
Security in The ‘Real World’ and the Influence on IT Security – Part 1 February 28, 2006

Posted by peewitsol in Technical.
An interesting and different look at security & civilization through history. Can’t wait for Part Deux.
posted Tuesday, February 28, 2006 2:35 PM by sandeepm
The human society we live in today is the result of over 4000 years of cultural evolution. Security has always been a priority for all societies and while the focus of security may have changed, the emphasis has not. Every society has been built upon a core set of security foundations that allows the government to keep its citizens safe, maintain law and order, and protect from external threats. Historically this has been achieved by building settlements in areas that can be easily defended from attacks and close proximity to natural resources and trading partners.
At this point the settlement was a potential opportunity for attack, but with little or nothing to offer the would-be attacker it remained relatively safe. However, as the settlement grew in size and importance it moved from being an opportunity to being a target. The first line of defence to be erected was the outer wall, to keep people out. But in order to let people travel out and to allow commerce, they had to start opening doors in their otherwise impenetrable wall. And while a trader can look like a trader, sound like a trader, and even smell like a trader, without soldiers at the door checking the cargo they could never be sure. Sound familiar? It should. In the IT world we call this wall a firewall, and the people going in and out are packets. And just as in the real world, unless you deeply inspect the traffic (or the people) coming through, you have no real idea of its validity.
A similar approach is used in modern airports: the fact that you have a ticket and a passport does not imply you are a trusted and valid traveller. Unfortunately the IT world has been slow to keep up, and our firewalls have frequently failed to keep out malicious traffic and hackers. Disguising malicious traffic as valid data and passing it through the firewall is often called a Trojan – again a familiar term, first conceived 3000 years ago and named after the Trojan horse: something perceived to be ‘good traffic’, secretly containing dangerous ‘traffic’, and knowingly taken through the ‘firewall’. The threat and its countermeasure have been known about for three centuries, yet after 30 years of using a similar network we still fell victim to the same threat. Looking back through history, a number of facts become apparent:
  - IT threats mirror real world threats
  - Threats come from the inside as well as outside
  - Attackers don’t play by the rules
  - Attack classes can be classified by real world categories

Trojans, viruses, and spyware all take their names from real world threats, and all too frequently the IT world fails to stay up to date and understand the types of threats that are evolving. While we have all had anti-virus deployed in our environments, did we consider spyware and the threat it poses before two years ago? The real world threat of spies has also been known for thousands of years, yet it has taken over 30 years in the IT world to wake up to the threat of spyware.

Security in the physical world costs relatively less than its IT counterpart, is more effective, and gives us less cause for concern. Can we take what we have learnt from the physical world and develop the same types of security models in the IT world to deliver greater security at a lower cost? Over the next few blog postings I will highlight physical security models, how they apply to the IT world, and how you can leverage these models to define your own internal security policies – stay tuned.



Tips & Tricks February 23, 2006

Posted by peewitsol in Technical.


Customize your Start menu

The Start menu is the doorway to most of the programs on your computer. Taking some time to customize it to match your needs can be a good investment. Me? I was getting tired of searching through the list of programs on the Start menu. It always seemed to take too long to find the one I wanted. So, I figured out a way to alphabetize the programs in the list. In addition to saving me time, I no longer dread having to look through a long list. Anyway, I did a little research, and came up with these tips to customize your Start menu—including how to alphabetize the list of programs.

Keep your favorite programs near the top of the Start menu

Do you have a favorite program that you frequently use? Elevate its priority on the Start menu by putting it at the top of the list. This ensures that the program will remain on the Start menu and cannot be bumped by other programs, even if you use the others more frequently.

Right-click the link to your favorite program on the Start menu and click Pin to Start Menu. Your program will be moved permanently to the top part of the list, just below your browser and e-mail programs.

Alphabetize programs in your Start menu

If you’re like me, you’d like all the programs in the Start menu alphabetized. Also, you may have found that opening the All Programs menu as a folder and rearranging the icons changes nothing on the menu.

To arrange programs by name

  1. Click Start, click All Programs, and then right-click on any folder or icon.
  2. Click Sort by Name.

That’s it. Works like magic. Enjoy your refreshingly organized Start menu.

Speed up Menu Display

  1. Click Start, click Control Panel, and click System.
  2. Click the Advanced tab, and under Performance, click the Settings button.
  3. Clear the Fade or slide menus into view check box, and then click OK.

Now when you bring up a collapsed menu, it will expand without delay.

Change the Start menu style

Does the Windows XP Start menu take up too much space on your desktop? You can easily change the look back to the Windows Classic Start menu by following these steps:

  1. Right-click the Start button, and then click Properties.
  2. Click Classic Start menu.
  3. Click the Customize button to select items to display on the Start menu.

By default, selecting the Classic Start menu also adds the My Documents, My Computer, My Network Places, and Internet Explorer icons to your desktop.

Thank You—Jason Kozleski

25 Outlook E-mail Rules February 20, 2006

Posted by peewitsol in Technical.
Without sounding like Miss Manners, here are my 25 rules of Outlook email etiquette.  

1) KEEP EMAILS SHORT – Don’t write a novel. Keep the email to one or two pages of text. Any longer, consider using an attachment.

2) REPLY QUICKLY – Respond within 24 hours. Send a quick email if it will take you longer to reply.

3) CHOOSE A MEANINGFUL SUBJECT LINE – Be clear, not clever or cute. Don’t be vague (i.e. “Hi there”). Use something relevant that clarifies the email’s content. This also allows recipients to locate your email in the future.

4) VERIFY YOUR EMAIL ADDRESSES – This is still a common mistake: sending an email to the wrong person, or overlooking an email address in a list of people. This can be embarrassing and disastrous, so double-check!

5) USE BCC: TO HIDE RECIPIENTS NAMES – Not only is a long list of recipients unsightly, but most people do not feel comfortable with their email address displayed to strangers. Use BCC: to hide people’s email address when sending to a group of people.

To enable BCC:

  1. From the email’s toolbar, click on the Options’ down arrow
  2. Select BCC

6) USE DISTRIBUTION GROUPS – If you frequently send to the same group of people create a distribution list containing all of their email addresses. 

How to Create a Distribution List: 

  1. From the File pull-down menu, select New, followed by Distribution List.
  2. In the Name box, type a name.
  3. Click Select Members.
  4. In the Show names from the list, click the address book that contains the e-mail addresses you want in your distribution list.
  5. Double-click on the email addresses you want to include, then click OK.
  6. If you wish to add any other email addresses not in your contacts, click Add New and enter those addresses manually.
  7. Click Save and Close.

The distribution list is now in your Contacts list, and can be used when sending an email to that group. 

7) CHECK SPELLING, GRAMMAR & PUNCTUATION – Your writing reflects you and your company. Reread your documents before sending. If you’re not a strong writer, read your email aloud before clicking send. 

Use WORD to Create/Edit Your Emails & Turn-On Auto Spell Correct: 

  1. From Outlook’s Tools pull-down menu, select Options
  2. Click Mail Format tab
  3. Select Use Microsoft Word to edit e-mail messages check box
  4. Click Spelling tab
  5. Select Always suggest replacements for misspelled words
  6. Select Always check spelling before sending
  7. Click OK 

8) DON’T MISUSE REPLY ALL – Be careful when replying to an entire mailing list. It’s rare that the entire mailing list needs to see your reply.

9) DON’T TYPE IN ALL CAPS – Why this still needs to be a rule is beyond me. Mankind invented lowercase letters because they’re easier to read. STOP SHOUTING!

10) ANSWER ALL QUESTIONS BY QUOTING (AND REEDITING) THE ORIGINAL EMAIL MESSAGE – When answering questions from an email, quote the original email along with your reply. Email responses of “Sure, sounds great. . .” are not useful. Many topics will require reediting the original text to answer all questions separately.

11) AVOID JOKES, HUMOR & SARCASM – Use your own humor and sarcasm sparingly; your wit will probably be misunderstood in print anyway.  

Don’t forward jokes. But if you do: run spell-check, remove all of the “>>” forward marks, use BCC: when sending to many people, and be aware that your friends may be viewing your joke at work . . . so warn them if it is not G-rated!

If you forward MANY jokes, people may no longer respond to your emails quickly, or may ignore them completely.


