Microsoft has published the Windows NT 4.0 and Windows 98 threat mitigation guide, which identifies security issues in networks that include computers running Windows NT 4.0 and 98, explaining the best hardening strategies that an organisation can use until they are able to upgrade these operating systems.
Author: Mark Wilson
-
Windows AutoPlay on a USB flash drive
I’ve been looking at using the AutoPlay functionality in Windows to launch an HTML document each time I insert a USB flash drive. Controlled using a file called autorun.inf, AutoPlay is designed for CDs, but I see no reason why it should not work with other removable media.
There is an excellent overview of the autorun.inf file on the Moon Valley Software website. Although autorun.inf files are easy to edit using a standard text editor such as Notepad, the Moon Valley Autorun.inf Editor is a free download from the Moon Valley Software website, which includes a particularly useful feature to locate and display icon resources within a .DLL.
Using this, I soon had a file which changed the icon and name for the USB flash drive when I inserted it, but I could not get it to automatically launch an HTML document.
After some searching (most notably a TechRepublic post), I discovered that the open command in autorun.inf only recognises programs. Windows 2000 and later recognise the shellexecute command to open other file types, for example:

[autorun]
shellexecute=index.html

Once open= is replaced with shellexecute=, the context menu in Windows Explorer recognises index.html as the default action for the device, but for some reason it does not launch when I insert the USB flash drive into either of the PCs I’m using today. I checked out Microsoft knowledge base articles 155217 and 314855 but found the PCs were correctly configured to AutoPlay.

Searching the ‘net brought up a host of utilities (some free, some not) which are designed to extend the AutoPlay functionality, but by far the most useful utility was autorun.exe (a free download from the Tarma Software Research website, not to be confused with Peter Harrison’s AutoRun from the imagespro.com website). I found that autorun.exe would execute the commands in my autorun.inf file, but still not automatically launch when the USB flash drive was inserted.
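The check those two knowledge base articles describe is the NoDriveTypeAutoRun policy value, a bitmask in which each set bit disables AutoRun for one drive type. As an added example (not code from the original post), the following Python decodes that bitmask and, when run on Windows, reads the live value from HKLM and then HKCU (a value in HKLM takes precedence). The bit meanings are Microsoft’s documented DRIVE_* mapping; the key path and value name are the real ones, and 0x91 is the commonly cited Windows XP default. One caveat for anyone reading this today: Microsoft later disabled autorun.inf processing for USB flash drives on all supported Windows versions because it had become a popular malware vector, so on a current PC what this post is trying to do will not work no matter how the policy is set.

```python
"""Decode and (on Windows) read the NoDriveTypeAutoRun policy.

Added example, not part of the original post. Bit meanings follow
Microsoft's documented mapping: bit n is set when GetDriveType() would
return n for the drive; a set bit disables AutoRun for that type.
"""

DRIVE_TYPE_BITS = [
    (0x01, "DRIVE_UNKNOWN"),
    (0x04, "DRIVE_REMOVABLE (floppy, USB flash drive)"),
    (0x08, "DRIVE_FIXED (hard disk)"),
    (0x10, "DRIVE_REMOTE (network drive)"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "reserved / unrecognised drive types"),
]

XP_DEFAULT = 0x91  # unknown + network + reserved types disabled; removable allowed
ALL_DISABLED = 0xFF


def decode_no_drive_type_autorun(value):
    """Return the names of the drive types whose AutoRun this bitmask disables."""
    return [name for bit, name in DRIVE_TYPE_BITS if value & bit]


def autorun_allowed_on_removable(value):
    """True when the removable-drive bit (0x04) is clear, i.e. a USB flash
    drive's autorun.inf is not blocked by this policy value."""
    return not (value & 0x04)


def read_policy():
    """Read NoDriveTypeAutoRun from the registry, HKLM first (it overrides HKCU).

    Returns (hive_name, value) or None when the value is absent or when this is
    not running on Windows (the winreg module only exists there).
    """
    try:
        import winreg
    except ImportError:
        return None
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for hive_name, hive in hives:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                value, _kind = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                return hive_name, int(value)
        except OSError:
            continue  # key or value not present in this hive
    return None


def report(value, source="supplied value"):
    """Human-readable summary of one policy value."""
    lines = ["NoDriveTypeAutoRun = 0x%02X (%s)" % (value, source)]
    for bit, name in DRIVE_TYPE_BITS:
        state = "disabled" if value & bit else "allowed"
        lines.append("  %-44s AutoRun %s" % (name, state))
    return "\n".join(lines)


if __name__ == "__main__":
    found = read_policy()
    if found is None:
        print("Not on Windows or value not set; showing the XP default instead.")
        print(report(XP_DEFAULT, "XP default"))
    else:
        print(report(found[1], found[0]))
```

If the removable-drive bit is clear and the drive still does nothing on insertion, the policy is not the problem, which matches what the post found on the two PCs.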
-
(Probably) the smallest server in the world
This weekend, I set up my new network attached storage (NAS) unit, which may well qualify as one of the world’s smallest (and least expensive) servers. It’s a Linksys Network Storage Link for USB 2.0 Disk Drives (NSLU2), coupled with one of my ultra-portable external storage devices.
The NSLU2 is a low-cost device for converting any USB storage into NAS. It is basically a tiny Linux server with a 10/100 Ethernet port and two USB 2.0 connections (mine cost £59.99 from Amazon). What’s more, it seems to have developed quite a following with those who are hacking the device to make it a more useful Linux server.
The NSLU2 gets slated in a CNET review, but basically you get what you pay for and for this price I’m not sure that you can really go wrong. It seemed to me that most of the CNET feedback was from consumers (with limited technical knowledge) who expected to connect their FAT or NTFS-formatted USB disks and access them across the network. The NSLU2 won’t let you do that as it uses the Linux ext3 file system, but once formatted on the NSLU2 they should still be readable on a Windows system with an appropriate file system driver.
Having said that, Linksys do not help themselves and much of the negative feedback will be down to the terrible documentation supplied with the product. I needed to carry out some Internet research before I could get mine working using two important pieces of information:
- It initially uses an IP address of 192.168.1.77/24 (not DHCP). To change that using the supplied software you need your client to be on the same subnet. Alternatively just go to http://192.168.1.77/ and it will launch straight into the web interface.
- The initial administration username and password are both set to “admin” (worth changing before the device is reachable from anything other than your own LAN).
I’m not going to provide a full review as there are some good ones out there already – the best ones that I’ve found have been at MacOS X Hints (concise) and at Tom’s Networking (more extensive).
Basically, for low-cost NAS, the NSLU2 is great; but it is definitely for a SOHO environment only, and I’m already looking at the Buffalo LinkStation Network Storage Center for when I need some more storage in a few months time. The main reason I didn’t go with the LinkStation from the start is that it’s a £220 investment and for £60 my NSLU2 will keep me going for a few months until it starts a new life as a Linux project.
Links
Linksys Network Storage Link for USB 2.0 Disk Drives
Linksys NSLU2 datasheet
Hacking the NSLU2: Part 1; Part 2; Part 3; Part 4; Part 5
Linux on the NSLU2
NSLU2 Linux
Buffalo LinkStation Network Storage Center
-
Ultra-portable external storage
I’ve found the solution to my portable storage needs: an old (20Gb) laptop hard disk from my internal IT support department and a cheap (£2.99 + postage) USB enclosure picked up from eBay.co.uk. One of my clients bought something similar a few months back and it has taken me this long to get hold of a suitable hard disk; but now I have a decent amount of portable storage that I can format with NTFS (or any other file system I choose) and transfer between PCs at home and work.
The enclosure I bought is mostly aluminium, with a single LED to indicate power and/or drive access, and is just big enough for a slimline (9.5mm) laptop disk drive. It has a Y-shaped connector cable, with two USB 2.0 connectors at the forked end and a proprietary connection at the other, which is used to power the unit. I’ve found that I need to use both connectors to draw enough power on a Compaq or Dell laptop (The Compaq and IBM desktop PCs I tried seem to work with just one connection). Supplied with a driver CD (for Windows 98), screws, and a mock-leather wallet, I had no problems getting Windows XP to recognise it (without any additional software), and whilst the disk I was given only spins at 4200 RPM, it seems plenty fast enough for my needs.
-
Mozilla Firefox – make the switch today!
Alex Coles showed me the Firefox browser last week and ever since then I’ve been hooked! With the recent (and highly-publicised) run of flaws in Internet Explorer (IE) resulting in bodies such as US-CERT advising users to consider switching to an alternative browser, the browser marketplace has been opened up again, leading to IE’s market share slipping and the Mozilla website reporting 3,592,687 downloads of the Firefox preview release as I write this (1.3 million of which were in the first week).
So why is Firefox so great? Well, for a start it’s fast. It takes about the same time as IE to launch, but seems about 4 times faster to render popular websites (e.g. BBC, or The Register). Previously, I had thought it was my connection that was slow – not my browser! One of the major features is tabbed browsing – I wasn’t convinced as to the difference between multiple tabs in a single browser and multiple copies of a browser, but it just seems easier to work with! Installation is easy too – it’s compact (at 4.5MB) and even imports my IE settings. Like the latest IE version, it has an integrated popup blocker; but it also includes integrated search tools for Google, Yahoo and others in its toolbar. It just seems more elegant.
Actually (much to my own surprise) I’m becoming a bit of an open source fan. I use FeedReader as my RSS aggregator and now Firefox is my browser of choice. I’ll probably start looking at the Mozilla Thunderbird e-mail client too.
Internet Explorer is not dead – it still holds more than 90% of the market, but as Firefox rises in popularity, perhaps Microsoft will look seriously at a full redesign, including a host of new features? We can but hope.
-
No feature pack for ISA Server 2004
Last week I was at a Microsoft TechNet evening where the speaker indicated that there may not be a feature pack for ISA Server 2004 and instead any new features will be held over for ISA Server 2006 (codenamed Wolverine). This includes network access protection (NAP) and all of the other filters, tools, etc. that did not make it into ISA Server 2004.
The issue of NAP is an interesting one as the Microsoft website indicates that this will be incorporated into Windows Server 2003 release 2.
-
The perils of running an unsecured FTP server
Last week I got hacked.
I’d opened up my previously stealthed firewall to:
- Access my home network when I’m at work;
- Allow one of my friends to post some large files to my FTP server.
The trouble is that I hadn’t been carrying out the best practices that I would advocate for my enterprise clients. Despite last month’s post on securing IIS, I had just opened up the standard ports to a standard IIS server which wasn’t even in a demilitarized zone (DMZ).
I didn’t think I’d be a target for a hacker but within a few days some guys in Italy and Belgium had started abusing my FTP server to dump their files (this article from ZD Net leads me to believe that it’s a common practice). I don’t know what the contents were. I deleted them quickly to be safe and shut down the firewall until I could implement something more secure.
Thankfully, I got off lightly (this time). I checked the logs last night and my new security measures are keeping the intruders out. If you do need to provide an FTP service, you might like to read the windowsecurity.com article with 10 steps to secure an FTP server.
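Checking the logs is the right habit, and the pattern in this post (anonymous clients uploading into a writable directory) is easy to pick out automatically. As an added example, not code from the original post, the following Python scans an IIS FTP log in W3C extended format, lists successful uploads per client address and user, and counts failed logins. The log lines are constructed for this example; the layout follows the W3C extended format IIS writes, and the method names follow what the IIS 6 FTP service logs (a session number in brackets, then USER, PASS, created for an upload and sent for a download) with the IIS 7.5-style FTP verbs accepted as well. The field list in the #Fields header is an assumption about how the server was configured.

```python
"""Flag anonymous uploads and failed logins in an IIS FTP W3C-format log.

Added example, not part of the original post. SAMPLE_LOG is constructed.
"""
from collections import Counter, defaultdict

# Constructed sample, modelled on the W3C extended format IIS writes. The
# #Fields line drives the parser, so a log with a different field set still
# parses as long as the fields used below are present.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-10-09 22:14:02
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-10-09 22:14:02 203.0.113.7 - [1]USER anonymous 331
2004-10-09 22:14:02 203.0.113.7 - [1]PASS guest@ 230
2004-10-09 22:14:05 203.0.113.7 anonymous [1]created /incoming/x.rar 226
2004-10-09 22:14:09 203.0.113.7 anonymous [1]created /incoming/y.rar 226
2004-10-09 22:15:00 198.51.100.4 - [2]USER mark 331
2004-10-09 22:15:01 198.51.100.4 - [2]PASS - 230
2004-10-09 22:15:20 198.51.100.4 mark [2]sent /docs/report.doc 226
2004-10-09 22:16:40 203.0.113.7 anonymous [1]created /incoming/z.rar 226
2004-10-09 22:17:00 192.0.2.99 - [3]USER anonymous 331
2004-10-09 22:17:01 192.0.2.99 - [3]PASS - 530
"""

# IIS 6 logs an upload as 'created'; IIS 7.5 and later log the FTP verb.
UPLOAD_METHODS = {"created", "STOR", "STOU", "APPE"}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        yield dict(zip(fields, parts))


def method_name(cs_method):
    """Strip the [session] prefix IIS 6 puts in front of the method."""
    if cs_method.startswith("[") and "]" in cs_method:
        return cs_method.split("]", 1)[1]
    return cs_method


def find_uploads(text):
    """Map (client IP, username) -> list of paths successfully uploaded."""
    uploads = defaultdict(list)
    for rec in parse_w3c(text):
        if method_name(rec["cs-method"]) in UPLOAD_METHODS and rec["sc-status"].startswith("2"):
            uploads[(rec["c-ip"], rec["cs-username"])].append(rec["cs-uri-stem"])
    return dict(uploads)


def anonymous_uploaders(text):
    """Client IPs that uploaded while logged in as 'anonymous'."""
    return sorted(ip for (ip, user) in find_uploads(text) if user == "anonymous")


def failed_logins(text):
    """Count PASS commands that were rejected (FTP reply 530), per client IP."""
    failures = Counter()
    for rec in parse_w3c(text):
        if method_name(rec["cs-method"]) == "PASS" and rec["sc-status"] == "530":
            failures[rec["c-ip"]] += 1
    return dict(failures)


if __name__ == "__main__":
    for (ip, user), paths in find_uploads(SAMPLE_LOG).items():
        print("%s as %s uploaded %d file(s): %s" % (ip, user, len(paths), ", ".join(paths)))
    print("anonymous uploaders:", anonymous_uploaders(SAMPLE_LOG))
    print("failed logins:", failed_logins(SAMPLE_LOG))
```

Any non-empty result from anonymous_uploaders() on a server that is not meant to accept anonymous uploads is the signal this post describes; on the sample it is the single host that dropped three files into /incoming.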
-
Starting to look at Linux
A few years ago I had an abortive dabble with the Macintosh world when I bought myself an iMac for digital video work (back in the days when FireWire cards for PCs were expensive and the associated Windows support was patchy). The iMac was great in that I had it working within 10 minutes of unpacking it and it looked good, but I couldn’t adjust to MacOS 9 (I hadn’t used a Mac since Uni’) so it gathered dust for a couple of years before I sold it to one of my Mac-obsessed friends.

Now I’m thinking of having a play with another operating system that I haven’t touched since Uni’ – Linux. But this time the reasons are different. When I started out at ICL in 1992 I worked in a mainframe support centre and saw Unix as the “next big thing”. Over the next couple of years I had some exposure to various Unix operating systems, but my work took me towards PCs running MS-DOS and Windows, connecting to NetWare and LAN Manager servers. I started to learn NetWare but found myself turning towards Microsoft and now I find myself in the situation where I’ve known MS-DOS for 16 years, Windows for 14 years, and worked with LAN Manager (together with its NT-based derivatives) for the last 10 years.
So why the change of focus? Basically I figure that the popularity of Linux in the back office seems to be on the increase, and the delay to (and stripping of functionality from) the next version of Windows (codenamed Longhorn) might just lead to an increase in the number of organisations running a version of Linux on the desktop.
I’m not deserting Microsoft technologies – they’ve helped me build a successful career so far and I hope that continues to be the case for many years to come, but I think Linux may be stepping out of the shadows and will be a significant competitor over the coming years. Even Microsoft are waking up to the fact:
“Linux isn’t going to go away. Our job is to provide a better product.”
[Steve Ballmer, Chief Executive, Microsoft]
I bought myself a copy of the Complete Linux Handbook (the editorial content of which is a little biased against Windows, but no surprises there!) and the first issue I’ve come across with Linux is knowing which version to use. One thing I’ve found is that the major distributions are anything but free! I’ll probably switch my primary home PC to SUSE 9.1 (now owned by Novell) and keep Windows XP on the others (including my work laptop).
On a related note, this week’s IT Week contained an interesting pull-out section entitled “The open debate – Linux or Windows? Expert advice for decision-makers”. The version at the VNU website is not exactly the same, but it looks like a good information source for this hot topic.
-
Protection against mobile malware
As mobile phones offer more and more computing functionality, anti-virus technologies for smartphones have become an inevitable reality.
Back in June 2004, the Symb/Cabir-A worm was released (as reported by the BBC and others). The target is the Symbian operating system – just as for Windows on a PC, virus-writers and hackers will attack the largest user base first.
Let’s face it – no hacker will get any credit for exploiting a security hole in something obscure – that’s why Microsoft gets so much bad security press and Linux and Macintosh users say “my system is secure” – in reality they are probably no more secure than a well-configured Windows system, just not such a target.
According to an article at the PC World website, Nokia are addressing the issue by teaming up with F-Secure to offer subscription-based anti-virus protection for their Series 60 smartphones, starting with the forthcoming Nokia 6670. Quoting from Nokia:
“F-Secure Mobile Anti-Virus is available for the Nokia 6670 imaging smartphone, providing automatic, transparent real-time protection against harmful content locally on the mobile phone. Updating the phone’s virus database can be done either over an HTTPS connection or, in critical cases, by SMS message.”
Cabir spreads over Bluetooth, pushing itself to any discoverable phone in range (the same channel that bluejacking uses), and as most people are oblivious (no nice IT department managing the security of consumer mobile phones!), the best advice I can give is to set your phone to undiscoverable or hidden. There is also some advice on “mobile malware” at the Nokia website.
You can learn more about Bluejacking at the BluejackQ website. To make matters worse, a colleague of mine found this document, which suggests some people are thinking of using it as a marketing channel.
-
Get ready to pay for your Hotmail
In a somewhat cynical (IMHO) move, Microsoft is hiding behind security to drop access to its free Hotmail service from Outlook, Outlook Express, and presumably from competing e-mail clients. The service (which uses web based distributed authoring and versioning – WebDAV) will still be available, but users will have to pay for it. To Microsoft’s credit, I believe that AOL and Yahoo! already restrict such access to paid subscribers.
According to the BBC, users who want to use Outlook to pick up their Hotmail messages will have to pay $19.95 (£11) for an annual subscription to Hotmail Plus or the $99.95 (£55) a year for MSN Premium. Users who are already using the technology to download their messages will be able to carry on using the service for free until April.
MSN say they have decided to make the changes because spammers were exploiting the system (do they think spammers will be put off by a $19.95 annual charge?). They have already taken other steps to prevent spammers using Hotmail by limiting the number of outgoing messages on free accounts to 100 per day and introducing extra validation requirements when opening a new account.
The withdrawal of free WebDAV access began on September 27th for new users and will become effective for all users worldwide in 2005.
Links
Microsoft Nixes Outlook, Outlook Express Access to Free Hotmail Accounts
Hotmail fees for Outlook access
