Digital Choke Daynotes

 Sunday, February 6, 2005       mail    link   the story

We had a nice family dinner and birthday party Saturday at Mel's Original Drive-In (Roseville, CA edition). Mel's is the place in "American Grafitti", and the food is still good after all these years. It was Joelle's 5th birthday, and we celebrated Jason's 23rd birthday. Good food was had by all, and the whole restauraunt sang "Happy Birthday" to Joelle. If you are in the nieghborhood of a "Mel's", stop by.

I heard rumors of some football game today. Didn't watch it, though. It'll probably be on the news tonight. Can't think of anything else.

Quick read, eh?

 Monday, February 7, 2005       mail    link   the story

FireFox Phishing Alert! See below.

A gentle reminder ... add 7 days to today's date. Think carefully about the result, and the result if you don't think carefully about the result. You are warned.

I spent most of the day tweaking a batch file that uses the REG QUERY command. The intent is to look at all the computers on the network to see if they are properly configured for Windows Update via our internal Software Update Server.

There are several registry settings that contain the values I need to look at. So the batch file has several REG QUERY commands to look at a specific registry value. They look like this:

for /f "tokens=1,2,*" %%1 in ('REG QUERY \\%targetcomp%\HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /s ^| Findstr "WUServer" ') do (SET WUServer="%%k")

That's all on one command line, by the way. The %targetcomp% is a parameter set previously to the IP address of the computer you want to look at. The FINDSTR command looks at the output of the REG QUERY command to find the value of the "WUServer" parameter. That parameter is put into an enviroment variable called WUSERVER. (That environment variable is cleared at the beginning of the batch file with a SET WUServer= command.

If that registry value is not found, this next line sets the WUSERVER environment variable to a "Not-Found" value.

IF NOT DEFINED WUServer SET WUServer=Not-Found

There are several other registry values that the batch file looks for, including the currently logged in user name (an environment variable called ThisUserName).

After all registry values are examined, this next command puts all the environment variables into a comma-delimited file:

ECHO "%targetcomp%","%ThisUserName%","%WUServer" >> RESULTS.CSV

The RESULTS.CSV file was emptied/initialized at the beginning of the batch file with a ECHO > RESULTS.CSV command.

My version of the batch file just does one IP address. So I built another batch file that calls this one for every IP address found in a text file. The text file (iplist.txt) contains one IP address per line. That batch file looks like this:

FOR /f %%1 IN(iplist.txt) do FINDUPDATE %%1

Running the above batch file will give me a comma-delimited-file format of the results. And I can import that CSV file into a spreadsheet or a database for further analysis.

What about systems that aren't available or logged into the network? Since I have a master list of all the IP addresses that have been used in the last several days (IP addresses are usually handed out via DHCP), I need a quick way to keep track of 'inactive' computers. This is done by using the ERRORLEVEL value returned by the REG QUERY command. I just put the non-responsive IP addresses into another text file with this command, which is just after the REG QUERY command.

IF %ERRORLEVEL% EQU 0 ECHO %targetcomp% >> MISSED.TXT

Again, the MISSED.TXT file is created/cleared with a ECHO > MISSED.TXT command. So later on I can use the MISSED.TXT file to get computer systems I missed with the previous analysis.

Another tweak is to quickly determine if an IP address is 'alive'. This is done with a PING command:

PING -n 1 %targetcomp% | FIND /I "Request timed out." > NUL

I moved the above IF %ERRORLEVEL% .. command just after the PING command. The -n 1 parameter just sends out one PING, rather than the default 3. And the FIND command looks for the text "Request timed out.", which is what you get if the computer doesn't respond to the PING command.

The PING command actually responds a bit faster than the REG QUERY command, so the whole process works a bit faster -- important if you are scanning a big pile of systems. (In my case, that's over 1800 systems.)

The actual batch file is a bit more complex; mostly just additional PING commands and some other housekeeping functions. I'm still tweaking it a bit, so won't show it here (unless there is much demand from my thousands <g> of readers). But it was an interesting "home-built" scanning system. And the techniques can be useful for other scanning and auditing analysis.

 Monday night, February 7, 2005       mail    link   the story

ALERT !  ALERT !  ALERT !  ALERT !  ALERT !  ALERT !  ALERT !  ALERT !  ALERT !  

