Philosophically Secure » microsoft

Windows command line utilities

eugenekogan — Thu, 29 May 2008 02:26:02 +0000

We all know that Windows can’t compete with Linux or UNIX when it comes to useful command line utilities (excluding Cygwin). But what most people don’t know is how many commands actually are available in Windows. If your job is to investigate intrusions on Windows machines, there are some nifty little command line tools that can help make your job easier.

This article by Ed Skoudis lists a few of them, with handy examples of how the commands might be used in a security investigation. He mostly talks about wmic, openfiles (which I had never heard of before), and netstat. Unless you’ve done recent Windows administration work, you’ve probably never had to use wmic, but it’s really powerful, with tons of options. Also, be sure to check out the second part of his article, which goes into more advanced command line tricks – like “for” loops and querying the registry.

A more comprehensive list, although less detailed, was published by Kevin Beaver. There is overlap, but Kevin mentions a few addiontal commands.

Microsoft binary Office file formats

eugenekogan — Thu, 21 Feb 2008 00:06:54 +0000

Joel on Software recently wrote an interesting piece on the newly-published MS Office file format specifications. It’s a bit off-topic for my blog, but I found the history responsible for the extreme complexity of these files to be fascinating. It goes to show that even with good intentions, software can get out of hand when it sticks around for a decade. As Joel says:

With a little bit of digging, I’ll show you how those file formats got so unbelievably complicated, why it doesn’t reflect bad programming on Microsoft’s part, and what you can do to work around it.

MBR rootkit found in wild

eugenekogan — Wed, 09 Jan 2008 14:48:52 +0000

This isn’t just any rootkit, but rather one that lives in the master boot record of your PC. That means it runs before Windows even fully boots up. It’s also at a lower level in the system than anti-virus software, which makes it quite difficult to remove. Security Fix has a good summary of what was found and where this malware probably came from.

Symantec has a technical discussion of the malware (which they call Trojan.Mebroot), now that they’ve analyzed it. Note the last line: “To help prevent similar attacks in the future, if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!”

Wireless keyboard hacked

eugenekogan — Wed, 05 Dec 2007 01:59:57 +0000

This is some cool research done by Dreamlab to “hack” the latest Microsoft 27 MHz wireless keyboards. It looks like the hardest part was reverse engineering the proprietary protocol. After that, the encryption was trivial, and the key was even passed in the clear.

There are more technical details in the PDF paper, such as this gem:

The one byte USB Hid code is encrypted using a simlple XOR mechanism with a single byte of random data generated during the association procedure.

That’s a pathetic attempt at security, really. Maybe Microsoft were hoping that no one would try hacking a keyboard, or that the new protocol would save them, but they should know better by now.

Skype blames Microsoft for outage

eugenekogan — Wed, 22 Aug 2007 14:42:04 +0000

This is both scary and hilarious at the same time. I’m not a Skype user, so this hasn’t affected me at all. But apparently the huge number of Skype users rebooting last week, due to the patches released by Microsoft on Tuesday, set off a nasty chain of events. First of all, when all these systems came back up, each one attempted to log back in to Skype, causing a huge load on their servers. Coupled with the fact that Skype relies on a peer-to-peer architecture, and since the majority of their users were temporarily down for reboots, they simply could not handle the number of requests. This prevented users from getting back on Skype, and therefore prevented the recovery of the peer-to-peer network.

Skype may want to change their architecture slightly, so that users can initially join the network without logging in, and possibly allow not-yet-authenticated users to accept incoming data connections.

There is a good post about this topic on Security Fix.