Converting from AD time to Excel time

Here's a little formula that works to convert times and dates from Active Directory (or other LDAP servers) to Excel – really useful to use if you've exported a number of entries from Active Directory to an Excel spreadsheet or CSV, and want to see them as dates:

=(B1-94353120004495000)/864000000000

Clearly, 864000000000 refers to the number of 100-nanosecond intervals in a day. It's possible that the offset value of 94353120004495000 is not going to be correct for your environment, so don't forget to test this – time zones may affect the accuracy of this value.
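One way to test the offset, as an added Python example that is not part of the original post: it derives the offset from the two epochs (AD counts from 1601-01-01 UTC, Excel's serial 0 is 1899-12-30), compares it with the constant in the formula above, and leaves "no date" sentinel values unconverted. The function names, the `utc_offset_hours` parameter and the sample value are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_DAY = 864_000_000_000   # 100-ns intervals per day, as in the formula
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)       # AD tick 0
EXCEL_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)  # Excel serial 0 (1900 date system)

# Offset computed from the two epochs instead of typed in by hand.
DERIVED_OFFSET = (EXCEL_EPOCH - AD_EPOCH).days * TICKS_PER_DAY
PAGE_OFFSET = 94353120004495000   # offset used in the formula above

# Values that mean "no date": 0 (never set, e.g. lastLogon) and
# 0x7FFFFFFFFFFFFFFF (accountExpires "never"). Converting them would
# put a bogus date into an account review.
NO_DATE = {0, 0x7FFFFFFFFFFFFFFF}


def ad_to_datetime(ticks):
    """AD 100-ns tick count -> aware UTC datetime, or None for a sentinel."""
    if ticks in NO_DATE:
        return None
    return AD_EPOCH + timedelta(microseconds=ticks // 10)


def ad_to_excel_serial(ticks, utc_offset_hours=0.0):
    """Same arithmetic as the spreadsheet formula, with the derived offset.

    AD stores UTC; utc_offset_hours (hypothetical parameter) shifts the
    result to a local zone, e.g. -8 for UTC-8.
    """
    if ticks in NO_DATE:
        return None
    return (ticks - DERIVED_OFFSET) / TICKS_PER_DAY + utc_offset_hours / 24


def page_offset_error_seconds():
    """Seconds by which the page's offset exceeds the derived one."""
    return (PAGE_OFFSET - DERIVED_OFFSET) / 10_000_000


if __name__ == "__main__":
    sample = 128056896000000000   # constructed value: 2006-10-19 00:00:00 UTC
    print("derived offset:", DERIVED_OFFSET)
    print(ad_to_datetime(sample), ad_to_excel_serial(sample))
    print("UTC-8 serial:", ad_to_excel_serial(sample, utc_offset_hours=-8))
    print("page offset differs by", page_offset_error_seconds(), "s")
    print("never-expires sentinel:", ad_to_excel_serial(0x7FFFFFFFFFFFFFFF))
```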

Insufficient Resources to Complete API – part 3

In part 2 of this series, I promised to let you know how I'd been doing with my hotfix solution to this problem.

[History: After increasing my laptop's memory past 1GB, in Windows XP SP2, I find that the laptop will occasionally refuse to hibernate, with the cryptic message "Insufficient System Resources to Complete API". A Microsoft Knowledge Base article makes it clear that this is a known bug, and offers a hotfix. After going through the simple procedure of getting the hotfix sent to me, it's now even simpler, because the hotfix is available to anyone to download, without having to call Microsoft.]

I'm happy to say that this has been going really well. My laptop, with 1.5GB of memory, now hibernates wonderfully well all the time, and I no longer fear that I will be pulling a red-hot laptop out of my bag after I've closed the lid in a hurry.

I do still hit the problem that if I press the power button, then close the lid, it hibernates once, and then a second time immediately after I turn it back on. Not a big problem – certainly not as big a problem as running the laptop's processor and fans at full tilt inside a sealed laptop bag because it didn't hibernate.

Lessons for those watching:

  1. Always search the Knowledge Base – go to http://support.microsoft.com, and type in either the full error message, or select words that are liable to be unique in reference to your problems. If your first search produces too many, or too few, matches, simply choose a different set of search words. Imagine how you'd write up the article yourself, what key words you'd put in there.
  2. If there's a hotfix available, don't get irritated that you have to call someone on the telephone in order to get the hotfix. It's a ten-minute process, you don't have to give your credit card number, you just say you want the hotfix related to article number such-and-such, and they send you the password to use in downloading it.
  3. Revisit a previous problem after a couple of months – someone else may have reported and fixed it.

Changing passwords on a service

At work, I'm faced with an interesting task – we're trying to limit the number of people that know high-powered passwords.

[This is an ongoing goal - and we already have many processes in place that achieve this. You'll hear more about this in future.]

The latest investigation of reducing password knowledge centres around service accounts – particularly, one service account that is widespread, and has local administrative access. Not an account we want to have available to everyone, not even to everyone who manages the service!

The goal is, as with other high-powered accounts, to lock the password away, and only reveal it when it's needed to troubleshoot something. Of course, being a password, once you've revealed it to someone, you can't unreveal it.

So you have to change it. Once in the security database, and once on every service instance, so that the service can continue to log on.

But there are hundreds of instances of this service, so the administrators were baulking at the idea of having to enter the password in hundreds of locations.

I didn't like the idea either, but my suggestion was better than that of "set the password once on installation, and hope that nobody abuses their knowledge of the password". It had to be, because we don't allow that around here.

I'll be exploring what I did over the next few days, but here's my start, which may be adequate for many purposes:

C:\> for /f %a in (servers.txt) do sc \\%a config "service-name" password= "new-password"

Linux – unbreakable until when?

Not much of a claim... Man, if I were dumb enough to claim anything as "unbreakable", I'd probably want to claim that you have a little bit more than two months of unbreakability (and yes, that is an unretouched graphic from Oracle's site).

Cousin Jeff notes that Mary Ann Davidson, head honcho of Security at Oracle, previously remarked on the previous "Unbreakable" campaign "What idiot dreamed this up?"

I think it's the same "idiot" that came up with the original version of this campaign. Marketing geniuses, all of them.

Internet Explorer 7 flaw – slow news day

You know it’s a slow news day when a flaw like this makes the TV news. [Or when it makes the front page of a normally respectable security site like Secunia.]

Okay, so the first thing to note is that if you try this flaw on other browsers – Internet Explorer 6 or Firefox 2.0, for instance – what happens is that the popup appears on screen without an address bar. So, if this popup is going to persuade you on Internet Explorer 7 to click in a bad place, then it’s going to persuade you even more easily to click in a bad place on Internet Explorer 6 or Firefox 2.0.

The next thing to note is that it doesn’t work if your fonts are different widths from the default, for instance if you use a high-DPI font, or use larger fonts because of poor visibility, or just because you like them – the number of padding characters used has to match exactly with the width of the popup window.

Other reasons the flaw is next to useless:

  • If you enable Internet Explorer 7’s ability to open popups in another tab, the flaw is totally wasted.
  • If you click anywhere in the window (and I don’t suggest you do on any popup), the address is revealed.
  • If you click in the address bar, the address is revealed.
  • The flaw only works while the text in the address bar is fully selected – meaning that it’s highlighted, and looks different from every respectable popup (is there such a thing?). Again, you should be aware that any time something looks different from usual, it’s a warning flag at best, and probably something to be avoided.

Oh, and Internet Explorer 7 comes with a phishing filter – which I really suggest you accept – that prevents you from being lured to known phishing sites by popups such as these.

Really, there are so many down-sides to this flaw, from the perspective of a malicious person trying to actually exploit it, that it’s a wonder anyone bothered to spend time typing the web page up that demonstrates it.

In a way, this demonstrates Internet Explorer 7’s superiority over previous versions – if this really is the most newsworthy attack you can make, Internet Explorer 7 must be solid.

I’ll restate very simply the reasons that Internet Explorer 7 is worth an install:

  1. You are required to have a version of Internet Explorer on your Windows system – it’s a part of the OS.
  2. Every flaw that has been found in Internet Explorer 7 has been found in previous versions of Internet Explorer – and each one (of two) is minor and complex, so much so that despite widespread publicity for some considerable time, there are no known exploits in the wild.
  3. Internet Explorer 7 closes a huge number of avenues of attack that were present in Internet Explorer 6.

Put all that together, and it’s clear that installing Internet Explorer 7 will improve your security. Whether you use it is up to you.

Whether you use Internet Explorer, Firefox, or Opera, or some other browser, from a security standpoint, installing Internet Explorer 7 is a big win. Plus, it’s much easier and more fun to use.

Cousin Jeff says it’s going to be alright

I've been worried a little over the past several days that McAfee and Symantec are going to strong-arm Microsoft into weakening the protection on 64-bit Windows Vista, just because S&M can't figure out how to write software for the new operating system without using undocumented and unsupported functions that have gone away in Vista64.

Amusingly enough, Symantec's competitors, Sophos, respond to the assertion that the world will be forced to run Microsoft anti-virus software by announcing that Sophos' antivirus software will work quite happily on Windows Vista, and that Sophos isn't quite sure what all the fuss is about.

Symantec, by coincidence, have been exhibiting the sort of track-record that befits someone who wants a toe-hold in the kernel, by showing off a kernel-mode escalation of privilege vulnerability. Whoops. [McAfee is no stranger to buffer overflows, either - a Google search for McAfee, "Buffer Overflow" and Vulnerability leads to a couple of fun articles on the topic.]

But cousin Jeff puts my worries to rest, by noting that Jim Allchin, straight-shooter that he is, has declared that Microsoft won't be letting any vulpine-looking animals manage the security of this particular coop.  Not Microsoft OneCare, not Symantec, not McAfee, will be given the ability to patch into the kernel. Note that – not even Microsoft.

No, the Windows Kernel in 64-bit Vista will be written by the Windows Kernel team. Its purpose will be to act as an OS kernel, not as a lackey for whatever program can figure out how to subvert it. Symantec and McAfee can scan files for viruses the same way that Microsoft's security tools will, and the same way that Sophos' tools will, by hooking in to documented, standard, supported APIs.

I guess McAfee and Symantec will have to send their developers on a training course, to learn how to straighten up and fly right, rather than achieve all their goals by hacking around the OS.

How to be a security expert

There are two ways to be a security expert.


First, the bad way:


Publish articles saying “you should do things like I say, because I’m a security expert, and this is how you secure computers”.


Then, the good way:


Answer questions that people throw at you with other questions. Here are some example questions you might try:


  • What’s the risk you’re trying to protect against?
  • Is the risk likely / realistic?
  • What’s the benefit of protecting against the risk?
  • What damage could be caused if you don’t protect against the risk? [Can the CEO go to jail? Maybe that's a risk worth taking!]
  • How many different ways can we protect against the risk?
  • What is the cost of protection?
  • What are the side-effects of protection? [Technically, side-effects are often 'costs', but can be benefits in themselves.]

There are further depths to which you can refine these questions – for instance, consider potential risks and damage in terms of compliance regulations and sanctions, business costs, public relations, technical effort, etc.


In the Information Security field, we often get so wound up in our own technological solutions that we lose sight of the problem we were trying to solve, or the magnitude of it.

I always thought Preston Gralla was an idiot

Right from the first moment he gave my software, WFTPD, a negative review whose contents indicated he was confusing it with a completely different piece of software, I knew Preston Gralla was an idiot.

Every so often, I forget about him, because he's at least a relatively inconsequential idiot. He's not Steve Gibson, whose legions of fans hang on his every word, no matter how hyperbolic, contrived, unoriginal (unoriginal, yet claimed to be "unique" and "brand new") or incorrect.

Then again, every so often, I am reminded.

Last time was his "6 Steps To Protect Your Wireless Network", which, as I pointed out in "Wireless Security", overlaps significantly with "The six dumbest ways to secure a wireless LAN".

Today's is "", in which he states (as the whole basis for his article):

In Internet Explorer 6, you are able to customize your toolbar by adding buttons, removing buttons, changing their appearance, and so on.

Don’t look for that feature in Internet Explorer 7. It’s not there any more.

Uh… yeah.

So, when you select "Tools", then "Toolbars", and finally "Customize…", what you are looking at is a mirage. The apparent ability to remove, add, move all those toolbar buttons around is completely absent.

Maybe Preston's confused because it's no longer on the View menu. A "Power User" who can't cope with the possibility that a feature has moved from one menu (which is now hidden) to a different one? That's like turning up your guitar amp, smacking your head against the strings, and calling it a "Power Chord". With power must come sophistication, or you're nothing more than an oafish brute.

In another part of his article, Preston says:

Internally, Microsoft has created a mythical typical user it calls “Abby” who knows very little about computers. It now targets the operating system and browser at this imaginary Abby, potentially leaving the rest of us out in the cold.

Clearly, Microsoft needs to create a new mythical user called "Preston". Abby could teach Preston a thing or two.

IE7 – the security update that isn’t

First, the big news – IE7 is now available for direct download.

I cannot recommend this update strongly enough. Go and get it.

My wife’s not into the security stuff as much as I am, so she recommends it purely on the basis that it’s a far improved user experience over IE6.

Me, I see how much it adds to your security – how many attacks have been simply stopped (or, at the very least gave me a prompt) by the IE7 beta versions.

A lot of press statements have said that this will be pushed as a security update. That’s not correct. It will be pushed as a high-priority update, but not as a security update.  That means it isn’t going to wait for the second Tuesday of the month, and it doesn’t have to be made available on the download pages at the same time as the automatic update is pushed out.

Download and test IE7 in your usual operations – if an app fails in IE7, you can spend some time getting it to work, or remove it and use IE6 again. While you do that, of course, you want to be pestering the vendor to get their app to work.

Your users who run with Automatic Updates enabled will be getting IE7 on November 1 (All Souls’ Day, or the Dia de los Muertos), by the current schedule. So, update in advance to prepare for this.

Even though a number of vendors (hello, Intuit!) have stated that they will not support IE7, many of their applications just plain work anyway.

How Apple keeps the statistics favourable

Apple does its job to make sure that you'll see more viruses on Windows than on a Macintosh.

My favourite quote – "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."

According to McAfee, this virus infects due to a user's insertion of a removable drive carrying the virus, and "the user agrees to the auto run prompt for execution of the worm".

Uh.. so I guess that line should be "As you might imagine, we are upset at Windows for automatically running the software we approve it to run, and even more upset with ourselves for distributing it through shoddy practices and a lack of scanning or clean-room preparation of these devices."

At least Apple isn't asking for access to patch the Windows kernel.