Archive for August, 2009

Each user uses (or may not use) devices differently depending on the system setup. Nonetheless, some classes of devices are more commonly disabled than others. Knowing which ones will help you decide which devices you should disable. The following classes of devices are frequently disabled:

  • Network adapters: Especially on notebook computers, there is often more than one network device. Disabling the network devices that you do not use will definitely save you some booting time.
  • FireWire: If you have IEEE 1394 connections, otherwise known as FireWire, consider disabling them. Unless you use the FireWire port to connect a digital video camera or another external FireWire device, you have no need to keep it enabled. There is a security reason as well: FireWire gives an attached device direct access to system memory, so an unused port is one less way for someone with physical access to read RAM from a running machine.
  • Biometrics: Some of the latest computer hardware includes biometric sensor equipment such as a fingerprint scanner. If you do not use these security features, you can save time by disabling these devices, too.
  • Modems: Do you have a broadband connection? If so, consider disabling your modem. If you rarely use it, why not disable it? If you ever need to use it again, just re-enable it.
  • TPM security chips: Does your computer have a Trusted Platform Module (TPM)? The chip provides a tamper-resistant place to store and protect keys, for example the key that BitLocker uses for hard drive encryption. If you are not using BitLocker or any other feature of Windows Vista that relies on the TPM, you can disable this device too; if you are, leave it enabled.
  • Multimedia devices: Your computer has lots of multimedia devices. Take a look at the “Sound, video, and game controllers” section in Device Manager. You will find a lot of device drivers that are loaded during your boot. Some are used by all users, but you will find a few that you do not use. For example, I do not use my game port or my MIDI device, so I disabled both of those.
  • PCMCIA cards: If you are a laptop user, consider disabling your PCMCIA card controller located under “PCMCIA adapters.” The PCMCIA (Personal Computer Memory Card International Association) slot is a special expansion slot that is rarely used today on laptops except for wireless and wired network cards and card reader attachments for compact flash and other solid-state memory cards. Most laptops now have built-in network adapters, and some even have built-in wireless adapters. If you do not use your PCMCIA adapter, it is yet another device you can safely disable.

Important

Do not disable any hardware devices located under the Disk Drives, Computer, Display Adapters, IDE Disk Controllers, and the System sections (except for the system speaker). These hardware devices are critical to the operation of your system.

In the preceding section, I set a new Timeout value that will cut down on the amount of time that is wasted before the operating system starts to load. That works great when your primary operating system is the default; but if it is not, you must remember to press a key at the right moment on every single boot. There is a much better way to handle the situation. Just make your primary operating system the default operating system in the Windows Boot Manager. This will allow you to benefit from the lower Timeout value and speed up the overall boot time.

Setting the default operating system is a little more difficult because you need to use the command-line Boot Configuration Editor, bcdedit.exe. The Boot Configuration Editor is part of Windows Vista, but it requires administrative rights to run. Even if you are logged in with an administrator account, User Account Control (when enabled) gives a normally opened command prompt a standard-user token, so bcdedit.exe fails with an access-denied error unless you open the prompt elevated. Follow these steps to use the Boot Configuration Editor to set the default operating system:

  1. Click the Start button and navigate through All Programs and Accessories.
  2. Locate the Command Prompt shortcut and right-click it to bring up the context menu.
  3. Select Run as administrator from the context menu.
  4. When the command prompt has loaded, you are ready to use the bcdedit.exe command. First, you need to get the ID of the operating system that you want to set as the default. To do this, type bcdedit /enum all in the open command prompt window. Scroll through the list of entries and look for the one with the description matching “Microsoft Windows” for Windows Vista. The entry for the operating system you are currently running is also listed under the alias {current}.
  5. After you have found the correct entry, note its identifier. That is used in the next step.
  6. While still at the command prompt, run bcdedit /default {identifier}, substituting the braced identifier you noted in step 5. For example, I ran bcdedit /default {}. If the operating system you want as the default is the one you are currently booted into, bcdedit /default {current} works without looking up the identifier.

The default operating system in the Windows Boot Manager is now set. The next time you reboot, your changes will be in use.

Tip The Boot Configuration Editor is a powerful utility that you can also use to change many other settings of the Windows Boot Manager. Experiment with bcdedit.exe by running bcdedit /? from command prompt. This will show you all the other available options and flags that you can use with the Boot Configuration Editor.

All systems initialize in more or less the same way. During the POST mentioned earlier, the BIOS checks the hardware devices and counts the system memory. Out of all the different types of system memory, the random access memory, better known as RAM, takes the longest to be checked. Checking the RAM takes time, and on a machine that has large amounts of RAM, this calculation can take several seconds. For example, a machine that has 512MB of RAM may take up to 3 seconds just to check the memory. On top of the RAM counting, a few other tests need to be done because your computer wants to make sure that all the hardware in your computer is working properly.

The complete version of these tests is not needed every time that you boot and can be turned off to save time. Most system BIOSs offer a feature called Quick Boot. This feature enables the user to turn off the full version of the test and sometimes enables you to run a shorter quick check test instead. Other BIOSs allow you to turn off the Memory Check only, which will still cut down on a lot of time.

To turn on the Quick Boot feature or to turn off the Memory Check, just do the following:

  1. Enter the system BIOS again by pressing F2, or whichever setup key the POST screen shows for your system.
  2. After you are in the BIOS setup, locate the text “Quick Boot” or “Memory Check.” Navigate with the arrow keys until the option is highlighted, then use the Change Value keys to cycle through the options: select Enabled for the Quick Boot feature, or Disabled if your system’s BIOS has the Memory Check feature instead.
  3. After you have changed the setting, exit the system BIOS by pressing the Escape key. Make sure you save the changes upon exit.

Using the Quick Boot feature or disabling the Memory Check will not harm your system; some computer manufacturers even ship their computers with these settings already set this way. The only downside is the rare case in which a RAM module fails: the BIOS will not catch it during POST, and you may instead see errors from the operating system or general instability. If your system starts crashing frequently or will not boot, go back into the BIOS and re-enable the tests to find out whether memory is the cause. The POST memory count is only a coarse check anyway; Windows Vista’s own Windows Memory Diagnostic tool runs a far more thorough test if you suspect a bad module.


Now that you have all your performance counters set up and displaying data, you need to select the interval time of how often the data will be updated. How often you want the counters to be updated depends on your purpose for monitoring your hardware. For example, if you are trying to track how much data your computer is sending through your network adapter every day or hour, it is not necessary to have that counter update every second. You will just be wasting CPU cycles because you are making the computer constantly update that performance counter. However, if you are interested in current memory or CPU utilization, you will want a much faster update time.

To change the update interval, perform the following steps:

  1. While in the Performance Monitor section of the Reliability and Performance Monitor, click the Properties button, which looks like a hand pointing to a notebook. Alternatively, you can press Ctrl+Q.
  2. After the System Monitor Properties window loads, click the General tab.
  3. Locate the Graph elements section and update the Sample Every text box. This number is in seconds.
  4. Click OK to close the window and save your changes.

Now Performance Monitor will poll the data sources at your specified interval.


When Windows Task Manager is started, a small histogram is displayed in the system tray that shows the CPU utilization. This little feature can be very useful if you would always like to keep an eye on your CPU utilization but do not want Task Manager always on top of all your windows. With a little bit of work, it is possible to start up the Windows Task Manager automatically on every start and run it minimized and hidden from the taskbar except for the system tray.

  1. Click the Start button, navigate to All Programs, and locate the Startup listing.
  2. Right-click Startup and select Open. A new window opens with the contents of your personal startup folder. Any shortcuts that you place in this folder will be automatically loaded when Windows starts.
  3. After the Startup folder is opened, right-click in the open white space, select New, and then navigate to Shortcut.
  4. When the new shortcut wizard loads, type taskmgr.exe in the text box asking for the location of the file, and then click Next.
  5. Type a name for the shortcut and click Finish.
  6. Now you are shown the startup folder again and a new icon for Task Manager. To make Task Manager start minimized, right-click the new icon and select Properties.
  7. Change the Run type where it says Normal Window to Minimized, and then click OK.
  8. Now the shortcut is all set up. However, there is one last change to make and you will need to open up Task Manager to do this. After you have opened up Windows Task Manager, click the Options menu bar item and select Hide When Minimized so that when the program starts, only the CPU histogram will be shown and the program will not appear on the taskbar.

Your system is now configured to start up the CPU meter on every boot in the system tray. Should you change your mind at a later time and no longer want the Task Manager CPU meter to show up, simply delete the shortcut from the Startup folder.

Hard-drive encryption is a technology that encrypts the data stored on a hard drive using a strong cipher. Data on an encrypted hard drive cannot be read by anyone who does not have the appropriate key or password. This protects the data at rest: if a notebook is stolen or the drive is removed and attached to another machine, its contents are unreadable. It is not a defence against malware or network attackers while the system is running and the drive is unlocked, because the operating system decrypts data for any program that asks for it.

The concept of hard-drive encryption is simple enough. When a file is written to the drive, it is automatically encrypted by specialized software. When a file is read from the drive, the software automatically decrypts it while leaving all other data on the drive encrypted. The encryption and decryption are transparent to ordinary applications such as word processors, databases, spreadsheets or imaging programs. A computer equipped with hard-drive encryption appears, from the user’s point of view, to function as any other computer would.

Windows Vista Enterprise and Ultimate editions include a hard-drive encryption feature called BitLocker. It normally protects the drive key with the TPM and can be configured for two-factor unlock, requiring a PIN or a USB startup key in addition to the TPM before the system boots.

E-Mail Spoofing

Posted: August 25, 2009 in Networking, Security

Email “Spamming” and Email “Spoofing”

Two terms to be familiar with in these days of increased communication via electronic mail: email “spamming” and email “spoofing”.

Email “spamming” refers to sending unsolicited email to thousands and thousands of users, similar to a chain letter. Spamming consumes network and mail-server resources, and it is often combined with email spoofing so that it is very difficult to determine the actual originating address of the sender. Some email systems, including our Microsoft Exchange, can block incoming mail from a specific address. However, because spammers change their sending addresses frequently, address blocking alone does not stop all spam from reaching your inbox.

Email spoofing refers to email that appears to originate from one source when it was actually sent from another. Individuals sending “junk” email or “SPAM” typically want the email to appear to come from an address that may not even exist, so that it cannot easily be traced back to the originator.

Malicious Spoofing

There are many possible reasons why people send out emails spoofing the return address: sometimes it is simply to cause confusion, but more often it is to discredit the person whose email address has been spoofed: using their name to send a vile or insulting message.

Sometimes email spoofing is used for what is known as “social engineering”, which aims to trick the recipient into revealing passwords or other information. For example, you get an email from what appears to be the LSE’s email administrator, or from your ISP, asking you to go to a Web page and enter your password, or change it to one of their choosing. Alternatively, you might receive an email asking for detailed information about a project. The From field suggests that the message comes from the LSE, but instead it is from a competitor.

Dealing with a Spoofed Email

There is really no way to prevent receiving a spoofed email: the mail protocol lets the sender put whatever it likes in the From field. If you get a message that is outrageously insulting, asks for something highly confidential, or just plain doesn’t make any sense, then you may want to find out whether it is really from the person it claims to be from. You can look at the Internet Headers information to see where the email actually originated.

Remember that although your email address may have been spoofed this does not mean that the spoofer has gained access to your mailbox.

Displaying Internet Headers Information

Every mail server that handles a message adds a Received: line to the top of its headers, so the email’s Internet Headers record the path the message took, with the most recent hop at the top.

1. With the Outlook Inbox displayed, right-click on the message and click on the Options command to display the Message Options dialog box.

2. Scroll to the bottom of the information in the Internet Headers box, then read upwards. The lowest Received: line shows the host that first submitted the message; the lines above it are the servers that relayed it. Compare that host, and the Return-Path: and Reply-To: fields, with the address in the From field. If they disagree, treat the message with suspicion, but remember that this is a signal rather than proof: mailing lists and legitimate bulk mailers routinely use a Return-Path or Reply-To that differs from the From address, and a sender can forge any Received: lines that sit below the ones added by your own mail servers.
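The header checks described in the steps above, written out as a small script. This is an added example for this page, not Outlook’s or the LSE’s code; both messages are constructed, and every host name, address and ID in them is made up.

```python
"""Added example: parse the Internet headers of a message and flag the
spoofing signals discussed above. Not Outlook's or any vendor's logic.
Both sample messages are constructed; every host, address and ID is made up."""
import email
import re
from email.utils import parseaddr

# Constructed spoofed message: From: claims the campus admin account, but the
# envelope sender, the Reply-To and the earliest Received: hop all point elsewhere.
SAMPLE_SPOOFED = b"""\
Return-Path: <bounce@spammer.example>
Received: from mail.campus.example (mail.campus.example [192.0.2.10])
\tby mx.campus.example with ESMTP id ABC123; Tue, 25 Aug 2009 10:00:00 +0100
Received: from unknown (HELO campus.example) (198.51.100.77)
\tby mail.campus.example with SMTP; Tue, 25 Aug 2009 09:59:58 +0100
From: "IT Administrator" <admin@campus.example>
Reply-To: helpdesk@reset-your-password.example
To: user@campus.example
Subject: Please confirm your password

Go to the link below and enter your password.
"""

# Constructed legitimate message: envelope sender and first hop agree with From:.
SAMPLE_LEGIT = b"""\
Return-Path: <alice@campus.example>
Received: from mail.campus.example (mail.campus.example [192.0.2.10])
\tby mx.campus.example with ESMTP id DEF456; Tue, 25 Aug 2009 11:00:00 +0100
From: Alice <alice@campus.example>
To: user@campus.example
Subject: Project notes

Attached.
"""


def domain_of(header_value):
    """Lowercase domain part of the address in a header value, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def received_chain(msg):
    """Received: headers oldest hop first (the bottom of the raw headers),
    with folded continuation lines joined into one line each."""
    hops = msg.get_all("Received", [])
    return [" ".join(h.split()) for h in reversed(hops)]


def spoof_signals(raw):
    """Return a list of warnings for a raw message. An empty list means none
    of these simple signals fired; it does not prove the mail is genuine."""
    msg = email.message_from_bytes(raw)
    warnings = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if rp_dom and rp_dom != from_dom:
        warnings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    hops = received_chain(msg)
    if hops:
        # Only hops added by your own servers are trustworthy; anything below
        # them could have been forged by the sender. The earliest hop still
        # shows which host the mail was actually accepted from.
        m = re.match(r"from\s+(\S+)", hops[0], re.IGNORECASE)
        origin = m.group(1).lower() if m else ""
        if from_dom and not (origin == from_dom or origin.endswith("." + from_dom)):
            warnings.append(f"earliest Received hop '{origin}' is not a {from_dom} host")
    return warnings


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, spoof_signals(raw) or ["no signals"])
```

The three checks mirror what you would do by eye in the Message Options dialog. Treat the result as a prompt to look harder, not a verdict: a newsletter will trip the Return-Path check every time, and a spoofer who relays through a host in the claimed domain passes the hop check.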

Virus spoofing

Email-distributed viruses that use spoofing, such as the Klez or Sobig virus, take a random address from somewhere on the infected person’s hard disk and mail themselves out as if they were from that address. Recipients are therefore misled as to where the message came from, and may end up complaining to, or alerting, the wrong person. As a result, users of uninfected computers may be wrongly told that they are infected and have been distributing a virus.

If you receive an alert that you are sending infected emails, first run a virus scan using your antivirus software. If you are uninfected, you may want to reply to the alert with this information:

“Your virus may have appeared to have been sent by me, but I have scanned my system and I am not infected. A number of email-distributed viruses fake, or spoof, the ‘From’ address using a random address taken from the Outlook contacts list or from Web files stored on the hard drive.”

But keep in mind that a virus alert message is quite often auto generated and sent via an anti-virus server and so replying to the original email may not elicit a response.

Alternatively, if you receive an email-distributed virus, look at the Internet Headers information to see where the email actually originated from, before firing off a complaint or virus alert to the person you assume sent it.

DNS Poisoning

Posted: August 25, 2009 in Networking

Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of a DNS server’s cache by inserting a forged record so that a domain name maps to a rogue address chosen by the attacker. When a Web user asks for a page at that name, the poisoned server hands back the rogue address and the browser connects to the attacker’s server instead. At that point, a worm, spyware, Web browser hijacking program, or other malware can be delivered to the user’s computer from the rogue location.

Because the forged record sits in a shared cache, every client that uses the poisoned server is sent to the rogue address for as long as the record’s time to live (TTL) lasts, even after the real site’s operators have fixed whatever was attacked at their end. Malware on an end user’s computer can achieve the same redirection locally, by editing the hosts file or changing the machine’s DNS settings, so that all future requests from that computer for the affected name go to the bad IP address. Spam email is a common way in: a subject line that tempts the user to open the message (for example, “Serious error in your tax return”), or images and banner ads inside it, lead the user to a server that has been compromised or set up by the attacker. Cache poisoning is particularly dangerous when the targets are well-known and trusted names, such as those that browsers and antivirus products contact when automatic virus-definition updates are performed.

The term is sometimes stretched to cover an unrelated nuisance, in which the attacker spoofs valid e-mail accounts and floods the inboxes of a domain’s administrative and technical contacts; that is mail abuse, not an attack on DNS. Cache poisoning is also distinct from URL poisoning, also known as location poisoning, in which an identification (ID) number is appended to the URL in the browser’s location line so that the site can track the user from page to page.
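To make the mechanism above concrete, here is an added example for this page (not taken from any real resolver) of a toy DNS cache. It shows the two things a forged reply has to get past, the transaction ID and source port that the resolver chose at random, and the “bailiwick” rule that discards records a server is not authoritative for. The same attempt is run with that rule on and off, so you can see the rogue address for a name the attacker does not own either rejected or cached. All names, addresses and ports are made up.

```python
"""Added example: a toy resolver cache showing what a poisoning attempt must
get past, and what happens when one check is missing. Not a real resolver;
names, addresses and ports are made up."""
import random
from dataclasses import dataclass, field


@dataclass
class Query:
    name: str
    txid: int        # 16-bit transaction ID the resolver chose
    port: int        # UDP source port the resolver used
    bailiwick: str   # zone the server being asked is authoritative for


@dataclass
class Record:
    name: str
    addr: str
    ttl: int = 3600


@dataclass
class Response:
    txid: int
    port: int                       # destination port the reply arrived on
    name: str                       # question section echoed back
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(rr_name, zone):
    """True if rr_name is the zone itself or lies beneath it."""
    n, z = rr_name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


class ResolverCache:
    def __init__(self, rng, bailiwick_check=True):
        self.rng = rng
        self.bailiwick_check = bailiwick_check
        self.table = {}      # name -> Record
        self.pending = {}    # name -> outstanding Query

    def send_query(self, name, bailiwick):
        """Choose an unpredictable txid and source port. A resolver using a
        fixed port or sequential IDs lets an attacker forge replies blindly;
        with both random, a blind spoof must guess about 2^31 combinations."""
        q = Query(name, self.rng.randrange(1 << 16),
                  self.rng.randrange(1024, 1 << 16), bailiwick)
        self.pending[name] = q
        return q

    def receive(self, resp):
        """Apply the acceptance checks; return the records actually cached."""
        q = self.pending.get(resp.name)
        if q is None or resp.txid != q.txid or resp.port != q.port:
            return []  # unsolicited or mismatched reply: dropped
        cached = []
        for rr in resp.answers + resp.additional:
            if self.bailiwick_check and not in_bailiwick(rr.name, q.bailiwick):
                continue  # this server is not authoritative for that name
            self.table[rr.name.lower()] = rr
            cached.append(rr)
        del self.pending[resp.name]
        return cached

    def lookup(self, name):
        rr = self.table.get(name.lower())
        return rr.addr if rr else None


def poisoning_attempt(bailiwick_check):
    """The resolver asks attacker.example's server for www.attacker.example.
    The reply answers honestly but smuggles a record for www.bank.example in
    the additional section. Returns (blind_spoof_cached, bank_addr_in_cache)."""
    cache = ResolverCache(random.Random(2009), bailiwick_check)
    q = cache.send_query("www.attacker.example", "attacker.example")
    honest = [Record("www.attacker.example", "198.51.100.9")]
    rogue = [Record("www.bank.example", "198.51.100.9")]
    # 1. A blind spoof with the wrong transaction ID is ignored outright.
    blind = cache.receive(Response((q.txid + 1) & 0xFFFF, q.port, q.name, honest, rogue))
    # 2. The genuine reply from the attacker's own server matches txid and
    #    port, so only the bailiwick rule stands between the rogue record
    #    and the cache.
    cache.receive(Response(q.txid, q.port, q.name, honest, rogue))
    return blind, cache.lookup("www.bank.example")


if __name__ == "__main__":
    print("hardened:", poisoning_attempt(True))    # ([], None)
    print("naive:   ", poisoning_attempt(False))   # ([], '198.51.100.9')
```

With the bailiwick check off, the cache ends up mapping www.bank.example to the attacker’s address for an hour, which is exactly the “replacing an Internet address with a rogue address” the definition above describes. Real resolvers add further defences (randomised query case, validation of signed zones), but this pair of checks is the minimum.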


On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, causing a denial of service for users of the targeted system. The flood of incoming traffic exhausts the target’s bandwidth, connection table, memory or CPU, so that legitimate users can no longer be served and the system is effectively forced offline.

A hacker (or, if you prefer, cracker) begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS “master.” From the master system the intruder identifies and communicates with other systems that can be compromised. The intruder loads attack tools, freely available on the Internet, onto multiple (sometimes thousands of) compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets at the target causes the denial of service.

While the press tends to focus on the target of a DDoS attack as the victim, in reality there are many victims: the final target as well as the compromised systems the intruder controls.
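What the flood looks like from the target’s side, as an added example for this page (not from any product): a minimal detector over connection log lines that separates the distributed case described above from a flood coming from a single host. The log format and every address are constructed; the traffic is generated by make_sample_log() rather than captured.

```python
"""Added example: a minimal SYN-flood detector over constructed connection
log lines. The line format, thresholds and addresses are all made up."""
import re
from collections import defaultdict

# Constructed line format: "<epoch seconds> <src ip> -> <dst ip>:<port> <tcp flags>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+):(\d+)\s+(\S+)$")


def make_sample_log():
    """Constructed traffic: 60 bots each sending 5 SYNs to 192.0.2.80, one
    host sending 150 SYNs to 192.0.2.82, and a little normal traffic to
    192.0.2.81, all within one 10-second span (2009-08-25 08:20:00 UTC)."""
    base = 1251188400
    lines = []
    for i in range(60):
        for k in range(5):
            lines.append(f"{base + (i + k) % 10} 198.51.100.{i + 1} -> 192.0.2.80:80 S")
    for k in range(150):
        lines.append(f"{base + k % 10} 192.0.2.200 -> 192.0.2.82:80 S")
    for i in range(5):
        for k in range(2):
            lines.append(f"{base + k} 203.0.113.{i + 1} -> 192.0.2.81:443 S")
            lines.append(f"{base + k} 203.0.113.{i + 1} -> 192.0.2.81:443 A")
    return lines


def detect_floods(lines, window=10, min_packets=100, min_sources=20):
    """Per destination, count SYNs and distinct sources in fixed windows.
    Returns {dst: {'packets', 'sources', 'distributed'}} for any window that
    reaches min_packets; 'distributed' is True when at least min_sources
    different hosts took part (the DDoS case) rather than one (plain DoS)."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ts, src, dst, _port, flags = m.groups()
        if flags != "S":
            continue  # only count connection attempts
        b = buckets[(int(ts) // window, dst)]
        b["packets"] += 1
        b["sources"].add(src)
    alerts = {}
    for (_, dst), b in buckets.items():
        if b["packets"] < min_packets:
            continue
        if dst not in alerts or b["packets"] > alerts[dst]["packets"]:
            alerts[dst] = {"packets": b["packets"], "sources": len(b["sources"]),
                           "distributed": len(b["sources"]) >= min_sources}
    return alerts


if __name__ == "__main__":
    for dst, info in sorted(detect_floods(make_sample_log()).items()):
        kind = "DDoS" if info["distributed"] else "single-source DoS"
        print(f"{dst}: {info['packets']} SYNs from {info['sources']} hosts -> {kind}")
```

Two caveats a practitioner would add: the thresholds here are invented and in practice come from a baseline of the target’s normal traffic, and a flood can spoof its source addresses, so a high distinct-source count tells you the traffic is distributed, not how many machines the intruder actually controls.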

Clipboard Hijack Attack

Posted: August 25, 2009 in Networking, Security


What is a clipboard hijack attack?

A clipboard hijacking is an exploit in which the attacker gains control of the victim’s clipboard and replaces its contents with their own data, such as a link to a malicious Web site.

While the malicious content is running, it rewrites the clipboard in a loop, so users cannot copy anything else until they close the browser (or the page running the content) or reboot the machine. Aside from the nuisance factor, the danger is that a user might inadvertently paste the inserted content into their browser’s address bar or into online content, exposing themselves or others to the malicious site.

In August 2008, there were reports of clipboard hijack attacks conducted through Adobe Flash-based ads on many legitimate Web sites, including Digg, Newsweek and MSNBC.com. The code is in Flash (SWF) files and uses the ActionScript method System.setClipboard(), called repeatedly to flush and replace the clipboard contents. If users follow the inserted link, they are taken to a fake security software site warning them that their systems are infested with malware. The purpose of the attack is to get users to download fraudulent software, putting personal information at risk in the process. Any operating system and browser with Flash installed is exposed, because the clipboard write happens inside the Flash plug-in rather than in the browser itself.

Adobe has since announced that it will add a mechanism to the next version of Flash Player that lets users grant or deny access when a Flash file tries to write data to the clipboard.