<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; Emmanuel Carabott</title>
	<atom:link href="http://www.gfi.com/blog/author/emmanuel-carabott/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 09 Aug 2013 17:06:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>How to Avoid Becoming the Villain (Part 2)</title>
		<link>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-to-avoid-becoming-the-villain-part-2</link>
		<comments>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/#comments</comments>
		<pubDate>Tue, 09 Jul 2013 16:37:25 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[illicit websites]]></category>
		<category><![CDATA[Search Engine Poisoning]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10640</guid>
		<description><![CDATA[Life is full of surprises. I recently wrote an article titled How to Avoid Becoming the Villain on why it is so important to configure your servers correctly so that people cannot exploit them for illegal purposes. A few days &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/04/Becoming-the-Villain.jpg"><img class="alignright size-medium wp-image-10454" style="border: 0px solid black; margin: 10px;" alt="Becoming the Villain" src="http://www.gfi.com/blog/wp-content/uploads/2013/04/Becoming-the-Villain-300x200.jpg" width="300" height="200" /></a>Life is full of surprises. I recently wrote an article titled <i><a href="http://www.gfi.com/blog/how-to-avoid-becoming-the-villain/">How to Avoid Becoming the Villain</a></i> on why it is so important to configure your servers correctly so that people cannot exploit them for illegal purposes. A few days ago, I came across a case that adds weight to the points I made then.<span id="more-10640"></span></p>
<p>I was searching for the website of a particular restaurant that provides a delivery service in my area and Google gave me a list including the one that I was looking for. However, the search engine warned me that the website may have been compromised or infected with malware. Now, what would a hungry person working in IT security do in such a situation? Exactly! Forget about food for a little while and look into the matter.</p>
<p>Checking out the webpage source, it was easy to find out what had triggered the alert on Google – this piece of JavaScript:</p>
<pre><code>function xViewState()
{
// Decoder as found on the compromised page: each numeric string is read two digits at a time,
// and each pair is shifted by 25-l+a (a different offset per string) to recover one character
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',
'877886888787','949990793917947998942577939317'),l=x.length;while(++a&lt;=l){m=x[l-a];
t=z='';
for(v=0;v&lt;m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;} document.write('&lt;'+x[0]+' '+x[4]+'&gt;.'+x[2]+'{'+x[1]+'}&lt;/'+x[0]+'&gt;');}
xViewState();
&lt;/script&gt;
</code></pre>
<p>For those with a background in JavaScript, a first glance is enough to see that this function exists to obfuscate some HTML: the author of that code did not want us, or anyone else inspecting the page, to see what that HTML actually is. Digging a bit deeper, I found that its purpose is to generate the following HTML: <b><i>&lt;undefined style&gt;.nemonn{position:absolute;top:-9999px}&lt;/style&gt;</i></b></p>
<p>The purpose of that HTML is to position any element carrying the class nemonn far off screen, making it invisible to anyone visiting the webpage. What did the nemonn class contain? It contained adverts and links to sites selling things like medicines, low-cost loans and other suspicious offers and deals.</p>
<h2>But why?</h2>
<p>The reason for this attack, which is called Search Engine Poisoning, is so that the attacker can improve the ranking of his malicious sites. Anyone visiting the website will not notice anything out of place, while search engines going through the victim’s website will find all the links that class nemonn is linking to. The search engine will then raise the ranking of those links based on the fact they seem quite popular since other sites are linking back to them.</p>
<p>In a nutshell, attackers are using the popularity of the victim’s site to increase the ranking of their own illicit websites.</p>
<p>This episode highlighted another issue. The attackers were able to gain access to the site and modify its HTML. The modifications were harmless to people legitimately visiting the webpage, but the same access could have been used for drive-by malware downloads, to use the website as a platform for phishing attacks, or to include exploits that compromise a visitor’s machine.</p>
<p>If you work for an organization that hosts any kind of content, be it a website or even files for download, you need to have a process to ensure that none of the content has been modified without authorization. It’s easy to upload data to your website and then forget about it so long as it’s working fine. However, you are taking a number of risks if that data is not protected.</p>
<p>Here’s an example: You have a restaurant’s website that has been compromised by attackers who proceed to manipulate the content. Let’s say that the restaurant had an online shopping cart and facilitated the use of credit cards. All an attacker has to do to steal the credit card details is to write a script that takes the same input as the legitimate form.</p>
<p>This script will save the details, including the credit card information, and resubmit them to the original script the restaurant is hosting. This might trigger a warning if the site is served over HTTPS, but unless the user is tech savvy they are very likely to dismiss the warning, especially since everything else will work as expected. Even tech savvy and security conscious users might dismiss the warning as nothing more than a redirect to an unsecured site after the order has been completed, which is something we often see happen legitimately.</p>
<p>If you don’t want others to turn you into a villain, make sure that no one can make any changes to your site or content. Also, ensure the software products you are using are patched, up-to-date and secure. I was curious to know how the website I was looking for was compromised in the first place. It turned out that they were using an old version of a popular content management system with known vulnerabilities. This is the most likely route the attackers took. The moral of the story is that you should never set up a website and forget about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Education is Your Only Defence against Shoulder Surfing</title>
		<link>http://www.gfi.com/blog/education-is-your-only-defence-against-shoulder-surfing/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=education-is-your-only-defence-against-shoulder-surfing</link>
		<comments>http://www.gfi.com/blog/education-is-your-only-defence-against-shoulder-surfing/#comments</comments>
		<pubDate>Thu, 04 Jul 2013 14:58:22 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[multi-factor authentication]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[shoulder surfing]]></category>
		<category><![CDATA[single-factor authentication]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10628</guid>
		<description><![CDATA[All the technology products in the world will never protect you against shoulder surfing. Shoulder surfing occurs when someone overhears or sees another person entering their credentials into a system and learns what they are. It has happened to most &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Shoulder-Surfing1.jpg"><img class=" wp-image-10630 alignright" style="margin: 10px; border: 0px solid black;" alt="Shoulder-Surfing" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Shoulder-Surfing1-300x200.jpg" width="270" height="180" /></a>All the technology products in the world will never protect you against shoulder surfing. Shoulder surfing occurs when someone overhears or sees another person entering their credentials into a system and learns what they are.</p>
<p>It has happened to most of us, and shoulder surfing can be either accidental – you happen to be next to a colleague and see him or her typing in a password – or intentional, when someone is on the lookout for inattentive individuals who log on to their PC or a service without checking whether anyone is watching. Either way, it’s a dangerous situation to be in.<span id="more-10628"></span></p>
<p>I came across a story by <a href="http://www.techdirt.com/articles/20130218/00403422011/dutch-parliament-member-fined-hacking-he-says-he-was-just-exposing-security-flaw.shtml">Techdirt</a> about a politician who was given a password that a member of the public overheard while attending as a patient at a medical laboratory.</p>
<p>The patient didn’t mean any harm and the laboratory should be grateful for that. Imagine what would have happened if those credentials had fallen into the hands of someone with criminal connections or someone involved in data and identity theft. A tech savvy criminal could use the credentials to access and acquire confidential patient files, in turn using the information to steal identities or even blackmail the patients.</p>
<p>Very often people don’t pay attention and do not protect what should be secret and personal. I have seen people typing in their credit card details and not covering the number as they type. People also give their credit cards to serving staff in a restaurant without realizing that their credit card is ‘lost’ for a few minutes. Even airport personnel have a habit of opening doors using the security keypad yet not shielding the numbers from prying eyes.</p>
<p>These things happen because people seldom realize why they have credit cards, passwords and passcodes in the first place: each is a secret that protects something. Pressing a number in an elevator is no different from typing in a passcode or using your credit card – that is how some people think. Obviously, that is not the case, and this is why education is so important. Helping people understand what single- and multi-factor authentication are and how they fit into the security paradigm should not be dismissed.</p>
<p>Anybody using technology should learn that when a computer program asks an authorized user for a password it is doing so to ascertain the authorized user’s identity. A computer program doesn’t have eyes that can recognize people so it tries to accomplish this by asking the user a question that only that person should know the answer to, or a password. If other people are aware of that password then the computer cannot distinguish the real authorized user from the others – all the computer is interested in is that the user knows the password and is therefore the authorized user. Anyone who has that password can log in and the computer will accept it because the identity of the user has been authenticated.</p>
<p>The system will continue to accept that identity until the compromised password is invalidated by an administrator. The same thing applies to keypads. The key code to open the door is an alternative to having a guard 24/7 allowing only authorized persons to pass through. The door cannot identify who is standing in front of it unless that person keys in the code which will allow it to determine who it should allow through the door. If a bystander sees the code and keys it in, the door will open because the code is correct and allows the bystander to pass.</p>
<p>The concept behind credit cards is different. Credit cards are assumed to be items that only their legitimate owner has on his or her person. That is why it is very important to never let a credit card out of your sight. Computer systems will always assume that the holder of that credit card is its authorized user. They work on that assumption even if presented with a copy of the credit card rather than an original. Credit cards should be considered as nothing more than portable passwords.</p>
<p>What I have discussed so far is single-factor authentication. It is single-factor because each of the users above relies on a single security mechanism. These mechanisms are based on either something a person knows (password, passcode) or something a person has (credit card). There is a third mechanism, based on something a person ‘is’: this is the factor used in biometrics, such as a palm print scan or retina scan. To further strengthen security you can use two or all of them at the same time. Two-factor authentication is becoming more popular these days. Credit card users now also have to enter a PIN code to validate any purchases or withdrawals, so stealing a credit card is useless unless you also have the code.</p>
<p>When users understand how authentication methods work, they might be motivated to protect the details more than they currently do. Let’s face it, no one wants someone else to take and use their identity!</p>
<p>When we allow people to overhear or see our credentials, or we give them enough time to take a copy of our credit cards, we are giving them the tools they need to take our identity and use ‘our’ secrets in conjunction with any system that requires them.</p>
<p>If that isn’t motivating enough, then perhaps this will work.</p>
<p>A computer acknowledges a legitimate user if the credentials used are correct; thus if those credentials are misused in any way, it is the legitimate user who will face the music. Querying the system will only show that the ‘person’ who abused the system is the legitimate owner.</p>
<p>A forensic analysis and investigation might clear the victim of any wrongdoing, but that will not be possible in every circumstance. The best way to protect your credentials is to keep them secret and always look over your shoulder when keying in passwords. You never know who is looking.</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them! </em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/education-is-your-only-defence-against-shoulder-surfing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Hidden Security Threat</title>
		<link>http://www.gfi.com/blog/the-hidden-security-threat/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-hidden-security-threat</link>
		<comments>http://www.gfi.com/blog/the-hidden-security-threat/#comments</comments>
		<pubDate>Wed, 29 May 2013 13:16:48 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Critical data]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[device]]></category>
		<category><![CDATA[device security]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Threat]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10542</guid>
		<description><![CDATA[Although not all stories in the tech press are directly related to security, they often highlight issues that can be excellent educational material. A recent story in The Register about a researcher who wanted to map the Internet caught my &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/05/IP-security.jpg"><img class="alignright  wp-image-10543" style="margin: 10px; border: 0px solid black;" alt="IP security" src="http://www.gfi.com/blog/wp-content/uploads/2013/05/IP-security-300x225.jpg" width="240" height="180" /></a>Although not all stories in the tech press are directly related to security, they often highlight issues that can be excellent educational material. A recent story in <a href="http://www.theregister.co.uk/2013/03/19/carna_botnet_ipv4_internet_map/">The Register</a> about a researcher who wanted to map the Internet caught my attention.</p>
<p>The researcher had a Herculean task to complete: to scan billions of IP addresses using the few computers he had at his disposal. He obviously needed help but where does one find that level of assistance? The researcher gave this some thought and decided to try and exploit insecure systems connected to the Internet. That surely would help.<span id="more-10542"></span></p>
<p>He didn’t access these systems using a complex attack but simply sought to gain access by trying to authenticate two very common user accounts – Root and Admin. He didn’t use a brute force attack but just three passwords: root, admin and a blank entry.</p>
<p>You may think that his attempt had very little success; after all, more and more people know that they should not use insecure passwords, correct? Not only that, but most systems will never allow a user to set a blank password. So, really, how effective could this scheme be?</p>
<p>Well, it was very effective: 420,000 times over!</p>
<p>Many people, including administrators, pay a lot of attention to securing physical machines but generally tend to neglect the devices connected to the network. These are a hidden threat that is too often ignored, and ease-of-use and user-friendly technology have been the driving force behind this.</p>
<p>When you purchase a new device, router, printer and so on, you expect to plug in that device and it works. That’s all it takes. Yet, we often fail to realize that each device can be a small computer system that allows remote access and logging. Nearly all come with default usernames/passwords that users should change once they are deployed. However, this simple step is often skipped because that device is doing what it needs to do out of the box and there is no reason to play around with it.</p>
<p>Just because these devices are working does not mean that they are also secure. Unsecured devices or those running with default usernames and passwords are a gold mine for those with malicious intent. These devices, once connected internally, are a channel to your network and if a hacker can gain access to the device, he or she has gained access to even more systems.</p>
<p>The attackers can run code that can sniff traffic entering and leaving the network; that means they have access to login credentials and any other secrets sent over in plain text. In more advanced attacks, configuration settings on routers, for example, could be changed to redirect traffic through a malicious gateway allowing for man-in-the-middle attacks.</p>
<p>Every new device that is connected to the network should be seen as a possible security threat, and administrators should treat changing its default configuration immediately as a must-do task. This advice is not exclusive to administrators. Every computer enthusiast should be aware of the dangers of connecting new devices to their network, even at home. Always read the documentation that comes with the device, because it will contain information about its configuration settings and how to change the defaults. Critical data is not only found in a business. Every household computer contains important files and data that would be useful to an attacker. Remember that.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/the-hidden-security-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using pirated software? Swashbuckling with risk!</title>
		<link>http://www.gfi.com/blog/using-pirated-software-swashbuckling-with-risk/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=using-pirated-software-swashbuckling-with-risk</link>
		<comments>http://www.gfi.com/blog/using-pirated-software-swashbuckling-with-risk/#comments</comments>
		<pubDate>Wed, 24 Apr 2013 15:44:49 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Manually modified software]]></category>
		<category><![CDATA[piracy]]></category>
		<category><![CDATA[Pirated Software]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security policy]]></category>
		<category><![CDATA[security risk]]></category>
		<category><![CDATA[Using Pirated Software]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10477</guid>
		<description><![CDATA[We are often warned about the security risks when using pirated software. While some believe the ‘piracy argument’ is pushed by vendors to scare people into buying software rather than pirating it, this statement is not incorrect. How do cracks &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/04/Pirated-Software.jpg"><img class="alignright size-medium wp-image-10478" style="border: 0px solid black; margin: 10px;" alt="Pirated Software" src="http://www.gfi.com/blog/wp-content/uploads/2013/04/Pirated-Software-227x300.jpg" width="227" height="300" /></a>We are often warned about the security risks when using pirated software. While some believe the ‘piracy argument’ is pushed by vendors to scare people into buying software rather than pirating it, this statement is not incorrect.<span id="more-10477"></span></p>
<h2>How do cracks work?</h2>
<p>When hackers crack software, they modify the program’s code. Depending on the copy protection mechanics, the modification required can be as simple as changing one byte to something as complex as rewriting chunks of code. Before any of this can be done, a hacker will have to reverse engineer the software and understand how the copy protection mechanism works. This requires skill – more skill than that required to modify the software in order to defeat said copy protection. Why is this important? Someone who is capable of cracking software is probably also able to modify it in any way they see fit. This is where security risks come into play.</p>
<h2>Crack distribution</h2>
<p>Pirated software can be obtained in a number of ways. People can download software that has already been cracked, or they can download a small program that will crack the original unmodified software for them. Both pose security risks. The pre-cracked software could easily have been modified not only to defeat the built-in copy protection but also to cause harm to any organization where it is installed. Modifications such as adding a backdoor could allow access to the company’s confidential data, which is then stolen or leaked to others. In a similar manner, a crack applied to an original software package rewrites part of the program’s code. These rewrites could change the software in more ways than required to defeat its copy protection mechanism and may insert other mechanisms that put systems at risk – just as pre-cracked software could.</p>
<h2>No technical expertise required</h2>
<p>You do not need a lot of technical expertise to modify software and add malicious components to it. A few years ago, an underground outfit called Rat Systems released a Trojan kit system for as little as $20. Anyone who bought this software could modify any program they wanted so that it provided a backdoor into their intended victims’ machines. These automated tools that make Trojans out of legitimate software with little to no effort are easily detected by antivirus software. Unfortunately, this isn’t the case for software that’s manually modified by hackers.</p>
<h2>Manually modified software</h2>
<p>Although using off the shelf tools to manipulate software will most likely make the malware easily detectable by antivirus tools, this is not the case for custom modifications. If someone modifies Microsoft Office, for example, to send a copy via email to a disposable email address each time a document is opened – an antivirus solution will not detect this as suspicious activity. The user won’t notice anything suspicious because from their point of view everything would be working as expected. This type of malware will probably run undetected for the software’s shelf life.</p>
<h2>Unreliable sources are a risk</h2>
<p>Cracked software is not the only headache for an administrator. Downloading legal software from unofficial sources is a risk as well. There is nothing to prevent a cybercriminal from copying a free software package, modifying it to spy on users and then offering it back for download. That’s why it is always a good idea to download software from the official vendor and never from a random link provided by a search engine.</p>
<h2>Staying safe</h2>
<p>A good security policy should clearly state the procedures users need to follow to obtain and install new software. It is important to highlight the reasons why illicit software is not allowed. It is equally important for users to be careful even when downloading software they are authorized to use. When a policy is explained to users, they are more likely to obey it and to take an informed decision the next time they need to download and install any software.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/using-pirated-software-swashbuckling-with-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Avoid Becoming the Villain</title>
		<link>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-to-avoid-becoming-the-villain</link>
		<comments>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain/#comments</comments>
		<pubDate>Fri, 19 Apr 2013 15:47:28 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[DDoS attack]]></category>
		<category><![CDATA[dns]]></category>
		<category><![CDATA[DNS server]]></category>
		<category><![CDATA[SMTP]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10453</guid>
		<description><![CDATA[Computing history has shown us that if you are running servers you are responsible for your own infrastructure and in some cases, also responsible towards those using the Internet. Malicious attacks illegally exploiting poorly configured servers were common practice until &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/04/Becoming-the-Villain.jpg"><img class="alignright size-medium wp-image-10454" style="border: 0px solid black; margin: 10px;" alt="Becoming the Villain" src="http://www.gfi.com/blog/wp-content/uploads/2013/04/Becoming-the-Villain-300x200.jpg" width="300" height="200" /></a>Computing history has shown us that if you are running servers you are responsible for your own infrastructure and in some cases, also responsible towards those using the Internet. Malicious attacks illegally exploiting poorly configured servers were common practice until a few years ago. Poorly secured FTP servers were often hijacked and copyrighted software was shared without the owner’s permission. Misconfigured SMTP servers allowed relays for everyone and were used to send out huge volumes of spam. Attackers even managed to find ways to use insecure scripts on web servers to send out spam.<span id="more-10453"></span></p>
<p>This brings us back to the title of this piece. If you run an insecure service there is a good chance cybercriminals will find your server in one of their numerous Internet scans.</p>
<p>As these attacks became more and more popular, awareness increased. As awareness increased, admins made sure their servers were as secure as possible. At some point the attackers no longer found it worthwhile to look for and use insecure systems – they had become too few in number. This made them move to the next best thing at the time.</p>
<p>Fast forward to the present: News agencies recently reported on the struggle between spammers and Spamhaus. In a nutshell, Spamhaus blacklisted The Cyberbunker – a data centre that houses any server so long as it is not involved in child pornography or terrorism. Obviously, it is very popular with spammers. Spamhaus is a system designed to report IP addresses involved in the distribution of spam. Many programs and servers will block any email from a server (unless white-listed) if its source IP address is blacklisted by services like Spamhaus. What happened is that a massive distributed denial of service (DDoS) attack was launched against Spamhaus which, in turn, took counter-steps. However, the result was an intensified DDoS attack that experts claimed could have put the backbone infrastructure at risk.</p>
<p>What made this huge DDoS attack possible?</p>
<p>This large-scale DDoS attack was caused by a DNS amplification attack which requires a source DNS record of any domain (the larger the DNS record the better). Sometimes DNS servers are compromised so that large records are introduced thus having a great impact and effect. Once a record is available, open DNS resolvers (DNS servers that allow queries by anyone) are told to retrieve that big record and will subsequently store it in their cache. At this point all the attacker needs to do is query these open DNS resolvers for all the records on the domain in question and spoof the request to appear it is coming from the intended victim. The DNS will then send all its records to the victim.</p>
<p>It is called a DNS amplification attack because although the query itself requires a small packet no larger than a few bytes, the packet sent to victims will be kilobytes in size. This means that, for example, a 100Mbit Internet connection, can launch a DDoS attack along the lines of about 20 Gbits – making it very efficient… in a bad way.</p>
<p>For this type of attack to occur, the DNS server has to answer queries from any client. For it to be effective (that is, for the attacker to choose the large record set), the server must also allow recursive queries from anyone: recursion lets a client ask for records the server is not authoritative for, so the server will go and fetch, and then cache, any record of any domain the querier wants. An authoritative-only server can still be abused, but only with the records of the zones it actually hosts.</p>
<p>This situation mirrors the story of open SMTP relays. A server designed to be helpful by serving anyone who asks is being misused for illegal purposes. Back then professionals recommended closing open relays; today they recommend closing open DNS resolvers to avoid similar large-scale DDoS attacks, and, because the attack only works if the attacker can forge the victim’s source address, that networks drop spoofed packets at their edge (the ingress filtering described in BCP 38). The Spamhaus attack pushed up to 300 Gbit/s of traffic through single points in the backbone, more than a 100 Gbit/s backbone link can carry, and the routers involved were severely overloaded. That degrades performance between different segments of the Internet for as long as the attack persists and the traffic is not filtered out.</p>
<h2>How bad is the situation right now and what can you do?</h2>
<p>The <a href="http://openresolverproject.org/">Open Resolver Project</a> currently lists over 25 million open DNS servers. If you are an administrator running an open DNS server on purpose, for a legitimate reason, there are things you can do to limit the risk that your server becomes part of the problem. If possible, disable recursion for clients outside your own networks (in BIND this is the allow-recursion option; most resolvers have an equivalent). If you must answer recursive queries for anyone, your only option is to limit the rate at which the server responds, for example with response rate limiting, which throttles repeated identical answers to the same apparent source. Finding the balance that avoids false positives can be tricky, but it is the only way to limit the abuse of a resolver that has to stay open. If no open DNS functionality is required at all, disable it immediately.</p>
<p>If you run an open DNS server, check its configuration and close it down unless you genuinely need it open. The last thing you want is to hear news reports of another massive DDoS attack against some unfortunate victim and realise that your DNS server was one of the many used in the attack.</p>
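<p>The following Python script is an added example, not code from the original post or from any product mentioned in it. It builds the kind of query an amplification attack relies on (recursion desired, type ANY, an EDNS0 OPT record advertising a 4096-byte buffer so the reply is not truncated at 512 bytes), parses the reply to see whether the server answered with recursion available, and computes the amplification factor, i.e. bytes received per byte sent. The 3 KB reply it analyses is constructed inline so the script runs offline; the hypothetical probe_resolver() function sends a real query and should only be pointed at resolvers you operate.</p>

```python
"""Open-resolver audit helper (added example, not from the original post).

The reply analysed in __main__ is CONSTRUCTED inline so this runs offline;
probe_resolver() sends a real packet and must only target resolvers you run.
"""
import socket
import struct

QTYPE_TXT, QTYPE_OPT, QTYPE_ANY = 16, 41, 255
QCLASS_IN = 1
RCODE_REFUSED = 5


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, recursion_desired=True, edns=True):
    """Raw DNS query: 12-byte header, one question, optional EDNS0 OPT record."""
    flags = 0x0100 if recursion_desired else 0          # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    packet = header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        # OPT RR: root name, type 41, class field = UDP payload size, no RDATA.
        # Without it the server truncates at 512 bytes; attackers always add it.
        packet += struct.pack("!BHHIH", 0, QTYPE_OPT, 4096, 0, 0)
    return packet


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:                        # 2-byte pointer
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Header fields plus (type, rdlength) for every record in the reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4           # skip QTYPE, QCLASS
    records = []
    for _ in range(an + ns + ar):
        offset = _skip_name(data, offset)
        rtype, _cls, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlength
        records.append((rtype, rdlength))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "recursion_available": bool(flags & 0x0080),  # RA bit
            "rcode": flags & 0x000F, "answers": an, "records": records}


def amplification_factor(query, response):
    """Bytes the victim receives for every byte the attacker sends."""
    return len(response) / len(query)


def classify(query, response):
    """Verdict for a probe of a name the server is NOT authoritative for."""
    r = parse_response(response)
    if not r["is_response"] or r["txid"] != struct.unpack("!H", query[:2])[0]:
        return "no valid reply"
    if r["rcode"] == RCODE_REFUSED:
        return "refused: recursion not offered to this client"
    if r["recursion_available"] and r["answers"] > 0:
        return "OPEN recursive resolver: answered with RA set"
    return "recursion not available"


def build_sample_response(query, txt_payload, rcode=0):
    """CONSTRUCTED reply for offline use (not captured from any real server):
    echoes the question and returns txt_payload as one TXT record with RA set,
    or an empty reply carrying the given error rcode."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    if rcode:
        return struct.pack("!HHHHHH", txid, 0x8100 | rcode, 1, 0, 0, 0) + question
    chunks = [txt_payload[i:i + 255] for i in range(0, len(txt_payload), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)   # TXT character-strings
    answer = (b"\xc0\x0c"                                   # pointer to the question name
              + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def probe_resolver(address, name="example.com", timeout=2.0):
    """Send one real ANY query over UDP. Only point this at resolvers you operate."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (address, 53))
        response, _ = sock.recvfrom(4096)
    return {"verdict": classify(query, response),
            "amplification": round(amplification_factor(query, response), 1)}


if __name__ == "__main__":
    q = build_query("example.com")
    big = build_sample_response(q, b"v=spf1 " + b"x" * 2993)    # ~3 KB, ANY/DNSSEC-sized
    print(f"{len(q)}-byte query -> {len(big)}-byte reply, "
          f"{amplification_factor(q, big):.1f}x; {classify(q, big)}")
    print(classify(q, build_sample_response(q, b"", rcode=RCODE_REFUSED)))
```

<p>Run it as-is to see the constructed case: a 40-byte query answered by a 3,053-byte reply, an amplification factor of about 76. To audit one of your own servers, call probe_resolver("your.resolver.ip") from a host outside your network, since a resolver that correctly restricts recursion to internal clients will still look open from inside. A verdict of "OPEN" for a name you are not authoritative for means the server is usable as an amplifier.</p>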
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spyware: The Next Generation</title>
		<link>http://www.gfi.com/blog/spyware-the-next-generation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=spyware-the-next-generation</link>
		<comments>http://www.gfi.com/blog/spyware-the-next-generation/#comments</comments>
		<pubDate>Fri, 02 Nov 2012 15:32:52 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[confidential information]]></category>
		<category><![CDATA[consoles]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[devices]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[mobile phones]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[tablets]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=9776</guid>
		<description><![CDATA[The world of IT continually creates new technologies and malicious software develops along with it. As we become more reliant on devices such as mobile phones, consoles and tablets, it is just a matter of time before hackers begin to &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/11/Spyware-The-Next-Generation.jpg"><img class="alignright size-medium wp-image-9777" title="Spyware The Next Generation" src="http://www.gfi.com/blog/wp-content/uploads/2012/11/Spyware-The-Next-Generation-300x199.jpg" alt="" width="300" height="199" /></a>The world of IT continually creates new technologies, and malicious software develops along with it. As we become more reliant on devices such as mobile phones, consoles and tablets, it is just a matter of time before hackers focus on these technologies and develop tools that let them snoop on and steal confidential information, including sensitive details you might share with someone every day.</p>
<h2>Mobile Phones:</h2>
<p>Spyware for mobile phones is actually quite common. So far these tools have been used for a few years by individuals, often in a relationship, to track the other person’s activity.</p>
<p>An enterprising hacker could take this a lot further. Your phone&#8217;s microphone could be used to record your telephone conversations. Does that sound far-fetched? It’s not: the FBI has already used software to do this, a practice a US judge approved in 2006.</p>
<p>Just think how valuable a conversation between two prominent individuals would be to an attacker. Even a basic conversation between a client and the bank could be enough for an attacker to obtain personal data that could be used for identity theft. Boardroom discussions can provide valuable insider information to competitors, or used for insider trading on the stock exchange. The opportunities for a focused and tech-savvy group of fraudsters are enormous. So is the risk to end users.</p>
<p>There are a few limitations at present that make these attacks a little less appealing to hackers. The malware would need to be widespread for a viable yield &#8211; and that would mean analyzing thousands of hours of audio every day to mine nuggets of valuable information. The volume of information transferred would also be huge.</p>
<p>These limitations could be mitigated by using good speech recognition technology. However, this technology, while being reasonably accurate, still cannot identify every single spoken word, even when a user is speaking clearly into a microphone. Accurately analyzing a conversation from a mobile phone sitting in one’s pocket, while possible, would be considerably more difficult because of all the noise distortion.</p>
<h2>Consoles:</h2>
<p>In recent years the popularity of consoles has exploded and you can find one in almost every home. Today, consoles are used for much more than just gaming; they are, for example, increasingly used as media centers. Technologies like Kinect also increase the amount of hardware attached to these devices. Gaining access to the peripherals attached to a console, such as microphones and webcams, is certainly possible. An attacker with time on his/her hands can take pictures or record conversations, especially if there is an opportunity to blackmail the console’s owner.</p>
<p>That said, this is unlikely to happen any time soon. Consoles are quite well protected, with built-in measures to prevent unsigned software from running on the system. However, as consoles evolve to incorporate new features such as email, vulnerabilities will appear that malware creators could exploit.</p>
<h2>Tablets:</h2>
<p>Tablets have similar exploitable points to mobile phones. They are becoming the ‘toy’ of choice in business and more and more employees are bringing their own devices to the office. A tablet connected to the network poses as much of a threat as a laptop or networked PC does: tablets are used in board meetings, for corporate email and online banking, and they have confidential work-related data stored on them.</p>
<p>Although to date they have not proven to be a prime target for spyware creators, it does not mean it won’t happen. With millions of tablets sold monthly, that is one big ‘market’ for hackers to tap into! There is more potential in tablets for hackers than other devices because they are used more frequently for online transactions than, say, phones or consoles. People also tend to install a lot more software on their tablets than they do on their phone or console at home. The more software you install, the greater the risk of some form of spyware finding its way onto your device.</p>
<h2>Talking prevention</h2>
<p>The same security and safety tips we have been talking about for over a decade still apply. Don’t install software from sources you don’t trust, and avoid falling for social engineering attacks that attempt to gain information or install spyware on your device. When it comes to mobile phones and tablets, however, there is another important precaution: never leave them unattended. It is very easy for someone to install a spyware package once they have physical access to your device, so don&#8217;t let it out of your sight; and if you protect your mobile device with a password, always be aware of your surroundings so that you don’t fall victim to shoulder surfing.</p>
<p>Be prudent; a bit of healthy paranoia always helps. The more mobile phones, tablets and consoles become part of our lives and our daily activities, the greater the chance that hackers will develop ways to gain access to them. Protect them as you would protect your PC.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/spyware-the-next-generation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Unsolicited Phone Call Scams &#8211; Part Two</title>
		<link>http://www.gfi.com/blog/unsolicited-phone-call-scams-part-two/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=unsolicited-phone-call-scams-part-two</link>
		<comments>http://www.gfi.com/blog/unsolicited-phone-call-scams-part-two/#comments</comments>
		<pubDate>Tue, 23 Oct 2012 14:01:28 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Phone Call Scams]]></category>
		<category><![CDATA[Phone Scam]]></category>
		<category><![CDATA[scam]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=9706</guid>
		<description><![CDATA[In Part One, I talk about a phone call scam I received and how I had been passed by the “caller” to a &#8220;supervisor&#8221;, and then to a &#8220;technician&#8221;, and how the story just got better and more believable along &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/10/Phone-Call-Scams1.jpg"><img class="alignright size-medium wp-image-9707" title="Phone-Call-Scams" src="http://www.gfi.com/blog/wp-content/uploads/2012/10/Phone-Call-Scams1-300x200.jpg" alt="" width="300" height="200" /></a>In <a href="http://www.gfi.com/blog/unsolicited-phone-call-scams-part-one/">Part One</a>, I talk about a phone call scam I received and how I had been passed by the “caller” to a &#8220;supervisor&#8221;, and then to a &#8220;technician&#8221;, and how the story just got better and more believable along the way. When it was the technician’s turn, he told me that I had over 10,000 errors on my PC, my quick retort being that I knew perfectly well it was a scam. With that I closed the chat session.</p>
<p>That was not the end of it. These ‘persistent’ scammers had more <em>dramatis personae</em> to bring into their elaborate production.</p>
<p><strong>Enter the general manager…</strong></p>
<p>Five minutes later I received another call. This time it was the &#8220;general manager&#8221;. He endeavored to explain to me that the call I had received was no scam at all, but rather a completely legitimate service.</p>
<p>I then informed the caller that as a security researcher I was perfectly capable of distinguishing a scam from the real deal. He continued to insist that the service was legitimate, at which point I explained to him exactly what they were doing and what the ‘error’ files were actually used for.</p>
<p><strong>Did he say what I think he said?</strong></p>
<p>At this point the general manager changed tack. He stopped trying to convince me of the legitimacy of his operation, but he had the audacity to ask me how much I would pay him to stop scamming me. Seriously, he really tried that! His logic was that, since I worked in IT security, it was my job to stop people like him. Thus, the question ‘how much was I willing to pay him to put an end to his schemes’.</p>
<p>When he realized I would never agree with him he hung up.</p>
<p><strong>What can we learn from these scams?</strong></p>
<p>What’s interesting about this story is that at no point did the scammers attempt to install any malware on my computer. The software they asked me to download was a remote desktop client – no malicious activity there.</p>
<p>Everything they did was with my consent. In fact, I suspect these scammers were attempting to sell services that people do not really need. Yet, since I gave my consent at each stage, I wonder whether they were actually on the right side of the law, albeit, I would add, in a shadowy grey part of it. Then again, as they mislead people by telling them they have (non-existent) errors on their computer, I would imagine that this is classified as fraud.</p>
<p>Another interesting aspect to this tale is their high level of social engineering skills and power they can wield over most people. Different people are involved at each stage and they show you clearly what is wrong (they claim) with your computer. It doesn’t surprise me that many people easily fall for these scams. That they have asked for the head of the household by name (from the telephone directory) makes the call even more credible.</p>
<p>They are also very clever and shrewd. They do not install any malicious software – that would ring alarm bells if antivirus software is installed, and it is what most people would expect. If they haven’t installed anything, then they must be genuine. And there you have victims with a huge false sense of security. You may have doubts during the call, particularly when asked to download software, but if your anti-virus software gives you the all-clear for that downloaded file, it’s more likely that you will believe the caller.</p>
<p><strong>Education is the best defense</strong></p>
<p>So what are the options? Education is the best defense. In an office environment, it is important that these attempts are not ignored and that the security team is informed. What do you do if you receive a call at work? If this were to happen to me, I plan to tell the caller I am at work and will forward the call to the IT department. It would be interesting to see whether the scammers would try their social engineering skills on me to gain access to our systems and, if they did, whether they would use the same routine or something more subtle and dangerous. Corporate machines could be a more lucrative option for the scammers.</p>
<p>These scams are a serious threat to both individual users and business; and they definitely should be investigated thoroughly. A successful attack could, at the very least, leave you with a compromised credit card, or worse.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/unsolicited-phone-call-scams-part-two/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Unsolicited Phone Call Scams &#8211; Part One</title>
		<link>http://www.gfi.com/blog/unsolicited-phone-call-scams-part-one/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=unsolicited-phone-call-scams-part-one</link>
		<comments>http://www.gfi.com/blog/unsolicited-phone-call-scams-part-one/#comments</comments>
		<pubDate>Mon, 15 Oct 2012 14:00:17 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[phone call scam]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=9680</guid>
		<description><![CDATA[Phone call scams are becoming an epidemic. The phone rings and, upon answering, the caller promptly identifies himself/herself and often claims to work with a prominent organization, such as Microsoft – all of which is bogus. However, some of the &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/10/Phone-Call-Scams.jpg"><img class="alignright size-medium wp-image-9681" style="border: 0px solid black; margin: 10px;" title="Phone Call Scams" src="http://www.gfi.com/blog/wp-content/uploads/2012/10/Phone-Call-Scams-300x200.jpg" alt="" width="300" height="200" /></a>Phone call scams are becoming an epidemic. The phone rings and, upon answering, the caller promptly identifies himself/herself and often claims to work with a prominent organization, such as Microsoft – all of which is bogus. However, some of the craftier callers claim to be from the nearest major computer retailer in your area. The one thing that they have in common is that they say they will help you solve issues they have identified on your computer.<span id="more-9680"></span></p>
<h2><strong>This happened to me – here’s how I went about it&#8230; </strong></h2>
<p>I have personally received two such calls so far. The first caller asked me to download and run software. At that point I didn’t have a secure virtual environment where I could do that without problems, so I pretended to have an unstable Internet connection, refused to give the caller remote access through a demo remote session website provided by a major remote desktop vendor, and the story ended there.</p>
<p>I then set up a secure virtual environment and, sure enough, last week I received another call.</p>
<p>This time the caller knew more about social engineering. They claimed to be calling from the National Computer Centre and asked if my computer was switched on. I said no, as I needed time to boot my virtual machine. When I told him all was ready he asked me to load up an event viewer and report any warnings or errors that it reported (which is something that every computer shows).</p>
<p>When I duly reported my errors I was informed I was going to be transferred to a supervisor. A new speaker came on the line and went into great detail about the errors, advising that they are due to corrupted files.</p>
<h3><strong>The supervisor takes over</strong></h3>
<p>The “supervisor” then explained that these are different from viruses and that anti-virus solutions cannot do anything about them. He then asked if I had noticed my computer slowing down lately. Again, it&#8217;s something every computer user would answer &#8220;yes&#8221; to. At this point I asked if this service incurred a charge. I was told that if the issues were minor they’d be happy to fix it for free, and that there would only be a charge if I had major problems.</p>
<p>I was then asked to download a piece of software, which I did with no intention of running it, figuring it would make great analysis material later on. I lied and said that the download wasn&#8217;t working, so I was directed to a new website which also included a remote desktop client. Ironically, when establishing the connection a large warning cautions you not to follow any instructions given through unsolicited calls. I explained this to the supervisor who said, with complete confidence, &#8220;Ignore it as that message is not for you”.</p>
<h3><strong>Enter the technician…</strong></h3>
<p>I established the connection and was then informed I was being transferred to a technician. This made the whole thing sound more legitimate and that was indeed a good piece of theater. This whole process builds credibility with the unsuspecting victim.</p>
<p>The technician asked my name and telephone number in the chat window of the remote desktop. I gave him fake information even though they knew it all already. Then the &#8220;technician&#8221; launched Windows® Explorer, opened the Windows driver folder (containing the .INF files) and circled the number of files there. He repeated this with the temporary folder and the system folder. He then issued a report where the .INF files were reported as corrupted files, the temporary files were marked as infections, and the files in the system folder were marked as damaged. This gave the total number of issues reported to be over 10,000.</p>
<p>I was then told I was going to be transferred to a better line, but instead the caller hung up (no doubt to save on the phone bill). However, the technician then said we could continue talking through the chat box.</p>
<p>At this point over an hour and 15 minutes had elapsed and I knew they had not intended to take control of my computer but simply to have me pay for repairs I didn’t need. So I told the person I was speaking to that I knew he was scamming and closed the session.</p>
<p>But it didn&#8217;t end there! Stay tuned for the rest of the experience in Part Two.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/unsolicited-phone-call-scams-part-one/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Server 2012 – An Overview</title>
		<link>http://www.gfi.com/blog/windows-server-2012-an-overview/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=windows-server-2012-an-overview</link>
		<comments>http://www.gfi.com/blog/windows-server-2012-an-overview/#comments</comments>
		<pubDate>Fri, 14 Sep 2012 14:53:59 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=9388</guid>
		<description><![CDATA[Windows Server 2012, the latest addition to the Microsoft Server operating system line up, was launched recently and with all the hype I just had to give it a spin.  In most cases, changes to server operating systems are hidden &#8230;]]></description>
				<content:encoded><![CDATA[<p>Windows Server 2012, the latest addition to the Microsoft Server operating system line up, was launched recently and with all the hype I just had to give it a spin.  In most cases, changes to server operating systems are hidden under the hood, yet this time round Microsoft has changed its interface to the new Metro GUI, and made various updates to modernize the OS.</p>
<h2>Test driving Windows Server 2012</h2>
<p>The first thing an admin will notice is without a doubt the smooth and impressively fast installation. I didn’t time it but I would say this was probably the fastest installation of any operating system I have used.</p>
<p>The biggest change, and a somewhat controversial one, is Microsoft’s decision to go with the Metro GUI. The new interface is a radical change from what we’re used to and it will definitely take time to get used to, particularly for those who aren’t fluent in the different aspects that make up a Windows Server operating system. That said, the core concepts of how to configure your services, such as Active Directory and DNS Server, remain largely the same; it’s just how you access the configuration that has changed.</p>
<div id="attachment_9389" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/09/dns-config.jpg"><img class="size-medium wp-image-9389 " title="DNS Config" src="http://www.gfi.com/blog/wp-content/uploads/2012/09/dns-config-300x227.jpg" alt="" width="300" height="227" /></a><p class="wp-caption-text">DNS Config</p></div>
<p>One of the most obvious changes to the interface is that instead of the ‘Start’ button you have the improved Server Manager, which lets you add roles and manage, from a centralized location, the various services each role provides.</p>
<div id="attachment_9390" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/09/server-manager.jpg"><img class=" wp-image-9390 " title="The Server Manager" src="http://www.gfi.com/blog/wp-content/uploads/2012/09/server-manager-300x216.jpg" alt="" width="300" height="216" /></a><p class="wp-caption-text">The Server Manager</p></div>
<p>There is still a ‘Start’ menu and this can be accessed via the Windows Key. A list of the main Windows features appears in the new Metro interface:</p>
<div id="attachment_9391" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/09/new-start-menu.jpg"><img class="size-medium wp-image-9391 " title="The new Start menu" src="http://www.gfi.com/blog/wp-content/uploads/2012/09/new-start-menu-300x227.jpg" alt="" width="300" height="227" /></a><p class="wp-caption-text">The new Start Menu</p></div>
<p>Right clicking anywhere on the screen will bring up a tool bar that gives you access to the list of installed applications.</p>
<p>I don’t see the GUI changes as being of much value to the administrator, but the same cannot be said for the elevation of PowerShell over the command prompt. Not only does PowerShell become the default shell of Windows Server 2012, but Microsoft has augmented it with a ten-fold increase in cmdlets, providing 2,430 cmdlets out of the box compared to 200+ in Windows Server 2008/R2. This gives administrators tremendous power to automate a huge range of tasks. Microsoft is talking big on automation in the new version, and with good reason.</p>
<div id="attachment_9392" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/09/get-process-cmdlet.jpg"><img class="size-medium wp-image-9392" title="Get Process Cmdlet" src="http://www.gfi.com/blog/wp-content/uploads/2012/09/get-process-cmdlet-300x232.jpg" alt="" width="300" height="232" /></a><p class="wp-caption-text">On the left, we can see the output of the Get-Process cmdlet and then in one easy line it can effortlessly be converted into a handy XML file.</p></div>
<p>The new Dynamic Access Control feature allows administrators to create access policies that provide access control and information governance through a central console. These are very useful for segregating and protecting data based on factors such as the user’s department or the file’s security level. Through a system of file and folder classification, data can remain protected even if files are accidentally copied to a public area. This feature helps an administrator protect the organization’s confidential data with minimal administrative effort.</p>
<p>Remote Desktop Services (RDS) has also been upgraded to improve performance and device support, allowing multi-touch between host and client and implementing DirectX support even on a virtual device. The protocol itself has changed too: it now supports UDP transport and falls back to TCP automatically when UDP communication between host and client is not possible, and it selects different codecs depending on the content being transferred, which further improves efficiency.</p>
<p>Finally, Windows Server 2012 has been designed from the ground up with the Cloud concept in mind. Various features, especially the Hyper-V specification, are designed to be able to provide optimum cloud services. Everything I talked about so far has been built on the premise that it has to apply to a cloud computing environment. The automation, the remote management and the virtualization can be used to an administrator’s advantage when setting up environments in the cloud.</p>
<p>This latest Windows release certainly has a lot to offer organizations, especially those thinking of setting up their own cloud computing environment. Even if that is not your organization’s short-term goal, the automation made possible by the new, more robust PowerShell is a huge plus.</p>
<p>The only drawback is that it may take some time to get used to the new interface and re-learn the different ways to do things; something that an administrator knew inside out when working with earlier versions. In the long run, though, the automation alone will probably make it worth your while and save you a lot of time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/windows-server-2012-an-overview/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Keeping Up with the Times</title>
		<link>http://www.gfi.com/blog/keeping-up-with-the-times/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=keeping-up-with-the-times</link>
		<comments>http://www.gfi.com/blog/keeping-up-with-the-times/#comments</comments>
		<pubDate>Thu, 16 Aug 2012 12:58:50 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Bruce Schneier]]></category>
		<category><![CDATA[CloudCracker]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Wired.com]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=9215</guid>
		<description><![CDATA[I came across two stories recently that made me wonder what the outcome would be if they were seen in parallel. The first, reported by Wired.com, showed how, despite being repeatedly told about the importance of security, people seem to &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/08/secure.jpg"><img class="alignright  wp-image-9216" style="margin: 10px; border: 0px solid black;" title="secure" src="http://www.gfi.com/blog/wp-content/uploads/2012/08/secure.jpg" alt="" width="324" height="216" /></a>I came across two stories recently that made me wonder what the outcome would be if they were seen in parallel.</p>
<p>The first, <a href="http://www.wired.com/business/2012/08/hackers-walk-all-over-you">reported by Wired.com</a>, showed how, despite being repeatedly told about the importance of security, people seem to block these warnings out and consciously, out of convenience, choose insecure practices.<span id="more-9215"></span></p>
<p>The second, <a href="https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/">reported on the CloudCracker blog</a>, deals with a fundamental weakness in the MS-CHAPv2 protocol. In a nutshell, the report shows how a 2<sup>138</sup> challenge can be reduced to a 2<sup>57</sup> one, which means that a brute-force attack using specialized hardware can recover the NT hash from any captured MS-CHAPv2 handshake in less than 23 hours.</p>
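<p>Why the reduction works (a worked derivation added here, not part of the original post; it follows the structure of the attack in the CloudCracker write-up linked above): MS-CHAPv2 pads the 16-byte NT hash of the password with five zero bytes and splits the 21-byte result into three 7-byte DES keys K<sub>1</sub>, K<sub>2</sub> and K<sub>3</sub>, each of which encrypts the same 8-byte challenge hash. K<sub>3</sub> therefore contains only two unknown bytes, i.e. 2<sup>16</sup> candidates, and because K<sub>1</sub> and K<sub>2</sub> encrypt the same plaintext, a single pass over the 56-bit DES key space, comparing each candidate’s output against both ciphertexts, recovers both keys. The total work is</p>
<p>2<sup>56</sup> + 2<sup>56</sup> + 2<sup>16</sup> ≈ 2<sup>57</sup></p>
<p>rather than the product of the three key spaces, and 2<sup>57</sup> DES operations is within reach of dedicated DES-cracking hardware in under a day.</p>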
<p>If you take people’s attitude towards security in the first story as a baseline, I wonder how many people who could be affected by this discovery will simply ignore it and its implications because migrating to a new solution is too much of an inconvenience. I am confident this will happen; after all, MS-CHAPv2 has been criticised in the past, by industry figures such as <a href="http://www.schneier.com/paper-pptpv2.html">Bruce Schneier</a>.</p>
<p>This is not the first time an established standard has been broken to the point that using it became a serious security risk. Many people, for example, still use WEP to protect their wireless network, and WEP can be cracked in a matter of minutes. Anyone can sit in a car outside, crack the key and join that network. They can then sniff traffic on it, which may include sensitive data such as credentials, and if the victim reuses the same login and password across accounts, the attacker can get onto the victim’s machine and do as s/he pleases: install key loggers, malware and dozens of other nasty things.</p>
<p>Why does this happen? As the Wired.com feature explains, we become complacent because, until something happens, everything seems fine. Unfortunately, when one day something does happen it will be too late to act.</p>
<p>It might take a lot of work to migrate legacy systems to modern technologies, but that is far more desirable than having to deal with the repercussions of a security breach or widespread infection. If you ever hear that a security system you use has been compromised, take notice and proactively find an alternative as soon as you can. Do not try to convince yourself that it is worth waiting a little to see how things pan out. Cliché or not, ‘prevention is better than cure’ – if a cure is ever possible!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/keeping-up-with-the-times/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
