Monthly Archives: October 2011

Facebook – Avoid ChatSend application

Sunbelt security has issued a warning for the ChatSend application.  It installs toolbars for all popular browsers and changes the user’s home page.  It then generates spammed messages extensively within Facebook.  It is difficult to remove once installed and should be avoided if offered by any of your Facebook contacts.

Facebook – Avoid ChatSend application

QUOTE: There’s a program called ChatSend currently doing the rounds on Facebook, and at time of writing just over 114,000 people have hit the “Like” button which no doubt means a high proportion of that tally have downloaded and installed it. The link directs to the Facebook page of ChatSend where one can readily download the app. Upon execution, it shows a GUI containing its Terms of Service and Privacy Policy. The pre-ticked boxes will install the toolbar in all browsers, set web search as default and change the homepage.

Corporate Security Awareness – It is worth the effort and cost?

This SecuriTeam post debates some of the pros/cons of corporate security awareness.  Some firms rely solely on technology controls while others have a robust user awareness program.  Somewhere in the middle is a good balance as both technology and the user play an important role in safeguarding the company’s information resources.   I would personally vote “YES” having seen direct and measurable benefits from past security awareness campaigns

Corporate Security Awareness – It is worth the effort and cost?

QUOTE: Is security awareness “worth it”?  Is security awareness “cost effective”?  Well, we’ve been spending quite a lot on security technologies (sometimes just piecemeal, unmanaged security technologies), and we haven’t got good security.  Three arguments in favour of at least trying security awareness spending:

1)  When you’ve got two areas of benefit, and you are reaching the limits of “diminishing returns” in one area, the place to put your further money is on the one you haven’t stressed.

2)  Security awareness is mostly about risk management.  Business management is mostly about risk management.  Security awareness can give you advantages in more than just security.

3)  Remember that the definition of insanity is trying the same thing over and over again, and expecting a different result.

Reading the hosts file–revised

Quick revision to the post on reading the hosts file

I wanted to be able to display the whole file

function get-hostfilecontent {            
 param ([switch]$all)            
 $file = Join-Path -Path $($env:windir) -ChildPath "system32driversetchosts"            
 if (-not (Test-Path -Path $file)){            
   Throw "Hosts file not found"            
 $cont = Get-Content -Path $file             
 if ($all) {            
 else {            
   $cont |             
   where {!$_.StartsWith("#")} |            
   foreach {            
     if ($_ -ne ""){            
       $data = $_ -split " ",2            
       New-Object -TypeName PSObject -Property @{            
         Server = $data[1].Trim()            
         IPAddress = $data[0].Trim()            

so added an $all switch.  If this is selected the full contents of the file are displayed otherwise just the IP address entries are displayed as before

Windows 2008 R2 Hyper-V security Hardening Guide

Securiteam blogs has published an excellent security guide for hardening Microsoft’s Hyper-V virtual environment

Windows 2008 R2 Hyper-V security Hardening Guide

QUOTE: Virtual Machine Servicing Tool 3.0 helps to update offline virtual machines, templates, and virtual hard disks with the latest operating system and application patches. Authorization Manager provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions.

Halloween 2011 – More online Tricks are circulating than Treats

Please be careful with email, weblinks and Facebook as malicious threats are circulating. Several security firms are warning of online dangers:

Halloween 2011 – More online Tricks are circulating than treats

QUOTE: Halloween is fast approaching and it’s that time of the year when scaring people is the most popular form of entertainment. However, not all spooks this season may end up in good-natured merriment. Cybercriminals may take this opportunity to scare users with their tricks, which include spammed messages, poisoned search results, spammed tweets with dubious links and Facebook clickjacking attacks. If not wary of these schemes, users may end up becoming victims of information theft, system infection, and even financial loss.

VMware – Security Blog and Key Resources

Below are key security resources for VMware found during recent research:

VMware – Security Blog

VMware – Security Center

QUOTE: VMware offers secure and robust virtualization solutions for virtual data centers and cloud infrastructures, and has both the technology and the processes to ensure that this high standard is maintained in all current and future products. VMware virtualization gives you:
  • Secure architecture and design: Based on its streamlined and purpose-built architecture, vSphere is considered by experts to be the most secure virtualization platform.
  • Third-party validation of security standards: VMware has validated the security of our software against standards set by Common Criteria, NIST and other organizations.
  • Proven technology: More than 250,000 customers—including all of the Fortune 100 as well as military and government installations—trust VMware to virtualize their mission-critical applications.

Multiple value query in WQL

A simple query that demonstrates how to query for multiple values. We want to stop the running services that are running where the names a like BITS and WinRm

Get-WmiObject -Class Win32_Service -Filter "State=’Running’ AND Name LIKE ‘%BITS%’ OR Name LIKE ‘%WinRM%’" |
Invoke-WmiMethod -Name StopService


Define the service state and use AND to link to the names and then OR to say you want name A or name B.  If it is easier to visualise use the syntax like this

Get-WmiObject -Class Win32_Service -Filter "State=’Running’ AND (Name LIKE ‘%BITS%’ OR Name LIKE ‘%WinRM%’)"


It does work!


To restart the services

Get-WmiObject -Class Win32_Service -Filter "State=’Stopped’ AND Name LIKE ‘%BITS%’ OR Name LIKE ‘%WinRM%’" |
Invoke-WmiMethod -Name StartService

Logging non-contactable systems

In this post – – I showed how to get the date of the last update applied to a system.  A comment was posted asking how to log machines that can’t be contacted

".", "rslaptop01", "" | foreach {              
    if (Test-Path -Path hotfix.log){Remove-Item -Path hotfix.log -Force}            
    if(-not(Test-Connection -ComputerName $_ -Count 1 -Quiet)){            
      Add-content -Path hotfix.log -Value "Could not contact $($_) at $(get-date)" -Encoding ASCII            
    else {            
      Get-HotFix -ComputerName $_  |              
      Where {$_.InstalledOn} |              
      sort InstalledOn -Descending |              
      select CSname, @{Name="Installed";              
      Expression={"{0:dd MMMM yyyy}" -f [datetime]$_.InstalledOn.Tostring()}} -First 1             

Simply add a couple of lines to run Test-Connection and if you don’t get an answer then write out to a log file.

Clearing hosts file

We seen how to delete a single entry from the hosts file – this is how we clear all entries

function clear-hostfilecontent {            
 param ()            
 $file = Join-Path -Path $($env:windir) -ChildPath "system32driversetchosts"            
 if (-not (Test-Path -Path $file)){            
   Throw "Hosts file not found"            
 Write-Verbose "Remove IP Addresses"            
 $data = ((Get-Content -Path $file) -notmatch "^bd{1,3}.d{1,3}.d{1,3}.d{1,3}b")             
 Set-Content -Value $data -Path $file -Force -Encoding ASCII             


Don’t bother with parameters and change the regex to pick off any lines that don’t start with an IP address (or at least the pattern that represents an IP address).  Write the data back to the file.  I’ve used ASCII encoding on these because the default is Unicode which uses 2 bytes per character and isn’t really usable.

Heads-UP DST Cancellation in Russia and some other countries

Heads-UP, friends. Even if you have already installed the patches for every Windows Server and every Exchange 2007, there still is more to do. Microsoft has issued Rollup 6 for Exchange 2010 SP1 which contains one more update to your CAS servers which affects DST cancellation. If you still see +3 time zone for Russia and other countries then you need to install it.

Here is the Rollup:

And here is the KB about problem with CAS Servers:

I Hope you’ll get fine through all this stuff =)

Recent Comments