May 30, 2007
Recently, I was evaluating ISPs for my hosting requirements. If you take a gander at 1-and-1, or most of the providers on the Personal Colocation site (and almost every other hosting provider in the world) they apportion your bandwidth in GB per month. Exactly what does this mean to people that are more familiar with buying bandwidth by the circuit? Exactly how much bandwidth is 500GB/Month? Is that equivalent to a T1 (DS1 or E1 for you euros?) (read more…)
May 25, 2007
Today we launched our own anonymous web proxy: http://www.edgeproxy.net. Like most security tools, anonymous proxies are incredibly useful but also controversial. Web proxies mask your activities on the net in two ways: First, they allow you to access one web site through another, hiding your IP address from the target; Second, they encode the target URL, hiding it from any local firewalls or proxies you might be sitting behind. They are great for pen testing where you want to hide your activities, especially if you want to mask your location. They are a nightmare if you are trying to manage a web filter and your users are able to bypass your filters.
Web proxies are very popular among students whose schools block access to MySpace and Facebook. We launched it because we needed a reliable proxy we control for testing. We debated whether it was wise to provide a public vehicle for bypassing someone else’s security controls, but felt in the end that adding one more proxy on the net will not increase the web’s threat profile. Our TOCs state that we will cooperate with law enforcement if we determine that our site is being used for nefarious purposes. Hopefully, that will be enough to scare away those who hide behind proxies to abuse the web.
March 17, 2007
Now that DST 2007 is over, we are going to start a series of articles on securing systems and networks. I have built a lot of systems for various companies over the years. The challenge is to create repeatable processes that work in a variety of operating environments. Having a strong scripting toolkit can make all the difference, especially when you are under deadline.
The first script in the series is a Windows Services lockdown script for Windows XP & 2003. Disabling services is generally a good idea to reduce the threat profile of your computer, and to improve its performance. Every security guide out there tells you to disable unnecessary services. A few of them also give some guidance as to which services are unnecessary. Few of them tell you how to disable them consistently.
There are three ways to disable services: 1) Use the Services MMC GUI. This is a time-consuming process and is prone to mistakes. 2) Use Group Policy. This works well for environments that use Group Policy, but is harder to implement for stand-alone servers, such as web servers. 3) Use the sc.exe command line utility.
If you do not know the sc command, learn it! sc is a powerful utility for controlling services on local or remote hosts. sc will let you configure how services start, change the user account and password they run under, and start/stop/pause the services. The basic syntax of sc is:
sc <server> [command] [service name] <option1> <option2>
We are going to use 2 different sc commands in our service lockdown script: config & stop. These should be self-explanatory, but config will allow us to disable the service, and stop will stop the service. To make this work, we need three files: 1) The script batch file; 2) a list of servers by name called hosts.txt; 3) a list of services we want to disable called services.txt. The two text files must be in the same directory as the batch file. The code is fairly simple: (read more…)
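An added example, not the author's script (which sits behind the read-more link): one way to write the batch file described above. It assumes hosts.txt and services.txt hold one name per line, that services are listed by key name rather than display name, and that results go to a hypothetical lockdown.log next to the script.

```batch
@echo off
rem Added example: disable and stop each listed service on each listed host.
rem hosts.txt    - one server name per line, without the leading \\
rem services.txt - one service KEY name per line (not the display name)
rem Lines starting with # in either file are treated as comments.
setlocal
set "DIR=%~dp0"
rem lockdown.log is an assumed name for the result log.
set "LOG=%DIR%lockdown.log"

if not exist "%DIR%hosts.txt" (echo hosts.txt not found & exit /b 1)
if not exist "%DIR%services.txt" (echo services.txt not found & exit /b 1)

for /f "usebackq eol=# tokens=1" %%H in ("%DIR%hosts.txt") do (
  for /f "usebackq eol=# tokens=1" %%S in ("%DIR%services.txt") do (
    call :lockdown %%H %%S
  )
)
endlocal
exit /b 0

:lockdown
rem %1 = host name, %2 = service key name
rem Query first so a typo or an unreachable host is logged, not silently skipped.
sc \\%1 query %2 >nul 2>&1
if errorlevel 1 (
  >>"%LOG%" echo %1 %2 SKIPPED: service not found or host unreachable
  exit /b 0
)
rem sc requires the space after "start=".
sc \\%1 config %2 start= disabled >nul 2>&1
if errorlevel 1 (
  >>"%LOG%" echo %1 %2 FAILED: could not change start type
  exit /b 0
)
rem stop reports an error when the service is already stopped; that is acceptable.
sc \\%1 stop %2 >nul 2>&1
>>"%LOG%" echo %1 %2 disabled
exit /b 0
```

Review lockdown.log after each run: a SKIPPED line usually means a display name was used in services.txt or the account running the script lacks rights on that host.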
March 7, 2007
Filed under:
General — bill @ 7:00 am
Microsoft has released an updated daylight saving time fix for Windows Mobile. Nice of them to wait until 5 days before the change! I am recommending everyone use the official patch found here: http://www.microsoft.com/windowsmobile/daylightsaving/default.mspx, but I will leave my unofficial patch online.
I’m noticing a trend that many vendors are releasing last minute patches to fix DST issues with their 1st round of patches. If you have patched your systems already, I HIGHLY recommend you recheck with all your vendors to make sure they haven’t released an update. Good luck to all for this weekend.
-Bill
February 10, 2007
Amazon is now selling the BlackJack for FREE!!! CLICK HERE. Amazon changes its specials frequently, so I would not expect this deal to last. As we’ve discussed, this is a great phone.
With a 100% rebate, how can you lose? Order today.
January 15, 2007
As discussed here, the Daylight Saving Time change for 2007 is going to cause problems for unpatched technologies. Most vendors, including Microsoft, have released patches. One big area that is lacking is Windows Mobile smartphones & PDAs. Microsoft released a registry fix and instructed the carriers to push out a patch. Most of the carriers, in their infinite wisdom, have neglected to do so. If you rely on your Windows smartphone, you need this fix. Microsoft published the registry fix here. This fix requires you to build a CAB file and then install it. To save you the trouble, I have bundled the CAB file for you:
Microsoft Windows Mobile Daylight Saving Time Patch
You can either download the CAB file directly to your cell phone, or download to your PC, copy it via activesync to your phone, and then run it. (read more…)
January 11, 2007
This March, Daylight Saving Time (DST) changes for the United States, starting the time change 4 weeks early. Congress in its infinite wisdom changed DST in the Energy Policy Act of 2005. Other countries such as Australia have followed suit. For most people, this will come as an early relief from winter doldrums, but for IT, the DST change is a major headache. After Year 2000, IT vendors were smart enough to start using 4-digit date codes, but DST changes are still hard-coded for the 1st Sunday of April and the last Sunday of October.
To accommodate the DST change, most IT systems must be patched. Otherwise, timestamps will be off, and some applications may fail to work. For instance, if you synchronize your Windows Smartphone with Microsoft Exchange, and you want your calendar reminders to work, plan on applying patches or fixes to Windows XP, Windows 2003, Exchange 2003 & Windows Mobile. Otherwise, you may be late for that all-important TPS meeting. (read more…)
December 14, 2006
Occasionally, I find a simple solution to a complex problem that works better than expected. Office of Foreign Assets Control (OFAC) compliance can be difficult. OFAC is the treasury department responsible for, among other things, enforcing the PATRIOT ACT and Terrorism Sanction Regulations regarding blocking financial transactions with suspected terrorists. Basically, OFAC requires you to compare your client list regularly to the published terrorist watch lists. If you find a match, you are required to stop doing business, freeze the money, and contact the Feds.
The hard part of OFAC compliance is matching your clients to the watch list. OFAC publishes a list on a regular basis, but the list is not exactly user friendly. Complicating matters is the fact that the list contains lots of Mohammeds, Usamas, and John Smiths. Most names on the list also have dozens of aliases. Obviously, not everyone named Mohammed doing business with you is a terrorist, so how do you distinguish the good from the bad? (read more…)
December 11, 2006
Writing a blog is hard work! Having spent the past four months working on this site, and scanning the blogosphere looking for useful articles, I’m convinced that most bloggers do not get enough credit for the incredible information they provide. One of the stated goals for edgeblog is to provide useful, original content as a way of giving something back to the Internet community, rather than just linking to content found elsewhere. Creating new content every week is a tough job, but we welcome the challenge.
With that said, I want to actively promote the concept of e-Tipping. e-Tipping is a way to pay the blogger back for the hard work they have put into their blog, similar to leaving a tip at a restaurant. There are several ways to leave an “e-Tip”:
- Click the ads!!! - Most blogs these days have ads. If you like the article you just read, visit the site’s sponsors. The blogger will make, on average, about $.05 per click…not much of a tip, but it adds up when a lot of people are reading your blog. UPDATE 06/01/2007: It is against Google’s terms and conditions to directly ask people to click your ad links. I respect Google and their terms, and would not want to circumvent their business model. Most Google ads are contextually related to the blog article. So, if you find an article valuable, take the time to look at the ads. If you are interested in any of the products, by all means click the ad, but please do not click ads solely for the purpose of driving up click revenue for the blogger.
- Donate - Many blogs offer paypal links. If you find the articles especially useful, make a small cash donation. This is often the best way to support a blogger if you want him to provide you with specific additional information.
- Leave a Comment - Blogging can be a lonely business. Comments show you care. They also make articles seem more relevant to the next reader.
- Digg/Slashdot/Link the article - Bloggers want traffic. The more the better. Also, Google ads pay for page views, as well as clicks. Help the blogger promote their site, and they will continue to create great content.
- Read the rest of the blog - Chances are you found the blog from a link aggregator. If you find the article useful, click out to the parent site, and scan some of the other articles. You’ll probably find other articles of interest, worthy of your time and e-Tips. (read more…)
Filed under:
General — bill @ 9:24 pm
Amazon is running a special on the Cingular Blackjack for $49.99 after rebates! CLICK HERE. The special is obviously only good for a limited time, and requires activation, but this is an incredible deal on arguably the best Windows Smartphone available today. I posted my original review of this phone 3 weeks ago: http://www.edgeblog.net/2006/cingular-blackjack-vs-smt5600/
Since then, I have not had a single problem with the phone. After three weeks of solid testing, I can say without a doubt this is the best PDA and best phone I have ever used. The buttons are well spaced and intuitive. The only complaint I have is that 3rd party software is still limited for the phone. Handango lists about 155 titles for the phone, but many of those are duplicates, or are not terribly useful on this platform. So far, the most useful program I have found is TaskList by AvinaSoft. This is a simple but effective task manager that syncs wirelessly with Outlook tasks using wireless Activesync.
If you need an easy to use smartphone with super-fast Internet access and seamless Exchange synchronization, this is the phone for you.
-Bill