We already talked about how to lock down the USB ports. This is not always possible, so, at least a good way to know what devices are or have been connected to the computers in our network is needed.

This is what EndPointScan provides. With an easy and simple installation, this application allows to specify a list of computers from our network that will be scanned. The only thing we will need to do is going to EndPoint Security site and click on Scan my network.

For this, we will need Internet Explorer, as this is an ActiveX control which will be downloaded and executed locally. Once we have executed it, it will provide a detailed report of the devices that have been connected to the computers: iPods, external harddisks, floppy drives,…

Not only this, but it also will tell us the threat level of each device and the computer risk level, so we know where we should concentrate on.

It requires Windows 2000, XP or 2003 and administrator rights in the computer. Using it is completely free, so there’s no harm in trying it to see if it works for you.

Most users got conscious and disabled the use of macros, so the virus couldn’t get executed and many mail providers blocked e-mails with attached Office documents.

This is not the case anymore, as macro viruses are very rare now, but a recent Word vulnerability has made DOC files dangerous again. This time the problem is not with macros inside the document, but a vulnerability that allows to execute malicious code when the document is open.

There is no patch yet for this vulnerability, as Microsoft won’t release it until June, so you should be extremely careful with documents you receive, specially if they are unexpected.

For now, this doesn’t seem too widespread, as only one attack has been detected against a company, and it was a very targeted one, directed specially to them, but it wouldn’t be strange to find it in the wild in some days.

In computers located at Internet cafes, public libraries or school the risk of being infected by spyware or viruses is very high, as they are used by people who, sometimes, are not very knowledgeable about security. So copying files from them or accessing important sites from there can be very dangerous.

Microsoft has released Shared Computer Toolkit for Windows XP which makes it easier to manage this computers in a secure way. The main features of this toolkit are Windows Disk Protection, User restrictions and Profile Manager.

Windows Disk Protection clears the changes made to the hard disk when the computer is rebooted so, if it gets infected with a virus it will be deleted next time you turn the computer on. You can also define some zones which must not be cleared, for example where the users save their documents.

User restrictions allows the creation of user profiles in an easy way, so you can give different sets of permissions to the different users or groups of users who must use the computer. For example, you can disallow the use of unauthorized software or set timers which limit the time a user can be logged on.

With Profile manager you can create permanent spaces which will not be cleared by Windows Disk Protection, where the users can save data.

This is a good solution unless you have a large number of computers, because the control is not centralized. In that case it will be better to use Active Directory and Group Policy. It will also allow you to test software in your own computer without fear of destroying important data.

To use Shared Computer Toolkit you will need a legal copy of Windows XP, as you must pass the Windows Genuine Advantage validation. You will also need 5 MB of space in your hard disk and a NTFS file system.

For more information and download you can go to Microsoft Shared Computer Toolkit for Windows XP.

If you want to avoid these kind of risks you can use hardware-based or software-based methods. The hardware based ones can be the most effective, but also have the burden of not being able to use the USB in case you need it.

To deactivate an USB port you can either disconnect it from the motherboard (if it’s not integrated), deactivate it from the BIOS (not very reliable) or fill the hole with glue so nobody can insert anything in it.

If you want to it by software, you can disable the USB ports completely as explained in the Microsoft Knowledge Base: How to disable the use of USB storage devices. You can also make the USB devices read only.

It would be better if the server was able to avoid these messages being sent. Although some mail servers analyze the content of the message before delivering there are some other techniques which have been proposed to work against spam. Some of them are even standards, but haven’t usually been widely deployed. Let’s have a look at some advantages and disadvantages of them.

DNS blacklist. This is one of the most old and known techniques which tries to avoid the spam being delivered by checking if the computer sending it is a “probable” spammer. It looks up its IP address in an online service (for example, MAPS or ORBS) and if the address is listed the mail will be rejected (or at least, flagged as suspicious).

There are various online services, each one listing IP addresses depending on different factors. For example, some of them list dynamic and dial-up IP addresses, which usually should send the mails through their server. Other only list IP addresses which have sent spam in the past.

Some controversy has built around these services because sometimes IP addresses have been added in error and this makes a “legal” server unable to send mail to whoever uses this filtering system. Furthermore, spammers are trying to take down some of this sites, usually by DDoS them, so users can’t check them.

