Wednesday, June 27, 2007

Beware of Fake Microsoft Patch

The spam will have a subject of:
Microsoft Security Bulletin MS07-0065 - Critical Update

The body claims to have a patch for a zero day vulnerability, but contains

For more detail, please see this SANS alert:

A real, legitimate Microsoft Security Bulletin will be a PGP Signed text message.

Tuesday, June 26, 2007

Busy with SAS70

I have not kept up with this blog for the last week or so because I am very busy with SAS70 security auditors. If you want to know what this SAS70 thing is all about, drop me a comment. Now, back to the hot seat =)

Tuesday, June 19, 2007

Firefox 2.0 becoming a PIG?

Recently Firefox 2.0 (I am on to be exact) seems to either have a memory leak or is simply becoming a resource hog. It is currently using over 200MB of memory with just three tabs open. Also, it seems that over time the auto-complete features of both the address box and the search box use more and more CPU and become slower and slower. I get the old one-character-at-a-time typing response in these boxes.

I mention the slowdown over time because I leave Firefox open for days, as I have network monitor tools running in a couple of tabs. If I restart Firefox it will start back up using about 36MB of memory with my initial two tabs open. Looks like a mem leak to me! I guess the short term fix is to restart Firefox daily.

Also, as a side note... I had used Fasterfox a few weeks ago, and with Fasterfox it seemed to chew up memory much faster and performance degraded within hours. So much for Fasterfox. I uninstalled Fasterfox to get back to the original Firefox (Slowerfox ???) and now it is back to taking a couple of days to slow to a crawl.

Anyone have more info or a fix for this out there?

Monday, June 18, 2007

.hk TLD attack warning

I came into the office today and noticed a flood of email with subject lines like:

[name] sent you a [domain].hk! Greeting

Inside, the message invites you to follow a link to view a greeting card within 30 days. The linked page contains malicious code that attempts to exploit Internet Explorer vulnerabilities, among other Windows vulnerabilities.

Email server administrators should take action immediately to filter and kill these messages.

See more here from SANS:

Tuesday, June 12, 2007

APC MX5000 Battery Acid

In the past, we have had several battery acid spills from the old APC Matrix 5000 Smartcell XR battery units. These units essentially use automotive type batteries in the XR cabinet that are sealed and set on their side. If one of these batteries fails, they often overheat and will leak acid from the sealed caps. In fact, we have had a couple that blew the caps out and created a serious spill.

The best way to prevent a serious acid spill is to check these units at least once per day for excess heat. A quick check can be done by simply running your hand over the front of each unit to detect any rise in temperature. The temperature rise is quite obvious compared to the "normal" room temp. It is important to disconnect an overheating battery as soon as possible to prevent an acid spill. The bad battery LED indicator on the front of these units is pretty much useless, as it does not detect most battery problems, so don't rely on it.

If you detect heat, do the following:
  1. Unplug the input and output cables from the back of the unit to take it offline from the main electronics, thereby removing the load.
  2. Do not open the front cover until the unit temperature returns to room temp.
  3. Replace all 4 batteries - replacement battery set APC Part# RBC14, which costs around $500.
If one of your battery units has started leaking, do the same procedure, except make sure that you use eye and hand protection when removing the old batteries.

If you open the front cover of a unit with a suspected bad battery, you can identify which of the four batteries is bad by its bulging sides and/or leakage from the caps on the connector side.

So if you detect a battery acid smell in your data center, check those old XR battery units!

Monday, June 11, 2007

Vista Trials - Legacy Hardware

I set out to see what Vista would do if I attempted to install it on an old(er) generic "white box" machine. You might say, why? It's just going to fail. Yes, I expect it to fail, but how would it fail and how well (or badly) would Vista handle it?

Time to hit the computer lab.

So I took an older machine (see specs below) to the computer lab, slapped a DVD drive in it and booted the Vista CD. To make a long story short, it actually installed but failed to start up. The most amusing thing was that the old Blue Screen Of Death flashed over the screen during startup so fast that I could not read it, but it was certainly there. So much for Vista doing away with the old BSOD!
End of short story...

The BSOD caused it to crash and force a reboot; upon booting from the CD again I was presented with the "Vista failed to start, what do you want to do" screen with the repair installation option. I tried the repair and, of course, was presented with the same BSOD reboot "feature".
Next I removed all PCI cards, replaced the AGP graphics card with another and tried again. The net result was that I tried a number of format and re-install cycles with an empty PCI bus, three different graphics cards and replacement RAM, and had the same result every time. This leads me to believe that it simply did not like something on the motherboard. My bet would be the chipset, but who knows?

Machine specs:
Motherboard: ABIT-TH7
Processor: Intel P4 1.7GHz
RAM: 2 x 512MB RAMBUS (also tried a 2 x 256MB set)
HDD: IBM 60GB IDE
Graphic: Nvidia AGP, ATI AGP, S7 chip PCI

Moral of the story... don't waste your time with Vista on old retired hardware.

If someone has had success with Vista on legacy hardware, I'd like to hear your story here.

Thursday, June 7, 2007

Killer Command Line Tips Part 1

I am going to throw out a series of my favorite Windows Command Line shortcuts and tips.
Part 1 - Navigating directories.

One of the clumsiest aspects of using the Windows command line is traversing the file system directories. Here are a few tips to save some keystrokes and time.

1) Use directory name masking. Did you know that you can use * as a wildcard mask in the CD command?
Example: cd \brainstrain
This can be shortened to cd \br*
The typed-out portion must be unique, or CD will change to the first directory name that matches the mask.

2) When you CD to a long directory name with spaces in it, where you would normally quote the name, like "program files", you can leave out the closing quote.
Example: cd "\program files"
can be shortened to cd "\program files
and... combining tips 1 and 2, you can do this:
cd "\prog*

3) You can drag and drop a folder from Explorer into a CMD window. Windows will paste in the full directory path including quotes. Once the path is in the CMD window, change focus to the CMD window, hit HOME to get to the beginning of the cmd line, then type cd /d (with insert on), then hit enter.
Note: the /d option of the cd command is only required if you included the drive letter in the path AND the drive is different from the current drive.

4) Use the "Open Command Window Here" power toy found here:

This is the XP version that also works in Windows 2000 (afaik). With this power toy, you simply right click on a folder name in Explorer, then click Open Command Window Here. A new CMD window will be opened with the folder being the current directory.

5) Use environment variables. The following changes to the temp directory:
cd %temp%
or, change to the user profile directory:
cd %userprofile%

Note - Don't use the masking methods in batch files, because as directories are added or renamed the mask may no longer resolve to the directory you expect. Always spell everything out in full in batch files.

These methods work in Windows 2000 and later operating systems (however... not tested with Vista).


Look for more Killer Command Line Tips in the near future.

Monday, June 4, 2007

IIS 5.0 authentication bypass exploit

A recently discovered (Dec 2006) IIS 5.0 exploit makes securing your web servers that much more important.

Actually, the most interesting aspect of this issue is that Microsoft has not released a patch to correct the vulnerability, but instead is showing the world how the exploit works and using it as a scare tactic to get you to upgrade to IIS 6 (Windows Server 2003). Check this out:

IMHO, this is yet another shameless cheap shot by Microsoft to push you into an upgrade. They actually show you how to use the exploit but offer no solution except to strongly recommend upgrading.

The cheap fix for those running IIS 5 is to use URLScan and make sure you are blocking the .htw extension.
.htw is the webhits (Index Server) extension, which is not widely used, so unless you have a specific need for it, block it by running the IIS Lockdown Tool and make sure you enable URLScan during install. I believe that .htw is blocked in most template installs, but you should check the urlscan.ini after install to make sure.
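
One way to do that urlscan.ini check, as an added example that is not the post's or URLScan's own code: a small Python checker that parses a urlscan.ini excerpt and reports whether .htw would be rejected, taking into account that UrlScan only enforces [DenyExtensions] when UseAllowExtensions=0 (the ini excerpts are constructed samples).

```python
# Added example, not from the original post: checks whether a urlscan.ini
# really blocks the .htw (webhits) extension. The excerpts are constructed.

# Deny-list mode (UseAllowExtensions=0): [DenyExtensions] is enforced.
BLOCKING_INI = """
; constructed urlscan.ini excerpt
[options]
UseAllowExtensions=0
[DenyExtensions]
.htw
"""
# Allow-list mode (UseAllowExtensions=1): [DenyExtensions] is ignored and
# anything not listed in [AllowExtensions], including .htw, is rejected.
ALLOWLIST_INI = """
[options]
UseAllowExtensions=1
[AllowExtensions]
.htm
.asp
"""

def parse_urlscan_ini(text):
    """Return {section name (lowercased): [entries]}, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def get_option(sections, name, default):
    """Case-insensitive lookup of a key=value entry in [options]."""
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        if key.strip().lower() == name.lower():
            return value.strip()
    return default

def is_extension_blocked(ini_text, ext=".htw"):
    """True if UrlScan would reject requests for files ending in ext."""
    sections = parse_urlscan_ini(ini_text)
    ext = ext.lower()
    if get_option(sections, "UseAllowExtensions", "0") == "1":
        return ext not in {e.lower() for e in sections.get("allowextensions", [])}
    return ext in {e.lower() for e in sections.get("denyextensions", [])}
```

Point it at the real file with is_extension_blocked(open(path).read()) after the Lockdown Tool has run; a False result means .htw requests would still reach webhits.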

For more info on the exploit, see the SANS alert here:

Friday, June 1, 2007

Knowledge Base Alertz Notification

For those of you that need to keep up on Microsoft bug fixes (read security issues!) the task can be a real pain in your backside... to say the least.

To help ease the pain there is a service by Scott Cate at
This free service will send you daily email alerts when a new KB article is posted for each KB area that you select.
Check it out, and Thank You Scott for creating this service!

YouTube Virgin

YouTube Virgin no more.

Just published my first YouTube video and I must say that I am somewhat hooked.
Found a great tutorial for making great looking YouTube videos here:

The process was of course time consuming, but these days even the free tools do a good job, even for a media dummy like me, as I have always been more of a data guy. One thing that I didn't realize is that Microsoft actually has a nice free encoder that did a nice job. Windows Media Encoder (WME):

Check out my first video here: