Category Archives: Security

Digital Forensics and Search and Seizure

The Fourth Amendment site has posted an interesting ruling in a search and seizure case involving digital forensics.

United States v. Stewart, 2010 U.S. Dist. LEXIS 50876 (E.D. Mich. May 24, 2010)

A laptop searched at the border turned up illegal data. A second laptop had no power and no adapter, so it was instead seized and taken to a lab where further examination could be performed. This led to a Fourth Amendment challenge to the search.

The US District Court just ruled that law enforcement needs to show “a particularized and objective basis for suspicion” to be allowed to move data/devices to forensic labs.

If you see something, think twice about saying something

Bruce has quoted a poem in his blog post for today:

If you see something,
Say something.
If you say something,
Mean something.
If you mean something,
You may have to prove something.
If you can’t prove something,
You may regret saying something.

I think the best lines are actually

If you shoot something,
Eat something.
If you eat something,
Floss something.

Bruce brings forward a story about a man who has been accused of the equivalent of crying wolf. This is only slightly removed from yelling fire in a crowded theater. Apparently this man left a bag full of papers and then tried to call in a bomb threat.

My favorite lines are good security references too, but have little to do with the particular philosophical example of fraud and risk to the public.

Bruce often says if you ask amateurs to help with security work then expect amateur results. I think his post today is meant to support this.

I disagree for several reasons. One, intelligence functions best with a network of inputs rather than in isolation. There is always chatter and noise, but go for too much squelch and you lose vital signal. Two, experts all were once amateurs. Why not embrace and provide the opportunity? Three, the definition of expert is rarely accurate, especially with rapidly changing technology — kids can become more “expert” than even “trained” professionals — so who decides? Etc.

This takes me back to the customized billboards I created some time ago.

50% reCaptcha Failure

Ever wonder why you are offered two separate words in the reCaptcha box? They call it a “free anti-bot service that helps digitize books”. What they really mean to say is that if you type in two words, one of the words will help you and the other word will help them.

The security implication is that only one of the two words is the real anti-bot test. The other word is there to help them fix words in their scanned book images that OCR could not read.

reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA. This is possible because most OCR programs alert you when a word cannot be read correctly.

One word they already know; the other they are trying to decipher. Type two random words and you fail, because the known word is wrong. Type one random word and the real word for the other, and you pass whenever the word you guessed at was the unknown one, which, since you cannot tell the two apart, is about half the time (hence the title). When you do pass, the random word is what goes into their database for the unknown image.

Many years ago as a graduate student I worked on a Xerox implementation for the blind. Fellow blind students would scan books and then give me the output files to correct and verify. I built simple scripts with WordPerfect to look for the number 5, for example, and substitute for the letter s. It was not terribly sophisticated (I am no linguist) but it was enough to save me the trouble of reading every word of every page.

The reCaptcha effort seems to be headed in the same direction, but using human labor as the solution instead of algorithms. Although I can see why they find this attractive, it raises a question of trust: the answer for the unknown word cannot be checked, so the service has to decide how many strangers must agree before it believes them. It also raises the question of whether you want to bother typing both words or gamble on just one. Try it and see.
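To make the arithmetic of the one-word gamble and the trust problem concrete, here is a small model of a two-word verifier. This is an added example, not reCAPTCHA's code and not from the original post; the word lists, the junk string and the rule that an unknown word's reading is only believed once three passing solvers agree on it are all assumptions made for the illustration.

```python
"""Model of a two-word CAPTCHA verifier.  Added illustration; the word
lists, JUNK string and agreement threshold are constructed assumptions,
not reCAPTCHA's actual data or policy."""
import random
from collections import Counter

# Constructed sample data: words the verifier already knows the answer to,
# and OCR rejects whose true reading it does not know.
CONTROL_WORDS = ["morning", "harbour", "lantern", "quietly"]
UNKNOWN_WORDS = ["thistle", "embark"]
JUNK = "xyzzy"  # what a lazy or hostile solver types for the word it skips


class TwoWordCaptcha:
    """One control word is the real test; the other word is an OCR reject.
    A transcription of an OCR reject is only trusted once `threshold`
    solvers who passed the control word agree on it (assumed policy)."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.votes = {w: Counter() for w in UNKNOWN_WORDS}

    def challenge(self, rng):
        pair = [("control", rng.choice(CONTROL_WORDS)),
                ("unknown", rng.choice(UNKNOWN_WORDS))]
        rng.shuffle(pair)  # the solver cannot tell which slot is the control
        return pair

    def verify(self, challenge, answers):
        """True iff the control word matches.  The unknown word is never
        checked; if the control passed, whatever was typed for the unknown
        word is recorded as a vote on its reading."""
        typed = {kind: ans.strip().lower()
                 for (kind, _), ans in zip(challenge, answers)}
        words = dict(challenge)
        passed = typed["control"] == words["control"]
        if passed:
            self.votes[words["unknown"]][typed["unknown"]] += 1
        return passed

    def accepted(self, unknown):
        """Trusted reading of an OCR reject, or None until enough agreement."""
        if not self.votes[unknown]:
            return None
        reading, n = self.votes[unknown].most_common(1)[0]
        return reading if n >= self.threshold else None


def gamble_pass_rate(trials, seed=1):
    """Solver who types one word correctly and JUNK for the other, guessing
    which slot is the control.  Passes whenever the guess was right."""
    rng = random.Random(seed)
    captcha = TwoWordCaptcha()
    passes = 0
    for _ in range(trials):
        ch = captcha.challenge(rng)
        answers = [JUNK, JUNK]
        slot = rng.randrange(2)
        answers[slot] = ch[slot][1]
        passes += captcha.verify(ch, answers)
    return passes / trials


def transcriptions(honest, gamblers, seed=2):
    """Run `honest` solvers (both words right) and `gamblers` (as above, all
    typing the same JUNK) through one verifier and return the reading it
    ends up trusting for each OCR reject."""
    rng = random.Random(seed)
    captcha = TwoWordCaptcha()
    for _ in range(honest):
        ch = captcha.challenge(rng)
        captcha.verify(ch, [w for _, w in ch])
    for _ in range(gamblers):
        ch = captcha.challenge(rng)
        answers = [JUNK, JUNK]
        slot = rng.randrange(2)
        answers[slot] = ch[slot][1]
        captcha.verify(ch, answers)
    return {w: captcha.accepted(w) for w in UNKNOWN_WORDS}


if __name__ == "__main__":
    print("gambler pass rate:", gamble_pass_rate(2000))
    print("honest solvers only:", transcriptions(30, 0))
    print("coordinated junk only:", transcriptions(0, 60))
```

The first run is the gamble from the paragraph above: a solver who reads one word and types junk for the other passes roughly half the time. The second shows why trust matters: honest solvers converge on the true readings, but enough gamblers typing the same junk converge on the junk, so whatever agreement threshold the service picks, a coordinated group large enough to clear it decides what goes into the book.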

disk2vhd and Volume Shadow Copy Service errors

Microsoft has published a utility called disk2vhd.exe that is meant to make it easy to convert a physical Windows system into a virtual disk.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that is online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion.

A customer asked for help tracking down errors when they tried to use the utility. They were unable to get a snapshot started because it immediately posted a non-descriptive error. With a little sleuthing I found that disk2vhd.exe has quite a bit of trouble as a result of its dependency on the Volume Shadow Copy Service (VSS): if VSS cannot take a snapshot, disk2vhd cannot start. Here is how I located and resolved the VSS errors.

First, the Event Viewer is essential to unlocking problems on Windows. Open it (run eventvwr.msc) and review the Application log. Look for an error from source VSS. Then open the Services console (run services.msc), restart the “Volume Shadow Copy” service, and check the Application log again. You may see something like this:

Ignore the “more information” help link in the event details. It actually is no help. Instead, note Event ID 12302 and go to Microsoft knowledgebase article 907574:

You receive a “Volume Shadow Copy Service” error message and event 5013 or event 12302 is logged when you use the Backup feature in Windows XP or in Windows XP Tablet PC Edition 2005…

This problem occurs because the Location registry entry in the following registry subkey is incorrect or missing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs
This problem occurs when you uninstall a program that is listed in this registry subkey, but only the location information is removed from the registry subkey.

Follow the instructions for fixing or removing the bad subkeys. That worked on one system.

Another method to find errors is to check VSS operations with vssadmin.

Type “vssadmin list writers” at a command prompt and you may see this:

This brought me to the same Event ID but Microsoft proposed a different solution. Knowledgebase article 940184 covers how to clear and reset a failure in COM and VSS:

This problem may occur if the following registry key is corrupted: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions

Their solution is a bit lengthy, so here is a quick batch file version that should make it easy.

Copy and paste the following commands into a file named VSSrepair.bat, then run it to execute the commands from 940184:

@echo off
REM
REM https://www.flyingpenguin.com
REM
REM Batch file to repair a Volume Shadow Copy (VSS) installation
REM based on https://support.microsoft.com/kb/940184
REM
echo --- !! WARNING !! WARNING !! WARNING !! WARNING
echo.
echo --- Run this with Administrator privileges only
echo.
echo --- NOT for use with Windows Vista, Windows Server 2008,
echo --- or later versions of Windows. Windows Vista and
echo --- Server 2008 use manifest-based component installation;
echo --- manual registration of components can cause serious failure
echo --- and require Windows reinstall to resolve.
echo.
echo --- !! WARNING !! WARNING !! WARNING !! WARNING
REM
pause
cd /d %windir%\system32
echo.
net stop vss
net stop swprv
regsvr32 ole32.dll
regsvr32 oleaut32.dll
regsvr32 /i eventcls.dll
regsvr32 vss_ps.dll
vssvc /register
regsvr32 /i swprv.dll
regsvr32 es.dll
regsvr32 stdprov.dll
echo --- vssui.dll is only for Windows 2003. Ignore this error on XP
regsvr32 vssui.dll
regsvr32 msxml.dll
regsvr32 msxml3.dll
echo --- msxml4.dll is optional and thus may fail. Ignore this error
regsvr32 msxml4.dll
pause

The knowledge base article then recommends you type “vssadmin list writers” from the command prompt. Success means you will see a list like this one:

Hope that helps save some time. There could be other causes of VSS failures, but these two methods worked for me.


Updated to add: if you have Visio installed you may have to remove the following registry entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\Visio
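Before running VSSrepair.bat, which re-registers components and must not be used on Vista or later, it is worth checking which of the two failure modes you actually have. The following PowerShell script is an added example written for this page, not from Microsoft or the original post. It walks the catalog subkeys from KB 907574 (including the Visio one above) looking for a missing or dangling Location value, parses “vssadmin list writers” for writers that are not Stable, and pulls events 12302 and 5013 from the Application log. The script name is hypothetical; it assumes an elevated PowerShell 2.0 or later prompt and English vssadmin output, and it changes nothing on the system.

```powershell
# VSScheck.ps1 -- read-only triage of the VSS failure modes described above.
# Added example, not from Microsoft or the original post.  Run from an
# elevated PowerShell prompt before reaching for VSSrepair.bat.
# Assumes English vssadmin output ("Writer name:", "State:", "Last error:").

# 1. KB 907574 symptom: a catalog under ContentIndex\Catalogs (the Visio
#    subkey is one example) whose Location value is missing or stale.
$catRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs'
if (Test-Path $catRoot) {
    foreach ($cat in Get-ChildItem $catRoot) {
        $loc = (Get-ItemProperty -Path $cat.PSPath -ErrorAction SilentlyContinue).Location
        if (-not $loc) {
            Write-Warning ("Catalog '{0}' has no Location value (KB 907574): fix or delete the subkey" -f $cat.PSChildName)
        } elseif (-not (Test-Path $loc)) {
            # System Volume Information paths may be inaccessible even to admins,
            # so this is a prompt to verify by hand, not a definite fault.
            Write-Warning ("Catalog '{0}' Location '{1}' not found or not accessible; verify it by hand" -f $cat.PSChildName, $loc)
        } else {
            Write-Host ("OK  catalog '{0}' -> {1}" -f $cat.PSChildName, $loc)
        }
    }
} else {
    Write-Host "No ContentIndex catalogs registered."
}

# 2. KB 940184 symptom: VSS cannot enumerate its writers at all, or a writer
#    is stuck in a non-Stable state with an error.
$raw = & vssadmin list writers 2>&1 | Out-String
if ($raw -notmatch 'Writer name:') {
    Write-Warning "vssadmin returned no writers; VSS itself is failing:`n$raw"
}
# Each writer is a block starting with "Writer name: '...'"; the first split
# element is the vssadmin banner and has no State line, so it is dropped.
foreach ($block in ($raw -split '(?m)^Writer name:' | Where-Object { $_ -match 'State:' })) {
    $name  = [regex]::Match($block, "'([^']+)'").Groups[1].Value
    $state = [regex]::Match($block, 'State:\s*\[\d+\]\s*(\S.*)').Groups[1].Value.Trim()
    $err   = [regex]::Match($block, 'Last error:\s*(\S.*)').Groups[1].Value.Trim()
    if ($state -eq 'Stable' -and $err -eq 'No error') {
        Write-Host ("OK  writer '{0}'" -f $name)
    } else {
        Write-Warning ("Writer '{0}': state={1}, last error={2}" -f $name, $state, $err)
    }
}

# 3. The events the post says to look for, from the Application log.
Get-EventLog -LogName Application -Source VSS -Newest 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 12302 -or $_.EventID -eq 5013 } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List
```

If section 1 reports a catalog problem, start with the KB 907574 fix; if section 2 reports that vssadmin cannot list writers, you are in the KB 940184 case and the batch file applies, but only on XP or Server 2003. A writer that is merely not Stable usually clears after restarting the service that owns it, so check that before re-registering anything.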