Tech Tips, News and Tribal Knowledge

All the news that fits!

The Business Case for Data Lifecycle Management

In many organizations, employees have an almost unrestricted ability to create and store virtually any kind of data, be it in the form of audio, graphics, text or video.  This has led to the dramatic growth of the storage necessary to house this data.  With the implementation of new technologies such as SharePoint and Livelink, data growth will continue unabated until measures are put into place to control data sprawl.  Although storage density is continually increasing, while at the same time becoming less expensive per gigabyte, simply adding more and more storage is not only costly, but is also a major contributor to the problem.

One of the potential issues of data sprawl is the loss of data relevancy.  As the volume of historical data increases within the active data set, a smaller and smaller percentage of that data is relevant and timely.  When the active data set becomes a very small percentage of the total, finding and retrieving active documents becomes tedious and time consuming.  If data is difficult to find and retrieve, it ultimately leads to the unintentional duplication of the data when users are forced to create additional copies that are easily accessible for them.  This behavior best serves the data de-duplication and storage vendors.


Does Stuxnet herald the end of the digital certificate

This post is Part I of a two-part post investigating the significance of the recent exploit involving the W32.stuxnet trojan.

Part I – Background of SCADA and the Stuxnet trojan
Part II – Stuxnet and the demise of the digital certificate

On July 17th, Siemens AG warned their customers of a sophisticated virus, since named Stuxnet, targeting their Windows SCADA control software, Simatic WinCC.  SCADA, which stands for Supervisory Control and Data Acquisition, is a centralized system used to control and monitor complex production systems usually dispersed over a large area.  The systems SCADA manages are industrial, manufacturing, production and infrastructure applications such as refining and power generation.

While not commonly known to the general public, SCADA is ubiquitous in industries and organizations that must control extremely large integrated systems such as subways and water works.  SCADA accomplishes this using RTUs, or remote terminal units, which employ sensors that monitor process metrics and then forward that information to the central supervisory unit.  In the case of Siemens’ SCADA system, this unit is controlled by a Windows PC running the Simatic WinCC program, which provides the visualization, or human-machine interface (HMI); that is, it is the system operator’s primary interface with the SCADA system.


Passphrases a better choice for the security conscious

Can’t remember that pesky password?  Then try passphrases instead!  Did you know that Active Directory network login systems will accept passwords with spaces in them?  This means you are not limited to a single complex word for your password; you can enter an easily remembered sentence instead.

A good passphrase consists of five to six words, usually arranged as an easily remembered sentence.  For example, “All good cats chase mice.” is a good passphrase, especially if you add some punctuation.  In fact, an easily remembered passphrase of five or six words can be as strong as a random nine-character password.

Not only are passphrases easier to remember, they are much more secure than any password the average user can remember.  It is said that humans have the ability to remember a block of characters no longer than seven, plus or minus two.  The reason we can remember phone numbers is because we break them down into smaller blocks.  It is much easier to remember 555-483-9576 than 5554839576.  Passphrases break down a complex password in much the same way.

Since it is so difficult to remember long, complex passwords, most people use very short, easily guessable passwords.  Unfortunately, short and simple passwords of seven characters or less are easily cracked.  A simple password like “RedSox1” can be brute-forced, meaning all possible combinations of characters are tested, in about fifteen days.  But that doesn’t tell the real story.  If the cracker has employed a more sophisticated application that uses predictive algorithms or a time-memory tradeoff mechanism like Rainbow Tables, a password like the one above would be cracked in less than one second.

Simply adding an additional character or two will significantly increase the time required to discover the password.  Working through all possible combinations of a random nine-character password would take well over six thousand years.  But who can remember a nine-character password?  Imagine sitting at your desktop and trying to type in “f@RVy&Tc7” every morning!  So if that’s too daunting a task, passphrases are your answer.

While some may find that creating good passwords or passphrases is a chore, remember, in addition to your responsibility to protect your company’s corporate assets, your own assets are also at risk when you use weak passwords.  It’s not your e-mail or Facebook login the crackers are after; it’s your bank account.  Since many users use their company’s PCs to do their banking, or pay the bills, getting that login password puts the hacker one step closer to your money.  So remember, when your computer prompts you it’s time to change your password, choose an easy to remember passphrase instead!

Note: All crack times derived from the Password Cracking Spreadsheet available from SANS.  Parameters supplied were one computer searching the entire key space at a testing rate of 2.8 million keys per second.
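
The crack times quoted above can be reproduced from the note's testing rate. The following is an added example, not part of the original post or of the SANS spreadsheet: it assumes a 62-character alphabet for “RedSox1” and the 95 printable ASCII characters for the nine-character password, and it counts passphrase words as drawn at random from a word list of assumed size, which a grammatical sentence will not match.

```python
import string

RATE = 2_800_000                      # keys/second, from the post's note
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Character classes an exhaustive search has to cover, with their sizes.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),   # 32 ASCII symbols plus the space
]


def alphabet_size(password):
    """Size of the alphabet implied by the character classes in use."""
    return sum(size for chars, size in CLASSES
               if any(c in chars for c in password))


def full_search_seconds(password, rate=RATE):
    """Time to test every candidate of this length over that alphabet."""
    return alphabet_size(password) ** len(password) / rate


def words_to_match(password, wordlist_size):
    """Fewest randomly chosen words whose keyspace covers the password's."""
    target = alphabet_size(password) ** len(password)
    count = 1
    while wordlist_size ** count < target:
        count += 1
    return count


if __name__ == "__main__":
    short, rand9 = "RedSox1", "f@RVy&Tc7"     # both taken from the post
    print(f"{short}: alphabet {alphabet_size(short)}, "
          f"{full_search_seconds(short) / SECONDS_PER_DAY:.1f} days")
    print(f"{rand9}: alphabet {alphabet_size(rand9)}, "
          f"{full_search_seconds(rand9) / SECONDS_PER_YEAR:,.0f} years")
    for size in (2048, 4096, 7776):           # assumed word-list sizes
        print(f"{size}-word list: {words_to_match(rand9, size)} random words")
```

These are full key-space searches at a single fixed rate, as in the note; the average case is half that time.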


Quest Security Explorer for SharePoint – Invalid Pointer

I found a bug today in the Quest Security Explorer 7.0.0 for SharePoint 2007.  If you create a document library with a forward slash in the name, the application will prompt for a logon and after several unsuccessful tries, it will return a message box stating “Error: Invalid Pointer.”  At this point, you will need to click on the root site and hit F5 to refresh the perms.

You will also have difficulty if you attempt to back up the permissions of any site that has a document library, or probably any securable object, that has a forward slash in the path.  The backup will proceed normally until it hits the errant object.  It will then ask you for authentication and finally give up the ghost with the error:

“[-2146233088] Exception of type ‘ScriptLogic.Common.SharePointAccess.Node+AuthenticationException’ was thrown.”

 So, if you use the Quest product for permissions management, don’t create document libraries that contain a forward slash “/” with names like “My Docs/Under Review.”  

I’m going to open a ticket with Quest / ScriptLogic later this week.  I’ll post any additional info I receive from them.

UPDATE:

Apparently Quest is aware of this issue and they have created a tech note in their support database.  Their workaround is to remove all forward slashes from document libraries and lists.  However, if you really want to use the forward slash in your system, it is possible to continue to use the forward slash in your navigation links.

  1. Create your document library using a forward slash.
  2. Navigate to your document library and open your library’s settings page.
  3. Select “Title, Description and Navigation.” 
  4. Remove the forward slash from the “Name” field and save. 
  5. Open your “Site Settings” page and select “Navigation” under the “Look and Feel” section.
  6. Find your site link and add the slash back into the “Title” field.
  7. Click “OK” and close the “Navigation” page.

Your document library link will now contain the forward slash as  before and Security Explorer will be able to parse the object properly. 


Linking to File Shares from SharePoint Document Libraries

Ever wished you could link directly from a SharePoint document library to a file or file share?  Well, here is a code snippet that allows you to specify the file:// prefix as well as http:// or https://.  It accomplishes this by altering the input checking on the newlink.aspx found in your layouts directory.

While you can always use the page viewer web part to accomplish the same thing, this method will allow you to mix SharePoint documents and file server documents in the same library.

This method does require that you edit one of your layout files in the “…\12\TEMPLATE\LAYOUTS” directory, so make sure you back it up before you begin.

1) Add the content type “Link to a Document” to your document library. If the content type doesn’t exist, simply create it with Document as the parent.

2) Navigate to your “layouts” folder and edit the newlink.aspx. Add the following at the end of the script section near the top of the page:

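    // Replacement check for newlink.aspx: accepts file:// as well as http:// and https://.
    function HasValidUrlPrefix_Override(url)
    {
        var urlLower = url.toLowerCase();
        // search() returns -1 when the anchored prefix pattern does not match.
        if (-1 == urlLower.search("^http://") &&
            -1 == urlLower.search("^https://") &&
            -1 == urlLower.search("^file://"))
            return false;
        return true;
    }

3) Find each occurrence of the function HasValidUrlPrefix and replace it with HasValidUrlPrefix_Override.  It’s in there twice.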

4) Save and restart IIS.

Now not only can you add a link to an http:// or https:// page, the override function allows you to link to docs on a file share. Use a syntax of:  file://\\fileserver\filename.doc.

If you’d rather have it open a folder instead, create a shortcut to the folder in question and create your link like this:  file://\\fileserver\shortcutname.lnk

If you really want to get fancy, you can edit the wss.resx file at:  c:\Inetpub\wwwroot\wss\VirtualDirectories\<app name>\App_GlobalResources

Find the section named '<data name="newlink_badurl">' and change the value to read:  <value>Enter a valid document name and URL.  Valid URLs must begin with 'http:', 'https:', or 'file:'</value>

Remember to back up your layouts folder and wss.resx file before messing around in there!


SharePoint Designer 2007 is now free

Love it, or hate it, free is always a good thing!

Anyone interested in a free copy of SharePoint Designer can get it here:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=baa3ad86-bfc1-4bd4-9812-d9e710d44f42


E-mail sent to a SharePoint document library requires text in the message

I’ve recently e-mail enabled some document libraries on our SharePoint site and have noticed some odd behavior.  It seems that in order to send a document to the library, I need to actually have some content in the message.  If I simply attach a message, using Outlook 2007, without any accompanying text, the document disappears into SharePoint heaven never to be seen again.  It doesn’t seem to need a subject, just some text.  Even a single carriage return is sufficient.

I’m running the site using a least privileged model which requires me to add the contacts manually to AD.  Everything seems to work properly as long as I include some text.

I’m not sure if this is a SharePoint deficiency or an Outlook issue.  I will post a follow-up if I figure this out.


SharePoint Kerberos KRB_AP_ERR_MODIFIED Event ID 4

Recently I experienced some unusual Kerberos authentication issues with one of our SharePoint farms. Users accessing the farm using the Kerberos protocol would receive repeated logon dialog boxes from the front-end server. The prompts would continue even though the user was entering the proper credentials. These repeated logon attempts wouldn’t lock out the user account which indicated the logon never got past the front-end server. This behavior affected only those users authenticating to the farm using Kerberos. Any users authenticating to the farm using the NTLM protocol had no issues logging in. In addition, the following KRB_AP_ERR_MODIFIED error appeared in the event logs:


Troubleshooting Events 10016, 7888, 6482 and 6398 in SharePoint

After installing SharePoint using the least privileged model, you will undoubtedly find your event logs filled with errors. You will see dozens of 10016, 7888, 6482 and 6398 events, all with the red “X”, but don’t despair, you haven’t done anything wrong. If you have followed SharePoint best practices, the accounts you have used for your farm, shared services provider, default content access and application pools are all domain user accounts with no special rights or privileges. When installing MOSS under the least privileged model, these errors are expected. In order to eliminate the errors and finish your install, you need to complete three basic permissioning tasks before calling it a day.


Maybe Pretty Permalinks Are Better After All

After previously deriding the pretty permalinks mantra, I have finally decided to drink the “Kool-Aid.”  Although I’m still not convinced it will make any difference in search engine rankings, I do see the value of pretty permalinks in overall site design and organization.  There are two primary reasons I’ve decided to change the default permalink structure, neither of which has anything to do with search engine optimization (SEO).  The first, and most important, concerns how manually entered links back to my blog appear to potential readers.  The second involves the limitations imposed on site hierarchy when using the default permalink structure.
