Digital Choke Daynotes

"Daynotes" are popularized by a Internet Web site called the "Daynotes Gang" (www.daynotes.com or www.daynotes.org), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. You can send your comments to us by clicking on any mailbox icon.

A new week, another new page to upload. I could get a bit philosophical here. Let see, a new week with blank pages to fill with things important and significant. Nope, that doesn't match what you have read in prior weeks. How about: a new week in the book of life, a blank page to fill with the rantings and ravings of a computer geek. Hmm..that's a bit closer. I don't rant and rave much, but I am somewhat of a computer geek.

Although, I try not to let it get out of hand. There are more important things to do. Spending time with the family, for one. Tom Syroid's Sunday post mentions that. You need to spend time with your family, because they grow up too fast. I'm at that point. My youngest daughter is making college plans, and may start in the summer session. My oldest has two children, who do come to visit every Sunday, and I really enjoy that time together. The middle son is somewhat withdrawn from family life. Although he lives in a trailer right next to the house, we don't see him that much. He tends to spend most of the weekend sleeping or hanging with a couple of his friends.

But spending time together with the family is important. There's a commercial on TV lately that shows a father sitting in the chair, reading the newspaper. His two children (young boys) start peering around the corner, and the father tries to continue reading the paper. But then, the father decides to throw down the paper and start chasing the boys around the room, doing a bit of "rough-housing". Everyone is laughing and giggling and having great fun. And the commercial ends with a blurb about having a comfortable carpet that is tough enough to take the abuse while comfortable enough to actually live on.

I like to think the point is about getting out of the self-centered mode, and taking the time to be involved with your family. As Tom S. says in his Sunday piece, the kids will grow up way too fast. You need to spend the time with them now, to have the memories when they go. And, hopefully, the kids will have good enough memories that they will want to come back.

Right now, the house is quiet. There's a clattering of the computer keys here in the office. In the living room, the pellet stove is blowing warm air throughout the front of the house. My wife is curled up on the couch taking a nap. In one of the back bedrooms, the soon-to-be-in-college daughter is snuggled into her blankets taking a rest. But soon, the oldest will be here with her husbands and children, and the house will wake up. The grandchildren will run to us with big smiles on their faces, and hugs for everyone. There will be the smell of a cooking dinner wafting into the rest of the house. It will get a bit noisier, as we review the past week, and discuss events in our lives.

And I will happily participate in the general confusion. Away from the computer. With my family.

If you are lucky enough to have family near by, get up from the chair and participate and hug. Or call someone close to you. Send a chatty email to your friends. Take some time to be with your family.

Just don't forget to come back tomorrow, where things might be a bit less philosophical.

So, thanks to John Dominik, an Irish joke that got me laughing (a common occurrence when I read John's postings):

Busy day today. There are several important security alerts out, all three regarding IIS servers. (One good place to see the alerts is at http://www.cert.org .) Two are related to buffer overflow problems with a specially crafted URL that is way too long, giving the attacker the ability to deface your web site. One is related to WebDav. All are important to patch. One of the buffer overflow problems, as I understand it, is a zero-day exploit -- that's an attack where the vulnerability was not known until the attack happened. SNBC reported that one of the attacks initially seemed to be targeted to .mil sites, with the army.mil site as one of the victims.

So, we did a quick patch on one of the exploits (just a registry change, but a reboot just the same). The others are less critical, I think, they are quite new as I write this. One of the exploits went 'critical' (lots of attacks sensed by various organizations) just before I left for the dentist. (Root canal, excellent dental surgeon, didn't feel a thing, except when I paid my share of the fee. It was interesting that he has a computer-based x-ray system, the picture is displayed on the LCD screen, and we both looked at it as he explained about the crack in my tooth.)

I think that it will be increasingly important now to ensure that one's servers are fully patched, no matter which OS you are running. I suspect that US sites will be hit a bit harder than normal over the next several weeks or longer. But once an exploit gets out there, everyone is vulnerable to an attack.

It might also be important to ensure that your home system is properly protected, even dial-up users, and especially broadband connections. Spend the time to get all the OS patches installed, get ZoneAlarm going as your firewall. Keep a close eye on what you allow ZoneAlarm to allow; especially if others in your family use your computer. And keep the anti-virus up to date.

