August 2006 - Posts

Wiping a drive, the easy way

While poking around for a blog post on Susan's blog, I found this one, asking how to wipe a drive. Teacher, Teacher, I know the answer, I know:

cipher /w:<drive letter>

This command, built into Windows XP and higher, makes three passes (zeros, then ones, then random data) over all the free space on a volume. It only overwrites unallocated clusters, so delete the files you want gone, or format the volume, before you run it. You will, of course, have to mount the drive in a box that you can boot at least into WinPE, if you have that, or full Windows XP. That's the main drawback of using this method. I have an old USB hard drive enclosure I used for this, and if you have a lot of drives to wipe, the $20 investment may well be worth it.

If you are paranoid, or in the DoD, or the MOD, or the DOD, or one of the many other organizations across the world that have very stringent requirements for data disposal, crushing or grinding the drives is still the most secure option. However, if you are only trying to protect drives from my friend Simson, or folks like him, as opposed to hostile nation states, cipher /w should be just the ticket.
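Added here as a worked example (it is not from the original post, and it is my wrapper, not anything Microsoft ships): a PowerShell function that runs cipher /w over one or more data volumes with the two checks I would want before letting it loose, namely that the volume is actually mounted and that it is not the drive Windows is running from. The function name and parameter are this example's own.

```powershell
# Added example, not from the original post: wipe the free space of one or more
# data volumes with cipher /w, with two sanity checks in front of it.
# cipher /w overwrites unallocated clusters only, so delete (or format away) the
# files you want gone first; it never touches data still allocated to a file.
function Invoke-FreeSpaceWipe {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $DriveLetter      # e.g. 'E', 'F:' or 'F:\'
    )

    $systemDrive = ($env:SystemDrive -replace ':$', '').ToUpper()   # usually 'C'

    foreach ($item in $DriveLetter) {
        $letter = ($item -replace '[:\\]+$', '').ToUpper()
        $root   = "${letter}:\"

        # Check 1: never run this against the drive Windows is running from.
        if ($letter -eq $systemDrive) {
            Write-Warning "Refusing to wipe free space on the system drive $root"
            continue
        }
        # Check 2: the volume has to be mounted in this box (USB enclosure, WinPE, ...).
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Volume $root is not mounted; skipping"
            continue
        }

        # cipher /w makes three passes over every free cluster: 0x00, then 0xFF,
        # then random data. While it runs it fills the volume through a temporary
        # folder named EFSTMPWP in the root and removes that folder when finished.
        Write-Host "Wiping free space on $root"
        & cipher.exe "/w:$root"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "cipher exited with code $LASTEXITCODE on $root"
        }
    }
}

# Usage (wipes free space on E: and F:, leaves the system drive alone):
# Invoke-FreeSpaceWipe -DriveLetter 'E', 'F'
```

Expect the run to take a while on a big volume: the three passes have to fill every free cluster, and the temporary EFSTMPWP folder will grow until the volume is full before cipher cleans it up.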

SMB Message Signing Troubles?

Susan posted this a few days ago, and I just thought it made sense to give it some more attention. SMB Message Signing is one of, if not the, most problematic security settings in Windows. It exists to defeat man-in-the-middle attacks on SMB sessions, but getting the settings to match on clients and servers is difficult, given that the defaults are somewhat hard to understand. I talked about all this at some length in an article that I wrote last summer. The article was an attempt to clarify the area a bit and help people figure out how to use the setting without disabling communication in their network. While writing the article (and having to explain to senior execs why the setting was so troublesome) I also figured that the only way to solve the problem was to change the way the setting worked. The idea was to remove the ability to disable SMB Message Signing. If a system would always successfully negotiate SMB Message Signing, then all the mismatches would go away, leaving you only the overhead that signing introduces to manage. This, however, would require a change to the behavior of both the redirector (the workstation service) and the server service, which could only be done by patching both components. On August 15, 2006, the hotfix that does exactly that was released. The hotfix is described in KB article 916846. It does exactly what I just said: it ensures that even if SMB Message Signing is disabled on one party to the communication and required on the other, the communication succeeds.

The hotfix does not, as far as I can tell, remove the overhead involved in SMB Message Signing. In small, bursty connections that overhead should be minimal, but in high-volume, long running transactions it could go as high as 40%. This will be addressed in SMBv2 in Windows Vista and Windows Longhorn Server.

If you can live with the overhead, which you must be able to if you have decided you want SMB Message Signing, but you are having trouble getting the settings to match on all systems, this fix may be just the ticket. If you get it deployed your systems will be much more tolerant of misconfigured settings and your life should get a bit simpler all of a sudden.
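As an added example (mine, not part of the original post or of the hotfix), here is a PowerShell script that reads the four SMB signing registry values on the local machine and predicts what happens when this box talks to a peer with each possible setting. The negotiation table is the SMB1 behaviour the earlier article describes: a side set to Required against a side set to Disabled fails, Enabled against Enabled signs, and Enabled against Disabled goes unsigned. The -AfterHotfix switch models the KB 916846 behaviour described above (the Required/Disabled mismatch now succeeds with signing) and is this example's own simplification; the function names are assumptions too.

```powershell
# Added example, not part of the original post: read the local SMB signing
# settings from the registry and predict the outcome against every peer setting.

function Get-SmbSigningPolicy {
    param([ValidateSet('Workstation', 'Server')] [string] $Role)

    # Redirector settings live under LanmanWorkstation, server service under LanmanServer.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Lanman$Role\Parameters"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Missing values are treated as 0 here; the Group Policy UI writes both explicitly.
    if (([int] $p.RequireSecuritySignature) -eq 1) { return 'Required' }
    if (([int] $p.EnableSecuritySignature)  -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-SmbSigningOutcome {
    param(
        [ValidateSet('Required', 'Enabled', 'Disabled')] [string] $Client,
        [ValidateSet('Required', 'Enabled', 'Disabled')] [string] $Server,
        [switch] $AfterHotfix    # models the KB 916846 behaviour described in the post
    )
    $someoneRequires = ($Client -eq 'Required') -or ($Server -eq 'Required')
    $someoneDisabled = ($Client -eq 'Disabled') -or ($Server -eq 'Disabled')

    if ($someoneRequires -and $someoneDisabled) {
        # The mismatch that breaks communication on unpatched systems.
        if ($AfterHotfix) { return 'Signed' }
        return 'ConnectionFails'
    }
    if ($someoneRequires) { return 'Signed' }                              # Required + Enabled
    if ($Client -eq 'Enabled' -and $Server -eq 'Enabled') { return 'Signed' }
    return 'NotSigned'                                                     # Enabled/Disabled or Disabled/Disabled
}

$clientPolicy = Get-SmbSigningPolicy -Role Workstation
$serverPolicy = Get-SmbSigningPolicy -Role Server
"Local redirector: $clientPolicy   Local server service: $serverPolicy"

foreach ($peer in 'Required', 'Enabled', 'Disabled') {
    $asClient = Get-SmbSigningOutcome -Client $clientPolicy -Server $peer
    $patched  = Get-SmbSigningOutcome -Client $clientPolicy -Server $peer -AfterHotfix
    $asServer = Get-SmbSigningOutcome -Client $peer -Server $serverPolicy
    'Peer {0,-8}: as client {1,-15} (with KB 916846: {2,-6}); as server {3}' -f $peer, $asClient, $patched, $asServer
}
```

Run it on a workstation and on a member server and compare the two reports; every ConnectionFails cell is a pairing you either have to reconcile by policy or cover with the hotfix.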

Admin Rights Hall Of Shame and Complaint Abuses

A few weeks ago I bought a copy of Nobeltec's Tides and Currents software. Nobeltec is a subsidiary of Jeppesen, well known for their aviation, and apparently now also marine, navigation charts. I was told this software was by far the best way to analyze currents for diving purposes.

When I received the software and stuck the installer disk into my Windows XP SP2 machine, the installer was correctly identified by the operating system, and the dialog asking whether I wanted to run this installer as a different user popped up, as it should, since I was running as a limited user. I gave it administrative credentials and it installed the software. Now I went to the start menu to run it, but did not find Tides and Currents. Instead I found something called "E-Chart Planner." However, E-Chart Planner did not actually work because my license did not include any of the charts for it. Tides and Currents seemed to be nowhere to be found. Eventually I located a binary called "tides32.exe" which seemed like it might be it. However, when I ran that, it told me I only had a license to use this for a single user, and that my trying to run it was a violation of that license.

None of this made sense, so I logged on as an administrator (the one that installed the software) and now I found Tides and Currents on the Start menu, right under the Windows Update icon. That icon was apparently installed under the user's profile, not under all users. The link went to tides32.exe, and if you clicked it, the software ran. This is when I contacted Nobeltec support to find out what was going on.

It turns out that the E-Chart Planner is a "bonus" application that you get, which does not actually run unless you spend around $500 on charts for it. It, however, had its links installed in the All Users profile. Tides and Currents itself was only installed in the profile of the user that installed the software. The reason tides32.exe did not work before was that it will not run as a non-administrator. At this point I have not run the app under LUA Buglight yet to see why, but I really don't think that is my job.

By now I had a nearly useless message back from the support department where they basically just told me what the E-Chart Planner software was and how much it would cost me. I responded by asking how to make Tides and Currents run as a non-administrator. After a couple of days I got a response back that said "This software needs to be installed and run under and[sic] Administrator account in Windows." After another round of e-mail I found out that "Unfortunately I am unable to answer your questions regarding the need to be logged in as administrator. I can only describe how the software functions."

I now asked for a refund. The support department told me to contact sales, so I sent a message to the Sales department. After a week, I got a response, in the form of a newsletter advertising an upgrade to some other software Nobeltec sells! Thank you, but I will probably never spend money on a Nobeltec product again!

Nobeltec is not only ignoring my request for information on how to return their flawed software, they are using my messages to them with those requests to fatten up their spam lists! This is obviously unethical, and it would not even be illegal were it not for the fact that their newsletter is not compliant with the CAN-SPAM act: it does not contain a physical address for the sender.

At this point I am debating what to do. I have sent yet another note to the sales department asking for my refund, and requesting to be taken off their mailing list. I have obviously referred their software to Threatcode.com and their spam mail to spam@uce.gov, and I thought it appropriate to warn others not to waste $100 on this software that requires you to put your computer at risk to use it. I guess I will wait and see if the sales department finally responds before I take any further steps though.

Interesting Phishing Twist

The other day I got a phishing mail purporting to be from eBay. That in and of itself was not unusual. What was interesting was that the link used a different technique to disguise itself than any I had seen before. Instead of using a URL made up of an IP address or some nonsense, it bounced the link through Google. The link looked something like: http://www.google.com/url?q=http://blogs.technet.com/jesper_johansson. An alert user would see that the link goes to Google and wonder why it does not go to eBay, but since Google does not look suspicious, that probably won't raise many concerns.

This may not be new. It could just be that I have not noticed, as I do not usually pay much attention to phishing. It also appears that while this one used Google to bounce the link off of, you can use ebayobjects.com or MSN.com for the same purpose. Of course, you can also hide the URL behind TinyURL and similar services. This means that people need to be very vigilant about where they are going, and must validate the site only by the certificate it presents and the URL shown in the address bar once they get there, not by the URL they clicked on to get there. All of us who work in security owe it to the people we know to make sure they understand this. A login page that presents no certificate is almost certainly fake.

There are exceptions to this. Discover Card and many others persist in using an optimization technique whereby the login page itself is served over plain HTTP and shows no certificate. Only the form action uses SSL, which means the password is encrypted as it goes across the wire. However, they have yet to understand that encrypting credentials is only one of the objectives of SSL. Discover Card still does not grasp the other objective: letting the end user ascertain, before typing anything, that they are actually sending their password to the right server. Worse, a login page delivered over HTTP can be rewritten in transit, form action included, so the SSL on the submission protects nothing against an attacker who sits in the path. And they wonder why phishing is so lucrative against the credit card industry?
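Added here as an example (my code, not from the original post): a PowerShell script that works out where a link really lands when it is bounced through a redirector like google.com/url?q=, without touching the network, and reports whether the landing host belongs to the brand the mail claims to be from. The redirector table, the shortener list, the function names and the sample links are this example's own assumptions; the first sample mirrors the link quoted above, the others are constructed.

```powershell
# Added example, not part of the original post: unwrap redirector-style links
# and check the host the user would actually land on.

$RedirectParams = @{
    'www.google.com' = @('q', 'url')   # http://www.google.com/url?q=<target>  (from the post)
    'google.com'     = @('q', 'url')   # assumption: add ebayobjects.com, msn.com etc. once you know their parameter names
}
$Shorteners = @('tinyurl.com')          # destination unknown until the link is followed

function Get-QueryValue {
    param([System.Uri] $Uri, [string] $Name)
    # Minimal query-string parser: first decoded value of $Name, or $null.
    $query = $Uri.Query.TrimStart('?')
    foreach ($pair in ($query -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0] -eq $Name) {
            return [System.Uri]::UnescapeDataString($kv[1])
        }
    }
    return $null
}

function Resolve-LinkTarget {
    param([Parameter(Mandatory = $true)] [string] $Link)

    $uri  = [System.Uri] $Link
    $hops = @($uri.Host)

    # Follow wrapper links by reading their target parameter, a bounded number of times.
    for ($i = 0; $i -lt 5; $i++) {
        $hostName = $uri.Host.ToLower()
        if (-not $RedirectParams.ContainsKey($hostName)) { break }

        $target = $null
        foreach ($name in $RedirectParams[$hostName]) {
            $target = Get-QueryValue -Uri $uri -Name $name
            if ($target) { break }
        }
        if (-not $target) { break }

        $next = $null
        if (-not [System.Uri]::TryCreate($target, [System.UriKind]::Absolute, [ref] $next)) { break }
        $uri   = $next
        $hops += $uri.Host
    }

    New-Object PSObject -Property @{
        Link      = $Link
        Hops      = $hops
        FinalHost = $uri.Host.ToLower()
        Shortener = ($Shorteners -contains $uri.Host.ToLower())
    }
}

function Test-LinkBrand {
    # Does the final landing host belong to the brand the mail claims to be from?
    param([string] $Link, [string] $BrandDomain)   # e.g. 'ebay.com'
    $r = Resolve-LinkTarget -Link $Link
    if ($r.Shortener) { return 'shortener: cannot verify without following it' }
    if ($r.FinalHost -eq $BrandDomain -or $r.FinalHost.EndsWith(".$BrandDomain")) {
        return "lands on $BrandDomain"
    }
    return "does NOT land on $BrandDomain (ends up at $($r.FinalHost) after $($r.Hops.Count - 1) bounce(s))"
}

# Constructed sample links from a supposed eBay mail; example.net is a reserved name.
$samples = @(
    'http://www.google.com/url?q=http://blogs.technet.com/jesper_johansson',
    'http://www.google.com/url?q=http%3A%2F%2Fsignin.ebay.com.example.net%2Fws%2FeBayISAPI.dll',
    'http://tinyurl.com/abc123',
    'https://signin.ebay.com/ws/eBayISAPI.dll'
)
foreach ($s in $samples) {
    "{0}`n    -> {1}" -f $s, (Test-LinkBrand -Link $s -BrandDomain 'ebay.com')
}
```

The second sample is the case the host check is there for: the decoded target starts with signin.ebay.com but its real domain is example.net, which a suffix match on ".ebay.com" rejects while a naive substring search would accept. Shorteners get flagged rather than resolved, because the only way to learn their destination is to follow them, and that is exactly what the user should not do from a mail.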

Posted Thu, Aug 17 2006 by jesper | 1 comment(s)
Welcome To My New Blog

Welcome to my new blog! Some of Microsoft's wonderful Most Valuable Professionals (MVPs) offered me a blog on this new site they set up, on the condition that I keep using it. That seemed like an easy one.

Until I leave Microsoft on September 1 I probably will not be writing much professional content in here. Until then, you will have to be content with things like a nice picture of some giant plumose anemones I saw last weekend when a group of people from Bubbles Below went up to dive the McKenzie Wreck in British Columbia:

[photo: giant plumose anemones on the McKenzie Wreck]

Besides, this gives me a chance to try out the gallery feature in Community Server.

BTW, we found out that when you enter Canada by boat, you must still stop by and say hi to the friendly uniformed customs and border patrol people, even if you intend only to dive and not even to step onto Canadian soil. The uniformed, armed, and somewhat annoyed border patrol agents in the really zippy inflatable informed us of that, after they had boarded our dive vessels while the lot of us were down on the wreck. We were informed that "Canada is a sovereign country, eh" and "under no circumstances are you to deviate from a direct course to the customs station in Sidney."

All in all, the diving was as good as you can expect it to be on a summer day in the Pacific Northwest - in other words - spectacular. We also ended up in the middle of a spectacular show put on by a pod of resident orcas on the way back to Anacortes. We had a big male swim right under our boat, and a baby and mom put on a jumping contest about 50 meters off the port bow.

I will try to put a more diverse set of content in here than I used to, while always retaining a focus on information security, of course. Right now, that content will have to wait a few weeks though. Hope you don't mind too much. If you want to look at some more dive pictures before then, check out the galleries at the Bubbles Below web site as well as some other pictures I put on the-johanssons.com.

Posted Sun, Aug 13 2006 by jesper | 6 comment(s)