Wednesday, April 7, 2010

Moving the blog to a new home!


 
Blogger is a great platform and worked well for me over the past few months; but recently I have been given the opportunity to be apart of http://securegossip.com/about/  and I humbly accepted it. In short, SecureGossip was created to unite all security & IT[secure coding, system administration, etc. that leads to complete security] blogs under one roof.

I hope all my readers will join me and subscribe to the new feeds, leave comments and just make http://infolookup.securegossip.com/ your new home.

Thank you to all the current readers and I hope to be exposed to more readers on this new platform, I will keep this blog up for a while before taking it down, but all new posting will be on the new site.

Again Thank you all!

Thursday, April 1, 2010

Who do you trust to find your ADS?


What are ADS or Alternative data streams?

Alternate data streams allow more than one data stream to be associated with a filename, using the filename format "filename:streamname" (e.g., "text.txt:extrastream"). Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. Only the main stream of a file is preserved when it is copied to a FAT-formatted USB drive, attached to an e-mail, or uploaded to a website. As a result, using alternate streams for critical data may cause problems.



Why you should care about ADS?

One reason you should care is even though this has been around for quite some time now its still has a very high rate of success when implemented in a piece of malware. The ability to hide behind a know system file without changing the file size can be very deceiving. 



Another important reason as stated by http://www.rootkitanalytics.com/, is due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their Rootkit components on the compromised system without being detected. For example, the infamous Rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file into system32 folder (C:\Windows\system32) as a stream '18467'.


Below is a brief illustration of what this looks like:




Now before you start worrying yourself there is hope on the horizon thanks to tools like "StreamArmor" .


What is Stream Armor you might ask? 


StreamArmor is the sophisticated tool for discovering hidden alternate data streams (ADS) as well as clean them completely from the system. It's advanced auto analysis coupled with online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams. StreamArmor comes with fast multi threaded ADS scanner which can recursively scan over entire system and quickly uncover all hidden streams. All such discovered streams are represented using specific color patten based on threat level which makes it easy for human eye to distinguish between suspicious and normal streams. 


Or as I prefer to call it, the first step in the first direction... Don't get me wrong the are other great tools out there like streams from Microsoft or Gmer but after using StreamArmor recently I don't see how I could go back to those tools.


I decided to see how  StreamArmor would performs when compared to  two of their competitors (Streams and Gmer ). I created several ADS samples and split them up into  two folders on my C drive, then scanned both folders with each program twice.


My sample streams included the following:
  • 12 streams in total
  • I placed various files (exe, png, and avi)  behind a few .txt, .doc, bmp and .pub documents.
  • I then encrypted one of those files, zipped two of them (one with Windows 7 build in compression and the other with winrar).
                                       Microsoft Streams Results 9 out of 12


Gmer scan results: 5 out of 12


StreamArmor results: 9 out of 12

                                              
In the end both StreamArmor and MS Streams  found 9 out of 12, none of them found the ADS that were zipped or the one that was encrypted (not that I expected the encrypted files to be discovered). At this point I am as confident as when I started writing this post "StreamArmor is my preferred choice". The ability to export great reports, easy to do run customize scans, and overall the results are not difficult to interpret.
                                                
For more further reading and examples visit the below links:

http://www.auscert.org.au/render.html?it=7967 


http://www.irongeek.com/i.php?page=security/altds


http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

http://www.gmer.net/

http://www.rootkitanalytics.com/tools/streamarmor.php




Tuesday, March 30, 2010

[Guest Post]Technology replaces the Technician

This posting initially started off as a discussion on the "Yahoo Computer Business group" by Hank Cranmore from  http://www.mobitech4u.com/corporateservices.html . The discussion was surrounding cloud commuting and the damaging effects it will soon have on most computer technicians businesses. This is due in part to how affordable it is to run your small business virtually from the cloud and drastically reduce the need for support contracts or better yet on site technical support.


Technicians are people skilled in a particular area. They serve their purpose in the strategic sense of demand and need until eventually, as with all things like this before, down thru history, technology replaces the technician.

Let me repeat that, "Technology replaces the technicians".

To make it worse, technicians are historically weak during periods of economic downturns or other disasters that destabilize their ability to continue to do what they do in the face of a more efficient and cheaper competitor.

Here are some favorite examples of mine from history of when technology replaces technicians in the past.

Example #1 - Spinning thread. In today's terminology a person who is skilled at spinning fibers by hand into thread or yarn would be labeled a Spinning Tech. They were replaced by a series of rapidly evolving technology. But not to fear, those that did not starve to death got jobs by the thousands working 12 hour shifts tending to the machines of the textile factories that replaced them.

