Blog

The FBI, the U.S. Postal Inspection Service, and state and local authorities are investigating more than 60 threatening letters received by financial institutions in Arizona, California, Colorado, Georgia, Illinois, New Jersey, New York, Ohio, Oklahoma, Texas, Virginia, and Washington, D.C.  The letters began arriving on Monday, Oct. 20, 2008, and all appear to originate from Texas; every one was postmarked in Amarillo, TX.  Most of the letters contain a powdery substance along with a threatening communication.  So far, field and laboratory tests on the powder have been negative; however, additional testing is under way.

To see a copy of one of the letters, visit http://www.fbi.gov/page2/oct08/threatletters_102308.html

 


 

On Thursday, October 23, 2008, Microsoft released a critical out-of-cycle security update. This update addresses a vulnerability in the Windows Server service that could allow remote code execution. Microsoft has rated this vulnerability Critical for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and Important for all supported editions of Windows Vista and Windows Server 2008.

The update addresses the vulnerability by correcting the way that the Server service handles RPC requests. Additional technical details on the vulnerability and update can be accessed at:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

As a best practice, RPC (including the SMB ports through which the Server service is reached) should not be exposed directly to the Internet. Perimeter filtering is only a partial mitigation, however: the vulnerable service remains reachable from any host inside the network, so CoNetrix recommends applying the update available from Microsoft as soon as possible.
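The two checks a practitioner wants after reading the bulletin are "is the patch on this box?" and "can anyone outside reach the Server service?". The PowerShell below is an added example, not part of the CoNetrix post or of Microsoft's bulletin. It assumes KB958644 is the Knowledge Base number Microsoft assigned to the MS08-067 update (the post does not state it), and the public addresses and port list are placeholders you replace with your own.

```powershell
# Added example (not from the CoNetrix post): verify MS08-067 status on this
# host and confirm the RPC/SMB ports are not reachable from outside.
# Assumptions: KB958644 is the update number Microsoft assigned to MS08-067
# (not stated in the post); $PublicAddresses are your Internet-facing IPs.

param(
    [string]   $HotfixId        = 'KB958644',
    [string[]] $PublicAddresses = @('203.0.113.10'),   # placeholder, RFC 5737 documentation range
    [int[]]    $RpcPorts        = @(135, 139, 445)     # endpoint mapper, NetBIOS session, SMB
)

# 1. Is the out-of-band update installed on this machine?
$hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
if ($hotfix) {
    "OK      $HotfixId installed on $($hotfix.InstalledOn)"
} else {
    "MISSING $HotfixId not found; install the MS08-067 update"
}

# 2. Can the ports the Server service listens on be reached on the public
#    side?  Run this from a host outside your perimeter so the result
#    reflects what an attacker sees rather than the internal view.
foreach ($ip in $PublicAddresses) {
    foreach ($port in $RpcPorts) {
        $open = Test-NetConnection -ComputerName $ip -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($open) { "EXPOSED $ip tcp/$port reachable; block it at the perimeter firewall" }
        else       { "OK      $ip tcp/$port filtered or closed" }
    }
}
```

Get-HotFix only reports updates registered with Windows Update, so a manually copied netapi32.dll will show as MISSING; treat that as a prompt to check, not as proof. Test-NetConnection ships with Windows 8/Server 2012 and later; on older systems the same probe can be done with telnet or nmap.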

If you have any questions or need assistance with this update, please contact CoNetrix at [email protected] or call (800) 356-6568.


 

Yesterday, the Federal Trade Commission (FTC) announced that it would suspend enforcement of the new "Red Flags Rule" until May 1, 2009, to give creditors and financial institutions additional time to develop and implement written Identity Theft Prevention Programs.  This does not affect the other federal agencies' (FDIC, OCC, Federal Reserve, OTS, and NCUA) enforcement of the original November 1, 2008 deadline.

To read the new Identity Theft Red Flags rules and guidelines go to conetrix.com/Files/ITPP_Regulation.pdf


 

I had an issue with an XP workstation this week where a user could not connect to a certain DFS link in the DFS tree. The tree contained three root shares, one of those being the Apps folder. None of the PCs could map a network drive to the \\domain\Apps folder from Explorer or using the NET USE command. However, if the direct referral location was used (\\server\data\apps$), everything worked, so it wasn't a permissions issue. After much troubleshooting and a couple of reboots, I came across an article regarding this issue (http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/f64f87c2-76bd-4e0d-a34e-31fd5f321ba2/). The issue is with XP SP3, which each computer that was having problems had installed. The issue results from a corrupted DFS link entry in AD. XP prior to SP3 would ignore it, but SP3 will not. The solution is to delete and recreate the DFS link and then purge the DFS MUP cache on the client using the following commands (dfsutil is part of the Windows Server 2003 Support Tools):

Dfsutil /pktflush

Dfsutil /PurgeMupCache

 

The Vista firewall can only apply one profile (Domain, Private, or Public) at a time.  So if one network interface has been identified by Vista as connected to the domain and another interface (a VMware interface, for example) cannot be identified, Vista applies the most restrictive profile (Public) to both interfaces.   Obviously, this can break applications if your Public profile is locked down.

To fix this issue, you can either:

  1. Disable the VMware network interfaces if you don't use them.  They are not needed in bridged mode.
  2. Tell Vista to ignore the VMware network interfaces when deciding which firewall profile to apply.
    • Disable the VMware NICs (VMNET1 and VMNET8 in my case)
    • Run regedit and go to HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} (the Network adapter class)
    • Here you will find a list of numbered subkeys (0000 to 0024 in my case)
    • Click through these keys until you find the ones whose VMnet value names your VMware NICs (\DosDevices\VMNET1 and \DosDevices\VMNET8 in my case)
    • Under each of those keys, add a DWORD value named *NdisDeviceType with data 1 (the leading asterisk is part of the name; 1 marks the adapter as an endpoint rather than a network connection)
    • Enable the VMware NICs
    • While connected to the Compu-Share domain and with the VMware interfaces enabled, verify the fix worked by going to Control Panel -> Windows Firewall.  The Network Location should be listed as "Domain network".
    • Note: some reports say these registry values are removed when VMware is upgraded to a new version.  If so, you will have to add them back manually.
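Clicking through two dozen numbered keys by hand is error-prone, and the value has to be re-added after VMware upgrades, so the procedure is worth scripting. The PowerShell below is an added example (not from the post); it locates the VMware adapter keys by the VMnet value the post describes, falls back to matching DriverDesc, and sets *NdisDeviceType = 1 on each. The adapter names in the netsh comments are assumed and should be replaced with whatever Network Connections shows on your machine.

```powershell
# Added example (not from the post): mark every VMware virtual adapter as an
# "endpoint" device so Vista's Network Location Awareness ignores it when
# choosing the firewall profile.  Run from an elevated prompt.
# Assumption: the adapter keys carry a "VMnet" value as described in the post
# (e.g. \DosDevices\VMNET1); the DriverDesc match is a fallback.

$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# Subkeys are 0000, 0001, ...; the "Properties" subkey is ACL-protected, so
# suppress the access-denied error it produces when enumerated.
$adapters = Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d{4}$' }

foreach ($key in $adapters) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props) { continue }

    $isVmnet = ($props.VMnet -like '\DosDevices\VMNET*') -or ($props.DriverDesc -like '*VMnet*')
    if (-not $isVmnet) { continue }

    # *NdisDeviceType = 1 (NDIS_DEVICE_TYPE_ENDPOINT): the adapter is not
    # treated as a connection to a network, so it no longer drags the whole
    # machine onto the Public profile.
    New-ItemProperty -Path $key.PSPath -Name '*NdisDeviceType' -PropertyType DWord -Value 1 -Force | Out-Null
    "{0,-6} {1}  -> *NdisDeviceType=1" -f $key.PSChildName, $props.DriverDesc
}

# The value is read when the adapter binds, so bounce the VMware NICs
# (names as shown in Network Connections; assumed here):
#   netsh interface set interface "VMware Network Adapter VMnet1" admin=disabled
#   netsh interface set interface "VMware Network Adapter VMnet1" admin=enabled
# then confirm Windows Firewall reports "Domain network".
```

Keep the script with your VMware installer; re-running it after an upgrade is quicker than rediscovering the fix. Do not set *NdisDeviceType on a physical NIC: an endpoint device is excluded from profile selection entirely, which is exactly what you do not want for a real network connection.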

 
 

We recently had a customer that switched Internet service providers.  After making the switch, users were getting "sending delayed" messages from the Exchange server.  The problem turned out to be caused by misconfigured DNS settings in the Exchange 2003 SMTP service.  Some e-mails appeared to be going through fine, while others were delayed and eventually dropped.  Sometimes, messages would go through, the other person would respond, and then the sender would get a delayed notification for the originally sent message.  After some e-mails sent to CoNetrix were completely dropped, I started looking more closely at the SMTP service configuration.  I went through every setting and eventually found some entries for the old ISP's DNS servers buried in the following location:

Servers -> SERVERNAME -> Protocols -> SMTP -> Default SMTP Virtual Server -> Properties -> Delivery tab -> Advanced -> Configure

This dialog allows you to specify "external DNS servers".  Apparently, based on the name, someone thought the real "external" DNS servers should be used (instead of the local DNS service, which uses the external servers as forwarders).  I removed the old ISP server entries and replaced them with the external DNS servers of the new ISP as a test.  Once I did this, e-mail started sending immediately.  I then changed the entry to the local IP of the server (so the local DNS service would be used).  Things continued to work.  Setting those DNS entries is not part of our normal server setup procedures, so I'm not sure where the DNS entries originally came from.  They may have been populated by some "wizard", so keep the SMTP DNS settings in mind if you ever have a similar problem.
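The quickest way to tell whether the servers in that dialog are the cause is to ask each of them the same MX question outbound delivery asks. The PowerShell below is an added example, not from the post: it takes the server list copied from the Delivery > Advanced > Configure dialog and a few destination domains (placeholders in both cases) and reports which servers answer. Resolve-DnsName is available on Windows 8/Server 2012 and later; on the Exchange 2003 server itself, nslookup with the server name as the second argument does the same job.

```powershell
# Added example (not from the post): confirm each DNS server an Exchange SMTP
# virtual server is pointed at can still resolve the MX records that outbound
# delivery depends on.  Assumptions: $DnsServers is what you copied from the
# Delivery > Advanced > Configure dialog; $TestDomains are mail domains you
# send to regularly (placeholders shown for both).

param(
    [string[]] $DnsServers  = @('192.0.2.53', '192.0.2.54'),  # RFC 5737 placeholders
    [string[]] $TestDomains = @('example.com', 'example.net')
)

foreach ($server in $DnsServers) {
    foreach ($domain in $TestDomains) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer
            # really comes from $server, not from a previous lookup.
            $mx = Resolve-DnsName -Name $domain -Type MX -Server $server -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'MX' }
            if ($mx) {
                $hosts = ($mx | ForEach-Object { $_.NameExchange }) -join ', '
                "OK    $server answers MX for $domain : $hosts"
            } else {
                "EMPTY $server returned no MX for $domain (SMTP would fall back to the A record)"
            }
        } catch {
            # A stale ISP resolver typically times out or refuses queries here;
            # that is the "sending delayed" symptom described in the post.
            "FAIL  $server did not answer MX for $domain : $($_.Exception.Message)"
        }
    }
}
```

Any server that reports FAIL for every domain is one Exchange will stall on before retrying elsewhere; point the virtual server at the local DNS service (which forwards to the current ISP) and the entry stops needing to change when the ISP does.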


 

I have been using an application launcher called AppRocket for years.  I have now switched to Find And Run Robot (FARR) (http://www.donationcoder.com/Software/Mouser/findrun/index.html).  It is a great timesaver to run an application launcher instead of navigating through menus or spending hours setting up special shortcuts, etc.  Here are a few features that I think make FARR superior to other methods of launching programs and documents.

  • It does not build an index beforehand, so it is always up to date.  You can arrange the order of the directories it searches, so the rarely used ones are searched last.  As soon as it finds a match for what you have entered, you can launch it.
  • It uses rules to determine the order in which matches appear; recently launched items, for example, get a higher rating.
  • It has a plugin system, and many plugins have been written, such as one to search your clipboard history and Firefox/Opera plugins.
  • Aliases can be set up so that parameters can be passed, for example passing the selected text to a search engine.

Software from Donation Coder is free but supported by donations.


 

What do you get the paranoid schizophrenic who has everything?

An "EnhancedHardDrive" from Ensconce Data Technology, of course! Tired of destroying your hard drives at home the old-fashioned way using fire or thermite? How barbaric! How messy! The EDT Enhanced Hard Drive will flood itself with an acid mist, set off by any of up to 17 remote triggers, rendering the drive forensically unrecoverable.

After talking with a customer about how to dispose of old hard drives, I started doing some research on different data disposal methods and happened upon EDT's site. I doubt any of us will encounter anything at this level of security, but it seemed interesting, so I thought I'd share. It seems like the niche market for a product like this would be pretty small, but I recently read that their sales goal for next year is somewhere around 25 million. Someone's got something to hide :)

 


 

The following Special Alert was released by the FDIC concerning e-mails being sent that claim to be from the FDIC.  These e-mails attempt to trick recipients into installing unknown software on personal computers. The subject line of the messages is: "Funds wired into your account are stolen." Here is a copy of the FDIC's Special Alert:

The FDIC is aware of e-mails appearing to be sent from the FDIC that ask recipients to open and review an attached file. Currently, the subject line of the e-mail states: "Funds wired into your account are stolen." The e-mail is fraudulent and was not sent by the FDIC.

The fraudulent e-mail tells the recipient that proceeds from identity theft crimes have been wire-transferred into their bank account. The e-mail then directs the recipient to open and review an attached copy of their bank account statement and to contact their bank account managers.

The attached file is actually an executable file containing malicious code or software. Recipients should consider the attached file as a malicious attempt to collect online banking credentials or other personal and confidential information that could be used to gain unauthorized access to on-line banking services or perpetrate identity theft and other criminal activities.

Recipients of the fraudulent e-mail should not reply and should not attempt to open the attached file. According to reports received by the FDIC, many antivirus software programs have been detecting and removing the malicious attachment before the e-mail is delivered. However, if a recipient does open the attachment, the FDIC recommends updating anti-virus software patches and performing a complete scan of the computer and network, if applicable. If a computer becomes infected and the user encounters difficulties removing the malicious code, users should contact their anti-virus software vendor. The FDIC highly recommends using anti-virus software.

For additional information about safe online banking and avoiding online scams, visit http://www.fdic.gov/consumers/consumer/guard/.

For your reference, FDIC Special Alerts may be accessed from the FDIC's Web site at www.fdic.gov/news/news/SpecialAlert/2008/index.html.