Evergreen Security Now!

2007/01/25

I have started to listen to the Security Now! podcasts from the very beginning – sometime in summer 2005. Unlike some news-and-rumours podcasts that sound kind of weird if you listen to them a month later, this one has not lost a bit of its freshness. Even listening to the story of the Sony rootkit discovery again was very entertaining. I am now at the first “mod-4” Q&A podcast, number 16.

Every time I listen to Steve Gibson, one of two things happens. Either I learn something new, or I discover a new, better way to explain something I already knew about in a very nice, accessible way. Steve’s handling of the differences between WEP and WPA, his explanation of why MAC address filtering gives no security and his VPN coverage were excellent examples of the latter.

On the NAS building front: I have decided to go with a 4 SATA + 1 IDE configuration and keep all 4 SATA disks fully RAID-5-ed. I have not yet decided which distribution I will put on it. I will probably start with OpenFiler, but Ubuntu looks pretty good too and deserves a try. Btw, Peter is trying to convince me to use BIOS RAID and build a Windows 2003 server – but that is still Plan B. If time permits, I will move the yardstick on Saturday night. It may be delayed, because the biometric security project is quickly approaching the release phase and – as usual – time will be a precious resource.


How to recover lost Win XP password

2007/01/16

If it ever happens to you that you need to restart an old computer you have not logged on to for 2-3 months and you find out you have no clue what the password could be, do not panic. Exactly this happened to me yesterday. Fortunately I remembered reading something on Lifehacker a few days ago about a bootable CD which contains a live Linux distribution with the open source password cracking software Ophcrack. It runs from the CD only, does not touch your file system, only loads the local SAM and tries cracking the hashes. And boy, it works!

I downloaded and burned the ISO and rebooted the old Windows box. It had the password in less than 8 minutes. Then, just out of curiosity, I booted up my Windows notebook, which I use for one of the projects, with the crack CD. On this notebook I use a fairly reasonable password, 9 characters, a combination of uppercase, lowercase and numbers, which is not a valid word in any language (to avoid dictionary attacks). About two minutes after boot and start, the notebook fan started to go full speed, a clear signal that the 3.2 GHz Pentium 4 HT was working like crazy. The password was cracked in 18 minutes.

This thing is pretty scary, if you consider all the possibilities.


The amazing free System Information utility for Windows

2007/01/13

I found today something that (after a long time) made me say Wow! – and it had nothing to do with Apple or OS X. A simple small system management utility for Windows modestly named System Info, written by fellow Canadian Gabriel Topala (originally from Romania, but living in Toronto, as I found out from the resume on his web site).

So what is so fantastic about this program:

– it is small (single file, 1.3 MB)
– portable, no installer required
– free (although the author welcomes donations and encourages registration)
– amazing depth. It gives you more information than you expected, often more than you were aware you could get!

The main (and only) window of the program has three panes:

[screenshot: the main window with its three panes]

The navigation tree contains three main nodes: Software, Hardware and Network.

Under Hardware you will find:

all disk information with free space, physical memory, all motherboard details (model, chipset, vendor, CPU type, socket, max speed, sensor information (CPU and disk temperatures, voltage, fans), speed, BIOS maker and version), CPU information down to feature flags. You can e.g. verify whether your CPU supports MMX instructions, virtual machine extensions or a processor serial number. Much more detail than you wanted to know on system slots, devices, network card, video card (including supported modes) and 3 screens’ worth of details on DirectX …

[screenshot: the Hardware node]

In the Network portion:

[screenshot: the Network node]

you can see e.g. the ARP table, MAC addresses and IP addresses of computers around you, Windows shares, open ports (including the name of the program which owns them and the domain name of the remote host it connects to), and a wide variety of scans of the network neighborhood: FTP, HTTP, NetBIOS, SQL Server, Telnet, VNC, Oracle, RDP … you name it.

Software

[screenshot: the Software node]

Because I am a software developer, it was the features from the Software subtree that made me say Wow! a few times. Let’s start with the details of Windows XP (btw, including all service pack info and all installed patches, showing file name, version, installed date and for many of them the uninstall command). As added value, it reveals the serial number and Windows XP product key, which may come in handy in case you lost the sticker.

You will get a list of all installed applications with description, version and uninstall command. This list is MUCH more complete and detailed than what you get out of the Control Panel. For example, these are two entries for really old Java versions:

Name: Java 2 SDK Standard Edition v1.3.1_12
Versions: empty
Uninstall: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96539824-B716-11D7-88E8-0050DA21757E}\Setup.exe" -uninst


Name: Java 2 SDK, SE v1.4.2_03
Version: 1.4.2_03
Uninstall: MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142030}

The list was 278 entries long on my 3 year old installation of XP.

The special section “Applications” shows much more information for a subset of installed programs. The “much more” in many cases (like Microsoft Office) means showing the product keys, serial numbers and versions of the DLLs that belong to the package (e.g. Visual C++ Runtime).

Very nice is the File associations section, which shows you the name, path to the executable and extension of the owner of every registered extension, as well as all verbs (open, edit).

And now the killer feature: Processes. SI displays PID, executable name, version, description, parent PID, number of threads, priority, process creation time, lifetime, kernel/user time, size and full path to the executable. The Explore menu item from the context menu selects the executable in Finder, I mean Explorer. Clicking on a process shows all loaded DLLs in the lower panel (with path, version, description, handle). The Loaded DLLs view goes the other way: the upper panel shows all DLLs and after clicking on a DLL you can see the list of processes that loaded the DLL into their address space. Very interesting!

Extremely informative are also the sections Drivers and NT Services, audio/video codecs, and registered ActiveX controls. What is also very useful is the list of all open files, including the name and path of the process which opened them. This way you can e.g. see that Skype has well over 30 files open even if you are logged off and inactive – just by sitting in the system tray. It is a very eye opening exercise.

Sysadmins at heart will like the Groups and Users info: all details, including SID, last logon, when and whether the password will expire, group membership, on one clean page.

The tool allows a few interesting security hacks: “Secrets” lists all form auto-complete passwords (for both IE and Firefox). It can also help you reveal the “starred” password typed into Windows form password fields using the menu Tools->Eureka. From the Tools menu you can display all cookies, visited websites and the Internet file cache.

If you are a system administrator or have to keep a few Windows machines alive and in good shape, you will want this tool. Go and give it a try – you will be very surprised what it can do for you. And if you find it useful, consider a donation or registration – or at least try to help the author some other way (like spreading the word) – he deserves it!


Dealing with digital mess – Part 2: Passwords

2006/12/31

Today’s topic is dealing with sensitive information – such as logins, passwords, PIN numbers, credit card numbers and so on.

Up to last week, I was using the SplashID software to keep everything worth securing secure. I started to use SplashID back in 2001 when I bought the Palm based Sony Clie SJ30 (as a replacement for the wonderful Palm IIIxe). The Palm based program came with a desktop counterpart that allowed editing of entries. Later in 2004 when I switched to Pocket PC, I simply purchased the Windows Mobile version of the same software.

So – similarly to TheBat!, this was a legacy and similarly to TheBat! it had to go for two main reasons: closed source with a proprietary format and Windows mostly. Technically, there is a Mac OS X desktop client for SplashID, but both Windows and Mac desktop clients are mainly add-ons to the mobile platform counterpart. They focus on the problem of synchronizing one desktop with one (or more) mobile devices, but they do not do a good job of synchronizing two desktops.

I also found out that I do not really use the Pocket PC for purposes other than reading eBooks and sometimes looking up a phone number or address. Since I have a MacBook, the latter happens really rarely, because the MacBook wakes up almost instantly and it takes about the same time to find an address on the PPC and on the Mac.

After some research and evaluation, I have decided to go with the open source solution KeePass. It is available for Windows as well as for Mac OS and Linux, and in case I’d like to use my Toshiba again there is even a Pocket PC version. The binary file format is 100% compatible – I tested that a file created on Windows works fine on the Mac. I am not competent enough to judge the cryptographic capabilities of the system, but I trust the open source peer review process :-). The authors seem to know and care about security a lot – for example, after you copy a password from the entry edit form into the clipboard, the program automatically clears the clipboard entry after a defined amount of time (the default is 10 seconds). Also the user interface is very nice and what I liked is the visual indication of password strength – it gives you some idea about how bad your passwords are. If you are really security conscious, it has a nice generator of really strong passwords – the ones that you probably will not be able to enter without the clipboard.

I still need to solve the issue of synchronizing different desktops. For now I do it with this workflow: whenever I make a change in passwords or logins (this implies I am online), I send myself an email with the latest password file attached and enter a ToDo to update the other desktops. The file is very small – for a few hundred entries ~50 kB. The file sits in my mailbox and is always available. When I receive a new password file, I erase the previous one in the mail archive. Not ideal, but workable – because the frequency of adding new entries and changing passwords is not that high.

A friend of mine is using a USB stick on which he carries both the file as well as the KeePass software. This works too – assuming that you do not keep forgetting your USB key as I do. I have better results with email.

Final note on the conversion: it is possible to export the data as a CSV file and import it into KeePass. What was strangely more efficient for me was to transfer the entries by opening both programs and using the clipboard entry-by-entry. This way I got rid of some really obsolete entries, verified many passwords and URLs and changed several long overdue passwords.


Vista security and Java

2006/12/26

I had a brief MSN chat with a friend of mine today, who tried to install and use Vista as a development platform. I mean install on the real hardware, in order to use it as the core operating system. I have no feedback yet on how Visual Studio works, but as he found out, the Ant build files he uses to compile and deploy Java programs stopped working – because Vista did not allow copying JavaScript files. I can understand why JavaScript files are treated with caution – however, it should not be treated the same when a file is copied from a local file to a local file, rather than downloaded from the internet.

Problems like this one were not occurring on XP for two main reasons: one, because XP security was nowhere near the same level, and two, because pretty much every developer was running XP as administrator. Using an admin account for everyday work is bad for security and Microsoft tried hard to create a system that would be actually usable when logged on as a standard non-privileged user.

If surprises like this one occur too often, people will likely decide to go back to running as administrators again … which defeats the idea of having better security under Vista. If I think about it, all code related demos at the “Ready for the new day” event were done under an administrator account. Is it because this is the only practical way to develop applications under Vista?

I guess Steve Gibson‘s scepticism about early adoption of Vista was not far off (again). Let’s wait for real stories from real use scenarios and maybe even Service Pack 1 – and then evaluate whether Vista is already prime-time ready for a developer.


Few more podcasts

2006/12/21

Unfortunately, as of last Sunday I have run out of backlog of Security Now! episodes, which means that with all three of my favorite podcasts (TWiT, Windows Weekly and Security Now!), I am pretty much dependent on their weekly releases. This is a problem, because the sum of 5-7 weekly commutes to work and back (about 15 minutes one way) plus about 40 minutes in the gym every day equals about 6 hours of required podcast quality content, and the new episodes of the three podcasts above cover barely half of it.

So I needed to expand the podcast menu. Here is what seems to work and what worked less well:

1) Merlin Mann’s 43 Folders podcast. As with Steve Gibson, I listened up to the current one and enjoyed it a lot, especially the episodes with David Allen. Fast paced, entertaining, informative. I liked Merlin’s humor.

2) FLOSS – do not run away, this has nothing to do with that scary profession, it stands for Free Libre Open Source Software. I started to listen from the beginning. It is interesting to hear the people you know through their code or technical achievements as living human beings. The quality of the podcast (both audio and moderation) is not as good as the other TWiT series – but I guess Leo cannot be everywhere and the content is heavily dependent on the guest. So far I am at episode 4; episode #2 with Ben Goodger (Firefox) was interesting, #3 (Rob Malda aka CmdrTaco of Slashdot) was not so great.

3) Cranky Geeks. Run and moderated by John C. Dvorak. At first I thought this would be something as good as TWiT, but it was not quite so. Maybe it’s the selection of the guests, maybe the selection of the news they focus on, but IMHO John put together with a few more cranky geeks without the compensation of a basically positive, enthusiastic person such as Leo leads to overcrankyfication (at least for my taste buds). Second – the commercial breaks. There are way too many and they are way too annoying. I can accept TWiT’s 2-3 commercial plugs for Dell, Vista or Astaro, but this is overkill. If John does not make you cranky, the ads will. Use in moderation 🙂

I have also downloaded back episodes 1 to 45 of Security Now! which were not in the iTunes subscription – at least I have not discovered how to make them appear there – from grc.com and will listen to them. Unlike the news based podcasts, the topics are still very valid and relevant. Thanks, Steve and Leo – you are fantastic.


FEOTD: Stealther

2006/12/06

Today’s extension is from the area of – surprise surprise – security and privacy. I guess I am getting slightly paranoid from all the security related stuff I am listening to. But I promise I will switch back to “standard” TWiT, MacBreak and Windows Weekly to compensate for the security heavy topics. But it is certainly true that the more you are aware of what is technically possible, the more hostile the Internet you will see …

The extension’s name is Stealther and it can help you surf the web without leaving a trace on your local computer. What it does is temporarily disable the following:

  • Browsing History (also in Address bar)
  • Cookies
  • Downloaded Files History
  • Disk Cache
  • Saved Form Information
  • Sending of Referrer Header

In other words, with Stealther on, you can visit dubious sites without leaving traces on your local computer – this is the key. It is important to understand what it does NOT do, because people sometimes get a false feeling of security when using a tool like this. Even with Stealther on,

  • the remote site will still know your external IP address
  • you will be vulnerable to all exploits to the degree your browser is vulnerable (with Firefox, you will be much better off than with IE version <= 6, but not really secure)
  • the full history of your interaction with the site can be recorded at the site or at your ISP

A simple experiment can visualize what exactly the difference is between surfing with and without Stealther: using the LiveHTTPHeaders extension, let’s click the link ‘Firefox Help and add ons’ on the Firefox default start page and compare the difference. Here is the HTTP request without Stealther (ignore the line numbers, they are from Smultron):

[screenshot: HTTP request headers without Stealther]

and here is the same request with Stealther on:

[screenshot: the same request with Stealther on]

What is missing is the Referrer header – the foreign site will not know where you came from. Which may or may not be important. Other than that – the site will still get all information about your browser version and OS, which can be used (in the case of a malicious web site) to render a page that will try to install spyware or a virus or benefit from known browser exploits.
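To make the experiment concrete, here is an added example (my own code, not part of the original post or of Stealther) that parses two constructed request captures, one normal and one with referrer sending and cookies disabled, and reports what the remote site still learns from each. The host names, user agent string and client IP address are constructed placeholders, not values from the post’s screenshots.

```python
"""Added example: what a remote site still sees with a local-privacy extension on.
The two request captures below are constructed for this example."""
from typing import Dict, Optional, Set

# Constructed capture: a normal Firefox request after clicking a link on the start page.
REQ_NORMAL = (
    "GET /help/ HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20061204 Firefox/2.0.0.1\r\n"
    "Referer: http://start.example.invalid/firefox\r\n"
    "Cookie: session=abc123\r\n"
    "Accept: text/html\r\n\r\n"
)
# Constructed capture: the same click with referrer sending and cookies disabled.
REQ_STEALTH = (
    "GET /help/ HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20061204 Firefox/2.0.0.1\r\n"
    "Accept: text/html\r\n\r\n"
)


def parse_request(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a dict keyed by
    lower-cased header name; the request line is stored under ':request-line'."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {":request-line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def server_view(raw: str, peer_ip: str) -> Dict[str, Optional[str]]:
    """What the remote site's log would record for this request. The peer IP comes
    from the TCP connection itself, so no browser-side setting can hide it."""
    h = parse_request(raw)
    return {
        "client_ip": peer_ip,
        "request": h[":request-line"],
        "user_agent": h.get("user-agent"),   # browser and OS version still visible
        "referer": h.get("referer"),         # None when referrer sending is off
        "cookie": h.get("cookie"),           # None when cookies are disabled
    }


def headers_removed(normal: str, stealth: str) -> Set[str]:
    """Header names present in the normal request but missing from the stealthy one."""
    return set(parse_request(normal)) - set(parse_request(stealth))
```

Only the headers the browser chooses not to send disappear; the client address and User-Agent reach the site unchanged.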

Despite that, Stealther is very useful for controlling cookies. In Firefox, you can set an option so that every attempt to set a cookie is examined and manually confirmed. If you decide to do that, you must have the patience of a saint, because browsing will become a very annoying sequence of deciding whether you allow or disallow cookies. With Stealther, you can keep your browser setting at a less draconian (and more practical) level and activate the “cookie killer” on request, whenever you enter a zone of aggressive sites that may try to trace your digital pathways.

Stealther does a pretty decent job of covering your trail on the local computer side. It is very small, fast and non-intrusive. Of course, if you want to be *really* sure you have not forgotten anything, the best way is to install Linux in a virtual machine with the Firefox browser, surf from the VM environment and throw the virtual disk away after you are done. Do not forget to use a few anonymizing proxies (ideally located in different countries) and start your surfing from a public anonymous internet location like Bridgehead. Hush hush …