application layer firewalls: simply block MMC RPC connectivity to servers running DNS.
Client operating systems such as XP or Vista are not affected. ISS has raised its AlertCon to 2 following this zero-day exploit. If the exploit code falls into the wrong hands, this could potentially have another MSBlaster-like effect on Windows boxes.
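Since the post asks you to apply the workaround on every domain controller, the practical follow-up is checking that it actually stuck everywhere. The script below is an added example, not from the original post or from Microsoft: it reads, over the Remote Registry service, the value Microsoft's advisory for this issue uses to disable remote RPC management of DNS (HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, DWORD RpcProtocol = 4, which leaves only local management working). The DC names are constructed and the function name is this example's own.

```powershell
# Added example (not from the original post): audit the DNS RPC management
# workaround on a list of domain controllers. Assumes the Remote Registry
# service is reachable on each DC and the caller can read HKLM there.
# Key/value as documented by Microsoft for this issue:
#   HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, DWORD RpcProtocol = 4
# (RPC management over LPC only, so the local DNS MMC still works).

$dcs = @('dc01', 'dc02')   # constructed names; replace with your DCs
$subKey = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsRpcWorkaround {
    param([string]$Computer)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key = $hklm.OpenSubKey($subKey)
        if ($null -eq $key) {
            # No DNS parameters at all: the DNS server role is not installed here.
            return [pscustomobject]@{ Computer = $Computer; DnsServer = $false
                                      RpcProtocol = $null; WorkaroundApplied = $false; Error = $null }
        }
        # $null when the value is absent, which means the default: all RPC transports enabled.
        $value = $key.GetValue('RpcProtocol')
        [pscustomobject]@{
            Computer          = $Computer
            DnsServer         = $true
            RpcProtocol       = $value
            WorkaroundApplied = ($value -eq 4)
            Error             = $null
        }
    } catch {
        [pscustomobject]@{ Computer = $Computer; DnsServer = $null
                           RpcProtocol = $null; WorkaroundApplied = $false; Error = $_.Exception.Message }
    }
}

$report = foreach ($dc in $dcs) { Test-DnsRpcWorkaround -Computer $dc }
$report | Format-Table -AutoSize

# DCs that run DNS but still answer RPC management remotely: these still need the fix.
$report | Where-Object { $_.DnsServer -and -not $_.WorkaroundApplied }
```

The script only reads; applying the workaround is the same value written as 4 followed by a restart of the DNS Server service on that box, and a DC that errors out (Remote Registry stopped, no rights) should be treated as unverified rather than as fixed.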
Friday, April 13, 2007
Windows itself can do a little to map processes to ports, but it's CLI only for now, i.e. NO GUI (I'm a GUI addict; I mean, why make things complicated, right?)
Why do I love CurrPorts?
- I can check out which program is listening, communicating and responding on which port(s), including UDP ports. Double-clicking the process lists all the necessary information about that process/port/application.
- I can KILL programs, more hardcore than "END TASK" from Windows.
- I can run it to analyze application behaviour.
- It's free and there are no crappy INSTALLERS, just run LAH!
- Runs on Vista (I used to like ActivePorts, but it doesn't support Vista :( )
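For the CLI route the post mentions, the bit that Windows leaves to you is joining the PID column of netstat to an actual program. The script below is an added example, not from the original post and not CurrPorts code: it parses `netstat -ano` output (TCP rows with a state column, UDP rows without one) and looks each PID up with Get-Process. The function and parameter names are this example's own; run it elevated if you want the executable path of other users' processes.

```powershell
# Added example (not from the original post): map ports to their owning process
# from the CLI by parsing `netstat -ano` and joining on PID with Get-Process.

function Get-PortProcessMap {
    param(
        # Lines of `netstat -ano` output; defaults to running netstat live.
        [string[]]$NetstatOutput = (& netstat -ano),
        [switch]$ListeningOnly
    )
    $rows = foreach ($line in $NetstatOutput) {
        $parts = $line.Trim() -split '\s+'
        # TCP rows: Proto Local Foreign State PID. UDP rows have no State column.
        if ($parts[0] -eq 'TCP' -and $parts.Count -ge 5) {
            $proto, $local, $foreign, $state, $procId = $parts[0..4]
        } elseif ($parts[0] -eq 'UDP' -and $parts.Count -ge 4) {
            $proto, $local, $foreign, $procId = $parts[0..3]
            $state = ''
        } else {
            continue   # header lines ("Active Connections", "Proto ...") and blanks
        }
        # UDP has no state, so it always passes; only non-listening TCP is dropped.
        if ($ListeningOnly -and $proto -eq 'TCP' -and $state -ne 'LISTENING') { continue }

        # Local address is host:port; IPv6 looks like [::]:135, so split on the last colon.
        $port = [int]$local.Substring($local.LastIndexOf(':') + 1)

        $proc = Get-Process -Id ([int]$procId) -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.Name } else { '<exited or protected>' }
        $path = if ($proc) { $proc.Path } else { $null }   # also $null when access is denied

        [pscustomobject]@{
            Proto   = $proto
            Port    = $port
            Local   = $local
            Foreign = $foreign
            State   = $state
            PID     = [int]$procId
            Process = $name
            Path    = $path
        }
    }
    $rows | Sort-Object Proto, Port
}

# Usage: everything listening, UDP included, with the owning program.
Get-PortProcessMap -ListeningOnly | Format-Table Proto, Port, PID, Process, Path -AutoSize
```

A listener whose Path comes back empty while you are running elevated is worth a second look, since that usually means the image is gone from disk or the process is protected.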
Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015979), which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.
Thursday, April 12, 2007
10 Hot-checklist for Implementing/Designing Active Directory:
NOTE: Please know AD first; then, by running through this checklist, you can't go too wrong.
1. Organization needs for AD
2. Forests and domain structures
3. Domain Name System, WINS and DHCP
4. Sites and Replication
5. Domain controllers, FSMO, GC
6. Organizational Units
7. Group Policy
8. Users, computers, groups and objects naming
9. Security (authentication, auditing, authorization, etc)
10. Schema extension, custom coding and application integration
Of course there are a few more things one must consider when designing AD, but here's a good starting point for working on your own list.
Hope this helps :)
Wednesday, April 11, 2007
Also, there are a couple of high-criticality vulnerabilities in Windows, and anyone running Windows should immediately run Windows Update. Exploits for some of these vulnerabilities are publicly available and can execute code remotely, so do not take things lightly.
Tuesday, April 10, 2007
Tired of writing VB scripts to modify Active Directory object attributes (users, groups, etc.)? Then try out the Microsoft Exchange team's ADModify.net. This is a cool tool to perform bulk modification of Active Directory and/or Exchange attributes using a graphical user interface (GUI).
AD and Exchange administrators (or vendors) will find this tool indispensable, and it has a simple-to-use interface. But do remember, modified attribute values are reflected in your AD immediately, so think about what's gonna' happen when it starts replicating those attributes across your forest.
Alright, a quick drill-down of some features:
1. Supports AD 2000 or higher
2. Supports Exchange schema extensions
3. Custom LDAP queries
Download and play around with this free tool, but be careful not to make a booboo.
Source download: ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify
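The post's caveat (every committed change replicates across the forest immediately) is the reason a bulk change wants a dry run in front of it. The script below is an added example, not from the original post and not ADModify.net code: it sets one attribute on many users through System.DirectoryServices, reports what it would change by default, and only commits with -Apply. The sample change list is constructed, and the -Apply switch, the CSV-like layout and the function name are this example's own assumptions.

```powershell
# Added example (not from the original post, not ADModify.net): bulk-set one
# attribute on many users with a dry run by default, because SetInfo() replicates.

# Constructed sample input; a real run would use Import-Csv .\changes.csv
$changes = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';   Attribute = 'department'; Value = 'Finance' },
    [pscustomobject]@{ sAMAccountName = 'frover'; Attribute = 'department'; Value = 'IT' }
)

function Set-AdAttributeBulk {
    param(
        [Parameter(Mandatory)][object[]]$Changes,
        [switch]$Apply   # without it, only report what would change
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)

    foreach ($c in $Changes) {
        # Escape the user-supplied filter value so ( ) * \ or NUL in a name cannot
        # change the meaning of the LDAP filter (RFC 4515 style \xx escapes).
        $safe = [regex]::Replace($c.sAMAccountName, '[\\*()\0]',
            { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$safe))"
        $result = $searcher.FindOne()
        if ($null -eq $result) {
            Write-Warning "$($c.sAMAccountName): not found, skipped"
            continue
        }
        $entry = $result.GetDirectoryEntry()
        $old = $entry.Properties[$c.Attribute].Value
        if ($old -eq $c.Value) { continue }   # already correct: nothing to write, nothing to replicate

        if ($Apply) {
            $entry.Put($c.Attribute, $c.Value)
            $entry.SetInfo()   # point of no return: the change is committed and replicates
            "$($entry.distinguishedName): $($c.Attribute) '$old' -> '$($c.Value)' (applied)"
        } else {
            "$($entry.distinguishedName): $($c.Attribute) '$old' -> '$($c.Value)' (dry run)"
        }
    }
}

Set-AdAttributeBulk -Changes $changes            # review the plan first
# Set-AdAttributeBulk -Changes $changes -Apply   # then commit for real
```

The dry-run output is the thing to read before -Apply: a row that shows an unexpected old value usually means the search matched the wrong object, and that is far cheaper to notice before replication than after.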
Monday, April 9, 2007
So, if you intend to use any of your R2 boxes as a domain controller, you must first upgrade the schema using adprep from Windows 2003 R2 disc #2.
Also, disc 2 is the one that actually upgrades your Windows 2003 to R2. The first disc contains a slipstreamed version of Windows 2003 SP1; disc 2 makes the box R2. So run adprep from disc 2, and then you can introduce R2 boxes as domain controllers.
So what are the schema versions for the different Windows boxes?
- 13=Microsoft Windows 2000
- 30=Original release version of Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 (SP1)
- 31=Microsoft Windows Server 2003 R2
"You can verify the operating system support level of the schema by looking at the value of the Schema Version registry subkey on a domain controller. You can find this subkey in the following location:
You can also verify the operating system support level of the schema by using the Adsiedit.exe utility or the Ldp.exe utility to view the objectVersion attribute in the properties of the cn=schema,cn=configuration,dc=
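The KB text above names two ways to read the schema level; the ADSI one is easy to script, so you can check a forest before trying to promote an R2 box. The script below is an added example, not from the original post or the KB article: it binds to RootDSE, reads objectVersion from the schema naming context and compares it with the version table given in the post. The function name and the -Server parameter are this example's own.

```powershell
# Added example (not from the original post): read the schema objectVersion via
# ADSI and tell whether R2 domain controllers can be introduced yet.

# Table from the post: objectVersion -> OS support level of the schema
$schemaVersions = @{
    13 = 'Microsoft Windows 2000'
    30 = 'Windows Server 2003 / Windows Server 2003 SP1'
    31 = 'Windows Server 2003 R2'
}
$requiredForR2Dc = 31

function Get-AdSchemaLevel {
    param([string]$Server = '')   # empty = whichever DC the session binds to
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $schemaNc = "$($rootDse.schemaNamingContext)"   # cn=schema,cn=configuration,dc=...
    $schema   = [ADSI]"$prefix$schemaNc"
    $version  = [int]"$($schema.objectVersion)"

    $level = if ($schemaVersions.ContainsKey($version)) { $schemaVersions[$version] }
             else { 'unknown to this table (newer than R2?)' }

    [pscustomobject]@{
        SchemaNC      = $schemaNc
        ObjectVersion = $version
        Level         = $level
        R2DcReady     = ($version -ge $requiredForR2Dc)
    }
}

$info = Get-AdSchemaLevel
$info
if (-not $info.R2DcReady) {
    "Schema is at $($info.ObjectVersion) ($($info.Level)); run adprep from R2 disc 2 before promoting an R2 DC."
}
```

Point -Server at the schema master if you want the authoritative value; any other DC shows the version it has replicated so far, which is also useful for confirming the adprep change has reached it.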
Sunday, April 8, 2007
It is an interesting breakthrough in malware vectors. It would come as no surprise if Zune, Xbox, PS2/3 and all those connect-capable devices were at risk.
Friday, April 6, 2007
Why should you not enable caching for dynamic objects?
Because there's a chance that certain logged-on pages, on sites like MySpace or Blogger (this one), get cached, and then someone else gets the results when they log in. Say I log in as firstname.lastname@example.org to this Blogger and suddenly I see the blog of my colleague, say, Frank Rovers.
This is not a "vulnerability" per se; it's just how proxies work if you ask them to cache dynamic objects, combined with how authentication is "kept alive" by these sites for convenience.
I actually saw this on our own network, and about 3 clients reported this same issue. I must admit this is also a poor implementation of authentication on these sites (including Blogger!). Cookies or auth sessions should expire immediately when a person closes his/her browser, moves away to another page, is idle, etc.
This "issue" can also show up in cybercafes that run proxies, so be careful when logging on to these sites in public places like these. For now, I've seen blogger.com and myspace.com loading other people's profiles when I was supposed to see my own.
So, again, if you run proxies in a large organization, protect people's privacy and disable dynamic caching altogether.
PS> I am blogging this via our corporate proxy, but we've disabled dynamic object caching :)
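The post blames both the proxy setting and the sites; the site-side half is something you can measure on your own applications. The script below is an added example, not from the original post: it fetches a page and reports whether the response headers tell shared caches not to store it (Cache-Control: private or no-store, plus Vary: Cookie), which is what a correctly behaving proxy honours. A proxy forced to cache "dynamic objects" will ignore these anyway, which is the post's point. Invoke-WebRequest is a real cmdlet; the URL and the function name are this example's own assumptions.

```powershell
# Added example (not from the original post): check whether a logged-in page is
# marked so that a shared proxy may not cache it and hand it to the next user.

function Test-SharedCacheSafety {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Microsoft.PowerShell.Commands.WebRequestSession]$Session   # optional logged-in session
    )
    $params = @{ Uri = $Url; UseBasicParsing = $true; ErrorAction = 'Stop' }
    if ($Session) { $params.WebSession = $Session }
    $resp = Invoke-WebRequest @params

    $cacheControl = "$($resp.Headers['Cache-Control'])".ToLowerInvariant()
    $setsCookie   = $null -ne $resp.Headers['Set-Cookie']
    $vary         = "$($resp.Headers['Vary'])".ToLowerInvariant()

    # private: shared caches must not store it; no-store: nobody may store it.
    $private  = $cacheControl -match 'private|no-store'
    $findings = @()
    if (-not $private) {
        $findings += 'no Cache-Control: private/no-store, so a shared proxy may legitimately cache this page'
    }
    if ($setsCookie -and -not $private) {
        $findings += 'sets a session cookie yet allows shared caching'
    }
    if (-not $private -and $vary -notmatch 'cookie') {
        $findings += 'no Vary: Cookie, so one cached copy can be served to every user'
    }

    [pscustomobject]@{
        Url          = $Url
        Status       = $resp.StatusCode
        CacheControl = $cacheControl
        SetsCookie   = $setsCookie
        SafeToShare  = ($findings.Count -eq 0)
        Findings     = $findings -join '; '
    }
}

# Usage (assumed URLs): log in once to get a session, then test a page that must be per-user.
# Invoke-WebRequest 'https://example.org/login' -SessionVariable sess -UseBasicParsing | Out-Null
# Test-SharedCacheSafety -Url 'https://example.org/dashboard' -Session $sess
Test-SharedCacheSafety -Url 'https://example.org/dashboard'
```

Run it against the page after authentication, not the login form: the login page is usually fine, and it is the per-user page behind it that ends up in the proxy's cache.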
Thursday, April 5, 2007
If you have this particular problem, check out this article: http://support.microsoft.com/kb/935448
(I guess if your network adapter is down, chances are you can't read this too, :P)
Customers using Windows should run Windows Update and/or read this article http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx where you can find more information about the available patches.
This bulletin addresses the following vulnerabilities:
1. GDI Local Elevation of Privilege Vulnerability
2. WMF Denial of Service Vulnerability
3. EMF Elevation of Privilege Vulnerability
4. GDI Invalid Window Size Elevation of Privilege Vulnerability
5. Windows Animated Cursor Remote Code Execution Vulnerability
6. GDI Incorrect Parameter Local Elevation of Privilege Vulnerability
7. Font Rasterizer Vulnerability
Wednesday, April 4, 2007
Please test these files before using them in a production environment. The eEye patch should be removed once Microsoft releases the official patch. The patch doesn't work on x64 or Itanium-based machines.
The patch and more information about the .ANI vulnerability can be found at:
I've used it several times; thought I'd share it this time around.
It is free (with a commercial version) pure web-based (Flash) conferencing software that enables you to quickly set up online presentation meetings and invite people while using just their browsers. Import Word documents, PDFs, PowerPoint files and images and start presenting! It can also share desktops live, import screen captures and plug-ins.
It connects over HTTP(S); if you require file transfer, then you need ports TCP 9102 and TCP 9100, otherwise simply use the default HTTP ports (80, 443) to connect. It has a simple chat bar and can do free voice conference calls (within the US), but you pay your normal long-distance charges if you are outside the US (sigh, otherwise this would rock for my prezzo in the morning!). So for now, I just have to conf-call my clients ol' skool.
Apart from having a funky colour skin, this tool is good enough in its free package, which offers up to 20 users per session. If you like it and want more connections, get the commercial version.
Well done Vyew!
Tuesday, April 3, 2007
Monday, April 2, 2007
Lots of people have asked me: so how do I block MSN, Yahoo and other irritants on my network? Well, there's this good article from Microsoft, which you can use with any application layer filtering device to block or allow applications inside and outside your corporate network.
Got questions on ISA or network designs? Let us know, we will help for nuts (Free!).
Log in to your blog. Go to Template, then Edit HTML. In there, copy and paste the code from this link between the head and variables sections: http://blogger-templates.blogspot.com/2005/01/remove-navbar.html
Please note, this is blogger.com's way of promoting itself, and Blogger provides a decent blogging service without many ads etc. for free. So, before removing it, make sure you give something back to blogger.com; like me, I have their logo in my blog :)
Sunday, April 1, 2007
Let me explain a little about the diagram above.
- My first firewall is my traditional firewall. This box should filter all incoming traffic not explicitly allowed by your organization. Outgoing packets can go freely without restrictions. Later, I will share why you can confidently do this and therefore reduce complexity in your network.
- The DMZ is placed between the ISA and my 1st FW. Please note, a server in the DMZ is now "published" by the 1st FW and not by ISA. In here, you should only keep boxes that will not hold data for a long time (a temporary repository), like a web server, SMTP server, etc.
- Finally, the ISA comes in. ISA's default GW is the 1st FW.
Let's talk about NAT.
1st FW (live IP) --NAT/Route--> ISA --NAT/Route--> Internal Networks
So, the DMZ IP network will act as ISA's external network, but you can still use private IP addresses there. Some of these IPs will be the publishing IPs for your internal networks; just imagine them as public IPs.
Another huge benefit of having ISA there is proxying. Now that I've said to allow all traffic outbound on the 1st FW, ISA takes responsibility for ensuring only certain ports and protocols are allowed. Having one place for internal-to-external traffic control simplifies security management in your network. Users can be authenticated and authorized to the sites or services allowed by your organization's policies.
VPN should also work fine in this design, where ISA terminates the VPN connection after the NAT done by the 1st FW.
Most antivirus vendors should already have updated their signatures for this type of attack, so update your antivirus patterns and wait until MS releases a new patch for this vulnerability. The current guidance from MS is a workaround: not the best solution, but it should mitigate the attack. Vista users on IE7 are protected because of the "Protected Mode" feature in IE.
Exploit info here.
Below are excerpts from MS's security advisory on the workaround for this issue:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
- Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector. Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
- Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.
Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.
- Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
• The changes are applied to the preview pane and to open messages.
• Pictures become attachments so that they are not lost.
• Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.