Archive for the ‘Security’ Category

Allister’s Talks From Penn State MacAdmins

Wednesday, June 5th, 2013

Quick Update to a Radiotope Guide for Built-In Mac OS X VPN Connections

Tuesday, March 26th, 2013

Just a note for those folks with well-worn bookmarks to this post on Ed Marczak’s blog,, for authenticating VPN connections with Mac OS X Server’s Open Directory, which is still valid today. When trying to use the System Preferences VPN client/network adapter with the built-in L2TP server in Sonicwall, though, I was curious why OD auth wasn’t working for me, but users that were local to the Sonicwall were. Having been a while since the last time I’d set it up, I went on a search engine spelunking and found a link that did the trick.

In particular, a comment by Ted Dively brought to my attention the fact you need to change the order(in the VPN sidebar item, L2TP Server, when the Configure button pop-up is clicked, it’s under the PPP tab) that the L2TP service is configured to use for authentication type, PAP instead of the more standard MSCHAPv2.

Where it's done

We hope that is of help to current and future generations.

Regarding FileVault 2, Part One, In Da Club

Monday, January 28th, 2013


IT needs to have a way to access FileVault 2(just called FV2 from here on) encrypted volumes in the case of a forgotten password or just getting control over a machine we’re asked to support. Usually an institution will employ a key escrow system to manage FDE(Full Disk Encryption) when working at scale. One technique, employed by Google’s previously mentioned Cauliflower Vest, is based on the ‘personal’ recovery key(a format I’ll refer to as the ‘license plate’, since it looks like this: RZ89-A79X-PZ6M-LTW5-EEHL-45BY.) The other involves putting a certificate in place, and is documented in Apple’s white paper on the topic. That paper only goes into the technical details later in the appendix, and I thought I’d review some of the salient points briefly.

There are three layers to the FV2 cake, divided by the keys interacted with when unlocking the drive:
Derived Encryption Keys(plural), the Key Encrypting Key(from the department of redundancy department) and the Volume Encrypting Key. Let’s use a (well-worn) abstraction so your eyes don’t glaze over. There’s the guest list and party promoter(DEKs), the bouncer(KEK), and the key to the FV2 VIP lounge(VEK). User accounts on the system can get on the (DEK) guest list for eventual entry to the VIP, and the promoter may remove those folks with skinny jeans, ironic nerd glasses without lenses, or Ugg boots with those silly salt-stained, crumpled-looking heels from the guest list, since they have that authority.

The club owner has his name on the lease(the ‘license plate’ key or cert-based recovery), and the bouncer’s paycheck. Until drama pop off, and the cops raid the joint, and they call the ambulance and they burn the club down… and there’s a new lease and ownership and staff, the bouncer knows which side of his bread is buttered.

The bouncer is a simple lad. He gets the message when folks are removed from the guest list, but if you tell him there’s a new owner(cert or license plate), he’s still going to allow the old owner to sneak anybody into the VIP for bottle service like it’s your birthday, shorty. Sorry about the strained analogy, but I hope you get the spirit of the issue at hand.

The moral of the story is, there’s an expiration method(re-wrapping the KEK based on added/modified/removed DEKs) for the(in this case, user…) passphrase-based unlock. ONLY. The FilevaultMaster.keychain cert has a password you can change, but if access has been granted to a previous version with a known password, that combination will continue to work until the drive is decrypted and re-encrypted. And the license plate version can’t be regenerated or invalidated after initial encryption.

So the two institutional-scale methods previously mentioned still get through the bouncer unlock the drive until you tear the roof of the mofo tear the club up de- and re-encrypt the volume.

But here’s an interesting point, there’s another type of DEK/passphrase-based unlock that can be expired/rotated besides per-user: a disk-based passphrase. I’ll get to describing that in Part Deux…

(Sysadmin) Software Design Decisions

Wednesday, October 3rd, 2012

When approaching a task with an inkling to automate, sometimes you find an open source project that fits the bill. But the creator will work within constraints, and often express their opinion of what’s important to ‘solve’ as a problem and therefore prioritize on: a deployment tool is not necessarily a patch management tool is not necessarily a configuration management tool, and so on. One of the things I’ve dealt with is trying to gauge the intent of a developer and deciding if they are interested in further discussion/support/development of a given project. Knowing why one decision was made or another can be helpful in these situations. In that category of things I wish someone could have written so I could read it, here’s the design decisions behind the sonOfBackupRestoreScripts project I’ve been toying with as an add-on to DeployStudio(heretofore DS), which you can hopefully understand why I am not releasing as an official, supportable tool in it’s current bash form after reading the following.
I’ve adapted some of the things Google used in their outline for Simian as a model, to give this some structure.

Project Objective:

To move user home folders and local authentication/cached credentials between workstations in a customizable and optimized manner, preserving the integrity of the data/user records as much as possible


For speed and data integrity, rsync is used to move selections of the users home folder(minus caches, trash, and common exclusions made by Time Machine). To increase portability and preserve mac-specific attributes, a disk image is generated to enclose the data. The user account information is copied separately and helpful information is displayed at the critical points as it moves from one stage to another and during the backup itself.

Requirements: DeployStudio Server / NetBoot

DS, as a service, enables an infrastructure to run the script in, and automounts a repository to interact with over the network. Meant to work optimally with or without a NetBoot environment, an architecture assumption being made during development/testing is wired ethernet, with the use of USB/Thunderbolt adapters if clients are MacBook Airs. Even old minis can function fine as the server, assuming the repo is located on a volume with enough space available to accept the uncompressed backups.

Implementation Details: Major Components / Underlying Programs

- source/destination variables

Parameters can be passed to the script to change the source/destination of backups/restores with the -s(for source) and -d(…) switches and then a path that is reachable by the NetBooted system.

- hdiutil

A simple sparsediskimage is created which can expand up to 100GBs with the built-in binary hdiutil. The file system format of that container is JHFS+, and a bunch of other best practices, cobbled together from Bombich’s Carbon Copy Cloner(heretofore CCC) and InstaDMG, are employed.

- cp

The cp binary is used to just copy the user records from the directory service the data resides on to the root of the sparseimage, and the admin group’s record is copied into a ‘group’ folder. If hashes exist in /var/db/shadow/hash, which is how passwords were stored previous to 10.7, those are moved to a ‘hashes’ folder.

- rsync

A custom, even more current build of rsync could be generated if the instructions listed here are followed. Ideally, a battle-tested version like the one bundled with CCC’s (/Applications/Carbon\ Copy\, which is actually a heavily customized rsync version 3.0.6) could be used, but it’s output isn’t easy to adapt and see an overview of the progress during a CLI transfer. Regardless, the recommended switches are employed in hopes to get a passing grade on the backupBouncer test. The 3.0.7 version bundled with DS itself (/Applications/Utilities/DeployStudio\, which for whatever reason is excluded when the assistant creates NetBoot sets) was used during development/testing.


