Defrag scareware

This isn’t exactly news, as word has been going around for a couple of weeks, but if you haven’t heard about it elsewhere, there are some fake defragmenters going around.

I heard mention of it today, and it reminded me that I saw one last week when I was working on my mother-in-law’s computer. This was especially obnoxious, considering that at the time, I was running Firefox and I was visiting a mainstream site.

So there are a couple of things you need to keep in mind.
Read more

Unlocking the Malicious Software Removal Tool

When Microsoft’s monthly security patches come down, if you’ve ever clicked on the button to see what it’s installing, you may have noticed the Malicious Software Removal Tool.

If you’re wondering, it’s a rudimentary antimalware tool that removes selected vermin from your system. It doesn’t remove all known malware. And I don’t know exactly how Microsoft decides what to remove and when. But given the number of people who don’t run any kind of antimalware software, it probably seemed like a good idea when they rolled it out in 2005. And in the first 15 months they pushed the tool out with the monthly patches, it removed 16 million instances of malicious software. Not bad.

The tool has some power that you can unlock that normally isn’t exercised when you do your monthly updates.

Note: In a corporate environment, you may not get the Malicious Software Removal Tool automatically if you’re managing Windows updates yourself. Microsoft has instructions for deploying it to your enterprise.

Read more

Don’t use Internet Explorer this Christmas

In case you haven’t heard elsewhere, there’s a nifty unpatched vulnerability for Internet Explorer floating around. And it’s actively being exploited. Metasploit, an exploit toolkit used by penetration testers and script kiddies alike, is able to detect and utilize it.

Under these circumstances, Microsoft has been known to rush out a patch before the next scheduled Patch Tuesday, but the Christmas and New Year’s holidays will obviously slow things down.

In the meantime, installing Firefox and/or Chrome is prudent. I have and use both, since, to my knowledge, there hasn’t been a time yet when both of the two most popular alternative browsers had unpatched exploits in the wild.

How to clean viruses off other people’s systems safely

What should you do when someone hands you a computer, tells you they think it has a virus, and asks you to clean it?

Proceed carefully, that’s what. You don’t want to infect your other computers with whatever it has.

To get it gone safely and effectively, you really need two things: an antivirus live CD, and a spare router.
Read more

Speeding up a sluggish HP Mini 110

My mom’s HP Mini 110 Atom-based netbook (with the factory 16GB SSD) was hesitating, a lot. Frankly it was really frustrating to use–it would freeze up for minutes on end, for no good reason. It was so slow, calling it “sluggish” was being kind. But it’s fixed now. I did six five things to it. Here’s how to speed up an HP Mini 110.

Read more

Fix host hijacks or host file hijacks for free

Sometimes your antivirus will tell you that you have host hijacks or host file hijacks, but not elaborate on how to fix them. Some people charge way too much to fix them. Here’s how to fix host hijacks or host file hijacks for free.

A former classmate’s computer suddenly stopped letting him get to search engines. Aside from that, his computer appeared to be normal.

Fortunately he had some antivirus and antispyware software installed, so he was able to run it and get a relatively clean bill of health, but he still couldn’t use Google or Bing or Yahoo.

One of the pieces of software he ran mentioned a host hijack or hosts file hijack, but didn’t offer to clean it up without ponying up some serious bucks.

That was enough to tell me how to clean it up though. You don’t have to buy anything.

Read more

Blocking malware at the operating system level

In recent months I’ve been recommending that everyone run Adblock Plus with the malware domains subscription, to get extra protection beyond what your antivirus/antispyware suite can give. Given a choice between detecting and blocking bad stuff, or not downloading it at all, it’s much better to not download it at all.

There are some downsides to this. Adblock Plus uses a fair bit of memory. It’s tolerable on my desktop PC with 2 GB of RAM, but less so on my netbook with 1 GB of RAM. And if you have to use a browser that doesn’t have a compatible version of Adblock Plus available, you’re unprotected.

The solution is to block at the operating system level, using the hosts file.

Here’s a script that does it, with instructions.
http://www.ericphelps.com/scripting/samples/Hosts/index.htm

But I know of one malware site list that his script doesn’t use: http://www.malwaredomainlist.com/hostslist/hosts.txt.
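One way to fold a hosts-format blocklist (the malwaredomainlist hosts.txt above uses that format) into an existing hosts file, as an added example that is neither the linked script nor the blog’s own code: the marker comments, the 0.0.0.0 sink address and the sample inputs are my own choices, and the sample data is constructed.

```python
import re

BEGIN = "# BEGIN malware-domain blocklist (managed)"
END = "# END malware-domain blocklist (managed)"
# Names every hosts file already maps; a downloaded list must never redirect them.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost",
        "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}
_HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)*$")

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-format text, dropping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()

def blocklist_domains(text):
    """Hostnames a blocklist redirects, minus local names and malformed entries."""
    return {name for _addr, name in parse_hosts(text)
            if name not in SKIP and _HOSTNAME.match(name)}

def strip_managed(text):
    """Drop a previously inserted managed section so the list can be refreshed."""
    out, inside = [], False
    for line in text.splitlines():
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif not inside:
            out.append(line)
    return "\n".join(out).rstrip("\n") + "\n"

def merge_hosts(existing, blocklist, sink="0.0.0.0"):
    """Return the existing hosts text plus a managed block of sinkholed domains."""
    # 0.0.0.0 (my choice) fails fast; the published lists themselves use 127.0.0.1.
    base = strip_managed(existing)
    present = {name for _addr, name in parse_hosts(base)}
    new = sorted(blocklist_domains(blocklist) - present)
    if not new:
        return base
    body = "\n".join(f"{sink} {name}" for name in new)
    return f"{base}{BEGIN}\n{body}\n{END}\n"

# Constructed sample inputs (not real data).
EXISTING = "127.0.0.1 localhost\n::1 localhost\n192.168.1.10 fileserver\n"
BLOCKLIST = ("# constructed sample in hosts.txt format\n127.0.0.1 localhost\n"
             "127.0.0.1 bad.example\n127.0.0.1 evil.example.test # comment\n"
             "127.0.0.1 bad_host!\n")
```

Running merge_hosts again on its own output replaces the managed block rather than appending a second copy, so the same call works for the first install and for every later refresh of the list.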

Read more

Buffer overflows explained

Buffer overflows are a common topic on a Security+ exam. The textbook explanation of them is confusing, perhaps even wrong. I’ve never seen buffer overflows explained well.

So I’m going to give a simplified example and explanation of a buffer overflow, similar to the one I gave to the instructor, and then to the class.

Read more

Something to try when ERD Commander’s Locksmith doesn’t work

So maybe you’re like me and you’re administering a system that fell off its Windows domain, and the system was built by your predecessor’s predecessor, the local administrator account was renamed, and nobody has any clue what the account name or password is.

And you try ERD Commander because it worked in the past, but not this time. Usually the Locksmith works. But in this case, it didn’t, and of course everyone wanted the server back online an hour ago. We tried everything else we could think of for about three days, including downloading some things that I was sure would get me a visit from a security officer. Nothing worked. At least when I got the visit from the security officer, he just wanted to know why there were repeated attempts to log in with certain accounts.

“I was trying to hack into my own server and it seems I’m not a very good hacker,” I said. Duh.

So I found myself standing at the server with another sysadmin, having used my last idea. “I don’t suppose you have any ideas?” I asked. “I figured if you did, you would have said so by now, but…”

He shook his head.

Finally, I had one last idea. I asked him what he set the password to when he used ERD Commander.

“Password,” he said. “To make it easy to remember.”

Aha! A light went off. This system was hardened to require stronger passwords than just an 8-character alphabetic password. I had a hunch that was what was keeping us from being able to log in using our hacked account.

So we booted off the ERD Commander CD yet again, connected to the Windows installation, located what we were pretty sure was the renamed local administrator account, and I reset it to the standard mixed-case special character password we use for the local admin accounts.

We held our breath, rebooted, and tried to log in.

Success. Finally.

So if ERD Commander isn’t working for you, try using a stronger password to satisfy your local system policy.

And just in case you’re wondering why a computer falls off a domain, computers have usernames and passwords just like users do. Occasionally the passwords get reset. If for some reason the domain controller thinks a member computer’s password is one thing, and the member computer thinks it’s something else, you end up with a computer that says it’s on the domain, but can’t authenticate against it. The solution is to log in with a local administrator account, then either run NTDOM.EXE from the Windows Support Tools, or remove the computer from the domain and add it back in. You can just put the computer in a workgroup, ignore the dialog box that says you have to reboot, then add it to the domain, and then reboot.