12) DON’T ARGUE OR SEND EMAILS WHEN ANGRY – Since you’ve learned that your humor and sarcasm will be misunderstood, so shall your anger.  Attempting to argue in an email is futile. It’s best to wait before writing your email, or even better give them a phone call.  

How to: Configure Outlook to delay sending your emails  

If your email is more complicated than a few paragraphs of text (i.e. tables, graphs, graphics) it will probably be reformatted (incorrectly) when read by the recipient. Colored stationery and special or colored fonts don’t look correct in non-Outlook programs, and look even worse on a mobile device. If you need to preserve the special formatting of your document, send it as a Word or PDF attachment.

14) AVOID ATTACHMENT MISTAKES – The most common mistakes when attaching files are: 

  1. Forgetting to actually attach the file
  2. Sending too large of an attachment (under 2MB for some systems, 1MB for others)
  3. Not telling the recipient to expect an attachment
  4. Not telling the recipient what type of file is attached
  5. Sending to a company that removes all attachments due to potential viruses  

15) CREATE A SIGNATURE – Include a brief signature (i.e. name, address, phone number, email address, company name, disclaimer, website) on your email messages. Avoid scanned images. 

  1. From Outlook’s Tools pull-down menu, select Options
  2. On the Mail Format tab, click Signatures
  3. In the Create Signature dialog box, click New
  4. In the Enter a name for your new signature box, type a name for your new reply signature, click Next
  5. In the Signature text box, type your signature, click Finish
  6. Click OK (closing the Create Signature dialog box)
  7. Change the Signature for new messages box to the reply signature you created in Step 5
  8. Change the Signature for replies and forwards box to the reply signature you created in Step 5
  9. Click OK (closing the Options dialog box) 

NOTE: Do not use vCards – while sounding like a nice method for signatures; they appear as an attached file and are not recognized by all email programs, as well as ignored by most people. 

16) WHEN TO FORWARD EMAILS – You “should” tell the original author that you’re forwarding their email. Since this is rarely done, remember that your own emails may too be forwarded without your knowledge! (See #22)

17) COMPANY EMAIL RULE – If you send an email from your company, it came from your company. Don’t use your company’s email for anything personal – period.

18) REMEMBER EMAILS ARE READ AT SOMEONE’S WORKPLACE – Don’t send anything inappropriate for public viewing; if you do, give the recipient a warning!

19) DON’T FLAG EMAIL AS URGENT – Unless required by your company, don’t use this feature because it doesn’t work with all email programs, and such flags are typically ignored by most people.

20) DON’T USE REQUEST A DELIVERY RECEIPT – Unless required by your company, don’t use this feature because it can only be enforced within your company. It doesn’t work with all email programs, and people feel they’re untrustworthy.

To use Request a delivery receipt:

  1. From the email’s toolbar, click Options
  2. Under Voting and Tracking options, select Request a delivery receipt for this message
  3. Click Close 

21) DON’T USE RECALL/REPLACE A MESSAGE – This feature simply does NOT work outside a company’s Exchange Server. Besides, you usually look unprofessional because your email has already been read. (Support Document: How message recall works.)

22) EMAIL IS INDEED ETCHED IN STONE – Your email is not anonymous. And while you may have intended for only “one person” to read your email, it can (and may) be read by others. 

NOTE1: If your company needs to protect your emails, please watch this Microsoft’s Digital Rights Management demonstration.

NOTE2: Support Document How To Send An Anonymous Email. 

23) SETUP MULTIPLE EMAIL ACCOUNTS – Keep your work life separate from your personal life. Create email accounts for: work, personal, online gaming & shopping. 

NOTE1: Setup a free Hotmail email account.

NOTE2: Support Documents: How to use multiple e-mail accounts in Outlook & Outlook Express. 

24) INSTANT MESSAGING – should be used for quick “conversations” and is beginning to overtake email for this exact purpose. Email should be used to document a conversation. 

Download MSN Messenger for Windows or Macintosh. 

25) DON’T ALWAYS USE OUTLOOK – Just because email is easier, pick up the phone or meet in person. Don’t hide behind your computer monitor!
My thanks to http://spaces.msn.com/bhandler/blog/cns!70F64BC910C9F7F3!602.entry?_c=BlogPart 

Microsoft Mobile Email Solution February 20, 2006

Posted by peewitsol in Technical.

