Windows

Hacking Your Car: Install Windows on a CompactFlash Card

February 24th, 2007 at 03:04am Under Windows

by Damien Stolarz

Editor’s note: This hack was written by Silvio Fiorito, who contributed it to O’Reilly’s Car PC Hacks book.

Microsoft’s XP Embedded OS can help you do what XP normally can’t—boot off a CompactFlash card.

The car PC community is constantly searching for hardware and software solutions to improve the system’s boot speed and reliability and reduce the physical size of the computer. One of these solutions is to build a system that boots off a CompactFlash (CF) drive. Flash storage is used in many commercial devices because it’s small, has no moving parts, uses less power than a hard drive, and holds up much better than a hard drive when exposed to vibration and extreme temperatures.

Using only a CF-to-IDE adapter (Google “CF to IDE”) and any off-the-shelf CF card (Figure 4-16), flash-based systems can be built relatively easily and affordably. One of the disadvantages of using flash, however, is that due to its construction it can withstand only a limited number of writes. This is fine for digital cameras, but since operating systems like to constantly thrash around on the hard drive with temporary files and virtual memory, flash requires special support by the operating system to filter out or completely disable these writes. Many users have turned to custom versions of Linux, while Windows users have had no viable option other than Windows CE or XP Embedded.

Figure 4-16. A CompactFlash-to-IDE adapter

For those willing to try, Microsoft provides a free trial of XP Embedded (XPe) from its web site that allows developers to build a fully functional boot image that will work for 90–120 days. It takes a few tries to get it working right, but it’s a very powerful tool. After spending a good amount of time playing with it and reading as much as I could about it on Microsoft’s MSDN site, I decided to investigate how XPe was able to work on flash disks. Since XPe is just a componentized version of XP, I figured there was no reason why a regular XP install couldn’t be made to use some of the XPe components in order to boot from a CF disk.


Microsoft provides a component called the Enhanced Write Filter (EWF) for developers planning to deploy their systems to a CF disk. EWF is simply a storage filter driver that can be configured to protect one or more volumes from any unwanted writes. All changes to a protected volume are filtered by EWF, which then stores them in RAM rather than writing them to the disk. Upon system shutdown or reboot, changes can be either committed to the volume or discarded. Since the volume is not written to during normal operation, the system is also more resistant to data corruption in case of a sudden power loss.

MinLogon is a component Microsoft added to XPe for devices that need quick boot times and as little overhead as possible. Normally, when an XP system is booted, an executable called WinLogon is started that performs the user login, sets the security policy settings, and runs the logon scripts. This can be a lengthy process and seriously hurt boot times. Car PC developers don’t typically need this level of functionality in our systems—we just want the system to boot up as quickly as possible and start playing music like a normal radio would. MinLogon was created for just these types of devices, and coupled with EWF, you can use it to turn a regular XP install into an OS capable of quickly booting off a CF disk.

The first step in preparing a CF install is downloading the XPe trial from http://msdn.microsoft.com/embedded/windowsxpembedded/default.aspx. The install will create a network share on your system called Repositories. This is where all the XPe components are stored, and all the files I use in this hack come from this directory. The best way to experiment with this hack without corrupting your desktop system is to use machine virtualization software, such as VirtualPC (http://www.microsoft.com/windows/virtualpc/default.mspx) or VM-Ware (http://www.vmware.com). Set up your XP install and make sure you’ve got a way to transfer files between the virtual machine (VM) and the desktop. After I set up my system in VirtualPC, I created a second VM using a differencing drive of the first VM. This was so that if I screwed up I wouldn’t have to go through the lengthy reinstall process all over again. (See the VirtualPC documentation for directions on how to set up a differencing drive.)

If you have any disk-cloning software, such as Symantec’s Ghost (http://www.symantec.com/sabu/ghost/), you can use that too. Clone the drive you want to experiment with onto some old 1-GB drive you have lying around, and try changing that version so that you can re-clone it if you mess it up.


Beware of Network Sniffers

February 24th, 2007 at 03:01am Under Windows

by Mitch Tulloch, author of Windows Server Hacks
11/01/2005
I’m really enjoying reading Jesper Johansson and Steve Riley’s book Protect Your Windows Network. It’s the best book on Windows security by far that I’ve seen, though it’s aimed at a fairly high-end audience and is a bit lean on nitty-gritty “how to” stuff. Conceptually though, their treatment of the subject is masterful and their use of humor and the stories they tell from their own experience make it a real page-turner. Once you start you don’t want to put it down.

One section that intrigued me is titled “The Myth of Network Sniffing.” Hmm, sniffing is a myth? Shouldn’t we be worried about hackers trying to sniff out sensitive information on our networks? Well, as Steve and Jesper point out, there are often far worse things to worry about than someone sniffing your network. For if someone is in a position to sniff traffic, it means they’ve probably taken control of one of your machines, which means they already have access to whatever information is stored on that machine (and probably any other machines that particular machine trusts or is trusted by). In fact, most hackers would rather go straight for the information actually stored on the compromised host rather than bother with installing sniffing software on it. Why is that?

Well, sniffing is actually a lot harder than Hollywood movies portray it to be. Imagine gaining clandestine access to a corporate network with a thousand nodes connected by a Gigabit Ethernet backbone. You’re sitting in the server room with your laptop plugged into the span port of the backbone switch, and you have sniffing software installed on your laptop and your laptop’s NIC is running in promiscuous mode. Ask yourself two questions: first, how long will it take for you to fill up your laptop’s hard drive with captured packets? And second, how long will it take you to actually find something useful (like a password or other credentials or a MasterCard number) in all those captured packets? Then ask yourself something else: if you’re standing in the server room of a company you want to hack, why on earth would you bother sniffing the network anyway? Why not just grab the hard drive from a server and run?

Risk Management

Everything in network security boils down in the end to risk management. You determine what risks your network faces, and then you act accordingly to protect the network within the boundaries of your allotted budget and time. While sniffing poses a danger to your network, so do rodents nibbling on cables in the plenum spaces of your building. Which are more of a threat? It depends — is your building old and decrepit? Do employees tend to leave their lunch remains on the table at day’s end? If either of these are the case, your best security investment might be to get a cat.


Either way, you need to assess the amount of risk each threat (rodents vs. sniffing) poses for your network, and you need to assess it realistically if you are going to protect your network. Once you’ve identified the threats your network faces, prioritize them. Once they’re prioritized, you can start taking steps to mitigate the most serious threats while keeping an eye on the less likely ones in case their likelihood increases.

Preventing Sniffing

Let’s say you do identify sniffing as a realistic, potential threat to your network. What should you do? First, ask yourself why sniffing is a threat. Is it because the steps you’ve taken to protect the computers on your network aren’t really very effective? Is it because your company’s physical security is poor and you’re actually afraid of someone social-engineering themselves past the receptionist and into the server room where they can tap into a switch? Is it because you’re overwhelmed by your new job as administrator and the network has grown over the years as the company expanded and you’re not really sure just what’s out there on your network? Like, maybe there are some LAN segments using hubs instead of switches, and by the way that computer over there wasn’t there yesterday, I wonder who it belongs to? Hmm . . .

Actually, the way to prevent sniffing on your network is pretty straightforward, just follow these steps:

  1. Make sure your network assets are physically secure. If you don’t have physical security, you don’t have any security.
  2. Make sure you have a written security policy and that it’s enforced. Even physical security won’t mean anything if you don’t have a policy behind it backing it up.
  3. Make sure you know your network’s assets, where every cable terminates and which computer or device every switch port connects to.
  4. Make sure your hosts are protected using every means necessary. If the bad guy compromises one of your hosts, sniffing is probably the least of your worries.
  5. Encrypt all traffic on your internal network using IPSec. Just try and sniff that. Which of course means that you can’t use sniffers for legitimate reasons on such networks, like troubleshooting network problems (you win some, you lose some).
  6. Finally, you may want to consider setting up a bait machine — a computer that only you know about. Give this machine a static or reserved IP address but don’t create any records for it in the DNS server database. Then if someone is maliciously sniffing your network and they come across this machine, they’re likely to try to run a DNS lookup on it to find out its hostname. Checking your DNS logs periodically for lookups for this machine’s IP address could signal a sniffing attack at work.
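Step 6 turns a DNS server into a sensor: nobody has a legitimate reason to resolve the bait address, so a reverse (PTR) lookup for it is worth an alert. The script below is an added example, not part of the original article. It scans lines laid out like a Windows DNS server debug log and reports which client asked for the bait machine’s reverse name and how often. The log lines, the bait address 10.0.0.50 and the client addresses are all constructed for illustration.

```python
import re
from ipaddress import IPv4Address

# Constructed sample lines approximating the Windows DNS server debug log
# layout (date, time, thread id, PACKET, protocol, direction, client IP,
# query id, flags, question type, name as length-prefixed labels).
# Everything here, including the bait address 10.0.0.50, is made up.
SAMPLE_LOG = """\
11/1/2005 9:15:22 AM 0F4C PACKET  UDP Rcv 10.0.0.23  0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
11/1/2005 9:15:40 AM 0F4C PACKET  UDP Rcv 10.0.0.77  0004   Q [0001   D   NOERROR] PTR    (2)50(1)0(1)0(2)10(7)in-addr(4)arpa(0)
11/1/2005 9:15:41 AM 0F4C PACKET  UDP Snd 10.0.0.77  0004 R Q [8385 A DR NXDOMAIN] PTR    (2)50(1)0(1)0(2)10(7)in-addr(4)arpa(0)
11/1/2005 9:16:02 AM 0F4C PACKET  UDP Rcv 10.0.0.23  0005   Q [0001   D   NOERROR] PTR    (1)1(1)0(1)0(2)10(7)in-addr(4)arpa(0)
11/1/2005 9:17:13 AM 0F4C PACKET  UDP Rcv 10.0.0.77  0006   Q [0001   D   NOERROR] PTR    (2)50(1)0(1)0(2)10(7)in-addr(4)arpa(0)
"""

# One packet per line; "Rcv" is a query arriving at the server, "Snd" our answer.
LINE_RE = re.compile(
    r"^(?P<stamp>\S+ \S+ [AP]M) \S+ PACKET\s+(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) "
    r"(?P<client>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?:R\s+)?Q\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)"
)


def decode_labels(encoded):
    """Turn the log's length-prefixed form, e.g. (3)www(7)example(3)com(0), into www.example.com."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^(]*)", encoded) if label]
    return ".".join(labels).lower()


def find_bait_lookups(log_text, bait_ip):
    """Return (timestamp, client) for every inbound PTR query naming the bait address."""
    target = IPv4Address(bait_ip).reverse_pointer  # e.g. 50.0.0.10.in-addr.arpa
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "Rcv":  # skip unparseable lines and our own responses
            continue
        if m.group("qtype") == "PTR" and decode_labels(m.group("name")) == target:
            hits.append((m.group("stamp"), m.group("client")))
    return hits


def lookups_per_client(hits):
    """Collapse the hit list into {client_ip: number_of_bait_lookups}."""
    counts = {}
    for _, client in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_bait_lookups(SAMPLE_LOG, "10.0.0.50")
    for stamp, client in hits:
        print(f"{stamp}: {client} asked who 10.0.0.50 is")
    print("per client:", lookups_per_client(hits))
```

Only inbound packets count, so the server’s own NXDOMAIN replies never inflate the tally, and a single source asking twice shows up as a repeat rather than as two unrelated events. Real debug logs are large; run this over a rotated log on a schedule, not interactively.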


Windows Server Hacks: Shadowing Remote Desktop Sessions

February 24th, 2007 at 02:58am Under Windows

by Mitch Tulloch, author of Windows Server Hacks
11/08/2005
Shadowing Terminal Services sessions is a cool feature of Windows Server 2003 that lets you remotely control the desktop session of another Terminal Services user. You can even shadow the console session, that is, the session which the interactively logged-on user experiences at the server’s console. This console session is also known as “Session 0” since it is the base or default session on a terminal server.

Let’s start by reviewing how to connect with and shadow the console session on a W2K3 terminal server from an XP client machine. First you have to enable remote control on the terminal server, which in my test scenario is a standalone machine in a workgroup. You can do this as follows:

  1. Click Start, then Run, type gpedit.msc and click OK to open the Group Policy Editor.
  2. Expand Computer Configuration, then Administrative Templates, then Windows Components, and finally Terminal Services.
  3. Open the policy setting named “Sets rules for remote control of Terminal Services user sessions” and enable this policy and set the Options listbox to “Full Control with user’s permission” as shown in Figure 1:

Figure 1. Enabling remote control of terminal server sessions

Next, open a command prompt on the XP client and type mstsc -v:servername /f where servername is the IP address or name of the terminal server. This will open a Remote Desktop session from the client to the server.

Now open a new command prompt within the Remote Desktop connection you have established from your XP client and type shadow 0 to request shadowing of the console session (session 0) on the terminal server. A dialog box should appear on the terminal server’s desktop saying “ is requesting to control your session remotely, Do you accept the request?” Click Yes and the Remote Desktop session you have open on your XP client machine should show exactly the same as what appears on the interactively logged-on desktop of the terminal server. For example, if you open Notepad on the server, Notepad should likewise appear in the shadowed session on the client. Figure 2 shows the shadowing XP client and the shadowed terminal server side by side in a Virtual PC environment.

Figure 2. The shadowing XP client and the shadowed terminal server side by side in a Virtual PC environment.

Note that to terminate shadowing from within your session on the client, press Ctrl+*, using the * key on the numeric keypad (the * on the main keyboard will not work).


Disabling USB Storage With Group Policy

February 24th, 2007 at 02:56am Under Windows

by Mitch Tulloch
11/15/2005
The security threat posed to companies by USB flash drives has been known for some time now. LabMice has a good summary of both the tremendous usefulness of these devices and the dangers they pose to businesses, both in terms of being a potential malware vector and a channel for stealing sensitive information from companies. What can be done to prevent such misuse of technology?

Policy First

Start by updating your company’s security policy to provide guidance to employees concerning the proper use and misuse of USB storage devices. If you want to allow employees the convenience of using these devices, you need to give them clear guidance on what management expectations are for using them and what the consequences will be for misuse. The misuse of technology like this is generally not something you solve by more technology — it’s fundamentally a management issue and needs to be addressed at the policies and procedures level first.

When your boss hears that anyone can now walk into an office and take a USB key from his pocket and grab megabytes of confidential business data and walk out with it undetected, her first response might be to ask, “How can we lock down our computers to prevent this from happening?” The networking staff then run around looking for some commercial product to buy that blocks use of USB drives, and suddenly you’re adding another layer of software on top of your network, increasing complexity and making it harder to maintain. If your boss reacts like this, you need to respond by pointing out that USB storage technology can have significant benefits for worker productivity and that the risks posed by this technology are not fundamentally different than those of floppy drives and CD burners (though the small form factor of USB keys makes them a bit easier to hide). Then after your boss has dialed down, you need to point out that what really needs to be done is to make a management decision concerning what constitutes acceptable use for this technology and then update the security policy and communicate the changes to employees.


Of course, the reality sometimes is that maybe you don’t have a written security policy for your company, or maybe you have one but management won’t buy into it and violations are never punished. Perhaps your boss says, “It’s your problem, you’re the admin — fix it” and walks away. In that case, your next step might be to update your resume. On the other hand, if you’re the All-Powerful Administrator of your network, then you may simply decide to disable use of USB storage devices completely on all your computers. Where do you start?

Ways of Disabling USB Storage

There are commercial products that can solve your problem, and a good example of one is IntelliPolicy for Clients from FullArmor. While this is a great product, it should not be thought of as a solution to the problem of disabling USB storage capability on your computers. That’s because you don’t buy a powerful, full-featured product like this simply for a single feature it can offer. Instead, you buy a product like IntelliPolicy as part of your overall planning for building a security architecture that can help you manage the real risks your network faces. So if your network needs a security overhaul, take a good look at a product like this and evaluate its usefulness. But if you already have a robust security architecture in place and just want to add one extra piece of functionality like disabling USB storage capability, you should look elsewhere.

As it turns out, a simple solution is to extend Group Policy to handle the problem of disabling USB storage on Windows machines. Group Policy is the de facto tool for managing the configuration of machines on Windows-based networks (that is, networks that have Active Directory deployed). And Simon Geary, a Microsoft MVP (Most Valuable Professional) in the area of Directory Services, has come up with a simple illustration of how powerful Group Policy is and how easily it can be extended. All you need to do is create a new administrative template (.adm file) that defines a policy setting for disabling the usbstor.sys driver on Windows machines. Then you import your .adm file into a Group Policy Object (GPO) and you now have the option as administrator for disabling USB storage on any domain or organizational unit to which your GPO is linked. Here’s a knowledge base article that contains the code for the .adm file, and below is a figure showing what the new policy setting looks like:

Figure 1. The new policy setting to disable USB drives
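To show what such an administrative template looks like, here is an added illustration in the classic .adm format; it is not Simon Geary’s file from the knowledge base article and not part of the original column. It assumes the usual mechanism for this policy: the usbstor service’s Start value under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, where 3 (Manual) is the Windows default that loads the driver on demand and 4 (Disabled) stops it from loading. The category and policy names are made up for this example.

```text
CLASS MACHINE

; Custom category so the setting is easy to find in the Group Policy editor.
CATEGORY "Custom Policy Settings"
  CATEGORY "Removable Storage"

    POLICY "Disable USB mass storage driver (usbstor.sys)"
      ; The setting writes a single DWORD under the service key.
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN "Controls the Start value of the USBSTOR service. Allowed keeps the Windows default (Manual, 3) so the driver loads when a USB storage device is attached. Blocked sets Disabled (4) so the driver cannot load."

      PART "USB storage driver start type:" DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          ; Weak (default) setting: driver loads on demand.
          NAME "Allowed (Start = 3, Manual, Windows default)" VALUE NUMERIC 3 DEFAULT
          ; Hardened setting: driver never loads.
          NAME "Blocked (Start = 4, Disabled)" VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

  END CATEGORY
END CATEGORY
```

Two caveats for anyone deploying a template like this. The Start value only governs whether the driver loads the next time a storage device is enumerated, so a device that is already mounted when the policy arrives stays mounted until it is removed. And anyone with local administrator rights can set the value back to 3, which is why the column insists on a written policy behind the technical control rather than instead of it.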

Simon’s work is typical of many others in the Microsoft MVP program, which recognizes outstanding individuals who contribute their time and energy to the worldwide user community by answering questions, offering advice, and sharing their knowledge in a professional manner. If you have technical questions concerning any Microsoft platforms or products, a good place to get your questions answered is by posting them to an appropriate newsgroup on Microsoft Technical Communities, where MVPs generally hang out and are eager to answer your questions. You can access these newsgroups using either your web browser or a NNTP newsreader.

I may sound a bit like an advertisement for the MVP program, and I am, but I’ve been tremendously impressed by the members of this community since I joined it, and I’m honored to know many of these people including Rodney and Mark who live right here in my own home town of Winnipeg, Canada. And they even like beer!


What Is Spyware

February 24th, 2007 at 02:53am Under Windows

by Anton Chuvakin
11/22/2005

Spyware
Spyware is a new strain of malicious software (malware): annoying, and capable of robbing computer users all over the world.
In This Article:
  1. How Spyware Works
  2. Protecting Yourself
  3. The Future

Spyware is such a broad term that even the definition of this computer scourge is fuzzy. So, what is spyware? The best definition out there is given by Wikipedia:

“Spyware is a broad category of malicious software intended to intercept or take partial control of a computer’s operation without the user’s informed consent.”

Thus, spyware has come to mean not only the “software that spies on you,” but also the software that performs other kinds of abuses and annoyances, outside the traditional virus-and-worm world. For example, displaying unwanted ads is a primary purpose of “adware,” which is often categorized as a type of spyware. In fact, some people even extend the definition to cover browser cookies, relatively innocuous pieces of text used by websites for user tracking.

One angle missed by the above definition is that while some folks are known to launch viruses and worms, two well-known types of computer nasties, “just for fun,” spyware is usually written for somebody’s direct monetary benefit, often in the form of good old cash. This aspect is one of the keys to the dramatic rise of spyware.

Spyware emerged in recent years to “entertain” computer users. This emergence coincided with a sea change in the world of mainstream computer attackers that shifted their focus from having fun at somebody else’s expense to making money at somebody else’s expense. Spyware, along with spam, phishing (“social engineering” attacks via email intent on stealing credentials), and pharming (DNS attacks aimed at attracting users to malicious websites), is one of the most noticeable computer threats of the day. We did say “noticeable,” although spyware is often engineered to be hard to find, hard to notice, hard to pay attention to (that is, hidden in a lengthy license) and, obviously, hard to remove. Spyware evolved in the same time frame as e-commerce and online banking. As business use of the internet was growing up, so was business abuse.

How Spyware Works


The world of spyware is extremely broad and the mechanisms of its operation range from a mundane social engineering ruse (e.g. three pages of license “blah-blah-blah” followed by “and we will also steal your cookies and browser history for ‘marketing purposes’”) to a “zero-day” (that is, previously unpublished) exploit launched against the victim’s Internet Explorer by malicious or compromised websites.

Here are some of the commonly identified types of spyware:

  • Browser objects (IE hacks, ActiveX controls, malicious toolbars, and so on)
  • Bots and rootkits (allow others to control your system remotely)
  • Keyloggers (record your keystrokes looking for sensitive data)
  • Bundled parasite software (miscellaneous nuisance)
  • Adware (run on the system or in the browser to display advertisements)

Let’s look at some common spyware specimens. As reported by commercial anti-spyware company Sunbelt Software, these spyware programs were common in September 2005: Claria.DashBar, AvenueMedia.DyFuCA, IST.SlotchBar, ABetterInternet, and IST.ISTbar, to name a few. Most of the above are “adware” specimens (they display ads that can potentially generate revenue for the software creator) and do not spy on the victim, but others (such as IST.ISTbar, a malicious browser toolbar) actually collect web usage information and may install other, more harmful spyware on the user’s system.


Identifying Essential Windows Services: Part 1

February 24th, 2007 at 02:51am Under Windows

by Mitch Tulloch, author of Windows Server Hacks
11/29/2005
An important part of hardening Windows servers against attack is disabling any unnecessary services on your machines. A freshly installed member server running Windows Server 2003 with no specific roles defined (that is, not a file server or a print server or a web server, and so on) has more than 80 installed services visible in the Services console. These services are configured by default in various ways, with some configured for Automatic startup and therefore running by default, some configured for Manual startup and either stopped or running, and some configured as Disabled and therefore stopped.

By comparison, Windows 2000 servers have fewer installed services by default, but more of these configured for Automatic startup and are therefore running by default. The result is that Windows Server 2003 machines are more secure out of the box than Windows 2000 servers, so if you’re still running the earlier platform you need to do a bit more work to ensure that only those services that are needed are running on your server.

But even with servers running Windows Server 2003 it’s still valid to ask whether the default configuration of services is secure enough. The logical place to start is to ask which services are essential to normal operation of Windows servers, then go further and ask which additional services are needed when servers are fulfilling specific roles on your network such as file/print servers or web servers. I’ll address the first question in this article and consider the second question in Part 2 later.

Bare Minimum Services

The Microsoft Windows Security Resource Kit is probably a pretty reliable source of information on securing Windows servers (we would hope!). In general, for all Windows 2000 and Windows XP machines this book recommends that the following minimum services be configured.

Services that should be configured to start automatically on Windows 2000 member servers:

  • DHCP Client
  • DNS Client
  • Event Log
  • Logical Disk Manager
  • Netlogon
  • Plug and Play
  • Protected Storage
  • Remote Procedure Call (RPC)
  • Remote Registry Service
  • Security Accounts Manager
  • Server
  • System Event Notification (SENS)
  • TCP/IP NetBIOS Helper Service
  • Windows Time Service (W32Time)
  • Workstation

Services that should be configured to start manually on Windows 2000 member servers:

  • Logical Disk Manager Administrative Service
  • Network Connections
  • Performance Logs and Alerts
  • Windows Management Instrumentation Driver Extensions

Most of these services are pretty obviously needed by servers running in a low or medium security environment, but before you start disabling everything else on your servers and end up with broken applications or other unexpected results, we should dig a little deeper into this subject by considering the recommendations of another important piece of Microsoft documentation: the Windows Server 2003 Security Guide. This document is a little more up to date than the Security RK, so let’s see what the Security Guide recommends for minimum services needed on bare member servers, that is, member servers without any specific server roles defined.

Services that should be configured to start automatically on Windows Server 2003 member servers:

  • Automatic Updates
  • Computer Browser
  • Cryptographic Services
  • DHCP Client
  • DNS Client
  • Event Log
  • IPSec Services
  • Netlogon
  • NTLM Security Support Provider
  • Plug and Play
  • Protected Storage
  • Remote Procedure Call (RPC)
  • Remote Registry Service
  • Security Accounts Manager
  • Server
  • System Event Notification
  • TCP/IP NetBIOS Helper Service
  • Terminal Services
  • Windows Installer
  • Windows Management Instrumentation
  • Windows Time
  • Workstation

Services that should be configured to start manually on Windows Server 2003 member servers:

  • Background Intelligent Transfer Service
  • COM+ Event System
  • Logical Disk Manager
  • Logical Disk Manager Administrative Service
  • Microsoft Software Shadow Copy Provider
  • Network Connections
  • Network Location Awareness (NLA)
  • Performance Logs and Alerts
  • Remote Administration Service
  • Removable Storage
  • Volume Shadow Copy
  • Windows Management Instrumentation Driver Extensions
  • WMI Performance Adapter
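The two Security Guide lists above are most useful as a baseline to diff a real server against. The script below is an added example, not part of the original article: it takes an inventory in the shape of a Services console export (display name, startup type, status) and flags three things: services set to Automatic that the guide does not expect on a bare member server, baseline Automatic services that are not Automatic, and baseline Manual services that have been switched to Automatic. The inventory is constructed for illustration, and it matches on the display names exactly as the article spells them, so a server whose console uses different names needs the sets adjusted.

```python
import csv
import io

# Baseline for bare Windows Server 2003 member servers, as quoted in the article
# from the Windows Server 2003 Security Guide.
AUTO_BASELINE = {
    "Automatic Updates", "Computer Browser", "Cryptographic Services", "DHCP Client",
    "DNS Client", "Event Log", "IPSec Services", "Netlogon",
    "NTLM Security Support Provider", "Plug and Play", "Protected Storage",
    "Remote Procedure Call (RPC)", "Remote Registry Service", "Security Accounts Manager",
    "Server", "System Event Notification", "TCP/IP NetBIOS Helper Service",
    "Terminal Services", "Windows Installer", "Windows Management Instrumentation",
    "Windows Time", "Workstation",
}
MANUAL_BASELINE = {
    "Background Intelligent Transfer Service", "COM+ Event System", "Logical Disk Manager",
    "Logical Disk Manager Administrative Service", "Microsoft Software Shadow Copy Provider",
    "Network Connections", "Network Location Awareness (NLA)", "Performance Logs and Alerts",
    "Remote Administration Service", "Removable Storage", "Volume Shadow Copy",
    "Windows Management Instrumentation Driver Extensions", "WMI Performance Adapter",
}

# Constructed inventory in the shape of a Services console export (not a real server).
SAMPLE_INVENTORY = """\
Name,Startup Type,Status
Automatic Updates,Automatic,Started
COM+ Event System,Automatic,Started
DNS Client,Automatic,Started
Event Log,Automatic,Started
Messenger,Automatic,Started
Alerter,Manual,Stopped
Telnet,Automatic,Started
Windows Time,Disabled,Stopped
Workstation,Automatic,Started
"""


def parse_inventory(text):
    """Read the CSV export into a list of {name, startup, status} dicts."""
    return [
        {"name": row["Name"].strip(), "startup": row["Startup Type"].strip(),
         "status": row["Status"].strip()}
        for row in csv.DictReader(io.StringIO(text))
    ]


def audit_services(text):
    """Compare an inventory against the baseline and return the deviations, sorted by name."""
    findings = {"unexpected_auto": [], "baseline_not_auto": [], "manual_set_auto": []}
    for svc in parse_inventory(text):
        name, startup = svc["name"], svc["startup"]
        if startup == "Automatic" and name not in AUTO_BASELINE:
            # Auto-start but not expected on a bare member server: review, then disable or justify.
            bucket = "manual_set_auto" if name in MANUAL_BASELINE else "unexpected_auto"
            findings[bucket].append(name)
        elif startup != "Automatic" and name in AUTO_BASELINE:
            # The guide expects this one running; Manual or Disabled may break the server.
            findings["baseline_not_auto"].append(name)
    return {key: sorted(names) for key, names in findings.items()}


if __name__ == "__main__":
    for key, names in audit_services(SAMPLE_INVENTORY).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

The output is a to-do list rather than a verdict: a service in unexpected_auto may well be required by an application on that server, which is exactly the point the article makes about digging deeper before disabling everything.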


What Is Virtualization

February 24th, 2007 at 02:48am Under Windows

by Wei-Meng Lee
12/06/2005
Running Mac OS X on Windows

Virtualization
Virtualization allows you to have multiple “virtual machines,” each with its own operating systems running in a sandbox, shielded from each other, all in one physical machine. Each virtual machine shares a common set of hardware, unaware that it is also being used by another virtual machine at the same time.

In This Article:
  1. Why Virtualization?
  2. Microsoft Virtual PC 2004
  3. VMware Workstation 5.0
  4. Microsoft Virtual Server 2005
  5. Performance Tips
  6. Summary

Why Virtualization?

Today, there are quite a number of choices when it comes to choosing an operating system for your computer. In the good old days, the choice was much easier — either you got MS DOS for your PC, or you got an Apple (or Atari), and so on. Today, you have a few more choices for your PC: Windows XP, Windows Server 2003, Linux, and so on.

For those adventurous folks, you might install a multi-boot loader that lets you choose what OS to load during boot-up time. But that involves some experience and a little bit of skill, and partitioning hard disks is not for the faint-hearted. Moreover, once the operating systems are installed it is not a trivial task to add another one into your multi-boot PC.

The rich folks among you might go for the hardware solution, using a different hard disk for each operating system and swapping the required hard disk during boot time. Of course, this is the ideal solution and helps you avoid the nightmare of messing up the multi-boot loader. However, just like the multi-boot solution, only one operating system can run at a time, and switching from one to another takes some considerable delay.

With virtualization, you can have the best of both worlds. You can install new operating systems as easily as installing a new game on your PC, and you can run more than one operating system at the same time. In this article, I will take you through a tour of some of the popular virtualization software available in the market so that you have a better idea of the strengths of each.

Microsoft Virtual PC 2004

Host operating systems supported:

  • Windows 2000 Professional
  • Windows Server 2003
  • Windows XP Professional
  • Windows XP Tablet PC Edition
  • Mac OS X

Microsoft Virtual PC is virtualization software designed to run on Windows and computers running Mac OS X. Originally from Connectix, Virtual PC was acquired by Microsoft in early 2003 as part of its effort to enable its customers to run their legacy Windows applications as they migrate to newer Windows operating systems. In addition, Virtual PC also allows customers to run different operating systems on the same physical machine without needing to commit to additional hardware. More importantly, Virtual PC allows developers to test their applications on different platforms easily on virtual machines, especially for technologies that are still in the beta stage and that should not be installed on production servers.

Figure 1 shows my host operating system (Windows XP Professional) with two guest operating systems: Windows Server 2003 Standard Edition and Linux Mandrake 8.0. The Virtual PC Console (on the top right corner of the screen) contains a list of virtual machines I have installed on my machine. To view each virtual machine in full-screen mode, select the window and press Alt-Enter.

Figure 1. Two guest operating systems in the host operating system