Example #2 - Computer. Not our modern day computers, but people who in a time of great illiteracy could perform math computations with great skill. The word computer has existed since at least 300 AD. Up until the point in time they were replaced by machines, human computers were employed wide and far. They were the first computer techs. The first computer business was similar to a CPA but was not limited to money. A business could send a batch of calculations to the corner computer shop and it would be processed by hand, by computer techs into final numbers. One of the largest calculations in history processed by human computers was 21,000 pages long and took 7 years to complete. Something had to change. The first computer techs were put out of business by machines set in motion by Charles Babbage. Not sure what happen to those techs, but it was just in time for WW I, the great depression labor camps (CCC), WW II and the growth of Corporations.

What will replace the computer tech? Technology!

Ever hear of a calculator tech lately? Nope!

The calculator on my desk is cheap, disposable and now that I think of it, I dont even need to change the battery. It could run forever! If I break it, I replace it. All I need to do is to buy it and operate it.

If I did break it and did not have time to go buy another one, I would just turn to a virtual calculator on my computer or a calculator app out on the internet, or "The Cloud".

But what if that little calculator could also be any business machine I needed it to be? An internet interface?

The ultimate end of computer techs will be the "Walmart" scenario. When replacing your internet interface is as cheap and easy as going to the corner Walmart, picking the color and style of your choice and paying less than a new shirt to replace the shirt you lost as a computer tech.

Prior to that, as the work and demand goes away, former techs will work by the thousands for tech mills such as central repair depots, remote support centers and Onforce type dispatch services. Again awaiting the final "Walmart" stage.

Freelance techs can evolve into Technology Consultants and then Technology Consultants can evolve into Business Consultants.

Eventually, virtual hardware and software activation cards hanging on hooks at Walmart like gift cards will replace most technology consultants and then preconfigured activation "suites/packages" cards will threaten most business consultants.

But do not worry. History has proven that techs will be taken care of one way or the other after they are replaced.

Independence? Many weavers and spinners enjoyed great independence while it lasted. When it ended, it was bad. Ironically, it was only when weavers were without work did the last "die hards" focus on becoming experts at marketing and sales as a last resort to bring in more business. Eventually the need to support a family forced them to join the ranks of employees again.

So bottom line, technology replaces technicians.

Thursday, March 18, 2010

Troubleshooting Configuration Management NetMRI


Problem: While configuring our NetMRI appliance I notice that I was unable to view the configuration for serveral of our Routers and Switches, if I looked under Network Explorer --> Devices à Entire Netork I can see I have 20 devices but under the "Configuration Management" tab I am only able to see 6 devices.




                                                             Fig 1


                                                    Fig2                       


After clicking on one of the devices from within the "Network Configuration" tab, and selecting the "Errors" option I was greeted with the below message:

                                                       Fig 3
Solution:
After receiving the above error I knew it was time to log into this Switch and re-configure the SSH RSA key.
Switch Commands to delete the SSH rsa key then recreate a new one:

config t
no crypto key rsa (naturally you would think this is the command, but it's not instead it tells you the correct command)
crypto key zeroize rsa
crypto key generate rsa
1024 (when ask for the RSA key bit)
wr mem
      
Once that's done the next step is the log into the NetMRI appliance to reset the authentication information and update the device. This will occur automatically after 24 hours, or you can do it manually but navigating to Network Explorer --> Devices
then click on the device in question and go to the "Settings" tab -->"Config File Collection" and click "Reset Authentication info" then "Update" and lastly "Get Configs".




Check your error tab again for good measure if all goes well look under the config tab and you should now be able to manage the configuration on this device.