NEWS: Microsoft Announces Mobile (“Blackberry”) Email Solution

WHILE WE WAIT . . .  Blackberry’s manufacturer, Research In Motion (RIM), has proposed an alternate solution to resolve their existing “patent infringement problems.” Their solution will be “disruptive” to implement, and still has an “unknown” future while it awaits additional legal scrutiny.

TODAY:  Microsoft has announced a new partnership with Vodafone to deliver a Direct-Push solution to Windows Mobile Devices!


Vista Versions Finalized February 19, 2006

Posted by peewitsol in Technical.


From Microsoft Watch: After months of speculation as to what the final Windows Vista line up would look like, the word is out. Microsoft has posted to its Web site (whether accidentally or intentionally, we aren’t quite sure) a list of six core Windows Vista SKUs, plus two additional family members, just for the European Union audience, that don’t bundle in Windows Media Player. We’re betting there could still be other Vista SKUs in the wings, especially some 64-bit-specific varieties. But the new list offers a start.

By Mary Jo Foley


How to fold a T-Shirt February 18, 2006

Posted by peewitsol in Technical.


New technique for folding t-shirts

Just found a silly video about folding t-shirts: Folding T-Shirts.wmv  



March Technet Webcast Schedule February 18, 2006

Posted by peewitsol in Technical.


March TechNet Webcasts are here- check out the schedule

They’ve got over 50 new TechNet webcasts coming up in March. Check out the March TechNet webcast schedule.

And if you haven’t seen the new interactive webcast calendars, this is a great way to keep on top of what’s coming each week:

NEW: Interactive TechNet Webcast Calendar 

Upcoming TechNet webcasts in a dynamic, interactive format. 


NEW: Interactive Security Webcast Calendar 

Upcoming Security webcasts in a dynamic, interactive format.

An always useful link February 17, 2006

Posted by peewitsol in Technical.


Cleartype Tuner

One of those always useful links to have – I changed to a new laptop a couple of weeks after the New Year, and the default LCD display was somewhat fuzzy even with ClearType turned on.
If you didn’t know, you can use an online tool to optimise the ClearType settings here. There’s also an XP PowerToy available here that achieves the same thing.

Warning: Simple Steps to Breaking the Security Perimeter and Unlocking the Keys to the Corporation February 17, 2006

Posted by peewitsol in Technical.


Watch out! It is amazing how simple it is to break into companies and steal all their data. This story, “Anatomy of a Break-In”, details how easy it is by profiling step-by-step how Ira Winkler and his team were able to compromise all the critical systems within two days, including gaining the ability to steal sensitive information and threaten the entire IT infrastructure of a business.




Anatomy Of A Break-In

By Ira Winkler, Internet Security Advisors Group

A large multinational company was about to undergo a full security audit, and the CIO didn’t want any surprises. He was looking for advance warning of any problems that might be discovered in the formal audit so he could be ready with a remediation plan.


The company, which employs more than 10,000 people, is responsible for critical elements of physical infrastructures around the world and is regularly targeted by a wide variety of bad guys, including terrorists and foreign governments. The CIO believed the company had some problems with physical security and end-user systems but thought he had the servers and network locked down.

To get a true picture of the company’s overall security, the CIO hired my team to do a preassessment without informing the majority of employees. For political reasons, he had to let several people know the test would be performed. And just to make my job more of a challenge, the director of the network operations center vowed my team wouldn’t break into his systems or facilities.

Most of the company’s assessment funds had been allocated to the formal audit, so the preassessment budget was tight. We had an advantage in that I’d been at the facility before for an unrelated reason, so I knew the makeup of the main facility and some of its physical weaknesses, which would save us a day or so of reconnaissance.

Open-Source Intelligence
We typically begin an espionage simulation by gathering intelligence on the company’s physical, technical, and operational infrastructures, and on its personnel. Our search revealed a variety of information about the contracts the company was pursuing, as well as details on its facilities. Most troubling, we found maps of some facilities in high-risk areas, which could help malicious parties target the company and its people. We also found a corporate phone directory intended for internal use. This would have immense value for the social-engineering attacks we were planning.

