Windows, security, etc.

Blog about windows, security, ethical hacking etc.

Google knows everything

OK. We already knew that Google knows everything. It reads “our” e-mails, it searches the web and it knows everything (except the location of Chuck Norris). Google lets “us” use its VPN connection when we are on unsecured networks, so it reads our traffic too. So if you ask me, it’s the biggest spying network in the world.
OK, this is all known to almost everybody today. Why am I digging this out?
Read this article:
http://news.techworld.com/networking/3223617/google-admits-wifi-data-capture-mistake/?olo=rss
It seems that Google is spying on “us” more than we are aware ;-)

Internet censorship: Croatia = China ?

If somebody had asked me a few months ago about Internet censorship in Croatia, I would probably have said: No way, it will never happen in Croatia. Yesterday I was proved wrong!

What happened?

Somebody has stolen a database containing the list of all Croatian soldiers during the war 15 years ago and published it on the Internet. Half an hour later the site was inaccessible. Actually, the site was and still is up the whole time, just not reachable from Croatia: anyone using a proxy server outside Croatia can access it (the server is located in the US, New York region).

So, what kind of censorship happened here?

Probably somebody from the government ordered the ISPs in Croatia to block access to this site. Who? By what authority? I wonder why the ISPs in Croatia blocked access to the site when it is clearly up, running and accessible to everybody else in the world (except Croatians and maybe the Chinese)? What’s the point?

What hurts me, and this is the reason I’m writing this post, is the agility of the Croatian Government in addressing this kind of “issue”, while when something more important is at stake they are so slooooow and inefficient.

Why is this database so important? It’s something that has to become known, and it will (probably a few months from now), but the government is fighting against it. Why?

So let’s return to the title of this post, “Internet censorship: Croatia = China”. What comes next? What will be censored next? This is what frightens me, because once it starts it will probably be unstoppable (and it started yesterday).

Malicious PDF document on the rise

As all of you probably know, all software has bugs and has to be updated regularly. But what if you could exploit software using allowed features, used exactly the way they are supposed to work, with no bug involved at all? This is what happened to PDF readers (Adobe, Foxit) a few days ago.
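Because a feature used as designed leaves no crash and no malformed file behind, the practical defence is to look for the features themselves. The following is an added example (my code, not from the original post and not Didier Stevens’ work): it flags PDF files that carry action dictionaries a reader will honour. Which keywords to flag is my assumption, since the post does not name the feature that was abused, and the function only looks at the uncompressed part of the file, so a clean result is not proof of a clean file.

```powershell
# Added example, not code from the original post or from Didier Stevens.
# Flags PDF files that carry actions a reader will execute "as designed".
# Which keywords to flag is my assumption; compressed object streams are
# NOT inspected, so a clean result is not proof of a clean file.

function Test-PdfActions {
    param([Parameter(Mandatory = $true)][string]$Path)

    # keyword -> why it matters (PDF names are case-sensitive)
    $watch = [ordered]@{
        '/Launch'       = 'runs an external program or opens a file'
        '/OpenAction'   = 'action fires automatically when the document opens'
        '/AA'           = 'additional actions bound to page/document events'
        '/JavaScript'   = 'embedded JavaScript'
        '/JS'           = 'embedded JavaScript (short form)'
        '/EmbeddedFile' = 'file attachment carried inside the PDF'
        '/SubmitForm'   = 'form data posted to a URL'
        '/URI'          = 'opens a URL'
    }

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one char, so nothing is lost or re-encoded
    $text  = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)

    # Names may hide letters as #xx hex escapes (/L#61unch is /Launch); undo them
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) [string][char]([Convert]::ToInt32($m.Groups[1].Value, 16))
    }
    $norm = [regex]::Replace($text, '#([0-9A-Fa-f]{2})', $evaluator)

    $hits = foreach ($key in $watch.Keys) {
        # a name ends at the first character that cannot be part of a name
        $n = [regex]::Matches($norm, [regex]::Escape($key) + '(?![A-Za-z0-9_])').Count
        if ($n -gt 0) {
            [pscustomobject]@{ Keyword = $key; Count = $n; Meaning = $watch[$key] }
        }
    }

    # object streams can hide whole dictionaries from a plain-text scan
    $objStm  = [regex]::Matches($norm, '/ObjStm(?![A-Za-z0-9_])').Count
    $streams = [regex]::Matches($norm, '/FlateDecode(?![A-Za-z0-9_])').Count

    [pscustomobject]@{
        File              = $Path
        Suspicious        = (@($hits).Count -gt 0)
        Hits              = @($hits)
        ObjectStreams     = $objStm     # > 0: dictionaries may sit in compressed streams
        CompressedStreams = $streams
    }
}

# Usage (path is hypothetical):
#   $r = Test-PdfActions -Path 'C:\samples\invoice.pdf'
#   $r.Hits | Format-Table Keyword, Count, Meaning -AutoSize
#   if ($r.Suspicious -or $r.ObjectStreams -gt 0) { 'needs a closer look with a real PDF parser' }
```

A hit on /Launch or /OpenAction is not proof of malice (forms and e-books use them legitimately), but a file from an untrusted sender that carries one is exactly the case where the reader’s own “allowed function” does the attacker’s work.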

Didier Stevens proved this concept. Read more on his blog:

Virtual PC vulnerability

Today, Core Security Technologies issued a security advisory regarding the Virtual PC Hypervisor Memory Protection Vulnerability.
Vulnerable systems are:

  • Microsoft Virtual PC 2007,
  • Microsoft Virtual PC 2007 SP1,
  • Windows Virtual PC,
  • Microsoft Virtual Server 2005 and
  • Microsoft Virtual Server 2005 R2 SP1

Microsoft Hyper-V is NOT vulnerable.

The vulnerability is explained in this document. If you don’t want to read the whole advisory (I advise you to), here are the important parts:

  • It is only locally exploitable: the attacker must already run code inside a guest, or reach a remotely exploitable bug in a guest application. It is a bypass of the guest’s memory protections, not an escape from the guest to the host.
  • There is no CVE at the moment.
  • It was reported about 7 months ago; Core Security worked with Microsoft to identify the impact before announcing it.
  • Memory above the 2 GB boundary of the guest’s address space (normally reserved for the kernel) can be read and written from user mode.
  • This makes it possible to bypass DEP (Data Execution Prevention), SafeSEH (Safe Structured Exception Handling) and ASLR (Address Space Layout Randomization) inside the guest.
  • PoC (proof-of-concept) code is available.
  • The vulnerable component is the VMM (Virtual Machine Monitor) of the Virtual PC hypervisor.

Administration delegation in Hyper-V

There are two ways to delegate administration of a Hyper-V server. If you use SCVMM, do it in SCVMM. If not, AzMan (Authorization Manager) is your best friend.

How do you run AzMan? Type azman.msc in the Run box.

After you start AzMan you have to open the store that holds the delegation configuration. Every server with the Hyper-V role installed has an XML file called InitialStore.xml, located in %ProgramData%\Microsoft\Windows\Hyper-V. So, when you run AzMan for the first time, you have to choose this file.

How? 

  1. Open AzMan (Start/Run/azman.msc)
  2. Right-click Authorization Manager in the left tree of the MMC console, choose Open Authorization Store, browse to InitialStore.xml and click OK
Authorization Manager

AzMan UI is simple to use.

There are 34 operations you can grant to your users, for instance Allow Virtual Machine Snapshot, Connect Virtual Switch Port, Reconfigure Service etc. Play around if you want to grant users specific tasks or give them full admin access to the Hyper-V service.
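The same delegation can be scripted, which is what you want when several hosts must end up with identical roles. The block below is an added example (my code, not from the original post) that drives the AzMan store through its AzRoles COM API instead of the snap-in. The role, task and group names are my assumptions, ‘Hyper-V services’ is the application name the default store uses, and the operation names listed must match exactly what step 1 prints on your host.

```powershell
# Added example, not from the original post. Does from PowerShell what the
# post does in the AzMan snap-in, through the AzRoles COM API.
# Assumptions (mine): the task/role/group names; the operation names in
# $operations must match what step 1 prints on your host; 'Hyper-V services'
# is the application name used by the default InitialStore.xml.

$storePath = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\InitialStore.xml'
if (-not (Test-Path $storePath)) { throw "store not found: $storePath" }

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath", $null)      # 0 = open existing store
$app = $store.OpenApplication('Hyper-V services', $null)

# 1. See what can be delegated: the operations the store defines (34 on 2008 R2)
$app.Operations | Sort-Object OperationID | Format-Table OperationID, Name -AutoSize

# 2. A task that bundles the operations an operator needs, flagged as a role definition
$operations = 'Read Service Configuration',
              'Allow Virtual Machine Snapshot',
              'Connect Virtual Switch Port'
$task = $app.CreateTask('VM Operator', $null)
$task.IsRoleDefinition = $true
foreach ($op in $operations) { $task.AddOperation($op, $null) }
$task.Submit(0, $null)

# 3. Role assignment: the principal that receives the role definition
$role = $app.CreateRole('VM Operators', $null)
$role.AddTask('VM Operator', $null)
$role.AddMemberName('CONTOSO\Hyper-V Operators', $null)   # hypothetical group
$role.Submit(0, $null)

# 4. Read back what was granted, so the change can be reviewed
foreach ($r in $app.Roles) {
    "{0}: members={1} tasks={2}" -f $r.Name, ($r.MembersName -join ','), ($r.Tasks -join ',')
}
```

Two things to keep in mind: the store is just a file, so back it up before editing and keep its ACL tight, because whoever can write InitialStore.xml can grant themselves every operation; and grant whole tasks rather than single operations, so the review in step 4 tells you what a user can actually do.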

How big is Hyper-V hypervisor?

Hyper-V is Microsoft’s virtualization technology, built on a microkernelized hypervisor. Let’s explain those words:

  1. Micro – it’s small. “Microkernelized” is Microsoft’s term for the design: the hypervisor itself only partitions the hardware, schedules CPUs and manages memory, while device drivers stay in the parent (root) partition instead of living inside the hypervisor.
  2. Kernelized – it is a kernel of its own, and it runs below the Windows kernel. When Windows boots on a machine with Hyper-V installed, winload.exe loads the driver hvboot.sys, whose purpose is to check whether the machine supports hardware virtualization. If so, the hypervisor image is loaded (hvix64.exe on Intel and hvax64.exe on AMD hardware).
  3. Hypervisor – software, hardware or a combination of both that allows multiple operating systems to run on a single host computer.

So, how big is the microkernel of the Hyper-V hypervisor?

Hypervisor v2, build 6.1.7600.16385 (Windows Server 2008 R2 RTM), is:

  • 651776 bytes (hvax64.exe – AMD), and
  • 706650 bytes (hvix64.exe – Intel)
Microsoft Hypervisor 2.0

Online antivirus scanners

If you suspect a file is infected, there are a few things you can do:

  1. Scan it with the antivirus software you use
  2. Scan it with AV software you don’t use
  3. Scan it with all AV engines available/known/usable …
  4. Analyze it yourself

Almost every AV vendor has its own free online scanner; Microsoft has one too. Use those services if you want to compare AV engines or scan your entire PC. If you only want to scan one or a few files, use VirusTotal, which scans the uploaded file with almost all AV engines. Keep in mind that a file you upload there is shared with the AV vendors, so don’t upload documents whose content is confidential.
If you want to analyze the file yourself, you will probably want to read some tutorials first. A good one to start with is this.
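If the file may be confidential, look it up by hash first: VirusTotal already knows most malware, and a hash lookup reveals nothing about your file. The block below is an added example (my code, not from the original post and not VirusTotal’s own tooling). It assumes an API key in the environment variable VT_API_KEY and VirusTotal’s current public v3 endpoint /files/{sha256}; the sample path in the usage comment is hypothetical.

```powershell
# Added example, not from the original post. Computes the SHA-256 of a file
# and asks VirusTotal whether that hash has already been analysed, so you get
# the multi-engine verdict without uploading the file.
# Assumptions (mine): API key in $env:VT_API_KEY; VirusTotal v3 endpoint.

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { $hash = $sha.ComputeHash($fs) }
    finally { $fs.Dispose(); $sha.Dispose() }
    ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-VirusTotalVerdict([string]$Path) {
    if (-not $env:VT_API_KEY) { throw 'set VT_API_KEY to your VirusTotal API key' }
    $hash = Get-Sha256Hex $Path
    $uri  = "https://www.virustotal.com/api/v3/files/$hash"
    try {
        $r = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'x-apikey' = $env:VT_API_KEY }
    } catch {
        # 404 = nobody has submitted this hash yet; everything else is a real error
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 404) {
            return [pscustomobject]@{ Sha256 = $hash; Known = $false; Malicious = 0; Suspicious = 0; Engines = 0 }
        }
        throw
    }
    $stats = $r.data.attributes.last_analysis_stats
    $total = ($stats.PSObject.Properties | ForEach-Object { [int]$_.Value } | Measure-Object -Sum).Sum
    [pscustomobject]@{
        Sha256     = $hash
        Known      = $true
        Malicious  = [int]$stats.malicious
        Suspicious = [int]$stats.suspicious
        Engines    = $total
        Scanned    = [DateTimeOffset]::FromUnixTimeSeconds($r.data.attributes.last_analysis_date).UtcDateTime
    }
}

# Usage (path is hypothetical):
#   $v = Get-VirusTotalVerdict -Path 'C:\quarantine\attachment.exe'
#   if (-not $v.Known) { 'unknown to VirusTotal: upload only if the file is not sensitive' }
#   elseif ($v.Malicious -gt 0) { "$($v.Malicious) of $($v.Engines) engines flag it (scan from $($v.Scanned))" }
```

An unknown hash is itself a signal: a mass-mailed binary that no engine has ever seen is either very new or was built for you, and in both cases the file deserves the “analyze it yourself” option rather than a shrug.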

Windows support

I have heard that some people have had problems after installing new updates on XP machines. The problems differ, so I will not try to explain how to fix them; I will remind you how to ask for help :-) . Of course you can always use your favorite search engine to find a solution, but if the problem appeared right after applying a new update, you will probably find nothing yet. So, the best thing to do is to ask for help.

Start a free Windows Update support incident request and ask for help:
https://support.microsoft.com/oas/default.aspx?gprid=6527
https://consumersecuritysupport.microsoft.com/
http://support.microsoft.com/ph/6527#tab3

I hope this helps next time you find yourself in a helpless situation.

Vulnerability in TLS/SSL Could Allow Spoofing

A few months after the first public demonstration of the SSL/TLS renegotiation vulnerability, there is still no widely used exploit or attack. Unfortunately, it is only a matter of time before something like that happens. Reading Microsoft Security Advisory 977377, one can speculate that it will happen soon. Since this is not only a Microsoft “problem” (SSL and TLS are used by other OSes too), other vendors are working on a solution as well.
Microsoft has offered a workaround (disabling SSL/TLS renegotiation) for IIS servers. If you are interested, please read KB article 977377. Be aware that after you apply this workaround some applications will not work as expected (more on this in the KB article).
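What the workaround boils down to is one registry value read by SChannel. The block below is an added example (my code, not from the original post or from Microsoft). It assumes the value names DisableRenegoOnServer and DisableRenegoOnClient under the SCHANNEL key as KB 977377 describes them; verify them against the KB article before relying on this, and note that the 977377 update itself must be installed for the values to have any effect.

```powershell
# Added example, not from the original post. Shows and sets the SChannel
# registry values that KB 977377 documents for switching renegotiation off.
# Assumption (mine, from the KB article): value names DisableRenegoOnServer
# and DisableRenegoOnClient, DWORD, 1 = renegotiation refused.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-RenegotiationSetting {
    $p = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerRenegotiationDisabled = ([int]$p.DisableRenegoOnServer -eq 1)
        ClientRenegotiationDisabled = ([int]$p.DisableRenegoOnClient -eq 1)
    }
}

function Set-RenegotiationSetting {
    param(
        [switch]$DisableServer,   # IIS and other SChannel servers refuse renegotiation
        [switch]$DisableClient    # this box, as a client, refuses renegotiation requests
    )
    if ($DisableServer) {
        New-ItemProperty -Path $schannel -Name DisableRenegoOnServer -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $schannel -Name DisableRenegoOnServer -ErrorAction SilentlyContinue
    }
    if ($DisableClient) {
        New-ItemProperty -Path $schannel -Name DisableRenegoOnClient -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $schannel -Name DisableRenegoOnClient -ErrorAction SilentlyContinue
    }
    Get-RenegotiationSetting
}

# Usage (run elevated):
#   Get-RenegotiationSetting                     # where am I now?
#   Set-RenegotiationSetting -DisableServer      # the IIS workaround from the KB
#   Set-RenegotiationSetting                     # revert: both values removed
```

Before turning it on server-wide, find out who relies on renegotiation: the usual victims are sites that ask for a client certificate only on some URLs, because IIS implements that by renegotiating the existing session. Those sites break with the workaround in place, which is the “some applications will not work as expected” warning from the KB article in concrete form.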

How to use wireless adapter with Windows Server 2008 R2 Hyper-V

If you want wireless to work at all in Windows Server 2008 R2, you first have to add the feature called Wireless LAN Service.
Please follow this link to learn how.

If you are like me, a trainer, you need a Hyper-V server to be able to show all that new stuff to your students, you want Internet access from within your virtual machines, and most of the time you are in classrooms or conference rooms with wireless access only. You will probably be disappointed to learn that Hyper-V does not support wireless network adapters. That might be a problem, but believe me, it’s not :-).
Don’t try to do this on your production Hyper-V servers!  

The easiest way to let virtual machines on Windows Server 2008 R2 with the Hyper-V role surf the Internet over the wireless adapter is to create a bridge between the wireless adapter and the virtual LAN adapter.

Here is how to do it:   

  1. Create an External network connected to your real network adapter in Hyper-V Virtual Network Manager (if you don’t have one already). As you can see in this picture, mine is a Broadcom NetLink (TM) Gigabit Ethernet adapter.
    Hyper-V Virtual Network Manager

  2. Now you have one additional network adapter in your Network Connections.

    Network Connections

  3. Create a network bridge from the Hyper-V network adapter created in step 1 and the wireless adapter. (How? Select both network connections, right-click the selection and choose Bridge Connections in the pop-up menu.)

    Bridge

  4. Now you have one more connection in your Network Connections window.

    Network Connections Bridge

  5. In Hyper-V Virtual Network Manager you will see a new external network adapter, called MAC Bridge Miniport, that you could use to create Hyper-V networks. You don’t need it!

    Hyper-V virtual network manager with bridged connection

  6. In the network settings of your virtual machine, choose the network you created in step 1.

Don’t forget to connect to the wireless network ;-) . Here’s how it looks:

Hyper-V virtual machine surfing wireless