The Users folder on the workstation that’s being backed up is what’s targeted directly, so any users that have been deleted or subfolders can be removed with the exclusions file fed to the rsync command, and without catch-all, asterisk(*) ‘file globbing’, you’d need to be specific about certain types of files you want to exclude if they’re in certain directories. For example, to not backup any mp3 files, no matter where they are in the user folders being backed up, you’d add - *.mp3 Additional catch-all excludes could be used, as detailed in the script, which specifically excludes ipsw’s(iOS firmware/OS installers) like this: --exclude='*.ipsw'


Pretty much everything done via both rsync and cp are done in reverse, utilizing the source/destination options, so a backup taken from one machine can easily be chosen to restore to another.

Security Considerations:

Very little security is applied during storage. Files are transferred over password-protected AFP, so a separate server and repo could be used to minimize potential access by whoever can access the main DS service. Nothing encrypts the files inside the sparseimages, and if present, the older password format is a hash that could potentially be cracked over a great length of time. The home folder ACL’s and ownership/perms are preserved, so in that respect it’s secure according to whoever has access to the local file systems on the server and client.

Excluded/Missing Features:
(Don’t You Wish Every Project Said That?)

Hopefully this won’t sound like a soul-bearing confession, but here goes:
No checks are in place if there isn’t enough space on destinations, nor if a folder to backup is larger than the currently hard-coded 100GB sparseimage cap (after exclusions.) Minimal redirection of logs is performed, so the main DS log can quickly hit a 2MB cap and stop updating the DS NetBoot log window/GUI if there’s a boatload of progress echo’d to stdout. The process to restore a users admin group membership(or any other group on the original source) is not performed, although the group’s admin.plist can be queried after the fact. Nor is there even reporting on Deleted Users orphaned home folders if they do actually need to be preserved, by default they’re just part of the things rsync excludes. All restrictions are performed in the Excludes.txt file fed to rsync, so it cannot be passed as a parameter to the script.
And the biggest possible unpleasantness is also the #1 reason I’m not considering continuing development in bash: UID collisions. If you restore a 501 user to an image with a pre-existing 501 user that was the only admin… bad things will happen. (We’ve changed our default admin user’s UID as a result.) If you get lucky, you can change one user’s UID or the other and chown to fix things as admin before all heck breaks lose… If this isn’t a clean image, there’s no checking for duplicate users with newer data, there’s no filevault1 or 2 handling, no prioritization so if it can only fit a few home folders it’ll do so and warn about the one(s) that wouldn’t fit, no version checking on the binaries in case different NetBoot sets are used, no fixing of ByHostPrefs(although DS’s finalize script should handle that), no checks with die function are performed if the restore destination doesn’t have enough space, since common case is restoring to same HD or a newer, presumably larger computer. Phew!


The moral of the story is that the data structures available in most of the other scripting languages are more suited for these checks and to perform evasive action, as necessary. Bash does really ungainly approximations of tuples/dictionaries/hash tables, and forced the previous version of this project to perform all necessary checks and actions during a single loop per-user to keep things functional without growing exponentially longer and more complex.

Let’s look forward to the distant future when this makes it’s way into Python for the next installment in this project. Of course I’ve already got the name of the successor to SonOfBackupRestoreScripts: BrideOfBackupRestoreScripts!

Digital Forensics – Best Practices

Thursday, September 6th, 2012

Best Practices for Seizing Electronic Evidence

A joint project of the International Association of Chiefs of Police
The United States Secret Service

Recognizing Potential Evidence:

Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized peronal data assistant, to the smallest electronic chip storage device. Images, audio, text, and other data on these media can be easily altered or destroyed. It is imperative that investigators recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices, and guidelines.

Answers to the following questions will better determine the role of the computer in the crime:

  1. Is the computer contraband or fruits of a crime?
    For example, was the computer software or hardware stolen?
  2. Is the computer system a tool of the offense?
    For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, or printer?
  3. Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?
    For example, is a drug dealer maintaining his trafficking records in his computer?
  4. Is the computer system both instrumental to the offense and a storage device for the evidence?
    For example, did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?

Once the computer’s role is known and understood, the following essential questions should be answered:

  1. Is there probable cause to seize the hardware?
  2. Is there probable cause to seize the software?
  3. Is there probable cause to seize the data?
  4. Where will this search be conducted?
    For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
    If Law Enforcement officers remove the computer system from the premises, to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
    Considering the incredible storage capacities of computers, how will experts search this data in an efficient and timely manner?

Preparing For The Search and/or Seizure

Using evidence obtained from a computer in a legal proceeding requires:

  1. Probable cause for issuance of a warrant or an exception to the warrant requirement.
    CAUTION: If you encounter potential evidence that may be outside of the scope of your existing warrant or legal authority, contact your agency’s legal advisor or the prosecutor as an additional warrant may be necessary.
  2. Use of appropriate collection techniques so as not to alter or destroy evidence.
  3. Forensic examination of the system completed by trained personnel in a speedy fashion, with expert testimony available at trial.

Conducting The  Search and/or Seizure

Once the computers role is understood and all legal requirements are fulfilled:

1. Secure The Scene

  • Officer Safety is Paramount.
  • Preserve Area for Potential Fingerprints.
  • Immediately Restrict Access to Computers/Systems; Isolate from Phone, Network, as well as Internet, because data can be accessed remotely on the system in question.

2. Secure The Computer As Evidence

  • If the computer is powered “OFF”, DO NOT TURN IT ON, under any circumstances!
  • If the computer is still powered “ON”…

Stand-alone computer (non-networked):

  1. Photograph screen, then disconnect all power sources; Unplug from back of computer first, and then proceed to unplug from outlet. System may be connected to a UPS which would prevent it from shutting off.
  2. Place evidence tape over each drive slot.
  3. Photograph/Diagram and label back of computer components with existing connections.
  4. Label all connectors/cable ends to allow for reassembly, as needed.
  5. If transport is required, package components and transport/store components always as fragile cargo.
  6. Keep away from magnets, radio transmitters, and otherwise hostile environments.

Networked or Business Computers: Consult a Computer Specialist for Further Assistance!

  1. Pulling the plug on a networked computer could severely damage system.
  2. Disrupt legitimate business.
  3. Create liability for investigators or law enforcement personnel.



Setting Up Time Machine Server in Lion Server

Sunday, May 20th, 2012

Video On Setting Up File Sharing In Lion Server

Friday, May 11th, 2012

Installing and Configuring Active Directory Certificate Services

Wednesday, March 21st, 2012

This guide assumes that you have a Windows Server 2008 R2 installation on a physical or virtual machine, and that the system is a domain controller of an Active Directory domain:

  1. Open Server Manager. 
  2. Click on Roles on in the tree on the left, then click Add Roles
  3. Choose next to start the wizard. 
  4. Then enable the checkbox for Active Directory Certificate Services
  5.  Choose  next to start the AD CS role configuration
  6. Click on “Add Required Role Services”  to install the IIS and the related tools needed.
  7. Enable the check box for “Certification Authority Web Enrollment and click next.
  8. Choose “Enterprise” and click next.
  9. Choose “Root CA”and click next
  10. Choose “Create a new private key”
  11. Leave the default values for Configure Cryptography for CA and click next.
  12. Ensure that you have the proper values for Configure CA Name for your environment and click next. The default values will usually be right.
  13. Click next to set the default validity period  of 5 years
  14. Configure the locations of the database and logs if needed for your environment and click next
  15. You will now be prompted to configure IIS. 
  16. Make changes if needed, but be sure to leave Windows Authentication as it is required for Web Enrollment.
  17. After the  role configuration is complete, run IIS Manager from Administrative Tools.
  18. From the tree on the left, navigate to the default website. 
  19. Right click Default website, and choose bindings.
  20. Click the Add… button.
  21. Change the type to https, and choose the SSL certificate that matches the server’s FQDN, and click OK.

