This isn’t very hard, . . . → Read More: Forcing a Window Media Player library rescan]]> If you’re using your Windows Media Player (WMP) as a Windows Media “server” to share your music library, yet don’t use WMP directly to manage your media (I use the much more rich MediaMonkey) then you may want to force a library rescan when you add new tracks to your file-store(s).

This isn’t very hard, but it isn’t entirely intuitive either. However it’s simple enough. Select the WMP window, hit the “ALT” key and a menu will pop up. Select “Tools / Apply media information changes”, eg:

Should do the trick.

Ramnit’s man-in-the-middle looks like an actual social-media or bank-account sign-in page that captures a user’s ID and password, and sometimes other personal information en . . . → Read More: BankInfo Ramnit Article]]> Tracy Kitten at BankInfo has an interesting article about the Ramnit worm which is worthy of a read (even I would say by the general public). Ramnit is particularly pernicious because:

Ramnit’s man-in-the-middle looks like an actual social-media or bank-account sign-in page that captures a user’s ID and password, and sometimes other personal information en route to the actual log-in page. The difference, however, is that the page in the middle captures authentication data and allows the attacker to gain access to the victim’s accounts at will.

That said, I’m not sure I agree with the solution espoused:

“Passwords are not very useful for anything anymore,” [Bill] Wansley says. “They are just too easy to forget, copy or break. Everyone needs to go to multifactor authentication [emphasis added] – like Google has recently – for social-media sign-in, and certainly for anything that is for financial or medical-related accounts.”

Certainly a challenge-response methodology would be effective if the response were dynamic (like say an RSA key fob or equivalent smartphone software), however if the two-factor authentication is two static values then there’s nothing that stops the malware from ultimately being designed to capture both factors. It would be “false security” to believe this is a permanent solution.

It then goes on to say:

Passphrases are better than passwords, but multifactor authentication is the new standard. “Nobody should be using their social-media passwords or phrases for their financial accounts,” Wansley says.

While I absolutely agree that users shouldn’t use the same password for financial or other sensitive websites, I’m not absolutely convinced that making stronger passwords is generally an answer. Yes, if you are using straight dictionary words (which the websites should prevent), you are at risk, however a mix of case and say a numeric basically makes the passwords externally uncrackable. That is provided the website properly implements delays and lockouts to the process.

In my opinion too much emphasis in the industry is put on strong passwords where people confuse the idea of a compromised hash (the encrypted form of the password) to external brute-force attack. If the former happens one should simply assume the password is compromised regardless of how strong it is. However most recent compromises involve either brute-force external attacks or outright compromise of the cleartext password – those are different animals than a hash loss. Again, a marginally strong password with delays and lockout will easily survive brute-force attack from an external source (ie: the web).

That’s not to say a degree of password strength isn’t important, but making password too difficult to remember can be counterproductive as it encourages users to write the passwords down or use other insecure methods. In that regards “passphrases” can be a benefit – they can be easy to remember and strong at the same time.

I think too often security professionals focus on what works for them and not the reality of the end user community they are servicing. Sure that gawd awful password complexity requirement is the ideal, but if your end users end up writing it on a post-it or in an Excel spreadsheet the game is over.

Why?

Because while they could be going someplace useful, they could also be going to . . . → Read More: Why I hate tiny-fied URLs…]]> In theory if the world were filled we universally good people, “bitly” and “TinyURL.com“, which given long URLs provide short ones, are a great idea. However whenever I get one I find that I’m frankly terrified to click on them.

Why?

Because while they could be going someplace useful, they could also be going to a giant virus laden web site, or a nasty bug exercising Flash app, or even a porn site that’s going to get me in dutch at the job.

I mean here’s one:

http://bit.ly/pSd3GJ

How do you know where it goes? It happens to go to my resume, but it could go to a virus, a trojan, something completely inappropriate (or even illegal).

Again, it’s a wonderful idea, and certainly more power to those who can stomach them, but I can’t. Heck I even get them sent to me by security professionals.

Granted, even when they are URLs that clearly go to well known sites you are always at risk, but the extra obfuscation (as nice as it is) really increases your risk. No offense to the owners of “bitly” or “tinyURL.com”, they certainly are providing a public service, but it’s one that is too nerve-wracking for this security professional.

/alarms or /media/alarms or /media/audio/alarms /notifications or /media/notifications or /media/audio/notifications /ringtones or /media/ringtones or . . . → Read More: Adding ringtones to Android]]> To add ringtones (or notifications or alarms) to Android phones, connect the phone to your computer and go to the top level of the drive that is mounted. Under that drive you can create (though they may exist already):

/alarms or /media/alarms or /media/audio/alarms
/notifications or /media/notifications or /media/audio/notifications
/ringtones or /media/ringtones or /media/audio/ringtones

In theory putting it under “/media/audio” (the third version given) should be a little cleaner. It also sounds like you can put it just about anywhere and tap on the track to select “Use as phone Ringtone” (I have not tried this though).