We uncovered information about the company’s generic technical architecture by looking at trade Web sites and postings the company’s IT staff had made to newsgroups. We knew the company had a Windows infrastructure with Sun Microsystems computers handling most of the server duties. Knowing the hardware and software let us predict technical vulnerabilities and helped us prepare to target the systems, both internally and externally.

We also found a variety of corporate domains to target. Later we learned that the people responsible for managing the company’s Internet presence didn’t know about some of these domains, which provided back doors into the company. Along the same lines, our search turned up more than 100 Web servers, though the IT staff had figured there were fewer than a dozen. We learned of the discrepancy when we informed someone from the CIO’s staff of our findings at a breakfast meeting our first day on-site.

As happens in about half our reconnaissance efforts, we found evidence of illicit employee activities. For example, one employee was using his company E-mail account to sell information on how to perform criminal activities.

After a day and a half of this preliminary investigation, we ventured on-site. Three of us were involved in the internal test: Kevin, a technician familiar with attacks on Unix and Windows (the company’s typical environments); Jeff, who would focus on social engineering and could assist on the technical side; and me. My focus was on the “black bag” aspects of the test–physically going into a high-risk environment to steal information or perform other high-risk tasks to support the espionage operations.

Our first job was to get into the building complex, which housed multiple tenants sharing a common entrance. An outside firm handled the facilities management and physical security.

The reception desk was in the center of the main lobby, roughly 20 feet from the door. The lobby was wide open, so when we arrived I told my accomplices to act as if we were talking about something important and ignore the receptionist as we walked through the lobby toward the main building. The receptionist tried to get our attention, but we proceeded without being stopped.


There was a proximity-card sensor on the door to the offices, and the door was locked, so we waited for someone to come out and walked on in. We found the office our breakfast contact had assigned to us. Our team had its own gear–hubs, Ethernet cables, and so on–and we set up a small LAN inside the office off the room’s Ethernet port. At this point, I thought we should get company badges.

I called the company operator and asked to talk to the people responsible for issuing badges. She connected me to the reception desk. I told the person who answered that I was the CIO and I had subcontractors who needed to be issued badges. She told me, “Just send them down now.”

Jeff and I went back downstairs, at which point the receptionist recognized us and said she had tried to talk to us when we came in. We apologized, saying we didn’t know we had to stop and were there to make everything right. A uniformed guard, who’d been standing next to the desk, led us to a room with a machine. There, we filled out a form requesting name, company, and contact information, which the guard didn’t verify, and had our pictures taken. We made small talk with the guard, who asked what type of work we were doing. I told her it was computer work, and she asked, “Will you need access to the computer room?”

“Definitely,” I replied. She then made sure our badges were authorized to open computer-room locks.

When the badges were finished, the guard handed them to us and told us the access privileges might not take effect for a couple of hours. Back in our office, Kevin told us he’d identified more than 250 Web servers through network scanning. The preponderance of Web servers indicated that the company had lost control of the internal architecture and was wasting resources. Most important, these systems were poorly maintained. These and the end-user PCs were vulnerable to viruses, worms, and other attacks. The file and mail servers were generally secure but still had some vulnerabilities.

Easy Access
Next we decided to scope out the computer room. The three of us headed to the basement, where we spotted a door in a back corner labeled “Computer Room.” Duh. We entered the server room, which was unattended. We walked around, looking at the monitors, most of which were labeled. Kevin noticed that one was labeled “PDC,” likely for primary domain controller. Kevin found that the system was logged on as the administrator. He quickly opened the User Administration tool and added a new user to the system, then added the user to the Administrator group. Then we left, quite unnoticed.

Back to our office, Kevin logged on to the PDC and had control of the company’s entire Windows infrastructure. He downloaded the password file and proceeded to crack passwords.

Jeff started calling people he’d identified in his research and used several ruses to get them to disclose their passwords. He claimed to be an administrator investigating a security incident in which an outsider had called the help desk to change people’s passwords. Of course, the employees then had to tell him their passwords.

Jeff then pulled up the names of key employees and started to focus on the cracked passwords. Because the company’s user IDs were predictable, Jeff and Kevin identified the CEO’s and pulled up his password. They logged on to his account. They also learned the CEO’s secretary’s name and pulled up her account.

