IT Trenches

February 2, 2010  6:14 PM

Cookies disabled? – You can still be fingerprinted when browsing

Troy Tate Profile: Troy Tate

The Electronic Frontier Foundation, whose mission is defending civil liberties in the digital world, recently released an online browser privacy test tool called Panopticlick. The premise of the tool is that websites can still track you even if you limit or completely disable cookies. Every browser session transfers some client information that the server can record. Some of the client information that can be tracked includes:

  • User agent information – browser version, OS version, patch level, plugins, etc.
  • Time zone
  • Source IP address
  • Screen size & color depth
  • System fonts

When put together, these elements and others can form a device fingerprint that is unique to you and your system. An interesting writeup on Panopticlick can be found on the Technovelgy (where science meets fiction) website – Panopticlick Browser Ident-Key You Didn’t Know You Had.
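To make the "unique fingerprint" claim concrete, here is an added example (not EFF's Panopticlick code) that does what the Panopticlick server does with the attributes listed above: hash them into a cookie-free identifier and measure, in bits, how much each attribute narrows a visitor down. The eight client profiles and the attribute names (ua, tz, screen, fonts, plugins) are constructed for the example, not real survey data.

```python
"""Added example, not EFF's Panopticlick code: measure how identifying a set of
browser attributes is over a population of clients, the way Panopticlick
reports "bits of identifying information".  Profiles are constructed for the
example; attribute names (ua, tz, screen, fonts, plugins) are our own labels.
"""
import hashlib
import json
import math
from collections import Counter

# Constructed sample population of eight clients (hypothetical values).
POPULATION = [
    {"ua": "UA-A", "tz": -360, "screen": "1280x1024x32", "fonts": "F1", "plugins": "P1"},
    {"ua": "UA-A", "tz": -360, "screen": "1280x1024x32", "fonts": "F1", "plugins": "P1"},
    {"ua": "UA-A", "tz": -360, "screen": "1280x1024x32", "fonts": "F2", "plugins": "P1"},
    {"ua": "UA-B", "tz": -360, "screen": "1024x768x24", "fonts": "F1", "plugins": "P2"},
    {"ua": "UA-B", "tz": 0, "screen": "1024x768x24", "fonts": "F1", "plugins": "P2"},
    {"ua": "UA-C", "tz": 60, "screen": "1920x1080x24", "fonts": "F3", "plugins": ""},
    {"ua": "UA-C", "tz": 60, "screen": "1920x1080x24", "fonts": "F3", "plugins": "P1"},
    {"ua": "UA-D", "tz": -480, "screen": "1366x768x24", "fonts": "F4", "plugins": "P3"},
]


def fingerprint(profile):
    """Canonicalise the attributes and hash them: a stable identifier a server
    can derive from every request without ever setting a cookie."""
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def surprisal_bits(population, key, value):
    """Identifying information in one observed value: -log2(share of clients with it)."""
    matches = sum(1 for p in population if p[key] == value)
    if matches == 0:
        raise ValueError(f"{key}={value!r} never observed in the population")
    return -math.log2(matches / len(population))


def attribute_entropy(population, key):
    """Shannon entropy (bits) of one attribute across the population: how much
    a tracker gains on average from learning it."""
    n = len(population)
    counts = Counter(p[key] for p in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint_surprisal(population, profile):
    """Surprisal of the whole combined fingerprint; a profile nobody else shares
    carries the maximum log2(N) bits."""
    target = fingerprint(profile)
    matches = sum(1 for p in population if fingerprint(p) == target)
    return -math.log2(matches / len(population))


def unique_fingerprints(population):
    """Count of clients whose combined fingerprint is shared with nobody else."""
    counts = Counter(fingerprint(p) for p in population)
    return sum(1 for c in counts.values() if c == 1)


if __name__ == "__main__":
    for key in ("ua", "tz", "screen", "fonts", "plugins"):
        print(f"{key:8s} {attribute_entropy(POPULATION, key):.2f} bits")
    print(f"{unique_fingerprints(POPULATION)} of {len(POPULATION)} fingerprints are unique")
```

The point of the per-attribute numbers is that no single attribute needs to be unique: a time zone shared by half the population is worth only one bit, but a handful of one- to three-bit attributes multiplied together is enough to single out a client in a population of a few hundred thousand, which is what Panopticlick's "unique out of N" result is reporting.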

Panopticlick showed my browser fingerprint was unique out of the 521,269 computers tested so far. What does yours show? Do you think this is a good tool to have available? What about the suggestions EFF gives for browser self-defense? Are these valid options in an enterprise environment?

Thanks for reading & let’s continue to be good network citizens!

February 2, 2010  5:40 PM

Malware writers get a little HLP from you

Troy Tate Profile: Troy Tate

I was roving around today on the McAfee TrustedSource Research Blog website and came across a very interesting entry about malware writers using Help files to mask infection sources. This is not a new technique, but a recent variant known as Muster.e has some interesting characteristics.

Muster.e infects the “imepaden.hlp” help file. This help file belongs to the Microsoft IME (input method editor), which lets a user enter characters or symbols not found on their input device; a user with a Western keyboard could enter Asian characters, for example. The help file still opens and displays normally when infected. The infection creates a system service that extracts the executable portion of the virus from the help file after each reboot. So even if you clean out the registry key and remove the malicious file it creates, the device remains infected, because the compromised “imepaden.hlp” file re-seeds it on the next boot.
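The practical check this suggests is to look inside files that have no business carrying executable code. The following is an added example, not McAfee's analysis code, and it rests on an assumption the post does not confirm: that the payload sits inside the help file as a PE image that the service later carves out. The check therefore covers that generic case (a DOS "MZ" header whose e_lfanew points at a valid "PE\0\0" signature, anywhere past the start of the file), and both the help file and the embedded image are constructed stand-ins.

```python
"""Added example, not McAfee's code: flag a file that should not contain
executable code (such as a Windows .hlp help file) when a PE image is stored
inside it.  Assumption: the page does not say how Muster.e stores its payload
in imepaden.hlp; this check covers the generic case of an embedded PE that a
service or dropper later carves out, and the sample files are constructed.
"""
import struct
import sys

MZ = b"MZ"
PE_SIG = b"PE\0\0"
HLP_MAGIC = b"?_\x03\x00"  # WinHelp 3.x/4.x file signature (0x00035F3F)


def find_embedded_pe(data, min_offset=1):
    """Return the offsets of every plausible PE image inside data.

    A hit needs an 'MZ' DOS stub whose e_lfanew field (at +0x3C) points to a
    'PE\\0\\0' signature still inside the buffer.  Stray 'MZ' bytes, which
    occur naturally in arbitrary data, do not qualify.
    """
    hits = []
    pos = data.find(MZ, min_offset)
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def is_suspicious_hlp(data):
    """True for a WinHelp file (by magic) that also carries an embedded PE image."""
    return data.startswith(HLP_MAGIC) and bool(find_embedded_pe(data))


def fake_pe(marker=b"payload"):
    """Constructed stand-in for a PE image: DOS header, e_lfanew, PE signature.
    It is not a runnable executable."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = MZ
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + PE_SIG + marker


def fake_hlp(embedded=b""):
    """Constructed stand-in for a help file: the WinHelp magic, padding and some
    text, optionally followed by an embedded image."""
    return HLP_MAGIC + b"\x00" * 64 + b"Help text, help text..." * 8 + embedded


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            offsets = find_embedded_pe(fh.read())
        verdict = ", ".join(hex(o) for o in offsets) if offsets else "clean"
        print(f"{path}: {verdict}")
```

Run it over the Windows Help directory after cleaning a machine (`python find_pe.py C:\Windows\Help\*.hlp` from a shell that expands the glob); a hit at a non-zero offset is the file to hash, compare against a known-good copy from install media, and submit for analysis. An offset-0 match is excluded on purpose so the check can be pointed at a whole directory without flagging legitimate executables.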

McAfee does mention that their AV product detects and cleans this infection. However, this research shows another trick that attackers use to maintain a foothold on infected systems. When was the last time you were working on an infected system and asked the user which HLP files they had looked at recently?

Thanks for reading & let’s continue to be good network citizens!

January 29, 2010  1:27 PM

Weekend fun for Geeks, Techies, Nerds – Techland!

Troy Tate Profile: Troy Tate

Time magazine, one of the busiest marketing engines on the planet (if you don’t believe me…. what about all of those Time-Life infomercials for music and video collections?), has a new website that may appeal to ITKE readers.

It is called Techland. If you are into gadgets, gaming, tech culture, tech news and videos about the same, then this website may be a new stopping place for you. I’m gonna go right to learning how David Blaine held his breath for 17 minutes. I wonder if I can keep from turning blue…

Thanks for reading and have a great weekend! Let’s continue to be good network citizens!

January 27, 2010  6:26 PM

Identify malware infection using Internet Explorer history

Troy Tate Profile: Troy Tate

A user on my network recently reported their computer was displaying virus detection warnings. Investigation showed that the virus detection warnings were bogus and looked something like the screen below.

Bogus Anti-Virus warning

A notification like this means the computer displaying it is already infected: the fake warning is the malware’s own user interface, not a detection by your antivirus. The next thing that must happen is identifying the infected files and removing them. This process can take several steps, some of which are outlined below.

  • The client antivirus must be updated to see if it can detect and remove the infection.
  • Scan the client using the Microsoft Malicious Software Removal tool. This is free and available for Windows systems running Windows 2000 or newer.
  • If possible, use Task Manager to see running tasks. Find the names of any strange running processes. Then, see if you can locate the executable name on the hard drive.
  • If you can locate the executable, and the previous virus scans have not detected anything, it is possible that you have a new variant or a new malware sample. To find out, submit the suspicious executable to VirusTotal for analysis by multiple virus scanning engines. This can help you determine what the depth of infection might be on this system.

In the case of this user, we also wanted to identify the particular source of infection and block it using URL filtering. This is where IE History Viewer came into action. I used the Sysinternals Psexec tool to remotely run the IEHV executable and capture the user’s browsing history. The command series I used for this purpose was as follows (this must be run under the security context of a user with administrative rights over the remote computer):

net use * \\machine-name\c$

psexec \\machine-name -w c:\ -c iehv.exe /shtml "userIEdata.html" -user username

Where machine-name can be either the fully qualified domain name of the user’s computer or its IP address. The username must also be specified on the command line in the same format as the name of the user’s Documents and Settings folder. In other words, a user may have more than one profile copy on the computer, so the command shown above needs the user’s active profile name. For example: user JBond may have profiles JBond.UK and JBond.007. If JBond.007 is the normal profile used by this user, then that is the value used for the username variable above. So, an example of this would be:

psexec \\Goldfinger -w c:\ -c iehv.exe /shtml "JBond007-IEdata.html" -user JBond.007

So, if I mapped drive Y: to the Goldfinger computer, there would be an HTML file called JBond007-IEdata.html showing the IE history for the JBond.007 user. Since this file is HTML, it can be opened in a web browser or other HTML editors for review. I typically open the output file in Excel so I can do sorting, searching and string manipulation on the data.

This enabled me to look at the user’s internet activity around the time the bogus antivirus detection was reported. One thing you should notice in the history file shown below is the kaka:// string in front of a path to a file under the user’s Documents and Settings folder. This kaka string can help you identify where part of the malware has deposited itself. This is the file that needs to be submitted to VirusTotal for analysis.

The IE History Viewer can be a very useful tool for fighting malware. I also found a website that I put into the URL filter blocklist. This is a known malware source and if you have not blocked it in your environment in some way, I recommend you take steps to block this domain.
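The sorting and searching done in Excel above can be scripted, which matters when you are triaging more than one machine. The following is an added example and not part of the original post or of IEHV: it parses an IEHV HTML export, pulls out entries whose "URL" is really a local file path under a non-web scheme (the kaka:// entries), and lists what the user visited in a window around the time of the report. The export is constructed for the example, the hosts use the reserved .invalid TLD, and the column names are an assumption about the /shtml layout; set URL_COL and DATE_COL to match your IEHV version.

```python
"""Added example, not part of the original post or of IEHV: triage an IE
History Viewer HTML export without opening it in Excel.  The export below is
constructed for the example and the column names are an assumption about the
/shtml layout; adjust URL_COL and DATE_COL to match your IEHV version.
"""
import re
from datetime import datetime, timedelta
from html.parser import HTMLParser

URL_COL = "URL"
DATE_COL = "Modified Date"
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"
WEB_SCHEMES = {"http", "https", "ftp"}
WIN_PATH = re.compile(r"^[A-Za-z]:\\")

# Constructed sample export; hosts use the reserved .invalid TLD.
SAMPLE_HTML = r"""
<table border=1>
<tr><th>URL</th><th>Title</th><th>Hits</th><th>Modified Date</th><th>User Name</th></tr>
<tr><td>http://www.example.com/mail</td><td>Mail</td><td>7</td><td>1/25/2010 9:00:00 AM</td><td>JBond.007</td></tr>
<tr><td>http://www.example.com/news</td><td>News</td><td>3</td><td>1/26/2010 2:10:05 PM</td><td>JBond.007</td></tr>
<tr><td>http://ads.example.net/redir?id=42</td><td></td><td>1</td><td>1/26/2010 2:14:30 PM</td><td>JBond.007</td></tr>
<tr><td>http://example-scan.invalid/scan.php</td><td>Your computer is infected!</td><td>1</td><td>1/26/2010 2:15:02 PM</td><td>JBond.007</td></tr>
<tr><td>kaka://C:\Documents and Settings\JBond.007\Local Settings\Temp\setup_fake_av.exe</td><td></td><td>1</td><td>1/26/2010 2:15:40 PM</td><td>JBond.007</td></tr>
</table>
"""


class _TableRows(HTMLParser):
    """Collect the text of every <tr> as a list of cell strings."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def parse_iehv_html(html):
    """Turn the export into a list of dicts keyed by the header row."""
    p = _TableRows()
    p.feed(html)
    header, *rows = p.rows
    return [dict(zip(header, r)) for r in rows if len(r) == len(header)]


def _ts(text):
    return datetime.strptime(text, TS_FORMAT)


def visited_at(entry):
    return _ts(entry[DATE_COL])


def local_file_entries(entries):
    """Entries whose 'URL' is a Windows path under a non-web scheme (the
    kaka:// entries the post describes): where the dropped file landed."""
    out = []
    for e in entries:
        scheme, sep, rest = e[URL_COL].partition("://")
        if sep and scheme.lower() not in WEB_SCHEMES and WIN_PATH.match(rest):
            out.append(e)
    return out


def local_path(url):
    """Strip the scheme: the path to hand to VirusTotal."""
    return url.partition("://")[2]


def entries_near(entries, reported_at, window_minutes=10):
    """Entries within +/- window of the user's report (same timestamp format
    as the export), oldest first: candidate sources for the URL filter."""
    centre = _ts(reported_at)
    delta = timedelta(minutes=window_minutes)
    hits = [e for e in entries if centre - delta <= visited_at(e) <= centre + delta]
    return sorted(hits, key=visited_at)
```

Read the output in order: the dropped file shows up a few seconds after the page that displayed the fake scan, and the entries just before it are the redirect chain that led there; those are the hosts to add to the URL filter, while the local path is what goes to VirusTotal.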

Have you used it for any other useful purposes? Share your experiences with other ITKE readers.

Thanks for reading and let’s continue to be good network citizens!

January 26, 2010  1:28 PM

Nmap 5.20 released – 150+ improvements

Troy Tate Profile: Troy Tate

In July 2009, Fyodor released Nmap 5.00 with some 600 changes. This was the first major release since 4.00 in 2006. On January 20, 2010, Nmap 5.20 was released with an additional 150+ improvements. Some of these improvements include:

  • 30+ new Nmap Scripting Engine scripts
  • enhanced performance and reduced memory consumption
  • protocol-specific payloads for more effective UDP scanning
  • a completely rewritten traceroute engine
  • massive OS and version detection DB updates (10,000+ signatures)

Nmap is an excellent tool for network administrators, security administrators and penetration testers. Get some Online Nmap video training – scan your network. You can also do interesting things like Use NMap to quickly scan a large subnet for MAC or IP addresses – even firewalled systems. Go get your copy today.
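The subnet sweep for MAC and IP addresses that the linked post describes produces more useful output as XML than as console text. What follows is an added example, not part of the Nmap project or the original post: it reads an Nmap XML report into a host inventory and compares it with a known list, so a new host or a changed MAC on a known address stands out. The XML is a constructed stand-in for `nmap -sn -oX hosts.xml 192.168.1.0/29` (`-sn` is the ping scan; older releases spell it `-sP`). MAC addresses and the `arp-response` reason appear only when the scanner shares a network segment with the targets, which is also why such hosts are found even when a host firewall drops ICMP.

```python
"""Added example, not part of the Nmap project or the original post: build a
host/MAC inventory from an Nmap XML report and diff it against a known list.
The XML is a constructed stand-in for `nmap -sn -oX hosts.xml 192.168.1.0/29`.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX hosts.xml 192.168.1.0/29" version="5.20">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example Vendor"/>
<hostnames><hostname name="gw.example.internal" type="PTR"/></hostnames>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.2" addrtype="ipv4"/>
<address addr="00:11:22:33:44:66" addrtype="mac"/>
<hostnames/>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.4" addrtype="ipv4"/>
<hostnames><hostname name="remote.example.internal" type="PTR"/></hostnames>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.3" addrtype="ipv4"/>
</host>
<runstats><hosts up="3" down="1" total="4"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One dict per <host>: ip, mac, vendor, hostname, state, reason."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        rec = {"ip": None, "mac": None, "vendor": None, "hostname": None,
               "state": status.get("state"), "reason": status.get("reason")}
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                rec["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                rec["mac"] = a.get("addr").upper()
                rec["vendor"] = a.get("vendor")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        hosts.append(rec)
    return hosts


def hosts_up(hosts):
    return [h for h in hosts if h["state"] == "up"]


def mac_inventory(hosts):
    """ip -> mac for every live host whose MAC was seen (local segment only)."""
    return {h["ip"]: h["mac"] for h in hosts_up(hosts) if h["mac"]}


def diff_inventory(known, seen):
    """Compare an authoritative ip->mac list with what the scan saw.  Returns
    (new_hosts, changed_macs); a changed MAC on a known IP deserves a look
    (re-imaged box, replaced hardware, or something answering ARP for an
    address it should not own)."""
    new = sorted(ip for ip in seen if ip not in known)
    changed = sorted(ip for ip, mac in seen.items() if ip in known and known[ip] != mac)
    return new, changed


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8").read() if path else SAMPLE_XML
    for h in hosts_up(parse_nmap_xml(data)):
        print(f"{h['ip']:15s} {h['mac'] or '-':17s} {h['hostname'] or '-'} ({h['reason']})")
```

Hosts found by `echo-reply` but without a MAC are on a remote segment; hosts found by `arp-response` are local and will show up even with ICMP blocked, which is the "even firewalled systems" behaviour of the original post.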

How do you use Nmap in your environment? What tips/tricks do you have to share with other ITKE readers? Leave a comment and share your experiences.

Thanks for reading and let’s continue to be good network citizens!

January 25, 2010  6:12 PM

Check this out – 4 Steps for Trimming Patch Management Time

Troy Tate Profile: Troy Tate

Hopefully you have heard of, and are testing and/or applying, the recent Microsoft out-of-cycle patch for the Internet Explorer vulnerability that was exploited in the recent attacks on Google and other companies. If not, you need to consider how your organization and users are protected from this threat and others.

One main way of protecting your organization is by applying patches. An article on Dark Reading proposes 4 Steps for Trimming Patch Management Time. Those steps summarized here are:

1. Level the patching field. Time-saver: Develop a patch priority list based on business criticality: Your business continuity/disaster recovery plan is a good starting place for establishing a hierarchy of patch deployments that will see the most critical exposures patched first, with lower risk or lower exposure vulnerabilities patched on a less fast-paced (and, ironically, less time-consuming) schedule.

2. Know which systems impose their own patch schedule. Time-saver: Maintain a list of critical systems’ regular maintenance and planned downtime schedules, and plan patch deployment accordingly, dealing with other more readily available systems in the meantime. Review and update system maintenance schedules (and their effect on other schedules) on a regular basis.

3. Know who needs to know and who signs off. Time-saver: Create and maintain a comprehensive patch deployment approval and sign-off path along with your systems inventory, including emergency and off-hour contact information for all personnel on the list.

4. Take time to test patches before going operational. Time-saver: Establish comprehensive patch test platforms, including platforms for new technologies and configurations ahead of time, and make their maintenance, readiness, and upgrades an ongoing part of your operations overhead and budget. Build a day of patch-test time into your patch deployment schedule.

What steps do you take to effectively manage patches for your organization? I think Dark Reading hit the nail on the head with this list. I urge you to go read the article in its entirety. Add your comments below.

Thanks for reading & let’s continue to be good network citizens!

January 22, 2010  7:34 PM

Sure you can use my security context – exploit me!

Troy Tate Profile: Troy Tate

I recently blogged about the fact that the initial reports of the Google Aurora attack focused on Internet Explorer version 6. Some comments on the Information Security Community Group on LinkedIn got me thinking about another part of the successful exploit that could have reduced the impact, if not completely prevented it.

The Microsoft security bulletin states that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” That’s great news for the many organizations that have taken the operational stance of running users as least-privileged user accounts (LUA), i.e. the principle of least privilege. Not everyone has to run everything as a local administrator on their computer. This would keep a lot of home users from handing the attacker the whole machine and definitely help businesses reduce the impact of successful exploits of known and previously unknown vulnerabilities. Note the bulletin’s wording, though: the exploit still runs in the logged-on user’s context, so a non-admin account limits the damage to what that user can reach rather than stopping the initial compromise.

How much news about security breaches do you think there would be if LUA was put into practice everywhere possible? Maybe then we could focus on addressing other business application issues like getting incompatible applications upgraded from Internet Explorer 6 to IE8.

Thanks for reading and let’s continue to be good network citizens!

January 21, 2010  9:57 PM

Google Aurora attack focused on IE6 – does anybody do autoupdates anymore?

Troy Tate Profile: Troy Tate

Maybe you have heard about the recent news of the attacks against Google known as Aurora. If you haven’t, take a look at the stories returned by the Google news search in the previous link.

What strikes me as interesting about this attack is that the focus is on Microsoft’s Internet Explorer 6. Internet Explorer 6 was released in August 2001. Internet Explorer 7 was released in October 2006. Internet Explorer 8 was released in March 2009. So, the recent attacks focused on an 8+ year old application that has been superseded by two full revisions. Didn’t anyone use automatic updates to update their IE? What kept people from updating IE?

I know that Microsoft has released an out-of-cycle update to address the vulnerability. This is a cumulative update for all currently supported versions of Internet Explorer. So, will this update get applied to at-risk systems? Hmmm… I wonder, since it appears that there is little movement off of older versions of Internet Explorer. The attacks were on well known organizations (Google, Adobe, Juniper). Why would they still be using this older version of IE? It seems like this would raise questions about Microsoft’s penetration of newer operating systems like Vista, which would be running IE7.

IE7 had issues with compatibility and HTML standards. IE8 is much better. Is the compatibility issue so significant that organizations stayed on IE6 rather than moving to IE7 and/or IE8?

Please share your thoughts.

Thanks for reading and let’s continue to be good network citizens!

January 21, 2010  7:23 PM

How small is your netbook? How about a PC on a stick?

Troy Tate Profile: Troy Tate

I know that there are ways to run ISOs from a USB memory stick using the QEMU processor emulator open source software. It’s pretty cool if you haven’t tried it. Now, according to Dark Reading, IronKey and Lockheed Martin have an entire virtual desktop on a secure USB stick. According to the article, an entire hard drive, including OS, applications and data, can be shrunk to fit on a secure flash drive. They call it a “PC on a stick”. Since it is basically an image of a computer, it can meet an organization’s security posture and still be extremely portable and secure.

I just wonder though what would happen if you use this portable computer on a machine already running keylogging software. Does the virtual desktop check the host environment for any threats? This is a technology that could bear watching. Just how portable does your computer need to be?

Thanks for reading and let’s continue to be good network citizens!

January 15, 2010  7:33 PM

Recipe for malware infection – 10 steps

Troy Tate Profile: Troy Tate

To be certain of a malware infection, follow these steps:

1. Do not apply operating system patches.

2. Do not apply application patches.

3. Do open emails from unknown sources.

4. Do open attachments on emails from unknown sources.

5. Do open unexpected attachments appearing to be from known sources. “I’m sure this person meant to send me this PDF file.”

6. Do purchase and install a program which is supposed to fix the detected viruses on your computer. “I was just browsing the web and this window popped up saying I was infected and could fix all my problems with this 2010 SuperAntiMalwareAntiVirusFirewallPreventBuggySoftware application.”

7. Do follow instructions found in an email supposedly from the IRS, a banking institution or the FBI asking for personal information including your mother’s maiden name and social security number. The information should be entered on the website link shown in the email.

8. Do blindly click on the link shown in the email supposed to be from the trusted source. Just because the displayed link shows and the clicked link shows doesn’t mean that the message shouldn’t be obeyed.

9. Do go ahead and install the unsolicited Flash update on your computer. Surely that attached video won’t infect my 2010 SuperAntiMalwareAntiVirusFirewallPreventBuggySoftware protected computer.

10. Do not pay attention to that person over there saying they were infected when they ran the 2010 SuperAntiMalwareAntiVirusFirewallPreventBuggySoftware application. Surely they are not as smart as you.

What other steps would you suggest for becoming malware infected? Share your comments. <remove tongue from cheek>
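Step 8 is the one that can be checked mechanically: a link whose visible text is one address while its href goes somewhere else. Below is an added example, not part of the original post, of the two checks a mail gateway or awareness tool would make on an HTML message body: visible-URL host versus real href host, and hosts that merely contain a trusted domain as leading labels (bank.example.com.attacker.invalid) without actually being under it. The message body is constructed, the attacker hosts use the reserved .invalid TLD, and the "registrable domain" logic is a two-label simplification; production code should use the Public Suffix List.

```python
"""Added example, not part of the original post: the checks a mail gateway or
awareness tool would make for step 8, a link whose visible text is one address
while its href goes somewhere else.  The message body is constructed and the
attacker hosts use the reserved .invalid TLD.  registrable() is a two-label
simplification; production code should use the Public Suffix List.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited. Please sign in at
<a href="http://login.bank-example.invalid/verify">https://www.bank.example.com/</a>
within 24 hours.</p>
<p>Help: <a href="https://www.bank.example.com/help">https://www.bank.example.com/help</a></p>
<p><a href="http://bank.example.com.attacker.invalid/">Click here</a> to update your details.</p>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a>."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._text is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href, self._text = None, None


def _links(html):
    p = _Links()
    p.feed(html)
    return p.links


def host_of(text):
    """Hostname of a URL, or of bare text that looks like a domain; else None."""
    if " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlsplit(candidate).hostname
    return host.lower() if host and "." in host else None


def registrable(host):
    """Last two labels (simplification of the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def mismatched_links(html):
    """Links whose visible text names a site other than the one the href visits."""
    out = []
    for href, text in _links(html):
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registrable(shown) != registrable(actual):
            out.append((text, href))
    return out


def lookalike_links(html, trusted_domain):
    """Links whose host contains trusted_domain as leading labels but is not
    actually under it, e.g. bank.example.com.attacker.invalid."""
    out = []
    for href, text in _links(html):
        host = host_of(href)
        if not host or host == trusted_domain or host.endswith("." + trusted_domain):
            continue
        if host.startswith(trusted_domain + ".") or ("." + trusted_domain + ".") in host:
            out.append((text, href))
    return out
```

The first check catches the classic displayed-versus-actual mismatch; the second catches the link that says "Click here" and so has no visible address to compare, but whose host is built to read like the trusted one in a status bar. Neither replaces the advice in the list: type the bank's address yourself.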

Just thought I would share these tips with you. If you got this far, you might find this entry in the McAfee Security Insights blog interesting – Operation “Aurora” Hit Google, Others. Basically the attack was multi-layered. It began with social engineering and ended up with outbound data being sent to unknown attackers. It makes for some very interesting reading.

Thanks for reading & let’s continue to be good network citizens!
