Sunday, May 31, 2009

Sunday Linkfest: Last Call

Turned out that I was able to stay a lot more productive this weekend than I anticipated.

Not only was I able to take care of most of the home-chore list, but in getting up my planned posts, I actually uncovered more than a few surprising gems as well.

Here are the remaining links.

Browsers

Snapshot build with preview of the *new* Skin – Opera Desktop Team – Opera 10 Alpha stuff so there’s a here be dragons warning attached.  That said it is stable enough for casual browsing for the curious and will, by default, install into its own program folder to keep any existing release versions of Opera you may have intact.  It’s a very nice browser that deserves much more credit than it gets.  It’s been drowned out by Firefox and Chrome and it is a shame.  It’s a bit hard to tell for non-regular Opera users but the new skin is polished and sophisticated.  Much more refined than either of the default themes in Firefox or Chrome (IMHO).  The European roots shine through.

Portable Google Chrome 2.0.172.30 Beta (Google Translate) – Direct link to Caschy’s Blog where his updated Portable Google launcher is available including a newer Google Chrome release. Spotted via Lifehacker blog.

Microsoft Watch

The Case of the Slow Keynote Demo – Mark’s Blog – Mark Russinovich uses his l33t Windows powers of observation to trace a stuttery presentation element.  While the ultimate cause is probably unlikely to be encountered by most users, it is another example of using Process Monitor to deliberately drill down to the exact cause of the error.

Extended Support Begins for Windows XP—Support for XP Continues Until 2014 – Microsoft Support Lifecycle Blog. I knew this but it was good to see it again.  A gentleman at our church asked me last week what he should do.  He has a solid XP desktop system and two Vista systems.  For some reason he was under the belief that XP support was getting dropped this summer. Not true.  But he already had two Vista systems and wasn’t impressed enough with Vista to switch; particularly knowing that Windows 7 is just around the corner.  On the other hand, he would rather pull the plug on the system than run it “unsecured” and unsupported.  This was a big relief.

And will likely be as well to all the enterprise deployments of XP Professional whose IT shops are patiently waiting to jump over Vista and begin taking a closer look at Windows 7 in a year or two.

From the post (emphasis mine):

Recently there has been a fair amount of press coverage regarding the end of Mainstream Support for Windows XP. Released at the tail end of 2001, Windows XP has been a solid hit in the marketplace and there has been some concern about what the move from Mainstream to Extended Support means for customers.

To be clear, Microsoft will continue to support Windows XP until 8 April 2014 – about five years from now. So what are the differences between Mainstream and Extended?

Microsoft divides support for Business and Developer products (including the Windows XP operating system) into two distinct timeframes: Mainstream Support and Extended Support. In a nutshell, Mainstream Support provides both consumers and enterprise customers with a full offering of support including complimentary support, design change requests, security updates and other kinds of updates for the product.

Extended Support does alter the range of support a bit, but for the vast majority of customers the essential core remains the same. For example, customers will continue to receive free security updates and can call in for paid support until the second Tuesday in April of 2014. Enterprise customers with Premier Support who may need non-security hotfixes (such as design change requests) should consider enrolling in an optional support program named Extended Hotfix Support (EHS). EHS is required by very few customers as the product has matured to the point where design changes are relatively infrequent. For more information on obtaining Extended Hotfix Support, enterprise customers should contact their Microsoft account representative.

Microsoft Support Lifecycle Policy – Microsoft Help and Support – Pretty charts that will probably confuse most everyone seeking to understand what the blog post above clearly states.  Have at it kids.

Security/Forensics

Stuff – Windows Incident Response blog. Darn if I was clever enough to come up with catchy post leads like that! ;-)  Seriously, it covers a nice swath of items including torrent use analysis, full-disk encryption evaluation, and some great System Event ID analysis.

Worth Reading: Analysing packed malware - The H Security. This was a neat find.  Heise brings notice that Piotr Bania has a free PDF paper just released covering a new method developed to circumvent packing-protection methods used by malware authors.  This is great reading for malware analysts.  Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs (PDF) – Piotr Bania.  What was even cooler is that you may recall Piotr as the gentleman who recently brought us his Kon-Boot: Bypass Windows Login Security non-persistent boot kit tool.

Piotr Bania Chronicles – Yep.  I also was able to track down Piotr’s own personal blogsite as well.  Filled with some interesting posts.  I hope more good stuff is shared by Piotr in the future.

DEFT Extra – The DEFT forensics team, creators of the DEFT LiveCD, have just released their Windows Utility launcher collection.  If you download the full LiveCD, you have two choices: boot a system into the DEFT Linux environment and the associated tools, or put it into a running Windows system and then run the DEFT-Extra tools.  It’s a very nice collection of system utilities and some forensics-related tools as well.  Now you can download just that package and play with these.  Definitely some sweet tools here that just about any technician or sysadmin would find a good use for. Check it out!

L0phtcrack 6 – Live and Revived!  A powerful password auditing and recovery tool.  They are offering a free 15-day trial version for download along with a number of various versions for purchase depending on your deployment needs. See the Learn about L0phtCrack for screenshots and more.  Of course, if you are on a budget there is always the open source Ophcrack version.  I’d be interested to see some side-by-side comparisons…for some reason, my money would probably be on L0phtcrack 6.

Graphics

Paint.NET has got to be one of the easiest but most powerful freeware photo/image manipulation tools there is.  Sure it can’t compare with Photoshop and it’s not quite in the same graphic tool class as the GIMP either.  That said if you are looking for an advanced image tool, this is well worth looking into. It does require the .NET framework.

If you are an experienced Paint.NET user and looking for a bit of the cutting-edge when it comes to performance and features, you can always try out some of the Alpha-version releases of Paint.NET.  Only you won’t easily find them from the main product page.  You will have to go over to the Paint.NET v3.5 Preview Center pages to get them.

Yes these are bound to be a bit buggy and in need of additional refinement, but you might just walk away impressed with the performance or feature set offered.

Microsoft Research AutoCollage 2008 v 1.1 - Windows Live – Kurt Shintaku’s Blog.  This is a neat tool that auto-blends various images from a folder into an integrated collage. See the main site-page AutoCollage 2008 for more information or Download it now for a free 30-day trial.  Demos at that link or you can purchase for $19.99 at the Microsoft Store.

Autodesk Project Dragonfly – Now THIS is cool.  Lavie and Alvis are all over this thing. Autodesk are the makers of one of the most powerful and widespread CAD programs out there.  I’m frequently working with the Autodesk file viewer to convert CAD drawings into Visio for our team.  Anyway, Project Dragonfly is an amazingly detailed and fun web-based 3D CAD application to do design and layout work for your home.  It’s fun and no CAD experience is necessary.

GSD Fan Bonus

So this neat utility find is a bonus treat for all you faithful GSD readers who actually made it to the bottom of this post.

Pismo File Mount – freeware -- Pismo Technic Inc. (Screen Shots)

Pismo offers a number of interesting products, but the one in particular you need to look for is the Pismo File Mount Audit Package.

Now my favorite freeware tool to mount ISO files as a “virtual drive” has been SlySoft Virtual CloneDrive. Besides being free and stable, it’s just fun and easy to use.  Sure there is also Daemon Tools but it hooks deeper into the system and is toolbar/ad supported, which has turned many former fans off it. There are some other virtual drive mounters that I have posted about, as well as the newer Gizmo Drive freeware utility. (Note: Gizmo Drive also supports Windows 7 in both x32/x64 bit platforms…)

I haven’t needed (yet) a Windows 7 compatible program but it appears Pismo File Mount is the solution for virtual drive ISO file mounting in Win 7. Nice.  Supports Windows 7 x32/x64 bit releases along with previous Windows OS versions.

What seems so appealing is that you can not just mount an ISO file as a virtual drive, but if you don’t need drive-letter access/operation, you can also use it to mount an ISO as a folder to view/access files.  That’s pretty handy.  Also handles ZIP files in a similar manner.

Hopefully you will be as impressed with it as I am.  Great tool for you ISO disk jockeys out there.

Thanks for hanging around for the final call with me.

See you again at the counter real soon.

--Claus V.

Free: USAF-Hardened Windows Build (…well kinda…)

[Photo 070824-F-5957S-367 – public domain photo taken by U.S. Air Force Senior Airman Julianne Showalter]

Windows: Locked and Loaded?

About a month ago, there was a Wired story about how Microsoft had developed and offered a super-duper secure version of Windows to the United States Air Force to better protect its Windows deployments and users than the piddling-weak stuff that us private citizens get offered.

Microsoft Offers Secure Windows … But Only to the Government  - Wired Threat Level blog.

It’s the most secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days.  The only problem is, you have to join the Air Force to get it.

The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us.

Security experts have been arguing for this “trickle-down” model for years.  But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.

Upon which everybody who pays taxes AND uses Windows moaned and complained about things not being fair that the USAF gets something we don’t; an actual secure version of Windows.

Only one problem, journalist Kim Zetter got the story pretty darn close to being correct, but left out one important detail.

Namely, that the USAF doesn’t actually use a super-weaponized-and-hardened version of Windows made just for them.

Ooops

Microsoft: There is no special version of XP for the Air Force – The Tech Herald – Security as covered by Steve Ragan:

The problem, and the source of the confusion about the article itself, is that Microsoft did not offer a new version or a special version of XP to the Air Force. All Microsoft did was help the Air Force harden GPOs (Group Policy Objects) and images used for deployments when the Air Force made that request.

“We agreed to assist, as we do with any company that hires us to assist in setting their own security policy as implemented in Windows. The work from the AF ended up morphing into the Federal Desktop Core Configuration (FDCC) recommendations maintained by NIST. There are differences, but they are essentially the same thing,” said Roger Grimes, Security Architect on the ACE Team at Microsoft.

“NIST initially used even more secure settings in the hardening process (many of which have since been relaxed because of operational issues, and is now even closer to what the AF created),” he added.

“In the initial article, a lot of the other improvements, such as patching, came from the use of better tools (SCCM, etc.), and were not necessarily solely due to the changes in the base image (although that certainly didn't hurt). So, it seems the author mixed up some of the different technology pushes and wrapped them up into a single story. He also seems to imply that this is something special and secret, but the truth is there is more openness with the FDCC program and the surrounding security outcomes than anything we've ever done before,” Grimes continued.

Schneier on Security: Secure Version of Windows Created for the U.S. Air Force – Schneier on Security – Even Bruce got caught up and had to make an update as the facts became known.

Bruce even included additional (and public) links provided by Microsoft for these projects.

Anyone can download the FDCC settings, documentation, and even complete images. I worked on the FDCC project for little over a year, and Aaron Margosis has been involved for many years, and continues to be involved. He offers all sorts of public knowledge and useful tools. Here, Aaron has written a couple of tools that anyone can use to apply FDCC settings to local group policy. It includes the source code, if anyone wants to customize them.

I’ve been RSS feeding Microsoft’s Aaron Margosis blog and work for a while now, but even his work on this project came as a surprise to me.

F D C C – Ensuring “Aim High” applies to all

What is really awesome (to me at least…as teased in this post title) is that the FDCC settings are actually released, almost fully implemented to the standards, in updated VHD virtual machine files for XP Pro and Vista.  Free (but time-bombed) for the taking, testing, and tweaking!

All this information and work is provided openly by the National Institute of Standards and Technology (NIST) and sponsored by the DHS National Cyber Security Division/US-CERT.

These recommendations were developed at the National Institute of Standards and Technology, which collaborated with OMB, DHS, DISA, NSA, USAF, and Microsoft to produce the Windows XP and Vista FDCC baseline.

  • F D C C – Federal Desktop Core Configuration main page

  • F D C C - Download Page – Filled chock-full-o-nuts of the VHD files for XP/Vista pre-configured (mostly) with these magical security settings, as well as Group Policy Objects (GPO) that could be deployed and tons of documentation on what exactly is going on.

  • F D C C - Agency Testing FAQ – Specifically jumps to the FAQ section on working with and using the VHD file packages for testing in Virtual PC sessions.

  • F D C C – FAQ – The top-page.  Lots to read so kick back and take it all in.

All-in-all it is amazing stuff.

I really appreciate the value that this information and the access to the VHD files offers.  It really allows system administrators and security folks to get a sense of just how usable a Windows system remains after many of these configurations have been applied.  Now, granted, the Windows systems won’t be quite as friendly to use as, say, the way you’ve set up Grandma Flutter’s Windows system, but it will be much more secure.

Think of it as a free computer-lab course in Windows security best-practices configuration for the general public.

But Wait! There’s More!

Federal Desktop Core Configuration - Microsoft TechNet’s FDCC Blog. Frequently updated with notices of new FDCC releases and configuration policy changes.

Federal Desktop Core Configuration : Utilities for automating Local Group Policy management  - Microsoft TechNet’s FDCC Blog page with the tools for applying the LGPO for the FDCC configurations.

Federal Desktop Core Configuration : Kicking off the FDCC blog – Kurt Dillard introduces the mission and vision behind the FDCC release in this early (and massive) blog post.  I’ve snipped it down to (IMHO) the best key takeaway parts: 

…Microsoft has been collaborating with a handful of federal agencies to create actionable guidance and tools that agencies can use to implement the standard desktop and organizations who do business with the federal government can use to ensure their solutions are compatible with the locked-down configurations. I use the plural "configurations" because there are 2, one for Windows Vista and another for Windows XP. These configurations are collectively known as the Federal Desktop Core Configuration, or FDCC.

I know that many organizations are eager to see the details of the FDCC configuration. I've heard from federal agencies that want to start preparing to deploy FDCC as soon as possible. I've also talked to software companies that want to ensure their applications will be fully functional when run on FDCC systems. I've also heard from systems integrators and IT services companies that want to be ready to help their federal customers to deploy and support the FDCC configurations. Microsoft has been working closely with the OMB, NIST, NSA, DISA, DHS, and the USAF and none of us want to publish guidance, tools, and other resources that will have to be updated and corrected repeatedly over the first few weeks.

At Microsoft we're creating and testing Virtual PC (VPC) images that we hope will help agencies and solutions providers to develop and test applications to run on FDCC compliant systems. These VPC images are not suitable for deployment, they'll be evaluation copies of Windows that will expire after a set period of time, but since they will be preconfigured they should help organizations to jumpstart their testing.

You still want to know more details about the settings, don't you? The single most important requirement in the FDCC is that all normal users will have to log in without administrative privileges. Experience has shown us that taking away admin rights from users causes the most challenges: some applications stop working and some users get frustrated that they can no longer install whatever software they want and they can no longer make whatever configuration changes they want to their computers. You can get an idea of what the FDCC configurations will look like by taking a look at the Microsoft security guides (listed on the Resources page), the FDCC settings are similar to the Specialized Security - Limited Functionality (SSLF) settings in our guides. Some of the settings are less restrictive in the FDCC than the SSLF settings, additionally the FDCC covers several dozen less impactful settings that are not documented in the Microsoft security guides. 
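The single FDCC requirement called out above is that everyday users run without administrative privileges. The quickest way to see how far a machine is from that baseline is to look at who actually sits in the local Administrators group. The following PowerShell script is an added example written for this post; it is not one of the NIST/Microsoft FDCC tools or Aaron Margosis’s utilities. It assumes Windows with PowerShell 2.0 or later and the WinNT ADSI provider, and the allow-list of accounts expected to keep admin rights is a constructed placeholder to adjust per site.

```powershell
# Added example (not FDCC/NIST/Microsoft code): list members of the local Administrators
# group and flag any account not on an explicit allow-list, so an FDCC-style
# "standard users have no admin rights" policy can be audited before deployment.

function Get-LocalAdministratorMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # WinNT ADSI provider exposes the local Administrators group; 'Members' enumerates it
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its IADs properties via reflection
        $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{ Name = $name; Class = $class; Path = $path }
    }
}

# Constructed allow-list (assumption): accounts that are expected to keep admin rights.
$expectedAdmins = @('Administrator', 'Domain Admins')

$unexpected = @()
foreach ($m in Get-LocalAdministratorMembers) {
    if ($expectedAdmins -contains $m.Name) {
        Write-Output ("expected admin member:   {0} ({1})" -f $m.Name, $m.Class)
    } else {
        Write-Output ("UNEXPECTED admin member: {0} ({1}) {2}" -f $m.Name, $m.Class, $m.Path)
        $unexpected += $m
    }
}

# Non-zero exit code makes the check usable from a login script or scheduled task
if ($unexpected.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it in a Virtual PC session built from one of the FDCC VHDs and then on a typical workstation: the difference in the list is usually the first concrete thing that needs fixing before the FDCC GPOs can be applied without breaking users.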

Bonus Find: STIGS Security Checklist Resources

Security Checklists - Security Technical Implementation Guides (STIGS) and Supporting Documents website. Not directly related to the FDCC efforts, but provides additional checklists and documentation “…(sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration)…contains instructions or procedures to verify compliance to a baseline level of security.”

Browse around to see if this material could be beneficial in understanding and implementing additional system security (and program security) within your organization.

There is also a DoD General Purpose STIG, Checklist, and Tool Compilation CD in both heavy and lite versions which contains most all of the material on the site.

You might also want to take a look specifically at these offerings:

Locked and loaded, indeed!

Cheers!

--Claus V.

Outlook Thread Compressor: New Escapee from Redmond


Nothing I like better than digging up an internal tool of Microsoft that gets released quietly on the web for free.

Particularly when it comes with all kind of dire warnings and a back-story about the legal-team at Microsoft not allowing it to be released on the Downloads pages by the developer for general consumption by the public for fear MS would be sued because it actually might lead folks who misuse it to delete their emails.

Fun!  Sign me up!

Outlook Thread Kompressor

Last night while stumbling across some new IT sysadmin blogs I found some recent references to this internal Microsoft tool for Outlook.

It is the coding genius of a Microsoft employee named Ewan Dalton.  And I think the only thing that would make it more impressive would be to use the German word for “compressor…”

Thread Compressor is an add-in to Microsoft Outlook, which removes unnecessary emails from a "thread" - reducing the amount of storage required (maybe keeping your mailbox within its size quota) and reducing the number of emails you need to read.

TC was developed inside Microsoft from 1999 onwards, and attracted a large following (up to 30,000 users) but has never (officially) been made available externally, due to the fact that it will delete data unless it is configured not to. I've decided to share it more widely now.

Let me say that again: Thread Compressor, as it is configured by default, WILL DELETE DATA FROM YOUR INBOX.

If you choose to download it and use it from here, you do it with the author's blessing, but it's completely at your own risk and Microsoft cannot be held responsible for what it does.

If you're in any doubt about this, then do not use this tool.


Is that cool or what!!

It even supports logging of actions taken, and some advanced exception rules.

Basically what it does is use internal-to-Outlook message IDs to figure out the parts of an email thread.  It then deletes all those emails that exist as part of a larger email thread version.

I’m horrible about this.  I will keep my original (sent) email, and the reply, and all additional replies as separately-saved emails.  That is likely one reason why my primary Outlook PST file is so very, very large.

Now, depending on your email-retention guidelines in the workplace you might need to save all those.  But if not, this tool promises to clean house and whittle down all those multiply-appearing instances.

Installation is not for the faint of heart.

The application itself works on all Microsoft Outlook versions (Outlook 2000, 2002, Office Outlook 2003, 2007) for Windows running on all versions of Windows post Windows 2000.

From the program page:

INSTALLING

* Firstly, download the ZIP and save it locally.

* Create a folder you'll find again - I'd suggest C:\Program Files\Thread Compressor or similar.

* Start a command prompt - WindowsKey-R then
cmd <enter> (though if you're on Vista or Win7, just press WindowsKey, type cmd, then right-click on the cmd icon and choose "Run as Administrator")

In the command prompt, type:

cd c:\program files\thread compressor (or wherever you put the files)

regsvr32 comdlg32.ocx

regsvr32 msflxgrd.ocx

regsvr32 tabctl32.ocx

regsvr32 threadc4.dll

Download the latest CDO file from here, save it somewhere, expand it out and run the install from the ExchangeCDO.msi file.

Now start Outlook: how you actually install the addin will vary depending on your version of Outlook, but try:

Tools | Options | Advanced | Add-ins,

or Tools | Trust Center | Add-ins | [then hit Go to manage COM add-ins]

and add the threadc4.dll file manually. If it's successful, you should see Compress Threads on the Tools menu, and you'll get a splash screen next time you start Outlook.

Got all that?
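The registration steps above are easy to get half-done: a non-elevated prompt makes regsvr32 fail silently on the HKLM write, and a typo in a filename registers nothing. The script below is an added example written for this post, not Ewan Dalton’s or Microsoft’s code; it does the same four regsvr32 registrations from the suggested folder (C:\Program Files\Thread Compressor is assumed from the instructions) in PowerShell, refusing to continue unless the session is elevated and each component file is present, and checking the regsvr32 exit code instead of trusting the dialog.

```powershell
# Added example (not from the Thread Compressor page): register the add-in components
# with the same checks a careful admin would make by hand.
$tcDir = 'C:\Program Files\Thread Compressor'   # assumed folder from the install notes

# regsvr32 writes class registrations under HKLM, so the session must be elevated
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt (Run as Administrator).'
}

# Exactly the four files the instructions name; nothing else from the folder is registered
$components = 'comdlg32.ocx', 'msflxgrd.ocx', 'tabctl32.ocx', 'threadc4.dll'

foreach ($file in $components) {
    $path = Join-Path $tcDir $file
    if (-not (Test-Path $path)) { throw "Missing component: $path" }

    # /s suppresses the success/failure dialog, so the exit code is the only signal; wait for it
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/s', "`"$path`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "regsvr32 failed for $file (exit code $($proc.ExitCode))"
    }
    Write-Output "Registered $file"
}

Write-Output 'All components registered. Next: install ExchangeCDO.msi, then add threadc4.dll as a COM add-in in Outlook.'
```

Because the script stops at the first failed registration, Outlook never sees a half-registered add-in; fix the reported file and re-run it, since re-registering an already registered component is harmless.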

By the way, “CDO” stands for the Collaboration Data Objects package.

Like I said, a geek’s tool only for brave geeks.

What surprised me even more was that there were quite a few other posts referring / reviewing / remarking on this neat utility.

Outlook Thread Compressor download now available – Ewan Dalton’s (creator of Thread Compressor) The Electric Wand blog.  Good overview of the tool from the developer’s perspective.

Thread Compressor for Outlook - do you want it? – Ewan’s The Electric Wand blog post from 2007 where he teases about an earlier version and provides some credit to others who also worked on the guts of the tool.

* The really smart bit of TC was actually put together by a guy called Peter Lamsdale. All I did was take his algorithm - which I still have difficulty understanding much less explaining - and strap a UI around it. An earlier version of TC was published (unofficially) on a website and an article was written about it by Evan Morris. There is even an unconnected MSDN bit of sample code which is nowhere near as effective (IMHO)

In that post he also spells out some more warnings, besides the fact it really does an excellent job of deleting actual emails that are replicated in threaded replies:

... but some obvious potential downsides...

  • The assumption at the top of this post. If I reply to someone's email, but change the contents of their original message in the reply, then TC will retain the modified version and it will look like the originator really said that. There may be ways to work around this limitation now, but I never bothered to figure them out.
  • Legal compliance - maybe you need to keep a copy of every mail for compliance purposes: if so, users programmatically deleting messages could be a *bad thing*.
  • erm, can't think of any/many more...

Outlook Thread Compressor - saved 100MB of redundant e-mail for me! Use with care! - Aaron Tiensivu’s Blog

Thread Compressor for Outlook… works with 2007! – Kurt Shintaku’s Blog.

I can’t wait to get some free time at work to load this up on a test machine and feed it a copy of some of my PST files.

I’m planning on testing it on duplicate PST files first so I can get acquainted with it and have a better understanding of its operation before I go and feed it my real Outlook PST file.

This rates up there as one of the best software finds of May.

Bonus Outlook tools.

For some additional tools to help you manage Outlook files and contents, don’t forget about all the awesome (and portable) Outlook tools offered recently by Nir Sofer.

Outlook/Office Utilities - (freeware) – NirSoft.

NK2View - (freeware) - Did you know that if you use Outlook the email names used in the To/Cc fields are retained? The NK2 file is the "auto-complete" file. Great place to review if you are auditing an Outlook user's PC. Anyway, this handy utility allows you to view the NK2 file, display all the email address records stored, and export them into various file formats. Handy for security techs.  Also allows you to quickly edit, sort, save/restore, and delete items in the file itself.  Particularly useful if you need to bulk-edit the contents due to changes/conversions in corporate address book items.

OutlookAttachView - (freeware) – This utility can help you locate, extract and/or remove attachments embedded in your Outlook email messages.  It displays the list of attached files in your Outlook's mailbox, and allows you to easily select all attachments that you need, and then extract them into a folder that you choose. 

OutlookStatView - (freeware) – Nir is on a roll! For all you Outlook junkies out there, this tool can gather a lot of great statistics on your email habits. Quoting from Nir’s description, “OutlookStatView scans your Outlook mailbox, and display a general statistics about the users that you communicate via emails. For each user/email, the following information is displayed: The number of outgoing messages that you sent to the user (separated by to/cc/bcc), the number of incoming message that the user sent to you, the total size of messages sent by the user, the email client software used by this user, and the time range that you send/received emails with the specified user.”

Cheers!

--Claus V.

Saturday, May 30, 2009

Cisco VPN Clients and Windows 7

Update: See more important information at bottom of post.

When I am outside the network and need to get in, I use a Cisco VPN client for XP Professional (32-bit).

It’s very straight-forward to install, get configured, then get connected.

So far I haven’t had to mess with Cisco VPN clients and either Windows 7 or 64-bit versions of Windows (or both at once).

However, I was asked the other day IF there was a solution for running Cisco VPN on Windows 7 64 bit.

Not a direct one that I know of, yet.

From the VPN Client - Cisco - Cisco Systems page:

The Cisco VPN client supports Windows 2000, XP and Vista (x86/32-bit only); Linux (Intel); Mac OS X 10.4; and Solaris UltraSparc (32 and 64-bit). For x64 (64-bit) Windows support, you must utilize Cisco's next-generation Cisco AnyConnect VPN Client.

Cisco AnyConnect VPN Client – Support pages has quite a lot of info on this product. In the Release Notes for Cisco AnyConnect VPN Client, Release 2.3 the supported Windows systems are pretty tight.

Windows Versions

Windows Vista—32- and 64-bit Microsoft Windows Vista SP2 or Vista Service Pack 1 with KB952876.

Windows XP SP2 and SP3.

Windows 2000 SP4.

No official support for Windows 7.  Though I guess someone might be brave enough to dump it on a Windows 7 64-bit system and see if the Vista 64-bit support is close enough to carry over.

Cisco VPN Client Solution for Windows 7 64-bit (for now)

The only work-around that came to my mind (as well as Nicholas Caito’s) was to create a 32-bit OS virtual machine of XP or Vista and then load the traditional Cisco VPN client into that container.  Then launch and run your connection needs from within that VM.

Nicholas Caito’s illustrated how-to is linked below:

Cisco VPN Client Solution for Windows 7 32-bit (for now)

Windows 7 32-bit users are also a “bit” on their own as well.

However, there has been quite a lot more work done by the frustrated sysadmin crowd on this front.

The main complaint is that once folks go to install the Cisco VPN client on Windows 7, things seem to be working fine but they are treated to a BSOD on reboot.

Bummers.

Fortunately, there seem to be well-regarded workarounds…and they do require a bit of work.

From Aaron’s hard-fought efforts:

Updated with notes from JoshP - 100% working:
I have tried many--many different ways to get the Cisco VPN client install on Windows 7--all resulting in BSOD (ndis.sys). I have found the following procedure has worked 100% of the time on multiple hardware platforms (including VMware):

1. Install Cisco DNEupdate.
2. Reboot
3. Take ownership and delete ndis.sys (in c:\windows\system32\drivers).
4. Take ownership and delete ndis.sys.mui (in c:\windows\system32\drivers\en-us).
5. Install Cisco VPN Client 5.0.04.0300.
6. Reboot
7. Windows 7 will repair itself (should take a few seconds) and automatically reboot.
8. Cisco VPN Client should work without any other tweaks.

As Mark Wilson points out in his blog post (linked below), the DNEupdate is actually the Citrix Deterministic Network Enhancer (DNE) update.  He provided this direct link to the installer file.

So with full props to Aaron, Mark, and Brenton, go get your Cisco VPN for Windows 7 on.

As for me?

Well, I’m resigned to the likelihood our shop will be chugging on down the tracks on XP Pro deployments for many years to come…

It’s a mixed blessing.

Claus

Update:  While chasing down another rabbit on the intertubes, I found this post which has quite a lot of great information regarding Cisco VPN clients and Windows 7 compatibility:

From that post, Ashish Jain, the Program Manager for Routing and Remote Access, provides extensive VPN client tables with links on the following VPN clients for Windows 7: AT&T, Checkpoint, CISCO, Citrix, F5, Juniper, NCP, NetGear, Nortel, SafeNet, and Sonic Wall.

If you have to do VPN support, it might be worthwhile to bookmark or RSS feed the Routing and Remote Access Blog

As I’m interested only in the Cisco client, here is an edited version of that particular table that Ashish provides:

CISCO

VPN Client | Platform | Version | Download URL | More information | Tested on Windows 7 Build
---------- | -------- | ------- | ------------ | ---------------- | -------------------------
Cisco AnyConnect VPN Client (SSL VPN) | x86 | 2.3.x | Click Here | You must have a Cisco.com user account to download. | 7048
Cisco AnyConnect VPN Client (SSL VPN) | x64 | 2.3.x | Click Here | You must have a Cisco.com user account to download. | 7048
Cisco VPN Client (IPsec) | x86 | 5.0.5+ | Click Here | | 
Cisco VPN Client (IPsec) | x64 | 5.0.5+ | Click Here | No official support for this version planned by Cisco. Use the Cisco AnyConnect VPN Client for both Windows 7 and x64 support. | 7048

There you go for now….

--C.V.

Kon-Boot post (minor) update

Just a couple of additional notes regarding the recent post on Kon-Boot.

TrueCrypt 6.2 Update and Kon-Boot Protection

Commenter “Bozo” posted this question:

Hey Claus, could it be that TrueCrypt gathers some info about the BIOS (for example, size of BIOS and a hash code)? and the too much memory error reflects TrueCrypt detecting BIOS corruption?

And my response was thus:

I don't think so.

Now, I'm not a TrueCrypt advanced user. I've used it in this test for whole-disk encryption/preboot authentication, but mostly I use it to create TrueCrypt volume files that can protect key files.

As far as I know, TrueCrypt doesn't do any BIOS hashing. And I guess that's a good thing. Imagine the headache you would have if it did and you did a BIOS flash to upgrade the system. Bummer.

While I was responding, I did check in with TrueCrypt for more info and discovered some more items that could have a bearing on Kon-Boot.

On May 11th, 2009, True Crypt released version 6.2 with new features.

The boot loader now supports motherboards with BIOSes that reserve large amounts of base memory (typically for onboard RAID controllers). Note: In order to be able to take advantage of this improvement under Windows Vista, you will have to install Service Pack 1 or higher first. Service Pack 1 for Windows Vista resolved an issue causing a shortage of free base memory during system boot. (Windows Vista / XP / 2008 / 2003)

See also these links:

All this really left me with the impression that the TrueCrypt “pre-boot authentication” was programmed to load itself into the BIOS memory range before it allows the handoff to the system boot. I (still) haven't looked at a TrueCrypt encrypted system's MBR at the sector-level, but I suspect once the BIOS loads to the RAM section, that points to the MBR where it finds the instruction set to load the TrueCrypt loader which has to load into the same lower basic memory range shared with the BIOS.

Normally that wouldn't pose any problems, but in the case of a Kon-Boot pre-load, it has already loaded its own modified instruction set into that same BIOS memory range first. So when TrueCrypt comes along and tries to jump on the hay-ride trailer, there is no room left, so it fails out.

When I did the first Kon-Boot protection test with TrueCrypt in my original post, I used version 6.1a as can be seen in the screen capture.

With the change in version 6.2 and its support for systems that load/reserve larger amounts of base memory for the BIOS, I didn’t know if TrueCrypt still provides that "protection" or not, since that is just the situation which might occur with Kon-Boot jumping into the base system memory range first.

So I tested it this morning on an XP Pro virtual machine.

I set a new local-user account password and verified I could not log onto the account unless the correct password was used. Then I booted it with Kon-Boot and successfully bypassed the password to verify Kon-Boot was working correctly.

Then I used TrueCrypt version 6.2 to fully encrypt the drive, set a volume password for pre-boot authentication.

I booted the system again with Kon-Boot.


Nope; TrueCrypt still would not boot the system and gave the same error as last time:

Error: BIOS reserved too much memory: 569

It seems that once Kon-Boot had injected itself into the boot memory, there still wasn’t enough base system memory left for TrueCrypt to do its thing and bring the system up.  So the boot kit hack failed even under version 6.2.

I would say this: it looks like TrueCrypt's "protection" against boot kits (Kon-Boot specifically) is more accidental than by actual design (as in Microsoft's TPM mode).

The Real Benefit of WDE

As I mentioned in my earlier post, Microsoft’s Trusted Platform Mode (TPM) acts in concert with a TPM system-chip to authenticate the core system files during the boot process.  If the expected measurements are off, then the system won’t continue booting.

Whole Disk Encryption (WDE) is another solution offered by quite a few vendors, at prices ranging from $$$$ to free.

I mentioned three:

In listing them and demonstrating their (current) ability to shrug-off Kon-Boot’s smoke-and-mirrors manipulation of the BIOS to boot-loader to kernel loading, I may have left the wrong perception of their protection.

Unlike TPM, I believe that the protection they offer against off-system (LiveCD) booting boot kits like Kon-Boot is purely incidental.  Specifically, while they do serve to prevent Kon-Boot from staying resident past their authentication scheme (if they will allow it at all), that isn’t actually the true security they provide to the system.

Whole disk encryption, when properly deployed, renders data on the entire disk (or encrypted volume(s)) completely inaccessible to unauthorized folks.  Period.

If anyone were to boot a system with a LiveCD, capture an image, or yank the drive, all they would find is apparently “randomized” garbage across almost all the sectors.  Sure, it is theoretically and practically possible that the passphrase could be brute-forced and broken, but WDE should discourage all but the most determined, persistent, or well-resourced folks.

Because whole disk encryption solutions prevent unauthorized, unauthenticated access to the drive—period—boot kits like Kon-Boot, Vbootkit, and BootRoot just don’t work because the penetrator first has to authenticate the pre-boot loader protection, and un-encrypt the drive to get working. And then, if they did have (or breach) the WDE layer, they still wouldn’t be able to use Kon-Boot to get past the local-user password.

Granted, if someone can break the WDE layer authentication, then they have pretty much pwned the system and could off-load files from the system, booted to or past the OS security layer at will.  And if that is the case, you, my friend, have much more serious issues to worry about than Kon-Boot protection.

So, the whole disk encryption security layer isn’t based on Microsoft’s rather weak, traditional local-user account security management model, but on a hardened independent authentication layer first.

Does that make sense?

Of course, if there is a root-kit already embedded on the system (or gets embedded on the system while the system is running in a decrypted-state) then whole disk encryption won’t help terribly much.  Sure you still have to authenticate to get on the system, but once it is running, the root kit will kick off like any other system and start doing its dastardly deeds.

And that, gentle readers, will require another solution: GSD post : Anti-Rootkit Tools Roundup Revisited.

So yes, these (and possibly other) pre-boot authentication/whole-disk encryption solutions can block Kon-Boot, but the real security protection they offer is even greater.

Cheers!

--Claus V.

Monday, May 25, 2009

Kon-Boot: Bypass Windows Login Security (and some helpful blocking solutions)

A number of weeks ago I received a tip from TinyApps.Org Blog that has become a real safari event.

From the developer’s description:

Kon-Boot is a prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as 'root' user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was actually started as silly project of mine, which was born from my never-ending memory problems :) Secondly it was mainly created for Ubuntu, later I have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far :) Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

…it provides support for Microsoft Windows systems and also the Linux systems listed in the next sections. Kon-Boot for Windows enables logging in to any password protected machine profile without any knowledge of the password. This tool changes the contents of Windows kernel while booting, everything is done virtually - without any interferences with physical system changes. So far following systems were tested to work correctly with Kon-Boot (however it's quite possible other versions of listed Windows systems may be suitable as well):

Windows versions of logins that it supports/bypasses are: Server 2008 Standard SP2 (v.275), Vista Business, Vista Ultimate, Server 2003 Enterprise, XP, Windows 7.

Although not a “well-known” tool (yet), notice of Kon-Boot is slowly beginning to show up around the blog-o-sphere and security blogs.

I’ve avoided posting on it for some time as (like TinyApps blogger Miles) I’ve felt compelled to first try to understand what it is, how it may be working, and what impact (negative/positive) it might have on a system.

To use it, download one of the image files (I used the CD ISO) and burn the ISO file to a disk.

Boot your target Windows system from the CD and you will get the Kon-Boot splash screen.

Hit <Enter> or the spacebar to start the injection process.  If the BIOS/system “supports” Kon-Boot some programming checks will be displayed and the boot will hand off to the normal Windows loader processes.

Once at a Windows login screen, enter the user account name you wish to access and bypass the password.  Note: you must know this ahead of time unless the user name is set to save/display automatically.

Then you can either leave the password-field blank and click on through, or you can enter whatever garbage you want for the password. It doesn’t matter.  The password has been magically bypassed!

I have tried it on a number of systems once I had some firmer knowledge of the tool, and in my cases it worked as promised: completely bypassing the Windows GINA login on XP systems as well as Vista and Windows 7 (whose logins don’t actually use the GINA method of XP/W2K, but it works anyway).

Cool.  Very frightening from a sysadmin standpoint, but cool nonetheless.

In my mind, it would be irresponsible to post a “come and get it” call for this tool without first trying to see if it left any malicious files, root-kits, or other “baddies” behind in its wake, as well as to offer some mitigation suggestions.

Thus begins the journey.

What Kon-Boot Does on the Surface

Many businesses (and some home users) who run Windows decide that one good method to protect their system from unauthorized access is to set up one or more (local system) user accounts.  These accounts then have passwords placed on them which (theoretically) should discourage unauthorized users from logging onto the system and accessing the applications and data.

System administrators and Windows security folks know this is actually a pretty weak model.

If those are the only security measures implemented on the system, then a penetrator/hacker/administrator just needs to apply one of a number of well-known and documented methods to bypass the authentication.  Some of these methods include:

  • Ophcrack (and L0phtcrack 6) – cracking the password SAM files with tables

  • Offline NT Password & Registry Editor – blanking the password,

  • Yanking the drive and placing in another system to access the files directly, bypassing the OS, or

  • Booting with a “LiveCD” and accessing the files in place, again bypassing the OS.

However, these techniques have some drawbacks.

Ophcrack can/does work but unless the passwords are fairly simple, the attack can take some time to work and is not always successful in a reasonable amount of time.

The Offline NT Password & Registry editor is quite successful in its methods, but by “blanking” the password, leaves evidence to the primary user that something has been breached.

Yanking the drive or booting with a LiveCD are quite doable but may not be time-practical or hardware-practical solutions.

Kon-Boot would allow someone to drop in, boot the system directly, bypass any Windows account login security, poke around under the local account, then pull-out without letting the end-user be any wiser.  Of course an incident response investigation might find some evidence tracks afterwards, but with the password left intact, it might take a while to notice the breach.

On the other hand, sysadmins and Windows gurus who have to service systems often find users who have forgotten to provide them the password, so I suppose it could be a useful tool for legitimate and authorized situations.

What it Is / What it (May) be Doing Deeper

Turns out Kon-Boot fits nicely into a class of hack/security tools called boot kits.

These are an old and well-established small class of tools.  They have recently started to gain notoriety in security circles again with a number of newer proof-of-concept exploits released.

  • eEye BootRoot – “…presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads.”

  • eEye SysRQ2 – “…a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup. It was first demonstrated at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh as an example of applied eEye BootRoot technology.”

  • NVlabs Vbootkit 2.0 – a proof-of-concept tool which grants various abilities to elevate permissions to SYSTEM level, as well as start a telnet server automatically and do some user-password manipulations.

While similar to root kits, boot kits operate (generally speaking) a bit differently.  Depending on the specific boot-kit code they might inject themselves into the OS kernel during the boot process, patch memory registers, and then do their deed.  Some may be persistent.  By that I mean once loaded on a system they stay present after reboot.  Others may be memory-persistent only.  They are “installed” in memory, function, but when the system is reset no trace is left behind.

Kon-Boot purports to be the latter.

Turns out there is quite a lot of great and highly technical material on understanding the principles of boot kit methodologies.

Unlike eEye’s BootRoot and the Kumars’ Vbootkit, the developer of Kon-Boot, Piotr Bania, has decided not to release the Kon-Boot source code so examination is based (currently) on known technologies and examination of systems on which Kon-Boot was used.

IANMR (I am not Mark Russinovich) but it seems that the process by which most root kits work is fairly well understood now.

Based on what I have read and the research others have done on this and other boot kit tools that are "open" in the code, it likely hijacks the memory during the BIOS to bootloader process. From there it hooks INT 0x13 to control content of memory sectors loaded by NTLDR and begins patching areas of the kernel specifically dealing with the security profiles and user SAM files dealing with user logon authentication and the GINA/login-authentication processes. With these patched, the operator can access these profiles without any password input needed. What makes this tool (and Vbootkit) interesting is that they take the normal stay-resident MBR boot kit design and do it all on the fly (apparently) leaving no trace on the system behind. That's pretty sophisticated stuff. Particularly when it has been coded to work on both Windows as well as Linux kernels.

Because of the BIOS memory injection it appears to perform, some system BIOSes may not be supported and could cause Kon-Boot to fail, so it isn’t a 100% success in all possible conditions.  Also, in various comments around the web, some users have said it BSODed their systems.  Some have even reported it nuked their systems for unknown reasons.

That certainly hasn’t been my experience. It was easy for me to get on a disk and booted all systems I tested it on with no ill effect (continue reading).

Many of the links posted above referencing boot kits have great illustrations and diagrams on how this works exactly.  I wasn’t able to get permission to use material from those presentations, so go check them out for all the great pictures, descriptions and technical details.

It is really fascinating and cool stuff on how the BIOS memory is hijacked, and how next the injected code in memory patches the kernel and tells it to ignore password requirements for the user accounts.

It is also this shared similarity with MBR boot kits that likely leaves some (as seen in various comments around the web) believing that it must be leaving an MBR boot kit behind.

Does it Leave a Root Kit Behind?

This is the million-dollar question.

Many folks think so.

Limited testing seems to suggest that, as Piotr claims, it does not leave any lasting or persistent changes to the system on which it is executed.

It is conceivable and technically possible it could infect the BIOS, MBR, as well as allocated/unallocated hard-drive space.  It might also change/patch critical Windows system files.

I tested Kon-Boot post-usage via a suite of root-kit scanners and found nothing amiss.  But that may or may not mean anything.  What was really needed was a detailed baseline system scan using a change-detection program, then a reboot to use Kon-Boot, then another reboot and system scan to check for file/folder changes.

Fortunately for us, Miles Wolbe from TinyApps.Org Blog has taken this task upon himself to try to explore.

He has graciously given me permission to post his findings.

Miles’s plan was structured as follows:

1. Save images of BIOS, CMOS, Video BIOS, and MBR with NSSI (run from bootable CD) and save snapshot of Windows install with InstallWatch Pro
2. Boot with Kon-Boot, be amazed at password bypass, turn off computer
3. Repeat step 1
4. Perform diffs

And his results were as follows (as combined from numerous emails):

Here are the results of my Kon-Boot tests:

Computer:

Dell Inspiron 600m

Changes to system after running Kon-Boot and then rebooting:

   MBR: none
   Video BIOS: none
   BIOS: none
   File system / registry: see attached ZIP file

Tools used:

Phoenix WinPhlash and dumpvgabios (BIOS and Video BIOS) as described here:

http://icrontic.com/forum/showthread.php?t=30777

NSSI (MBR and Video BIOS) Also dumps BIOS, CMOS, PCI, and more, but these did not work well for me.

diff and md5 (comparison of dump files)

InstallWatch Pro (file and registry changes)

EFS file encryption is not circumvented by Kon-Boot. That is, if you bypass the login password for "Joe" via Kon-Boot and he has an EFS encrypted file named "doc.txt", you will not be able to open it ("Access is denied" message is returned).

After bypassing login password with kon-boot, the user accounts applet shows "create a password" for the current user instead of "change password". If you try to enter a password, the following error appears: "Windows cannot change the password."

Just to clarify: the strange user accounts behavior persists only while kon-boot is active.

Please note that while Kon-Boot will let a user into the password protected Windows account, it will not allow access to any encrypted/password-protected files that would also have to be authenticated.  I guess that is something.

Also, it does not seem to allow password-bypassing of Domain configured accounts or other network GINA supported authentication requirements. It only seems to work on Local Windows user accounts.

I haven’t had the time to try it, but I would also like to capture a memory-image ( Tools:Memory Imaging - Forensics Wiki) of a system running normally, then recapture the memory-image while Kon-Boot is running, then difference the results.

That might point out any memory resident changes Kon-Boot makes.
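Miles’s plan above (dump, run the tool, dump again, diff) and the memory-image idea both boil down to one loop: hash and byte-compare two captures of the same region. As an added example that is neither Miles’s nor the post’s own tooling, this Python script does that for the first sectors of a disk image and reports which MBR region a change landed in; the sample image, its MBR contents and the patched bytes are constructed, and on a live system the path would be a block device that needs administrator or root rights.

```python
import hashlib
import os
import tempfile

SECTOR = 512
BOOT_AREA_SECTORS = 64   # MBR plus the "gap" sectors before the first partition


def build_constructed_image():
    """Constructed sample image (not a real disk): 64 zero sectors with a
    minimal MBR in sector 0 so the checks below have something to look at."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"           # short JMP, as real boot code starts
    mbr[440:444] = b"\x12\x34\x56\x78"   # constructed NT disk signature
    mbr[446] = 0x80                      # partition entry 1: active flag
    mbr[450] = 0x07                      # partition entry 1: type NTFS
    mbr[510:512] = b"\x55\xaa"           # boot signature
    return bytes(mbr) + bytes(SECTOR * (BOOT_AREA_SECTORS - 1))


def capture_boot_area(path, sectors=BOOT_AREA_SECTORS):
    """Read the first `sectors` sectors of a device or image file. The same
    function serves for any other dump (BIOS, CMOS) once it is in a file."""
    with open(path, "rb") as f:
        return f.read(sectors * SECTOR)


def sha256_hex(dump):
    """Hash of a dump; two captures of an untouched region hash identically."""
    return hashlib.sha256(dump).hexdigest()


def mbr_signature_ok(dump):
    """True if sector 0 still carries the 0x55 0xAA boot signature."""
    return dump[510:512] == b"\x55\xaa"


def diff_dumps(baseline, after):
    """Byte-level diff: list of (offset, old, new) for every changed byte."""
    n = min(len(baseline), len(after))
    return [(i, baseline[i], after[i]) for i in range(n) if baseline[i] != after[i]]


def classify_changes(changes):
    """Name the MBR region each changed offset falls in, which is what a
    reviewer wants to know first (code vs. partition table vs. gap)."""
    regions = set()
    for off, _, _ in changes:
        if off < 446:
            regions.add("bootstrap code")
        elif off < 510:
            regions.add("partition table")
        elif off < SECTOR:
            regions.add("boot signature")
        else:
            regions.add("post-MBR gap (sector %d)" % (off // SECTOR))
    return sorted(regions)


def compare_files(baseline_path, after_path):
    """The 'perform diffs' step on two dump files; returns a report dict."""
    before, after = capture_boot_area(baseline_path), capture_boot_area(after_path)
    changes = diff_dumps(before, after)
    return {
        "unchanged": sha256_hex(before) == sha256_hex(after),
        "signature_ok": mbr_signature_ok(after),
        "changed_bytes": len(changes),
        "regions": classify_changes(changes),
    }


if __name__ == "__main__":
    # Demo against constructed files: a baseline, and an 'after' copy with one
    # byte patched in the boot code and one in the gap, the kind of residue a
    # boot kit that did persist would leave behind.
    work = tempfile.mkdtemp()
    base_path = os.path.join(work, "base.bin")
    after_path = os.path.join(work, "after.bin")
    image = build_constructed_image()
    patched = bytearray(image)
    patched[0x10] = 0xCC
    patched[3 * SECTOR] = 0xE9
    for path, data in ((base_path, image), (after_path, bytes(patched))):
        with open(path, "wb") as f:
            f.write(data)
    print(compare_files(base_path, base_path))
    print(compare_files(base_path, after_path))
```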

So, as far as we can tell at the moment it appears--based on limited testing--that Kon-Boot should be “safe” to run on a Windows system you might be authorized to access.  However, I highly encourage you to do your own controlled and protected testing before making any such deployments organization-wide.  Don’t blame us if something bad happens.

Messing around with boot kits and root kits is always a dangerous and dicey prospect.

As someone once said, “Trust, but Verify.”

Defeating Kon-Boot (Easy but Crippling Stuff)

So how can the system administrator defeat Kon-Boot deployments and enhance security?

Well some easy methods come to mind:

Basically lock down the system so Kon-Boot can’t be used to boot the system.

Yeah.  It will annoy your users to hell, but it will assist with security.

However that may not be enough, or you may want to leave a certain amount of usability to the system.

BitLocker and TPM Protection

In a discussion with cdman183 at his Hype-Free blog, he put me on another technique that seems very successful in blocking Kon-Boot/boot kit operation (assuming the MBR hasn’t been pre-infected): disk encryption / pre-boot authentication.

Microsoft offers its Trusted Platform Mode (TPM) and BitLocker solutions that help authenticate supported OS versions during the boot process to ensure they have not been modified.

Before explaining how BDE mitigates this attack the following picture may help set some context for the scenario. 

This is what a 'normal' OS boot from a hard drive looks like when BDE has been configured to use a TPM 1.2 module.

(NOTE:  There may be some slight inaccuracies in the 'All boot blobs unlocked' column according to Jamie but they aren't really important for the concept I'm trying to illustrate. :))

In a VBootkit system boot - I believe the boot process flow looks like this (any mistakes are mine)

In the picture above - you can see that the boot process has been detoured a bit by the presence of a Vbootkit CD causing an additional MBR to be read during the OS boot (this MBR presumably then jumps back to the one on the HDD after hooking INT13).

Well it is my understanding, based on my discussion with Jamie - that this will cause BDE in TPM mode to fail to boot the OS because the 'measurements' stored in the PCR in the TPM will be incorrect or will be unexpected in value - which will cause the TPM to fail to unseal the VMK which will lead to a boot failure. 

What this all means is that when the boot manager (BOOTMGR.EXE) goes to unseal the VMK stored in the TPM 1.2 module - the TPM will respectfully decline. :)

  • BitLocker, TPM won’t defend all PCs against VBootkit 2.0 – Techworld – Basically the argument here is that it doesn’t work because many (most?) Windows OS versions are home/consumer versions that do not contain the TPM support found in Windows Enterprise/Enthusiast versions.  Nor does all (mostly older) hardware support TPM solutions.
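The measured-boot logic described above, as an added example that comes from neither the post nor BitLocker itself: a toy Python model of a TPM 1.2 PCR extend chain with a key sealed to the value a normal boot produces, showing why an extra boot stage (the boot kit’s CD code running before the HDD MBR) leaves the VMK unsealable. It collapses BitLocker’s several PCRs into one register, and the stage names and the VMK are constructed stand-ins.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs are SHA-1 sized and read as all zeros after reset


def extend(pcr, component):
    """TPM_Extend: new PCR = SHA1(old PCR || SHA1(component)). There is no
    'set' operation, so a value can only be reached by the same sequence."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(stages):
    """Extend every boot stage, in the order it runs, into one PCR and return
    the final value; both the order and the content of each stage matter."""
    pcr = bytes(PCR_SIZE)
    for code in stages:
        pcr = extend(pcr, code)
    return pcr


def seal(vmk, expected_pcr):
    """Toy seal: bind the VMK to the PCR value seen on a normal boot. A real
    TPM keeps the key inside the chip; here the policy is just stored with it."""
    return {"vmk": vmk, "policy_pcr": expected_pcr}


def unseal(sealed, current_pcr):
    """Release the VMK only when the current PCR equals the sealed policy;
    otherwise the TPM 'respectfully declines' and the volume stays locked."""
    if current_pcr != sealed["policy_pcr"]:
        return None
    return sealed["vmk"]


# Constructed stand-ins for the code bytes of each measured boot stage.
NORMAL_BOOT = [b"BIOS core", b"MBR from HDD", b"NTFS boot sector", b"BOOTMGR"]
# With a boot-kit CD, its own boot code runs first and then chains to the
# HDD MBR, so one extra stage (with different bytes) is measured.
BOOTKIT_BOOT = [b"BIOS core", b"MBR from boot-kit CD"] + NORMAL_BOOT[1:]


def boot_attempt(stages, sealed):
    """Measure the given chain and try to unseal; VMK on success, else None."""
    return unseal(sealed, measure_boot(stages))


if __name__ == "__main__":
    sealed_vmk = seal(b"constructed VMK", measure_boot(NORMAL_BOOT))
    print("normal boot unlocks:", boot_attempt(NORMAL_BOOT, sealed_vmk) is not None)
    print("boot-kit boot unlocks:", boot_attempt(BOOTKIT_BOOT, sealed_vmk) is not None)
```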

Solutions for the rest of us

So what if you have a system that doesn’t support TPM mode protection against boot kit hijacking and you don’t want to disable all the CD/USB/etc booting methods?

Well, like I said, go with whole-disk encryption and/or pre-boot authentication.

  • PGP Whole Disk Encryption – This commercial solution offers protection against Kon-Boot.  I tested Kon-Boot against PGP WDE system. 

The system allowed Kon-Boot to load normally, Kon-Boot injected itself into the BIOS memory handoff, and then I was presented with the PGP WDE loader.  It did not change the requirement to enter a valid passphrase at all. You could not bypass this requirement.  So I entered a valid passphrase and the Windows system booted normally. It appeared that the PGP to Windows boot loading process completely scrubbed Kon-Boot’s memory presence away as I was not able to log into the local Windows accounts (which Kon-Boot bypasses) unless I entered a valid password.

Hurray.

PGP is a commercial solution. While they do offer lighter versions for home/SOHO users, it may not be practical for folks on a budget.

Fortunately at least two well known and trusted solutions are available for free.

  • TrueCrypt - “freeware” – This product offers whole-disk encryption and requires pre-boot authentication.

In my test of this solution, I used a Virtual PC session of XP Pro.  I set a password and verified I could not log onto the account unless the correct password was used. Then I booted it with Kon-Boot and successfully bypassed the password.

Then I used TrueCrypt to fully encrypt the drive, set a volume password and tested again.

I booted the system again with Kon-Boot.


Note that TrueCrypt could not boot the system and gave the following error:

Error: BIOS reserved too much memory: 569

It seems that once Kon-Boot had injected itself into the boot memory, there wasn’t enough left for TrueCrypt to do its thing and bring the system up.  So the boot kit hack failed.

It is possible that different system BIOS may offer different amounts of available memory so this might not be fool-proof.

But it is a start.

The third solution is awesome:

  • CE-Infosys CompuSec – This German company offers a wonderful whole-disk encryption with pre-boot authentication solution.  It is 100% free.

In my test of this solution, I used a Virtual PC session of XP Pro.  I set a password and verified I could not log onto the account unless the correct password was used. Then I booted it with Kon-Boot and successfully bypassed the password.

Then I used CompuSec to fully encrypt the drive and set up pre-boot authentication with a password and tested again.

I booted the system again with Kon-Boot.


CompuSec caught a checksum error and refused to let the system boot.

Rebooted without Kon-Boot, entered the pre-boot authentication password, and was on my way back to the protected system.  No Windows password bypassing was allowed.

Granted, CompuSec takes a while to configure once installed (it does install quickly).

However, the developers provide almost unheard-of documentation and manuals on how to deploy, use and operate their product.

It would be good advice to read all such things before using/installing such a product, but even more so for those that deal with encrypting your entire system.

You don’t want to make a mistake here!

Final Thoughts

I don’t feel that I have done a good job really digging into Kon-Boot and boot kit threats.  There is so much technical information to process and a single blog post really can’t do it justice.

I do hope that this humble post might lead the curious into exploring those better technical materials I posted by real security field experts, as well as encourage others to do like Miles did and perform their own system testing and validations of the tool.

This is not new technology, though the implementations may be repackaged a bit. The security implications remain.

General Windows Local user accounts are inherently insecure to knowledgeable penetrators and a variety of proven methods exist to breach these accounts.

Solutions exist but they generally (by design) reduce the functionality and present numerous barriers for easy and convenient operation of Windows systems by users.

Pre-boot authentication, TPM, and whole disk encryption methods might be the best (current) solution to protect against boot kits.

It remains unknown to me (at this point) what would happen if a pre-MBR boot kit infected system had any of these solutions applied post-infection.  Would the configuration fail? Would the MBR infection remain resident?  Would it work afterwards?

Special thanks and public gratitude to both Miles and cdman183 for their work and guidance in helping me to understand the implications, verifications of, and mitigation solutions for this current round of boot kit attack.

Like I said, really cool, but kinda frightening…

Cheers.

--Claus V.

Sunday, May 24, 2009

Sunday Linkfest Salvo


USS Texas (BB-35)
Firing her 14"/45 main battery guns, during long range battle practice, February 1928.
U.S. Naval Historical Center Photograph from
USN Ship Types--New York class (BB-34 and BB-35)

Windows 7 RC Shelling

As previously noted, I’ve been loading Windows 7 RC on our laptop systems here at the house.  One requirement of this is to pick and install some AV/AM protection.  Microsoft kindly provides links to some “free” AV/AM software that is compatible with Windows 7. Local TechBlog guru Dwight Silverman also details why this is a good idea: TechBlog: Getting the Windows 7 RC? You’ll need protection.  But be careful, many of the offerings listed by Microsoft, while good, are also significantly time-limited and may require some registration hoops to go through.

Instead of going with one of these, I decided to give Sunbelt Software’s VIPRE security product a go.  Thanks to a generous reach-out by Alex Eckelberry some time ago, I’ve got a few full-licenses for our home systems.  As blogged before briefly here, I love VIPRE.  I had seen a link ( Vipre from Sunbelt now compatible with Windows 7 – PlanetAMD64 ) that indicated that VIPRE would work with Windows 7 so I thought I would see how it did on our Windows 7 RC (64-bit) installations.

I downloaded VIPRE and (despite Windows 7 not being “officially” listed under the VIPRE Requirements tab) started an install.  It went on just fine on my Gateway system in Windows 7 RC 64-bit.

However the updates would not, no matter what, kick off.  It just stayed at definitions 0.

So I tried “kick-starting” it by manually downloading the VIPRE DAT files and then pointing VIPRE to update from this source file.

That did the trick.  Once seeded with the definitions, all subsequent auto-update actions have launched, downloaded, and installed without fail.

Curiously, when I did the same thing on Lavie’s Compaq notebook (also Windows 7 RC 64-bit) this trick wasn’t required.  It kicked off the updates just fine automatically.

I’ve not had any issues at all running/scanning/configuring Sunbelt Software’s VIPRE under Windows 7 RC 64-bit.  It is rock solid and remains highly recommended.

(And yes, a GSD blog post perspective on VIPRE is still planned!  Stay tuned.)

Lifehacker - Install Windows 7 on Almost Any Netbook - Windows 7 netbook – Lifehacker – Nice how-to on getting Win 7 on a Netbook.  The deal here is that many netbooks do not have an optical drive.  The workaround is porting your Windows 7 ISO install files over onto a USB stick and installing from there.  Good info to keep handy.  And even if you do have an optical drive to use on any system you are loading Windows 7 on, if your system supports it, installing from USB generally results in a faster install time as USB media is much faster in the transfer rates than optical media.

Windows 7 RC UAC security vulnerability: Auto elevation – 4sysops blog – Michael looks at an ongoing security issue with Windows 7 that doesn’t seem to have been fully solved quite yet.

The myth about the standard user in Windows Vista and Windows 7 – 4sysops blog – More security musings on Windows 7 (and Vista) from Michael.  Good reading.

15 Things To Do After Installing Windows 7 RC - Tweaking with Vishal. Miscellaneous tips and pointers to consider attending to after you load Windows 7.

XdN Tweaker - (freeware) - Current Version v 0.9.1.6, just released this May, now adds Windows 7 to its awesome tweaking support.  Available in both an exe installer and a portable zip version, this tool still remains my #1 favorite Windows tweaking tool (out of many, many, many great ones).  A must-have for Windows 7 RC users.

Native VHD Support in Windows 7 -- Windows Virtualization Team Blog.  More official news and technicals on Windows 7’s VHD booting support.

Windows 7 - Seamless Apps in Windows Virtual PC (Virtual XP) and Application Compatibility – Scott Hanselman’s ComputerZen blog.  Scott has a great walkthrough on deploying XPM mode virtualization on Windows 7.  He provides wonderful screen-captures as well for the image-needy.

Flashy Copenhagen UX concept, white paper made available – Rafael Rivera Within Windows

Nice concept work but I have to confess. I usually disable the GUI effects on menus and such in XP/Vista.  They get annoying at work when I am trying to power through the daily grunge.

A bit more in Windows enthusiast Cullen creates "Copenhagen" user experience concept video at Long Zheng’s iStartedSomething blog. Check out the comments for feedback (lovers and haters alike).

Utility Broadsides

Highlighter v1.1.1 Released – MANDIANT M-unition Blog – This incredible log/text-file analyzer has gotten some major feature additions and bug fixes.  Go get it now!

The best MSI Extractor -- the back room tech.  Julie tips us to an MSI extractor tool called Less MSIerables.  It is sexy and even supports the command line.  Now, I usually reach for my Universal Extractor software when unpacking installers in my quest for “portable” applications.  However, Less MSIerables has a great GUI and handles MSI files with power.  I particularly like its previewing features.

live.sysinternals.com – link to the Sysinternals site where you can download/run almost all of the incredible Sysinternals tools without needing to unpack them.  Not much there in the way of descriptions or how-tos, but if you know these tools, this is a great site to use to run them on the fly.  Supports execution via the command line as well.  For the full roundup of tools and descriptions see Windows Sysinternals: Documentation, downloads and additional resources.

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or  \\live.sysinternals.com\tools\<toolname>.
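One practical refinement when pulling tools from Sysinternals Live this way is to check the Authenticode signature on the downloaded binary before running it, since the page above fetches over plain HTTP.  The script below is an added example (not from the original post or from Microsoft); the tool name, the local cache folder and the use of the https form of the Live URL are assumptions.

```powershell
# Added example (not from the original post): fetch a tool via the Sysinternals Live
# path scheme shown above, then refuse to run it unless its Authenticode signature
# is valid and the signer is Microsoft. $ToolName and $Directory are assumed values.
param(
    [string]$ToolName  = 'autorunsc.exe',           # assumed example tool
    [string]$Directory = "$env:TEMP\sysinternals"   # assumed local cache directory
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Directory -Force | Out-Null

# Same <toolname> path scheme as http://live.sysinternals.com/<toolname>; https is
# assumed to be available so the download itself is not modifiable in transit.
$url  = "https://live.sysinternals.com/$ToolName"
$path = Join-Path $Directory $ToolName

Invoke-WebRequest -Uri $url -OutFile $path -UseBasicParsing

# Gate execution on the signature: status must be Valid (chain builds to a trusted
# root and the file has not been altered) and the subject must be Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $path
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $ToolName : signature status is $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to run $ToolName : unexpected signer $($sig.SignerCertificate.Subject)"
}

# Log what was fetched so the exact binary can be matched against an audit trail later.
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
Write-Host "Verified $ToolName SHA256=$hash signed by $($sig.SignerCertificate.Subject)"

# Run the tool; -accepteula suppresses the first-run EULA dialog on Sysinternals tools.
& $path -accepteula
```

Drop the download step and keep only the two signature checks if you already maintain a local copy of the suite and just want a pre-launch gate.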

NirSoft Utilities Panel – Not quite as extensive as live.sysinternals above, Nir does provide this page which also has unpacked, immediately downloadable/executable versions of his most popular utilities.  Get the full offerings at Nirsoft’s Freeware Tools and Utilities for Windows page.

By the way, check out Nir’s unapologetic broadside at AV companies that slam many of his tools as “malware/hackware”: NirBlog: Antivirus companies cause a big headache to small developers.  Nir does a great job unloading the issues and problems that many small utility developers face with their wonderful tools when crossing the big AV/AM companies. I run into this almost weekly when the company AV policy alerts and quarantines yet another valuable sysadmin/forensic tool as a “hacktool” or “trojan”.  Since we lowly sysadmins don’t have access to modify the Symantec AV policy settings we have to just shrug and move on.  It’s a losing fight for us, and for our customers, when we can’t deploy a solution because it has been blacklisted.

The largest security tools list – Interesting website that classifies and links quite a large number of great security tools for a variety of OS platforms.  At least check it out and bookmark it.

What’s My Pass? – New website (to me) that provides a large number of security-cracking posts and tools.  While I don’t at all condone password cracking for fun-and-profit, as a sysadmin I am frequently called in to crack documents, systems, passwords as the user is gone or has forgotten the information.  And at least by understanding and knowing these tools, as a security responder, you could have a greater knowledge in your investigation work.

What’s My Pass also offers two freeware tools of their own. The second is great:

TechTools 1.1 - freeware

Based off of the idea of Bryce Whitty’s “Computer Repair Utility Kit” from Technibble.com. The downfalls of Bryce’s idea were that he had the complete package with all the tools offered for download on his site, which of course sucked up bandwidth, and some authors of the applications, while freeware, wanted the only download of their software to be at their own sites.

To bypass these problems Tech Tools uses Ketarin, which is an application downloader that checks to see if an application has been updated and downloads it if so.

So I’ve compiled a list of apps that were part of the original tool, and either subtracted or added them due to their portability, i.e. if the program had an installer I didn’t include it; I used mostly standalone executables for this first package.

You use Ketarin to first download all your tools and it will automatically extract them to their categorized folders. Once downloaded you can then open Pstart.exe; its menu is already configured to show the downloaded tools. You would then use Ketarin weekly to auto-update all these tech tools so you would always have a fresh copy of the program on your USB.

This is a great alternative solution as the original “Computer Repair Utility Kit” is no longer available.

See these links to see what you missed out on if you didn’t grab it while it lasted:

Computer Repair Kit Packs Dozens of Tools in One Portable Package - System Recovery - Lifehacker

Be prepared! 57 great Windows repair tools all in one place – Chron.com TechBlog

Also related:

Anti-Malware Toolkit v1.06.157 – Lunarsoft – Acts as a central anti-malware/anti-virus tool and program downloader.  Select the items you wish to download and it will auto-download the files to appropriate folders.  In many cases, users must still “install” the applications locally, but this does provide “one-stop” downloading for harried support staff.

WSCC - Windows System Control Center – (freeware) - KLS Soft

Let me let them explain why it is so cool.

WSCC is a free, portable program that allows you to view, execute and organize the utilities from various system utility suites. WSCC is only an interface, you need to download and install the utilities separately. Alternatively, WSCC can use the http protocol to download and run the programs.

WSCC uses the included WSCC Console to execute command line applications.

WSCC is portable, installation is not required. Extract the content of the downloaded zip archive to any directory on your computer.

This edition of WSCC supports the following utility suites:

  • Windows Sysinternals Suite (including support for Sysinternals Live service)
  • NirSoft Utilities

So basically you just download the zip file and unpack it.  It’s pretty tiny to start out with.

Launch it.

You can configure it to point to the location where you have stored all these tools previously (Sysinternals and Nirsoft), or set it up so it can execute the Sysinternals tools from their Sysinternals Live location on the Web.

(more details in this GSD post: Grand Stream Dreams: Windows System Control Center (WSCC): Awesome Cool!)

Cheers!

--Claus V.