Installing the Messaging Security Agent from the Security Dashboard

This week I upgraded the Trend Micro SMB installation on my “dog food” server to version 3.6. It kind of worked. The virus checking stuff upgraded nicely but the Messaging Security portion did not. I got this message, “Error 1923.Service Trend Micro Messaging Security Agent Remote Configuration Server(ScanMail_RemoteConfig) could not be installed”.

I researched the problem and it said I should check my privileges. After researching what privileges it was complaining about, I figured out that the privileges for the Administrator userid were just fine. So I rebooted and tried to install the Messaging Security portion again. I was unsuccessful but this time it told me to install it from the Security Dashboard. I don’t remember seeing that message before but I was game. After a little research I found these instructions on how to do this.

Installing the Messaging Security Agent from the Security Dashboard

These instructions were a little too short for me since the installation process asked me a few more questions than were included in the instructions. The installation process asked me which directory to install Messaging Security in and the “shared” directory. I was not sure what they wanted for the shared directory since this field was prefilled with C$. C$ looks like a “share” to me and I was clueless about a shared directory. If Trend Micro has a shared directory they want me to use, they hid it well. Since I was installing these files on my “H” drive, I assumed they wanted the “share” for the drive, H$. Anyway that is what I gave it. When I pressed the enter key, a screen showing the installation status popped up. The status screen updated several times over the next ten minutes before it finally completed. Now when I check the “Live Status” and “Security Settings” screens they show me that the Anti-spam is working. Since Microsoft’s Intelligent Messaging Filter catches most of the spam for my “dog food” server I got through this unscathed.

Free Firewall Software – Comodo™ Firewall

Comodo Free Firewall Version 2.4

It’s Free. Forever. No Catch. No Kidding

Comodo Firewall Pro

The Award-Winning Comodo Firewall Pro
  • PC Magazine Online’s Editor’s Choice
  • Secures against internal and external attacks
  • Blocks internet access to malicious Trojan programs
  • Safeguards your Personal data against theft
  • Delivers total end-point security for Personal Computers and Networks

Install now for out-of-the-box protection against identity theft, hackers, Trojans, scripts and other unknown threats

Free Firewall Software – Comodo™ Firewall

Yesterday I decided to upgrade my Trend Micro SMB software to version 3.6. While I was at it I decided to give their firewall another tryout. I was using Microsoft’s firewall so there must be something better. Within a few minutes I remembered why I was not using Trend’s firewall. Microsoft’s firewall is much easier to configure. If you have a bunch of exceptions to the rule, Trend Micro’s firewall is best forgotten.

Since I knew that there had to be a better firewall out there, I started looking around. Zonealarm is the traditional favorite. Comodo has a nice firewall that received some nice reviews recently and it is free, so I decided to give it a try. Since the online threats have morphed over the years I wanted a firewall that was easy and flexible to configure, had some built-in monitoring, and incorporated some application level filtering. The old port blocking firewalls are not very adept at catching the new online threats which take advantage of ports that are normally open (e.g. http, port 80). It takes some application level filtering to catch the new threats. Comodo’s application level functionality reminded me of Microsoft’s ISA firewall. Microsoft’s ISA is a more robust product but Comodo’s application filtering looks pretty good.

Downloading and installing the program was easy. Configuring the program took me a lot longer since my laptop has an Apache web server, an FTP server, a MYSQL server, a Subversion server, and a VMware server on it and I wanted to restrict the access to these servers. The firewall will prompt you to add rules for specific programs. You can use the rules that the firewall creates but they were too general for me. So I changed them to be more specific. I restricted the ports and destinations available in each rule. My servers are for testing and development so there is no need to expose them to the world. Along the way I found out that I have a lot of chatty programs I have been ignoring and Google Desktop is the biggest culprit. It is amazing how many programs have to call home.

So far I have been impressed with the firewall. It’s got great flexibility and monitoring capability. This is a nice addition to a layered approach to security.

Need to archive?

From Susan Bradley’s blog (aka SBS Diva) comes…

I have rec’d an email from one of my clients saying that he needs to recover email from 2005 in regards to a lawsuit. There is barely a backup plan in place. It holds backups of everything for a few days only, written only to an external hard drive. I don’t think our users have any idea what pst files are. Is there anything inherent to SBS2003 that would help? Are there any products you recommend for the future?

There was never any requirement for archiving purposes in the past so no company policy was forwarded to me. So I don’t think there is any way that I am liable.

First off you are not. Secondly, you are only required to do your best efforts to recover that email. In a typical SBS network here are the forensic places that email will land.

First off, when email comes into the server (assuming you’ve set it up so that the SBS holds the email and it grabs the email), it dumps it into the Exchange store. When your end users read their email and hit the delete key in their personal email boxes, it doesn’t really “delete” the email but rather it merely moves it to the deleted email folder. Unless you set a rule to delete that email, chances are, that email of 2005 might be there. If someone has deleted the email, then it sits on the server in the mail store for 30 days before it truly and utterly gets deleted.

If your clients use the default SBS mailbox setup, they don’t have pst’s but rather ost’s that the SBS box sets up automagically as part of its Cached mode setup. Outlook has a rule set up (I’ve forgotten when it kicks in) of prompting you every now and then “do you want to archive your email”. Once again, it won’t truly delete the email, but will move it to an archive folder.

You might find it easier to get onto their ‘exact’ profile to see the Outlook folder structures they have on the local system as well as the files on the server.

But last but not least, you are only required to make a reasonable effort to recover this. If your policy is to NOT store emails, then you can’t be liable if you can’t find them. Where you get into issues (as in Enron/Arthur Anderson) is when you have a policy regarding email (or any correspondence for that matter) and don’t follow it. If you say you are going to delete after 30 days and don’t, or retain all email regarding X client and don’t, that’s when it’s an issue.

Remember that the new Federal Rules of Evidence kick in when you get a lawsuit in Federal Court. At THAT time you need to ensure that all electronic documentation is maintained.

But have a long term need to archive? Check out Message Journaling (native), check out GFI (third party) http://www.gfi.com/mailarchiver/

Computers do add some nuances to rules of evidence and you can see in these articles – http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1253827,00.html and http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm

Link to Susan Bradley’s “Need to archive” article

Don’t Panic, But New Discovery Of Electronically Stored Information In Litigation Rules Now Apply :: WRAL.com

Link to Don’t Panic, But New Discovery Of Electronically Stored Information In Litigation Rules Now Apply :: WRAL.com

Today I read a post over on Susan Bradley’s blog about the need to archive and I remembered this article. This article is a couple of months old and was written by lawyers practicing in the ESI area. It provides a nice overview of the discovery rules and the problems the lawyers are facing. Once you have a grasp of the discovery rules, it is much easier to recommend the policies and tools that will help you and your clients create an ESI plan/policy that will reduce the impact of discovery requests in the future. The final step is for your clients to run the ESI plan by their lawyer.

Safeguards For RIAA Hard Drive Inspection

NewYorkCountryLawyer writes

“In SONY v. Arellanes, an RIAA case in Sherman, Texas, the Court entered a protective order (PDF) that spells out the following procedure for the RIAA’s examination of the defendant’s hard drive:

(1) RIAA imaging specialist makes mirror image of hard drive;

(2) mutually acceptable computer forensics expert makes two verified bit images, and creates an MD5 or equivalent hash code;

(3) one mirror image is held in escrow by the expert, the other given to defendant’s lawyer for a ‘privilege review’;

(4) defendant’s lawyer provides plaintiffs’ lawyer with a ‘privilege log’ (list of privileged files);

(5) after privilege questions are resolved, the escrowed image — with privileged files deleted — will be turned over to RIAA lawyers, to be held for ‘lawyers’ eyes only.’ The order differs from the earlier order (PDF) entered in the case, in that it (a) permits the RIAA’s own imaging person to make the initial mirror image and (b) spells out the details of the method for safeguarding privilege and privacy.”

Link to Safeguards For RIAA Hard Drive Inspection

This fascinating description highlights a procedure being used on discovery requests to reduce privacy concerns of the defendant.
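Step (2) of the order, the “verified bit images” with a hash, is the part an examiner can script. Added here as an example (not code from the post or the court order): record the hash of the original image once, then re-check every copy against it, so the escrowed and defence copies can be shown to be identical to the original and any later alteration is caught. It uses sha256sum as the “equivalent” of MD5; the image files it creates are constructed sample data, not real disk images.

```shell
#!/bin/sh
# Added example (not from the post): verifying bit images against a recorded hash.
# sha256sum stands in for "MD5 or equivalent". Sample files are constructed data.

# Record the hash of a freshly made image so it can be checked later.
record_hash() {            # record_hash IMAGE HASHFILE
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# Return 0 if IMAGE still hashes to the value in HASHFILE, 1 otherwise.
verify_image() {           # verify_image IMAGE HASHFILE
    expected=$(cat "$2")
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Return 0 only if every copy matches the recorded hash; print the first
# mismatch so the examiner knows which copy (escrow or defence) has drifted.
verify_copies() {          # verify_copies HASHFILE IMAGE...
    hashfile=$1; shift
    for img in "$@"; do
        verify_image "$img" "$hashfile" || { echo "MISMATCH: $img"; return 1; }
    done
    return 0
}

# Demo on constructed data: an "original", two bit copies, then one copy altered.
demo() {
    dir=$(mktemp -d)
    printf 'constructed sample disk image\n' > "$dir/original.img"
    dd if="$dir/original.img" of="$dir/escrow.img"  bs=512 2>/dev/null
    dd if="$dir/original.img" of="$dir/defence.img" bs=512 2>/dev/null
    record_hash "$dir/original.img" "$dir/original.sha256"
    verify_copies "$dir/original.sha256" "$dir/escrow.img" "$dir/defence.img" \
        && echo "both copies verified"
    printf 'x' >> "$dir/defence.img"     # simulate a copy touched after imaging
    verify_copies "$dir/original.sha256" "$dir/escrow.img" "$dir/defence.img" \
        || echo "tamper detected"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```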

TrueCrypt 4.3

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted drive. On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password or correct…

Link to TrueCrypt 4.3

I have been using TrueCrypt for over a year on my laptop. I keep my QuickBooks and other sensitive files in it. My assumption has always been that if my laptop is stolen my XP login password would be cracked pretty easily. Ophcrack showed me how easily it can be done. My other assumption is that breaking into TrueCrypt would be way too hard for most thieves. I highly recommend TrueCrypt.

Security Settings tabs do not respond after installing CSM on Windows2003/SBS 2003 with SP1

Solution Details
The Security Settings tabs do not respond after installing CSM on Windows2003/SBS 2003 with SP1.

I finally found this article. I do not use TrendMicro’s Dashboard very often but it has been a problem for me. Sometimes it would work. Sometimes it would not work. I did not think I had done anything wrong but I was not sure. Since I push the lower limits of the hardware requirements on my server, I did not push the issue with TrendMicro. When I checked my “Web Sites” settings as indicated in this article, they were set to compress application files. So I unchecked the block and clicked OK. Now the Security Settings tab in Dashboard works consistently for me.

Gpg4win – EMail-Security using GnuPG for Windows

Gpg4win – EMail-Security using GnuPG for Windows

Today I upgraded from 1.0.1 to 1.0.3 and experienced problems verifying files. I could not verify a file with GPGee or WinPT. The files had been verified under 1.0.1. GPGee said I had an invalid key and WinPT did not show any results. GPA did verify the file. I re-installed a second time with an uninstall, reboot, and install to see if it was an installation error by me. I got the same errors. I have reinstalled 1.0.1 and it verifies the files again.

TrueCrypt 4.2a updated

TrueCrypt v4.2a
TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted drive. On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password or correc…

This is an open source program I use every day. I think it is essential for your sensitive data if you still run your laptop with XP Home.

Helix – Incident Response and Computer Forensics Live CD by e-fense™, Inc.

Helix – Incident Response & Computer Forensics Live CD by e-fense™, Inc.

I was researching the Linux command, dd, and GParted because I wanted to migrate some data on old disk drives to my new disk drive and to see if I could copy a drive and debug a hardware/software problem on a PC I am working on. There are existing Windows solutions but I was curious about the state of the art on Linux.

I originally tried Ubuntu but GParted did not copy the partition for me?! I then went to the GParted Live CD and it worked for the NTFS partition I was playing with. The Linux partition was a bit more complicated. It is the LVM partition I used for my Fedora Core 4 installation and GParted will not copy LVM partitions. Hmm…bummer!

I briefly tried the LVM commands to add a new LVM physical drive to the volume group and move the data from the existing LVM physical drive to the new drive. It did not work for me, but with some more work I am pretty sure I could make it work since that is one of the things LVM should be able to do. However, my interests in cloning the drive were very similar to copying the drive for forensic work so I decided to see what the pros use for creating copies of disk drives. That led me to Helix.

I had previously downloaded and played with Helix 1.5 and 1.6. Helix 1.6 (Knoppix) had problems with correctly recognizing my CD-ROM so I downloaded the newest version to see if it did a better job with the CD-ROM and to see if they had a frontend tool for dd/dcfldd. The CD-ROM worked and I found a frontend acquisition tool called Adepto. Adepto is an improved version of AIR – Automated Image and Restore, which is also on the disk. So I cloned the old hard drive.

Mounting the cloned drive was a little hard under Helix. I had to:

sudo vgscan
sudo vgchange -a y

before I could:

sudo mount /dev/VolGroup00/LogVol00 /media/sda3

Mounting the partition under Ubuntu was much easier. Now to go clone a copy of the PC’s disk drive I want to troubleshoot.
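The three commands above mount the clone read-write, which is fine for a migration but not when the clone is the forensic copy you just made: a read-write mount updates access times and replays the ext3 journal, changing blocks on the evidence. Added here as an example (not from the post or from Helix): the same vgscan / vgchange / mount sequence, wrapped so the volume is mounted read-only with no journal replay. It assumes the volume is ext3 (the Fedora Core 4 default); the VG, LV and mountpoint names are the post’s own, and DRY_RUN=1 prints the commands instead of running them (they need root otherwise).

```shell
#!/bin/sh
# Added example (not from the post): activate a cloned LVM volume and mount it
# read-only for examination. Assumes ext3 on the LV; set DRY_RUN=1 to only print.

run() {                    # run CMD... : execute, or echo the command when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Activate the volume group, then mount one logical volume with:
#   ro      - never write to the clone
#   noatime - no access-time updates, even if ro is ever relaxed
#   noexec  - nothing on the evidence volume runs on the examiner's machine
#   noload  - ext3/ext4: do not replay the journal, which would modify blocks
mount_clone_ro() {         # mount_clone_ro VG LV MOUNTPOINT
    vg=$1; lv=$2; mnt=$3
    run vgscan                          || return 1
    run vgchange -a y "$vg"             || return 1
    run mkdir -p "$mnt"                 || return 1
    run mount -t ext3 -o ro,noatime,noexec,noload "/dev/$vg/$lv" "$mnt"
}

# Undo in reverse order once the examination is finished.
umount_clone() {           # umount_clone VG MOUNTPOINT
    run umount "$2"                     || return 1
    run vgchange -a n "$1"
}

if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1 mount_clone_ro VolGroup00 LogVol00 /media/sda3
    DRY_RUN=1 umount_clone VolGroup00 /media/sda3
fi
```

Run with `--demo` to see the exact commands without root; drop DRY_RUN and run as root on the Helix box to apply them.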

NewsForge | Portable open source software

NewsForge | Portable open source software

Since I use several of the open source packages on this list, I have to say that I approve of the selections and will take a look at the ones I do not presently use. For the ultimate in portability I have Firefox and Open Office installed on a USB stick. Most of the packages I use lean toward enhancing security via encryption. Some of the packages on the list I use are:

  • KeePass – password manager
  • TrueCrypt – encrypted file system

Some of the other open source packages listed at the bottom that I use are XAMPP and Notepad++. Although it is not open source, VMplayer/VMServer really helps in this area by allowing you to run Linux on a virtual machine and reach the rest of the open source universe.

Ophcrack 2 — The fastest Windows password cracker

Ophcrack 2 — The fastest Windows password cracker
The Ophcrack LiveCD is a bootable Linux CD-ROM containing ophcrack 2.2 and a set of tables (SSTIC04-10k). It allows for testing the strength of passwords on a Windows machine without having to install anything on it. Just put it into the CD-ROM drive, reboot and it will try to find a Windows partition, extract its SAM and start auditing the passwords.

I downloaded the iso, burned the CD, and tried it on my son’s PC (W2K Pro), my laptop (XP Home) and my desktop (XP Pro). It was impressively fast at figuring out my local Administrator passwords. Naturally it does not know about the network password since it is not stored locally. I had to run it manually on my desktop since it is a dual boot machine and Ophcrack did not detect the NT partition with Windows on it.

SourceForge.net: KeePass 1.04 released

SourceForge.net: KeePass 1.04 released

Version 1.04 is mainly a feature release. The auto-type features have been enhanced (most notably there’s now an entry selection dialog displayed when multiple entries match), improved TAN handling (new display, support of indexed TANs, …) and the user interface has been improved.

I have been using this program for about a year since I have so many passwords to keep track of. This entry selection dialog is an improvement I can really use and appreciate. I have several entries for EFTPS and Ohio Business Gateway for which I previously could not use the auto-type feature. This feature saves me from a couple of copy and paste key strokes. It is not a big deal but it was annoying/inconvenient.

Review of KeePass Password Safe

I have been using Password Safe the last couple of months to help manage my passwords. It has done a fine job. Yesterday I saw another open source password manager was released so I decided to check it out. It is called KeePass and you can find it here. It does everything Password Safe does and a couple of things more. KeePass appears to have better encryption although I am no expert and really don’t care. The feature that caught my interest was the ability to open urls in the web browser and fill the normal username and password fields. It worked for several of the urls I tried. It did not work on all of them. Still it could be a minor time-saving feature that may encourage me to use more difficult passwords (i.e. random). I was very pleased that my exported passwords from Password Safe imported into KeePass without a problem.