Blog

Recently one of our clients was having problems viewing an image that was embedded (not a linked image) in an email. For other recipients of the same email, the image displayed correctly. Where the image should have appeared, there was simply an outline with a red X in the upper left-hand corner of the blank image area. After checking to make sure the Outlook security settings were configured to display images in emails, I discovered that the little-known (and invisible) OutlookSecureTempFolder was ‘full’ and that by emptying it out, images would display correctly in the emails. Here’s the nitty-gritty of what was happening:

When you open attachments/images directly from an email within Outlook (as opposed to saving the attachments to another location and then opening them from there), a copy is written to a temporary folder referred to as the OutlookSecureTempFolder. This particular user’s folder was ‘full’ (although she still had plenty of disk space). The trick is that to regular users this folder is invisible (even if you’ve enabled the “Show Hidden Files and Folders” setting) and its name is randomly generated. In Outlook 2007 that randomly named directory resides by default at:

In Windows XP:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Outlook\XXXXXXXX, where XXXXXXXX can be any random characters.

In Vista:
C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\XXXXXXXX, where XXXXXXXX can be any random characters.

To find (and change if you like) the location of this randomly generated folder path, look in the registry at: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security\OutlookSecureTempFolder

Once you find that directory, you can simply type the path directly into Windows Explorer and delete the temp files that are there, and your emails will begin to display images again. Now you can see all of those oh-so-wonderful image-laden forwards that your grandmother sends you! If you want to bump up your security and avoid this problem at the same time, take a look at our recommendation in a previous post to automatically delete Temporary Internet Files when you log off or shut down.
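The lookup-and-clean procedure above as a PowerShell function (an added example, not part of the original post). It assumes the Outlook 2007 `12.0` registry key given above; the function name `Clear-OutlookSecureTemp` and its parameters are hypothetical.

```powershell
# Added example: resolve OutlookSecureTempFolder from the registry, report on it,
# and optionally empty it. Function and parameter names are hypothetical.
function Clear-OutlookSecureTemp {
    param(
        [string]$OfficeVersion = '12.0',  # 12.0 = Outlook 2007, per the post
        [switch]$Remove                   # without -Remove the function only reports
    )

    $key  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    $prop = Get-ItemProperty -Path $key -Name OutlookSecureTempFolder -ErrorAction SilentlyContinue
    if (-not $prop) {
        Write-Warning "OutlookSecureTempFolder value not found under $key"
        return
    }

    $folder = $prop.OutlookSecureTempFolder
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Registry points to '$folder', which does not exist"
        return
    }

    # Files Outlook still has open cannot be deleted, so flag a running instance.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning 'Outlook is running; close it so open attachments are not locked.'
    }

    # -Force is required because the folder and its contents are hidden from Explorer.
    $files = @(Get-ChildItem -LiteralPath $folder -Force -Recurse |
               Where-Object { -not $_.PSIsContainer })
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { $bytes = 0 }

    Write-Output ("{0}: {1} files, {2:N2} MB" -f $folder, $files.Count, ($bytes / 1MB))

    if ($Remove) {
        $files | Remove-Item -Force -ErrorAction Continue
    }
}

Clear-OutlookSecureTemp            # report only
# Clear-OutlookSecureTemp -Remove  # report, then delete the cached copies
```

The files left in this folder are copies of opened attachments, so the report-only run also shows how much mail content is sitting unmanaged on the workstation.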


 

Google released a beta version of its new web browser "Chrome" last week. Since its release, several vulnerabilities have been discovered including drive-by software installs and buffer overflows.

Google has released updates to address several current issues, but more vulnerabilities will probably be discovered over the next several weeks and months as the product is refined.

CoNetrix recommends customers avoid installing Chrome, or any other beta application, in production environments due to the potentially high risk of exposure.

For more information about individual issues in Google's Chrome, refer to the following link: http://code.google.com/p/chromium/issues/list


 

On our Information Technology Audits, one of the things we do is spot check workstations to see if it appears employees are storing nonpublic customer information in documents on their workstations. One of the reasons we discourage storing confidential files on a user's local computer is that it helps prevent the loss of confidential data if a computer is stolen. When looking for these files, most people know to check the Desktop and My Documents folders. However, there is a commonly overlooked location where these confidential files can exist: the user's Temporary Internet Files directory. There are a few different ways a file with confidential information can unintentionally end up in your Temporary Internet Files. One way a copy of a file can be left in the Temporary Internet Files directory is when a document attached to an e-mail message is opened. Another is when you download and open a file from a webpage on your local intranet or any other website.

We recommend deleting your Temporary Internet Files every time you log out or shut down to avoid unintentionally storing files with confidential information on your local hard drive. There are a couple of ways to do this. The most reliable way to delete the files is to set up a script that runs automatically when you log off or shut down the computer. Here is a good example of a script to delete Temporary Internet Files by the Scripting Guys at Microsoft TechNet. If for some reason you must store confidential files on a workstation, then you should look into protecting the hard drive of that system with full disk encryption.
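The spot check described above can be scripted. The following PowerShell function is an added example (not the Scripting Guys script and not part of the original post) that lists document-type files left in the current user's Temporary Internet Files directory; the function name and the extension list are assumptions chosen for illustration.

```powershell
# Added example: audit the current user's Temporary Internet Files for leftover documents.
# Find-CachedDocuments and the extension list are hypothetical; adjust to your audit scope.
function Find-CachedDocuments {
    param(
        # .NET resolves the per-user cache folder on both XP and Vista.
        [string]$CachePath = ([Environment]::GetFolderPath('InternetCache')),
        [string[]]$Extensions = @('.doc', '.docx', '.xls', '.xlsx', '.pdf', '.csv', '.txt', '.msg')
    )

    if (-not (Test-Path -LiteralPath $CachePath)) {
        Write-Warning "Cache folder '$CachePath' not found"
        return
    }

    # -Force includes the hidden/system subfolders (for example Content.Outlook)
    # that Explorer does not show; unreadable folders are skipped, not fatal.
    Get-ChildItem -LiteralPath $CachePath -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $Extensions -contains $_.Extension.ToLower()
        } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime
}

# Full listing, newest first.
$found = @(Find-CachedDocuments)
$found | Format-Table -AutoSize

# Summary by file type for the audit work paper.
$found |
    Group-Object { [IO.Path]::GetExtension($_.FullName).ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Run it as the logged-on user being audited, since the cache path is per profile.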


 

I received a new hard drive recently and was going to use ThinkVantage Rescue and Recovery to restore my current system to the new drive. During this process I discovered that Rescue and Recovery requires that you restore a backup from the same location where the backups were made. I have my backups configured to go to an external HD (using eSata with PCMCIA card). The external hard drive is labeled “2nd Hard Drive” in R&R. When I got the new drive in, I ran a full backup (3-4 hours), then swapped hard drives. I was able to boot into the R&R environment, but didn’t have drivers for my PCMCIA card so I couldn’t restore using eSata. My external HD also has connections to allow it to be used as a USB drive. I was able to boot into R&R off of the external HD over USB, but no backups were showing up on the “USB Drive” (or any other backup locations). I was afraid R&R was saving the backup location as part of the backup and just couldn’t see my “2nd Hard Drive” backups on a USB drive. I swapped physical disks again, did another full backup over USB (8-10 hours), swapped disks again, and was able to boot and restore my “USB backup”. This is just something to consider when you're choosing a location to store your Rescue and Recovery backups.


 

Using a clipboard manager can really save time and make working on a computer easier.  I have been using a free open source application named Ditto.

Here are some of the key features:

  • Easy to use interface
  • Search and paste previous copy entries
  • Keep multiple computers' clipboards in sync
  • Data is encrypted when sent over the network
  • Accessed from tray icon or global hot key
  • Select entry by double click, enter key or drag drop
  • Paste into any window that accepts standard copy/paste entries
  • Display thumbnail of copied images in list
  • Full Unicode support (display foreign characters)
  • UTF-8 support for language files (create language files in any language)
  • Uses sqlite database (www.sqlite.org)

 

I recently moved my laptop backups to an Acomdata external hard drive.  I noticed that it mounted two partitions, a hard drive partition and a CD partition, but did not worry too much about it since I had plenty of disk space on the hard drive partition.  The CD partition was created by the manufacturer to store their disk utilities and, like a normal CD, appeared to my laptop as read-only.  After saving multiple backups to this disk, I received a new internal hard drive and tried to restore from the backups on the external hard drive.  However, I could not boot to the external hard drive because my laptop would only recognize the CD partition during boot, not the hard drive partition.

After some Googling, I discovered that these CD partitions have caused quite a few issues, including not allowing some Linux distributions to mount the hard drive partition.  The easiest fix at first seemed to be to take the hard drive out of the external casing, connect directly to a desktop PC's internal hard drive controller and re-partition/format the entire drive.  Right before giving in to this solution, I found a blog post on LinkedIn which is no longer available.

This author spent some time with Acomdata support and got them to provide a software tool to remove the CD partition while it is connected externally via USB.  In the end, I moved my data off of the external hard drive, ran the tool, formatted the external hard drive as a single partition, moved my data back, and was able to boot/restore from the external hard drive.  I even have a little bit of extra space now that the CD partition is gone.


 

While working on a task to try to synchronize thousands of a user's files using Windows’ Offline Files feature, I decided to investigate this feature more closely. I haven’t used offline files much, so while reading up on this feature I discovered that there are two kinds of offline files: Regular Offline Files and Temporary Offline Files. The regular offline files are the ones that you specify to synchronize manually by right-clicking on a file/folder and choosing “Make Available Offline”. These offline files are always available offline and there isn’t a limit to the amount of data you can synchronize this way. Temporary Offline Files are a different story…

Temporary Offline Files:

When users access their files sitting on servers on the network, these files are cached on the local disk (if the Offline Files Feature is active). They remain available when the portable computer is disconnected from the network. 

Upon reconnection to the network, the modified files will be resynchronized with their copy on the servers (according to the Offline Files settings available through Tools->Synchronize->Setup in any Windows Explorer window). These kinds of files are called temporary offline files. They are temporary in the sense that the cached copy might be erased locally after use. Usually files that have not been accessed recently will NOT be available while offline. The “Amount of disk space to use for temporary offline files” slider (seen below) applies only to these temporary offline files, NOT to the ones you manually specify.


 

Paraben has released a new electronic device designed to capture all data that a cell phone contains. The device is called the Cellular Seizure Investigation Stick or CSI Stick. The device plugs into a cell phone's data port and can copy all the data off the device including: e-mails, instant messages, text messages, call logs, contact lists, spreadsheets, pictures, movies, or anything else stored on the device (even deleted files that haven't been overwritten). In addition, the device leaves no trace that data was compromised. Currently a long list of Motorola and Samsung cell phone models are supported, but the company states that more manufacturers and models will be supported in the next generation.

The device was built primarily to help government agencies gather forensic grade data from cell phones, but it is available to the public.  The device costs $199 and the software to analyze the captured data on your PC runs $99 to $895 depending on the features you need.  The next time you loan your cell phone to someone or leave it unattended be aware that someone could quickly steal all the data off of it by simply plugging in a CSI Stick.  To reduce the risk of this threat you should store as little sensitive data on your cell phone as possible and never leave your cell phone unattended.


 

The Microsoft Exchange Server 2007 database portability feature allows a mailbox database to be mounted on any server in the same organization. In previous versions of Exchange, a database could only be mounted in the following places:

  • Recovery storage group
  • Server with the same name as the server that the database came from
  • Another server in the same administrative group

The database portability feature removes the previous limitations and handles the issues that they presented. Database portability was implemented for the following reasons:

  • Reliability is improved by removing error-prone manual steps in the recovery processes.
  • For a lost clustered mailbox server scenario, the clustered mailbox server needed to be recovered before clients could access Exchange databases.
  • Exchange mailbox data is non-server specific, so accessing that data should also be non-server specific.
  • Database portability reduces the end-to-end recovery times for various disaster recovery scenarios.

At the Extensible Storage Engine (ESE) level, Exchange databases are portable. However, Exchange Server 2003 imposes certain restrictions before bringing a database online at an alternate location that do not allow databases to be portable. Database portability removes all but one such restriction, which is that the database needs to be from the same Exchange organization. A portable database is of no use, unless clients can be redirected to the mailbox data at the alternate location. With the Microsoft Office Outlook 2007 and the Exchange 2007 Autodiscover service, clients are redirected to the new server when they try to connect.

Note: Database portability is only offered for Exchange 2007 mailbox databases. Public folder databases are not portable. This is because replication between public databases is controlled by each database being linked to and accessed through a specific server. The preferred way to move public folder data between servers is to replicate it rather than copy the database files to a different server. If you copy a public folder database to a different server, it will no longer replicate with other databases.


 

During an attempt to temporarily free drive space for Disk Defragmenter to run, I had stopped the IIS web service and moved the Update Services folder, which is WSUS, to another disk drive. After running the defragmenter, I moved the folder back and started the service up again. Later that week, I noticed that clients had not been reporting in to WSUS.

After a server reboot, the event log reported that a service failed to start. The only automatic service that was not running was “Update Services”. Starting the service manually allowed me to access the WSUS management console, but another event log message was written each time I restarted the service that stated:

“Event ID: 506 - The SelfUpdate Tree is not working.  Clients may not be able to update to the latest WUA client software and communicate with the WSUS Server.”

On every server, including the WSUS server, MBSA kept failing to check security updates from the WSUS server.  WSUS client check-in is served through IIS as a site called “Selfupdate”.  It is important to allow anonymous access to the directory using an IUSR account managed by IIS.  I went back to the “Update Services” folder on the disk drive and manually added the Internet Guest Account (the IUSR account that was listed as the anonymous IIS account) and gave it “Read & Execute” permissions.  Moving that folder to another drive had likely removed the IUSR permissions for the folder.

I restarted the “Update Services” service and no longer got the Event ID: 506 message.  I ran registry commands to get Windows Updates to check for updates again on one of the servers and it reported to WSUS.  A little later, other machines began to report in as well.
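The permission check and repair described above can be done from PowerShell instead of the folder's Security tab. This is an added example, not part of the original post; the function names are hypothetical, and the folder path and IUSR account name in the usage line are placeholders because the post does not give them.

```powershell
# Added example: verify (and optionally restore) Read & Execute for the IIS anonymous
# account on a folder. Function names are hypothetical; only explicit or inherited
# entries naming the account itself are checked, not rights granted through groups.
function Test-ReadExecuteAccess {
    param([string]$Path, [string]$Account)

    $need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl  = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        if ($rule.IdentityReference.Value -ieq $Account -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $need) -eq $need) {
            return $true
        }
    }
    return $false
}

function Repair-ReadExecuteAccess {
    param([string]$Path, [string]$Account)

    if (Test-ReadExecuteAccess -Path $Path -Account $Account) {
        Write-Output "$Account already has Read & Execute on $Path"
        return
    }

    # Grant Read & Execute on the folder, its subfolders and files (inheritable entry).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Granted Read & Execute on $Path to $Account"
}

# Placeholders: substitute the real Update Services folder and the anonymous account
# shown in the IIS site's Directory Security settings.
# Repair-ReadExecuteAccess -Path '<Update Services folder>' -Account '<SERVER>\<IUSR account>'
```

Running `Test-ReadExecuteAccess` before and after any folder move makes the lost permission visible before clients stop reporting.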