This is under Android OS 2.1. Your mileage may vary with other versions.

The Android API documentation is here, however it doesn’t look all that useful for the average end user.

http://www.intel.com/p/en_US/support/detect

since many if not most desktops/laptops include some Intel based chipset (even if it isn’t the main CPU), then this is a pretty useful site to use.

If . . . → Read More: Useful Intel links…]]> Two links from Intel are particularly useful for desktop/laptop users. First, this tool will find out if the Intel drivers you’re using are up-to-date:

http://www.intel.com/p/en_US/support/detect

since many if not most desktops/laptops include some Intel based chipset (even if it isn’t the main CPU), then this is a pretty useful site to use.

If you’re interested to know what Intel chipsets your system uses without checking for updates, this downloadable tool is useful:

http://www.intel.com/support/chipsets/inf/sb/cs-009266.htm

When run it lets you know what at a minimum your mainboard chipset is (assuming it’s Intel).

Of course AMD users mileage will undoubtedly vary. Note that both of these are Windows only apps (sorry).

http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/

highlights something that is becoming more apparent:

SSL certificates probably aren’t worth the bits they’re printed on.

Forgetting that there is a fairly regular stream of issues with the authorities, companies like GoDaddy issue certificates for all of $12 with nearly . . . → Read More: SSL certs – probably not worth the bits they’re printed on…]]> This failure of the trusted Certificate Authority (CA) “Comodo”:

http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/

highlights something that is becoming more apparent:

SSL certificates probably aren’t worth the bits they’re printed on.

Forgetting that there is a fairly regular stream of issues with the authorities, companies like GoDaddy issue certificates for all of $12 with nearly instantaneous issuance. That is, clearly there’s not much validation going on. Way back when it took days to get certificates issued, involved real paperwork, actual calls from issuers, and DUNS lookups, etc.

This may still be the case with organizations like Verisign, but given that for most browsers GoDaddy is equally trusted and that pretty much no one looks at the certificate signers, one weak authority essentially compromises the whole system.

The answer?

Certainly Extended Validation (EV) certificates help, though those are generally overpriced and end users for the most part don’t actually care (that is, for most of us, you’re still going to use non-EV sites regardless).

No, probably the answer is to not trust SSL certs as a metric of “identity”. Just because a site has a valid cert doesn’t mean that it’s a legitimate company or even actually is who it says it is. Instead you need to use other techniques – like Google searches to see if the site is a scam.

It should be otherwise, but essentially the keys have been given away. In many ways unfortunately at this point (at least for non-EV), signed certs are simply a “jab fee”. The browser may as well silently accept self signed certs – the cert’s true value is mostly for enabling encryption (and that doesn’t require a trusted authority).

Mar 12 15:05:33 192.168.1.1 3129: 003121: *Mar 12 15:03:03.195 EST: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:525214740 1415 bytes is out-of-order; expected seq:525170856. Reason: TCP reassembly queue overflow – session 192.168.1.5:53022 to 208.79.250.63:80 on zone-pair ccp-zp-in-out class ccp-protocol-http

sometimes accompanied by hangs in . . . → Read More: Zone Firewall TCP reassembly size]]> If you get something like this in your Cisco’s IOS firewall log:

Mar 12 15:05:33 192.168.1.1 3129: 003121: *Mar 12 15:03:03.195 EST: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:525214740 1415 bytes is out-of-order; expected seq:525170856. Reason: TCP reassembly queue overflow – session 192.168.1.5:53022 to 208.79.250.63:80 on zone-pair ccp-zp-in-out class ccp-protocol-http

sometimes accompanied by hangs in downloads, then what is happening is you are blowing out the buffers used to reassemble TCP segments when the segments have arrived “out-of-order” (also abbreviated “OoO”).

The problem for a stateful firewall or IDS/IPS is it often needs to see more of the packet stream than just the initial segment to make a forwarding/block decision. Thus it has to collect these segments together, however sometimes the segments don’t arrive “in order”. This can particularly happen when VPN is used.

In order to get around this, it essentially collects the streaming segments going by in a queue until it can find the missing segment (assumed to be “out-of-order”). It queues those packets in memory, but for obvious reasons it cannot have infinitely sized queues – it would run out of resources. In fact if it did, this would offer a very effective DoS (Denial of Service) attack.