Microsoft’s System Center Configuration Manager 2012

Sunday, March 18th, 2012

Microsoft has released the Beta 2 version of System Center Configuration Manager (SCCM) aka System Center 2012. SCCM is a powerful tool that Microsoft has been developing for over a decade. It started as an automation tool and has grown into a full-blown management tool that allows you to manage, update, and distribute software, license, policies and a plethora of other amazing features to users, workstation, servers, and devices including mobile devices and tablets. The new version has been simplified infrastructure-wise, without losing functionality compared to previous versions.

SCCM provides end-users with a easy to use web portal that will allow them to choose what software they want easily, providing an instant response to install the application in a timely manner. For Mobile devices the management console has an exchange connector and will support any device that can use Exchange Active Sync protocol. It will allow you to push policies and settings to your devices (i.e. encryption configurations, security settings, etc…). Windows phone 7 features are also manageable through SCCM.

The Exchange component sits natively with the configuration manager and does not have to interface with Exchange directly to be utilized. You can also define minimal rights for people to just install and/or configure what they need and nothing more. The bandwidth usage can be throttled to govern its impact on the local network.

SCCM will also interface with Unix and Linux devices, allowing multiple platform and device management. At this point, many 3rd party tools such as the Casper Suite and Absolute Manage also plug into SCCM nicely. Overall this is a robust tool for the multi platform networks that have so commonly developed in today’s business needs everywhere.

Microsoft allows you to try the software at For more information, contact your 318 Professional Services Manager or if you do not yet have one.

Windows Firewall via GPO

Monday, March 12th, 2012

Setting up the Windows Firewall to run on Windows client systems can be tedious when done en masse. But using a Group Policy (GPO) to centrally manage systems can be a fairly straight forward process. First, decide which firewall rules you want to implement. Then, manually configure them and test them  out on a workstation to verify it works the way you want it to. This process has been documented at

Once you know the exact settings you’d like to deploy, create an Organizational Unit and put computer accounts (or other OUs/security groups) to be governed by this policy in the new OU. Once you have all of your objects where you’d like them, it’s time to create a GPO of the settings (which should be applied to one machine and tested before going wide across a large contingent of systems). To do so, go to the policy server and Features from within Server Manager to expand Group Policy Management.

From Group Policy Management, expand the appropriate Forest and Domain and then right-click Group Policy Objects, clicking New at the contextual menu. Then provide a name for the new GPO (e.g. Windows Firewall Policy) and click on OK. In the Group Policy Management screen, click on Group Policy Objects and then right-click on Firewall Settings for Windows Clients. Click on Edit to bring up the Group Policy Management Editor.

At the Group Policy Management Editor, right-click Firewall Settings for Windows Clients policy, and select its Properties. Click on the Disable User Configuration settings check box and at the Confirm Disable dialog box, click on the Yes button and click OK when prompted.

In the Group Policy Management Editor open Policies from Computer Configuration. Then expand on Windows Settings and then on Security Settings and finally Windows Firewall with Advanced Security. Here, click on Windows Firewall with Advanced Security for the LDAP GUID for your domain. Then open Overview to verify that each network location profile lists the Windows Firewall state as not configured.

Click on Windows Firewall Properties and under the Domain Profile tab, use the drop-down list to set the Firewall state to On. Then, click on OK and verify the Windows Firewall is listed as On.

Once you’ve created the GPO, go to the OU and click on Link an Existing GPO. Here (the list of GPOs), select the new GPO and test it on a client by running gpupdate or rebooting the client. To verify that the GPO was applied, open the Windows Firewall with Advanced Security snap-in and right-click on Windows Firewall with Advanced Security on Local Computer, selecting Properties from the contextual menu. If the setting is listed as On then the policy was created properly!

Windows Firewall For Windows 7

Friday, March 9th, 2012

A firewall is a barrier between you and the Internet at large that filters information that your computer can receive. Companies usually have firewalls in place to keep certain kinds of websites, people, and information from being accessed from outside their networks, keeping sensitive info safe, and you focused on the job. Your home computer and/or modem can have a firewall built-in as well, acting as the gateway to your home network and the Internet.

NOTE: you might not be able to use a third party application until you add the application to the list of allowed programs.

Here is an explanation of the different options you can modify and customize:

Add a program to the list of allowed programs:

  1. Open Windows Firewall by clicking the Start button, and then clicking the Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Click Change settings.  If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Select the check box next to the program you want to allow, select the network locations you want to allow communication on, and then click OK.

If an application needs a specific port that this being blocked you can also allow port traffic by:

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click advanced settings. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. In the Windows Firewall with Advanced Security dialog box, in the left pane, click Inbound Rules, and then, in the right pane, click New Rule.
  4. Follow the instructions in the New Inbound Rule wizard.

Block all incoming connections, including those in the list of allowed programs: this setting blocks all unsolicited attempts to connect to your computer. Use this setting when you need maximum protection for your computer, such as when you connect to a public network in a hotel or airport, or when a computer virus is spreading over the network or Internet. Word of caution with this setting, you wont be notified when Windows Firewall blocks programs. When you block all incoming connections, you can still view most websites, send and receive e‑mail, and send and receive instant messages.

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. Check the box that says to block all incoming connections.

Notify me when Windows Firewall blocks a new program
If you select this check box, Windows Firewall will inform you when it blocks a new program and give you the option of unblocking that program.

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. Select the box that says “Notify me when Windows Firewall blocks a new program”

Turn off Windows Firewall (not recommended)
This step is not recommended unless your system administrator has implemented another application to provide protection for your network.

  1. Open Windows Firewall by clicking the Start button, and then clicking the Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.

Note: If some firewall settings are unavailable and your computer is connected to a domain, your system administrator might be controlling these settings through Group Policy or third party application like Symantec Endpoint Protection.

If you have trouble allowing other computers to communicate with your computer through Windows Firewall, you can try using the Incoming Connections troubleshooter to automatically find and fix some common problems.

  1. Open the Incoming Connections troubleshooter by clicking the Start button, and then clicking Control Panel.
  2. In the search box, type troubleshooter, and then click Troubleshooting. Click View all, and then click Incoming Connections.

Note: Some material in this article was referenced from Microsoft directly from:

Note: Stay tuned for more information about setting up Windows Firewall Using a GPO!