There is a new worm coming through via email that purports to be a game. While the game runs, it silently changes the pages you will see for popular sites like Yahoo. It puts a bogus htm file on your system, then lets that htm file become visible when you go to that site. The htm file includes code to ask you for a user name and password, which it promptly reports back to the worm's writer. It is not widespread yet, so I don't think there is a DAT update (for McAfee, I haven't checked the other anti-virus sites) until Wednesday. So, as usual, don't open any attachment from anyone, unless you were expecting the attachment and you know the person (both conditions must be met). Keep the anti-virus program current on all systems you touch.

We will close with another joke from John (I hope my wife doesn't read this one...):

To use a favorite phrase of Jerry Pournelle's, "The day was devoured by locusts". Some research on security stuff, email spam, etc. A meeting about the new billing system. Testing some security audit programs.

And I stayed up to late last night reading, so I am beat. It will probably be a bit more interesting here tomorrow.

I did some port scanning on my network today. I used a tool called "SuperScan" from Foundstone, really good and fast. It's Windows-based, and will scan up to 255 IP addresses at a time. It has several config files that specify which ports to scan, and you can make your own variations. I had it scan for the standard ports, plus the hacker ones. That gave some interesting information. My main discovery was some computer had IIS, FTP, SMTP, even SQL server processes running on computers that shouldn't be doing that. I suspect that someone wasn't paying attention to the services, since there didn't seem to be any content on the IIS pages. And file sharing wasn't enabled on the one that had FTP, so I couldn't transfer a file there. Although I just did a short test of that; there are several hacks that you can use to bypass that.

SuperScan is free, fully functional (as far as I can tell), and works quite well. Foundstone has a whole package of auditing tools that are also free, plus some others that they will sell to you. I downloaded the free tools package, but haven't taken a look at all the programs yet. But, if they work as well as SuperScan, they should be quite useful.

It is important to note that one should be very careful about using some of these tools, especially on a network that doesn't belong to you. Many companies take a very dim view of unauthorized scans, to the point of an immediate escort from the premises, and sometimes a "go directly to jail" card. I have the authority to do scans at my company, but I still notified key network services staff that I was planning on scanning parts of the network. That way they don't worry about the Intrusion Detection System alarms that I will set off.

I also used the HFNETCHK program from Microsoft, which checks for missing patches on Windows systems. You can set up a text file with the Windows computer names and using the command line version run the check against all of the servers in the list. The results are written to a log file, which you can peruse later. The advantage to this is once you set up various lists, you can schedule the checking to run automatically.

I think I have mentioned a Microsoft manual about an overall strategy for securing Windows servers and workstations. It is about 200 pages long, and filled with very useful information. I was digging around on the Microsoft site for the link to it, but couldn't find it. I'll have to post it later.

And I prepared a short note to the CIO about our company's security preparedness. Information Security guys are a bit paranoid, and I am not exception. I have some concern about an increase in web attacks on our systems, especially with the current world status. I think that we may have seen a first shot on this last weekend with the WebDAV exploit that hit a US military web site. It has been kept a bit quiet in the mainstream press, but it had the potential for another 'Slammer' attack.

And there are reports of some interesting viruses/worms out there that are compromising unprotected systems.

So, I am a bit more cautious about the effect of those kinds of attacks on our company's business. A bit of precaution is always good.

After work, I stopped by the barber for a haircut. It was not busy there at all compared to other Wednesday evenings; we (the barber and I) figured that people were watching TV news. Had a nice dinner of pork chops (boneless, Shaked/Baked), hash browns, corn, and applesauce. Then we watched the President's speech, a bit of the news dweeb rehash, then we popped in the "Tuck Everlasting" DVD. A good movie (not great), but well-done.

So, a lot happened today. Brian C sent a short and cryptic message "You have been eaten by a grue". I think that was a reference to yesterday's post about the "day was devoured by locusts". But I'd rather think that it was foreshadowing what will happen to Mr. Saddam Hussein.

