

Showing posts from 2009

Cracking & Defending a Terminal Server

This is a copy of a guide I posted to our local DEFCON group last week. Enjoy.

**** has been on my back about getting some content in here (and rightfully so), so I started pondering what type of content would be relevant to our members. My professional IT experience consists almost exclusively, and lamentably, of network administration in Windows environments. However, since I'm not the only one in this boat, I thought I would extend a collection of knowledge (read: no original thoughts here) on Terminal Services security to the group and allow for some constructive observations and reflections from others.

Trend Micro Ate My Virtual Machine

I had to run some routine security updates for a client yesterday on a host OS running Hyper-V. It was after hours, so I just shut down the two virtual machines and rebooted the physical server after the updates. When it came back up, I went into Hyper-V Manager and tried to power on my VMs. Lo and behold, where there were once two VMs, I now only saw one.

If you give a hacker a cookie, he'll ask for a session ID.

Most clients I talk to have a basic understanding that a wireless network should be "secure". They do what they can to make their home and office wireless networks have some semblance of security. However, no one seems to have an issue checking their Facebook account from the local bookstore or pulling up some sensitive company emails at the airport. People make the assumption that since they have no sensitive information on their hard drive and they are running a really good anti-whatever, safety is assured.

I can promise you, it is not. And seeing what you are searching for is not the worst thing that a hacker can do. Let me explain:

Google Launches Public DNS

Google may soon start wresting control of another important chunk of the internet. DNS (Domain Name Service) is a critical component of modern networks (including that really big one called the enter-something) and allows you to type in "" instead of the cryptic string of numbers that your computer actually uses. Now, having developed its own presentation protocol (SPDY) and programming language (Go), Google would like to add another course to this meal: Google Public DNS.

Google's proposal is that you should use their shiny new service in place of the DNS servers commonly provided by an ISP. They currently have two IP addresses for you to use:

The benefit here is that each of these addresses could point to any number of servers, strategically placed throughout the world to give you a decent response time no matter where you are at (theoretically). And since Google already has a great resource from which to pull cached information, their …

Nick Wingfield IS the Insider Threat

I perused this Wall Street Journal article by Nick Wingfield and my heart immediately went out to the poor IT guys at the WSJ who have to put up with him. The title of the article, "Why You Can't Use Personal Technology at the Office", caught my eye because I thought it would be a nice overview of the various reasons bringing your personal techno gadgets to work causes headaches for your IT department. As it turns out, Nick was simply using the WSJ as a soapbox to cry his heart out about having to use "ancient" technology like "Windows XP" and how clever he is to have found a way around his company's IT policy enforcement to install his favorite toolbars and plugins. How he got a job at the WSJ writing about technology is beyond comprehension (I have a few ideas), but at least he gave me a good example of someone with just enough technical know-how to skate around corporate policies and not enough common sense to see how dangerous that is.

Bad Tech Advice, Pt. 1

I had other items to write about, but my fury at having to deal with astonishingly bad tech support, advice, or recommendations is at a boiling point. It's not the inexperience or naivety that bothers me, we all have to start somewhere and some of us still struggle with new technology. It's the fact that these people, or companies, sell themselves as "experts"; after which I have to explain to the client that they would have gotten more from their money by investing in one of the many wonderful business opportunities available in Nigeria.

How I Learned to Stop Worrying and Love the Cloud.

Despite deep-seated childhood fears of all data being consolidated into a single powerful system that touches everything, a little research (and extensive therapy) helped me to develop a healthy relationship with "cloud computing". And by that, I mean that nearly everything I do is contained in the cloud and I am completely dependent on it. Healthy is a relative term.

Google Knows How Smart We Isn't

I stumbled across a very brief blog post concerning Google search suggestions and how they reinforce the idea of "txt speak" being associated with immaturity and generally less-than-stellar decision making skills. I thought I might expound on this with some screenshots.

Microsoft Declares Ownership of 'sudo'; rest of world

Some clerk at the US Patent Office apparently had a seizure and scribbled his approval across this blatantly monopolistic patent for a "Rights Elevator" filed by Microsoft in 2005. Here's the abstract:

Systems and/or methods are described that enable a user to elevate his or her rights. In one embodiment, these systems and/or methods present a user interface identifying an account having a right to permit a task in response to the task being prohibited based on a user's current account not having that right.

In Microsoft's defense, the patent indicates that they are improving on existing technologies. The patent was filed around the same time Vista was being defecated developed along with UAC. What really concerns me is the second sentence that states this "rights elevator" GUI will "identify an account having a right to permit a task". So essentially, if I'm Joe User trying to install the latest "Free Smiley Pack with Screensavers"…