Thus, there are defined limits set to the TCP reassembly queue. Those limits are actually fairly small to start (16 entries and 1 mb), thus you may want to adjust them if you are regularly seeing messages like above.

Using the old CBAC method of inspection, you could insert the following command:

ip inspect tcp reassembly {[queue length packet-number] [timeout seconds] [memory limit size-in-kb] [alarm {on | off}]}

However with the newer Zone Firewall inspection methods don’t use the same settings. Instead the new command format is:

parameter-map type ooo global
tcp reassembly alarm {on | off}
tcp reassembly memory limit memory-limit-kb
tcp reassembly queue length queue-length
tcp reassembly timeout time-limit-secs

To note the defaults are as follows:

parameter-map type ooo global
tcp reassembly alarm off
tcp reassembly memory limit 1024
tcp reassembly queue length 16
tcp reassembly timeout 5

So, if say you wanted to quadruple the default queue/memory lengths:

parameter-map type ooo global
tcp reassembly memory limit 4096
tcp reassembly queue length 64

Note it’s not clear if a dropped segment appears the same as an “out-of-order” segment to the router – that is with a dropped/lost segment the router keeps expecting it to arrive, just out of order. Thus the error could be telling you more that you’re dropping packets than you’re blowing out your “out-of-order” queues. Unfortunately I cannot find documentation one way or another on this.

Also to note if you’re increasing the queue length, you might want to increase the timeout (“tcp reassembly timeout time-limit-secs“), however 5 seconds is an awful long time for a segment that might be out-of-order not to arrive. As bandwidth increases, while it is likely that more packets/bytes might come in to blow out the queue, it’s unlikely they would take more time to do so (quite the opposite – an out-of-order packet at higher bandwidth is if anything likely to show up sooner, not later), thus I wouldn’t expect this to need adjustment.

vmkfstools -d eagerzeroedthick -i <virtual-disk-source>.vmdk <virtual-disk-target>.vmdk

Note that this will completely expand the size of the filesystem (ie: it will no longer be “thin”).

I needed this not to convert a “thin” filesystem to “thick” filesystem, but a “thick” filesystem to a clusterable “thick” filesystem. The default . . . → Read More: Converting VMware virtual disk to “eagerzeroedthick”]]> Pretty simple from the console really:

vmkfstools -d eagerzeroedthick -i <virtual-disk-source>.vmdk <virtual-disk-target>.vmdk

Note that this will completely expand the size of the filesystem (ie: it will no longer be “thin”).

I needed this not to convert a “thin” filesystem to “thick” filesystem, but a “thick” filesystem to a clusterable “thick” filesystem. The default of “zereodthick” for thick filesystem does zeroing as needed on the fly, whereas “eagerzeroedthick” zeros out beforehand (which takes longer). The former, “zeroedthick” isn’t compatible with clustered filesystems, or more particularly, the required setting of “SCSI Bus Sharing” to “Virtual” while “eagerzeroedthick” is.

“eagerzeroedthick” corresponds to the vSphere Client setting when creating a hard disk of “Support clustering features such as Fault Tolerance”. It is incompatible with “Allocate and commit space on demand (Thin Provisioning)”.

More about clustering on the same VMware machine (though aimed at Microsoft unfortunately) can be found here:

http://www.vmware.com/pdf/vi3_35/esx_3/r35u2/vi3_35_25_u2_mscs.pdf

To note, renaming virtual disks is equally as simple via the CLI (which the vSphere Client will not allow):

vmkfstools -E <original-virtual-disk>.vmdk <renamed-virtual-disk>.vmdk

Note that in the case of any of the “thick” versions actually have two files which can be confusing, a file that doesn’t have “-flat” and one that does. In that case choose the one that lacks “-flat” for the operations and “vmkfstools” will automatically handle the “-flat” version as well.

“The computer industry is the only industry that is more fashion-driven than women’s fashion,” Oracle founder Larry Ellison commented on cloud computing recently. “Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane.”

I think there’s more to it than just . . . → Read More: Larry Ellison on “Cloud Computing”]]> Via SwissInfo:

“The computer industry is the only industry that is more fashion-driven than women’s fashion,” Oracle founder Larry Ellison commented on cloud computing recently. “Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane.”

I think there’s more to it than just gibberish – stuff like Google Apps is a great and usable example, however it’s true everyone is jumping on this and my mailbox is absolutely blown out with “cloud computing this” and “cloud computing that”. Half of it is in fact pure gibberish.

Not surprising, Stallman hates it:

http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman

He makes some good points about why you should be wary. I think what you should take away from his comments is that if you are thinking of using cloud computing, go in with your eyes open (as opposed to it’s just plain “stupid”).