We acquired information critical to the company’s success, such as financial information, key project status, multibillion-dollar proposals, and other insider information. We also accessed information that could have compromised the CEO’s personal safety, such as the tail number of the private jet he uses to fly into high-risk areas.


We got to the CEO’s information through other means as well. Our espionage simulation included physical walkthroughs, and we specifically targeted the information-systems and human-resources departments and the executive offices. Again, the card-access systems gave us access to all the necessary facilities. Although some people didn’t leave anything that could give us access to sensitive information, more than enough people had their passwords hidden in plain sight–taped to monitors or under keyboards–that we could access their accounts and, therefore, other people’s information.

In the executive offices, keys and passwords, while not universally available, often were easy to find. For example, the CEO’s secretary had the CEO’s password written on a piece of paper inside her desk, even though the password was his first name. We gained access to the secretary’s desk by finding a set of keys in another desk in the executive area. Also inside the secretary’s desk was a key to the CEO’s office. We had similar success getting data from the offices of the CFO and general counsel.

Then there were the Unix systems. By the second day, the CIO thought we could take some chances that I advised him we wouldn’t take in real life because we already had the ability to control all the systems remotely. He specifically wanted me to get physical access to the network operations center.

Jeff found out the name of a technical support person who was away for a week. Sporting our headquarters access badges, we drove over to the network operations center, walked up to this building’s receptionist, and told her we were there to see the person we knew was away. She told us he was out for the week. I replied that we were with the audit staff and needed to make sure we had all the systems cataloged in advance for the upcoming audit. I said we’d been told that person would show us around the center so we could count the systems. She volunteered to show us the facility.

We had planned how the attack would go. Jeff was to stay near the woman, and I would wander out of sight. As in most such operations centers, system names and IP addresses were taped to the system boxes. We recorded the names and addresses. While Jeff was distracting our escort and I was out of sight behind an equipment rack, I pulled something out of my bag and put it in the racks as if it were a network tap. After a couple of minutes, we told the woman we had everything we needed, and we left.

Spyware Installed
From a technical perspective, Kevin had found critical vulnerabilities in the network operations center’s main servers before our visit. The systems appeared to be well-patched. However, staff members didn’t check the servers regularly for vulnerabilities and missed reinstalling all patches when they reloaded operating systems. Because of the nature of the vulnerabilities found, we would have had to reboot the systems to finish the compromise and get root privileges on the critical servers. We didn’t want to bring down the system, so Kevin came up with an alternative attack.

Thanks to the password-cracking Kevin had performed, he compromised the Sun admin’s desktop system, which was actually a Windows system. He installed spyware that let him watch the administrator’s activities and control the system. We waited for the admin to perform a remote logon to the Unix systems, which would let us capture the admin accounts and passwords. Although we didn’t need to do this because Kevin had identified vulnerabilities on the servers, it was a way to get root access without bringing down the systems. We eventually got the admin accounts for the Unix network. This, of course, provided an immense amount of engineering and project data.

All in all, this was a busy two days–yes, two days. Generally, all company information was available to us. We didn’t have any information that a malicious party couldn’t have found independently and with minimal effort.

Although some might say we were just lucky, my teams consistently have this level of success in this time frame. The people who will cause you the most harm are the professional and malicious criminals who want to access your information or cause you damage without being detected. Although these criminals might not get the same results as we did in two days, they very well may have more funding and time than we did and could use those to their advantage.

Ira Winkler, CISSP, is president of the Internet Security Advisors Group and the author of Spies Among Us (Wiley, 2005). This article originally appeared in Secure Enterprise, an InformationWeek sister publication.

2007 Microsoft Office system (aka Office ’12’) February 16, 2006

Posted by peewitsol in Technical.



Today we are announcing the details behind the upcoming 2007 Microsoft Office system products. We had previously been referring to it as Office “12”, but we now have an official name, and there is a ton of other information now available about the packaging options too. We’ve been blogging about this stuff for a long time now, and I think most of you (especially those on Beta 1) realize how huge this upcoming release is. This really is the most significant release of Office in over a decade (and it’s been awesome to work on over the past several years). So now those of you who were wondering when we were going to stop calling it Office ’12’ (I’ve also seen people making fun of us for always putting the 12 in quotes) can be satisfied. :-)