Google’s announcement that it is pulling out of China over continued hacker attacks has highlighted problems in Internet Explorer. Wired has an article in which Dmitri Alperovitch says of the Google attacks: "We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack."

 

McAfee’s CTO blog breaks it down further and gives the name Operation Aurora to the attack. Technical details on "Operation Aurora" exploit and payload are on McAfee Labs Blog. McAfee will be hosting a webinar on Thursday to discuss the exploit and attack. Meantime, for those of us who like to play with Aurora, HD Moore recreated the exploit for Metasploit.

 

One concern that I have is script kiddies downloading and running the exploit across anything they can get their hands on, particularly in light of the press.

 

I wager many of you (like me) have to use Internet Explorer for business purposes. So please note that the current "Aurora" public exploits do not work if you are running IE8 with DEP enabled. If you are running older versions of IE, you might consider upgrading while Microsoft prepares the patch.

 

There is rumor that the exploit could be modified to bypass DEP. Such a modified exploit is currently not publically available. It will take some time before a modified exploit to be developed, which should give Microsoft time to patch.

Happy New Year! Thank you for bringing in the new decade with me.

 

Ten years ago, we thought, just maybe, this Y2K thing would cause widespread computer system breakdowns.

 

I was with an IT consulting firm and was working on New Year’s Eve. (What!? It was a Friday. Cut me some slack.) I had my young son with me at the office. We had hooked up analog call forwarding to send incoming calls to the vice president’s house, and we had armed him with a stack of paper workorders and an analog fax machine. The idea being, should pandemonium ensue, people would call firms such as ours. The VP would get a signed agreement and send in the techs. I was on-call for second level support.

 

Before I left, I shut down the network and PBX and disconnected power. You never can be too safe, right? After all, who knew how bad it would get. (Actually, we were doing much of this in a tongue-in-cheek fashion.)

 

My son and I drove home early. We picked up my wife, then very pregnant, and went to see a movie. It might have been Pokemon. It might have been Wild Wild West. None of us can quite remember and agree which movie it was now. Anyways, we were in the Krafft 8 movie theater standing in line when the first call came in.

 

I answered my trusty Nextel, fearing the worst. It was not even close to midnight but you never know. What had happened?

 

On the line was Thailand. My good friend had called to wish me a happy new year. Life was still going, he assured me, with no disruptions in Tokyo or Bangkok. We had a good laugh and chat.

 

My family enjoyed the movie. Then we dropped my son off at his grandmother’s. They had their party, and my wife and I had ours. The night passed quietly. Then the weekend passed quietly. Then my daughter was born and I forgot all about Y2K.

 

And before I knew it, it was 2010. Somewhere along the way, we hooked back up the firm’s computer and telephony equipment. Other bugs came and went. But Y2K, for me, was the dog that did not bark.

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the network and storage adapters.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd. 

Configure apt-get to download the Lucid (2.6.32-7) kernel.

 

sudo bash

nano /etc/apt/sources.list

 

# added by -JWG- for Hyper-V integration

# The Lucid repository contains the 2.6.32-7 kernel

deb http://archive.ubuntu.com/ubuntu/ lucid main

 

apt-get update

 

Install the kernel and then comment out the repositories.

 

apt-cache search linux-image-2.6.32

apt-get install linux-image-2.6.32-7-generic linux-headers-2.6.32-7-generic build-essential

 

nano /etc/apt/sources.list

Comment out the #deb line

 

Validate the kernel after rebooting to ensure we are on 2.6.32-7.

 

uname -r

 

Enable the GPL integration components.

 

uname -r

sudo bash

cd /lib/modules/2.6.32-7-generic/kernel/drivers/staging/hv

insmod hv_vmbus.ko

insmod hv_blkvsc.ko

insmod hv_netvsc.ko

insmod hv_storvsc.ko

 

Add the modules to the startup file.

