Tuesday, January 18, 2011

Phishing Fax? or just plain fishy

This afternoon we got a one page fax from someone in Vancouver WA wanting a quote for some specific printer supplies (we don't sell printer supplies - duh). The letter was well written with a good logo and plentiful contact info including physical address, phone, fax, and an email address.

So the first thing I did was go to their website based on the email address. Oops! just a standard Windows Lives template - STRIKE ONE!

Next I did a whois on the domain, the name matched the name on the fax but - STRIKE TWO!! - the domain was registered just yesterday and domain privacy is enabled. Now I'm curious.

So I went to Google maps and put in the address and did a street view. Turns out it is a residential street with older one story inexpensive small ranch houses - STRIKE THREE!!!

Next I went to the State of Washington business lookup database and found there is no legal business registered by that name - STRIKE FOUR!!!! (anybody from the state of WA listening?)

Just for good measure I did some additional google searches and found out this person has registered 104 domains - STRIKE FIVE!!!!!

The fax wanted availability of items, pricing, method of payment and contact person (name, phone...) - this gives the phisher a name and possibly an email for their database - if they are a phisher. They wanted the quote faxed back, which gives them a verification that the original fax number (mine) was good and possibly a new fax number as part of the fax back of the quote.

What are they doing? good question. Are they looking for additional contact info to build or verify their sucker list of fax numbers, email addresses, names and phone numbers? Who knows?

Phishing or fishy? definitely fishy if nothing else.


Friday, January 14, 2011

Fix for Product Registration Problem on Win 7-64

A recent change in the NetScanTools Pro manifest (v10.98.1) allowing USER accounts to run the program had a negative side effect: there have been more people having trouble completing the registration process. This is due to the fact that we store information in a common area of the registry called HKEY_LOCAL_MACHINE (HKLM). It has been there for many years and is there because it can be accessed from any logged in user, ie. it is not user specific. Recently Windows 7 64 bit has been seen as strongly enforcing the 'read-only' status of this part of the registry causing our product registration process to fail. The workaround is to start the program using right-click 'Run as administrator'. This has worked for most people.

I spent a good deal of time this week looking for a better solution. I looked at storing the registration information in a common area, but that presents it's own problems. I found a suggestion on a forum that made sense and worked: Create the registry key in HKLM with read/write permissions for the EVERYONE group during installation. Why during installation? Because when an installer is run, it is run at higher privileges (administrator) than a normal user has.

So I have now modified the methods used to create the HKLM key during running of the installer so that the key has read/write privileges. This has been tested on all versions of Windows that NetScanTools Pro v10 supports: 7 down through 2000, also on Server 2003 and 2008. Now any privilege level user should be able to complete the registration process without a problem. You still need admin privs to install the software - I can't change that.

Along the way I learned a bit about SID, ACE, ACLs, security descriptors and how to apply them to registry items using SetSecurityDescriptorDacl, RegCreateKeyEx and RegSetKeySecurity. Complicated.

The installer for NetScanTools Pro v10.98.1 was modified to include this change and published on Jan 13, 2011 at 3:53pm Pacific Time.

Tuesday, January 11, 2011

Managed Switch Port Mapping Tool v1.99.2 Released

Last night I released a new minor revision to the Managed Switch Port Mapping Tool. "Minor" is in the eye of the beholder. In reality, there were some big internal changes:

The SNMP engine was upgraded to v5.5. The complete effects of this are unknown, but may help out some mappings due to different SNMP implementations. I've been using this version of the SNMP engine for several months in the development of NetScanTools Pro v11.

The SQLite DLL was upgraded to 3.7.4. SQLite is arguably the most widely distributed non-client/server database engine. It's in your iPhone, Firefox and more.

Other changes were also important but less recognizable. We had one user who had problems with the Switch Port Mapper hanging up. Together we found that it was a corrupted snmp.tmp file. This new version deletes that file automatically when you exit the software and also deletes the html report .tmp file.

Another user had a strange problem a couple weeks ago and it was what accelerated this release. Someone at his university had a MAC with a dynamically updated DNS name of "John's MAC" (with the double quotes). First of all DNS names are not to have single quotes or spaces in them - it is a violation of DNS RFCs - why the DNS accepts them I have no idea. When our software tried to execute the SQL command with that extra quote, it failed because single quotes are used to define strings in SQL. So now our software removes single and double quotes returned by DNS.

The final important change was to the way VLANs were handled. The change corrected the VLAN results shown when you map a Cisco Small Business SF 300-08 switch. Previously there were 'extra' VLANs noted like vlan 0 which doesn't exist.