Lost a password to your Cisco Device and need to recover the settings?

Friday, March 9th, 2012

Most of us know that Cisco can be a bit complicated and sometimes things happen that are not so forgiving. One of those is losing a password on a Cisco device. The downside to this is if you did not know that you could reset the password using a console cable you might be freaking out thinking you might have to reset to factory defaults. Well thank you Cisco for providing a backdoor to their devices. Now for each device the commands and procedures can be slightly different, so you will want to look up from Cisco the password recovery steps for you specific device. In the example I will show you the steps on how to reset the password on a Cisco ASA 5505 using Terminal from a Macbook.

First thing you will need to have on all the Cisco devices is Console port access. For this reason it is important to ensure there are strict physical security measures in place. Access to the device allows someone to have access to the procedures that I am about to list, which can give them unwanted entry to your device.

1.Connect to the device using the console port\cable. The cable is usually an RJ45 to Serial so on my Macbook I don’t have a serial port so I use a serial to USB adapter. All my configurations are than done in terminal. If you’re on a PC you can use your telnet application or the MS-DOS CMD window.

Using a Macbook with the serial to USB adapter requires I use the “Screen /dev/tty.KeySerial1 9600” command to be able to use terminal as my telnet window. This will allow you to view the bootup of the device as soon as it has power.

2. Now shutdown the ASA, and power it back up. During the startup messages, press and hold the “Escape” key when prompted to enter ROMMON.

3. To update the configuration register value, enter the following command:

rommon #1> confreg 0x41

4. To have the ASA ignore the startup configuration during its startup, enter the following command

rommon #1> confreg

The ASA will display the current configurations register value, and will prompt you to change the value:

Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:

5. Take note of the current configuration register value (it will be used to restore later). At the prompt enter “Y” for yes and hit enter.

The ASA will prompt you for new values.

6. Accept all the defaults, except for the “disable system configuration?” value; at that prompt, enter “Y” for yes and hit enter.

7. Reload the ASA by using entering:

rommon #2> boot

The ASA loads a default configuration instead of the startup configuration.

8. Enter privileged EXEC mode by entering:

hostname> en

9. When prompted for the password press “Enter” so the password will be blank.

10. Next Load the startup config by entering:

hostname# copy startup-config running-config

11. Enter global configuration mode by using this command:

hostname# config t

12. Change the passwords in the configuration by using these commands, as necessary:

hostname(config)# password newpassword
hostname(config)# enable password newpassword
hostname(config)# username newusername password newpassword

13. Change the configuration register to load the startup configuration at the next reload by entering:

hostname(config)# config-register 0x00000011

* Note- 0×00000011 is the current configurations register you noted in step 4.

13. Save the new passwords to the startup configuration by entering:

hostname(config)# wr mem


The commands used in the example above were referenced from Cisco article


Wednesday, March 7th, 2012

In the routing world, NAT stands Network Address Translation while PAT stands for Port Address Translation. To many they’re going to be pretty similar while to others they couldn’t be more different.

When you have an Internet connection for your business network you are usually given a range of public static IP addresses. With these addresses you can use your Cisco router to use NAT technology, which will allow you to map an external address to an internal address (NAT is One to One addressing).  Your NAT router translates traffic coming into and leaving your private network so it works in both directions.

Let’s say your computer has an IP address of and the Router has a public IP address of If you go to the Internet from your address, it will be translated to the address using the NAT protocol, which will allow you to communicate external your network. It also allows for the return of that data and the opposite to happen when data returns to it will translate back to your address to receive the information to your system with the address of

Port Address translation is almost the same thing but it allows you to specify the TCP or UDP protocol (port) to be used. Let’s pretend you need to access a mail server at your network from externally. Most likely your port will be the standard SMTP port 25. Assuming it is you would configure the router to allow traffic from port 25 external your network to come through to your mail server’s port 25, thus sending and receiving e-mail. You can also use PAT to define traffic from a specific port to translate to a different port. For example if you have to use port 25 for an external mail client but you have a custom port of 26 internally to the mail server. You can define a Static PAT rule that can define all outside port 25 traffic will route to port 26 internally allowing port 25 traffic to reach your mail server on port 26.

*Note: PAT works hand in hand with NAT and is linked to the public and internal IP addresses. With PAT You may route many to one addressing (i.e. all internal addresses go out a single Public IP address for internet using port 80).

Technical Overview of Mac Business Encryption methods

Friday, March 2nd, 2012

For a more in-depth look at security on the Mac, we’ll contrast the technical features (and limitations) of Mac full disk encryption methods. A balance that always needs to be struck when implementing a highly complex system is between maintainability and features. Employees need an easy to use yet reliable solution, and support personnel need to be able to consistently ensure that everything is functional and able to be audited. To understand the changes to encryption features leading up to the present, we’ll start by describing the implementation used by one of the most popular vendor’s, Symantec, and their PGP product.

PGP has a very long history in data encryption, and since Apple moved to the Intel processor platform (and EFI), they have been able to provide many features that were previously only fully supported on Windows. In an ideal situation, they and other vendors (like Sophos and McAfee) construct a way to tie your directory service to a keyserver, and therefore have authentication stay in one central place. Client software performs the local encryption on each workstation, and after completion users are granted secure access to a pre-boot environment, so only after authentication succeeds does the actual system boot. The encryption itself is based on a key that is independent of the user, multiple users including the admin can be added, and there is even a feature called the Recovery Token in case someone forgets their password (which gets regenerated after a single use, once the laptop then connects back to the keyserver).

The changes Apple made during its build-up to Lion jeopardized PGP’s pre-boot environment, which caused serious side effects. From Snow Leopard 10.6.6 on, Symantec had to be vigilant to insure their product was updated in a timely fashion, and many customers began to doubt the future viability of the solution. Businesses still wanted the features products like PGP offered, so a balance needed to be struck.

Apple released FileVault2 with Lion, and has since documented one method of achieving some sort of centralization: generating and storing the FileVaultMaster.keychain. A drawback of this process is many of the workflow steps surrounding it require custom, secure methods to be devised for implementing and auditing this process. Further, since support personnel need access to the single key that will unlock any machine encrypted with this process, the fact that the key cannot be easily reset and never expires becomes a prominent flaw.

Cauliflower Vest, as discussed previously, instead utilizes the recovery key. This reduces the risks associated with storing and retrieving the unlock mechanism centrally, as it is tied to each employee’s Google Apps account. It is sent and stored securely, and access controls can be put in place to grant access to support personnel. The csfde tool that is bundled with the project can also be used independently, if another data store or authentication mechanism to secure the transport and storage is preferable. Deployment and enforcement were priorities of the project as well, and a graphical interface to guide employees through setting up their encryption in a self-service manner round out the salient features. It can still be considered a compromise when compared to the functionality offered to businesses previously, but Google’s Macintosh Operations team should be commended for making available a feature-rich and flexible open source solution.