 

nano /etc/initramfs-tools/modules

 

# added by -JWG- for Hyper-V integration

hv_vmbus

hv_blkvscb

hv_netvsc

hv_storvsc

 

update-initramfs -u

reboot

 

 

Confirm that the modules are loaded. You will have full network and disk integration. The mouse integration (Inputvsc) is currently provided by Citrix Project Satori and has not yet been patched to 2.6.32-7.

 

lsmod | grep vsc

 

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the mouse, network adapter, and storage adapter.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd. 
Download the Linux Integration components for Windows Server 2008 R2 (LinuxIC v2.iso).
Download the Citrix Project Satori mouse driver (Inputvsc.iso)

Configure apt-get to download the previous version of the kernel, which includes first flushing and renewing the encryption keyring.

 

sudo bash

 

apt-key list

apt-key del 437D05B5

apt-key del FBB75451

 

apt-key list should now return an empty list.

 

Install the keyring

apt-get install debian-archive-keyring

 

Load the key for the ftp.us.debian.org and security.debian.org.

 

cd /home/tiger/.gnupg/

mv gpg.conf gpg.con~

 

gpg --keyserver wwwkeys.eu.pgp.net --recv 9AA38DCD55BE302B

gpg --list-keys 9AA38DCD55BE302B

gpg --export 9AA38DCD55BE302B > 9AA38DCD55BE302B.gpg

apt-key add ./9AA38DCD55BE302B.gpg

apt-key list

 

Add the repositories to the end of the sources list, and update the apt list.

 

nano /etc/apt/sources.list

 

# Repository for older kernel versions

# added by -JWG- for Hyper-V integration

deb http://ftp.us.debian.org/debian etch main

deb http://security.debian.org/debian-security etch/updates main

 

cd /usr/src/

apt-get update

 

Install the kernel and then comment out the repositories.

 

apt-cache search linux-image-2.6.18

apt-get install linux-image-2.6.18-6-amd64 linux-headers-2.6.18-6-amd64 build-essential

 

nano /etc/apt/sources.list

Comment out the two #deb lines.

 

Modify the menu.lst file so it defaults to the 2.6.18-6 and reboot.

 

nano /boot/grub/menu.lst

default 2

reboot

 

Validate the kernel after rebooting to ensure we are on 2.6.18-6.

 

uname -r

Insert the LinuxIC v2.iso disk, copy locally, and install the drivers.

 

sudo bash

 

mkdir /opt/linux_ic

cd /opt/linux_ic

cp -R /media/CDROM/* /opt/linux_ic/

./setup.pl drivers

cat drvinstalls.err

 

The only error should be "make: udevcontrol: command not found" and "make: *** [install] Error 127". These simply indicate that we will need to manually add the services to the init modules file.

 

Insert the Inputsvc.iso disk.

 

mkdir /opt/inputvsc

cd /opt/inputvsc

cp -R /media/CDROM/* /opt/inputvsc/

./setup.pl drivers

cat drvinstall.err

 

Again, the only errors should be related to the modules. Edit that file now.

 

nano /etc/initramfs-tools/modules

 

# added by -JWG- for Hyper-V integration

netvsc

blkvsc

storvsc

inputvsc

 

update-initramfs -u

reboot

 

Confirm that the modules are loaded. Then it is play time.

 

lsmod | grep vsc

Matriux is a vulnerability assessment / penetration testing Linux distribution. The team's beta release was the beginning of this month, and I have been playing around with the distro for the past couple weeks. What can I say? I am a sucker for Latin motto's ("Aut viam inveniam aut faciam" or "I shall find a way or make one") and for cleanly laid out VA/PT toolsets.

The bonus, for those running Hyper-V, is that Matriux is a Kubuntu based and comes with the Jaunty kernel (2.6.28-13-generic). Setting up a Hyper-V security appliance is as simple as creating a vm, using the legacy network adapter, skipping the hard drive, and booting off the downloadable ISO. Matriux works right out of the box within Hyper-V.

