Author: Matt Fahrner

  • How to deactivate Adobe Digital Editions

    As found on an Adobe Forum

    To deactivate a PC with Adobe Digital Editions 1.x:

    1. Launch Digital Editions 1.x
    2. Enter the key-combination of <CTRL><SHIFT>D (<CMD><SHIFT>D on Mac OS)
    3. At the dialog, confirm that you wish to de-activate the machine
    4. Quit Digital Editions

    To reactivate and authorize the machine using the same or a new Adobe ID, just re-launch Digital Editions. You will be prompted to activate.

    This can apparently solve a number of random issues with Adobe Digital Editions. In my case I needed it because I used the wrong Adobe ID to activate!


  • Useful browser check…

    Apparently a lot of compromised browsers purposefully send a modified “UserAgent”, for instance:

    UserAgent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
    AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET
    CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

    That “AntivirXP08” isn’t supposed to be there; the best guess is that it lets web sites that work with these viruses/trojans know the system is compromised.

    A web site to verify your agent to see if it has one of these is:

    http://whatsmyuseragent.com

    Unfortunately I imagine in time they’ll mask these a little better, like putting in a bogus “.NET CLR” value that looks close enough to real to be hard to spot, but isn’t real and that they can identify.
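    The check above can be automated on the server side (for example over the User-Agent column of a web server log). The following is an added example, not code from the post: it splits the parenthesised comment of an IE-style User-Agent into tokens, accepts the ones that match a small allowlist of patterns, and checks every “.NET CLR” token against the build numbers of real CLR releases, which catches the look-alike trick the post predicts. The allowlist and the second, look-alike User-Agent are assumptions constructed for the example; the first User-Agent is the one quoted above.

```python
import re

# Tokens that legitimately appear in the parenthesised comment of an
# IE-era User-Agent.  Assumption: this allowlist is the example's own and
# is deliberately short; anything it does not cover is reported for review.
KNOWN_TOKEN_PATTERNS = [
    r"compatible",
    r"MSIE \d+\.\d+",
    r"Windows NT \d+\.\d+",
    r"Win64|WOW64|x64",
    r"Trident/\d+\.\d+",
    r"InfoPath\.\d+",
    r"Media Center PC \d+\.\d+",
    r"Tablet PC \d+\.\d+",
    r"SLCC\d",
]

# Build strings of real .NET CLR releases; a ".NET CLR" token with any other
# version is treated as suspicious (the look-alike trick the post predicts).
REAL_CLR_VERSIONS = {
    "1.0.3705", "1.1.4322", "2.0.50727",
    "3.0.04506.30", "3.0.04506.648", "3.0.4506.2152",
    "3.5.21022", "3.5.30729", "4.0.30319",
}

# The User-Agent quoted in the post, joined onto one line.
SAMPLE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; "
             ".NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; "
             ".NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)")

# Constructed: a bogus CLR build one digit off from a real one.
LOOKALIKE_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; "
                ".NET CLR 2.0.50727; .NET CLR 3.5.30728)")


def comment_tokens(ua):
    """Return the semicolon-separated tokens inside the first (...) group."""
    m = re.search(r"\(([^)]*)\)", ua)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def suspicious_tokens(ua):
    """Return the tokens in ua that are neither known-good nor a real .NET CLR build."""
    flagged = []
    for tok in comment_tokens(ua):
        clr = re.fullmatch(r"\.NET CLR (\S+)", tok)
        if clr:
            if clr.group(1) not in REAL_CLR_VERSIONS:
                flagged.append(tok)
            continue
        if not any(re.fullmatch(p, tok) for p in KNOWN_TOKEN_PATTERNS):
            flagged.append(tok)
    return flagged


if __name__ == "__main__":
    for ua in (SAMPLE_UA, LOOKALIKE_UA):
        print(suspicious_tokens(ua) or "nothing unexpected")
```

    Run against the quoted User-Agent it reports only “AntivirXP08”; against the constructed one it reports the off-by-one “.NET CLR 3.5.30728”. Browsers other than IE produce comments this allowlist does not know, so in practice the token and version lists would be maintained per browser family rather than kept this short.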


  • Fixing that stupid Cisco IOS telnet thing…

    One of the things that most drives me crazy about Ciscos is the default behaviour at a Cisco IOS “exec” prompt: if you type something that isn’t a command, it interprets it as an attempt to “telnet” to a host. This is a real pain in the backside, as all typos become unwanted telnet attempts. It’s just a dumb default really.

    Fortunately the fix is simple. Just go into the VTY settings and add a “transport preferred none”, eg:

    and that P.I.A. is fixed.


  • Unlocking a Cisco IP phone

    One of those things I can never remember! It’s:

    **#

    This lets you change the network configs among other things.

    Also can factory reset with:

    Settings> Phone settings> Press **2

    Works on older 7921 at least.


  • Favorite free Windows toys…

    Though I’m a Linux bigot, I work generally on a Windows laptop. Below is a list of my favorite free toys/tools that I use regularly. I’ve had good luck with all of them:

    • Unlocker Assistant – for unlocking pesky locked Windows files or drives.
    • I8kFanGUI – for controlling your laptop fans
    • TrueCrypt – for creating a mountable encrypted drive from a file or external media
    • CCleaner – cleans up your registry and other crap.
    • Cygwin – Unix emulation with complete Unix command set and environment for Windows
    • Malwarebytes – finds malware that most major AVs don’t.
    • TweakUI – free Microsoft tool (“PowerToy”) to tweak your system
    • Process Explorer – free system monitoring tool
    • Putty/WinSCP – great SSH tools (they do telnet and FTP too)
    • RealVNC – VNC remote desktop sessions
    • SolarWinds TFTP – standalone TFTP server useful for upgrading the IOS on a Cisco router
    • TeraTerm Pro – a much better replacement for serial Hyperterm (see UTF-8 version here for one with Windows installer). NOTE: The latest Putty now supports serial, so for basic uses that may be all you need.
    • WinDirStat – find where all your disk space is going.
    • Wireshark/WinPcap – for snooping networks
    • MBSA – Microsoft Baseline Security Analyzer to find your big security holes
    • Windows Installer CleanUp Utility – Microsoft tool to remove unremovable/uninstallable program entries
    • PowerBooster 2k – Hitachi laptop disk performance tool
    • Google Earth – just a cool way to look at the world
    • MediaMonkey – one of the best MP3 player/burner/managers I’ve seen.
    • Fat32Format – format FAT32 drives of any size
    • HDD Health – monitor SMART drive output (may also want to see SpeedFan).
    • UltraISO – great for unpacking/manipulating CD ISO images
    • FastStone Image Viewer – very quick JPEG/GIF/TIFF/RAW viewer and editor (good for single images).
    • Picasa – Very nice and fast image organizer and editor (good for directories of images)
    • SyncToy – Microsoft disk-to-disk, directory-to-directory synchronizer (faster than backups). Personally I actually use the for-pay ViceVersa PRO but…

    Enjoy!


  • Defaulting a Cisco interface…

    One pain with Cisco IOS is trying to get a configured interface back to defaults. Half the time you don’t even remember what those were.

    If it’s a sub-interface you can “no” it, but you will still have configuration left behind:

    cisco(config)#no interface ATM1/0.1
    Not all config may be removed and may reappear after reactivating the sub-interface

    With physical top-level interfaces you can’t “no” them at all anyway.

    The answer is to use the “default” command:

    cisco(config)#default interface ATM1/0.1
    Building configuration…

    Interface ATM1/0.1 set to default configuration

    Curiously this doesn’t seem to clear PVC definitions!

    NOTE: If you do this on the primary physical interface, all sub-interfaces will be defaulted and deleted (which may or may not be what you want). So use carefully!

    UPDATE: Well the docs say the sub-interfaces will be deleted, but they’re not in my experience. Also it’s not even clear if this works on sub-interfaces. The combination of a “no” on the sub-interface first and then a “default” after the fact seemed to maybe work, but no promises.


  • How to remove a VLAN from a port in CatOS…

    I can never seem to remember how to “remove” a VLAN on a switch (eg: Cisco 6500) running the older CatOS. The new IOS based switches are much easier.

    Anyway, it’s actually quite simple, just force the port to VLAN 1 (assuming that is your default/native VLAN). For example if port 6/5 was set to a VLAN and you wanted to remove it, just type:

    set vlan 1 6/5

    and bingo it’s removed from the current VLAN.

    Often this is necessary when reusing a port that had a VLAN assignment but that you want to use as a trunk.


  • How much Solaris memory?

    It’s a dumb but simple thing, but I can never bloody remember how to do it:

    How do you find out how much physical memory is on Solaris?

    Simple answer:

    prtconf

    Which also tells you gobs of other useful stuff as well. I usually use “top” because where I’m at we install it everywhere, but sometimes a box won’t have it…


  • A moment of mourning…

    Time to hold a moment of mourning. It appears that WPA (fortunately not WPA 2 yet) has been cracked:

    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119258&source=NLT_AM&nlid=1

    http://www.itworld.com/security/57285/once-thought-safe-wpa-wi-fi-encryption-cracked

    I realize Erik Tews is probably a good person and all and probably believes he’s helping the world by finding this vulnerability before the “real” hackers do, but ultimately I’m unimpressed. The fact is, the real hackers aren’t finding the majority of these major holes, the researchers are. The hackers are just using the holes found by the researchers and exploiting them. It’s not clear that if the researchers were to leave things “as they were”, that say WPA TKIP would have ever been cracked.

    The truth is, and I’m not trying to be insulting to Erik, that this is as much about the researchers’ egos as any efforts toward the supposed “common good”. In the end these hacks aren’t necessarily helping anyone but the bad guys.

    Ok, that’s a little too general. Some of these hacks/cracks are just too obvious, but some, like this one, clearly need the kind of effort that is less likely to be found in the hacker community and more likely to be found in the research community. In the end, since the latter group is supposed to be the “good guys”, it would be better if they perhaps focused on something more constructive.

    Or perhaps to put it another way, “Stop helping us!”


  • The unfortunate truth about Exchange

    Up until the last year my workplace used IMAP servers running on Linux and Solaris to manage and deliver mail. Then we decided because of the collaborative benefits, particularly with mobile devices like Blackberrys, to move to Exchange. The results have been dramatic, and this chart made by Google to espouse their GMail product reflects what we saw (taken from this post):

    Google Email Chart

    As you see the “unplanned” outages go up dramatically with Exchange.

    While it’s true that this doesn’t show self-hosted IMAP services, the people I talk to seem to believe that the self-hosted IMAP solution is somewhere near or below Gmail in terms of outages. My own personal IMAP email, hosted at this site, basically never goes down.

    These figures also unfortunately reflect conversations I’ve had with numerous other companies that have gone through similar transitions. While all enjoy the benefits of integrated calendaring and tasks, the email capability and reliability suffers significantly. And let’s face it, what is ultimately most important to a business – calendaring or email?

    Moreover, in one example email required a single server to maintain the IMAP email for an entire organization. Now with Exchange it takes six. The installation is also dramatically more complicated, requiring not one admin, but two. Also the data files are in MS-SQL, making them harder to fix and manage.

    Do these issues outweigh the benefits of Exchange collaboration? Personally I’m not sure either way. There certainly are advantages to Exchange. However I do feel Microsoft has built a product that is too complicated and too “heavy” for its own good. This particularly considering that much simpler applications can pretty much do the same thing.

    In the end I would pass a warning to shops thinking of moving to Exchange because “it’s the thing to do”. Make sure you are really aware of what you’re giving up. Those used to the unreliability of Exchange may think, “Oh, that’s just the way email is,” but those who have come from other solutions, will realize what they’ve given up.


  • How to convert to/from DOS format in VIM…

    It’s very easy, but also easy to forget how to convert to or from a DOS format file in Unix using “vim” (Vi iMproved), the Open Source “vi”. If the file is in DOS format and you want to convert to Unix, use the command:

    :set ff=unix

    Note that “ff” is an abbreviation for “fileformat”, which you can also use.

    If the file is Unix and you want to write DOS format, use the following command:

    :set ff=dos

    In both examples it is assumed you are ESCaped out of edit mode; the leading “:” is required.

    Note that the difference between the two formats is that:

    • DOS format ends each line with a CRLF (carriage-return line-feed) pair.
    • Unix format ends each line with a simple LF (line feed).

    Neither of these forms should be confused with the C language string delimiter ‘NUL’ which is an ASCII “zero”. That however is an entirely different subject.
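    For the times vim isn’t to hand (a script, or a batch of files), the same conversion is easy to do directly. The following is an added example, not code from the post: it classifies a file’s line endings, converts in either direction, and works on bytes so that a NUL or any other non-text byte passes through untouched, which is the distinction the last paragraph draws. The `to_dos` conversion normalises to LF first so that a file that is already DOS, or mixed, does not end up with doubled carriage returns. The file name and command-line usage are assumptions for the example.

```python
import sys


def detect_format(data):
    """Classify line endings as 'dos' (all CRLF), 'unix' (all bare LF),
    'mixed' or 'none'.  Works on bytes: only the CR/LF pair is inspected,
    never the NUL byte that terminates C strings."""
    lf = data.count(b"\n")
    crlf = data.count(b"\r\n")
    if lf == 0:
        return "none"
    if crlf == lf:
        return "dos"
    if crlf == 0:
        return "unix"
    return "mixed"


def to_unix(data):
    """CRLF -> LF, the equivalent of :set ff=unix followed by :w."""
    return data.replace(b"\r\n", b"\n")


def to_dos(data):
    """LF -> CRLF, the equivalent of :set ff=dos followed by :w.

    Normalises to LF first so an already-DOS or mixed file does not get
    a doubled carriage return on each line."""
    return to_unix(data).replace(b"\n", b"\r\n")


def convert_file(path, target):
    """Rewrite path in place to the target format; returns the format it had."""
    with open(path, "rb") as fh:
        data = fh.read()
    before = detect_format(data)
    converter = {"unix": to_unix, "dos": to_dos}[target]
    with open(path, "wb") as fh:
        fh.write(converter(data))
    return before


if __name__ == "__main__":
    # usage: python lineends.py unix|dos FILE...   (assumed script name)
    target, *paths = sys.argv[1:]
    for p in paths:
        print(p, detect_format(open(p, "rb").read()), "->", target)
        convert_file(p, target)
```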


  • Where to find the Windows XP “hosts” file

    Just like Unix you can add a static host to the Windows system. On Windows XP the file is usually found in the “intuitive” location here (may change depending on where you loaded Windows):

    C:\Windows\System32\drivers\etc

    This is also where the “lmhosts” file is found.

    The format is in standard ARPANET format. For more information see this Wiki page.

    Be warned though, putting entries in here essentially makes them static and thus if the target IP is changed in the real owner’s DNS, your local host entry may be pointing to the wrong place. That is why this is best avoided unless really necessary.
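    The file has a simple enough format that checking it for the problem just described is straightforward. The following is an added example, not code from the post: it parses hosts-file text (IP address, then one or more names, “#” comments), rejects lines whose first field isn’t an address, keeps the first mapping for a name as resolvers do, and then compares each static entry against what the owner’s DNS currently says, reporting the stale ones. The sample hosts text and the stand-in DNS answers are constructed for the example; a real check would obtain the answers from a resolver.

```python
import ipaddress

# Constructed sample in hosts-file format: address, then one or more names.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
192.0.2.10      intranet.example.com   intranet   # pinned last year
192.0.2.10      intranet.example.com              # duplicate, ignored
not-an-ip       broken.example.com
"""

# Constructed stand-in for what the owner's DNS answers today.
CURRENT_DNS = {"intranet.example.com": "192.0.2.20"}


def parse_hosts(text):
    """Parse hosts-file text.

    Returns (entries, errors): entries maps lower-cased hostname -> IP,
    keeping the first mapping seen for a name (resolvers take the first
    match); errors lists (line_number, line) for lines whose first field is
    not an IP address.  '#' starts a comment anywhere on a line."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            errors.append((lineno, raw))
            continue
        for name in fields[1:]:
            entries.setdefault(name.lower(), ip)
    return entries, errors


def stale_entries(entries, dns_answers):
    """Report names whose static entry disagrees with the live DNS answer.

    dns_answers maps name -> IP as currently published by the owner; names
    absent from it (localhost, for instance) are not judged."""
    return {name: (ip, dns_answers[name])
            for name, ip in entries.items()
            if name in dns_answers and dns_answers[name] != ip}


if __name__ == "__main__":
    entries, errors = parse_hosts(SAMPLE_HOSTS)
    print("entries:", entries)
    print("bad lines:", errors)
    print("stale:", stale_entries(entries, CURRENT_DNS))
```

    On the sample, the duplicate line is ignored, the “not-an-ip” line is reported as a bad line, and intranet.example.com is reported as stale because the static 192.0.2.10 no longer matches the published 192.0.2.20.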


  • Just when you thought it was safe in the Universe again…

    Dang, now that’s a hack all right:

    http://government.zdnet.com/?p=3996&tag=nl.e539

    Fortunately they missed the “Create Black Hole” setting…


  • RedHat gets hit this time…

    It just goes to show, if you think you’re safe, you’re not. This time RedHat was hit:

    http://blogs.zdnet.com/security/?p=1784&tag=nl.e550

    This is pretty ugly since it involves the signing of certificates used to validate the RPM repositories and RPMs themselves. RedHat claims that the “passphrases” for the certificates weren’t compromised, so no harm no foul. However it’s very concerning and in order to sufficiently mitigate may require manual intervention by all users or at least changes on all users’ systems.

    The problem here is if RedHat is wrong, forged RPMs could be created that appear “valid” and in theory if installed could infect customer systems compromising binaries et al. It would take quite a bit of effort here, including getting the RPMs into the repositories without anyone noticing, but it is not out of the realm of possibility, particularly when you consider what this hack in itself says about security.


  • Brilliant article with x-Hannaford CIO

    StorefrontBacktalk has a short but brilliant article with the former CIO, Bill Homa, of Hannaford grocery chain who suffered a major breach of credit card data:

    http://storefrontbacktalk.com/story/071108homa

    There are three particular points that stand out:

    1. That Microsoft is still so hole ridden as to put your company at additional risk.
    2. That PCI is still not sufficiently strong.
    3. That a security posture based only on perimeter defense is ultimately fallacious.

    In my experience PCI (also called CISP or PCI DSS) while certainly better than nothing, is still well below what is necessary to protect customer confidential data. Furthermore certain components of the credit card processing stream require less than ideal levels of encryption (I’m being generous here), providing simplified points of collection and attack for hackers (to note, there are plans to improve this).

    In regards to depending on “perimeter defense”, this quote particularly stands out:

    Most retailers have the philosophy of keeping people out of their network. It’s impossible to keep people out of your network. There are bad people out there. How do I limit the damage they can do? If you don’t do that, they’ll have free reign to do whatever they want.

    However I hardly think this mentality is limited to retailers. In my discussions with numerous peers in the computing industry, many shops, large and small, retail or non-retail, are afflicted with this mentality. In fact I would consider it pervasive – “keep the intruders out and you’ll be ok.”

    But the honest truth is you can never keep them out and like a game of chess, everyday some new hole is found to subvert your external protections. Nor for that matter should you really trust your own employees, which are ultimately one of the largest sources of data compromise, and they are on the inside.

    The answer is “defense in depth“, with layers of security, some strong, some weaker, some on perimeter, some on the host, some in the software tools themselves, but the sum total providing sufficient security for the value of the asset(s) being protected (based on “risk analysis“).

    Until corporations start thinking this way, we can expect to see breaches like Hannaford’s continue for some time.


  • How to disable “dumprep.exe”

    If you’ve ever had a program spontaneously self destruct in Windows XP and/or you did a forced kill from the task manager for a “Not responding” application, you may have found it takes forever for things to come back to normal and meanwhile your drive is being banged on like crazy. Worse things usually drag to a halt.

    The culprit? “dumprep.exe”, a Windows built in that prepares a log file to send to Microsoft to report the “issue”, even if you don’t want to report the issue (like they’re going to read it anyway?).

    Fortunately it’s easily disabled:

    • Go to “Control Panel” (classic mode).
    • Double click on “System”, which will bring up the “System Properties” panel.
    • Select the “Advanced” tab.
    • Click the “Error Reporting” button near the bottom.
    • Choose the radio “Disable error reporting”.
    • Click “OK” to all the windows until you’re out.

    Done – “dumprep.exe” is disabled. If you ever have an actual issue to report to Microsoft, you can reverse these steps to turn it on again. The default is kind of dumb really as there’s no way Microsoft could ever keep up with all the output from their (bug laden) OS.


  • WPA versus WPA2?

    So what’s the difference?

    Not much or a lot depending on your opinion. WPA uses TKIP for key management, whereas WPA2 uses AES-CCMP. Usually, depending on how the AP has been set up, you can use either (TKIP or AES-CCMP) interchangeably, thus using WPA or WPA2 as needed. Many older devices, like those running Windows Mobile 5, only support WPA with TKIP, while WPA2 is now required for the Wi-Fi Alliance’s “WiFi CERTIFIED” moniker.

    This is a pretty rough overview, however in the end the general consensus is WPA2 is more secure due in part to its use of the government/industry preferred AES protocol for key protection. However WPA is probably sufficient for the vast majority of uses and is infinitely better than using WEP protocol. WEP really is only useful for keeping your average neighbor off your network – any mildly serious attacker will be able to compromise a WEP based wireless network.

    As long as I’m on the subject, hiding your SSID is also basically a useless joke as there are so many tools to sniff them even when not set to “broadcast”. Either use WPA(2) or further encapsulate your traffic over a VPN connection. Still, in general as an extra layer of protection, you ought to disable “broadcast SSID“, though because of the way the protocol works the benefit is honestly nearly nil. Still, “layered security” is the way to go.


  • WPA resources

    When researching using WPA on Ciscos I ran into a lot of useful URLs as resources. If you’re in the same bind, you may find them helpful too:

    Not a pretty list, but still good to put somewhere!


  • What is 802.1x?

    If you’re investigating things like enterprise WPA and/or NAC based network control you’ll probably run into the fact that it uses 802.1x protocol. So what is 802.1x?

    Basically the long and short of it is IEEE 802.1x is just a protocol to pass EAP over wired/wireless LANs. EAP on the other hand is just a protocol to take the AP/RAS/switch/router out of the stream of authentication. It is a way of tunneling the authentication request to a Radius server and let the two figure out the authentication without the AP/RAS/switch/router having to handle it.

    A good primer on the subject is here:

    http://www.networkworld.com/research/2002/0506whatisit.html

    Incidentally the user-unfriendly term “supplicant” will often come up. Much as it sounds like something fancy, it isn’t. In most regards it just means the client you’re trying to connect to the network, however more officially it’s the process(es) on the client taking care of the 802.1x authentication. The client runs the supplicant to authenticate, to quote:

    The wireless node that requests authentication is often called Supplicant, although it is more correct to say that the wireless node contains a Supplicant. The Supplicant is responsible for responding to Authenticator data that will establish its credentials. The same goes for the access point; the Authenticator is not the access point. Rather, the access point contains an Authenticator. The Authenticator does not even need to be in the access point; it can be an external component.

    So ultimately the “supplicant” is really a program running on the client. Also see:

    http://tldp.org/HOWTO/html_single/8021X-HOWTO

    which also is a useful document.

    As a final note, often the EAP passed in the 802.1x conversation is encapsulated in what’s called “PEAP” (yes, all of the acronyms are a pain!). Essentially PEAP is a public key based method of encrypting the EAP payload via SSL/TLS, thus protecting the authentication from prying eyes.
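    The supplicant/authenticator exchange is easier to picture with the frames in front of you. The following is an added example, not code from the post or from any of the linked documents: it builds and decodes the LAN-side 802.1x conversation, an EAPOL-Start from the supplicant, the authenticator’s EAP-Request/Identity, the supplicant’s EAP-Response/Identity, an EAP-Request of type PEAP (the SSL/TLS-protected tunnel mentioned above), and finally EAP-Success. The header layouts and code numbers are those of IEEE 802.1X (EAPOL) and RFC 3748 (EAP); the identity string and the exchange itself are constructed, and the authenticator’s leg to the RADIUS server is deliberately not shown.

```python
import struct

# Field values from IEEE 802.1X (EAPOL) and RFC 3748 (EAP).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
               21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eapol(ptype, body=b""):
    """EAPOL header: version(1) type(1) length(2), then the body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def build_eap(code, ident, method=None, data=b""):
    """EAP packet: code(1) identifier(1) length(2) [type(1) type-data]."""
    payload = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(pkt):
    """Decode an EAP packet; raises ValueError if the header or length is wrong."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2) and length >= 5:      # Request/Response carry a method
        out["method"] = EAP_METHODS.get(pkt[4], f"unknown({pkt[4]})")
        out["data"] = pkt[5:length]
    return out


def parse_eapol(frame):
    """Decode the EAPOL frame body that follows the Ethernet header (EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if 4 + length > len(frame):
        raise ValueError("EAPOL length field exceeds frame")
    out = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        out["eap"] = parse_eap(frame[4:4 + length])
    return out


# Constructed LAN-side exchange.  The authenticator (switch/AP) relays the EAP
# packets to the RADIUS server; that leg is not shown here.
EXCHANGE = [
    ("supplicant -> authenticator", build_eapol(1)),                                # EAPOL-Start
    ("authenticator -> supplicant", build_eapol(0, build_eap(1, 1, 1))),            # Request/Identity
    ("supplicant -> authenticator", build_eapol(0, build_eap(2, 1, 1, b"alice"))),  # Response/Identity
    ("authenticator -> supplicant", build_eapol(0, build_eap(1, 2, 25, b"\x20"))),  # PEAP, Start flag set
    ("authenticator -> supplicant", build_eapol(0, build_eap(3, 2))),               # Success
]


def describe_exchange(exchange=EXCHANGE):
    """Decode every frame of the exchange into (direction, parsed) pairs."""
    return [(who, parse_eapol(frame)) for who, frame in exchange]


if __name__ == "__main__":
    for who, parsed in describe_exchange():
        print(f"{who:28} {parsed}")
```

    Note that the identity goes over the air in the clear in the Response/Identity frame; that is one reason the real credential exchange is carried inside the PEAP tunnel that follows rather than in a bare EAP method.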


  • If using WPA-PSK, use a long key!

    If you must use WPA-PSK (meaning WPA with a pre-shared key, rather than WPA using 802.1x authentication via Radius), make sure your key is sufficiently long. Ideally 20 characters or more.

    To quote:

    Robert Moskowitz’s article, “Weakness in Passphrase Choice in WPA Interface,” describes a theoretical attack on WPA passwords. The tools WPA-psk-bf, CoWPAtty and WEP Crack are implementations of this attack and have demonstrated the ability to break WPA-PSK keys that are 20 characters or fewer. The Aircrack tool suite operates in an active or passive mode to gather the data required to launch these attacks. In passive mode, the Aircrack tools capture the four-packet authentication handshake between an AP and client. The handshake is then processed through a WPA breaking tool for an offline brute-force attack. If the attacker has not captured the handshake, the Aircrack tools active mode will force a disassociation and reassociation.

    For more see this article:

    http://www.chips.navy.mil/archives/05_jul/web%20pages/Wireless_networks.htm

    which gives a fairly comprehensive overview of the challenges here.
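    Why the length matters is clearest from the key derivation itself. The following is an added example, not code from the post or the linked article: it implements the 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256-bit output) and a policy check that enforces the 8..63 printable-ASCII passphrase format together with the 20-character minimum recommended above. The work an offline guess against a captured handshake must do per candidate is fixed by that derivation, so the size of the passphrase space is the only lever the network owner controls. The character-class rule is an assumption added for the example; the test vector (passphrase “password”, SSID “IEEE”) is the one from the 802.11i annex.

```python
import hashlib
import string


def derive_psk(passphrase, ssid):
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 rounds, 32-byte (256-bit) output.

    Every offline guess against a captured handshake must repeat this
    derivation, so the work per guess is fixed; only the size of the
    passphrase space is under the network owner's control."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, dklen=32)


def passphrase_problems(passphrase, minimum=20):
    """List policy failures for a WPA-PSK passphrase; an empty list means it passes.

    The 8..63 printable-ASCII rule is the 802.11i passphrase format; the
    20-character minimum is the post's recommendation; the three-class rule
    is an assumption added for this example."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8..63 characters")
    if any(ch not in string.printable or ch in "\t\n\r\x0b\x0c" for ch in passphrase):
        problems.append("only printable ASCII is allowed")
    if len(passphrase) < minimum:
        problems.append(f"shorter than the {minimum}-character minimum")
    classes = sum(any(ch in cls for ch in passphrase)
                  for cls in (string.ascii_lowercase, string.ascii_uppercase,
                              string.digits, string.punctuation + " "))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    # IEEE 802.11i annex test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    for pw in ("password", "correct horse battery staple 42!"):
        print(repr(pw), passphrase_problems(pw) or "ok")
```

    The derivation output is the 256-bit PSK that becomes the PMK on both sides; the four-way handshake the quoted article describes then derives the per-session keys from it, which is why a captured handshake plus a guessable passphrase is enough for an offline check and why the passphrase, not the handshake, is where the defence lies.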