Lion’s New Security Features, Manageable for Businesses with a Solution from Google

Friday, February 24th, 2012

The big cat, Lion, has been out of the bag for a while, and even with Mountain Lion slated to come out this Summer, many are still devising strategies to tame it. In particular, there’s been uncertainty about the update to Apple’s encryption solution, FileVault. In the past it wasn’t as fully featured as encryption solutions from Symantec (PGP) and others, but the functionality of those third party products has been faltering due to ‘plumbing’ changes Apple’s made in order to accommodate, new with Lion, FileVault2 – their higher-performance, whole disk encryption solution.

From a security and ease-of-use perspective, when you encrypt the entire hard drive (or ‘disk’), your documents are much safer if your laptop should happen to be lost or stolen. Only user accounts granted access to un-encrypt the computer (which happens just by logging in with your user name and password like normal) can get at the files. However, there is a ‘get out of jail free’ card provided, just in case you forget your password – the Recovery Key, which is a 24-character code that Apple can even store for you.

When using FileVault 2 in Lion, businesses lose several features they would otherwise have with 3rd party whole disk encryption solutions: we’d like to store that key centrally for our company, keep an inventory on which computers are encrypted, and not worry what user account encrypted the computer when we need to re-deploy it for someone else. Apple’s consumer-focused, manual process for storing the Recovery Key doesn’t help us, so Macintosh Operations at Google have stepped onto the scene with a solution: Cauliflower Vest.
Yes, the name is… distinct, but really it’s just an anagram (same letters, different words) for FileVault Escrow, which means storing the FileVault Recovery Key centrally. A big caveat of using this solution is that it relies on a Google Apps account for every employee whose machine you’d like to use FileVault with. Generously, Google’s Mac Ops team took the time and went the distance to allow us to adapt their tool for use with other centralized systems.

Adjusting to the new changes in Lion can be a considerable amount of work for many administrators. 318 has been a reseller for Google Apps and can also build custom solutions that adapt open source products to your businesses needs. For assistance, please contact your 318 Professional Services Manager, or if you are not yet a customer.

Using Squidman as a Web Proxy for OS X

Thursday, October 27th, 2011

Squid is an open source package available at that caches web files to a local server, increasing throughput for users and decreasing the amount of traffic on WAN connections. A Mac OS X software package named SquidMan, which includes Squid is available at SquidMan makes installing and using Squid much easier, giving nice buttons to use for management rather than managing Squid using configuration files.

Once SquidMan is downloaded, copy the SquidMan application bundle to the /Applications directory. Then open it. At the Helper Tool Installation screen click on the Yes button.

At the Squid Missing screen click on the OK button to install squid itself.

The Preferences screen then opens. Click on the Clients tab and, if you would like to restrict access to only a set of IP addresses, define them (or use the net mask to define a range).

Click on the General tab. Here, provide the following information:

  • HTTP Port: The port number that the proxy will run on.
  • Visible hostname: The hostname of the server (e.g.
  • Cache size: The total amount of space used for the proxies cache.
  • Maximum object size: The maximum size of single cached files.
  • Rotate logs: The frequency with which log files are rotated (I usually use Manually here).
  • Start Squid on launch: Automatically start squid when SquidMan is launched, and delay start by x number of seconds.
  • Quid Squid on logout: Define whether logging out of the server also stops squid.
  • Show errors produced by Squid: Displays squid’s errors in SquidMan.

Click on the Parent and define a proxy server that this one will use (if there is one, otherwise it just uses the web to directly access files). This feature is only used if you are daisy chaining multiple squid servers.

Click on the Direct tab and enter any sites that should not be proxied. Internal staging environments are a great example of sites that should bypass proxy servers.

At the Template tab, enter any custom variables.

Squid is usually used to cache and speed up web access, so the default configuration file is optimized for small files. In order to cache larger files effectively, change the configuration to allow for larger files (up to 64 megabytes) and allow for more total disk storage of cached files (up to 8 gigabytes in our tests for a few specific projects, but much larger is fine). This usually depends on the total available disk space on the machine which will run squid.

These are some of the options which we updated for a specific project we’re working on in the squid.conf (Template):

http_port 3128 transparent (add transparent if using NAT to redirect http requests):
maximum_object_size_in_memory 65536 KB
cache_dir ufs /usr/local/var/squid/cache 8192 16 256
maximum_object_size 65536 KB

These days, we prefer to use squid running in NetBSD’s pkgsrc, although any method of installation (such as the squidman approach) should be acceptable.

Next, click on the SquidMan application which should have been running the whole time and click Start Squid.

The squid daemon then starts. Looking at the processes running on the host reveals that it is run as follows:

/usr/local/squid/sbin/squid -f /Users/admin/Library/Preferences/squid.conf

Client systems can then be configured to use the squid proxy, or PAC (Proxy auto-config) file can be configured to configure clients. Another option being transparent parodying:

rdr de0 port 80 -> (local Squid server) port 3128 tcp

Basic SonicWALL Router Setups

Tuesday, October 11th, 2011

A work in progress…

1. Register the Sonicwall appliance at A new account may be created for this purpose

2. Download the latest firmware from

3. Disable popup blocking on your browser

4. The default IP of a factory Sonicwall device is Connect to the Sonicwall (you need to adjust your Ethernet NIC’s config to match the Sonicwall’s network settings)

5. Follow the setup wizard and define a WAN IP, LAN IP, and DHCP range of IPs

6. Upload the newer firmware downloaded above and boot from it

7. In the https://[Sonicwall IP Address]/diag.html screen, uncheck the box ““Enforce Host Tag Search with for CFS”

8. Use the Public Server Wizard to create additional systems on the LAN that need to be publicly accessible. Note that the default WAN IP address provided in the wizard is the SonicWALL’s, but you can enter a different WAN IP; this creates a NAT policy using a new Address Object in the WAN zone

9. If more than one service needs to be visible for a system (ie, a mail sever needing 993, 587, 465, etc.), just select a single service during the wizard setup and then modify the “Service Group” that the wizard creates to include additional services that you want visible

10. For site-to-site VPN, follow the documentation in the SonicOS Administrators guide. Typically we have found that setting the VPN policy up in Aggressive Mode works more reliably than Main Mode

Video on Configuring FileVault in OS X Lion

Wednesday, July 20th, 2011

Making snort a Service in Server 2008

Tuesday, April 26th, 2011

Note: For more information about the information contained in this article, contact us for a professional consultation.

Installing Snort in Windows Server 2008 is a fairly straight forward maneuver. Simply install winpcap, then barnyard and then snort itself. You’ll also want to install the snort rules available on the snort downloads page.

