Monday, 26 March 2007

Malware

Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a portmanteau of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, West Virginia, and several other U.S. states [1].
Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.
Purposes
Over the years, people have written malicious software for a number of different purposes.
Many early infectious programs, including the Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks -- generally intended to be harmless or merely annoying, rather than to cause serious damage. Young programmers, learning about the possibility of viruses and the techniques used to write them, might write one just to prove that they can do it, or to see how far it could spread.
A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. Many DOS viruses were designed to destroy files on a hard disk, or to corrupt the file system by writing junk data. Network-borne worms such as the Code Red worm or Ramen worm fall into the same category. Designed to vandalize Web pages, these worms may seem like an online equivalent of graffiti tagging, with the author's name or affinity group appearing everywhere the worm goes.
Revenge is sometimes a motive to write malicious software. A programmer or system administrator about to be fired from a job may leave behind backdoors or software "time bombs" that will allow them to damage the former employer's systems or destroy their own earlier work.
However, since the rise of widespread broadband Internet access, a greater portion of malicious software has been focused strictly on a profit motive. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' Web browsing, display unsolicited advertisements, and redirect affiliate marketing revenues to the spyware creator. Spyware programs don't spread like viruses; usually they are installed by exploiting browser security holes, or are installed like a Trojan horse when the user installs other software.
Infectious malware: viruses and worms
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect computers. More recently, the words are often used interchangeably.
Today, some draw the distinction between viruses and worms by saying that a virus requires user intervention to spread, whereas a worm spreads automatically. Under this definition, infections transmitted by email, which rely on the recipient opening an attachment to infect the system, are classified as viruses.

Trojan horse (computing)
In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.
Often the term is shortened to simply trojan, even though this turns the adjective into a noun, reversing the myth (Greeks were gaining malicious access, not Trojans).
There are two common types of Trojan horses. One is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer-to-peer file sharing utilities. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.
Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore, their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration.

Zombie computer
A zombie computer, abbreviated zombie, is a computer attached to the Internet that has been compromised by a security cracker, a computer virus, or a trojan horse. Crackers almost always target the Windows operating system because of its vast user base, security problems and perceived lack of technical savvy of its users. Generally, a compromised machine is only one of many in a "botnet", and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner is typically unaware that the machine is being used as a vector, these computers are metaphorically compared to zombies.

Infected zombie computers — predominantly Windows PCs — are now the major delivery method of spam.
Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers. This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth.
For similar reasons zombies are also used to commit click fraud against sites displaying pay-per-click advertising.
Zombies have also conducted distributed denial of service attacks, such as the attack upon the SPEWS service in 2003.

Spam Prevention Early Warning System
The Spam Prevention Early Warning System (SPEWS) is an anonymous service which maintains a list of IP address ranges belonging to Internet service providers which host spammers and take little action to prevent their abuse of other networks' resources. It is used by numerous Internet sites as a source of information about the senders of unsolicited bulk email, better known as spam.

SPEWS itself publishes a large text file containing its listings, and operates a database where users may query the reasons for a listing. Users of SPEWS can reprocess these data into formats usable by anti-spam software.

For instance, until recently many mail sites used a DNSBL based on SPEWS data, operated at spews.relays.osirusoft.com. This DNSBL was shut down on August 27, 2003 after several weeks of denial of service attack. A number of other DNSBLs exist based on the SPEWS data, which remain accessible to the public.

There is a certain degree of controversy regarding SPEWS' anonymity and its methods. SPEWS remains anonymous to avoid harassment and barratrous lawsuits of the sort which have hampered other anti-spam services such as the MAPS RBL and ORBS. Some regard this anonymity as irresponsible, while others find it sensible. In addition, many ISP clients whose providers are listed on SPEWS take umbrage that their own IP addresses are associated with spamming, and that their mail may be blocked by users of the SPEWS data.
The social issue of who I allow to send me data remains unresolved for now, but one thing we are all sure of is that it cannot continue in its current form, as software writers struggle to come to grips with business relationships to establish what is safe; yet a large problem remains with

Saturday, 24 March 2007

Web logon Error

SYMPTOMS
You can't log on: you get an error telling you that you have entered the wrong username or password.

Do you have an IIS6 website running OWA (Outlook Web Access), SharePoint, Remote Desktop, or all of them?

Check that your authentication is set to NTLM: open a command prompt, change to C:\Inetpub\Adminscripts and run
cscript adsutil.vbs get w3svc/NTAuthenticationProviders
If you get an error, or the message The parameter "NTAuthenticationProviders" is not set at this node.

you'll need to set NTLM on the site. You can do this on every site or just one; to set it on every site on the server run
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

To set it on just one site you'll need the site identifier, which you can get from the Internet Information Services Manager MMC. In this example the site identifier is 1056747795, so the command is
cscript adsutil.vbs set w3svc/1056747795/NTAuthenticationProviders "NTLM"

You may need to restart IIS afterwards; you can use the iisreset command for this.

If you have a large number of web servers you can copy the following into a batch file:

rem /d switches drive as well as directory, so this works from any drive
cd /d C:\Inetpub\Adminscripts
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
pause

Things to remember when installing a windows operating system

Don't forget about the footprint.... Windows XP Pro SP2 with all hotfixes (http://en.wikipedia.org/wiki/Hotfix) applied comes in at about 3Gb, and that is before you have any other programs, and you have the Pagefile to think of.
Remember it is double the size of the RAM, so if you've 4Gb on your PC that's an 8Gb Pagefile (http://en.wikipedia.org/wiki/Pagefile). This brings my workstation to 11Gb before I even install Office, and if you're installing Office 2007 that's another 1.5Gb, so call it 13Gb to be safe. Remember things like this when picking your system partition size.

In a server environment, if you can, you want to have a minimum of a RAID 1 set for the OS (http://en.wikipedia.org/wiki/RAID), ideally RAID 5, as you never know when you might want to increase the size of your OS by a few gigabytes, and RAID 5 for your data. When working in a data-sensitive environment like a bank or government agency, where data cannot afford to be lost, RAID 10 is recommended. This is like having two RAID 5 arrays that mirror one another, meaning you would have to lose a minimum of 2 drives from each mirror, and 4 drives in total, to stand a chance of losing anything. The chances of having this many faults at the same time are extremely unlikely; you can look up the Mean Time Between Failures to calculate the odds. Just to give you some idea, you have better odds of winning the lottery 4 times in a row than you do of this happening. But there is still a chance, and this doesn't protect your data from corruption or human error, so you still need to look at backing it up somehow.

Christmas is bad for networks

... deck the halls with boughs of holly
By Will Sturgeon
Published: Wednesday 06 December 2006

Hanging Christmas decorations in the office has become a thorny enough issue in these PC times but now companies are being warned festive trinkets can interfere with office wi-fi coverage. Though rarely considered in past years, a well-dressed Christmas tree and some decorations hung around the office could diminish the strength of a business' wi-fi signal by as much as 35 per cent. And that drop could be the difference between a usable signal and a connection that is faltering or intermittent.

It's not just the physical interference of added 'clutter' in the office but also an increase in reflective surfaces that can make the signal even less effective, according to wi-fi optimisation and troubleshooting experts AirMagnet.

Some enterprises are already aware of the threat. Paul Broome, IT director at 192.com, whose offices use wi-fi, said Christmas decorations are just the latest in a long line of items that can affect the strength of a company's wi-fi signal.

Broome told silicon.com: "Christmas lights can play havoc if you have a very cheap and nasty power transformer. It will radiate lots of RF gleefully over the twisted 12v DC cable powering the lights."

But Broome said this is no stranger than other problems he's encountered in the past. One office he worked in had a number of women who wore large amounts of jewellery and who would cause a dip in signal strength as they passed access points, he said.

AirMagnet's top tip for preventing problems this year is to ensure whoever is responsible for positioning the Christmas tree and any large decorations is also aware of the whereabouts of wireless access points. Problems are certainly far less severe if trees aren't placed directly in front of, or below, access points.

This news follows findings last month, published on silicon.com, which showed the effect even normal decoration and fixtures, such as plants and lighting, can have on the strength of wi-fi signals.

Sunday, 18 March 2007

Types of Data Loss Events

Here are some very important things to consider when choosing your backup and restore technologies: there is more than one kind of data loss, and each has its own unique problem. Human error is by far the hardest one to protect against and the most likely one to happen; you can control the data input by validating the data where possible and removing the option to delete data from all except managers.

Intentional action
1) Intentional deletion of a file or program

Unintentional action
1) Accidental deletion of a file or program
2) Misplacement of CDs or floppies
3) Administration errors

Failure
1) Power failure, resulting in data in volatile memory not being saved to permanent memory.
2) Hardware failure, such as a head crash in a hard disk.
3) A software crash or freeze, resulting in data not being saved.
4) Software bugs or poor usability, such as not confirming a file delete command.
5) Data corruption, such as file system corruption or database corruption.

Disaster
1) Fire, earthquake, flood, tornado, etc.

Crime
1) Theft, hacking, sabotage, etc.
2) A malicious act, such as a worm, virus, hacker or theft of physical media.

Thursday, 15 March 2007

HTTP Error 401.1

You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool

SYMPTOMS

When you try to access a Microsoft Internet Information Services (IIS) 6.0 Web site that is configured to use Integrated Windows authentication only, you are prompted for your user credentials. When you try to log on, you receive the logon prompt again. After you try to log on three times, you receive the following error message:

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

CAUSE

This behavior may occur if the following conditions are true:
The IIS 6.0 Web site is part of an IIS application pool.
The application pool is running under a local account or under a domain user account.
The Web site is configured to use Integrated Windows authentication only.

In this scenario, when Integrated Windows authentication tries to use Kerberos, Kerberos authentication may not work. To use Kerberos authentication, a service must register its service principal name (SPN) under the account in the Active Directory directory service that the service is running under. By default, Active Directory registers the network basic input/output system (NetBIOS) computer name. Active Directory also permits the Network Service or the Local System account to use Kerberos.

RESOLUTION

If this behavior occurs when the application pool is running under a local account, follow the steps in the "Workaround" section.

To resolve this behavior when the application pool is running under a domain user account, set up an HTTP SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account that the application pool is running under. To do this, follow these steps on a domain controller:

Important: An SPN for a service can only be associated with one account. Therefore, if you use this suggested resolution, any other application pool that is running under a different domain user account cannot be used with Integrated Windows authentication only.

Install the Setspn.exe tool. To obtain the Microsoft Windows tool, visit the Microsoft Website.

The Microsoft Windows Server 2003 version of the Setspn.exe command-line tool is available in the Windows Server 2003 Support Tools that are included on your Windows Server 2003 CD. To install the tools, double-click the Suptools.msi file in the Support/Tools folder.

Start a command prompt, and then change to the directory where you installed Setspn.exe.

At the command prompt, type the following commands. Press ENTER after each command:

setspn.exe -a http/IIS_computer's_NetBIOS_name DomainName\UserName

setspn.exe -a http/IIS_computer's_FQDN DomainName\UserName

Note: UserName is the user account that the application pool is running under.

After you set the SPN for the HTTP service to the domain user account that the application pool is running under, you can successfully connect to the Web site without being prompted for your user credentials.

WORKAROUND

To work around this behavior if you have multiple application pools that run under different domain user accounts, you must force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only. To do this, follow these steps on the server that is running IIS:

Start a command prompt.

Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.

Type the following command, and then press ENTER:

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

To verify that the NtAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc/NTAuthenticationProviders

The following text should be returned:

NTAuthenticationProviders : (STRING) "NTLM"

Tip for those of you running lots of stuff in IIS6, or just a Small Business Server 2003

Copy the commands into a .bat file, as you might be running them more than once due to service packs and reconfiguring:

rem /d switches drive as well as directory, so this works from any drive
cd /d C:\Inetpub\Adminscripts
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
pause

The pause at the end gives you time to see that the command has run and any errors you might have.
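As an added example, not part of either the "Web logon Error" post or this one, the following VBScript applies the same NTLM setting through ADSI (the IIS metabase interface adsutil.vbs itself uses) to the server default and to every web site, skipping any node that is already set so it can be rerun after service packs. The file name SetNtlm.vbs and the "(not set)" label are assumptions.

```vbscript
' Added example (not from the original posts). Run with:
'   cscript //nologo SetNtlm.vbs
' Equivalent to running the adsutil.vbs "set" command from the posts
' for w3svc and for w3svc/<site identifier> of every site.
Option Explicit

Dim svc, child
Set svc = GetObject("IIS://localhost/W3SVC")

' Server-wide default: the "w3svc" node in the adsutil commands.
EnsureNtlm svc, "w3svc (server default)"

' Each web site is a child IIsWebServer whose Name is the site
' identifier shown in IIS Manager (e.g. 1056747795 in the post).
For Each child In svc
    If child.Class = "IIsWebServer" Then
        EnsureNtlm child, "site " & child.Name & " (" & child.ServerComment & ")"
    End If
Next

' The posts note that IIS may need a restart (iisreset) afterwards.

' Read NTAuthenticationProviders; an unset node raises an ADSI error,
' which is what adsutil reports as "not set at this node".
Function CurrentProviders(node)
    On Error Resume Next
    CurrentProviders = node.Get("NTAuthenticationProviders")
    If Err.Number <> 0 Then CurrentProviders = "(not set)"
    On Error GoTo 0
End Function

' Set the value only when it is not already exactly "NTLM", so the
' script is safe to rerun and reports what it changed.
Sub EnsureNtlm(node, label)
    Dim before
    before = CurrentProviders(node)
    If UCase(before) = "NTLM" Then
        WScript.Echo label & ": already NTLM"
    Else
        node.Put "NTAuthenticationProviders", "NTLM"
        node.SetInfo
        WScript.Echo label & ": was " & before & ", now " & CurrentProviders(node)
    End If
End Sub
```

Run it from an administrative command prompt on the IIS server; it prints one line per node so you can see which sites were changed before you run iisreset.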