You can find more technical information about DNS Blacklists at the Wikipedia.

Greylisting. If a server uses greylisting when a new mail is received it will check the IP address of the sender, his mail address and the recipient mail address against a local database. If this combination has already been seen before the mail is delivered. If it hasn’t been seen before the message is rejected with a “Try later” message.

This works because most spammers will never retry to send the message but legitimate mail server will try again in a short time, so when they retry the mail will be accepted. This can be a really powerful technique while spammers don’t adapt to it (if many servers use this they will finally retry to send the mails).

The disadvantage of this technique is that it delays all messages coming from unknown sources, be it spam or not, which might not be suitable for everyone, especially online business. Even more, if the sending server is not configured correctly it might not retry to send the mail.

This can be combined with whitelisting (addresses which are always accepted) and blacklisting (addresses which are always rejected).

More information about greylisting at the Wikipedia and links to implementations for different servers.

SPF and DomainKeys. Many spammers use fake mail addresses as the remitent of the message and send the mail from hacked machines or open relays. To solve this one can build a list of IP addresses allowed to send mail from one domain. This is the way SPF works, adding a DNS registry which tells the authorized IP addresses to send mail for that domain. This solution is really simple but it requires the “big players” to use it in their mail servers, which hasn’t happened yet.

DomainKeys is another similar technique proposed by Yahoo which uses cryptography to authenticate the message and check it comes from the mail server indicated. One of the possible disadvantages of this method is that it requires more resources to check the cryptographic signatures, although this shouldn’t be a problem in servers with a low number of users. Also, as SPF it has to be implemented by most mail servers to be really useful.

More information about SPF in wikipedia or at their homepage. Also about DomainKeys in Wikipedia or at Yahoo.

Once booted, it recognises your Windows partitions and allows downloading F-Prot, a free virus scanner, which checks your hard drive for virus. If you find any, you need to delete the files containing them.

It is also a good idea to download updates for Windows at this time, as it is safer to browse the web from the Knoppix CD.

You can download the Knoppix CD from the official site. It’s a good idea to have it at hand, just in case you need it urgently.

From | O’Reilly

Sometimes, people not using the administrator account for a long time forget the password for that account and can’t login with administrator privileges to install software or update drivers. This is a big problem, which is usually resolved by formatting the disk and reinstalling Windows. By doing this you lose a lot of time and have the possibility of erasing important files if you are not careful enough or don’t have correct and update backups.

Luckily there are other options for recovering the administrator password. The one I like the most is the use of a recovery CD which allows to edit the password without modifying anything else, so you don’t need to risk losing data or settings in your programs.

I have used many times Offline NT Password & Registry Editor and it works like a charm, allowing me to change the administrator password without a problem. I’m going to explain how to do it.

In first place, download the CD image and burn it to a disk, which you will use to boot your computer. Once it has booted you will be presented with a menu like this:

=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
 1 :   /dev/ide/host0/bus0/target0/lun0/part1    2043MB  Boot
Please select partition by number or
a = show all partitions, d = automatically load new disk drivers
m = manually load new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1]

Here you have to select the hard disk drive where Windows is installed. In most cases, you will only have one disk so you can pick the default selection and it will work right away. It then asks to load drivers, but unless you have a very strange hardware use autoprobe (the letter d).

Once this has been done the system finishes booting and looks for where the password is stored in the harddisk. It should find only one place, so you can accept the default selection and it will show the menu asking which action you want to do:

Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :

In this case you want to reset the password so pick the default selection (number 1) and it will show another menu asking for an action:

Loaded hives: <sam> <system> <security>

What to do? [1] ->

You must also select the default option (number 1) and you will see a list of all the users in the system with their RID, a number which identifies each one:

===== chntpw Edit User Info & Passwords ====
RID: 01f4, Username: <Administrator>
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator]

If Administrator is the default option you can press Enter to select it and change its password or you can even make the password blank which, by the way, is the recommended option.

* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *

To do this press * key, confirm the change and press ! to go back to the main menu. When you are there tell the program you want to quit with the q key and it will ask if you want to save the changes, so say yes. Then all the changes will be written back to disk and when it finishes you can reboot the system into Windows (remember to take out the CD).

