Welcome to PChuck’s Network

December 31, 2006

Microsoft Windows is an incredibly complex operating system. Making an installation of computers running Windows work, at all, is a challenge. Making one work properly is even more of a challenge. Fortunately, thanks to the Internet, the problems which you may be observing today may have already been discussed, and resolved, by other folks before you. And there are many websites to give you advice, based upon those experiences.

Now, many websites offer you learned advice on various subjects; some on Windows Networking, as PChuck’s does. Many websites are procedure oriented. If you know what to do, they will give you details showing you how you can use a particular wizard. But – if you don’t know what to do, or how to solve a given problem, how are you going to find a solution? That’s like using a dictionary – some folks think that you can learn how to spell a word, by looking it up in a dictionary.

PChuck’s is organised by goal. For problem solving, it’s organised by symptom. Now, it’s not finished – few websites are ever actually finished. But give it a shot – it may have an answer or two for you.

If this is your first visit here, you may wish to start with the introduction, How To Get The Most Out Of PChuck’s Network.

Having reviewed the site introduction, you may find that there are several ways to benefit from the material here.

And check out my Links page, for extra interests of mine.

More articles are added frequently, and existing articles are revised even more frequently. Check here regularly, using a newsfeed reader for best results. And tell your friends about PChuck’s Network!

Common Problems and Resolutions

“Error = 5” aka “Access Denied”
“Error = 53” aka “Name Not Found”
Intermittent Connectivity Problems When Computer Is Idle
Intermittent Server Visibility Caused By The Restrictanonymous Setting
Intermittent WiFi Connectivity Problems Caused By WiFi Client Manager Conflicts
Internet Access Problems Caused By DNS Problems
Internet Connectivity Problems Caused By A Corrupt Or Hijacked Hosts File
Internet Connectivity Problems Caused By The MTU Setting
Irregularities In Access To Individual Shares On A Single Server
Irregularities In Access To Network Neighborhood (Workgroup)
Network Access Affected By Limited Or No Connectivity
Network Access Affected By LSP / Winsock / TCP/IP Corruption
Network Access Affected By NetBIOS Over TCP/IP Being Inconsistently Set
New Network Connections Wizard Functionality Damaged By System Restore
Server Access Affected By IRPStackSize
Server Access Affected By User Not Granted Requested Logon Type
Server Access Affected By Maximum Simultaneous Connections
Server Visibility Affected By The Invisibility Setting
Server Access And Visibility Affected By Personal Firewalls
Server Access and Visibility Affected By Less Known Registry Settings
Well Known, Yet Mysterious, Errors May Have Simple Resolutions

Tutorials

Asking For Help For Internet Connectivity Problems
Asking For Help For Network Neighborhood Problems
Hacking Defined
Layered Security
Malware (Adware / Spyware)
Network Neighborhood and the Browser
Networking Your Computers
Restrict Your Privileges
Solving Network Problems
Troubleshooting Internet Connectivity
Troubleshooting Network Neighborhood (Windows Networking)
WiFi Networking
WiFi Security
Windows Networking Concepts
Windows XP File Sharing

Current Events

June 16, 2006: Patch Tuesday for June 2006
June 8, 2006: R.I.P., Windows 98, 98SE, ME, and XP SP1
June 7, 2006: Sharing The Pain
June 6, 2006: Happy Devil’s Day
June 2, 2006: Firefox V1.5.0.4
May 29, 2006: Dufus or Joe Job Victim? Your Call
May 23, 2006: 419 Operations To Be Recognised By African Governments?
May 18, 2006: There’s A Sucker Born Every Minute
May 17, 2006: Win Some, Lose Some
May 9, 2006: Black Tuesday Report
May 8, 2006: Does IPV6 truly have a future?
May 3, 2006: Firefox V1.5.0.3 Is Released
February 7, 2006: The Mozilla Firefox V1.5 Exploit Is Out
December 12, 2005: Beware: A New Yahoo Messenger Phishing Attack May Be Active!

Diagnostic Procedures and Tools

Autoruns
Browstat
CDiag
CPSServ (NOTE: requires download of PSTools (free))
Command Windows
Event Viewer
HijackThis
IPConfig
Local Security Policy Editor
My Personal Toolbox
Net Config
Network Setup Wizard
NTRights
Ping
PingPlotter
Registry Editor
Services Wizard
Static Route Table
System Restore
Watching What Your Computer Is Doing
Windows Explorer
WiFi Environment Analysis
WindowsUpdate Log Interpretation

Using The Internet Properly

Bottom Post, Please
Download Software Selectively
Help Us To Help You
Getting Help On Usenet – And Believing What You’re Told
How To Contact Me
How To Post On Usenet And Encourage Intelligent Answers
Interactive Problem Solving
Please Don’t Hijack Threads
Please Don’t Spread Viruses
Provide Diagnostic Data As Text, No Attachments or Images
Provide Essential Details When Asking For Help
Please Use BCC:

Networking / Security

Ad-Aware or Spybot S&D? You Decide
Beware Of Hidden Physical Personal Firewalls
Components Definition – Networking
Design Your Network Properly
Have Laptop Will Travel?
Computer Uniqueness and Security Needs
ICS Is Not The Only Possible Solution
Make Your Wireless Computer Connect Only To Your Network
NAT Router – What Is It?
NAT Routers With UPnP – Security Risk, or Benefit?
Online System Virus Scanning Services
Pop-Ups – How To Deal With Them
Protect Yourself – Restrict Your Privileges
Protect Yourself When Using A Public Computer
Protect Yourself When Using A Public WiFi LAN
Protect Your Hardware – Use A UPS
Quick Networking With A CrossOver Cable
Setting Up Two Routers On The Same LAN
Sharing Dial-up Internet Service With A Router
Spam Spam Spam – Spam Spam Glorious Spam: Early Spam, and Modern Spam.
SSID Broadcasts
WEP Just Isn’t Enough Protection Anymore
WiFi Will Never Be As Fast As Ethernet

Windows Networking / File Sharing

Address Resolution On The LAN
Browsing and Multiple Subnets
Domain vs Workgroup? Plan Properly
Cleanup Your Protocol Stack
Components Definition – Windows Networking
Local Name and Address Resolution On Your Computer
One Use For IPX/SPX
Setting Up File Sharing Properly
Windows 9x (95/98/ME) and the Browser
Windows NT (NT/2000/XP/2003) and the Browser
Windows XP / 2000 On A Domain

Today’s Security Alert

December 30, 2006

The Internet is a wonderful place to spend time – whether personally, professionally, or socially, you can travel to distant lands, and meet folks from the comfort of your bedroom / home office.

But it’s absolutely NOT a place to casually provide details about yourself. And when you travel by internet, you absolutely must protect the vehicle (your computer) that you travel in. So stay aware of what’s happening in Internet security.


12/12 If you have Yahoo Messenger, you may need to be aware that a new phishing attack, which uses YM, has started. IM security firm IMLogic reports in New Yahoo IM Phishing Attack Surfaces

The attack, IM.Marphish2.Yahoo, attempts to steal personal information by duping a user into believing that they are in violation of Yahoo’s Terms of Service. The user is instructed to contact the “abuse department” through a URL that points to the 2wahms.com domain.

As always, please be very careful when presented any IM message that includes a URL. If the message is not part of an active conversation, OR if it’s from anybody that you don’t recognise, examine it with great suspicion. If you get an IM message, that contains a URL, from a friend, and you’re not in the middle of an active chat with that friend, take the time to verify that the message was intentionally sent. You could be helping both of you by doing this.


11/29 Yesterday, a friend wrote me for advice, as she was contemplating the purchase of a DVD burner for her recently purchased computer. I told her

Please don’t buy a Sony product.

And she didn’t. She bought a competitor’s product. This accomplished 2 things:

  1. One less sale for Sony.
  2. One more sale for a Sony competitor.

I just lit a candle. Will you light any?


11/23 Success – of a sort! BusinessWeek Online Sony’s Escalating “Spyware” Fiasco reports that

Overnight, Get Right with the Man dropped to No. 1,392 on Amazon’s music rankings. By Nov. 22 — after the news made headlines and Sony was deep into damage control, pulling some 4.7 million copy-protected disks from the market — Get Right with the Man was even further from Amazon’s Top 40, plummeting to No. 25,802.

The wrath of fans killed Sony’s CD copy controls, with the company pulling 52 titles off retail shelves, beginning the week of Nov. 14. But the wrath of bands could be far worse for the company — and for efforts to protect content in general.

Singers and songwriters are increasingly expressing frustration at devices used by record companies to protect digital content from widespread theft that results when CDs are copied repeatedly or popular tracks are given away on peer-to-peer (P2P) networks, such as LimeWire and BitTorrent.

Maybe, just maybe, Sony and the rest of the RIAA will decide that their customers (the ones that remain) deserve their respect, not their contempt. If they wish to stay in business, anyway.


11/22 The shenanigans by Sony aren’t the only thing to worry about this month. The Register Password-stealing keyloggers skyrocket warns us that

Hackers are on target to release more than 6,000 keystroke loggers in 2005, a 65 per cent increase from the 3,753 keyloggers released last year.

And their delivery mechanisms are getting pretty sophisticated too. ISC SANS More Sober Variants warns of the latest Sober variant, which may arrive in your Inbox disguised as a letter from a US Government agency like the CIA or FBI (as if).

Be paranoid. Be very paranoid.


11/21 The lawsuits against Sony have started. Mark Lyon, of SonySuit.com, has a comprehensive list of the various actions underway around the world.


11/18 The whole Sony problem started some time ago. I first reported it, personally, over 2 weeks ago. Today, SSX4life, in BBR Forums Sony – Opinion and Future, points out

If you put a frog in a boiling pot of water it will try to jump out and struggle for dear life. However, if you put a frog in a cold pot of water and slowly bring it up to temp, the frog will more than willingly sit and boil to death.

If Sony and other music, software, “tech” companies slowly remove the rights of the consumer to a CD / DVD / piece of software that you purchased, then what will happen to the every day consumer…

This is a small quote from this very long thread, and several like it, in BBR Forums and elsewhere.

It is very dark here, and this blog is a very small candle. I’m going to light it, though, and join the Sony Boycott. If you care about your rights, as a consumer of electronic content, you should join the boycott, and sign the petition, too. Demand your rights – it’s your money that pays the salaries of Sony, and of the RIAA.


11/17 As predicted yesterday, Sony’s uninstall procedures created a vulnerability worse than the original rootkit. Websense Security Labs have now published an alert stating

Websense® Security Labs™ has received reports of websites that are using the Sony DRM uninstaller as a means to perform malicious actions on end user machines.

Any user who has downloaded and run the Sony uninstaller program is susceptible to this attack.

Various security software vendors, such as Sophos and Symantec, have produced reliable rootkit removal programs. I do not recommend that you use any software provided by Sony.


11/16 How much deeper can Sony go? The Inquirer Sony DRM infection removal vulnerability uncovered points out what many have discovered

According to Freedom To Tinker, the web based installer is a worse vulnerability than the original rootkit. More on the story here, FTT goes into detail. It seems the ‘cure’ from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine.

And to do themselves still more harm, they still claim to have only 20 infected CD titles out in the wild. USA Today Bad things hide in PCs using Sony BMG software reports

Sony says 20 CD titles use this form of copy protection, from British firm First 4 Internet, but it won’t say which titles. The Electronic Frontier Foundation, a non-profit civil-liberties group, identifies 19 on its http://www.eff.org website from artists including Neil Diamond, Van Zant, Celine Dion and Switchfoot.

However, many watchers of Sony have identified way more than 20. Such as IdiotAbroad, which currently lists 47.


11/15 The Sony issue gets bigger each day. Wired News Sony Numbers Add Up to Trouble reports that AT LEAST half a million computers are out there, infected with Sony’s dirty work. That number was arrived at by technical research; it is a firm minimum, and the actual count is most likely a lot higher.


11/14 The Electronic Frontier Foundation has now entered the picture. In the BBR Forum Microsoft will wipe Sony’s ‘rootkit’ and more, a copy of the advice sent to Sony by the EFF, regarding what Sony needs to do to make its image right with its customers, was presented. We will now see how responsive Sony is.


11/14 The discussion about Sony’s activities is continuing, and it appears that the Rootkit discovered recently is just the tip of the iceberg. Check out BBR Forums SONY throws in the towel … for now, for a very fast moving thread with diverse opinions.

Also, for a comprehensive, and dynamic, list of CDs (or things that look like CDs but aren’t), that you do not want to buy, see the CDR Bad CD list.


11/13 Here’s a neat game. You load a free keylogger on your computer, downloaded from WhatPulse. You form teams, and try to beat each others keystroke counts. WTH?

OK, the keylogger has been checked out, and this version is free from anything malicious. All that it does is count keystrokes. But what about future versions, or imitators’ versions? At best, this game is blurring the line between malware and irresponsible game playing. And what happens if this gets bought out by the bad guys? I just know one of them must be looking at this right now – it’s just perfect for exploitation.

My personal opinion? Encouraging folks to install a keylogger, even something benign (right now) is not something I would recommend. I don’t think this is post Sony paranoia speaking – I would always feel this way. I think this is irresponsible. What do you think?


11/12 BTW, I’m curious. Are there any folk out there reading this, who think that the whole Sony Rootkit thing is much ado about nothing? Well, now that the story is out, folks are looking backwards at previously reported problems. Look at, for instance BBR Security Forum Some earlier signs of Sony’s rootkit…, with a list that bears investigation.


11/12 Sony has backed down, at least publicly. In BBC News World Edition Sony stops making anti-piracy CDs

Sony has said it will suspend the production of music CDs with anti-piracy technology which can leave computers vulnerable to viruses.

I will try to keep an open mind, but for right now, Sony is off my Christmas shopping list.


11/11 The Sony Rootkit story just gets better and better. NPR (National Public Radio, for those of you not USA citizens) did a piece on it Sony Music CDs Under Fire from Privacy Advocates. They interviewed Sony BMG’s Global Digital Business President Thomas Hesse, who had the gall to say for the record

Most people, I think, don’t even know what a rootkit is, so why should they care about it?

And here is my favourite interpretation of that blunder, from BBR Forums First Virus found that uses Sony Rootkit…

Most people, I think, don’t even know what a rootkit is, so we can get away with it.

And here’s a short list of other websites, which I have found, which are also discussing this:


11/10 The Sony Rootkit issue is not going to go away. The Electronic Frontier Foundation, in Are You Infected by Sony-BMG’s Rootkit?, provides an inventory of CDs that are using Copy Protection and the Sony Rootkit.

And, as predicted, the bad guys are now using the Sony Rootkit to hide their own malware. The security firm Sophos reports in Trojan horse exploits Sony DRM copy protection vulnerability

Experts at SophosLabs™, Sophos’s global network of virus and spam analysis centres, have detected a new Trojan horse that exploits the controversial Sony DRM (Digital Rights Management) copy protection included on some of the music giant’s CDs.

The Troj/Stinx-E Trojan horse appears to have been deliberately spammed out to email addresses, posing as a message from a British business magazine.

Typical emails look as follows:

Subject: Photo Approval Deadline

And legal action has started in Italy. As reported by SmartHouse Police Called In To Investigate Sony

The group, calling itself the ALCEI-EFI (Association for Freedom in Electronic Interactive Communications – Electronic Frontiers Italy), filed a complaint about Sony’s software with the head of Italy’s cyber-crime investigation unit, Colonel Umberto Rapetto of the Guardia di Finanza.

Please let Sony know what you think of their antics. The RIAA has to be brought into control, and maybe this is one battle which may help. See The Sony Boycott Blog for other ideas about how to take action.


11/2 Is using a WiFi network that you didn’t set up theft? Some believe it is, others believe it’s not. I think there are a lot of grey areas. If you have any feelings one way or the other, join BBR Forums (it’s free), and participate in this, and similar, discussions.


10/31 The RIAA continues to dig itself into a hole. Sony is now selling music which comes with self-installing software, in an attempt to enforce Copy Protection. If you try to play, for instance, Get Right with the Man by the Van Zant Brothers, as distributed by Sony / BMG, on the CD player on your computer, you will have to install special drivers. These drivers protect themselves with a Rootkit.

When you try to play any similarly Copy Protected music, which is protected by First4Internet’s DRMServer, you will first have to agree to a EULA. Upon agreeing to the EULA, DRMServer will be installed on your computer. To protect DRMServer, which runs as the process $sys$DRMServer.exe, your system will be modified to prevent you from even seeing any traces of processes whose names begin with $sys$. This, my friends, is a Rootkit.

This asinine and poorly constructed attempt to subvert the integrity of your computer was recently discovered by Mark Russinovich, author of RootkitRevealer and a multitude of other very useful system utilities. Mark further discovered that, if you attempt to uninstall the DRMServer drivers, your CD player will become inoperative. This, my friends, is a badly written Rootkit.

Mark further discovered that the Rootkit will hide other files, such as one that he created in a test.

I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.

This, my friends, is a dangerous Rootkit. What if one of the bad guys writes a very bad application, with programs using names protected by DRMServer, and gets it installed on your computer?
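To make the cloaking test concrete, here is an added example in Python, written for this page and not code from PChuck’s Network, Sysinternals, or Sony. It simulates what RootkitRevealer does: compare a raw listing of a namespace against the filtered answer the hooked API returns, and flag anything that went missing. The directory listing, the C:\Windows paths and the process list are constructed samples; the $sys$ prefix and the $sys$notepad.exe / $sys$DRMServer.exe names are the ones the article gives.

```python
"""Cross-view detection of rootkit-hidden names.

Added example; not code from PChuck's Network or from Sysinternals.
RootkitRevealer compares what the Windows API reports against a lower-level
scan of the same namespace; anything present in the raw scan but missing from
the API view is a cloaking candidate. This script simulates that comparison on
constructed listings. The "$sys$" prefix is the one the article names; every
path below is a constructed sample, not a real system listing.
"""
from dataclasses import dataclass

HIDDEN_PREFIX = "$sys$"   # prefix cloaked by the driver, per the article


def leaf(path: str) -> str:
    """Last component of a Windows path ("C:\\Windows\\notepad.exe" -> "notepad.exe")."""
    return path.rsplit("\\", 1)[-1]


def cloak(names: set[str], prefix: str = HIDDEN_PREFIX) -> set[str]:
    """Simulate the driver's hooked system calls: drop every cloaked name.

    Stands in for what a hooked directory-enumeration or process-enumeration
    call hands back to user mode once the rootkit is loaded.
    """
    return {n for n in names if not leaf(n).startswith(prefix)}


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str


def cross_view_diff(raw_view: set[str], api_view: set[str]) -> list[Finding]:
    """Report every discrepancy between a raw scan and the API's answer."""
    findings = [Finding(n, "in raw scan, missing from API view (cloaked?)")
                for n in sorted(raw_view - api_view)]
    findings += [Finding(n, "in API view, missing from raw scan (phantom entry)")
                 for n in sorted(api_view - raw_view)]
    return findings


def prefix_scan(raw_view: set[str], prefix: str = HIDDEN_PREFIX) -> list[Finding]:
    """Signature check: names carrying the prefix the article identifies."""
    return [Finding(n, f"name starts with {prefix}")
            for n in sorted(raw_view) if leaf(n).startswith(prefix)]


# Constructed sample: a raw scan of a directory and of the process list, after
# Mark Russinovich's test of renaming a copy of Notepad to $sys$notepad.exe.
RAW_FILES = {
    r"C:\Windows\notepad.exe",
    r"C:\Windows\$sys$notepad.exe",   # the renamed copy from the article's test
    r"C:\Windows\explorer.exe",
}
RAW_PROCESSES = {"explorer.exe", "notepad.exe", "$sys$DRMServer.exe"}


def demo() -> dict:
    """Run both views through the detector and return what a report would show."""
    api_files = cloak(RAW_FILES)          # what Explorer or "dir" would show
    api_procs = cloak(RAW_PROCESSES)      # what Task Manager would show
    return {
        "files_hidden": [f.name for f in cross_view_diff(RAW_FILES, api_files)],
        "procs_hidden": [f.name for f in cross_view_diff(RAW_PROCESSES, api_procs)],
        "by_prefix": [f.name for f in prefix_scan(RAW_FILES | RAW_PROCESSES)],
    }


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

On a real system the raw view comes from reading the on-disk file system and kernel structures directly, which is the part RootkitRevealer does and this simulation does not; the set comparison is the same either way, and it is why a file you cannot see in Explorer still shows up as a discrepancy. The prefix scan is only a signature for this one rootkit; the cross-view diff catches a driver that hides a different prefix too.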

Here is another, slightly less techie oriented, viewpoint of Sony’s sorry mess. Be patient, this article is on a slow server.

Please let Sony know what you think of their latest attempt to continue a system which was valid, only marginally, in the 1950’s.


10/9 Vista is Coming! I recently spent 4 very intense and brief days in Seattle, as a guest of Microsoft, at MVP Summit 2005. I got my first actual look at Vista, and was treated to half a dozen very detailed descriptions of technical features of Vista. Security-wise, it is 2 to 4 times as significant an advance over Windows XP as Windows XP SP2 was over Windows XP RTM. I can’t say more, but I will be updating my personal impression of it, as time permits. Watch this blog.


8/26 Occasionally there is good news. Today, just 2 weeks after Zotob hit the Internet, the US FBI and others arrested two suspects in its creation. CNet News.com reports in Arrests made in probe of worm that hit ABC, others that the two suspects arrested are suspected of creating both the Mytob and Zotob worms.

This is only a start, but maybe fear of arrest, and fear of execution (as the good news on 7/26 described), might lessen the onslaught of malware just a bit.

But don’t stop protecting yourself just yet. Just don’t give up.


8/17 ZDNet Security Windows worms knocking out computers reports on the ongoing evolution and spread of Zotob, with the latest family member which Symantec has named Zotob.G. F-Secure suggests that the newer versions of Zotob are the product of rival gangs, each busily creating their own botnets.

“We seem to have a botwar on our hands,” Mikko Hypponen, chief research officer at Finnish software security firm F-Secure said in a statement issued on Wednesday.

“There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines,” he said.

Please patch your systems. If your system is infected, you might not notice anything right now. When the bots are activated, that might change.


8/16 The Zotob threat in particular, and the MS05-039 vulnerability in general, having stabilised (not gone away, just stabilised), ISC SANS is Back to InfoCon Green. Zotob is now just another worm, in the background noise on the Internet. Like other worms, it continues to mutate, and has most recently been identified by Symantec as Zotob.E, which is an IRC Bot.

Zotob this afternoon successfully infected CNN, ABCNews, and the NYTimes.

Your computer could be next, so protect yourself. Patch up. But please, and this is an important distinction here, do not protect yourself indiscriminately.


8/15 Zotob continues to evolve.

ISC SANS Zotob Update now reports that Zotob is adding a mass mailer to its payload. In other words, Zotob has now become part of the spammers’ world, and is probably providing financial reward for its releaser. Anybody surprised?

In another unfortunate turn of events, ISC SANS Zotob affecting some XP SP2/2003? recommends that you protect your servers by disabling anonymous connections. Note that they cover themselves by saying “…this will require testing to ensure it does not break valid applications.”.

This seems a harmless and simple change to make, but it has been my experience that, if you depend upon seeing a neat list of all of the computers on your network, in a portion of your desktop known as “My Network Places” or “Network Neighborhood”, disabling anonymous connections will also stop any server from being displayed there. I’m trying to get a confirmation out of Microsoft. Right now, if you are reading the SANS diary referenced above, please don’t go disabling all anonymous connections, at least without knowing the possible consequences.


8/14 ISC / SANS now reports the detection of the first worm to use the MS05-039 vulnerability. The new worm, Zotob, has been reported by Symantec currently in two strains – Zotob.a and Zotob.b.

So the predictions from Friday, which prompted SANS to go to a Yellow Alert, have proven correct.

Patch up, folks. Please.


8/12 Happy Black Tuesday Week, everybody. Yes, last Tuesday was the second Tuesday of the month. And Microsoft issued a suite of updates, including 3 Critical ones. You may see them reviewed in the SANS Diary Microsoft Security Bulletins for August.

Don’t go away yet, though – this gets better. Today’s SANS Diary POC code available for multiple updated MS vulns announces that, of the 6 vulnerabilities admitted to by Microsoft, no fewer than 4 have Proof Of Concept code published which will exploit the announced vulnerabilities.

And we’re not done yet. The MS05-039 vulnerability, Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588), is expected, by SANS, to become a critical issue over the weekend. Three separate exploits for that vulnerability have been announced during the past 24 hours. Proof Of Concept code is expected to be superseded by active attacks, during the next few days.

The Internet Storm Center main page is now at Yellow Alert. This is only the second time that I can remember this being the case since they implemented the colour system.

Microsoft, SANS, and I all recommend that you apply all Critical Patches – MS05-038, MS05-039, and MS05-043 – at your most immediate convenience, if not sooner; and the other three – MS05-040, MS05-041, and MS05-042 – soon afterwards. All users of the Internet thank you for your cooperation.


8/11 The bad guys are getting either more brazen – or more desperate – you decide which.

Since people are getting more and more suspicious of ANY email that asks them to fill out private information online (which is good), ZDNet Security: New scam asks people to fax away data reports that the scammers are now asking you to download a form, fill it out, and fax it to a toll free phone number.

Whether the bad guys giving you a phone number is a stupid move on their part (you can give the number to the police, who can locate the bad guys), or a genius move (the bad guys know you would try to do that, so you would never believe that it was a scam), is being debated.

One thing is obvious: You can not trust ANY email that asks you for ANY personal data, in any form. End of story.


8/3 The Internet is a big community, composed of lots of little communities. And the bad guys, and potentially bad guys, are getting into the act, in new ways, all of the time.

Everybody wants a new way to get “eyes” – that is, to put up a web page, and get visitors to come once, and come back, over and over. One of the newer ways is to provide online databases, “free” to all who wish to participate. Create a new type of community, in other words.

What a neat idea. NOT.

A couple of months ago, we had the Birthday Reminder database. Send us your email address, and your birthday. And send us your friends’ email addresses, and their birthdays. And “we” (our automated mailer) will email YOU when one of your friends’ birthdays is coming up. What a deal.

Can you say “Identity Theft”? I bet you can, if you try.

This month, we have blatant online databases – Online Contact Databases. According to SANS It Takes a Village…, a popular service, Plaxo, now lets you store all of your contact data in their “free” online database. And then emails all of YOUR friends and invites them. And it’s all free. Right.

To broadly paraphrase one Internet wise guy, “If someone emails YOU and tells you that YOUR birthday and / or email address has been added to their online database, and asks you to add your friends to your entry, please forget that I’m your friend.”.

Seriously. DO NOT EVER add my name, birthday, email address, or anything about me, to any online database without ME telling you to do so, and what database to add it to. And don’t be holding your breath waiting for me to name one that I consider safe. And if I do find one, chances are, it won’t be free.

TANSTAAFL (there ain’t no such thing as a free lunch). I’ll be a nice guy.


7/29 And a new worm hits the Internet. The worm, Hagbard.A, passes itself off as an IM from one of your friends, and tries to trick you into downloading a free version of a hot video game, as ZDNet Security reports in Worm poses as pirated ‘Grand Theft Auto’.

Except what installs itself on your computer is no game, it’s a server program, so YOU can serve up another copy of the worm to your former friends. As one of YOUR former friends just did to you.

Be skeptical, folks. And when you get an IM with a URL in it, always ask yourself if your friend would actually send that. Then ask your friend to verify.


7/28 When asked for technical advice, by someone with AOL, I’m usually tempted to say something curt like “If you have AOL, then you’re beyond my ability to help you”. A lot of Networking and Security snobs will say that anyway.

Today, that attitude shouldn’t apply. If you have AOL, particularly Bring Your Own Internet, where you pay for AOL content but have another ISP, you’re just like any Internet user. So, since you hopefully understand the need for Defense In Depth, aka Layered Security, you set up a NAT router and / or a personal firewall, just like any other Internet user. And you’re just as safe as any other Internet user. Right?

Wrong.

With the AOL Bring Your Own Internet service, you set up a Virtual Private Network between your network and AOL. You get AOL content, but it’s safer than the rest of the Internet, because the VPN means no unsafe traffic from non-AOL sources. If you can trust AOL, then you’re safe.

Unfortunately, the AOL VPN goes from your computer, through your personal firewall, and through your NAT router, as protected content. Neither your personal firewall nor your router filters it in any way. And if the AOL content ever becomes dangerous, your network is wide open. Lawrence Baldwin, of myNetWatchman, provided Why you should block AOL Client on a corporate network, which explains the problem in more detail, some time ago.

Today, SANS offers The Penetrating Packets: Spam E-Mail (scroll down a bit from the top of their page, there’s no direct link), which is a real live example of how someone’s AOL connection, through his home network, caused contamination of an actual workplace network.

If you have AOL (and I won’t get into what I don’t like about it), particularly AOL with BYO Internet, please examine how your firewall / router / other Layered Security is set up. Please harden your network with a bit of extra care. Don’t trust the AOL backbone any more than you must.


7/26 Those of us who follow Christianity are taught to love our enemies. Nonetheless, it’s hard not to feel some small bit of pleasure in reading SecurityFocus Russian spammer murdered.

Apparently, even though spamming is not illegal in Russia, someone there saw fit to end his arrogant abuse of the Internet.

The elimination of one bad guy can only be a small improvement in the world; Lord willing, more of his coworkers might be hoped to follow him. We have the right to enjoy the Internet and all of its legitimate improvements upon our lives without having to put up with abuse by Kushnir and his peers.


2005/07/26 The increasing popularity of blogs has now drawn its share of imitators, including the bad guys. A blog, which is simply a bulletin board or discussion forum with easy-to-use software, can be set up by most folks with any technical skills, and that apparently includes some bad guys, who are now luring the innocent to their sites from email and Instant Messages.

According to ZDNet Security Phishing twist relies on bogus blogs, once lured to a malicious blog, the unwary victim’s computer becomes infected with software designed to steal sensitive information, such as passwords and bank account information. In a later article Attackers lurk on photo sites, firm warns, we learn of one noted case

When a victim clicks on a link, the computer becomes infected. In one case, a greeting card was displayed and a tune played in the background while spyware was being installed on the compromised PC, Websense said.

Once again, if you’re going to surf the web, particularly from IM and email, please protect your computer.


2005/07/15 Are you one of 220 million US consumers who are trying to get a copy of your government mandated free credit report? According to SecurityFocus Report: Squatters a major problem for credit-report site, if you don’t type in the URL http://www.annualcreditreport.com/ very carefully, you may quite possibly end up on one of 200 imitation or openly bogus websites.

At best, you will be charged a $35 fee for the same information which is available from the genuine website for nothing. In extreme cases, you may become an identity theft victim, if you unknowingly provide your SSN and other details to one of the more malicious websites.

The link to the genuine website is above. Or, type the URL very carefully, as “www.annualcreditreport.com”. Or, as Paul Dixon recommends, contact the credit bureaus by phone or mail.


2005/07/14 Oh by the way, for those of you using Firefox (and I hope that includes most of you!), Firefox V1.0.5 has just been released. Install it, please.


2005/07/13 Another chapter in one of my favourite serial security articles – Follow the Bouncing Malware VI: Hypnotized and EULAgized was published today. For those of you who are new to this web page, FTBM is a repeating yet ever-changing look into how clever the malware authors of the world are getting.

Follow the Bouncing Malware is a SANS feature that started about a year ago, as one unprotected computer was exposed to the Web, and its ensuing infections recorded in detail. It was so popular that its author has repeated his experiment 5 times since the original, with something new each time.


2005/07/12 Happy Patch Tuesday! Microsoft released 3 critical patches today. Start patching.


2005/07/12 So, almost 2 weeks since the last alert. Boring? Not really. True, there haven’t been too many new threats. I’d guess that the bad guys have been too busy managing their ongoing activities, selling their services, and traveling to the bank with all their illegally earned cash, to create any new threats.

Who needs new threats? Botnet activity quadrupled in April thru June of this year, compared to the previous quarter. That’s from a McAfee Quarterly Report, as reported by ZDNet Security: Computer hijacking on the rise.

Don’t be part of the increase – keep your computer clean – practice Layered Security.


2005/06/28 Earlier this month, I alerted you to an old threat that had just been enhanced by its creators, making it even more of a nuisance. Bagle, renamed MitGlieder, had been released in a new, enhanced, form with extra powers.

Well, ZDNet Security reports that MitGlieder.BQ was released last weekend. So keep being very careful what email you open – look out for surprises, because this one is a surprise that you don’t want!


2005/06/22 If you use secure websites that require a username and password, make sure that you protect yourself against phishing attempts from malicious websites. The latest threat? If you surf to a malicious website, that isn’t already blocked by a Layered Defense, the website could open a window from a website that you trust, then a pop-up window on top of that from their own website. If the pop-up window doesn’t display any details about where it comes from, you could be fooled into thinking that it’s from the trusted website underneath.

You enter your username and password to the trusted website into the phishing window, and the bad guys now have your username and password.

The solution? Don’t trust pop-up windows that don’t include an address bar or a lock icon that verifies that it came from a certified source.

See if you’re vulnerable! Run the Secunia Multiple Browsers Dialog Origin Vulnerability Test.

For more details, read Microsoft Browser Windows Without Indications of Their Origins may be Used in Phishing Attempts, and ZDNet Pop-up vulnerability found in major browsers.


>>Yesterday’s Alerts


NAS Has Its Own Limitations

December 26, 2006

I needed a larger hard drive to store my movie collection. My server was maxed out, and I didn’t feel like buying a new computer, so I bought a computer in a box, aka Network Attached Storage.

But what makes NAS so attractive is also a limitation. Since NAS is, by design, accessible from any operating system, you’ll find that it doesn’t behave as predictably as NTFS and Windows Networking do.

So NAS is a great solution, if you need a quick, inexpensive storage boost. But know the limitations.

NetCheck Source

December 18, 2006

Besides using network monitoring tools like The Dude, sometimes you need detailed information. Occasionally, having the same detailed information, for all computers on the network, is useful. If you need to extract that same bit of information, repeatedly, scripting the extract is the only thing to do.

This is where NetCheck comes into use.

NOTE: Using NetCheck successfully requires that you have a working administrative account set up, and in use, on your LAN. Make sure that you have the authority, before wasting your time.

Take the following code (everything INSIDE the “#####” lines). Please DO NOT include ANY portion of the “#####” lines. Follow the instructions below precisely.

  1. Create folder C:\Utility on your computer, and make that folder part of the Path.
  2. Download PSTools (free) From SysInternals. Copy all components of PSTools, unzipped, into C:\Utility.
  3. Open Notepad. Ensure that Format – Word Wrap is not checked. Highlight then Copy the code (Ctrl-C), precisely as it is presented below, and Paste (Ctrl-V) into Notepad.
  4. Add a list of your computers – substituted for “pc1 pc2 pc3” – into the third command. Note: This list is case insensitive – “PC1” is the same as “pc1”.
  5. Save the Notepad file as “netcheck.cmd”, as type “All Files”, into C:\Utility.
  6. Run it by Start – Run – “netcheck”.
  7. Wait patiently.
  8. When Notepad opens up displaying c:\netcheck.txt, first check Format and ensure that Word Wrap is NOT checked! Then, copy the entire contents (Ctrl-A Ctrl-C) and paste (Ctrl-V) into your next post. Or, examine the file yourself.

Do this from each computer, please, with all computers powered up and online. Running this code from each computer will give us a more complete picture of how each computer is set up, and what each computer can see from the others. On a completely working LAN, the copies produced from each computer should be symmetrical, so running it repeatedly would be redundant. Since you’re here, it probably won’t be redundant for you.

##### Start NetCheck Base Code

@echo off
rem Start a fresh report; each computer in the list appends its own section.
@echo NetCheck V1.00 >c:\NetCheck.txt
rem Substitute your own computer names for "pc1 pc2 pc3" (case insensitive).
for %%a in (pc1 pc2 pc3) do (call :Loop1 %%a)
notepad c:\netcheck.txt
goto :End

:Loop1
rem Run the commands remotely with PsExec, unless %1 is this computer.
set NetCheckCmd=psexec \\%1
if /i %1!==%computername%! set NetCheckCmd=
@echo.
@echo NetCheck %1
@echo. >>c:\NetCheck.txt
@echo NetCheck %1 >>c:\NetCheck.txt
@echo. >>c:\NetCheck.txt
rem IP configuration, Server service settings, and browser service status.
%NetCheckCmd% ipconfig /all >>c:\NetCheck.txt
@echo. >>c:\NetCheck.txt
%NetCheckCmd% net config server >>c:\NetCheck.txt
@echo. >>c:\NetCheck.txt
rem browstat.exe comes from the Windows Support Tools, not from PSTools.
%NetCheckCmd% browstat status >>c:\NetCheck.txt

:End

##### End NetCheck Base Code
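To make sense of the file the script produces, here is a parser, added as an example and not part of NetCheck itself, that reads the section written for each computer, pulls the subnet, gateway, DNS servers and master browser out of the ipconfig and browstat output, and reports where the copies fail to be symmetrical. The sample text inside it is constructed to look like the script’s output (the field layout follows ipconfig /all on Windows XP); it is not captured from a real LAN. The DNS check points at the “router as DNS relay” situation discussed further down this page under Using A DNS Relay On Your LAN.

```python
"""Parse the netcheck.txt file the NetCheck script writes and compare each
computer's view of the LAN. Added example, not part of NetCheck; the
sample text below is constructed, not captured from a real LAN."""
import ipaddress
import re

# Constructed sample of the file for two computers. pc2 has been put on a
# different subnet and names a different master browser on purpose, so the
# checks below have something to report.
SAMPLE_NETCHECK = r"""NetCheck V1.00

NetCheck pc1

        Host Name . . . . . . . . . . . . : PC1
        IP Address. . . . . . . . . . . . : 192.168.0.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1

Server Name                           \\PC1
Server hidden                         No

    Browsing is active on domain.
    Master browser name is: PC1

NetCheck pc2

        Host Name . . . . . . . . . . . . : PC2
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            192.168.0.2

Server Name                           \\PC2
Server hidden                         No

    Browsing is active on domain.
    Master browser name is: PC2
"""

SECTION = re.compile(r"^NetCheck (?!V\d)(\S+)\s*$")  # "NetCheck pc1", not the version line
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()/-]*?)[ .]*: ?(.*)$")  # "Key . . : value"
MASTER = re.compile(r"Master browser name is:\s*(\S+)")


def split_sections(text):
    """Group the file's lines by the computer whose output they belong to."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_fields(lines):
    """Turn 'Key . . . : value' lines into {key: [values]}. An indented line
    that is only an address continues the previous key, which is how
    ipconfig lists a second or third DNS server."""
    fields, last = {}, None
    for line in lines:
        m = KEYVAL.match(line)
        if m:
            last = m.group(1).strip()
            fields.setdefault(last, []).append(m.group(2).strip())
            continue
        value = line.strip()
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # not a bare address, so not a continuation line
        if last:
            fields[last].append(value)
    return fields


def summarise(text):
    """One record per computer: subnet, gateway, DNS list, master browser."""
    hosts = {}
    for name, lines in split_sections(text).items():
        f = parse_fields(lines)
        ip, mask = f.get("IP Address", [""])[0], f.get("Subnet Mask", [""])[0]
        m = MASTER.search("\n".join(lines))
        hosts[name] = {
            "network": str(ipaddress.ip_interface(f"{ip}/{mask}").network) if ip and mask else "",
            "gateway": f.get("Default Gateway", [""])[0],
            "dns": f.get("DNS Servers", []),
            "master": m.group(1).lower() if m else "",
        }
    return hosts


def check_symmetry(hosts):
    """On a working LAN every copy agrees; report the places where they don't."""
    findings = []
    networks = sorted({h["network"] for h in hosts.values()})
    if len(networks) > 1:
        findings.append("computers are on different subnets: " + ", ".join(networks))
    masters = sorted({h["master"] for h in hosts.values()})
    if len(masters) > 1:
        findings.append("computers disagree about the master browser: " + ", ".join(masters))
    for name, h in sorted(hosts.items()):
        if h["dns"] and h["dns"] == [h["gateway"]]:
            findings.append(f"{name}: the router is its only DNS server (DNS relay)")
    return findings


if __name__ == "__main__":
    for finding in check_symmetry(summarise(SAMPLE_NETCHECK)):
        print(finding)
```

Point it at a real file with summarise(open(r"c:\netcheck.txt").read()) and it prints one line per disagreement; no output means the copies agree on subnet, master browser, and DNS, which is the symmetry the instructions above ask you to look for.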

Centralised (Structured) Wiring In Your Home

December 6, 2006

If you have two computers, you connect the two computers with a single cable, Computer A to Computer B. I’ll bet (hope) that you don’t have just that, though. You probably have at least one more computer – your router (which is connected to the broadband modem). So you have a cable from the router to each computer. This is assuming that you aren’t using WiFi to connect either computer, and again I’ll point out that WiFi is not a good substitute for Ethernet cable.

So you have your router, and a couple computers, in the same room, and you run Ethernet cables between them. But are all computers in the same room? Not if you have a well planned house. You’ll probably have one or more of

  • An office computer, for financial and secure activities.
  • An entertainment computer, in the den / family room, for fun.
  • A second computer, in the den / family room, for music / videos, with a large screen (what used to be called a television / stereo / home entertainment center).
  • In your kitchen, you need a computer for recipe access, maybe for inventorying and ordering food.
  • How about one in the garage, for reference when you work on the car?
  • The bedroom, for late night web surfing (no, we won’t discuss that any further).

Now, there are many reasons why having separate computers, with different designs, is relevant.

  • Locational convenience. Why walk into another room, to use a computer in there, if you have one in front of you?
  • Redundancy. One computer will not last forever. Maybe last year’s office computer is now in the bedroom, and your first computer, old and grungy, is in the garage. If one computer dies, it will be inconvenient to walk into the other room to continue the current activity, but you can do that easier than having to fix the one computer on the spot.
  • Security. The web is full of dangers. Each different website may have its own dangers, and I’d bet that different types of websites will focus those dangers. Restricting different activities to different computers makes sense. Keep your office computer, with financial secrets, safe and secure, by keeping it very clean. Other computers, other activities.
  • Sharing house space. One person can be in the office, doing financial chores, another in the garage, doing auto or home maintenance, and a third in the kitchen, preparing a meal. And each using a separate computer.

So now that we’ve admitted to needing computers all over the house, how do you plan to wire them to each other? One long cable – Garage to kitchen to den to living room to office to bedroom? Please don’t do that.

Any properly planned business has one or more centralised and secured rooms for wiring and for central equipment (servers). The home of the future will too. The hub room will be where the video communications (“cable TV”) and voice communications (“telephone”) services will enter from the outside. There you connect your internal cabling. And from there, you make home runs to each room.

This is where you start. More and more homes are being built, with network cabling designed and installed just as coax (“television”), electrical, and voice (“telephone”) cabling is. A requirement, not a luxury.

Using The Internet As A WAN Link? Use A VPN.

December 4, 2006

Stable and secure Windows Networking depends upon properly designed, routed, subnets. IP routing was designed to make Local Area Networks connect, yet still observe geographical relationships. Using routers between LANs allows localisation of some domain services (browsing, name resolution), but wide spread availability of others.

When you route IP connectivity thru wiring that you own and control, all connected LANs are as safe as any of those LANs. Threats on the outside (Internet) stay on the outside.

What if you have 2 LANs, distant from each other, and can’t justify the expense (initial or ongoing) of a leased or owned communication line? If both LANs have Internet access, you can still connect them, just use the Internet as the WAN link.

But wait! I hope you know how dangerous the Internet can be. It’s bad enough when accessing it as clients. Plain old web browsing is bad enough, how about running a server on the Internet? OK, how about running all of the computers on your LANs thru the Internet? Why not hold up a $100 bill, and stroll thru Times Square in New York City? See if you get anywhere alive.

But you can connect your LANs thru the Internet, if you design the connection properly. A controlled, encrypted tunnel between your LANs, using routers that support a Virtual Private Network (aka VPN) will do this fine.

A VPN will be a lot easier to setup, and more stable and secure, when properly planned.

Each LAN Is Addressed By Its WAN Address.
The VPN routers set up static tunnels between each other. Setting up a VPN router requires identifying the other router(s). If you can’t provide a fixed IP address for each router, you’ll have to use a domain name, registered with a dynamic DNS service like DynDNS, TZO, or the like.

Hardware Compatibility Is A Must.
There are various conventions and standards for establishing, and conducting, authentication and encryption in a VPN. Each router manufacturer will likely have some variation, however small. The easiest, and most stable, VPNs will use router hardware of the same make, model, and firmware level.

LAN Subnets Must Be Unique.
A VPN provides a routed connection between LANs. In order for routing to work best, you have to have different subnets on each LAN. When you set up a VPN between LANs that were set up before being connected, you may have some LANs using the same subnet. You can’t have stable LANs, each having the same subnet, connected by a router.

Use DNS For Reliable Name Resolution.
On most small LANs, you’ll use broadcasts for name resolution. Broadcasts aren’t routable; each IP subnet is, by definition, a broadcast domain. If you want computers on one subnet to access computers on another (which is, presumably, why you’re setting up a VPN), you’ll want to use computer names, not IP addresses. DNS based name resolution is the only way to go, for anything more complex than a single local cluster of computers.

Use Domains, Not Workgroups.
If you use Network Neighbourhood to identify and access other computers, you’ll need browsing to work between the subnets connected thru the VPN. A properly designed domain structure will make browsing work much better.

Connectivity Between A LAN And The Internet Can Affect Its Connection With The Others.
A VPN connection between any two LANs requires Internet access by both. If one LAN has a dual WAN business class DSL service, and the other has residential class dialup, how secure and stable will that VPN be?

Security On Any LAN Can Affect The Others.
VPNs are used to connect geographically separate LANs, and imply some degree of trust between those LANs. The computers on any LAN, connected to a VPN, are only as secure as the computers on the LAN with the weakest security policies. Review and synchronise security policies before setting up a VPN.
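A worked example of the subnet planning the list above calls for, added here and not taken from the original article or from any router vendor: it finds LANs whose subnets collide, proposes a free block for renumbering one of them, lists the static routes each VPN router will need, and shows that two addresses can only rely on broadcast name resolution when they sit in the same LAN. The site names and subnets are constructed.

```python
"""Pre-flight checks for joining LANs with VPN tunnels. Added example with
constructed site names and subnets; not the page's own code."""
import ipaddress
from itertools import combinations

# Constructed example: four LANs about to be joined. "office" and "branch"
# were numbered independently and collided, which is the case the article warns about.
SITES = {
    "office": "192.168.1.0/24",
    "branch": "192.168.1.0/24",
    "home": "192.168.0.0/24",
    "warehouse": "10.0.5.0/24",
}


def overlapping_sites(sites):
    """Pairs of sites whose subnets overlap; a router cannot tell them apart."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def next_free_subnet(sites, pool="192.168.0.0/16", prefixlen=24):
    """First block of the given size in the pool that no site already uses,
    as a candidate for renumbering a colliding LAN."""
    used = [ipaddress.ip_network(cidr) for cidr in sites.values()]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def tunnel_routes(sites):
    """Static routes each site's VPN router needs: every other LAN's subnet,
    reached through the tunnel to that site. Refuses overlapping subnets."""
    clash = overlapping_sites(sites)
    if clash:
        raise ValueError(f"overlapping subnets, renumber first: {clash}")
    return {
        name: [(sites[other], other) for other in sorted(sites) if other != name]
        for name in sites
    }


def broadcast_reachable(ip_a, ip_b, sites):
    """True only when both addresses sit in one LAN: NetBIOS broadcasts stop
    at the router, so anything across the tunnel needs DNS instead."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    return any(a in n and b in n for n in map(ipaddress.ip_network, sites.values()))


if __name__ == "__main__":
    print("collisions:", overlapping_sites(SITES))
    fixed = dict(SITES, branch=next_free_subnet(SITES))
    for site, routes in tunnel_routes(fixed).items():
        print(site, routes)
```

The route table comes out the same shape on every router: one entry per remote LAN, which is why identical hardware and firmware (the compatibility point above) makes the job so much simpler.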

Knowing What’s On Your LAN

December 3, 2006

Whenever you are diagnosing a network problem, whether it involves simple Windows Networking connectivity, or file sharing, you can run native Windows commands like “net view”. This tells you what servers can be seen on the LAN.

But “net view” operates under Windows Networking. When you’re diagnosing a network problem, you have to start at the lower levels, and work upwards. What about some diagnostics at a lower level, just to verify IP connectivity?

For an immediate scan of the subnet, I rely upon two free products – AngryZiber Angry IP Scanner, and Softperfect Research Network Scanner. Both tools will start with the subnet that your computer is attached to, and scan each possible IP address on that subnet. For each IP address responding, you can find out host name, MAC address, and response time. This is a good start, for finding, and tracking, computers on your network.

Remember, though, both of these products list hosts using Internet Protocol. If your LAN uses alternate transports like IPX/SPX or NetBEUI, neither will be very useful.
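The scan those two tools perform, as an added Python example rather than either product’s code: enumerate every host address in your own subnet, ping each one in parallel, and reverse-resolve the ones that answered. The probe and lookup functions are parameters, so the sweep logic can be checked offline with fake responders; the address in the main block is constructed. Like the two scanners, it only knows IP, and it relies on ICMP: a computer whose Windows Firewall does not allow incoming echo requests will not appear, so an empty result never proves an address is unused.

```python
"""Ping sweep of the local subnet, the way the IP scanners above work.
Added example, not the page's own code. ICMP only: hosts that only speak
IPX/SPX or NetBEUI, or that drop ping, will not show up."""
import ipaddress
import platform
import socket
import subprocess
from concurrent.futures import ThreadPoolExecutor


def local_subnet(ip, mask):
    """The subnet this computer is attached to, from its own address and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def ping(host, timeout_s=1):
    """One ICMP echo request via the OS ping command; True if it was answered.
    Flags assume Windows ping (-n count, -w milliseconds) or Linux ping (-c, -W seconds)."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def reverse_name(ip):
    """Host name for an address, or '' when nothing answers the reverse lookup."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def sweep(network, probe=ping, resolve=reverse_name, workers=32):
    """Probe every host address in the subnet in parallel and return
    [(address, name)] for the ones that answered, in address order."""
    hosts = [str(h) for h in ipaddress.ip_network(network).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answered = [h for h, up in zip(hosts, pool.map(probe, hosts)) if up]
    return [(h, resolve(h)) for h in answered]


if __name__ == "__main__":
    # Constructed address and mask; take yours from ipconfig /all.
    net = local_subnet("192.168.0.10", "255.255.255.0")
    for addr, name in sweep(str(net)):
        print(addr, name or "(no reverse name)")
```

Keep a copy of the output from a day when everything worked; comparing a later sweep against it is the quickest way to notice a missing computer, or one you did not put there.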

The Files And Settings Transfer Wizard

November 20, 2006

One of the many benefits of having a domain is the ease in managing user accounts and profiles. The user accounts, and profiles, start on the domain controller, and are replicated onto the client computers as necessary. The domain controller is updated, with any changes to the profile, from the client computer. When you move to a new computer, the updated profile is copied from the domain controller.

When you’re in a workgroup, managing accounts and profiles is not so simple. Next time you have Windows Explorer open, look at “C:\Documents and Settings”. Look at your personal profile folder structure in there. How do you find and copy all of the settings, and personal files, in there? Doing that, file by file, could take forever.

So we have the Files and Settings Transfer Wizard, to export all personal settings, and profile files, for installation on another workgroup computer. To run the wizard, go to All Programs – Accessories – System Tools.

When you run the wizard, you have 2 main choices.

  • Export
    This is the computer I want to transfer files and settings from.

  • Import
    This is the computer I want to transfer files and settings to.

Should you choose to Export, you must then choose what media to use.

  • Direct (serial) cable.
  • Network.
  • Removable media (“Floppy” drive or similar).
  • Removable drive or network drive.

Should you choose to Import, you are asked about how you ran (or intend to run) the wizard on the old computer.

  • Create a wizard disk in removable media.
  • You already created a wizard disk.
  • You will use the XP CD wizard.
  • You already ran the wizard on the old computer, and have exported everything.

WiFi Authentication

October 28, 2006

When you set up your computers on your network, and your network is used by more than one person, you’ll likely have files and folders on your computer that you don’t want other people to access. Windows file sharing, and access permissions, is an intricate subject with many possibilities.

When you setup your WiFi LAN, you probably have simpler goals.

  • Allow you (and your family, friends, co-workers, other folks you know) to connect to your LAN.
  • Prevent folks you don’t know from connecting to your LAN.

With these simple goals, you set up very simple security. Give everybody (every computer) a simple, pre-shared key. WPA-PSK is the simplest effective solution for securing your WiFi LAN.

Given the possibility that you might not want everybody to have WiFi access permanently, WPA-PSK may not be versatile enough for you. You can set up individual access, using 802.1x, or RADIUS based, authentication. To use 802.1x authentication, you have to set up 3 components.

  • A RADIUS server.
  • Your router or WiFi access point.
  • Your WiFi clients.

If you select 802.1x authentication when you set up your WiFi client, and you don’t have a RADIUS server, your WiFi client will spend a lot of time needlessly trying to contact a RADIUS server. If your WiFi connection drops regularly, and resumes with no action taken by you, check your WiFi client, and make sure that 802.1x authentication is not enabled.

Interestingly enough, 802.1x authentication is a selectable feature on most client connections, Ethernet as well as WiFi. Selecting 802.1x authentication on an Ethernet LAN, without a RADIUS server, isn’t usually a problem, as it is with WiFi.

Using A DNS Relay On Your LAN

October 13, 2006

As I discuss in The DNS Server Settings On Your Computer, your ability to resolve server names into addresses is almost as important as the ability to contact the servers in the first place. The DNS client structure offers multiple options.

If your Internet service goes thru a NAT router, you may be using the router as a DNS relay.

        DNS Servers . . . . . . . . . . . : 192.168.0.1

Normally, as I discuss in the other article, you would not want a single DNS server. But if you have Internet service thru a single failure point (the NAT router), you might as well get DNS there too. If the NAT router goes out, you won’t need DNS. Simplifying your setup makes sense here.

If you have a collection of computers, you can configure all of them to use the NAT router as an intermediary DNS server. The router maintains the actual DNS server relationships with its upstream feeds, checking the primary, secondary, even tertiary servers, as necessary. Each client has to worry about one relationship – the router.

But this can be a problem in one case. If your NAT router can be overloaded, it’s possible that DNS relay functions may fail, while simple routing continues. The DNS relay function in ICS, if your Internet service depends upon an ICS server, appears to be subject to interruption when CPU load on the system is high.

This may be yet another reason why ICS is not a good solution for sharing Internet service.