Monday, March 15, 2010

All Things SNMP

I am working on a project whereby I have to configure our entire Network Infrastructure and a few high profile servers to be monitors by NetMRI and our Orion. Now since most of our devices are already being monitored by several other devices in the pass, I will try to illustrate the approach I took while doing this project.
Phase 1 (Backup and Cleanup)
It’s extremely important to make sure you backup your current running configuration before making any changes, and if you do have to make changes try to do them off hours so if something does goes wrong you wouldn’t get a million calls coming into the HelpDesk from angry workers. Before attempting the below you will need to first setup a TFTP server on your computer, here is a link to one of my favorites à http://tftpd32.jounin.net/.
  1. At the Router> prompt, issue the enable command, and provide the required password when prompted.
The prompt changes to Router#, which indicates that the router is now in privileged mode.
  1. Copy the running configuration file to the TFTP server:
3.  CE_2#copy running-config tftp:
4.  Address or name of remote host []? 64.104.207.171
5.  Destination filename [ce_2-confg]? backup_cfg_for_my_router
6.  !!
7.  1030 bytes copied in 2.489 secs (395 bytes/sec)
CE_2#
  1. Open the configuration file with a text editor. Search for and remove any line that starts with "AAA".
Note: This step is to remove any security commands that can lock you out of the router.
  1. Copy the configuration file from the TFTP server to a new router in privileged (enable) mode which has a basic configuration.
10.Router#copy tftp: running-config
11.Address or name of remote host []? 64.104.207.171
12.Source filename []? backup_cfg_for_my_router
13.Destination filename [running-config]?
14.Accessing tftp://10.66.64.10/backup_cfg_for_my_router...
15.Loading backup_cfg_for_router from 64.104.207.171 (via FastEthernet0/0): !
16.[OK - 1030 bytes]
17.

18.1030 bytes copied in 9.612 secs (107 bytes/sec)
CE_2#

Phase 2 (Configuring Routers/Switches/WLAN Controller)

During this phase, I first logged into each appliance and run the following commands just to get a quick idea of what user accounts are configured on the device, and what are the SNMP settings.
sh run | inc snmp
sh run | inc user
Once I have gotten the above information I can build my configuration file. In our case we are removing old community strings and SNMP host while at the same thing updating the devices with the new information.
=============================
Updating Configuration on Cisco 3560
==============================
Config t
no snmp-server community public RO
no snmp-server community private RW
no snmp-server user pubic pubic v1
no snmp-server user pubic pubic v2c
snmp-server community $y$10g
username L0gg3r password P@$$\/\/0rd
snmp-server host 192.168.3.6  $y$10g

===================================
Configuring SNMP on Cisco WLAN
====================================
SSH into
config  snmp version v2c enable
config snmp community create $y$10g
config logging syslog host 192.168.3.6  (maximum number of host this controller supports is one)
save config (answer Y)
you are set!

Once that’s all setup its time to log back into both Orion, and the NetMRI appliance and verify it configured correctly but triggering a few test alerts.
Additional Information
In the end your logs are only as useful to you if someone looks at it!

Tuesday, March 9, 2010

You Cannot Copy or Move Messages to Public Folders

Yesterday I received a call from a user who was unable to do the following,  "Use the Mark Complete flag" in Outlook or "Copy message from their inbox to a share public folder". After researching the issue I came across this article from Microsoft that solved the issue. 


Solution:


To resolve this issue, remove the explicit Deny for the Everyone group on these permissions:

  1. Start Exchange System Manager.
  2. Under the Folders object, right-click the Public Folders object, and then click Properties.





 Fig1


3. Click the Security tab, and then click the Everyone group.

4. Click to de-select the Deny check box for the three following permissions:

     * Create public folder
     * Create top level public folder
     * Create named properties in the information store

Fig2                                  Fig3

5. Click Apply, and then lick OK to close the properties.

Now you can go back to organizing your emails!

Thursday, February 25, 2010

VMware IP Address Already Assigned to Another Adapter

I got the following message when I was attempting to change the DNS address on a few of  my VMware Servers today.

The IP address XXX.XXX.XXX.XXX you have entered for this network adapter is already assigned to another adapter Name of adapter. Name of adapter is hidden from the network and Dial-up Connections folder because it is not physically in the computer or is a legacy adapter that is not working. If the same address is assigned to both adapters and they become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to enter a different IP address for this adapter in the list of IP addresses in the advanced dialog box?
In this message, XXX.XXX.XXX.XXX is an IP address that you are trying to set and Name of adapter is the name of a network adapter that is present in the registry but hidden in Device Manager.



I tried  Microsoft's suggestion in this article "http://support.microsoft.com/?kbid=269155" however it didn't work for me. I had to create a "system environment variable" and give it the value of "1". Once that was completed I was able to follow the rest of the article. I removed all hidden adapters except for the "RAS Adapter" and I was then able to add the new IP address.

How to create a system variable:

On a Windows machine right click "My Computer" --> Properties --> Advanced tab--> Environment Variables--> System variables -->Click new --> Specify a "Variable name" (devmgr_show_nonpresent_devices)  and the "Variable value" which is 1



Enjoy now you can rest easy!

Reference Links:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1179

http://support.microsoft.com/?kbid=269155