LabMice.net - The Windows 2000\XP\.NET Resource Index

Last Updated December 10, 2003

Daily Briefing - August 2003

Welcome to our Blog! We've decided to start this web log as a way to communicate new changes to our site, discuss various happenings, and share occasional rants about a variety of topics (mostly tech related). We hope to keep it fun, interesting, and brief. And as always, we don't intend to follow any of the traditional blog rules. If you'd like to send us feedback about the site or comments posted in the Blog, just drop me a line at bernie@labmice.net

Thursday, August 28
Amidst all of the chaos caused by the recent virus outbreaks and blackouts, a good friend of mine called me over the weekend and wanted advice on backing up her hard drive in the event of data loss. To date, she had been using CD-R media to create backups of critical files, but over the past year this "critical data" category has grown to several gigabytes in size. I recommended a Maxtor 3000LE 120GB external hard drive in combination with Symantec Ghost. The Maxtor drive is portable, very easy to use, and plugs right into your USB port. If you're running Windows XP, there are no drivers to install and you can use the external drive to back up your entire drive or individual directories. Symantec Ghost is great for creating flawless periodic snapshots of the entire system and has saved me countless hours when I've needed to swap hard drives or recover from data corruption. Unfortunately, my friend decided to try and find a copy of Ghost via Kazaa instead of simply purchasing it for $50.00. (I don't think this was a case of simply being cheap; I believe she may not have had much experience with Ghost and wanted to try a fully functioning version before buying it.) Unfortunately something went horribly wrong and after the installation, the system wouldn't boot at all, and it's unclear at this point if her data is still recoverable. While this incident may have still happened with a full version of Ghost, the simple fact that she got her copy from a file swapping service raises several additional issues. Were the source files intentionally modified by someone? Could a malicious program have been inserted? Could the source files have become corrupt after being copied again and again over the peer-to-peer network? Without access to the CD and support from Symantec, how will she recover her data?
Kazaa, BearShare, and other file swapping networks are fine for MP3's and other non-critical files (legal issues aside), but when you set foot into the "warez" arena you may be in for more than you bargained for. It's human nature to want something for nothing, but you need to think about the risk vs. reward. Is saving $30 or $50 in software worth the risks of playing Russian Roulette with your data? Even if you're successful 9 out of 10 times, is $300 worth it? Not to me.


Wednesday, August 27
If I was a bit disappointed with antivirus vendors on Monday (see the blog entry below), I'm hopping mad today! First let me start with McAfee. After being a Symantec customer for years, I bought a copy of McAfee AntiVirus Professional Edition with a 5 user license ($150.00) as a test platform for the lab. While it appears to work fine on the desktops, McAfee wreaked havoc on my 2 laptops that were using Linksys wireless network cards. The software installed fine, and worked for a few weeks until I downloaded a new update to the virus definitions. Both machines suffered catastrophic network configuration failures and after troubleshooting them for hours, I finally reloaded them from a Ghost image. Yesterday, I began having problems again - shortly after downloading new virus definitions. I actually didn't suspect McAfee as the culprit at first, until I started typing my error messages into Google. What I found were several newsgroup postings featuring the same issues I had, with several people complaining they occurred shortly after updating McAfee. As a test I uninstalled McAfee, and like magic the network problems went away. I've seen similar reports from a variety of network administrators in corporate environments - bizarre system instabilities that seemed to occur immediately after an update and that were resolved by uninstalling McAfee antivirus. As far as I'm concerned, I will never install McAfee on a production server or workstation - ever. Which brings me to Symantec, who announced today that it is incorporating product activation into its next version of NAV. I guess we all knew that if Microsoft's product activation scheme succeeded, it would be copied by the rest of the industry. What bothers me is the recent industry practice of charging for the antivirus software and then charging again for updates. I believe it should be one or the other.
Pay $30.00 and get the software with 3 years of updates (by which time you'll probably have a new operating system), or pay $10 per year and get the basic software for free. Why am I being charged twice? The Symantec licenses for my production workstations expire this month, and I had thought of switching to McAfee until these issues surfaced. So what are my choices? Actually plenty. AVG AntiVirus makes an excellent product that is free for home and non-business users (including free definition updates). You can also purchase their Professional Edition for $33 and get free definition updates for 2 years. I've already installed AVG on 2 of my home systems, as well as my parents' PC's. So far, it's worked flawlessly and I plan to move all of my lab and production PC's to AVG before the end of the year. While most corporate customers can't just suddenly switch anti-virus vendors and redeploy software to thousands of PC's, consumers can. Next time McAfee and Symantec bug you to renew your subscription or upgrade your software, send them the message that you're not going to take it anymore. Vote with your wallet.


Monday, August 25
Symantec announced that their next version of AntiVirus software will detect keyboard loggers and spyware. What took them so long? For years antivirus companies have resisted extending their products to include the wider variety of malware that usually makes up Trojans. Strictly speaking, the formal definition of a virus is simply any program that is self-replicating and can "infect" other computers. Viruses don't actually have to cause any damage to meet the definition, and many don't. On the other hand, many Trojans don't "self replicate" beyond mailing themselves to every address found on an "infected" PC, but they almost always cause some form of damage. At first, antivirus companies resisted updating their programs to combat these threats. As pressure from consumers mounted, the antivirus vendors began to expand the scope of their software to catch the more prevalent Trojans. In my opinion, detecting keyboard loggers should have been a function of antivirus software 10 years ago. But why the delay in catching the other forms of spyware, specifically programs that track your internet usage and launch pop-ups wherever you go? While not strictly viruses, many people view these programs as malicious software, and the popularity of programs like Ad-Aware bears this out. In many cases, these programs function like Trojans. Users are duped into installing software that may in fact cause system instability. Sounds like something that should fall within the scope of my antivirus software. While I applaud Symantec's efforts to expand their software, I still think that they're way behind the times. Instead of being innovative, these companies are simply responding to the success of products released by other vendors - often with poor results. Things may become even more interesting if Microsoft steps into the arena.
Microsoft is under tremendous pressure to deliver on the Trustworthy Computing initiative, and the rash of Windows-specific viruses and worms is certainly hurting their credibility. Microsoft has already built a simple firewall into Windows XP and is including anti-spam features in Outlook 2003. With the recent purchase of an antivirus company, and the changes being discussed in relation to re-evaluating the role of Windows Update, is it possible that Microsoft could build antivirus software into the next version of Windows? Will this launch another round of antitrust allegations?


Friday, August 22
While the government is still looking into the causes of the blackout that occurred last week, a number of people are starting to question whether the failure of the control mechanisms could be related to the MSBlaster worm. The current theory of events is that the power failure started when a single transmission line feeding the city of Cleveland (my hometown) sagged into a tree and failed. About 25 minutes later, another transmission line feeding Cleveland failed as well. This caused the system to start drawing 2200 megawatts from Michigan, which started a cascade effect that stretched into Ontario and eventually the Atlantic coast. A recent thread on BugTraq theorized that if the computers running SCADA (Supervisory Control and Data Acquisition) programs became infected, the normal regulatory mechanisms could fail. These systems run Windows 2000/XP and directly control key portions of the electrical distribution network via a master control panel at the power station and several remote terminals. We already know that a nuclear power plant just outside of Cleveland was hit by MSBlast, and that a generator sub-facility in Philadelphia was affected as well. It seems reasonable that if MSBlaster managed to get a foothold in one part of the network because of poor IT security, it could make its way to more critical systems. The utility companies have a long history of network security vulnerabilities and massive bureaucracies that can hamper any improvements. Our recent rush to improve Homeland Security by posting a few guards at power plants completely ignores the fact that these systems are rotting from the inside out. Given the propensity for cover-ups in this industry, we may never know the real cause of the blackout. The game of public finger pointing, denials, and musical chairs will continue for months, and I suspect that the government's findings will be inconclusive at best.


Thursday, August 21
Sick of hearing about viruses yet? Between MS.Blaster and the new round of the Sobig worm, the tech news outlets have been talking about little else. Earlier this month (Aug 4) I wrote about a friend who said he was sick of all the media coverage on viruses and simply tuned them out. (At the time I was warning about the RPC vulnerability that is exploited by MS.Blaster.) As you can probably guess, one of his systems became infected in the last few days. I'm betting he won't be tuning out future virus warnings. There are some predictions that the impact of W32.Blaster will "shock" users (and companies) into becoming more diligent about patching their systems. While this may be true for some people, I think there will always be the group that just doesn't "get it". Case in point: I've heard a number of first-hand accounts from support personnel who have cleaned up a user's system after it was infected with W32.Blaster (or other viruses) only to have the user re-infect the machine within a few hours. You would think the first experience might have made them more cautious and diligent about the process. But they continue anyway. My theory is that it really is the same people who propagate viruses (and chain letters) every time. It may not be politically correct to say it, but perhaps there really are some people who really shouldn't be near a PC. Unfortunately, many of these people are in management, which means they won't change their behavior (or their company's) any time soon. Companies that don't already "get it" this late in the game aren't likely to suddenly wake up and start becoming aggressive about network security and keeping their systems up to date. For those who do get it, Microsoft has released 2 new updates (MS03-032, MS03-033), and revised 2 older updates (MS02-040 and MS03-030), all addressing vulnerabilities that could allow an attacker to take over systems. Don't wait for the next worm to patch your systems!


Wednesday, August 20
W32.Blaster may be getting all of the press, but the Sobig worm has resurfaced with a new variant that is flooding e-mail servers worldwide. What seems to be compounding the problem is the auto-replies being sent by e-mail gateways when they detect the virus. Since the Sobig.F worm spoofs the sender's e-mail address, these replies are being sent to the wrong people. Since my e-mail addresses exist in so many people's mailboxes, I always get a good survey of what's going around at the time. This morning my virus scanner caught 247 e-mails that contained the Sobig worm. I also received 700 e-mails from auto-responders from all over the world notifying me that one of the 7 e-mail addresses I use on the site had sent the virus to whatever e-mail server. If this is typical, then 70% of the network traffic being generated by Sobig.F is from e-mail gateways, and not the worm itself. This is insanity. Since spoofing the source address is such a common tactic with e-mail worms, shouldn't we rethink the tactic of sending a notification message? Perhaps vendors can engineer these gateways to handle e-mail messages more intelligently, either by looking for evidence of spoofing and identifying the real sender's address, or by allowing administrators to turn off auto-reply for worms that are known to spoof addresses. If your software allows you to turn off the auto-notification function, you may want to think about disabling this practice for a few days until the worm is under control.
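The two gateway changes this entry asks for, written out as an added Python example (not code from the original post or from any mail-gateway product): an auto-reply policy that stays silent for worm families known to forge the sender, and a count of how much of a day's worm-related mail is backscatter from other gateways rather than the worm itself. The log format, the family list and the sample addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# Worm families known to forge the envelope sender. Assumption: the
# administrator maintains this list; Sobig.F is the family the post discusses.
SPOOFING_FAMILIES = frozenset({"W32.Sobig.F@mm", "W32.Sobig.E@mm", "W32.Klez.H@mm"})

# Subject fragments that mark another gateway's "you sent us a virus" reply.
BOUNCE_MARKERS = ("virus", "infected", "blocked", "undeliverable", "returned mail")

# Constructed gateway log format (not any real product's format):
#   <timestamp> from=<addr> to=<addr> scan=<signature|clean> subject="<text>"
LOG_RE = re.compile(
    r'from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> '
    r'scan=(?P<scan>\S+) subject="(?P<subject>[^"]*)"'
)


@dataclass(frozen=True)
class Detection:
    sender: str   # envelope sender (MAIL FROM); this is what Sobig.F forges
    rcpt: str     # envelope recipient
    scan: str     # scanner verdict: a signature name, or "clean"
    subject: str


def parse_log_line(line: str) -> Detection:
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Detection(m["sender"], m["rcpt"], m["scan"], m["subject"])


def is_backscatter(det: Detection) -> bool:
    """A clean message whose subject reads like another gateway's virus notice."""
    if det.scan != "clean":
        return False
    subject = det.subject.lower()
    return any(marker in subject for marker in BOUNCE_MARKERS)


def should_notify_sender(det: Detection, notify_spoofers: bool = False) -> bool:
    """Decide whether the gateway may auto-reply to the envelope sender.

    False for clean mail (nothing to report), for a null reverse-path
    (replying to a bounce only creates a loop), and, unless the administrator
    explicitly re-enables it, for families known to forge the sender: the
    address in MAIL FROM belongs to an uninvolved third party.
    """
    if det.scan == "clean" or det.sender == "":
        return False
    if det.scan in SPOOFING_FAMILIES and not notify_spoofers:
        return False
    return True


def backscatter_report(lines: Iterable[str]) -> Dict[str, float]:
    """Count worm copies vs. third-party auto-replies in a gateway log."""
    worm = replies = 0
    for line in lines:
        det = parse_log_line(line)
        if det.scan != "clean":
            worm += 1
        elif is_backscatter(det):
            replies += 1
    total = worm + replies
    share = replies / total if total else 0.0
    return {"worm_copies": worm, "auto_replies": replies, "backscatter_share": share}


# Constructed sample: two Sobig.F copies, three auto-replies from other gateways
# blaming one of the site's addresses, and one unrelated clean message.
SAMPLE_LOG = [
    '2003-08-20 07:14:02 from=<alice@example.net> to=<bernie@labmice.net> scan=W32.Sobig.F@mm subject="Re: Details"',
    '2003-08-20 07:14:09 from=<> to=<bernie@labmice.net> scan=clean subject="Returned mail: virus detected"',
    '2003-08-20 07:15:31 from=<postmaster@example.org> to=<info@labmice.net> scan=clean subject="Warning: your message was blocked"',
    '2003-08-20 07:16:44 from=<carol@example.com> to=<info@labmice.net> scan=W32.Sobig.F@mm subject="Your application"',
    '2003-08-20 07:17:05 from=<MAILER-DAEMON@example.edu> to=<bernie@labmice.net> scan=clean subject="Antivirus notification - infected attachment"',
    '2003-08-20 07:18:50 from=<dave@example.net> to=<bernie@labmice.net> scan=clean subject="Lunch?"',
]

if __name__ == "__main__":
    print(backscatter_report(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        det = parse_log_line(line)
        print(det.scan, det.sender or "<>", "notify" if should_notify_sender(det) else "silent")
```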


Monday, August 18
Microsoft managed to make it through the weekend and thwart the denial of service attack against the Microsoft Update web site, primarily by taking down the URL for windowsupdate.com. In terms of clarity and simplicity, I think it was a rather brilliant solution. I'm so used to Microsoft over-engineering everything, I really thought they were going to try and code their way out of this one. Nope - they just eliminated the target entirely. Users who clicked the Windows Update icon in their toolbars were unaffected, since it resolves to windowsupdate.microsoft.com. There have been a number of lame W32.Blaster variants discovered in the last week, but the most interesting one is Worm.MSBlast.D, which operates the same way the original worm does, but uninstalls itself automatically if the host system reports the year is 2004. What's even more astounding is that it also removes the original MSBlast worm if it is present, and patches the system against the RPC DCOM buffer overflow exploit by downloading the patch from Microsoft's web site. It even reboots the system afterwards! Could this set a precedent and inspire "helpful" viruses? What if a "white hat" hacker had written the original worm to simply patch systems that it found vulnerable to the RPC exploit, instead of inserting malicious code? Would antivirus companies still write code to stop it?


Friday, August 15
I apologize for the late update to the site, but being based in Cleveland, Ohio, we've only had our power restored in the last hour. Things aren't as bad as the news is making them appear. Sure it's hot and a bit uncomfortable, but not unbearable. Most people are behaving themselves, and it was heartening to see that over 90% of the drivers were obeying the 4-way stop rule at non-functioning street lights. All this could have been much worse. For one - it could be the middle of winter, when the temperature in Ohio gets near 0 degrees Fahrenheit. Still, I certainly feel for those stuck in elevators, trains, gridlock traffic, and other snarls caused by the outage. Many of you on the east coast are getting to test out how well your disaster recovery plans are working. For those who need a little help tweaking theirs, check out our disaster recovery section for sample templates and tips. Our Incident Response section may be helpful as well. For now, I'm grateful that power has been restored, although there are still blackouts and a danger that the grid could go down again. Since our servers are based in Atlanta, Georgia, the web site has been unaffected and should continue to be available even if there are additional blackouts. I am a little surprised that a problem in one sector can take out an entire grid this size so easily. I hope the Office of Homeland Security is paying attention, and can upgrade the current controls to prevent this type of shutdown from happening again.


Thursday, August 14
It didn't take long for a variant of the Blaster worm to appear on the web. This version is almost identical to the first except that the name of the executable has changed to "teekids.exe" and the registry entry is "Microsoft Inet Xp..". While Blaster is losing steam and the rate of infections appears to be slowing, the new variant is spreading at a respectable rate. To date the user community has been lucky - neither of these worms has a very destructive payload. While the shutdown sequence is annoying, it would have been easy for any virus writer to include code that could delete files or disable the operating system. One lesson that has been learned is that firewalls aren't just for broadband users. Many dialup users who have been infected with W32.Blaster could have been protected by a simple $30 firewall like ZoneAlarm Pro or BlackICE. Microsoft has also announced that it will enable the Internet Connection Firewall by default on future shipments of Windows XP.


Wednesday, August 13
Microsoft has been busy upgrading its Knowledge Base articles to make them more user friendly - especially articles written for Windows XP Home Edition. The new article format includes color screen shots that accompany detailed walkthroughs, and even images of hardware components to help the non-technical user understand network components. I haven't heard any news on whether Microsoft is planning on revamping all of its existing articles, or extending this format to other platforms (Windows Server 2003, Exchange, SQL, etc.), but it will certainly make some procedures easier to follow and understand. Hopefully it will encourage more users to refer to the Microsoft Support site for troubleshooting and how-to information, even though they typically ignore XP's much improved Help system.


Tuesday, August 12
Although the new "MSBlast" worm is spreading more slowly than "Slammer" and "Code Red", I've already received a rash of calls from dial-up users who are infected and receiving "the RPC service terminated unexpectedly" errors which shut down their machines within minutes of connecting to the internet. What makes this interesting is that dial-up users seem to be getting infected at a higher rate than broadband users, presumably because broadband users find it easier to keep their systems patched using Windows Update. Microsoft released a patch for this vulnerability on July 16th and has been urging users to update their systems, but this task is a little cumbersome for the 56k crowd. One system I looked at (which hadn't been patched since XP SP1) reported 27 critical patches pending, totaling 36 MB - a hefty download for a dial-up connection. To make matters worse, Symantec doesn't do a great job of automatically removing MSBlast, requiring users to turn off System Restore, perform a registry edit, and use Task Manager to kill the msblast.exe process. Not too difficult for the computer savvy, but beyond the average user's capabilities. (Update: Symantec has released an automated tool for removing MSBlast.) Either way, this will be a big mess to clean up and will definitely tarnish Microsoft's reputation for Trustworthy Computing. Another interesting "feature" of this worm is that it doesn't require any user action - it spreads by scanning IP addresses and checking for the existence of the RPC vulnerability. If found, it installs itself on the host system and keeps scanning for more vulnerable systems. The only positive thing about this worm is that it's inefficient and spreading slowly. That doesn't mean other virus writers won't copy its basic functions and create a more destructive worm with a faster infection rate.


Monday, August 11
Although I happen to like Microsoft's operating systems (as if you couldn't tell), there are a number of people who buy PC's with Windows preloaded. According to the Microsoft license agreement that appears when you boot the PC, you are entitled to a refund from the manufacturer if you don't agree to its terms. The real trick is getting a refund. The first obstacle is that you can't print the agreement unless you agree to it. But the biggest hurdle is getting the PC manufacturer to actually get you a refund.
Steve Oualline managed to get a $199 refund (plus court costs) for Windows XP by taking his PC manufacturer to small claims court after they reluctantly offered a refund based on their wholesale costs ($10.00), not the typical $90-$120 many OEM's charge. The day before the court battle, the OEM offered a $199 refund (the retail cost of the software), but this included a gag order preventing Steve from talking about his experience and didn't cover his $130 in court costs. So why am I highlighting this case? Because the tips provided in this article apply to other pre-bundled software as well. In addition, you may have an existing and broader license for Windows XP in your company, and shouldn't have to pay twice for software when you buy a new PC.


Friday, August 8
Security vendor Rainbow Technologies released a study that revealed that most users frequently mishandle their user IDs and passwords and often call the help desk when they forget their passwords and can't log in. (I'm sure this will come as a big shock to any network administrator.) In addition, the survey discovered that password policies at many companies are very weak and few companies require complex passwords or require that users change their passwords on a regular basis. Somewhere along the line, someone decided that the estimated cost of enforcing a more effective password policy ($100 - $300 per user) outweighs the cost of lost or stolen data. But that doesn't make sense either. What is your company's data worth? Probably a lot more than $100 per employee. Which means companies are "gambling" they won't have a security incident. That's a bit like living in a trailer park in Kansas. The other side of this argument is why are we still using passwords? Biometric devices have become so cheap, they're being built into everyday items like PDA's and cell phones. Fingerprint scanners have been built into keyboards, mice, detachable USB devices and even laptops for years. These devices could reduce identity theft, if they were used in place of signatures and PIN numbers. Microsoft and Novell support biometric authentication and while these devices aren't perfect, they are getting better every day and deserve a second look. While they might be a little expensive for everyday users, they are ideal for high risk devices such as laptops, servers, and workstations that interface with sensitive data. If you've already implemented biometrics at your company, drop me a line and let me know what your experience has been.


Thursday, August 7
The Register released a report yesterday outlining the security threat posed by memory sticks and USB flash drives, something we warned our readers about back in February. What the new report doesn't mention is the new breed of compact USB-enabled wireless network cards that can also be discreetly attached to any system and enable hackers to establish an instant ad hoc wireless network. While these devices are not driverless like the USB flash drives, the installation is still very simple and likely to go unnoticed. Just plug them into a USB port, configure the device, and surf anonymously (or hack the network) from a nearby location. While the range of these devices isn't great, the technology is improving rapidly and this hack could become more popular in the future. To date the only way to lock out the USB ports on your PC is by using SecureWave's software. We're hoping Microsoft will release an update to Group Policy that will allow administrators to control what devices can attach to a USB port. Until then, you may want to keep an eye out for these devices.


Tuesday, August 5
Now that Windows XP has been out for a year, the paranoia surrounding Microsoft's product activation has subsided to the point that other software companies have released similar activation schemes. But does product activation really stop piracy? From the start Microsoft has said that the feature was designed to stop casual copying, and not to thwart the determined hacker/cracker. Sure enough, it wasn't long before a number of hacks and key code generators appeared on the web. Software pirates were also quick to distribute corporate versions of XP Professional that still required a key, but not activation. Microsoft countered these efforts with a "feature" in XP Service Pack 1 that blocked updates on XP Professional installations using a product ID that was in use by almost 90% of all pirated copies. In the event a contractor or other individual had used this blocked key to install XP in a corporate environment instead of checking to find out what the legitimate key was, we published a very popular article on how to change the product ID in Windows XP Professional. At first, Microsoft threatened to sue under the DMCA, claiming we were offering a method of bypassing copy protection features. After a few weeks of negotiating with the legal department we were allowed to republish a modified version of the article, and then Microsoft published their own version. But ever since I published that article I've been flooded with e-mails from users asking for CD keys for XP Professional and Home Edition. Usually they have some elaborate story of how they "lost their CD and the activation key" but got another copy without a key, blah, blah, blah. Some claim their PC crashed and they don't have a recovery disk, or they had XP Home Edition but "acquired" a copy of XP Pro and want to know if their original key code will activate it. (No, it won't.) Whether these claims are true or not, it does show that people are still trying to bypass Microsoft's anti-piracy measures and are having some difficulty doing it. So in a sense it's working. The big question now is, what's next? Windows XP Service Pack 2 is due to be released soon and could possibly include a few countermeasures of its own. Will Microsoft include a tougher activation scheme in Longhorn, its next desktop operating system due in 2005? Will they ever consider following the RIAA's heavy handed example and subpoena ISP's for the addresses of users and take people to court? Would lowering the price of Windows XP curb piracy?


Monday, August 4
A friend of mine (who is also a network administrator) recently confessed that since virus warnings are issued so frequently, and he isn't gullible enough to open and execute attachments, he simply ignores them. What's more, he states he is sick of seeing them. Apparently they're getting to be a little like news reports of natural disasters in areas that always get the same natural disasters. It's not news, just part of the risks involved in everyday life. Fair enough.
But earthquakes aren't preventable, and viruses are. And not just from the point of view of a network administrator, but from the end user level as well. The latest annoyance, the Mimail worm, comes as a ZIP attachment containing an HTML file and a UPX-compressed Win32 EXE file. Although it uses social engineering to get users to open the attachment (claiming to be from your ISP and threatening to shut down your account), it actually requires a few steps to execute and assumes the user knows what to do with a ZIP file. Even Microsoft assumed that anyone computer savvy enough to decompress a ZIP file would be savvy enough to know this was a ploy, and so they issued a statement downplaying the threat. So why did thousands of people fall for this? Was there a false sense of security because it contained a ZIP file and not an executable (EXE)? Did they really believe admin@isp.com was going to shut down their e-mail accounts? One thing is certain. If they had paid attention to the virus alerts, they wouldn't have opened the attachment.


Friday, August 1
I am not a big fan of my local phone company, SBC Communications. Not only has the service been poor here in Cleveland, but they've been fined millions of dollars by several states for failing to meet their service level agreements. Things were so bad that during the years my girlfriend worked at SBC, she would avoid admitting it in public as it always generated a strong negative response. (Almost as bad as working for the IRS.) So I was a bit surprised to learn that SBC is the only ISP that is standing up to the RIAA to protect the privacy rights of its customers. For those who have been living in a cave, the RIAA (Recording Industry Association of America) has been going after people who trade music online using peer-to-peer software (BearShare, Kazaa) by tracking their IP addresses, subpoenaing the ISP's to reveal the person's identity, and then suing the individual for damages and lost revenues. Not wanting an expensive legal fight with the RIAA, most ISP's happily sell out their customers and move on. In this case, only a small unit of SBC (PacBell Communications) is fighting the subpoenas, and there is no word as to what the overall support from SBC is, or if other units around the country are standing fast as well. Perhaps this will inspire other major ISP's (Earthlink, AOL) to do the same and put a stop to the RIAA's witch hunts.

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.