Posted on February 2nd, 2006 in Windows, Life Altering Tools. 1 comment.
One of the goals of this site is to point out tools and methods that make your life easier as an administrator or technician. The System Rescue CD is one of those tools that does just that.
Francois Dupoux, with help from Pierre Dorgueil, Franck Ladurelle, Isaiah Salinas, and Daniel Biehle, has used Gentoo’s live CD technology to produce a bootable distribution with many of the tools needed for recovery, deployment, and forensics. It is a cutting-edge distro with a Linux 2.6.15 kernel and Reiser4 support.
For instance, it has QtParted - a free replacement for Partition Magic, Partimage - a free replacement for Ghost, and the Sleuth Kit - a free replacement for tools like EnCase.
The latest version was released yesterday. Try it out:
http://www.sysresccd.org/
Posted on January 27th, 2006 in Security. No comments.
The National Software Reference Library (NSRL) is a collection of hash values of files from known software packages, gathered from various sources. Law enforcement, government, and industry investigators use these hashes to match the files on a computer against known file profiles. Since file system forensics is a very time consuming process, the database lets investigators set aside files that belong to known software and spend their time on the files that may actually matter as evidence.
Note that this is a collection of hashes of known, traceable software, not a list of known-good files: a match tells you what a file is, not that it is harmless.
http://www.nsrl.nist.gov/
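The screening step described above, as an added example that is not part of the original post: a PowerShell script that imports an NSRL-style hash set and splits a directory into files that match it and files that still need a look. The RDS rows, the temp directory and its three files are constructed for the example (the column layout is that of the legacy RDS CSV export; a real export imports the same way), and matching is done on SHA-1 only.

```powershell
# Added example (not part of the original post): screen a directory against an NSRL-style
# hash set so only files that are NOT known software remain for an examiner to look at.
# The RDS rows below are constructed for this example, using the legacy RDS column layout;
# a real export is a large CSV with the same header and is imported the same way.
$SampleRds = @'
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"2AAE6C35C94FCFB415DBE95F408B9CE91EE846ED","5EB63BBBE01EEED093CB22BB8F5ACDC3","0D4A1185","hello.txt",11,1,"358",""
"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.dat",0,1,"358",""
'@

function Import-NsrlHashSet {
    param([string]$CsvText)
    # Match on SHA-1 only; the other columns are there for cross-checking and provenance.
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        [void]$set.Add($row.'SHA-1'.ToUpperInvariant())
    }
    return ,$set   # leading comma keeps PowerShell from unrolling the set
}

function Split-KnownFiles {
    param(
        [string]$Path,
        [System.Collections.Generic.HashSet[string]]$Known
    )
    $known = @(); $unknown = @()
    foreach ($f in Get-ChildItem -Path $Path -File -Recurse) {
        $sha1 = (Get-FileHash -Path $f.FullName -Algorithm SHA1).Hash   # uppercase hex
        if ($Known.Contains($sha1)) { $known += $f.FullName } else { $unknown += $f.FullName }
    }
    [pscustomobject]@{ Known = $known; Unknown = $unknown }
}

# Constructed test tree: two files whose hashes are in the sample set, one that is not.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'nsrl-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
[IO.File]::WriteAllText((Join-Path $dir 'hello.txt'), 'hello world')   # SHA-1 2AAE6C35...
[IO.File]::WriteAllBytes((Join-Path $dir 'empty.dat'), [byte[]]@())     # SHA-1 DA39A3EE...
[IO.File]::WriteAllText((Join-Path $dir 'notes.txt'), 'constructed unknown content')

$result = Split-KnownFiles -Path $dir -Known (Import-NsrlHashSet $SampleRds)
"Known software (skip): $($result.Known.Count) file(s)"
"Needs a look:          $($result.Unknown -join ', ')"
# A hit only says the file is a known, traceable piece of software. The NSRL also
# indexes things like password crackers, so "known" is not "good".
```

Run as-is to see only notes.txt reported as needing a look. On a real case, replace $SampleRds with the contents of the RDS export and point -Path at the mounted evidence; the output is the list of files that are not accounted for by known software, which is where the examiner's time goes.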
Posted on January 27th, 2006 in Windows, Security. No comments.
Some of you may have run into the issue where users cannot authenticate to domain resources because they are members of too many groups. This can happen when you use role groups and nest groups within groups in Active Directory. Most domains quietly fall back to the much weaker NTLM authentication method when this problem surfaces, so nobody ever sees a problem.
However, since the publication of rainbow tables that make cracking captured LM and NTLM hashes practical, it has become common to turn off NTLM authentication and rely on the stronger Kerberos authentication method.
So if you have disabled NTLM authentication and use a lot of groups, you have almost certainly run into this problem on your domain.
Microsoft’s solution to this issue up until now has been to set a registry key that raises the maximum size of the Kerberos token, as shown below.
This is a preview of “New resolution for Windows Kerberos Token Authentication issue”. Read the full post.
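How far a given user is from the limit, as an added example that is not part of the original post or of Microsoft's own tooling: a PowerShell script that expands a user's nested group membership through the tokenGroups attribute, estimates the token size with the formula Microsoft publishes in KB 327825 (TokenSize = 1200 + 40d + 8s), and compares it with the MaxTokenSize value in effect on the machine it runs on. The registry location, the 12000-byte pre-Windows 8 default and the recommended 48000 are facts; the script assumes a domain-joined machine and an account that can read the directory, and needs no AD module.

```powershell
# Added example (not part of the original post): estimate a user's Kerberos token size
# with the formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s) and compare it
# with the MaxTokenSize value in effect on this machine.
#   d = domain local groups + universal groups outside the user's account domain + SIDHistory entries
#   s = global groups + universal groups inside the user's account domain
# Assumes the machine is domain-joined and the caller can read the directory; no AD module needed.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)

$KerbParams          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$DefaultMaxTokenSize = 12000   # built-in default before Windows 8 / Server 2012 (48000 from then on)

# Flags in the groupType attribute
$GT_GLOBAL       = 0x2
$GT_DOMAIN_LOCAL = 0x4
$GT_UNIVERSAL    = 0x8

# Locate the user in the default naming context.
$root     = [ADSI]''
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "User '$SamAccountName' not found" }
$user = $result.GetDirectoryEntry()

# tokenGroups is a constructed attribute holding the fully expanded (nested) set of
# security group SIDs, which is what ends up in the ticket's PAC.
$user.RefreshCache([string[]]@('tokenGroups', 'objectSid', 'sIDHistory'))
$userSid       = [System.Security.Principal.SecurityIdentifier]::new($user.Properties['objectSid'][0], 0)
$accountDomain = $userSid.AccountDomainSid

$d = 0
$s = 0
foreach ($sidBytes in $user.Properties['tokenGroups']) {
    $sid = [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0)
    try {
        # Bind by SID to learn the group's scope.
        $group = [ADSI]"LDAP://<SID=$($sid.Value)>"
        $type  = [int]$group.Properties['groupType'].Value
    } catch {
        $d++    # not resolvable (e.g. a well-known SID): count it on the larger side
        continue
    }
    $inAccountDomain = ($sid.AccountDomainSid -eq $accountDomain)
    if (($type -band $GT_DOMAIN_LOCAL) -or (($type -band $GT_UNIVERSAL) -and -not $inAccountDomain)) {
        $d++
    } elseif (($type -band $GT_GLOBAL) -or ($type -band $GT_UNIVERSAL)) {
        $s++
    }
}
$d += $user.Properties['sIDHistory'].Count

$estimate = 1200 + 40 * $d + 8 * $s
$current  = (Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $current) { $current = $DefaultMaxTokenSize }

[pscustomobject]@{
    User                = $SamAccountName
    GroupsCountedAsD    = $d
    GroupsCountedAsS    = $s
    EstimatedTokenBytes = $estimate
    EffectiveMaxToken   = $current
    LikelyToOverflow    = ($estimate -gt $current)
}

# If LikelyToOverflow is $true, raise the limit on every machine that builds tokens for
# this user (workstations and member servers, not just the DCs) and reboot them:
#   Set-ItemProperty -Path $KerbParams -Name MaxTokenSize -Type DWord -Value 48000
# 48000 is the value Microsoft recommends; the absolute ceiling is 65535.
```

The formula is an estimate, so treat LikelyToOverflow as a prompt to look, not a verdict. Two things bite in practice: MaxTokenSize has to be set on the machines that build the token, not only on the domain controllers, and raising it does nothing for the long-term problem, which is the group sprawl itself.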
Posted on January 27th, 2006 in Misc. No comments.
I happen to work with some of the best people in the world. Now, to put this in perspective, I have gradually become a coffee snob over the years. I thought I knew what good coffee was. Then my eyes were opened.
My co-worker Joe subscribes to Peet’s fresh coffee. Peet’s coffee sampler ships freshly roasted beans to anywhere in the US. To put it simply, you have not ever experienced coffee like this. Joe shares his Peet’s with us on a regular basis. Now you may be thinking, come on, it is just coffee, get over it. I repeat, you have not ever experienced coffee like this.
Thanks Joe!
http://www.peets.com
Posted on January 25th, 2006 in Misc. No comments.
For those of you that use webmail, I encourage you to sign up for Windows Live Mail beta. I just got my beta account and am impressed with the AJAX functionality that Microsoft has built into this beta. They feature a three pane mode, similar to Outlook 2003, and drag and drop functionality within the web page. It’s very nice.
Sign up here: http://ideas.live.com/
Posted on January 24th, 2006 in Security. No comments.
There are instructors, and then there are teachers. I recently attended a class conducted by David S. Hoelzer. The class was amazing in both detail and practical value. If you ever have need of true security training and certification, I highly recommend David. His qualifications speak for themselves.
http://www.cyber-defense.org/CV.html
http://www.sans.org
Posted on January 24th, 2006 in Windows, Security. 4 comments.
Recently some sites have been promoting a way to get a faster login. The method combines the Windows autologon feature with a registry entry that locks the machine as soon as the Explorer shell loads.
The idea is that logging on is slow, but Ctrl+Alt+Del is needed to secure the machine, so why not log on automatically and then lock the workstation? This sounds safe, right?
Well, what processes the Run key that holds the locking command referred to in the articles below (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run)? The answer: explorer.exe.
So if we can keep Explorer from processing that key, we have a workstation that has already logged on for us. What is a simple way to do that? Open Task Manager and end the explorer.exe process, then run explorer.exe again from Task Manager. On its second start in a session, Explorer knows the shell has already run and does not process the Run key. Presto! You are in the system, as the autologon account.
This is a preview of “Bad Idea: Boot up windows before you even log in”. Read the full post.
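A check for this setup on a machine you administer, as an added example that is not part of the original post: a PowerShell script that reads the Winlogon autologon values and the per-user and per-machine Run keys, reports the combination the post warns about, and with -Fix turns autologon off and removes the stored credential. The registry paths are the real ones; the script assumes the lock entry invokes LockWorkStation (the usual rundll32 user32.dll,LockWorkStation), so adjust $LockPattern if a different locker is used.

```powershell
# Added example (not part of the original post): audit a workstation for the
# "autologon, then lock from the Run key" setup and optionally undo it.
# Assumes the lock entry invokes LockWorkStation (the usual rundll32 user32.dll,LockWorkStation);
# adjust $LockPattern if a different locker is used.
param([switch]$Fix)

$Winlogon      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunKeys       = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$LockPattern   = 'LockWorkStation'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutologonState {
    $p = Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon  = ($p.AutoAdminLogon -eq '1')
        DefaultUserName = $p.DefaultUserName
        DefaultDomain   = $p.DefaultDomainName
        # A hand-configured autologon keeps DefaultPassword in cleartext right here,
        # readable by anyone who can read HKLM. (Sysinternals Autologon stores it as an
        # LSA secret instead, so its absence does not mean autologon is off.)
        PlaintextPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function Get-RunLockEntries {
    foreach ($key in $RunKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in $p.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }   # skip provider metadata
            if ([string]$prop.Value -match $LockPattern) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

$state = Get-AutologonState
$locks = @(Get-RunLockEntries)

$state | Format-List
$locks | Format-Table -AutoSize

if ($state.AutoAdminLogon -and $locks.Count -gt 0) {
    Write-Warning ("Autologon is on and the lock comes from a Run key: only the first explorer.exe " +
        "of the session runs that key, so anyone who stops it or restarts Explorer lands on an " +
        "unlocked desktop as $($state.DefaultDomain)\$($state.DefaultUserName).")
}

if ($Fix) {
    # Turn autologon off and drop the stored credential; the lock entry is harmless on its own.
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    Write-Output 'Autologon disabled; DefaultPassword removed.'
}
```

Run it elevated so both HKLM paths are readable. The PlaintextPassword field is the part people forget: even if the lock trick worked perfectly, a hand-configured autologon leaves the account's password sitting in the registry for any local reader.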
Posted on January 18th, 2006 in Laptop. No comments.
For all you IBM / Lenovo Thinkpad lovers, the newly announced X60 and T60 series have, gasp, Windows Keys on the keyboard!
We don’t have to remap the keys for users anymore. Thanks Lenovo!
Posted on January 16th, 2006 in Training. No comments.
I just added a link to Technojoes.com
“Fast, friendly computer support & training.”
It’s a new site that has some great links for training resources. Quite comprehensive.
Here is a direct link to the Training pages
Posted on January 5th, 2006 in Life Altering Tools. No comments.
There are some tools in your toolbox that are simply life altering. I’m talking about the equivalent of the invention of the wheel.
Process Explorer is one of those tools, and if you aren’t already using it, you should be. Process Explorer is what Task Manager should have been from the beginning.
For instance, wouldn’t it be nice to right click on a process and google it?
Check!
Wouldn’t it be nice to see the child processes in a tree view and be able to kill the entire tree?
Check!
How about seeing the company name attached to the process?
You got it!
This tool is so useful that Microsoft refers to it in some TechNet articles. Best of all, Mark Russinovich has released this wonderful tool for free.
Get it here:
http://www.sysinternals.com/Utilities/ProcessExplorer.html