Once snort is installed, it’s fairly simple to run it from the Windows Server 2008 command line. To do so, use the snort.exe that was distributed in the installer (by default it would be at c:\snort\bin\snort.exe). You can then run it in a simple form to check that the interfaces are available:

c:\snort\bin\snort.exe -W

And then use one of the listed interfaces, invoke it with a -i option followed by the interface. You can also specify a custom logging location using -l and a custom configuration file using -c. This would result in something similar to the following:

c:\snort\bin\snort.exe -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

There are a lot more options, but this article is about converting it into a service. Once you’ve found a configuration that works for you manually, you can then take that, throw a /SERVICE /INSTALL after the snort.exe but before the operators and viola you’ve converted snort into a service:

c:\snort\bin\snort.exe /SERVICE /INSTALL -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

Once snort has become a service, many will want to have it start automatically. This is possible using the sc command to configure the snortsvc to start automatically:

sc config snortsvc start= auto

And then, start her up:

sc start snortsvc

Intrusion Detection (IDS) and Prevention (IPS) solutions can be invaluable to an organization. If you would like to discuss running snort or any other IDS or IPS, please feel free to contact your 318 Professional Services Manager, or if you do not yet have one!

Provisioning TelePacific iNOC On A SonicWALL

Friday, January 7th, 2011

1. Login to SonicWALL

2. Check to see if SNMP is already in use on WAN IPs by checking under Network > Firewall.

ALERT: Enabling SNMP Management on the SonicWALL will cause issues with the SNMP firewall rules. You can ONLY have SNMP SonicWALL Management OR SNMP firewall port forwarding. Not both. This was confirmed with SonicWALL Tech Support.

3. Go to System > Administration

4. Scroll down and put a check mark for “Enable SNMP”

5. Click on Configure

6. Put in whatever you want for System Name, System Contact, System Location. You can leave Asset Number blank. Ask TPAC for their monitoring WAN IP and put that in the “Host 1″ field.

7. Go to Network > Interfaces

8. Click on the Configure icon for the Interface that you want monitored.

9. Put a check mark next to SNMP

10. Click OK

11. You can confirm SNMP is listening by using snmpwalk. On a Mac, the command can be:

snmpwalk -c private -v 2c “wanipaddress of SonicWALL”


snmpwalk -c private -v 1 “wanipaddress of SonicWALL”

The SonicWALL utilizes version 1 and 2c for SNMP.

Book On Enterprise iOS Integration Available

Monday, December 20th, 2010

The 6th book from 318′s staff is now available: Enterprise iPhone and iPad Administrator’s Guide. In this title, Charles Edge, the Director of Technology at 318, takes a look at lessons learned in our numerous iOS integration projects, from procurement to deployment to patch management. Per the publisher, Apress, the following indicates who the book is intended for:

This book is intended for IT staff members that will be charged with planning an iPhone and ipad implementation or pilot program, as well as those that will be charged with ultimately deploying and provisioning the devices and delivering support to iPhone and iPad users. Readers should have an existing background in IT management, systems administration, and end user support working in a medium to large business or enterprise environment.

If you are considering doing a large scale integration or remediation project for iOS-based devices in your environment then contact your 318 Professional Services Manager or for more information on how 318 can assist you in your endeavors.

Restricting Outgoing Email To a 3rd Party SMTP Relay Host on SonicWALLs

Friday, November 12th, 2010

Often times, it is necessary to lockdown outbound traffic to MX Logic. MX Logic can provide outbound filtering capabilities which assists against getting blacklisted, while also scanning your outgoing e-mail for malware. Also, limiting only the server to communicate with MX Logic ensures that no rogue mail servers can send out e-mail (often done by infected devices).

This guide assumes you have already used the Wizard to setup port forwarding, firewall rules, and NAT policies for allowing the mail server to be accessed via the SonicWALL.

To Lockdown a SonicWALL to Outbound Email to MX Logic
1. Determine what port you will be sending out on. If you are using a non standard port, you will first need to make a custom service object on the SonicWALL for the port.
2. Create an Address Group containing the Address Objects for MX Logic
1. Go to Network
2. Go to Address Objects
3. Add Address Object
1. Name: MX Logic 1
2. Zone Assignment: WAN
3. TYPE: Network
4. Network: IP From MX Logic
5. Netmask: Subnet From MX Logic
NOTE: You will need to do this for each subnet that MX Logic Offers. Name them sequentially. The Address info can be found on MX Logic’s Portal.
4. Go to Address Objects
5. Create Address Object Group
6. Add all of your MX Logic Address Objects to the Address Object Group, and call it “MX Logic”
7. Save all your changes.
3. Go to Firewall
4. Go to LAN to WAN
5. Click Add
6. Create a Rule that allows the mail server on the LAN to send out to anywhere on the WAN.
1. Action: Allow
2. From Zone: LAN
3. To Zone: WAN
4. Service: SMTP (or whatever you named your custom one)
5. Source: Your Address Object Representing Your Mail Server
6. Destination: MX Logic (The Address Object Group you created Previously).
7. Save your changes.
7. Create Another Rule to block all other outbound e-mail.
1. Go to Firewall
2. Go to LAN to WAN
3. Click Add
4. Action: Deny
5. From Zone: LAN
6. To Zone: WAN
7. Service: SMTP (or whatever you named your custom one)
8. Source: Any
9. Destination: Any
10. Save Your changes
8. Adjust Rule Order.
1. Ensure that the MX Logic Outbound rule is above the rule that blocks all other devices from sending SMTP traffic out to the Internet.
2. Apply the changes.
NOTE: By doing this, any laptop users, or other portable device users, that may try to send email over port 25 through other servers (Gmail, Yahoo, AOL, etc.) will be DENIED by the SonicWALL.

iPhone Security Updates

Friday, August 13th, 2010

US-CERT has issued the following regarding the latest iOS patches:

Systems Affected

Feedback can be directed to US-CERT Technical Staff. Please send email to with “SA10-224A Feedback VU#274718″ in the subject.

* Apple iOS for iPhone, iPad, and iPod touch devices


Apple has released iOS 4.0.2 Update and iOS 3.2.2 Update to correct multiple vulnerabilities affecting components of Apple iOS. Apple iOS is used by iPhone, iPad, and iPod touch devices. As a result of convincing a user to view a specially crafted web page, attackers could take control of your device, gain access to your sensitive information, or crash your device.


Install the updates on Mac OS X and then use iTunes to download and install updates.


Apple iOS 4.0.2 Update and iOS 3.2.2 Update address two vulnerabilities affecting iOS, including a vulnerability detailed in US-CERT Vulnerability Note VU#275247.


* iOS 4.0.2 Update for iPhone and iPod touch -

* iOS 3.2.2 Update for iPad –

* Updating your iPhone, iPad, or iPod touch -

* Vulnerability Note VU#275247 -

Sandboxing Chrome

Friday, April 23rd, 2010

Thanks to Google for referencing our post introducing sandbox in their sandboxing design document for Chromium at:

Their use of sandbox is really over and above what we’ve seen from any other vendor. Each installation contains 3 distinct sandbox profiles (currently I have and version 5.0.342.9 although mileage here may vary according to updates), each profile allowing access to only files and resources that are absolutely necessary to complete the task that the process that leverages them requires. You can see the specific resources that are accessible by looking at these profiles. The profiles are located at:

  • /Applications/Google Chrome Framework.framework/Resources/
  • /Applications/Google Chrome Framework.framework/Resources/
  • /Applications/Google Chrome Framework.framework/Resources/
You can view them easily using a simple cat command:

cat /Applications/Google\\ Chrome\ Framework.framework/Resources/

You can then edit the profiles easily. For example, if you want to enable debug logging for sandbox, etc. This allows you transparency into what Chrome is doing but also allows you to further tighten security. Although, they have really taken their time to secure Chrome well and locked things down, so we doubt much further restriction is necessary or really possible. Overall, Chrome provides a great example of taking sandbox to the next level and extending it much more into the applications with graphical user interfaces than we’ve seen it extended to thus far.