You can compare this to the Slax VA/PT distros, which do not support the network adapter. Often times, these distros do not even support the mouse. Using the Matriux Live CD in Hyper-V is a breeze. For an environment to support a demo or an occassional vulnerability assessment, you cannot ask for more.

If you are doing regular assessments, there are a couple limitations with Hyper-V. The legacy network adapter performs at 100 Mbps (significantly slower than the 10 Gbps speed of the standard network adapter.) The Live ISO is read-only, too. The mouse integration is present, but it is not the seamless integration one is used with Windows vms. Oh, and the mouse integration does not work when connected to Hyper-V over RDP. To get full functionality, you will need to install Matriux into a vhd and install the Hyper-V integration components.

The Jaunty kernel does not support integration. You have two options: (1) downgrade Matriux's kernel to 2.6.18 and install Hyper-V's integration components; or (2) upgrade Matriux to the Lucid kernel (2.6.32-7) and enable the Hyper-V GPL code. Option (2) provides faster performance and is in-line with the Matriux planned Beta 2, but it does not support the full mouse integration.

Detailed steps for both options are in the links above. For those who want to skip to the chase and simply try out Matriux under Hyper-V, I have done the steps for you. You can download the security appliance from SimWitty's website. Enjoy!

Matriux beta (0.9.4) with 2.6.18-6 kernel
Matriux beta (0.9.4) with 2-6-32-7 kernel

Thank you to the Matriux team for a smooth, well done security distribution beta. Thanks goes, too, to Tom Houghtby for providing the Linux knowledge and guidance that made the integration possible.

jwg

VDS returns the following when you select a partition format that it does not recognize:

 

C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> list part
DISKPART> select part (id)

Virtual Disk Service error:
The pack is not online.

 

The pack is not online error (VDS_E_PACK_OFFLINE 0x80042444L) is returned when Diskpart attempts to get the file system properties on, say, an ext3 or hfs+ file system. Diskpart works only with Fat and Ntfs file systems. If the goal is to delete the non-Microsoft partition, use the clean command.

 

DISKPART> list disk
DISKPART> select disk (id)

DISKPART> clean

 

An SSL/TLS renegotiation attack has been carried out against Twitter. The Register has some details on the Twitter attack, while Educated Guesswork has the technical details on the renegotiation vulnerability itself.

 

SSL/TLS renegotiation has been used to get a web server to downshift its cipher and key length before. The new angle is using renegotiation to cause both the web server and the browser to renegotiate and create a man-in-the-middle scenario. Once in the inserted in the middle of web server and browser, the attacker can access the HTTP stream unencrypted.

 

Being an IT operations security guy, my focus is on auditing for and protecting against the weakness. The mitigation is simple: disable renegotiation. As for auditing, you can use openssl on any Linux OS to test.

 

sudo openssl s_client -connect www.yourhosthere.com:443

 

You will see the certificate chain, server certificate, SSL handshake, and SSL session details. The session is established when you get prompted verify return code: 0 (ok).

 

Now suppose OpenSSL reports verify error:num=20:unable to get local issuer certificate.)I have seen this error on GoDaddy websites. To resolve, browse to the website with Firefox. Open the certificate viewer and click the details tab. There, below the details, click the Export button. Save the certificate file in the x.509 PEM format with a .pem extension (Example: godaddy.pem). Then rerun OpenSSL and specify the certificate authority file.

 

sudo openssl s_client -connect www.yourhosthere.com:443 –CAfile godaddy.pem

 

Make an HTTP request and then request renegotiation.

 

HEAD / HTTP/1.0

R

 

The error ssl handshake failure indicates the web server is denying renegotiations.  If OpenSSL renegotiates successfully, you will see a new certificate path and then read read:errno=0. Contact your web server administrator if the server renegotiates.

 

 

(Update 2009-12/18: You can use the Matriux distro to perform the above steps.)