In case you are wondering, the Managed Switch Port Mapping Tool is Windows compatible software used to discover MAC and IPv4 addresses of devices connected to an SNMP managed network switch. If any of this interests you, please visit http://www.switchportmapper.com/ or http://www.netscantools.com/spmapmain.html

Thursday, January 6, 2011

Shortened URLs Unmasked

Twitter users in particular are bombarded daily with a plethora of shortened URLs. Shortened URLs are especially useful on Twitter because really long URLs like http://netscantools.blogspot.com/2011/01/addressing-confusion.html are tough to fit into 140 characters and somehow retain a meaningful message. Those long URLs can be shortened up into something like http://tinyurl.com/37dnopw. While convenient, they do present a security risk. Not only can a URL to an informative article be shortened, but so can a URL to a page full of malware be hidden by the shortened URL. How can you know where that URL goes?

The methodology of shortened URLs is fairly straightforward. When you access the shortened URL, the shortened URL provider's web server sends back a HTTP 301 Moved Permanently message with the new location URL. You can clearly see it in the two examples below - I used NetScanTools Pro's URL Capture to grab the text. Your web browser will not show these hidden headers and it will act on them before you have a chance to think about the final target URL. That's why I used the tool in NetScanTools Pro - it grabs only the text and does not accept anything else like scripts or images.

This first methodology used by tinyurl.com is the simplest. It only sends back the 301 redirect message.

Starting Timestamp: 01/06/11 22:06:18
Input URL: http://tinyurl.com/37dnopw
Web server IPv4 address:
***###Received Web Page text begins after this line###***
HTTP/1.0 301 Moved Permanently
Location: http://netscantools.blogspot.com/2011/01/addressing-confusion.html
X-tiny: cache 0.00097513198852539
Content-type: text/html
Content-Length: 0
Connection: close
Date: Fri, 07 Jan 2011 06:05:40 GMT
Server: TinyURL/1.6

The next methodology used by the bit.ly URL shortening service is a bit more involved. Not only does it send back the HTTP 301 moved message, but they also provide a web page with the embedded redirected target link just in case the web browser does not follow the 301 command.

Starting Timestamp: 01/06/11 22:06:40
Input URL: http://bit.ly/i9TxQY
Web server IPv4 address:
***###Received Web Page text begins after this line###***
HTTP/1.1 301 Moved
Server: nginx/0.7.67
Date: Fri, 07 Jan 2011 06:06:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: _bit=4d26ad49-003c1-00673-b3a08fa8;domain=.bit.ly;expires=Wed Jul 6 02:06:01 2011;path=/; HttpOnly
Cache-control: private; max-age=90
Location: http://www.us-cert.gov/current/index.html#apple_releases_mac_os_x4
MIME-Version: 1.0
Content-Length: 328

...web page omitted...

There are plugins for Firefox and other browsers which do that first step of contacting the URL shortening server, then they present the final target to you - and it's your decision as to whether to continue. I have showed the mechanism and how to use our software to see this. Not only is this text only URL capture tool in NetScanTools Pro, it is also in NetScanTools LE (law enforcement).

Be careful!

NetScanTools LE 1.40 Released Jan 6, 2011

This release was posted around noon today and it includes the following changes:

-Notes field can now accept much more information than in previous versions.
-Packet Capture now parses spanning tree protocol, hp switch protocol and makes sure WinPcap uses the interface IPv4 address in the event that IPv6 is also enabled on the computer.
-updated left panel control icon images.
-Updated dates to 2011.
-Updated SQLite DLL to version
-Updated database files.

You can find it at http://www.netscantools-le.com/ or if you already have the program, click on Help/check for new version.

Wednesday, January 5, 2011

Addressing Confusion

In my December 2010 newletter I talked about NetScanTools Pro 10.98.1 on Windows 7-64 bit. I talked about how the change to the manifest from 'require administrator' (which did not allow unescalated use on a User privileges account) to 'asInvoker' allowed User privileges accounts to run NetScanTools Pro without logging in as an administrator -- some business installations only allow user level privs for their employees. But the biproduct of that change was to disallow writing to HKEY_LOCAL_MACHINE (HKLM) on Windows 7-64 and possibly Vista as well. For security reasons, UAC only allows read-only privileges in HKLM when you are not an administrator process. The process (ie. NetScanTools Pro) must have elevate privs to administrator for UAC to allow writing to that part of the registry.

NetScanTools Pro 10 only writes to one specific portion of HKLM and it only does that when you complete your registration (Validate and Save) or if you change your Maintenance Plan expiration date or Email Address using About/Edit Maintenance Plan. If you try that on Windows 7-64 with normal administrator or user privs, you get an error that it cannot write to the registry. It does not write to HKLM in the normal course of program operation, registry writes are done to HKEY_CURRENT_USER (HKCU).

The next release 10.98.2 will address this by giving a much more descriptive message explaining that in order to complete the task, you have to exit and restart with 'run as administrator'. It will also have some other changes to address some things we recently learned about the SNMP toolset.

We are working on 10.98.2 and should have it done shortly.