Bad McAfee Update

Thursday, April 22nd, 2010

Please be aware that there is a bad McAfee Antivirus update that will wrongly quarantine the SVCHOST files on Windows XP.  McAfee is aware of the issue and has pulled the bad update file.  Below is a fix in case you run into a case where the machine has already applied the update:

WordPress Security Auditing

Thursday, March 11th, 2010

After reading Sarah Gooding’s article, 7 Quick Strategies to Beef Up Your Security, we decided to take a look at our own WordPress settings here on the 318 Tech Journal.

Deleting the Default Admin User

Creating a new user with admin permissions, then logging in as that user and deleting the default “admin” account is great advice. Just make sure you assign all of the old admin users posts and links to the new account. Another caveat, if you are using the WPG2 plugin with a Gallery2 installation, make sure to remove the Gallery2 user links before deleting the old admin account.

Don’t Use the Default “wp_” Table Prefix

SQL injection attacks are very real, and this tip can help mitigate risk of infection. The WP Security Scan plug-in mentioned in the article has a built-in tool to help automate this change, but it can also lock you out of your dashboard. The trick is to make sure each user’s meta_key settings in the usermeta table match whatever prefix you choose:

wp_capabilities –> newprefix_capabilities
wp_usersettings –> newprefix_usersettings
wp_usersettingstime –> newprefix_usersettingstime
wp_user_level –> newprefix_user_level

Whitelisting Access to wp-admin by IP Address

This is typically done via .htaccess files and the AskApache Password Protection For WordPress plug-in mentioned in the article can help get the settings correct, although that plug-in has specific server requirements in order to run (it will run some tests for you to see if your server qualifies). If you do set this up, beware of dynamic IP address changes, which can lock you out in the future.

Other Items to Consider

  • Consider using a local MySQL application like Sequel Pro or the command line mysql tools for database configuration instead of public web-facing tools like phpMyAdmin. If you do use PMA, you should lock down access as much as possible using .htaccess controls (or other methods).
  • Tools like the WP Security Scan plug-in mentioned above or Donncha O Caoimh’s WordPress Exploit Scanner plug-in can help identify file permission issues in your WordPress setup.
  • Using SSH/SFTP instead of FTP to access your server is always good advice, even when you are using whitelists.
  • Stay up to date on both WordPress core files and all of your plug-ins.

318 is here to help you with all of your WordPress needs – call us today at 877.318.1318!

Thawte No Longer Offering Free Certificates

Monday, October 12th, 2009

Thawte is no longer offering free accounts for mail. As an interim, they are going to offer a free year (through a partner deal) of VeriSign’s similar service which is then $19 after that initial year.


Wednesday, September 23rd, 2009

Virtual Private Networks, abbreviated “VPN” is technology that that allows users to connect from one place to another securely.  What makes it secure is that the connection between point A and point B is encrypted.  An encrypted tunnel is built between Point A and Point B, and then data is passed through that tunnel.

VPN’s come in many different types (protocols).   Some of the most common include the following:


Often called “dial up VPNs”, it technically extends the functionality of PPP. It was originally started by Microsoft, US Robotics, Ascend Communication, 3Com, and ECI Telematics.  Their first draft of their IETF document for the protocol extension was submitted in June, 1996.  The protocol extension is supported by Linux, Mac and Windows workstations.

Current versions of all three operating systems include the VPN Client application pre-installed in the operating system.  All three operating system server versions can also be setup to allow PPTP connections. A Microsoft Routing and Remote Access Server (RRAS) typically uses Microsoft Point to Point Encryption (MPPE) which is based on RSA RC4 and supports up to 128 bit encryption.


IPSec is short for Internet Protocol Security.  It works on Layer 3, and is often called “Site to Site VPN”.  It is usually used to connect one LAN to another LAN, most times using two hardware VPN units at each side communicating with each other.  It can also be used to connect a workstation to the corporate LAN, typically using proprietary software from the VPN manufacturer/developer (although you can sometimes use the built in software in the operating system – as is the case with Windows). The protocol can function in two modes (Transport and Tunnel) and provides end to end security by authenticating and encrypting the packets between parties.  It can support up to 168bit encryption with 3DES.


SSL VPN is a type of VPN that allows communication to happen over https via web browsers.  The main advantage of SSL VPN is that no additional client software is required besides a web browser.  Since no software needs to be installed on a computer, a user can access the corporate network via VPN from just about any computer (i.e, Public Computer, kiosk, etc.).   The disadvantage is that because it tends to make the applications you would normally use a web type of application, you often lose some of the intended user experience of those converted applications.


L2TP is short for Layer 2 Tunneling Protocol.   It doesn’t do any encryption on it’s own, and is often used in conjunction with IPSec (L2TP/IPsec VPN). The biggest thing to remember about L2TP is that it allows more types of applications to communicate through the VPN connection that otherwise are not supported in a standard IPSec implementation.

In a nutshell, deciding which VPN protocol to implement depends on your budget, the hardware that you have, what will be connecting (workstation/user, or LAN to LAN) and the ease of use.  Please feel free to contact us, and we will be happy to help plan out your VPN infrastructure, or answer any questions that you may have.

Yet Another Spyware Article

Monday, August 31st, 2009

First and foremost, it’s called MS Antivirus, or MS Antispyware:

From Wikipedia:

MS Antivirus has a number of other names. It is also known as XP Antivirus,[2] Vitae Antivirus, Windows Antivirus, Win Antivirus, Antivirus Pro, Antivirus Pro 2009, Antivirus 2007, 2008, 2009, 2010, and 360, Internet Antivirus Plus, System Antivirus, Spyware Guard 2008 and 2009, Spyware Protect 2009, Winweb Security 2008, System Security, Malware Defender 2009, Ultimate Antivirus2008, Vista Antivirus, General Antivirus, AntiSpywareMaster, Antispyware 2008, XP AntiSpyware 2008 and 2009, WinPCDefender, Antivirus XP Pro, and Anti-Virus-1

It can be spread through the following vectors:
Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:

* A browser plug-in or extension (typically toolbar)
* An image, screensaver or archive file attached to an e-mail message
* Multimedia codec required to play a certain video clip
* Software shared on peer-to-peer networks
* A free online malware scanning service

Lately, with the infections I’ve seen this year, it seems that it spreads by tricking the user to download a CODEC to play a video. Sometimes the link will appear within a frame (say AOL main web site with an article directed somewhere else). It will also bypass web filtering applications (i.e. Surfcontrol) as long as the site that carries the malware is not banned for any reason . I was reading of an instance where a graphic designer was looking for a CODEC for their software, and downloaded one that they thought was good from a site that hosted Graphic Design templates, and got infect from there.