To use the command line to bring a disk online, create a partition, and format it, run the following commands:

 C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> online disk (if the disk is not online)
DISKPART> attributes disk clear readonly
DISKPART> clean
DISKPART> convert mbr (or gpt)
DISKPART> create partition primary
DISKPART> select part 1
DISKPART> active (if this is the boot partition)
DISKPART> format fs=ntfs label=(name) quick
DISKPART> assign letter (letter)
DISKPART> list volume

The following are common errors you may see if you miss a step: 

DISKPART> clean
DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

Resolution: run attributes disk clear readonly before trying to clean the volume and create the partition.

DISKPART> convert mbr

Virtual Disk Service error:
The specified disk is not convertible. CDROMs and DVDs
are examples of disks that are not convertable.

Resolution: clear all data off the disk before converting by running the clean command.

DISKPART> create partition primary
Virtual Disk Service error:
There is not enough usable space for this operation.

Resolution: run clean before trying to create the partition.

DISKPART> format fs=ntfs quick
Virtual Disk Service error:
The volume is not online.

Resolution: online the disk, create the partition, and convert to mbr before formatting.

Since the work of a technologist is primarily mental, I am always on the look-out for ways to boost mental capacity. One way is thru food. Below is my recipe for a "brain train" smoothie. The drink provides a number of nutrients recognized for improving memory and cognition.

The smoothie weighs in around 500 calories. It equates to two servings of fruit and a half serving of vegetables. Consuming two smoothies daily fulfills the FDA recommended allotment of fruit and veggies.

Feedback is welcome, drop me an email. The drink is very much a work in progress.

Ingredients

1/2 cup or about 12 frozen dark sweet cherries (1/3 frozen package)
2/3 cup frozen blueberries (1/4 frozen package)
1/2 cup frozen chopped spinach (1/2 frozen package)
2 cup low-fat yogurt (1/2 large container)
2 heaping teaspoons Soy protein powder
1 heaping teaspoon cinnamon
1 shot espresso coffee, chilled

Directions

1. Make a shot of espresso and chill it.
2. Use the food processor to thoroughly chop the cherries, blueberries, spinach, soy protein, and cinnamon.
3. Use the food processor to mix in the yogurt.
4. Use the food processor to whip in the espresso.

Additional information

Complete nutritional information is available in an Excel spreadsheet.
http://www.jwgoerlich.us/papers/jwg-brain-train-smoothie.xlsx

Blueberries

"University of Redding have shown that eating blueberries may ‘increase powers of concentration by as much as 20 per cent over the day.’"
http://www.telegraph.co.uk/health/healthnews/6168870/Blueberry-is-food-for-thought.html

Caffeine and coffee for boosting focus, energy, and possibly growing neurons.

Smith, A. (2202), Effects of caffeine on human behavior, Food And Chemical Toxicology
http://www.ncbi.nlm.nih.gov/pubmed/12204388

Korkotian, E., and Segal, M. (1999), Release of calcium from stores alters the morphology of dendritic spines in cultured hippocampal neurons, Proceedings of the National Academy of Sciences
http://www.ncbi.nlm.nih.gov/pubmed/10518577

Caffeine clue to better memory
http://news.bbc.co.uk/2/hi/science/nature/472473.stm

Cinnamon extends the effects of the smoothie by leveling out the blood sugar.

Spoonful of cinnamon helps blood sugar stay down
http://www.reuters.com/article/healthNews/idUSCOL07026020070620 
Hlebowicz, J. (2007), American Journal of Clinical Nutrition

Choline

The smoothie provides choline from yogurt, spinach, and soy protein. "A new research study done at MIT suggests that a combination of choline, omega-3 fatty acids with the uridine improved memory and learning in gerbils, and may have benefits for Alzheimer patients."
http://www.fasebj.org/cgi/content/abstract/22/11/3938
http://www.cholinebaby.com/cbblog/2008/07/choline-omega-3-and-uridine-bo.html
http://www.nal.usda.gov/fnic/foodcomp/Data/Choline/Choline.html