We indeed "live in interesting times". (By the way, that is not an old Chinese curse, as popularly though. Go here for a good story about one man's two-year quest for the origin of that phrase.

And, for something completely different, the Wall St Journal today had a piece on a group of people who are targeting the people that send out those "Nigerian Scam" letters. From the story "Web sites are attracting dedicated fans to the online serialized comedies that result when scam artists are drawn into lengthy e-mail exchanges that poke fun at the get-rich-quick schemes, and, often, their grammar and spelling". (Sort of what Brian C does to me from time to time as he comments on my grammar and spelling -- but I enjoy his comments.) The WSJ is a subscription site, so there is no link to it, but go to the ScamJokePage for the best variety -- it has pictures, voicemail, and movies of actual scammers.

I spent most of the day at work doing more port scans of the network. I found a couple of guys using P2P (Kazaa) file sharing, which is against the rules. One of them is a repeat offender. I fired off a nastygram to both of them, with copies to their bosses and the network admin for their divisions.

Now you might think it was a bit much to tell their bosses, but all employees were told in December (last year) that file sharing was not good for the network's security. And they all have signed an "acceptable use" policy that was issued by the main dude of the company. That policy states that there is to be no file sharing. And there was a second guideline document relating specifically to file sharing. It's too big of a risk to the security of the data on the network, not to mention the RIAA getting a bit ticked off at company's that allow it. (Note to self: I think that last apostrophe might be wrong, but it's a good excuse to get a nice note from Brian C.)

I also found some other interesting ports that seem to be related to possible back door trojans. I haven't investigated them yet. Although port numbers have standard assignments, a program can be made to run on any port. So you need to figure out what program is linked to the port. The best way to do that is with Foundstone's free FPORT program. It will tell you the port, and who is 'listening' to it. You do have to run the program on the suspect computer, though; you can't really get to that information remotely. (Well, I think that you can't. I suspect that you might be able to hack into the machine and get to it. But even a Security Officer -- that's me, ma'am -- has to be careful about that.)

So I spent most of the day getting the scanning reports organized to send to the various division network admins. It is their responsibility to fix the problem. I get to make sure that the problem gets fixed. We have a large number of computers, but right now there is just two of us (plus my boss, who mostly interfaces between us and management and manages us) in the company's information security department. So our job is to monitor existing network protection, identify problems, get others to get them fixed, and then we make sure that they stay fixed. And if it costs some equipment money to do it, then we make them pay for it.

Tomorrow, I've got to get organized for next week's PeopleSoft training. I've got a new laptop to get set up with the appropriate software. It's got a CD/RW, so I plan on spending some time in the evenings next week (it's a week-long class) burning some CD's with some of the auditing tools. Then I can take the CD along to the computers or servers and do the auditing without installing programs on that computer.

I spent most of the evening watching the ABC News reports about the Iraq thing. I found one report that was more interesting in what was happening in the background, rather than listening to Dan Rather. During the 20-odd minutes of that report, there was a continuous stream of tanks and other vehicles going down a road in back of him, all on their way into Iraq. If you were standing by the road, they were probably going by at the rate of 4-6 per minute. And they were moving slowly to keep down the dust. And there was a continuous line of vehicles as far back as you could see. An impressive number.

I also spent a few minutes patching a few holes in the interior wall board. I picked up a small container of plaster patching. It's a dark pink color when you put it on, then when it is dry, it turns full white. Makes it a bit easier to tell when it's ready for a second coat. You see, when you fill holes in the wall (from where some shelves were mounted with molly bolts), it takes two or three passes to get it done right.

And I did take time to watch "This Old House Hour" on PBS. One of the segments showed how to replace a sink's garbage disposal. Now I have done that a few times, so I thought I already knew how. But I learned a new trick: hook up the electrical wire before you mount the disposer under the sink. I've replaced disposals three or four times, and I always did the electrical hookup after mounting it to the sink. Doing it before mounting is easier, as you are not working at an unnatural angle.

So. Not only have you learned some geeky stuff, there is also two house maintenance tips. Aren't you glad you stopped by?

Daynotes	a daily journal of our activity	Send us email
Digital Choke	an action that is sometimes needed for your computer; also a short techno-story available here.	Send us email