Firefox is vulnerable to a 'phishing' technique. It involves the use of international characters in domain names, and how they are processed by Firefox.

Internet Explorer, however, it not vulnerable to this technique, unless international character support is added in.

I've got a new report on this here (note: I updated that report on Tuesday 2/8/05 with more screenshots).

It includes a link to the report at Securnia; other media are also starting to report this. The technique has been known since about 2002, but the limited use of international characters in domain names has kept it obscure. There is no fix for this yet, except for switching to Internet Explorer <heh>.

Expect the 'phishers' to start exploting this soon, along with some other just-reported problems with Firefox and other open-source browsers.

As alternative browsers get more popular, will the number of vulneabilities increase?

 Tuesday, February 8, 2005       mail    link   the story

The top of this page now has a link to the "FireFox Phishing Alert" page. I see from it's visitor counter that a few of you have taken a peek at it. Comments are always appreciated.

I made some minor changes to that page this morning, adding screen shots of how the fake page looks in IE and FireFox, both with SpoofStick installed. You'll notice that SpoofStick in FireFox gets fooled. I took a quick look at the SpoofStick web page, but found no information about the problem. It looks like the author is on an extended travel trip, though, which may be delaying his response. (You can get to that author's blog via the main SpoofStick page.)

And today is "Patch Tuesday", so there are some updates from Microsoft that are important. Of course, we all have our Automatic Updates enabled, so we're protected, right?

I got a new pair of glasses yesterday. My main problem is 'presbyopia', which means my eyes are getting older, so my near (reading) vision is weaker. I have been using a 'blended bi-focal' pair of glasses, but they weren't working well with smaller text. This pair is just a regular reading glasses, which takes a bit of getting used to. With my prior glasses, I could move my head up/down and see objects farther away. The new glasses are a bit disconcerting because of the different way they work. Quick movements cause a bit of dizziness, so I don't use the new pair all the time. They do provide much clearer text for reading and working on the computer, though.

 Thursday, February 10, 2005       mail    link   the story

If you are using any Symantec products, there is a problem with their anti-virus engine not being able to look inside some types of compressed files. The risk is that a malicious file attachment/download would not be properly scanned for viruses. The virus/worm could cause damage to your computer or exposure of personal information.

The problem occurs in up to 30 of the Symantec products. A list of affected products is on the Symantec web site here:

http://www.symantec.com/avcenter/security/Content/2005.02.08.html

Patches are available at the Symantec site; users are advised to install the patches. Symantec rates this as a 'critical' patch.

And a later entry from the Internet Storm Center, it seems that the F-Protect Anti-Virus program has a similar problem with improper analysis of "ARJ" compressed files (Symantec has a problem with UPX-compressed files). Both companies have patches out. The F-Protect site advisory is here:

http://www.f-secure.com/security/fsc-2005-1.shtml

This may turn out to be a bit interesting -- perhaps other compressed file formats might have problems. This is a story worth pursuing.

 Friday, February 11, 2005       mail    link   the story

Three more days, gents.

Which is why I am being "allowed to go" to the church Valentine Dinner/Dance tonight. Actually, it's probably more of a "command performance", or even a "command request". And you know what the proper response is to those types of requests. I even 'get' to dance. Which could be somewhat amusing to watch, given that I am not the most coordinated person. That explains why I have never been good at video/computer games. Too much coordination is required.

I spent most of the day working on some documentation of file transfer processes for a big project around here. I used Visio 2003 for the flow charts; I've always liked using Visio to create those types of drawings and charts. Looks quite nice, he said humbly. (That reminds me of the country-western song -- by Matt Davis? -- "It's So Hard to Be Humble When You Are Perfect In Every Way".)

Noticed last night that there was an update to ZoneAlarm. Minor issue resolving a local lockup problem. I installed it, and got through the usual nag screens where it tries to get you to upgrade to the "Pro" version.

Not much planned for the weekend. Still contemplating getting a new computer. Although I certainly have the technical skills to build my own, I'm inclined to get a 'store-bought' system. Leaning towards the HP systems. We've had good luck with them at work, and I really like the HP web-based diagnostics for their systems. They have them for computers and printers and notebooks. I just noticed that the printer one will automatically check to see if you have the latest printer drivers. The price is reasonable, and they do have the 12 month no-interest financing. If we do go that way, we'll get it paid off by summer and won't have to put out a large up-front cost.