James O'Neill's Blog

August 7, 2012

The cloud, passwords, and problems of trust and reliance

Filed under: Privacy,Security and Malware — jamesone111 @ 9:02 pm

In recent days a story has been emerging about a guy called Mat Honan. Mat got hacked: the hackers wanted his Twitter account simply because he had a three-letter Twitter name. Along the way they wiped his Google mail account and (via Apple's iCloud) his iPhone, iPad and his MacBook. Since he relied on stuff being backed up in the cloud he lost irreplaceable family photos, and lord only knows what else. There are three possible reactions: Schadenfreude ("Ha ha, I don't rely on Google or Apple, look what happens to people who do"), "What an idiot, not having a backup", or "There but for the grace of God goes any of us".

Only people who've never lost data can feel unsympathetic to Mat, and I've lost data. I've known tapes which couldn't be read on a new unit after the old one was destroyed in a fire. I've learnt by way of a disk crash that a server wasn't running its backups correctly. I've gone back to optical media which couldn't be read. My backup drive failed a while back, though fortunately everything on it existed somewhere else; making a new backup showed me in just how many places. I've had memory cards fail in the camera before I had copied the data off them, and I had some photos which existed only on a laptop and a memory card which were in the same bag that got stolen (the laptop had been backed up the day before the photos were taken). The spare memory card I carry on my key-ring failed recently, and I carry that because I've turned up to shoot photos with no memory card in the camera: never close the door on the camera with the battery or memory card out. I treat memory cards like film and just buy more and keep the old cards as a backstop copy. So my data practices look like a mixture of paranoia and superstition and I know, deep down, that nothing is infallible.

For many of us everything we have in the cloud comes down to one password. I don't mean that we log on everywhere with "Secret1066!" (no, not my password). But most of us have one or perhaps two email addresses which we use when we register. I have one password which I use on many, many sites which require me to create an identity but where that identity doesn't secure anything meaningful to me. It doesn't meet the rules of some sites (and I get increasingly cross with sites which define their own standards for passwords) and on those sites I will set a one-off password like "2dayisTuesday!"; when I come to use the site again I'll just ask them to reset my password. Anything I have in the cloud is only as secure as my email password.
There are some hints here. First: any site which can mail you your current password isn't storing it properly. The proper way to store a password is as something computed from it (a salted, deliberately slow hash), so that it is only possible to tell whether the right password was entered, not what the password is. Second: those computations are case sensitive and need no short maximum length, so any site which treats passwords case-insensitively or caps their length probably doesn't have your details properly secured either. Such sites are out there (Tesco, for example) and if we want to use them we have to put up with their security. However, if they get hacked (and you do have to ask: if they can't keep passwords securely, what other weaknesses are there?) your user name, email address and password are in the hands of the attackers, so you had better use different credentials anywhere security matters, which of course means on your mailbox.
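As an added example (it is not code from the original post), here is what "something computed from the password" looks like in practice, in PowerShell on .NET's PBKDF2 implementation (Rfc2898DeriveBytes). The user table, iteration count and sample password are constructed for this illustration. A site holding records like these can check a password but has nothing to mail back, and the check is naturally case sensitive and indifferent to length, which is why a site that is case-insensitive or caps password length gives itself away.

```powershell
# Added example (not from the original post): storing a password as a salted, slow hash
# so a site can verify a password but never reveal it. Uses .NET's PBKDF2
# (Rfc2898DeriveBytes); the "user table" is an in-memory hashtable.
$Iterations = 100000   # assumption: chosen for this example; raise it as hardware gets faster

function New-PasswordRecord {
    param([Parameter(Mandatory=$true)][string]$Password)
    # A fresh random salt per user: identical passwords get different hashes, and a
    # precomputed table of hashes for one site is useless against another.
    $salt = New-Object byte[] 16
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($salt)
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Iterations)
    $hash = $kdf.GetBytes(32)
    # Only the salt, the iteration count and the derived key are stored: there is no
    # password here for a "forgot your password?" page to mail out.
    return @{
        Salt       = [Convert]::ToBase64String($salt)
        Iterations = $Iterations
        Hash       = [Convert]::ToBase64String($hash)
    }
}

function Test-Password {
    param([Parameter(Mandatory=$true)][hashtable]$Record,
          [Parameter(Mandatory=$true)][string]$Candidate)
    $salt   = [Convert]::FromBase64String($Record.Salt)
    $kdf    = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Candidate, $salt, $Record.Iterations)
    $calc   = $kdf.GetBytes(32)
    $stored = [Convert]::FromBase64String($Record.Hash)
    # Compare every byte rather than stopping at the first mismatch, so the time taken
    # does not leak how much of the hash matched.
    $diff = 0
    for ($i = 0; $i -lt $stored.Length; $i++) { $diff = $diff -bor ($stored[$i] -bxor $calc[$i]) }
    return ($diff -eq 0)
}

# Constructed sample data: a user table holding records, never passwords.
$users = @{}
$users['alice'] = New-PasswordRecord -Password 'correct horse battery staple'

# What a breach of this table exposes: salt, iteration count and hash only.
$users['alice']

Test-Password -Record $users['alice'] -Candidate 'correct horse battery staple'   # the real password
Test-Password -Record $users['alice'] -Candidate 'Correct Horse Battery Staple'   # same letters, different case
Test-Password -Record $users['alice'] -Candidate ('x' * 200)                        # a 200-character candidate: length is no obstacle
```

A site that can email you your password has, by contrast, stored `$Password` itself (or something it can decrypt back to it), and a site that lower-cases or truncates before comparing is usually doing so because it compares against that stored string.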

So your email password is the one password to rule them all and obviously needs to be secure. But there is a weak link, and that seems to be where the people who hacked Mat found a scary loophole. The easiest way into someone's mailbox might be to get an administrator to reset the password over the phone, not to guess or brute-force it. The only time I had my password reset at Microsoft, the new one was left on my voicemail, so I had to be able to log in to that. If the provider texts the password to a mobile phone or resets it to (say) the town where you were born (without saying what it is) that offers a level of protection; but, be honest, do you know what it takes to get someone at your provider to reset your password, or what the protocol is? In Mat's case the provider was Apple, for whom the hacker knew an exploitable weakness, but it would be naive to think that Apple was uniquely vulnerable.

Mat's pain shows the risk in having only a mailbox provider's password-reset policy between a hacker and your computer and/or your (only) backup. One can build up a fear of other things that stop you having access to either computer or backup without knowing how realistic they are. I like knowing that my last few phones could be wiped easily, but would I want remote wipe of a laptop? When my laptop was stolen there wasn't any need to wipe it remotely as it had full-volume encryption with Microsoft's BitLocker (saving me a difficult conversation with corporate security) and after this story I'll stick to that. Cloud storage does give me off-site backup and that's valuable (it won't be affected if I have a fire or flood at home) but I will continue to put my faith in traditional off-line backup, and I've just ordered more disk capacity for that.

October 18, 2010

An unexpected call from a help desk? Hang up.

Filed under: Privacy,Security and Malware — jamesone111 @ 2:04 pm

My phone rang: it was my dad. Father/son combinations don't ring to chat like mother/daughter ones do, and Dad had been having computer problems. Specifically, Excel had been crashing but managing to recover his work. Each time it had offered to send data to Microsoft and each time he had declined. Then his phone had rung and the caller said it was about the problems he was having with his computer.

To me this was immediately suspicious: there is nothing in the Microsoft error-reporting process which sends personal information like phone numbers. In fact when you register Windows you don't put a phone number in, and it is not stored anywhere in the configuration of the machine. Dad doesn't have a support contract with anyone, so even if personal information were being sent I wouldn't expect a phone call. It would need quite some call centre to manage a courtesy call every time an app crashed. The only way the caller could know that there was a problem and have his details was if something malign on the machine was telling them.
Dad assumed the caller was legitimate: he assumed they'd been given his details by Microsoft. We only give your personal information to a third party if you have requested a specific service which needs us to do that, or said you were happy to be called about something specific by a partner (which is opt-in, not opt-out).
They had his confidence and things now went from bad to worse: the caller got Dad to give him remote access to the PC for 50 minutes. There's no telling what went on in that time, but at this stage I had to assume the machine, and everything on it, was potentially compromised. Changing passwords would do no good if a key-logger had been installed.
After 50 minutes they called back and told Dad they'd removed 300 viruses from his machine (a bit of a dent for the anti-virus software he was using, and almost certainly untrue) and signed him up for a £180 support contract which he paid by credit card. When he went to use the card... as if you couldn't guess, it bounced.

I told him to turn everything off and quarantine the PC. Having realised he'd been taken in, he took steps to get his credit card re-issued, and he set about changing all the passwords which might have been exposed on this machine, using a different one. He'd heard about someone whose stock portfolio had been compromised: the crook had changed address and bank details and it was only when they tried to sell everything that the broker's system spotted something might be wrong. I had to visit, and

  • Remove the hard disk and connect it to another machine.
  • Copy all the data off, for safety.
  • Scan for malware (nothing found).
  • Roll Windows back to a checkpoint before all this occurred.
  • Re-apply updates from Windows Update released since that checkpoint.
  • Replace the anti-virus he was using with Microsoft Security Essentials and let it scan the machine (nothing found).
  • Re-run the Malicious Software Removal Tool (MRT.EXE); again nothing was found.
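The same steps as a PowerShell runbook, as an added example and not a transcript of what was actually run. It assumes the suspect disk is attached to a clean machine as E:, the backup target is F:\DadBackup, the profile folder is E:\Users\Dad, and (for the last two steps, run on the rebuilt machine) Security Essentials' MpCmdRun.exe is at the path shown; all of these are assumptions to adjust. It adds one check the list above does not mention: reading the offline registry's Run keys, which is where a remote-access tool or key-logger dropped during those 50 minutes would most likely have been set to start.

```powershell
# Added example: the recovery steps above as a two-phase script (not the original's code).
# Save as Recover-ScammedPc.ps1. Run "-Phase Triage" on a clean machine with the suspect
# disk attached, then "-Phase Rebuild" on the victim machine once its disk is back in it.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Triage','Rebuild')][string]$Phase,
    [string]$SuspectDrive = 'E:',            # assumption: suspect disk's drive letter
    [string]$BackupRoot   = 'F:\DadBackup',  # assumption: where the copy goes
    [string]$ProfileName  = 'Dad'            # assumption: the user's profile folder
)

if ($Phase -eq 'Triage') {
    # Steps 1-2: copy the data off before touching anything else. /E copies the whole tree,
    # /XJ skips the junction points in Windows 7 profiles (which otherwise loop),
    # /R:1 /W:1 stops a flaky disk stalling the copy for hours, /LOG keeps a record.
    robocopy "$SuspectDrive\Users" "$BackupRoot\Users" /E /XJ /R:1 /W:1 /LOG:"$BackupRoot\copy.log"

    # Extra triage: load the offline hives under temporary keys and list the auto-start
    # entries. Anything dropped during the remote session that is meant to survive a reboot
    # usually shows up here, and reading the offline hive means nothing on the suspect
    # machine can hide it from us.
    reg load HKLM\SuspectSoftware "$SuspectDrive\Windows\System32\config\SOFTWARE" | Out-Null
    reg load HKU\SuspectUser      "$SuspectDrive\Users\$ProfileName\NTUSER.DAT"   | Out-Null
    $runKeys = @(
        'HKLM:\SuspectSoftware\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SuspectSoftware\Microsoft\Windows\CurrentVersion\RunOnce',
        'Registry::HKEY_USERS\SuspectUser\Software\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_USERS\SuspectUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        "`n== $key"
        $k = Get-Item $key
        # Each value name is one auto-start entry; its data is the command line that runs.
        foreach ($name in $k.GetValueNames()) { '{0,-30} {1}' -f $name, $k.GetValue($name) }
    }
    [gc]::Collect()   # release the provider's handles so the hives can be unloaded
    reg unload HKU\SuspectUser      | Out-Null
    reg unload HKLM\SuspectSoftware | Out-Null
}
else {
    # Step 4: list restore points with creation dates so one predating the call can be chosen.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description,
            @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
    # Then: Restore-Computer -RestorePoint <SequenceNumber>   (reboots the machine)

    # Step 5: make Windows Update re-detect what has been released since that checkpoint.
    wuauclt.exe /detectnow

    # Step 6: full scan with Security Essentials from the command line
    # (assumption: this install path; it differs between releases).
    & "$env:ProgramFiles\Microsoft Security Client\Antimalware\MpCmdRun.exe" -Scan -ScanType 2

    # Step 7: Malicious Software Removal Tool, extended scan, quiet, cleaning anything found.
    & "$env:SystemRoot\System32\MRT.exe" /F:Y /Q
}
```

The restore itself is left as a comment rather than run blindly: the listing is there so that a human picks a sequence number dated before the phone call, and only then runs Restore-Computer.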

My father is a smart man, smarter than me if I'm honest, and although he has been retired for nearly 20 years I don't think he has lost his wits. I spent the afternoon of that phone call moving between rage and incomprehension: how could he be so stupid? (Many readers will know the famous "Word Perfect support call" story; put that into Bing or Google if you don't. It ends with "unplug your system and pack it up just like it was when you got it. Then take it back to the store you bought it from." "What do I tell them?" "Tell them you're too stupid to own a computer.") The problem is, of course, that confidence tricksters are plausible, and anyone can fall for social engineering if it is well enough done.

It turns out that this is a scam being run by a couple of firms in India: they don't get malware onto the machine and then call to fix it; they randomly call people and tell them they have a problem. It was a company using the name of OnlinePcCare.com who scammed my Dad. One interesting thing was that they put the credit card transaction through a third party, G2S.com, and it may be that which triggered a fraud alert; the credit card company wouldn't say. A search on Bing for "onlinePcCare +scam" finds plenty of other victims or near misses. This one from Ireland was immediately familiar: "can you start Event Viewer... are there any errors in the application log?" Every working Windows machine has errors and warnings in its event logs; if the event log were empty, logging itself would be broken, so "errors in the log" is evidence of nothing. Some people recorded the scammers and have posted the calls to YouTube; these come near the top in a search and Digital Toast has a selection, together with a list of other names used by these people.

Charles Arthur at The Guardian has been covering this story for a little while; see Police crack down on computer support phone scam, and Virus phone scam being run from call centres in India. His blog post Those 'PC virus' phone call scams: the unanswered questions is worth reading too; it confirms my finding that no malware seems to get installed, and shares my opinion that this fits the definition of obtaining money by deception. (Dad's call to the police got a response of "here's a crime number; we've got a big file on this and we'll add you to it".)

If you act as family tech support, do yourselves a favour. As well as pointing out that none of those nice men in Nigeria will really have a fortune which they will share, and that it is statistically nearly impossible to have a large lottery win and at the same time be unaware of entering the draw, now you need to add "no one really knows if you have a problem with your computer and calls to fix it" (you may be yelling at the computer, but in cyberspace no one can hear you scream).

You might add "If you don't like unsolicited calls, register with the Telephone Preference Service; no reputable company will call you once you've registered, and any company which does call you is, by definition, not reputable".

Postscript. While I was working on this post I got a call from OnlinePcCare. It may be one of those random things or they may be stepping up their activities.

This post originally appeared on my technet blog.

March 15, 2010

IE 8 is safest. Fact.

Filed under: Internet Explorer,Security and Malware,Virtualization — jamesone111 @ 1:11 pm

Every now and then a news story comes up which reminds us that, faced with people with bad intentions, even sensible people can fall into traps on-line. There was one such story last week where friends of the victim said she was "the sensible one": if she wasn't unusually gullible it could happen to anyone. I wrote about Safer Internet Day recently and it's worth making another call to readers who are tech savvy to explain to others who are less so just how careful we need to be about trusting people on-line. I got a well constructed phishing mail last week claiming to have come from Amazon which I would have fallen for if it had been sent to my home rather than my work account; it's as well to be reminded sometimes that we're not as smart as we like to think.

I've also been reading about a libel case. I avoid making legal commentary and won't risk repeating a libel: the contested statement said that something had been advocated for which there was no evidence. I read a commentary which said something to the effect that in scientific disciplines, if your advocacy is not in dispute and someone says you have no evidence for it, you produce the evidence. Without evidence you have a belief, not a scientific fact. This idea came up later in the week when I was talking to someone about VMware: you might have noticed there is a lack of virtualization benchmarks out in the world, and the reason is in VMware's licence agreement (under 3.3):

You may use the Software to conduct internal performance testing and benchmarking studies, the results of which you (and not unauthorized third parties) may publish or publicly disseminate; provided that VMware has reviewed and approved of the methodology, assumptions and other parameters of the study

Testing, when done scientifically, involves publishing methodology, assumptions and other parameters along with the test outcomes and the conclusions drawn. That way others can review the work to see if it is rigorous and reproducible. If someone else's conclusions go against what you believe to be the case, you look to see if they are justified by the outcomes; then you move to the assumptions and parameters of the test and its methodology. You might even repeat the test to see if the outcomes are reproducible. If a test shows your product in a bad light then you might bring something else to the debate: "Sure, the competing product is slightly better at that measure, but ours is better at this measure". What is one to think of a company which uses legal terms to stop people conducting their own tests and putting the results in the public domain for others to review?

After that conversation I saw a link to an article, IE 8 Leads in Malware Protection. NSS Labs have come out with their third test of web browser protection against socially engineered malware*. The first one appeared in March of last year, and it looks set to be a regular twice-yearly thing. The first one pointed out that there was a big improvement between IE7 and IE8 (IE6 has no protection at all: if you are still working for one of the organizations that has it, I'd question what you're doing there).
IE8 does much better than its rivals: the top 4 have all improved since the last run of the tests. IE was up from 81 to 85%, Firefox from 27 to 29%, Safari from 21% to 29% and Chrome from 7% to 17%.

Being pessimistically inclined I look at the numbers the other way round: in the previous test we were letting 19 out of every 100 through, now it's 15, down by 21%; in the first test we were letting 31 of every 100 through, so 52% of what got through a year ago gets blocked today. Letting that many through means we can't sit back and say the battle is won, but IE8 is the only browser which is winning against the criminals. Google, for example, have improved Chrome since last time, so it only lets through 83 out of every 100 malware URLs: that's blocking 11% of the 93 it let through before from each 100. With every other browser the crooks are winning, which is nothing to gloat over; I hope to see a day when we're all scoring well into the 90s.

I haven't mentioned Opera, which has been consistently last, and by some margin, slipping from 5% in the first test to 1% in the second to less than 1% in the most recent. In a spirit of full scientific disclosure I'll say I think the famous description of Real Networks fits Opera. Unable to succeed against Safari or Chrome, and blown into the weeds by Firefox, Opera said its emaciated market share was because IE was supplied by default with Windows. Instead of producing a browser people might want, Opera followed the path trodden by Real Networks: complaining to the European Commissioner for the protection of lame ducks competition. The result was the browser election screen.

I'm not a fan of the browser election screen, not least because it is easily mistaken for malware. To see the fault, let me ask you, as a reader of an IT blog, which of the following you would choose:

  1. The powerful and easy-to-use Web browser. Try the only browser with Browser-A Turbo technology, and speed up your Internet connection.
  2. Browser-B . A fast new browser. Made for everyone
  3. Browser-C is the world’s most widely used browser, designed by Company-C with you in mind.
  4. Browser-D from Company-D, the world’s most innovative browser.
  5. Your online security is Browser E’s top priority. Browser-E is free, and made to help you get the most out of the web.

You might say (for example) "I want Firefox", but which is Firefox in that list? You are probably more IT savvy than the people the election screen is aimed at, and if you can't choose from that information, how are they supposed to? You see, if you have done your testing and know a particular browser will meet your needs best, you'd go to it by name; you don't need the screen. People who don't know the pros and cons of the options before seeing the screen might just as well pick at random, which favours whoever has least market share, which would be Opera.

The IE 8 Leads in Malware Protection article linked to a post of Opera's complaining that the results of the first test were fixed: "Microsoft sponsored the report, so it must be fixed!" If we'd got NSS Labs to fix the results a year ago would we have stipulated that Opera should be so far behind everyone else? Did we have a strategy to show Opera going from "dire failure" to "not even trying"? Or that IE8 should start at a satisfactory score and improve over several surveys with the others static? But to return to my original point: the only evidence which I'm aware of shows every other browser lets at least 4 times as much malware through as IE. The only response to anyone who disputes it is: let's see your evidence to counter what NSS Labs found. Google have spent a fortune advertising Chrome: if Chrome really did let fewer than 5 out of 6 malware sites through they'd get someone else to do a [reviewable] study which showed that.

And since we're back at the question of evidence: if you are asked for advice on the election screen and you want to advocate the one which will help people to stay safe from phishing attacks, I don't think you have any evidence to recommend anything other than IE. But remember it's not a problem which can be solved by technology alone. Always question the motives of something which wants to change the configuration of your computer.


This post originally appeared on my technet blog.

February 19, 2010

The Zombie cookie apocalypse (or how flash bypasses privacy)

Filed under: Internet Explorer,Security and Malware — jamesone111 @ 10:48 am

Earlier this week I went to "Oxford Geek Night" and the title of one of the sessions was "The Zombie Cookie Apocalypse", delivered by David Sheldon (I wish his slides were on-line so you could read more and I could give him a proper credit). It wasn't the only informative session (there were a bunch of those) but it was one which sent me away thinking "I should have known that".

Here's the gist. We all know about cookies, the little bits of information which web sites send to your browser to make applications work, or to follow you round the web. Even IE6 knew that cookies could be bad and could reject the tracking ones. Adobe Flash keeps its own cookies, which bypass the normal rules.
Although it doesn't seem to be widely known (I was in a roomful of people where internet expertise was the top skill, and no one seemed to have heard of this before) it is reasonably well documented, often under Adobe's name of "Local Shared Objects". You can read more in Wikipedia's dispassionate style, or you can have it in "they'll suck out your brains" style if you prefer (of course you do!).

This has 3 main impacts.

  1. If you run different browsers, say IE and Firefox (the demo I saw used Firefox and Chrome on Linux), each browser maintains (and can clear) its own cookie store, so you can have different personas by using different browsers; but Flash is Flash wherever it runs, so it uses a single store shared by every browser on the machine.
  2. Browsers don't know about information held by add-ins (Flash or anything else) so they can't clear it. You might think you've killed off the cookies but the Flash ones will keep coming back (hence the Zombie reference).
  3. IE8 has InPrivate Browsing, and so do Firefox and Chrome (Chrome calls it Incognito). Adobe recently announced support for private modes (you can read the IE team's take on this) but if you are running a version before 10.1 (as I type this the current download is 10.0.45.2, so you are running something before 10.1) it uses the same store for private browsing that it uses for ordinary browsing, and doesn't clear the cookies afterwards.

I thought "the handful of sites where I use InPrivate Browsing aren't Flash sites", but the Flash handling the cookie is not always visible. When I did a quick search I found something from the Electronic Privacy Information Center which quotes one tracking platform vendor as saying "All advertisers, websites and networks use cookies for targeted advertising, but cookies are under attack. According to current research they are being erased by 40% of users creating serious problems." Indeed: as EPIC puts it a little later, "By deleting cookies, consumers are clearly rejecting attempts to track them. Using an obscure technology to subvert these wishes is a practice that should be stopped".

So: how do you see, clear and block/allow Flash cookies? That announcement from Adobe suggests that in 10.1 you will be able to do this by right-clicking on Flash content in the browser and going to Settings. Until you get 10.1, you have to visit a page on Adobe's site (the Flash Player Settings Manager), which isn't especially easy to find.


Clearing the information from my computer, I made a note of some of the sites which were leaving information on my PC and which I was certain I hadn't visited, and wrote a little PowerShell script to get the title from their home pages (which worked for most sites; some take a little fiddling). Here are the names and descriptions.

atdmt.com Atlas Solutions – Online Advertising: Advertiser and Publisher Ad Serving Solutions
Clearspring.com Your Content. Everywhere -connecting online publishers and advertisers to audiences on the social web.
feedjit.com Live Traffic Feed & Other Awesome Widgets
flashTalking.com Video and Rich Media Adserving
gigya.com Social Optimization for Online Business
ooyala.com Video Platform, Analytics and Advertising
quantServe.com It’s your audience. We just find it.™
tubemogul.com In-Depth Tracking, Analytics for Online Video | Web Video Syndication
videoegg.com VideoEgg "innovative ad products"
visiblemeasures.com Measure Online Video Advertising
http://www.vizu.com Digital Brand Advertising Measurement. Market Research.

You can see what business they are all in. I’ve added them to my list of sites blocked by InPrivate Filtering. Which reminds me, I must post part 2 of that.
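As an added example (not the author's script, which is not reproduced in the post), here is a PowerShell script that does the "see and clear" asked for above, and the home-page title lookup the author describes, from the files on disk rather than via Adobe's settings page. The on-disk location under %APPDATA%\Macromedia\Flash Player is where Flash Player keeps Local Shared Objects on Windows; because it is per Windows user rather than per browser, one listing covers IE, Firefox and Chrome together. Only the title lookup needs network access; the listing and removal work offline, and the example.com used in the usage line is a placeholder.

```powershell
# Added example (not the author's script). Flash Player keeps its Local Shared Objects
# ("Flash cookies") per Windows user, shared by every browser, in these two trees:
$LsoRoot = Join-Path $env:APPDATA 'Macromedia\Flash Player\#SharedObjects'
$SysRoot = Join-Path $env:APPDATA 'Macromedia\Flash Player\macromedia.com\support\flashplayer\sys'

function Get-FlashCookie {
    # One object per .sol file: the domain that wrote it, its size and when it last changed.
    if (-not (Test-Path $LsoRoot)) { return }
    Get-ChildItem -Path $LsoRoot -Recurse -Filter *.sol | ForEach-Object {
        # Layout is #SharedObjects\<random id>\<domain>\<path under the site>\<name>.sol
        $parts = $_.FullName.Substring($LsoRoot.Length).TrimStart('\') -split '\\'
        New-Object PSObject -Property @{
            Domain   = $parts[1]
            Name     = $_.Name
            Bytes    = $_.Length
            Modified = $_.LastWriteTime
            Path     = $_.FullName
        }
    }
}

function Get-FlashSiteSetting {
    # Domains with per-site Flash settings (the allow/deny list that is otherwise only
    # reachable through the Settings Manager page). Folder names carry a leading '#'.
    Get-ChildItem -Path $SysRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { $_.Name.TrimStart('#') }
}

function Remove-FlashCookie {
    # Delete every LSO a domain has left, across all the random-id folders.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Domain)
    $idDirs = Get-ChildItem -Path $LsoRoot -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($idDir in $idDirs) {
        $dir = Join-Path $idDir.FullName $Domain
        if ((Test-Path $dir) -and $PSCmdlet.ShouldProcess($dir, 'Remove Flash cookies')) {
            Remove-Item -Path $dir -Recurse -Force
        }
    }
}

function Get-SiteTitle {
    # Fetch a domain's home page and pull out its <title>; this needs network access.
    param([Parameter(Mandatory=$true)][string]$Domain)
    try {
        $html = (New-Object System.Net.WebClient).DownloadString("http://$Domain/")
        if ($html -match '(?is)<title[^>]*>(.*?)</title>') {
            return ($Matches[1] -replace '\s+', ' ').Trim()
        }
    }
    catch { return "(no title: $($_.Exception.Message))" }
}

# Which domains hold LSOs, most recently touched first: the ones you do not recognise
# are the trackers the post is about.
Get-FlashCookie | Sort-Object Modified -Descending | Format-Table Domain, Name, Bytes, Modified -AutoSize

# The author's trick: what does each unfamiliar domain say it does? (network access needed)
Get-FlashCookie | Select-Object -ExpandProperty Domain -Unique |
    ForEach-Object { '{0,-28} {1}' -f $_, (Get-SiteTitle -Domain $_) }

# Dry run of a removal; drop -WhatIf to actually delete. example.com is a placeholder.
Remove-FlashCookie -Domain 'example.com' -WhatIf
```

Because the store is per user rather than per browser, clearing it here clears it for every browser at once, which is exactly the property the "different personas in different browsers" approach in point 1 above relies on not having.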

This post originally appeared on my technet blog.

February 11, 2010

Windows 7 activation update.

Filed under: Security and Malware,Windows 7 — jamesone111 @ 6:11 pm

Over on the Windows blog there is a post talking about the update we are about to send out which is designed to catch some of the tricks being used by large-scale pirates against Windows 7. There was a time when an update to this technology would have me reaching for my tin hat and flame-proof underwear, but I came across a post on the subject from Ed Bott who (as I've said before) can be assumed to know what he is talking about.

I was a fierce critic of the initial [Windows Genuine Advantage] efforts, primarily because the user experience was so awful and the tools it used were inaccurate. Back in 2008, I gave Microsoft a C+ for its efforts, a significant improvement over the "big fat F" it earned in 2006 and 2007.
Over the past year, I have been visiting the Windows Genuine forums at least once per quarter to survey performance and have found that activation issues have become a non-issue. In every example I have found, the problem could be traced to malware or a major hardware change, or (surprisingly often) to a customer who had unknowingly purchased counterfeit software. Where false positive reports were once a serious problem, they're now practically nonexistent in my experience.

My experience backs this up. As a percentage the false positives were always small, but if you were affected it didn't matter. And with an installed base as big as Windows, a small percentage is a lot of people. There's a story (which is widely told, but may be an urban legend) of a major retailer whose repair operation always used the same key when reinstalling Windows: customers with licences hit problems later because their licences hadn't been used and the one which had been was designated "pirated". Those customers just had to enter their own product keys, but the experience made many go ballistic. A repair shop wouldn't do that today.

This post originally appeared on my technet blog.

February 9, 2010

Safer Internet day

Filed under: Internet Explorer,Security and Malware,Working at Microsoft — jamesone111 @ 8:06 am

I don't often paste things from senior Microsoft folks into my blog, but I'd like to quote some things from our managing director here in the UK, Gordon Frazer:

February 9th marks Safer Internet Day, a vital drive to promote a safer internet for all users, especially young people.

For the second year in a row, Microsoft subsidiaries across Europe are organizing employee volunteering activities for Safer Internet Day 2010. Through local partnerships with NGOs, schools, customers and partners, around 650 Microsoft employees in 24 subsidiaries will train more than 50,000 people on online safety. Last year Microsoft UK educated 12,000 young people and 2000 parents in online safety

Through an accident of scheduling I'm going to be using one of the volunteering days Microsoft gives me today, but for a different cause. Volunteering days are one of the distinct pluses about working at Microsoft and it's great to see colleagues supporting things like this. I've also maintained for a long time that when a company is Microsoft's size it brings some responsibilities with it, and the protection of children has been an area we have concentrated on since before I joined the company 10 years ago.

We are part of the UK Council for Child Internet Safety (UKCCIS) and Gordon's mail also said: This year as part of the "Click Clever Click Safe" campaign UKCCIS will be launching a new digital safety code for children, "Zip It, Block It, Flag It". Over 100 Microsoft volunteers will be out in schools in the UK teaching young people and parents alike about child online safety and helping build public awareness for simple safety tips.

Our volunteering activities today mark our strong commitment to child online safety. Online safety is not only core to our business, as exemplified by particular features in Internet Explorer 8 (IE8) and our work in developing the Microsoft Child Exploitation Tracking System (CETS) which helps law enforcement officials collaborate and share information with other police services to manage child protection cases, but it is also an issue that our employees, many parents themselves, take very seriously. As a company we put a great deal of faith in our technology, however, we are also aware that the tools we provide have to be used responsibly. 

Indeed. I said in something else I was writing that there is an old phrase describing user issues, "PEBCAK: Problem Exists Between Chair And Keyboard", and technology, however good, is no substitute for user education. We have a page of advice which you might find obvious but could be helpful to share with friends and family that have children active online: http://www.microsoft.com/uk/citizenship/safeandsecure/parentadvice/default.mspx

IE8 provides the best protection out there, and the Child Exploitation and Online Protection Centre (CEOP) have launched their own branded version of it which gives young people easy access to reporting (www.ceop.gov.uk/ie8). Again, this may be worth installing at home if you have children, or passing on to friends and family who are running older versions of IE.


This post originally appeared on my technet blog.

December 2, 2009

Security updates.

Filed under: Security and Malware — jamesone111 @ 11:21 am

There are some rumours circulating about problems with the latest round of security updates. The Security Response Center have posted about it. So has Roger Halbheer, our Chief Security Advisor for Europe. Now you can say "They would say that, I'm going to take my chances with whatever security loopholes were being closed", or you can say "The reports of problems are of dubious provenance; Microsoft probably wouldn't post outright lies", etc. Given how quickly our patches get reverse-engineered into exploits, I'd see a lot more risk in not having them than in something broken coming out of one of the product groups. As the MSRC post says, "it appears they're saying that our security updates are making permission changes in the registry" and "We've conducted a comprehensive review [which] has shown that none of these updates make any changes to the permissions in the registry".

And if you do think an update has broken your system, don't suffer in silence: I'm told Microsoft support will always take the call from someone in that position, even if they don't have a support contract.


This post originally appeared on my technet blog.

November 25, 2009

Interview: Cybercrime , defence against the dark arts.

Filed under: Events,Security and Malware — jamesone111 @ 11:44 pm

When I was at Tech-Ed in Berlin a couple of weeks ago I recorded an interview with Andy Malone, one of our MVPs, as a follow-up to the session he ran on cybercrime. The results have now been posted, and apart from wishing the camera crew had told me just how awful I looked on camera I think it's quite a good interview. My job when I do these interviews is to try to get the "guest" to talk about what they know, and not show how much I know; this is Andy's specialist subject, so it wasn't hard to do. If this piques your interest he does longer sessions for various audiences; just put his name into your favourite search engine.

This post originally appeared on my technet blog.

October 16, 2009

Microsoft Security Essentials

Filed under: Security and Malware,Windows 7,Windows Vista,Windows XP — jamesone111 @ 4:02 pm

Somehow, in all the other activities of the last couple of weeks, I missed the release of Microsoft Security Essentials, which is our FREE* anti-virus / anti-malware product aimed at home users. (We have the more business-oriented Forefront Client Security as well.) My experience with it has been too limited to date to offer much commentary on it; however, since this blog is read mostly by people who work around computers, the reason for writing about it is to say this: we all have a friend or family member who doesn't protect their PC. The availability of software from Microsoft which plugs the gap and is FREE* gives you a chance to help them.

Over on the Malware Protection Center blog Joe has posted an analysis of what it unearthed in its first live week. We’ve had 1.5 million downloads, and found 4 million infections on 0.5 million computers. That’s right: the average infected computer has eight different infections. I’ve seen numbers like that before and find it a bit unnerving, because there is a long tail effect: lots of machines are clean, some have one or two infections, the average for an infected machine is 8 and beyond that there are some out there with dozens upon dozens.

Joe breaks down the reports by country: the US has the most reports at 25%, then Brazil and China at 17% each; the UK only has 2% of the reports. I don’t know if it is because we have fewer installations here or if our PCs are better protected. Unfortunately it is only infection reports which are broken down by country, not downloads or installations. But Joe does break installations down by OS: 44% is Windows 7, 23% Vista and 33% XP. We haven’t even launched 7 properly and it is 44% of the downloads. My guess is that people who are trying out a new OS are keener than the population at large to try new anti-malware from the same source. The final chart Joe has put up shows the ratio of infections per OS – when he says normalized, I’m assuming that means Vista numbers are scaled up and Windows 7 scaled down so they both represent infection rates on an equal number of computers. XP is more than 3 times more likely to have an infection than 7. This isn’t entirely because 7 is better – it will be a newer installation, so XP will have had more chances to get infected. XP infection rates are 60% higher than Vista’s. But 7 is running at about half Vista’s rate. As time passes it will be interesting to see how close 7 and Vista end up and how far behind XP lags. I’ve got a hunch that the numbers will change as they move away from people installing the software because they think their PC might be infected and finding something on the first run.

 

*As it says on the web site, “Your PC must run genuine Windows to install Microsoft Security Essentials” or, put another way, if you stole the OS, you’re going to have to figure out how to steal software to protect it.

This post originally appeared on my technet blog.

August 18, 2009

Sophos error: facts not found

Filed under: Security and Malware,Virtualization,Windows 7 — jamesone111 @ 4:08 pm

Having begun my previous post with an explanation of “I have a professional disregard for …” it bubbles up again… Quite near where I live is the headquarters of Sophos; as a local company I should be well disposed to them, but I’ve had occasion before now to roll my eyes at what their spokespeople have said – the pronouncements being of the “let’s make the news, and never mind the facts” variety. One security blogger I talked to after some of these could be labelled “lacking professional regard for them”. Well, Graham Cluley of Sophos has a prize example of this as a guest post on his blog, written by Sophos’s Chief Technology Officer Richard Jacobs.

“Windows 7’s planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colours of the OS giant”, says Jacobs. “XP mode reminds us all that security will never be Microsoft’s first priority. They’ll do enough security to ensure that security concerns aren’t a barrier to sales… …when there’s a trade off to be made, security is going to lose.”

That second half makes me pretty cross: I talked yesterday about the business of meeting customers’ needs and you don’t do that if security is lacking, but it’s not the only priority.

I’ve got a post, Windows 7 XP mode: helpful? Sure. Panacea? No, where I point out that the virtual machine in XP mode is not managed, and I quote what Scott Woodgate said in the first sentence we published anywhere about XP mode: “Windows XP Mode is specifically designed to help small businesses move to Windows 7.” As Jacobs puts it, “The problem is that Microsoft are not providing management around the XP mode virtual machine (VM).” It’s an odd statement because XP mode is just standard virtualization software and a pre-configured VM. You can treat the VM as something to be patched via Windows Update or WSUS just like a physical PC. You install anti-virus software on it like a physical PC. To manage the VM you use the big brother of XP mode: MEDV, which is part of MDOP. But from the existence of an unmanaged VM, and missing other key facts, Jacobs feels able to extrapolate an entire security philosophy: he could do worse than to look up the Microsoft Security Development Lifecycle to learn how we avoid making security trade-offs the way we once did (and others still do).

Now I’m always loath to tell people how to do their jobs, but in most companies someone who carries the title of “Chief Technology Officer” would have a better grasp of the key facts before reaching for the insulting rhetoric. And having looked after another blog where we used many guest posts, I know it’s important to check the facts of your contributors. Cluley either didn’t check or didn’t know better, and let Jacobs end by outlining his idea of customers’ options.

  1. Stick with Windows XP.
  2. Migrate to Windows 7 and block use of XP mode – if you have no legacy applications.
  3. Migrate to Windows 7 and adopt XP mode.
  4. Migrate to Windows 7 and implement full VDI – there are various options for this, but don’t imagine it’s free.
  5. Demand that Microsoft do better

Let’s review these.

Option 2, get rid of legacy applications, is plainly the best choice. There are now very few apps which don’t run on Windows Vista / 7, but if you’re lumbered with one of those this choice isn’t for you.

Option 1. Bad choice. (A) because if you are even thinking about the issue you know you want to get onto a better OS and (B) because those legacy apps are probably driving you to run everything as administrator. Given a choice of “use legacy apps”, “run XP”, and “be secure”, you can choose any two. I hope Jacobs has the nous not to put this forward as a serious suggestion.

Option 3. Small business with unmanaged desktops? XP mode is for you. Got management? Get MEDV!

Option 4. Full VDI: Bad choice: put the legacy app on a terminal server if you can – but remember it is badly written; if it doesn’t run on an up-to-date OS, will it run on Terminal Services? VDI in the sense of running instances of full XP desktops in VMs (just in the datacenter, not on the desktop) has all the same problems of managing what is in those VMs: except they aren’t behind NAT, and they probably run more apps, so they are more at risk.

Option 5. Hmmm. He doesn’t make any proposals, but he seems to demand that Microsoft produce something like MEDV. We’ve done that.

And while I’m taking Cluley and Jacobs to task I should give a mention to Adrian Kingsley-Hughes on ZDNet. It was one of my twitter correspondents who pointed me to Adrian and on to Sophos. He quotes Jacobs saying “We all need to tell Microsoft that the current choices of no management, or major investment in VDI are not acceptable”. The response is that if we thought those choices were acceptable we wouldn’t have MEDV. And Adrian should have known that too.

If people like these don’t get it, then some blame has to be laid at our door for not getting the message across, so for clarity I’ll restate what I said in the other post:

  • Desktop virtualization is not a free excuse to avoid updating applications. It is a work around if you can’t update.
  • Desktop virtualization needs work, both in deployment and maintenance – to restate point 1 – if you have the option to update, expect that to be less work.
  • “Windows XP Mode is specifically designed to help small businesses move to Windows 7.”  As I pointed out in an earlier post still.  MED-V is designed for larger organizations with a proper management infrastructure, and a need to deploy a centrally-managed virtual Windows XP environment  on either Windows Vista or Windows 7 desktops. Make sure you use the appropriate one.

Update: Adrian has updated his post with quotes from the above. He has this choice quote: “XP Mode is a screaming siege to manage. Basically, you’re stuck doing everything on each and every machine that XP Mode is installed on.” Yes Adrian, you’re right. No customer who needs to manage Desktop Virtualization in an enterprise should even think of doing it without Microsoft Enterprise Desktop Virtualization. Adrian calls the above the “MEDV defense” but asks “OK, fine, but what about XP Mode? That’s what we are talking about here”. What about XP mode? It’s the wrong product if you have lots of machines (with 5 you can get Software Assurance and MDOP). We’re talking about customers who install the wrong product for their needs. My job as an evangelist is to try to get them to use the one that meets their needs. But I think it would help customers if, instead of saying “XP mode is the wrong product” and stopping, commentators (Adrian, Richard Jacobs, Uncle Tom Cobley) also mentioned the right product.

This post originally appeared on my technet blog.

February 18, 2009

How to manage the Windows firewall settings with PowerShell

I mentioned recently that I’m writing a PowerShell configuration tool for the R2 edition of Hyper-V Server and Windows Server Core. One of the key parts of that is managing the firewall settings… Now… I don’t want to plug my book too much (especially as I only wrote the PowerShell part) but I had a mail from the publisher today saying copies ship from the warehouse this week, and this code appears in the book (ISBN 9780470386804, orderable through any good bookseller).

The process is pretty simple. Everything firewall-related in Server 2008 / Vista / Server 2008 R2 / Windows 7 is managed through the HNetCfg.FwPolicy2 COM object. First I define some hash tables to convert codes to meaningful text, and a function to translate network profile codes to names. So on my home network

$fw = New-Object -ComObject HNetCfg.FwPolicy2 ; Convert-FWProfileType $fw.CurrentProfileTypes

returns “Private”


$FWprofileTypes= @{1GB="All";1="Domain"; 2="Private" ; 4="Public"}
$FwAction      =@{1="Allow"; 0="Block"}
# Maps protocol numbers to names and names back to numbers, so either can be used as a lookup key
$FwProtocols   =@{1="ICMPv4";2="IGMP";6="TCP";17="UDP";41="IPv6";43="IPv6Route"; 44="IPv6Frag";
                  47="GRE"; 58="ICMPv6";59="IPv6NoNxt";60="IPv6Opts";112="VRRP"; 113="PGM";115="L2TP";
                  "ICMPv4"=1;"IGMP"=2;"TCP"=6;"UDP"=17;"IPv6"=41;"IPv6Route"=43;"IPv6Frag"=44;"GRE"=47;
                  "ICMPv6"=58;"IPv6NoNxt"=59;"IPv6Opts"=60;"VRRP"=112; "PGM"=113;"L2TP"=115}
$FWDirection   =@{1="Inbound"; 2="Outbound"; "Inbound"=1;"Outbound"=2}

 

Function Convert-FWProfileType
{Param ($ProfileCode)
# A profile code is a bit mask; collect the name of every profile whose bit is set
$FWprofileTypes.Keys | ForEach-Object -Begin {[String[]]$descriptions= @()} `
                                -Process {if ($ProfileCode -bAND $_) {$descriptions += $FWprofileTypes[$_]} } `
                                -End {$descriptions}
}


The next step is to get the general configuration of the firewall; I think my Windows 7 machine is still on the defaults, and the result looks like this

Active Profiles(s) :Private 

Network Type Firewall Enabled Block All Inbound Default In Default Out
------------ ---------------- ----------------- ---------- -----------
Domain                   True             False Block      Allow     
Private                  True             False Block      Allow     
Public                   True             False Block      Allow     

The Code looks like this 


Function Get-FirewallConfig {
$fw=New-Object -ComObject HNetCfg.FwPolicy2
"Active Profiles(s) :" + (Convert-FWProfileType $fw.CurrentProfileTypes)
# 1, 2 and 4 are the Domain, Private and Public profile codes
@(1,2,4) | Select-Object @{Name="Network Type"     ;expression={$FWprofileTypes[$_]}},
                         @{Name="Firewall Enabled" ;expression={$fw.FirewallEnabled($_)}},
                         @{Name="Block All Inbound";expression={$fw.BlockAllInboundTraffic($_)}},
                         @{Name="Default In"       ;expression={$FwAction[$fw.DefaultInboundAction($_)]}},
                         @{Name="Default Out"      ;expression={$FwAction[$fw.DefaultOutboundAction($_)]}}|
            Format-Table -AutoSize
}

Finally comes the code to get the firewall rules. One slight pain here is that the text is often returned as a pointer to a resource in a DLL, so it takes a little trial and error to find grouping information.
The other thing to note is that a change to a rule takes effect immediately, so you can enable a group of rules as easily as:

Get-FireWallRule -grouping "@FirewallAPI.dll,-29752" | foreach-object {$_.enabled = $true}

 

Function Get-FireWallRule
{Param ($Name, $Direction, $Enabled, $Protocol, $Profile, $Action, $Grouping)
$Rules=(New-Object -ComObject HNetCfg.FwPolicy2).Rules
If ($Name)      {$Rules= $Rules | Where-Object {$_.Name      -like $Name}}
If ($Direction) {$Rules= $Rules | Where-Object {$_.Direction -eq   $Direction}}
# Test whether -Enabled was supplied rather than whether it is true, so -Enabled $false lists disabled rules
If ($PSBoundParameters.ContainsKey('Enabled')) {$Rules= $Rules | Where-Object {$_.Enabled -eq $Enabled}}
If ($Protocol)  {$Rules= $Rules | Where-Object {$_.Protocol  -eq   $Protocol}}
If ($Profile)   {$Rules= $Rules | Where-Object {$_.Profiles  -bAND $Profile}}
If ($Action)    {$Rules= $Rules | Where-Object {$_.Action    -eq   $Action}}
If ($Grouping)  {$Rules= $Rules | Where-Object {$_.Grouping  -like $Grouping}}
$Rules}

Since the rules aren’t the easiest thing to read I usually pipe the output into Format-Table, for example

Get-FireWallRule -Enabled $true | Sort-Object Direction,ApplicationName,Name |
            Format-Table -Wrap -AutoSize -Property Name, @{Label="Action"; expression={$FwAction[$_.Action]}},
                         @{Label="Direction";expression={$FWDirection[$_.Direction]}},
                         @{Label="Protocol"; expression={$FwProtocols[$_.Protocol]}}, LocalPorts, ApplicationName

 

Last, but not least, if you want to create a rule from scratch you create a rule object with New-Object -ComObject HNetCfg.FwRule, and you can then pass it to the Add method of the policy object’s Rules collection. If I ever find time to finish the script it will probably have New-FirewallRule, but for now you need to write your own.
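The rule-creation step the paragraph above leaves to the reader, written out as an added example; this is not the post’s own code nor part of the script it describes. The function names New-FirewallRule and Remove-FirewallRule and the parameter names are my own choices, and the 10.0.0.0/24 management subnet in the usage line is a constructed value. The properties set on the HNetCfg.FwRule object (Name, Description, ApplicationName, Protocol, LocalPorts, RemoteAddresses, Direction, Action, Profiles, Grouping, Enabled) and the Rules collection’s Add and Remove methods are the documented INetFwRule / INetFwRules members.

```powershell
# Added example (not the post's code): create a firewall rule from scratch with the
# HNetCfg.FwRule COM object and add it to the policy object's Rules collection.
# Function and parameter names are hypothetical choices made for this example.
$RuleDirectionCode = @{"Inbound"=1; "Outbound"=2}   # NET_FW_RULE_DIRECTION values
$RuleActionCode    = @{"Block"=0;   "Allow"=1}      # NET_FW_ACTION values

Function New-FirewallRule {
    Param (
        [Parameter(Mandatory=$true)][string]$Name,
        [string]$Description     = "",
        [string]$ApplicationName,                 # full path of a program, for a per-program rule
        [int]   $Protocol        = 6,             # 6 = TCP, 17 = UDP (same numbers as $FwProtocols)
        [string]$LocalPorts,                      # e.g. "3389" or "135,445"; only valid for TCP/UDP
        [string]$RemoteAddresses = "*",           # "*" = any; narrow to a management subnet where you can
        [ValidateSet("Inbound","Outbound")][string]$Direction = "Inbound",
        [ValidateSet("Allow","Block")]     [string]$Action    = "Allow",
        [int]   $Profiles        = 0x7FFFFFFF,    # NET_FW_PROFILE2_ALL; or OR together 1 Domain, 2 Private, 4 Public
        [string]$Grouping        = "Custom rules",
        [switch]$Disabled
    )
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    # Refuse a second rule with the same name: duplicates make audits and Remove() ambiguous
    if ($fw.Rules | Where-Object {$_.Name -eq $Name}) {
        throw "A rule named '$Name' already exists"
    }
    $rule = New-Object -ComObject HNetCfg.FwRule
    $rule.Name        = $Name
    $rule.Description = $Description
    if ($ApplicationName) { $rule.ApplicationName = $ApplicationName }
    # Protocol must be set before LocalPorts: assigning ports to a non-TCP/UDP rule throws
    $rule.Protocol    = $Protocol
    if ($LocalPorts -and ($Protocol -eq 6 -or $Protocol -eq 17)) { $rule.LocalPorts = $LocalPorts }
    $rule.RemoteAddresses = $RemoteAddresses
    $rule.Direction   = $RuleDirectionCode[$Direction]
    $rule.Action      = $RuleActionCode[$Action]
    $rule.Profiles    = $Profiles
    $rule.Grouping    = $Grouping
    $rule.Enabled     = -not $Disabled
    # Adding the rule to the collection makes it live immediately, like any other rule change
    $fw.Rules.Add($rule)
    $rule
}

Function Remove-FirewallRule {
    Param ([Parameter(Mandatory=$true)][string]$Name)
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    # INetFwRules.Remove takes the rule name and removes every rule with that name
    $fw.Rules.Remove($Name)
}

# Usage (needs an elevated PowerShell session): allow RDP in, but only from the constructed
# management subnet 10.0.0.0/24 and only on the Domain (1) and Private (2) profiles.
New-FirewallRule -Name "Allow RDP from management subnet" -Protocol 6 -LocalPorts "3389" `
                 -RemoteAddresses "10.0.0.0/24" -Direction Inbound -Action Allow -Profiles 3
```

Two design points worth noting: the duplicate-name check exists because the firewall itself happily stores several rules with the same name, which makes later audits and removals ambiguous; and RemoteAddresses defaults to any but the usage line narrows it, since an allow rule scoped to the management subnet exposes far less than one open to every network the profile covers.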

This post originally appeared on my technet blog.

February 6, 2009

Can I get published if I say that rain is wet or snow is cold ?

Filed under: Security and Malware — jamesone111 @ 2:49 pm

I saw an article on ITPro “removing-admin-mitigates-most-windows-flaws” earlier today.

“The vast majority of all critical Microsoft vulnerabilities, some 92 per cent, could have been mitigated by removing the administrator rights of Windows users, a new report has revealed.”

Strike out the numbers and the product specifics: “Most vulnerabilities can be mitigated by removing administrator rights”. Stone the crows, we never knew that if you run everything as admin you were exposed to more risks… OK, sarcasm aside, anyone who works with IT knew this, but did we realise the figure was as high as 92%? And having written about UAC this morning, I feel the need to point out that being a local administrator and running a problematic program elevated if you need to (the Vista way) mitigates risk 11 times out of 12, and running everything elevated because of one program (the XP way) doesn’t.

This post originally appeared on my technet blog.


Windows 7 and UAC

Filed under: Beta Products,Security and Malware,Windows 7,Windows Vista — jamesone111 @ 1:42 pm

From the start I thought User Account Control was a big step forward for Vista, and I tended to brush off any complaints about UAC, for 3 reasons:

  1. Most of the appearances of UAC are during the initial setup of the machine. If this is onerous, then you can re-enable the built-in Administrator account, because by default this doesn’t see the prompts.
  2. Normal users doing normal things just don’t see the prompt.
  3. If you’re a Power User and you’re seeing the message multiple times a day you can switch the message off. (If you’re seeing it too often, and routinely OKing it, then it loses its value.) Though this is like taking the battery out of your smoke alarm because you keep burning the toast.

Nonetheless one of the persistent gripes about Vista was UAC. So in Windows 7 we changed things.


It’s not just on or off: we now have “Notify me when programs install software or make changes to my computer or I make changes to Windows settings”, “Notify me when programs install software or make changes to my computer”, “Notify me when programs install software or make changes to my computer but don’t dim my desktop” and “Lay out the welcome mat for all kinds of malware”.

The middle ones are interesting because parts of the OS are signed as being trustworthy. The Management Console is, regedit is not. Net result: no practical reduction in security, but a reduction in the number of prompts… at least that was the theory. I mentioned that Long Zheng picked up that setting UAC levels was a trusted operation. If you can get the user to run something which (say) sent keystrokes to it, you could turn UAC off and then let rip with any kind of nasty you fancy. We have now explained how this is going to change, and a good thing too. It appears it was planned to change before the beta, and the change moved back to Release Candidate. What has surprised me in all of this is that I have not read a single comment which says “Oh for pity’s sake Microsoft just get rid of UAC, it’s too much of a pain”. Every comment has been that UAC should be there, should be enabled, and should be robust.

It amused me to see a comment to the write up on computer world

“About the only time I see the prompt [for elevation] is:
Installing software
Changing a system setting
Starting Wireshark (promiscuous mode requires [it])”

The amusing part was the writer could be describing Vista, but he was actually talking about the prompt for root access on Linux, and he asks “Why do MS insist on making UAC so difficult to use ?”


This post originally appeared on my technet blog.

December 18, 2008

IE Security Patch

Filed under: Events,Security and Malware — jamesone111 @ 11:48 am

You may have seen in the news over the last few days that a vulnerability has come to light in IE, which allows a carefully crafted web page to run arbitrary code on a PC. I don’t assess the technical side of vulnerabilities; some of the things written about how serious this one is verge on the hysterical, and some downplay it too far. There are two web casts scheduled to talk about this one, Wednesday, December 17, 2008 1:00 P.M. Pacific Time / 9PM GMT and Thursday, December 18, 2008 11:00 A.M. Pacific Time / 7PM GMT, if you want to get chapter and verse.
In any event the fix is now on Windows Update. It’s serious enough to put a fix out without sticking to our normal schedule. Our biggest worry with every fix we post is that they get reverse engineered, so get this one installed on any machine where you use IE to access the internet. On servers, where you don’t use a browser, or only use it for very limited browsing of trustworthy sites, there is less urgency.

I did read something from a recent customer survey, where a customer wrote that products should be 100% bug free. Realistically, bug-free code is like an error-free newspaper … a great aim, but something which doesn’t really happen. Some minor typos, spelling, punctuation or grammatical errors can be left without anyone being concerned. Others change the meaning of what is said. Some errors of fact need a correction to be issued (patches) and some can land you in the libel courts. Something like the Nimda virus was the equivalent of a huge libel payout; this one seems to be more than a correction buried somewhere internally and less than a £1M libel payout.

This post originally appeared on my technet blog.

November 25, 2008

Safe on-line part 2 (in praise of John Lewis)

Filed under: General musings,Security and Malware — jamesone111 @ 7:27 am

I’ve talked about brand values, and somewhere along the line I’m sure I said that I choose to shop at Waitrose instead of Tesco or Sainsbury’s. Since Waitrose is part of the John Lewis Partnership I have had one of their credit cards for a while (my local Waitrose was one of the first where you could scan your own shopping as you collected it, but you needed to have one of their cards to log on to the scanning system).

We have a project in the office which needs some large hard disks, and I got approval to go out and buy them and expense them back. For at least the last 10 years I’ve been using Scan for this sort of thing, and they had the right disks at the right price; so yesterday, after I had finished my part of the unplugged, I went on-line and ordered them. I was impressed with what happened next… before Scan’s website had displayed the order confirmation page my phone started to ring. I grabbed it and ran out of the session which was going on. It was the fraud prevention people at John Lewis checking that the transaction was legitimate. HSBC – who run the card for them – must have a team who just get fed one transaction after another which needs checking: that sounds like a pretty miserable job to me, but the person who called me was friendly and looked after my interests with the minimum of fuss and bother. I talked about HSBC’s first direct subsidiary being “people ready” a little while ago, and this is another example. And as for Scan … well, they mailed me with the progress of my order as they picked and despatched it – and I know it’s waiting at the parcel depot a few miles away for delivery on Monday. That’s pretty people-ready too.

This post originally appeared on my technet blog.

November 18, 2008

Get Safe Online ‘08

Filed under: Events,Security and Malware — jamesone111 @ 3:02 pm

The First time I ever worked with Steve was on GSOL the first year it ran. It’s become an annual event, and I hope that no-one who regularly reads this blog needs to be told too much about on-line safety. It’s pretty simple stuff.

  • Keep your machine patched
  • Use Anti-virus Software
  • Use a firewall
  • Be careful what you click on.

The BBC had a story that Spammers only get one response for every 12 Million mails … and as part of GSOL we have a poster up with the top 5 email scams

  1. Fake lottery wins
  2. Fake requests for payment details
  3. Updating On-line service details
  4. Notice of an inheritance
  5. Foreign aid / Charity payments

The BBC had another story about IDs being sold.

So, do your bit and spread the message to those less IT savvy than yourself. Don’t scare the life out of them, just make them aware of what a scam looks like. You know you didn’t even enter the lottery that mail says you’ve won, and you know if you gave your mail address to a lottery. You know that your bank would address you by name and tell you to go to their main site and follow a set of steps if they really needed you to do something, and so on. That kind of thing, and send them to http://getsafeonline.org

By the way… I think a lot of things said to be done in the name of “protecting children” are actually humbug, but I heard a good story at tech.ed in Barcelona that one security person got his young son to create a fake on-line persona – he was a 70 year old man with a wooden leg, or something like that. “So Dad …” the son asked, “does that mean other people on the internet aren’t who they seem to be?” Far more effective than “Don’t talk to strangers”, which is what I grew up with.

This post originally appeared on my technet blog.

October 10, 2008

Never, ever run executables which arrive unexpectedly by mail.

Filed under: Security and Malware — jamesone111 @ 10:12 am

I had this waiting for me on my home PC this morning.

From: Microsoft [mailto:customerservice@microsoft.com]
Sent: 10 October 2008 02:25
To: {My home account}
Subject: Security Update for OS Microsoft Windows

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions:

Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:

1. Run the file, that you have received along with this message.

2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner

Director of Security Assurance

Microsoft Corp.

-----BEGIN PGP SIGNATURE-----

Version: PGP 7.1

Now there are a number of things which jump out and say THIS IS A FAKE, notably the greeting “Dear Customer” [someone who has your email address but not your name is suspicious for starters], the grammatical errors and clumsy English, and the incorrect names. Also the fact that when you sign up for Windows Update, Microsoft don’t get your e-mail address. I give it a plausibility rating of about 3 out of 10. But this seems a good time to remind people: never, ever run executables which arrive unexpectedly by mail. Outlook has blocked executables since about 2002, so I didn’t get to see what the file was – although it was named to make it look like a valid patch.

The same rules apply to mails which tell you to go to a web site and enter information. My bank, e-bay and paypal have all said much the same thing. “If we need you to do something on-line we will send you a mail which addresses you by name, and says go to the normal web site, log on normally and then follow these steps. Anything which says dear customer, click this link and enter private information is a fake.”

YOU probably know this already. By all means warn people about this specific mail, but far better to remind people you know who might be taken in of these basic rules.

This post originally appeared on my technet blog.

August 28, 2008

A novel password policy

Filed under: General musings,Security and Malware — jamesone111 @ 10:40 am

Setting up some demo servers recently Steve and I tripped over Windows Server 2008’s default password policy: it needed to be relaxed to get to the easy passwords we use in demos. Steve advocates pass-phrases: "IHateChangingmyPasswordEvery30Days" is better than "o^1bKK%19#".

However I read this article this morning about someone having a bit of trouble with their passphrase.* I don’t think that was a case of "computer says no".

This reminds me of two things. One was Steve (again) realising that one of the "secrets" he shared with his bank was known to people it shouldn’t be, and starting a call to them with "Hi, I need to change my ‘mother’s maiden name’". Steve just viewed that as a kind of password which should be changeable – the bank employee (and its computer system) couldn’t cope with the idea that Steve’s mother would change… And it also reminds me of a man called Michael Howard who, after a spat with his bank, changed his name by deed poll to "Yorkshire Bank are Fascist bastards". The bank apparently asked Mr Bastards to take his business elsewhere; he replied, sure, just write me a cheque for my outstanding balance.

This post originally appeared on my technet blog.

June 17, 2008

Security, Security, Security.

Filed under: General musings,Security and Malware — jamesone111 @ 5:38 pm

The story last week that someone had left a secret folder of documents on a train – which were then given to the BBC brought back memories for me. Shortly after my wife and I had moved into our first house, she brought home a brown paper envelope she had found on a train. In it were some legal papers which related to a celebrity (one we didn’t like much). There was nothing deeply personal in them but it was an interesting bit of gossip, so I suggested she ring a couple of newspapers and one of them bought the story and ran it the next day. It paid for our patio. I suspect if the traveller got anything for the papers they found it was more than the price of a few dozen paving slabs.

Just through on my news feed is the story that "A personal computer holding sensitive documents relating to defence and extremism has been stolen from Hazel Blears’ constituency office in Salford." I say the same thing to customers over and over again. Computers get lost, they get stolen. Vista makes it easy with BitLocker. If Vista isn’t in your plans, then do it with something else. If you don’t use full volume protection and you have "secret" data on them, you know what is coming. Interestingly, whilst this story of a stolen laptop made the news, it has a totally different tone because that one was encrypted. It sounds like Hazel Blears’ PC was not.

According to the BBC, "The machine contained a combination of constituency and government information which should not have been held on it." Oh deary, deary me. I’m not going to venture opinions of Hazel Blears… except to say I would laugh – a lot – if the "documents on defence and extremism" led to her facing court for possessing "a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism". Sadly the police only have 28 days to hold her while they find out if a charge can be brought.

If I were Hazel I’d stay out of the boss’s way for a bit. He was saying only at lunch time that we really didn’t need principles like habeas corpus any more and we could trust the government with an ID cards database, Facial recognition CCTV, Automated Number Plate cameras, a DNA database etc etc. … a state of affairs which a colleague who grew up in the old East Germany called "Beyond the dreams of the Stasi".  No party politics here: no government can be trusted with that data, whether the person in charge is named Erich, Gordon, or Dave.

This post originally appeared on my technet blog.

April 16, 2008

Core! that firewall management has some tricks.

Filed under: How to,Security and Malware,Windows Server,Windows Server 2008 — jamesone111 @ 5:23 pm

Quite a lot of the last few days has gone into preparation for the Road-Show and making sure I had all the things right to show Windows Server Core.

Core, as you probably know by now, is server 2008 with support of only a subset of features, and most of the GUI bits removed. The idea is that you manage core remotely, but some things need to be done at the command line. I’ve got all my notes on core on my PC but when I checked out the Core document in the step by step guides, I found it had all the bits I’d pulled together over recent months in one place, and a few more. I recommend it.

Server 2008 starts "shields-up", that is with the firewall blocking just about everything (even to the point of blocking inbound PINGs, which might be going a bit far). To manage Core remotely from the management console, you need to set some firewall rules. In an ideal world my demo Core machine would be in a domain – and group policy would set the firewall rules. But it isn’t: the Step by Step document kindly tells me that to allow all MMC snap-ins to connect, at a command prompt, I need to type

   Netsh advfirewall firewall set rule group="remote administration" new enable=yes

and to enable remote management of the firewall

   Netsh advfirewall set currentprofile settings remotemanagement enable

There’s one more section that jumps out of the document: “To manage a server that is running a Server Core installation and is not a domain member using an MMC snap-in … establish alternate credentials … on your client computer using”

   cmdkey /add:<servername> /user:<username> /pass:<password>

This works like a charm for everything … except for the firewall MMC. The fact that it governs its own management traffic separately should have been a clue here. I haven’t found any way to get it to accept alternate credentials. This normally wouldn’t be an issue, because I use a standard password on all my demo machines. Steve does the same; they’re different passwords (of course), and in this case Steve set up the Hyper-V host computer and I set up the Core machine as a virtual machine guest on it. One had his password and one had mine. Much gnashing of teeth followed.

This post originally appeared on my technet blog.