When Windows boots again, you can login into Administrator account without any password. It’s recommended that you assign a new password to it from the management console, and the process is finished.

But spammers know this and they wont’ allow their business to go down so easily. So what is the future of filter evasion? I have been thinking about some techniques which would probably evade most of current filters and perhaps it’s time to prepare against them before it’s too late.

The idea for this list came from a post by Vivek Jishtu where he explains how a spammer is using the Yahoo greeting cards to send his messages without being detected by filters. This service allows anyone to send a card to someone, who will be notified by e-mail and will receive a link to go to a site to view the card. In this card, the spammer can include arbitrary content so he can put his spam message there and as this will not pass through any filter it won’t be detected. So, if the user receiving the card visits the link he will see this (translated from Chinese by Google Translator):

But there are also other methods that spammers might use now or in the future (I’m not aware any of this is currently in use, but you never know).

The first technique is copied from viruses or worms which have used this for a long time. Instead of sending the content of the spam in the main body of the message, a ZIP file can be attached containing a text file with the advertisement from the spammer. If this becomes popular, Bayesian spam filters might be unable to detect it as the analyzed content can have no malicious word and can look innocuous. To be able to analyze the spam, the filter should decompress the ZIP file and search for text files inside it. This also can be avoided with another technique coming from the virus world, the use of ZIP files protected with a password, like the Bagle-J virus did. The user is told to open the ZIP file using a password contained in the main body, so the filter won’t be able to decompress the file but the user will.

Another technique, similar to the use of images instead of text, is sending their advertisements in attached files in some popular file format, like PDF or Microsoft Word files. Again, the content of the main body might be totally innocuous, asking the user to open the attached file. The filter will need to understand the file format to be able to extract the text and analyze it, which will consume resources from the computer, something sometimes not feasible in servers with lots of users.

These two techniques can be stopped by disallowing the use of attached files or, at least, restricting the formats accepted, as some servers already do to prevent the reception of viruses. We also can educate the users not to open attached files coming from unkown sources, although I doubt this will work as we can see with the expansion of some viruses which work this way.

Spammers could even do another loop and send their spam inside a PDF file compressed in a ZIP file protected by a password… OK, enough, enough,…

I don’t know if any of these or similar techniques will be used by spammers in a near future. If they do use them it will be harder to filter the spam but, at the same time, will mean we are winning a battle in this war against spam. We should better be prepared before it’s too late.

Of course, Bayesian filtering is not the only way to detect spam, although we have been concentrating on it. There are other techniques currently in use, which probably might be more effective against these new attacks and we’ll see them in another post.

• cipher.exe allows the management of encrypted data, but you can download an improved version which deletes data securely from the disk, not leaving any trace of the files
• Port Reporter registers the activity in TCP and UDP ports. Information provided is comprised, amongst others, of: ports used, processes using each port, modules loaded by a process, user executing a process…
• Malicious software Removal allows removing some malware. This is not a complete antivirus or antispyware, but includes detection of some of the most dangerous viruses and trojan horses

Best of all, these tools are free so don’t hesitate to use them when you need it.

From | Rootsecure

This takes us to the need for encryption. Luckily, our favorite guru Phil Zimmermann (one of the man who has done more things for expanding the use of encryption), the creator of PGP, has just released Zfone, a software that allows to encrypt any voice call done using SIP, an standard VoIP protocol.

If you have used PGP you will have seen that it’s a bit difficult to keep up with all the terms: PKI, key-management, public keys,… With Zfone you will not need this kind of technical expertise. You only install it and it works for you. The key exchange is done with the Diffie-Hellman algorithm which allows to share some private info through a public medium and it avoids men-in-the-middle attacks (typical of these algorithm) with the use of authentication strings which are short enough to be transmitted in the telephone conversation. This is a great idea and a really innovative way to make it easy for users to check the conversation is really secure.

The idea is to make this protocol an standard and integrate it in VoIP clients. By now, it works with any program you are currently using by capturing the data transmitted.

If you want to try you can download it for Linux and Mac and it will be released for Windows in mid-April. If you do so, remember this is beta software, so it might have some bugs and keep in mind this will only encrypt your calls if the other end also uses this software.

From | Error500.