I also read of an instance in an enterprise environment where a business person was looking for info on an article, and happened to find what he thought was a news video on the subject, and got infected from there.

The following are ways that we can decrease a company as being a target for this infection:
1. Begin updating all Windows workstations with current security patches from Microsoft. And update them regularly
2. User education (especially don’t download codecs!)
3. Keep AV up to date.

Damage control consists of cleaning the computers with free tools we have at hand.

I have had success (meaning clean system with no nuke and pave) using the following strategy:
1. Download and Install CCleaner: Run it in regular mode and clear out the temp files, and unneeded registry entries.
2. Go to Control Panel, Add/Remove Programs and attempt to remove Malware from there.
3. Turn off system restore to delete all system restores that are probably compromised now.
4. Download and install Malwarebytes Open it in regular mode, update it, and then run it in safe mode (no networking). If you can’t run it, go to step 12.
5. Reboot
6. Run Malwarebytes in regular mode until it reports no issues. If there are virii still present, run it in safe mode. If you can’t run Malwarebytes at all or after 3 cleans it’s not fully clean, continue to step 7. If no spyware is present, but Google redirects, skip to step 12.
7. Download Superantispyware:
8. Update it in regular mode for Windows.
9. Run it in safe mode to remove more malware.
10. Reboot
11. Repeat step 6, if step 6 fails, continue to step 12.
12. Download Combofix:, and update it in regular mode.
13. Run it in safe mode. If Combofix will not run, continue to step 14.
14. Find the Malwarebytes executable by going to the shortcut that it placed on the desktop, and rename the Malwarebytes executable from *.exe to *.com.
15. Boot into regular mode, and update Malwarebytes.
16. Boot into safe mode and see if it will run (ensure it’s still named *.com). Repeat step 6 until it’s clean. Once it is, rename it back to *.exe. If this fails, continue on to step 17.
17. Rename combofix.exe to combo-fix.exe or Run it. After it’s finished, repeat step 6.
18. If all of these fail, backup your registry again, and try running Icesword: Icesword’s GUI is in Chinese, if this is unacceptable, backup, nuke and pave, and reinstall OS plus data, and rejoin to to domain if necessary.

The above steps go from least intrusive software to more dangerous software. Combofix and Icesword being the ones that can cause the most damage if used improperly (can delete needed items in registry, or muck up Microsoft Office Suite applications). Personally, Combfix seems to do the trick, and is the only one that will take care of the Google Link redirects. Icesword is worse case scenario, and I’ve only had to run it once since I first became aware of it 2 years ago.

Links on the subject for your reference:

Setting Up SonicWALL High Availability Pairs

Friday, May 29th, 2009

1. They MUST be the same model
2. Make sure that if you need Stateful High Availability that you have the license for it (only Primary SonicWALL needs to be licensed)
3. Make sure that if the client wants support for both SonicWALLs that they purchase support for the Backup SonicWALL as well.
4. Register and associate the Primary and Backup SonicWALLs as a High Availability pair on
5. Physically label the SonicWALLs
6. On the back of each SonicWALL make note of the Serial Number.
7. Ensure you have two (2) Ethernet cables coming off of the LAN (one for each SonicWALL)
a. Adjust the Spanning Tree protocol if it’s being used on the switch to FAST.
8. Ensure that you have a crossover cable for X8 on NSA 240s (this is for the heartbeat between the two units)
9. Ensure that you have a dumb switch for the WAN, and two (2) Ethernet cables (one for the primary, one for the secondary).
10. Ensure that you have 2 LAN IP address that you can give to the SonicWALLs for monitoring
11. DON’T connect the SonicWALLs together yet

1. Register both SonicWALLs online
2. Register both SonicWALLs as an HA Pair
a. Go to
b. Go to the Backup SonicWALL
c. At the bottom of the licensing, look for HF or Hardware Failover
d. Enter in the requested information (name, and serial number)
e. On the “Service Management – Associated Products” page confirm that the registration was successful, then scroll to the bottom to see the Associated Products and click either HA Primary or HA Backup to display that the unit that is now associated with the your newly registered SonicWALL.
f. (OPTIONAL) Register Stateful HA on the Primary SonicWALL if you have the license.
3. Power on Primary SonicWALL and enter in LAN and WAN information
5. Activate Primary SonicWALL (login to the Primary SonicWALL and register it when you get it online).
6. Load up new firmware on Primary SonicWALL (this’ll take up to 5 minutes)
7. Disconnect Primary SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
8. Power on Backup SonicWALL and enter in LAN and WAN information same as Primary and connect to LAN and WAN (DO NOT CONNECT CROSSOVER CABLE)
9. Activate Backup SonicWALL (login to the Primary SonicWALL and register it when you get it online).
10. Load up new firmware on Primary SonicWALL. (this’ll take up to 5 minutes)
11. Disconnect Backup SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
12. Power on and connect Primary SonicWALL
13. Create all necessary firewall/security rules on the Main Unit
14. Create a Backup of your settings

Configuring HA
1. Login to Primary SonicWALL
2. Go to “High Availability”
3. Go to “Settings”
4. Select Enable High Availability checkbox
5. Enter in Serial number of Backup SonicWALL
6. Click Accept
7. Go to “High Availability” > “Advanced”
8. Leave all values the same in the fields
9. Select the following:
Enable Preempt Mode
Enable Virtual MAC
10. Save your settings

Connecting the HA units
1. Make sure both devices are turned on
2. Connect a LAN cable to X0 on each SonicWALL device
3. Connect a WAN cable to X1 on each SonicWALL device
4. Connect the cross over cable to the HA reserved port (X8 if it’s an NSA 240)
5. Login to the Primary SonicWALL
6. Go to “High Availability” > “Settings” and keep clicking on refresh until:
a. That status at the top right is Active
b. “Primary Status” is enabled
c. Dedicated HA Link is connected
d. “Found backup” is Yes
e. “Settings Synchronized” is Yes
f. OPTIONAL make sure anything that says “Stateful” is at “yes”
7. Review the logs to ensure that there are NO errors with licensing. If found, errors with licensing will occur in the logs every 10 minutes. If you find errors in the licensing, wipe everything out, and reapply the firmware.

Configuring Monitoring of HA Devices
1. Login to Primary SonicWALL
2. Go to “High Availability” > “Monitoring”
3. Find X0 (the LAN) and click to configure it
4. Enable Physical Monitoring
5. Enter in a LAN IP address for each device that you reserved in the Prerequisite steps (Primary = Primary Unit; Backup = Backup Unit).
6. Attempt to manage both SonicWALLs from their respective HA IP addresses. NOTE: The HA LAN management IP addresses are only used for management and CANNOT be used as a gateway for traffic.

1. Backup all of the settings from the Primary SonicWALL and Secondary SonicWALL (via HA LAN management IP address)