Friday, June 27, 2014

The Cinnamon Snot Ball

So here is a quickie as I stare at the BrainDrool timeline and realize I have been slacking...

I am an avid coffee lover.  If you recall one of my first posts, I wrote about reducing your caloric intake with changes made to your morning coffee in my post simply titled "Coffee..." I mentioned in the post that I enjoy adding cinnamon for both flavor and the health benefits.  At that time I didn't think I would be searching the internet for "Snot ball in my coffee" but here I am now writing about it.

So this is not new apparently.  Some ladies did an experiment on the phenomenon a couple of years ago; you can get all the details in their blog post.  It's a pretty good experiment.  So there I am one day, getting down to the last drop of my coffee.  I take a nice big swig of it and suddenly my mouth is full of a big snot-like entity.  Luckily I have a pretty strong tolerance for gross stuff, which let me keep it contained until I could get to the sink.  This was in part due to it not tasting bad.  My first thought was that the milk was bad and caused this beast to grow in my coffee.  I unleashed it into the sink and it was not pretty.  A slimy mess of cinnamon and remnants of coffee made its way to the drain.  After verifying the milk was good, I decided to avoid cinnamon for the next couple of days.  And my suspicions were correct: no snot monster in my coffee.  After some searching on the internet, I found that this may occur with cinnamon.  It doesn't appear to be harmful, and the less cinnamon used, the smaller the blob.  Different brands may also produce different results.  Some suggest brewing the coffee with cinnamon mixed in the grounds; unfortunately that isn't easily done with K-Cups.  I suppose you can use the reusable cups that you fill with your own coffee, but those are terrible.

So the next time you throw cinnamon in your coffee, just be aware that you may be greeted with an unpleasant surprise.  It won't kill you but it may cause you to hurl if you have a weak stomach!

Wednesday, April 30, 2014

Keeping Your Hyper-V Environment Patched

In the last post I covered a brief overview of Hyper-V vs ESXi.  Today I will share with you my experiences in keeping this environment patched.  Hold onto your seats, this is going to be a wild ride...

So before I go further, I would like to send you over to the following blog -  John Savill writes up the process pretty well.  His example hints at just doing this in Hyper-V and excludes mention of SCVMM.  This isn't too far off though, since even with SCVMM, performing certain tasks on either the Hyper-V host or the Hyper-V Manager app is still much easier than trying to do it in SCVMM.  Also I found that even with the Hyper-V Management feature installed on SCVMM, the PowerShell modules still don't work correctly.  At Step 6, make sure you choose the Generalize option for SYSPREP.  This makes it so the image can be used by SCVMM during Create Virtual Machine from Template.  Otherwise you will get a big ol' error during a build.  I ran Step 8 from the Hyper-V host, as it was just easier to keep everything local.  Once the export completed, I copied the file over to the SCVMM Library server directory so it could be connected to the template image.  Once that is all set, you should be good to go for building more up-to-date VMs.  It would be best to incorporate this into your patch management process and perform it on a monthly basis.  I'm sure if you are smarter than I, you can automate much of this process.  I am also sure this is documented somewhere in some TechNet blog, but it probably requires that you are using System Center for patching rather than WSUS.
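An added example of automating the tail end of that process (my illustration, not John Savill's or this post's own script): it assumes a template VM named TPL-W2012R2 that has already had the month's updates applied, WinRM access to the guest as tpl-w2012r2.corp.example, an export folder D:\Exports, and a library share at \\vmm01\MSSCVMMLibrary\VHDs; since sysprep /generalize is one-way, keep a pre-sysprep copy of the template VM by other means.

```powershell
# Added example, not the post's or John Savill's script: sysprep /generalize,
# export, publish to the SCVMM library and verify the copy. Run on the Hyper-V
# host with the Hyper-V PowerShell module. Names below are assumptions.
param(
    [string]$VMName       = 'TPL-W2012R2',                 # template VM, already patched
    [string]$GuestName    = 'tpl-w2012r2.corp.example',    # WinRM-reachable name of the guest
    [string]$ExportRoot   = 'D:\Exports',
    [string]$LibraryShare = '\\vmm01\MSSCVMMLibrary\VHDs'  # SCVMM library server directory
)
$ErrorActionPreference = 'Stop'

# Step 6 of the write-up: Generalize. Without /generalize the image keeps its
# SID and machine identity and SCVMM's Create Virtual Machine from Template fails.
if ((Get-VM -Name $VMName).State -ne 'Running') { Start-VM -Name $VMName }
$cred = Get-Credential -Message "Local administrator inside $VMName"
try {
    Invoke-Command -ComputerName $GuestName -Credential $cred -ScriptBlock {
        Start-Process -FilePath "$env:SystemRoot\System32\Sysprep\sysprep.exe" `
            -ArgumentList '/generalize', '/oobe', '/shutdown', '/quiet' -Wait
    }
} catch {
    # The guest powers off when sysprep finishes, so a dropped session is expected.
    Write-Verbose "Remote session ended: $($_.Exception.Message)"
}

# Exporting a running VM would capture a half-generalized disk; wait for Off.
while ((Get-VM -Name $VMName).State -ne 'Off') { Start-Sleep -Seconds 10 }

# Step 8: export from the host, keeping it local as the post does.
$stamp      = Get-Date -Format 'yyyyMM'
$exportPath = Join-Path $ExportRoot "$VMName-$stamp"
Export-VM -Name $VMName -Path $exportPath

# Publish only the VHDX (single-disk template assumed) and confirm the library
# copy matches the export before anything is built from it.
$vhdx = Get-ChildItem -Path $exportPath -Recurse -Filter '*.vhdx' | Select-Object -First 1
$dest = Join-Path $LibraryShare "$VMName-$stamp.vhdx"
Copy-Item -Path $vhdx.FullName -Destination $dest
$srcHash = (Get-FileHash -Path $vhdx.FullName -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) {
    Remove-Item -Path $dest
    throw "Library copy of $dest did not match the export; removed it."
}

# If the VMM console module is present, refresh the share so the new VHDX shows
# up in the library now rather than at the next scheduled refresh (assumption:
# Get-SCLibraryShare exposes the UNC path as .Path).
if (Get-Command -Name Read-SCLibraryShare -ErrorAction SilentlyContinue) {
    Get-SCLibraryShare | Where-Object { $LibraryShare -like "$($_.Path)*" } | Read-SCLibraryShare
}
Write-Output "Published $dest (SHA256 $dstHash)"
```

Wire the template's updated VHDX to the SCVMM template afterwards as the post describes; the hash check is what tells you the library copy is the one you exported.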

The next post I will have up some steps to easily deploy a VM from template through a script...

Hyper-V and SCVMM not quite ESXi and vCenter

I am a huge fan of virtualization technologies.  I started my days in NT 4.0, and when Virtual PC was released I jumped at the ability to run multiple operating systems without needing to dual boot.  Years later I was able to experience VMware's virtualization platforms.  It wasn't just booting multiple systems; it was streamlining the patching process, moving systems to other physical resources without batting an eye, and even moving them across datacenters to take advantage of off-peak utility rates.  Virtualization has allowed companies such as Amazon, Netflix, and Google to grow into what they are today.  And it has allowed much smaller companies the ability to run enterprise class environments without having to take up real estate in their small server room.  2-3 physical servers could be 20+ virtual servers.

This may or may not be a series of posts related to virtualization, we will see.  But for now it will be some nifty tips and tricks to help you get through using Hyper-V and SCVMM.  For those who don't know, Hyper-V is the evolution of Microsoft's Virtual PC/Server.  It is the hypervisor which is currently in use in their data centers and online service platforms.  From a small business or startup's perspective, it is a very inexpensive way to build your new server infrastructure since Microsoft has a few licensing programs that cater to the small budgets of these types of businesses.  So naturally it makes sense to utilize Hyper-V over VMware's ESXi.

"But isn't ESXi free?"  Glad you asked, yes it is and so is Hyper-V.  Earlier this year Microsoft released Hyper-V Server 2012 R2.  This is their free version of Windows Server 2012 w/ Hyper-V.  Provided you have proper licensing, you can install your Windows VMs on this with no additional cost.  There are some hardware limitations but I won't get into that at the moment.  But this is only for their standalone products.  Managing those systems is a different story.

Here is where the expense comes in (aside from the hardware costs)...  You can install as many virtual machines as your physical host(s) can support.  But to manage all these hosts and support a proper virtual infrastructure, you need the management server.  In VMware's case, this is vCenter.  In the Hyper-V world it is Microsoft System Center Virtual Machine Manager (SCVMM).  I may cover what one has to go through to get this thing running in another post later on.  It was a bit more difficult than getting vCenter running.  The requirements are not all that different, but the implementation is a bit more time consuming.  For example, it is recommended that a separate SQL Database Server be used for storing the Hyper-V information.  You can use the same server, but SCVMM will not install SQL for you.

So to wrap this bit up...  If you are a budding business and need to keep your costs low, going the Microsoft route may save you some money with their small business and startup programs.  There is nothing wrong with that.  If you find you like using Hyper-V, moving it to a more enterprise class environment would not be too difficult.  If you grow to where you can afford VMware, then migrating from Hyper-V should not be too difficult.  You would just convert them using the VMware vSphere converter and do them as physical machines.  Sadly going VMware to Hyper-V is not as easy.  You would need to stand up SCVMM first and incorporate your vCenter server in the mix.  Then you would need to use the MS converter which may or may not work.  I've seen mixed success with it.

In the next post I will cover some tricks about keeping your Hyper-V templates updated...

Tuesday, January 21, 2014

So you got a new computer, what's with all these tiles!?!?

Default new user "Metro" screen for Windows 8.1 
As the expiration of support for XP looms, many people out there are getting new computers, laptops, and even tablets.  If you have been an avid user of XP or Windows 7, then getting that first Windows 8 system is going to be a bit of a shock.  As you can see from the left, that is essentially your "Start Menu."  It is loaded up with all sorts of apps, right?  Most of those tiles are actually just internet feed apps.  The tile screen was really designed for touch-enabled devices.  My first recommendation for someone asking about a new computer is to get one with a touch-enabled screen.  This will make your Windows 8 experience a much more positive one.  The next thing you can do is clean up the tiles.  Right clicking a tile will bring up a selection mode.  You can right click on each tile you would like to "unpin" and select "Unpin from Start."

The next thing you will want to do is upgrade (if it didn't come installed) to Windows 8.1.  This is a free update from Microsoft through their app store (yes, they have one too now).  They have a nice step-by-step tutorial here.  This will add some more familiar functionality to the Tile screen and the Desktop.  For example, to access applications like the Control Panel, Paint, or Notepad, you can now click on the arrow at the lower left corner of the Tile screen.  From here you can right click any of the listed applications and add them either to the task bar on the desktop screen or as a Tile on the Tile screen.  The other navigation issue is the implementation of hot edges.  I would say corners, but in most cases hovering the mouse cursor over any of the edges on the tile screen and desktop may produce an option to switch from the current screen.  Most new systems will run you through a quick tutorial with instructions on what to do near each of these hot edges.  If you are purchasing from a store, I would recommend having the sales person walk you through the changes in Windows 8 from the earlier Windows versions.

Now why did I recommend getting something with a touch-enabled screen?  Well, besides the fact that the "LabTab" or "TabTop" (or whatever you want to call it) is making a comeback, Windows 8 is designed for this type of device.  It is meant to be interacted with through a touch screen using your hands.  Swiping and scrolling work much more smoothly this way.  My wife just recently picked up a Surface Pro, so I was able to play a bit more with the touch features.  It is a bit different using your hands and the stylus than the mouse.  Right clicking changes to a click-and-hold method.  So you click on an icon, selection, or whatever, hold until you see the circle appear, then let go.  You will then see the context menu.  If you have a jittery hand, this can get pretty frustrating and you might end up dragging icons and tiles all over the place rather than pulling up the context menu.  The normal navigation around the tablet environment still feels much more natural using your hands as opposed to the mouse.  Another cool feature that comes with the stylus is handwriting-to-text.  If the new interface is still a bit confusing, then check out their "Help + Tips" app for some visual instructions.

All-in-all it is not a terrible operating system.  From a security standpoint it adds a number of improvements that were not native to Windows 7 and almost non-existent in Windows XP.  The Surface has some nice features as well.  The stylus is pretty useful; it can also attach on the magsafe power connector (when you are not charging the device).  It has a full size USB port and Micro SD slot.  These come in handy for attaching additional storage.  It also has an external mini-DisplayPort in case you want to connect it up to a secondary display.  The only major drawback to the Surface Pro is the limited hard drive size (128GB).  It seems like a lot, but if you are switching from a more full size laptop with a 500GB+ drive, then you may have some issues moving some of your larger files over.

So there you have it, Windows 8 in a nutshell, and you even got a bonus mini Surface Pro review.  As always, feel free to leave any comments or questions.  Change does suck at times, but a little patience and a lot of googling can help you through the transition.  It also helps if you are married to or dating an IT guy/gal.

Wednesday, January 15, 2014

Supporting the Unsupported

So the day is coming closer and closer when Microsoft will finally hit the delete button on support for Windows XP and Office 2003.  This means no more updates of any kind.  They are also ending support for Microsoft Security Essentials on XP.  That is Microsoft's free consumer Anti-Virus product.  So what does this mean?

For the home user, there is a pretty simple solution.  If you are still using a computer that is running Windows XP, then it is probably about time to get a new computer.  XP was released to computer manufacturers on August 24, 2001.  Microsoft continued supplying it to system builders through 2009.  So chances are you own a computer that could be anywhere from 4-12 years old.  So high time to upgrade, wouldn't you say?  Since I am the only IT guy in my family, I get all the questions about why a computer is slow or why something isn't working.  If the system is 5 years old or greater, I will recommend they just get a new system.  Certain things can probably be easily replaced, but it will only be a matter of time before the next thing goes.  Eventually the motherboard is next.  Once that goes, you are pretty much getting a new system.  So if you are a home user and still have XP, you may want to update your budget for a new computer in the coming months.  While you are at it, you may also want to make sure you have been backing up your data and that it can easily be restored to a new system.  Unfortunately transitioning off XP to Windows 8 will be a bit of a shock, but it can be done.  I will cover that in another post soon.

For a business, it is a different story.  Many larger enterprises have been working on transitioning off XP for the last couple of years.  If you haven't been planning this transition by now, then you will need to consider some things when April hits.  You will need to determine how many systems are still going to be living on your network at that time and the risks associated with that.  No more security updates means that there is a very good possibility we will see a huge increase in the number of 0-days released for XP and Office 2003.  So if you still have a need for these products on your network, you may want to consider isolating them from your critical systems.  You will also need to make sure your security vendors will continue to support them until you can have them decommissioned.  If you can't isolate the physical systems, consider migrating them to virtual systems that run in a more isolated fashion.  For example, if you have specific users such as engineers who need legacy software support, consider getting them newer Windows 7/8 systems.  Install a virtualization platform and do a physical-to-virtual migration (P2V) of that legacy XP system.  Change the networking to NAT or Host Only, and test to ensure that their software still functions.  Chances are that if you haven't moved off XP, then you probably don't have some of the more advanced security infrastructure in place, such as Network Access Control (NAC).  A NAC system can assist in identifying and isolating unsupported systems.  The cost to implement some of these more advanced security measures may easily far exceed that of migrating off Windows XP.  So there is that to keep in mind.  The longer a company waits to do this, the higher that cost will be.

This is not a new announcement; Microsoft has been trying to end support for XP over the last 5 years.  It was the big enterprise customers that forced them to keep it alive.  Their main reason was that much of their legacy software was not supported on Windows 7 and/or the cost to migrate was too high.  As we like to say in consulting, "Pay me now or pay more later."  We make recommendations not to fill our pockets, but to ensure that your environment operates at an optimal level to support your business.  If for some reason you did not take our advice at the time it was given, then there is a good chance you will need us to perform an emergency rush implementation of that earlier recommendation.  The increase in cost usually comes with premium rates being charged, increased shipping costs for rush hardware, as well as possible additional product support from the vendors.

So you have 82 days left to either finish your Windows 7/8 migrations and test all your software.  Or use that time to try and isolate those systems until they can be replaced at a later date.  Either way you have some work ahead of you so I suggest you get started.

UPDATE: On Wednesday (1/15/13) Microsoft announced they will extend support for their Anti-Virus products until July 2015.  Now keep this in mind: that does not mean XP is safe; this will just plug one hole in an already Swiss-cheesed dam.  It is not a difficult thing to bypass anti-virus products on vulnerable systems.  If you are not able to migrate off XP this year, then you may want to consider a couple of additional options, such as implementing an application whitelisting solution such as Bit9's Security Platform and/or deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET).  Another revelation mentioned over the last couple of days is that many ATMs are known to use Windows XP Embedded.  Now, banking regulations require that these devices are not on the internet, but that doesn't make them automatically safe.  There have been a number of stories where thieves were able to get physical access to the system in order to load malware or a secondary operating system via USB.  Again, this required physical access to the ATM.  Other critical hardware that relies on XP Embedded includes a number of medical devices and SCADA systems.

Wednesday, September 18, 2013

Hello little NAS why are you trying to talk to Russia?

In a recent post I talked about securing your home network, so of course I want to make sure I practice what I preach.  My main server recently suffered some hardware failure; there was nothing critical on it, so I am in no hurry to get it back up and running.  I took the opportunity to find something more dedicated to run the file sharing on the network, so I picked up a QNAP TS series device.  I figured yeah, this should do what I need.  Well, I didn't realize it was able to replace most of the services that my bulky Dell server was hosting.  After getting it up and running I found it to have a slew of useful services like VPN, media server (DLNA) services, and of course file storage/sharing.  So I got the thing running, connected up the big USB HDD and restored all the shared paths and such.  Eventually I got the VPN working and made sure managing it was only done through SSL.

So I had it going for a couple of weeks without any issues, until the morning I decided to check out my network traffic.  I saw some odd stuff in my firewall logs that didn't make sense, and it was coming from the QNAP system.  It started because I saw a good deal of inbound UDP traffic being blocked.  UDP is basically TCP's bastard cousin.  It is not typical for legitimate internet services to use UDP.  So I checked out some IP addresses and they were coming from the usual overseas locations.  No big thing, most likely internet scanning on UDP to see if anyone's firewall will allow it through.  So I continue through the log and notice outbound UDP traffic.  I panic a little and then notice it is going out over 6881.  Now my lovely firewall allows me to do an on-demand packet capture, which is handy as it sits between my LAN and the Internet, so it can see everything.  So I ran the capture and then filtered the results in Wireshark:
Notice the many different non-US destinations?  Yeah, that didn't sit right with me.  I did some digging, as I have not memorized all my TCP/UDP port numbers, and found that this is typical of BitTorrent listeners.  I did some additional searching and found that the QNAP has a Download Manager service that comes turned on by default.  This download manager runs like a torrent listener, so this is beacon traffic to the torrent network.  I took a look at some of the packets and found it to be random garbage, nothing malicious.  But still, that is traffic I don't want going out without my permission, least of all to overseas locations.  I made some changes on the firewall that would automatically block traffic based on country of origin and found a nifty forum post about disabling the feature and hardening the device further.
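As an added example (mine, not the post's), here is the same triage done against firewall log text in PowerShell: it flags outbound UDP from LAN hosts to non-private destinations that touches the 6881-6889 BitTorrent range and reports any host talking to several distinct peers. The log lines are constructed in a generic layout, not a real vendor format, so the regex would need adjusting for your firewall's export.

```powershell
# Added example, not from the original post. Constructed sample lines in a
# generic "date time action proto src:sport -> dst:dport" layout. The inbound
# block, the TCP session and the LAN DNS query are there to show what a
# destination- and port-aware filter leaves out.
$SampleLog = @'
2013-09-18 07:02:11 BLOCK UDP 198.51.100.77:5432 -> 203.0.113.5:41000
2013-09-18 07:02:14 ALLOW UDP 192.168.1.20:6881 -> 198.51.100.9:6881
2013-09-18 07:02:15 ALLOW UDP 192.168.1.20:6881 -> 203.0.113.44:51413
2013-09-18 07:02:15 ALLOW TCP 192.168.1.15:49211 -> 203.0.113.10:443
2013-09-18 07:02:16 ALLOW UDP 192.168.1.20:6881 -> 198.51.100.200:6881
2013-09-18 07:02:20 ALLOW UDP 192.168.1.15:53412 -> 192.168.1.1:53
2013-09-18 07:02:22 ALLOW UDP 192.168.1.20:6881 -> 192.0.2.77:6881
'@

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges: traffic to or from these is inside the LAN.
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function Find-TorrentBeacon {
    param(
        [string[]]$LogLines,
        [int]$MinPeers = 3,                  # one peer is noise; many peers is a swarm
        [int[]]$TorrentPorts = 6881..6889    # conventional BitTorrent listener range
    )
    $pattern = '^(?<time>\S+ \S+) (?<action>\w+) (?<proto>\w+) ' +
               '(?<src>[\d.]+):(?<sport>\d+) -> (?<dst>[\d.]+):(?<dport>\d+)$'

    $hits = foreach ($line in $LogLines) {
        if ($line -notmatch $pattern) { continue }
        $m = $Matches
        if ($m.proto -ne 'UDP') { continue }
        if (-not (Test-PrivateIPv4 $m.src)) { continue }   # outbound from the LAN only
        if (Test-PrivateIPv4 $m.dst) { continue }           # LAN-internal UDP such as DNS is not the concern
        if (([int]$m.sport -notin $TorrentPorts) -and ([int]$m.dport -notin $TorrentPorts)) { continue }
        [pscustomobject]@{ Time = $m.time; Source = $m.src; Destination = $m.dst; DestPort = [int]$m.dport }
    }

    # A single LAN host fanning out to many distinct external peers is the
    # beaconing pattern the post saw in the capture.
    $hits | Group-Object -Property Source | ForEach-Object {
        $peers = @($_.Group.Destination | Sort-Object -Unique)
        if ($peers.Count -ge $MinPeers) {
            [pscustomobject]@{
                Source    = $_.Name
                PeerCount = $peers.Count
                FirstSeen = ($_.Group.Time | Sort-Object)[0]
                Peers     = $peers -join ', '
            }
        }
    }
}

Find-TorrentBeacon -LogLines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Feed it `Get-Content` of a real log export once the regex matches your firewall's layout; anything it reports is a host whose default services deserve the same look the QNAP got.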

  • Disable Download Station - unless you can find a good use for it.  This can be done from "My Apps."  Just slide the bar to the left.
  • Now we need some clean-up.  We will need to make sure only authorized networks can access the QNAP.  Go to the Security Settings in the QNAP control panel.
  • In the Security Settings, you will want to select "Allow connections from the list only."  Then add the internal IP addresses/ranges you wish to allow to access the device.  This is handy if you happen to have a guest wireless network that may touch your main network.  Again, who would have that, it is just silly.  Refer to the image below; IP addresses are obfuscated, but those would change based on the network anyway.  I did have to add my VPN IP pool, as it is different from the internal LAN.

So that is it, piece of cake!  Once you make the changes it will restart the network services, so you may lose access to the shares for a minute or 2.  After I made those changes the traffic pretty much stopped.  I am still getting a bunch of inbound UDP getting blocked, but that should decline as well.  Anyway, hope this is helpful to some folks.  The device is pretty useful but again, don't always trust the default settings or apps.  Take the time to understand what you plugged into your network!  Any questions, feel free to leave a comment below!

So quick update on the network security... as I sit here waiting for my plane to Louisville for DerbyCon 2013, I decided to test my VPN to the home office.  It wouldn't connect, so through other magical means I remoted in a different way to check the systems.  Firewall check!  It was passing traffic nicely.  So I logged into the QNAP where the service is hosted and immediately saw the warning indicator for an unauthorized network attempting to connect on my VPN port.  Nifty, that made fixing the issue pretty easy.  Made the necessary changes and all is working now.  So if you lock your QNAP down and use the VPN service, you may need to open some ranges or just not use the block networks piece.  The VPN is only temporary until I can bring up a new full time server.

Sunday, September 15, 2013

Securing Your Home Network

Every now and again I try to take some time out of my weekend mornings to take a look at my network traffic.  I should certainly do it more often or enable some form of weekly report to be sent to me; maybe that will be a winter project this year.  In any event, with all the new tech we add to our home networks every year, it makes more sense to know just what exactly is going on in the network.  Big enterprises have numerous tools (not so much personnel) to monitor both outbound/inbound traffic; unfortunately the typical home user does not.  In fact many believe that if they slap in their Linksys/Netgear home router, they are good to go and everything will behave.  But with stories such as the "hacked" baby monitor in Texas, we know this is not true.  Just some corrections to that story: it wasn't an actual baby monitor, you know, the two-way radio sort of monitor.  It was a Foscam IP video camera, most likely of the wireless sort.  It sounded like the father took the appropriate steps in configuring it, but again, just doing what the manual tells you to does not make it securely configured.

But I digress.  The point of today's post is to help educate my not so tech savvy readers and make them aware that many of these consumer brand companies really don't put too much effort into securing their product.  They have some basics covered, like changing the default password or enabling secure wireless, but something such as allowing access to the device over the internet, well, that opens a door and invites trouble into your network.  Researchers and the bad guys are constantly scanning the internet for open ports to determine services that might be running on those ports.  You have your typical ones such as web-based TCP 80 (HTTP) and 443 (HTTPS), as well as email (SMTP/TCP 25), FTP (TCP 21), and SSH/SFTP (TCP 22).  There are also standard services running on non-standard ports; for example, HTTP running on TCP 8080.  This is typically done to either obscure a web server from the untrained script kiddie or run more than one web server from a single host.  In my case it would be to get web traffic through my cable company's routing rules, as residential internet typically filters popular traffic such as SMTP and HTTP on standard ports.  We can go into details another time on that.  With tools such as Shodan (see previous post) being used much more frequently and internet scanning software becoming more efficient (check out the post from Robert Graham), it is getting much easier to find out what is running on people's networks.

So what does all this mean?  Well as consumers we need to start getting smart about what we are connecting to our home networks.  In the past the average home probably had 1-2 computers and possibly both wired and wireless networking.  Now a majority of homes have any number of smart phones, tablets, game consoles, laptops, and (maybe) a desktop all connected up.  They may also include network printers, Smart TVs, Smart Blu-ray players, and other media devices such as Apple TV or Roku.  All of these are now nodes on your home network and they all require internet access to function.  

Now of course we have all created a network diagram that we keep handy for reference... right??  Anyone?  Anyone besides the crickets?  OK, I'm joking; only folks like myself who do this for a living will probably go the extra length and document the home network.  At least I can rest easy knowing that if I am ever hit by a truck, my wife will know what device to unplug to reset the cable modem.  I only partially joke about this, but it is not a bad idea to know what is connected to your home network; just draw it out on paper or make a simple list.  You don't need to make high end enterprise architecture diagrams, I mean that would be silly!  The first part of securing something is knowing what it consists of.  You know how many doors and windows you have in your home, right?  Well, think of your network in a similar way.  The fewer devices you expose to the internet, the better.  Exposed meaning you allow inbound access to them.  If you absolutely must have access to something while you are away from your home, then look into setting up a VPN.  It is not all that hard, and there are a number of both hosted and local solutions out there.  I will be doing a write up on one such device coming up.  The VPN allows you to make a secure connection to your home network from outside.  The tunnel is encrypted, so it is difficult to play man-in-the-middle on.  Is it foolproof?  Absolutely not, but it is another layer to make it so the novice cannot get in.  In security we like to say, if someone wants something bad enough, they will get it; it is just a matter of time.  Your best defense is to make it as hard as possible for them to do it.  Think about it this way: putting frosted glass on windows, using thick curtains, and even placing warning signs on your property for dogs or an alarm system.  Granted these may throw up flags that you have valuable stuff, but it will keep the curious passers-by from snooping around.  A determined criminal may still risk it and smash in a window, but he may not be willing to tangle with a big dog.

So this one went on long enough, I will end with this... don't assume the product manufacturers have your back; they want to make money, and adding extra steps to secure something may take from their bottom line.  So go out and do some research on that next new gadget you want to add.  Know that you may need to do some extra work to harden it!  If you ever want more education on the matter, swing by your local Hackerspace; there are always folks willing to educate people on these sorts of things.  If you are local to CT, you can come by  We are usually around in the evenings during the week and random times on the weekends.  The weekly schedule is posted on Sundays.