Spinach

The smoothie provides ample folate from spinach. "Observational studies show that low folate and elevated homocysteine concentrations are associated with poor cognitive performance in the general population."
http://www.uiowa.edu/~centrage/News/Newsletters/Newsletters%202006/Newsletter%20April%2006/Alzheimers,%20Cognitive%20Decline,%20Nutrition%204.7.06.pdf

Excerpted from Alzheimer's Disease, Cognitive Decline and Nutrition Newsletter
 

In the classic ASP days, there were a few ways to deliver content to the client in Excel. The more difficult way was to install Office XP/2003 on the web server. Then the ASP code would use COM to bind to Excel, CreateObject("Excel.Application"), and create the workbook and sheets programmatically. This was a bit of work and required a second, separate block of code that duplicated in Excel the code that created the web page report.

Now since the primary web page report was generally a table, an easier way to export to Excel was to send the same Html table. The ASP code would simply switch the content MIME type, Response.ContentType = "application/vnd.ms-excel". Some developers went the extra step to specify the file name and extension, Response.AddHeader "content-disposition", "attachment;filename=Output.xls". You could also do the same for a .csv file using "text/csv" and "attachment;filename=Output.csv. " This was cleaner and meant that essentially the same code created both the Excel and the web output.

The trick worked as follows: Internet Explorer opened the web page, the web server returned Excel’s MIME type, Internet Explorer passed the file onto Excel, Excel opened it and converted the Html to the columns and rows the person expected. That the file extension (*.xls) did not match the file content (Html) was not really a concern. Excel did its trick and the content was displayed.

The problems began when attackers used the same trick to send malformed files thru Internet Explorer to Excel. Several security hotfixes addressed the various malformed spreadsheets (MS07-015, MS07-023, MS07-025, MS07-044, MS08-016, MS08-043, MS08-057, MS08-074). These all addressed the various ways Excel could be compromised by files with content other than well-formed Excel, but of course did nothing to prevent malformed Excel content in the first place.

To address this point, Excel 2007 introduced the concept of Extension Hardening.  Extension Hardening does checks ahead of time to ensure that the file content matches the extension and, if applicable, the MIME type. The upside of Extension Hardening is that it blocks one vector for malformed Excel content attacks. The downside is that it also breaks the classic ASP method of Excel reporting.

Further, there is no granularity in the setting. Extension Hardening cannot be turned off for some websites or content sources, and on for others. It can only be disabled, enabled with a prompt, or enabled with blocking. Extension Hardening can be controlled during installation by the Office Deployment files, or afterwards by group policy or editing the registry.

Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security]
"ExtensionHardening"=dword:00000000

Possible value settings: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002). If the 
ExtensionHardening value is not present, Excel defaults to Allow different, but warn.

Group Policy Administrative Template (Excel12.adm):

Node: Microsoft Office Excel 2007 \ Excel Options \ Security
Setting: Force file extension to match file type
Possible values when enabled: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002).

Microsoft Office Deployment:

Node: Microsoft Office Excel 2007 \ Excel Options \ Security
Setting: Force file extension to match file type
Possible values when enabled: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002).

Implications of the Setting:

1. When set to allow different, Excel 2007 behaves like Excel 2003 and opens files from the web with Html content and application/vnd.ms-excel MIME type.

2. The following dialog box will display for web content when Extension Hardening is set to allow different, but warn:

The file you are trying to open, 'filename.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?

3. The following dialog box will display for web content when Extension Hardening is set to always match file type:

Excel cannot open the file 'filename.xls' because the file format for the file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file.

(In the warning dialog, you can press Ctrl-Shift-I to display the error code 101590 in the lower-right corner.)

For more information:

Microsoft Article 199841, How To Display ASP Results Using Excel in IE with MIME Types
http://support.microsoft.com/kb/199841

Microsoft Article 317719, How To Export Data in a DataGrid on an ASP . NET WebForm to Microsoft Excel
http://support.microsoft.com/kb/317719

Microsoft Article 948615, When you open a file in Excel 2007, you receive a warning that the file format differs from the format that the file name extension 
specifies
http://support.microsoft.com/kb/948615