The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for April, 2006

We're too late…

Posted by Xavier Ashe on April 30, 2006

A new law in Georgia on private investigators now extends to computer forensics and computer incident response, meaning that forensics experts who testify in court without a PI license may be committing a felony.

In the U.S. television show “Medium,”
Patricia Arquette's character uses her “special psychic skills” to help
solve crimes. If a new law passed by the Georgia legislature but not
yet signed by the Governor goes into effect, not only could Miss
Arquette's character face legal troubles, but thousands of computer
security consultants would face the very real threat of jail time –
simply for plying their trade.

According to the legislature, a Private Investigator
is any person who is in the business of obtaining or furnishing, or
accepting employment to obtain or to furnish, information with
reference to:

(A) Crimes or wrongs done or threatened against the United States of America or any state or territory thereof;

(B) The background, identity, habits, conduct, business, employment,
occupation, assets, honesty, integrity, credibility, knowledge,
trustworthiness, efficiency, loyalty, activity, movement, whereabouts,
affiliations, associations, transactions, acts, reputation, or
character of any person;

(C) The location, disposition, or recovery of lost or stolen property;

(D) The cause or responsibility for fires, libels, losses, accidents, damage, or injury to persons or property;

(E) The securing of evidence in the course of the private detective
business to be used before any court, board, officer, or investigating
committee; or

(F) The protection of individuals from serious bodily harm or death.

In addition to the aforementioned services, “private detective
business” shall also mean providing, or accepting employment to
provide, protection of persons from death or serious bodily harm.

Typical “Magnum PI” kind of stuff. The problem is that the statute is
written so broadly as to include almost all types of computer forensics
and computer incident response – at least when done by outside
consultants. After all, when do you need computer forensics, or
incident response? Typically, you call in a computer forensics expert
when you suspect something “bad” has happened. Thus, you retain the
expert to furnish information with respect to possible crimes or wrongs
(the phrase against the United States or any State or territory doesn't
mean that the State is the victim of the crime, just that it violates
the state law.)

You also retain forensic experts to collect evidence about damages and
loss to you – from computer viruses, worms, attacks, and so on. You
want to know what happened, how it happened, why it happened, and how
to prevent it from happening again. You want to know the, “cause and
responsibility for … losses and damage to … property.” Namely, this
applies to your computer network and the information contained in it.
You also want the information collected in a way so that it can be used
in court or by other investigators later on, even if you do not intend
to pursue a civil or criminal case. If information is stolen, you want
to know the “location, disposition and [ensure the] recovery of lost or
stolen property” namely the intellectual property stored on the
computer. For all of these things, you would typically hire not a
gumshoe, but a forensic expert. Unfortunately, under this new law that
forensic expert would be committing a felony.

Complete coverage on Security Focus.


Posted in Other Technology, Security | Leave a Comment »

Registry Key to disable USB Storage devices

Posted by Xavier Ashe on April 28, 2006

Once in a while I have a friend, or customer that needs to keep people from using the USB ports to copy data off of a system.

It is easy to lock a machine down and disable the floppy and CD-ROM in the BIOS. But when you try to disable USB there, it usually disables USB entirely, which is a real pain on newer laptops or systems that don't even have a PS/2 interface for the mouse or keyboard.

There is a simple registry change that keeps the USB mass-storage driver (usbstor.sys) from starting when the system boots. It stops people from walking up to a PC and copying data off with a USB key, but leaves your scanner, keyboard, and mouse working, because those load through other USB class drivers. Two caveats: it only affects devices that present themselves as mass storage, so a phone or camera that mounts through a different class driver is unaffected, and any local administrator can flip the value back, so pair it with restricted local admin rights if the goal is to stop a determined insider.

As always – back your system up before messing around in the registry.
Just open regedit and browse to this key:


Notice the value 'Start' (a REG_DWORD).
Set this value to 4 (SERVICE_DISABLED), and USB storage devices are disabled; the driver will not load even when a device is plugged in.
Set it to 3 (SERVICE_DEMAND_START, the default), and USB storage devices are enabled again.

From IntelliAdmin, who also has a little util for those scared of regedit.  I believe this is much more effective than the Group Policy I posted about.

Posted in Other Technology, Security | Leave a Comment »

DOJ jails Spam King, Alan Ralsky

Posted by Xavier Ashe on April 28, 2006

Local hacker “Memehacker” IMed in with a scoop on Alan Ralsky, the famed “Spam King” covered by the Observer and the Detroit News. Here's the breaking story:

Valleywag: Tell me the scoop in three sentences.
Memehacker: Alan Ralsky is currently being held by the feds and
his file is sealed for the next 72hrs by the DOJ. We are concerned that
he is going to narq out the entire network since they have enough on
him to send him to jail. This means hackers, spammers, anyone who has
worked in spam legally or illegally for the last 5 years at least.

The DOJ wants to do a dragnet, they have the top dog, but they want the whole system as well.

Get the scoop on Valleywag. (via)

Posted in Privacy, Security | Leave a Comment »

Bypass the Microsoft Genuine Advantage check

Posted by Xavier Ashe on April 28, 2006

This copy of Microsoft Windows XP is not genuine – Want to bypass and remove this warning ?

Windows XP Pirates have again found workaround methods to bypass the new Microsoft Anti-Piracy effort Windows Genuine Advantage Notifications that notifies you through annoying pop-up messages if your copy of Windows is not genuine.

WGA Notifications patch is installed if the user has opted to
automatically update Windows via the Windows Update Website or if an XP
user manually downloads the latest Windows updates.

A workaround posted on titled WGA install workaround (KB905474) suggests the following:

Get the low down on Digital Inspiration. (via)

Posted in Security | Leave a Comment »

Wireless Recycling

Posted by Xavier Ashe on April 28, 2006

Wireless Recycling has a slick interface which walks users through the steps necessary to secure old cellphones before passing them off to others.

The process is as simple as selecting your phone manufacturer, make
/ model, and clicking ‘Submit’. The end result is a downloadable PDF
file for clearing your mobile handset of any personal data.

From UNEASYsilence.

Posted in Privacy | Leave a Comment »

Back in Business

Posted by Xavier Ashe on April 28, 2006

The Los Angeles Times reports that only days after flash drives containing sensitive military data were found for sale in a Kabul street market, they're available again. It seems that after the Times
first reported the data breach, military folk went through the market
and bought all the drives they could lay their hands on. For a few
days, there were no drives available, but by last Friday, drives were
once again being smuggled off the base and into the market.

If the Times' description of “thousands” of drives for sale
is accurate, the potential parameters of the data breach are kind of
unnerving. The drives sometimes turn up wiped (though the Times
story points out that deletion isn't a permanent condition), but the
range of information turning up is amazing — everything from maps
showing where Osama Bin Laden might be traveling to pain-compliance
technique information to names and addresses of operatives to Web pages
explaining where to buy anabolic steroids.

The Times does a good job setting the scene: Apparently the
drives are often walking off the base with local folk working on the
base (whether as employees or messengers and the like). The shopkeepers
don't necessarily know what they're selling — one gentleman apparently
priced his wares by color — though they note that prices have
increased tenfold for American shoppers since the original story broke.
And every Afghani interviewed seems to agree: The “trade” shows no
signs of drying up.

From ComputerWorld.

Posted in Security | Leave a Comment »

Studies Say HIPAA Privacy Rule Compliance Not Improving

Posted by Xavier Ashe on April 27, 2006

According to a survey from the American Health Information Management
Association (AHIMA), compliance with the Health Insurance Portability
and Accountability Act (HIPAA) patient privacy rules appears to be on
the wane. Of 1,117 hospitals and health systems responding to the
survey, 91 percent reported HIPAA compliance last year while 85 percent said
they were in compliance this year. The top reasons given for declining
compliance were “lack of resources and diminished management support.”
However, 75 percent of respondents said they were “fully or mostly
compliant” with HIPAA's information security rules, marking a 60
percent improvement over last year's figure. A separate study conducted
by Phoenix Health Systems and Healthcare Information and Management
Systems Society (HIMSS) found the level of compliance with patient
privacy rules among companies involved in health care is higher than 80
percent, but says that figure has not changed in the last six months.
The respondents in this study said their problems with compliance were
due to HIPAA's vaguely worded rules and the ever-changing array of
available technology.

From SANS News Bites.

Posted in Privacy, Security | Leave a Comment »

Microsoft updates the Windows Server 2003 Security Guide

Posted by Xavier Ashe on April 27, 2006

This updated version of the Windows Server 2003 Security Guide
provides specific recommendations for hardening computers that run
Microsoft Windows Server 2003 with Service Pack 1 (SP1) in three
distinct enterprise environments. The Legacy Client (LC) environment
must support older operating systems such as Windows NT 4.0 and Windows
98. In the Enterprise Client (EC) environment, Windows 2000 is the
earliest version of the Windows operating system in use. The
Specialized Security – Limited Functionality (SSLF) environment is one
in which concern about security is so great that significant loss of
client functionality and manageability is considered an acceptable
tradeoff to achieve maximum security.

Guidance about how to
harden computers in these three environments is provided for a group of
distinct server roles. The guidance and provided tools assume that each
server will have a single role, but if you need to combine roles for
some of the servers in your environment you can customize the included
security templates to create the appropriate combination of services
and security options. The referenced server roles in this guide include
the following:

  • Domain controllers that also provide DNS services
  • Infrastructure servers that provide WINS and DHCP services
  • File servers
  • Print servers
  • Internet Information Services (IIS) servers
  • Internet Authentication Services (IAS) servers
  • Certificate Services servers
  • Bastion hosts

This guide is a companion to two other Microsoft publications: the Threats and Countermeasures Guide, available at, and the Windows XP Security Guide, available at

This guide is intended primarily for consultants, security specialists,
systems architects, and IT professionals who are responsible for the
planning stages of application or infrastructure development and the
deployment of computers that run Windows Server 2003 with SP1 in
enterprise environments. This guide is not intended for home users.

Send questions or feedback to us directly at

Go get the updated Windows Server 2003 Security Guide.

Posted in Security | Leave a Comment »

NIST Releases New Papers

Posted by Xavier Ashe on April 27, 2006

NIST is pleased to announce the release of:

1. Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems

The second public draft
of NIST Special Publication 800-53A, Guide for Assessing the Security
Controls in Federal Information Systems is now available for public
comment at the draft publications page. The document provides a
comprehensive listing of methods and procedures to assess the
effectiveness of security controls in federal information systems.
Assessment procedures have been developed for each security control and
control enhancement in NIST Special Publication 800-53 with the rigor
and intensity of assessments aligned with the impact levels in FIPS
199. To learn more about this draft document please visit the CSRC
Drafts page — link provided below:


2. Draft Special Publication 800-92, Guide to Computer Security Log Management.

This document provides detailed information on developing, implementing, and
maintaining effective log management practices throughout an
enterprise. It includes guidance on establishing a centralized log
management infrastructure, which includes hardware, software, networks,
and media. To learn more about this draft document please visit the
CSRC Drafts page – link provided below:


3. Draft Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication

The draft Special Publication
800-38D, Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) for Confidentiality and Authentication
specifies an authenticated encryption mode of the Advanced Encryption
Standard (AES) algorithm. GCM provides assurance of confidentiality of
data using a variation of the Counter mode of operation for encryption.
GCM provides assurance of authenticity of the confidential data using a
universal hash function that is defined over a binary Galois (i.e.,
finite) field. GCM can also provide authentication assurance for
additional data that is not encrypted. To learn more about this draft
document, please visit the CSRC Drafts page — link provided below:

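The authentication half of the mode described above, as an added worked example that is not part of the original post or of NIST's publication: a pure-Python GHASH over GF(2^128) following SP 800-38D Algorithm 1, checked against the GCM specification's test case 2 (AES-128 with an all-zero key, an all-zero 96-bit IV, one all-zero plaintext block and no additional data). The block implements only GHASH and the final tag step; the two AES outputs the tag depends on, H = E_K(0^128) and E_K(J0), are copied in from that test vector rather than computed, so no AES implementation is needed. The function and constant names are this example's own.

```python
import hmac

# Reduction constant R = 11100001 || 0^120 from SP 800-38D, as a 128-bit integer.
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements in GF(2^128) (SP 800-38D, Algorithm 1).

    Each 16-byte block is handled as a big-endian integer, so the spec's
    bit x_0 (the leftmost bit) is integer bit 127; the loop walks the bits
    of x from that end, and the spec's "right shift" is >> here.
    """
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        if v & 1:
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def _blocks(data: bytes):
    """Yield data as 128-bit integers, zero-padding the final block."""
    for off in range(0, len(data), 16):
        yield int.from_bytes(data[off:off + 16].ljust(16, b"\0"), "big")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64).

    h is the hash subkey H = E_K(0^128). The additional data is hashed
    exactly like the ciphertext, which is how GCM authenticates headers
    it never encrypts.
    """
    hk = int.from_bytes(h, "big")
    x = 0
    for blk in _blocks(aad):
        x = gf128_mul(x ^ blk, hk)
    for blk in _blocks(ciphertext):
        x = gf128_mul(x ^ blk, hk)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)  # bit lengths
    x = gf128_mul(x ^ lengths, hk)
    return x.to_bytes(16, "big")


def gcm_tag(h: bytes, ek_j0: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """T = GHASH_H(A, C) XOR E_K(J0), the full 128-bit GCM tag."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), ek_j0))


def verify_tag(h: bytes, ek_j0: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time tag check; the receiver must do this before releasing plaintext."""
    return hmac.compare_digest(gcm_tag(h, ek_j0, aad, ciphertext), tag)


# Known-answer values from the GCM specification's test case 2 (constructed
# input for this example): H and E_K(J0) are the AES outputs for the
# all-zero key, C is the single ciphertext block, T the expected tag.
TC2_H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
TC2_EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")
TC2_CIPHERTEXT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
TC2_TAG = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")


def demo() -> dict:
    """Recompute the test-case tag, then show what the authentication covers."""
    tampered = bytes([TC2_CIPHERTEXT[0] ^ 0x01]) + TC2_CIPHERTEXT[1:]
    return {
        "tag_matches_vector": gcm_tag(TC2_H, TC2_EK_J0, b"", TC2_CIPHERTEXT) == TC2_TAG,
        "genuine_accepted": verify_tag(TC2_H, TC2_EK_J0, b"", TC2_CIPHERTEXT, TC2_TAG),
        # Flipping one ciphertext bit or changing the (unencrypted) header
        # both change GHASH, so the original tag no longer verifies.
        "tampered_ciphertext_rejected": not verify_tag(TC2_H, TC2_EK_J0, b"", tampered, TC2_TAG),
        "changed_aad_rejected": not verify_tag(TC2_H, TC2_EK_J0, b"hdr", TC2_CIPHERTEXT, TC2_TAG),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The tag is the hash XORed with a single AES counter block, which is why reusing a nonce under one key is fatal for GCM: two messages encrypted with the same J0 give tags whose XOR is a polynomial in H alone, and once H is recovered an attacker can forge tags for arbitrary ciphertext and additional data. verify_tag uses hmac.compare_digest so the comparison does not leak where the tag first differs.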

4. (updated) Special Publication 800-73 Revision 1, Interfaces for Personal Identity Verification

This document file was updated April 20. An updated errata page is also included.

Go to: to see the updates that were made.

Posted in Security | Leave a Comment »

Remove the 100 song cap on your iTunes phone

Posted by Xavier Ashe on April 27, 2006

If you are one of the few to have an iTunes Music Phone (ROKR, SLVR) it is more than frustrating to have a 100 song limit on the phone. What is with THAT restriction? A patch was developed to remove that 100 song cap, and make the new limit 1000 songs. Now if they could only find a way to make the USB 1.0 port a USB 2.0 port we are good to go!

Of course it goes without saying that this hack, along with any other, is not supported by Motorola, and has the potential for bad mojo on your phone. Although I have found no reports of any problems, it is important to be aware of this fact. With that said, let's blast the 100 song cap off of this phone.

Get the Hack over on UNEASYsilence.

Posted in Other Technology, Security | Leave a Comment »

Letter to the Governor

Posted by Xavier Ashe on April 24, 2006

I just sent the following letter to Sonny Perdue regarding HB1259.  Read my previous post for more information.  You can send your own message to the Governor here and can use any bit of my message below.

Mr. Perdue, I am a computer security specialist and have been for 13 years.  I am currently working at IBM as a security architect, designing information security solutions for Georgia companies.  I am writing to address bill HB1259, a bill I believe is sitting on your desk for a signature.  I am asking that you veto this bill.

There are two perspectives that I can give you as to why this bill will be an undue burden on our industry.  I was an independent consultant for a while and spent a good bit of money on industry certifications and training to certify that I was qualified to perform computer forensics.  I performed forensics for several firms, and for some of them I presented my findings to Georgia courts.  I was accepted as an expert witness, and my evidence held up to judicial scrutiny.  HB1259 will not do anything to qualify computer forensic scientists like myself.  It keeps independent consultants that are experts in computer forensics from gaining work and forces them to be employed by a PI firm.  To become a PI in GA, you don't ever have to take ANY classes on computer forensics.

The second perspective is from my current vantage point.  I now work for IBM, designing security solutions for some of the largest corporations in Georgia.  These companies have an internal security staff that is trained to do computer forensics.  Security incidents occur on an ongoing basis in large enterprises and these teams are quite busy.  They also have the same industry certification and training I had as an independent consultant.  They collect evidence as if they will prosecute every time, just in case they do.  Many times, companies decide to fire employees based on this information and will have to retain the evidence in case of civil litigation.  HB1259 will keep these trained engineers from doing their job, requiring a licensed PI firm to be paid every time a security incident occurs, which is often.

Overall, this is the PI industry's attempt to artificially protect their industry by passing overreaching legislation.  It will hamper security forensics work and cause companies to think twice before making Georgia their technological hub.  Please veto HB1259 today.  Thank You.

Posted in Personal Note, Security | Leave a Comment »

Georgia to Outlaw Computer Forensics

Posted by Xavier Ashe on April 24, 2006

For those of you who care about Computer Forensics, please see the current situation in Georgia.

There is a bill before the GA Legislature — HB 1259

If passed, it will make it a Felony to perform and testify in a
State Court about any computer forensics performed, unless you are a
licensed Private Investigator.

This law will put honest, local companies out of business, unless
they go and get licensed. Note, the GA requirements for a Private
Investigator have NO REQUIREMENTS to have ANY computer forensics
expertise, nor is there any training regarding how to collect the

Several other states already have these laws, which only allow
licensed private investigative services companies to perform and testify
to any computer forensics related evidence. (Note, this would also
include any IT Audit records, not specifically limited in any way to
performing “Encase” like hard drive forensics.)

If you live in GA, please contact the Governor and ask that he VETO HB1259.

Posted by dc0de. This would make it near impossible to have an internal security staff do forensics and more costly for independent consultants like I once was.  This is pure industry self protection.  The PI industry has not kept up with technology and is wanting the law to protect their elitism.  Reading through the thread on MemeStreams gleans some additional information.  Dc0de posted up an email he got from John Roberson of The Georgia Association of Professional Private Investigators, Inc. (GAPPI):

There has been no change in HB-1259, it is still on the Governor's
desk. That means we still need calls to his office to encourage him to
sign the bill this year. The telephone number is (404) 656-1776, so
call as soon as you read this message. You also need to contact five
others to get them to call also. They don't have to be private
investigators, just regular folks like your mother, father and other
friends and relatives. It is very important to our industry. If you
have kept up with state and national legislation over the past five
years we are losing ground every year, and pretty soon our industry
will be eroded away. Let's begin the fight now so as not to lose any
more ground. Thanks for your participation.

Here is some more discussion of the issue. Here is the actual text of the legislation. The Atlanta High Technology Crime Investigation Association is holding a meeting on this subject on May 8th. Calvin Hill, Representative who sponsored the bill, and John Villanes, Chairman, Georgia Board of Private Detectives will be at the meeting.

You can contact Sonny Perdue on this web form or call 404-656-1776.

Posted in Personal Note, Security | Leave a Comment »

Fantastic Security Awareness Videos for FREE

Posted by Xavier Ashe on April 23, 2006

EDUCAUSE/Internet2 Computer and Network Security Task Force and the
National Cyber Security Alliance have announced six winners for a
computer security awareness video contest, as part of a national
campaign to raise awareness of and increase computer security at
colleges and universities. The contest searched for two categories of
short computer awareness videos that addressed a broad range of
security topics or focused on a single security issue. Submissions were
developed by college students for college students. The winners’ videos
are featured on the EDUCAUSE Web site and will be utilized in campus security awareness campaigns and efforts.

Winners were selected for creativity, content and quality of information,
overall effectiveness of the delivery, and technical quality. Cash
prizes were awarded to winners in each category. The two “gold” winners
received $1,000, two “silver” winners received $800, and two “bronze”
winners received $500 in cash prizes. The winning videos were:

Broad Topic Category:

  • Gold – “Superhighway Safety,” Savannah College of Art and Design
  • Silver – “Wasteland,” College of William and Mary and University of Virginia
  • Bronze – “The McCumber Cube,” Idaho State University

Single Topic Category:

  • Gold – “Bob, You’ve Been Phished,” Cal Poly Pomona
  • Silver – “Computing in a Community Environment, Part IV: Back Yo Data Up!” Wake Forest University
  • Bronze – “Act Now, Stay Current,” James Madison University

Get your copy or simply view them at:


Posted in Security | Leave a Comment »

ANA Spoofer Project

Posted by Xavier Ashe on April 22, 2006

The classic design tenets of Internet architecture produced a
network capable of remarkable scalability while relegating security to
the end hosts. As a result, the public Internet includes no explicit
notion of authenticity and will forward packets with forged headers.
Malicious users capitalize on the ability to “spoof'' source IP
addresses for anonymity, indirection, targeted attacks and security
circumvention. Compromised hosts on networks that permit IP spoofing
enable a wide variety of attacks. Despite being first exploited over
, IP spoofing is
a persistent problem and a continued threat. In addition to mounting
spoofed-source bandwidth-based denial-of-service (DoS) attacks, new
exploits utilizing IP spoofing surface regularly.

Every hour, we generate a
summary report
on the current state of
Internet spoofing. Thus far, we've collected data from approximately 1100
clients, 500 networks and 450 ASes.

From the ANA Spoofer Project.  Pretty neat little project from the Computer Science and Artificial Intelligence Laboratory at MIT. 

Posted in Security | Leave a Comment »

Blingo on

Posted by Xavier Ashe on April 22, 2006

Do you have a mobile phone with web browsing capability? Now you can use Blingo even when you're on the go.
Need to look up an address? Want to check the weather? Wondering
whether your local malt shop is open for a quick after-dinner dessert?
Find their web site using Blingo!

Just point your phone's web browser at and you'll
have the full power of Blingo Web Search in the palm of your hand.

We know what you're wondering, and the answer is yes, you can win a prize even when you use Blingo from your phone.

Nice… I use my Blackberry on a daily basis.  Join Blingo today and win prizes while you get google search results.  I am up to two free movie tickets.

Posted in Other Technology | Leave a Comment »

Mapping the Iraqi IPv4 Space

Posted by Xavier Ashe on April 21, 2006

This project is a continuing look at various countries' IPv4 address
space. For this particular project I look at Iraq (Apr 2006). Iraq is
unique in all the projects I have done in this venue thus far, even
compared to Afghanistan. The majority of the infrastructure that
supported Iraq's Internet was destroyed during the war. And the
rebuilding of that infrastructure, as for the rest of the country
itself, has been painstakingly slow. In fact, it appears that the vast
majority of Internet activity throughout Iraq is taking place on IP
ranges assigned to the US and Britain. Added to that, most of the
infrastructure that supports Internet communication appears to be
conducted over wireless and satellite as opposed to land lines.

Very interesting project from Osin.

Posted in Security | Leave a Comment »

Are you Blacklisted from the hackers?

Posted by Xavier Ashe on April 21, 2006

I was Blingo-ing around today searching for blacklists for common spammer and hacker subnets and found a blacklist that hackers use so that they don't piss off the wrong group.  Click below, but be wary of the popups.  And considering it's a blackhat link, I wouldn't try it with IE.  Let me know if you find your group on this list.  It supposedly has a list of all the FBI honeynets.  I will forward this list to my FBI contacts to see how accurate it is.  Interesting….

Blacklist for Hackers.

Posted in Security | Leave a Comment »

The Evolution Of Spy Tools

Posted by Xavier Ashe on April 20, 2006

Real spies may tell you that their lives are nothing like what you’d
see in a Hollywood movie, but don’t be fooled: They’ve still got some
pretty cool gadgets.

And aside from the relatively recent tools
that monitor electronic correspondence, most of those gizmos have been
around for a pretty long time. Spies claim that theirs is the
second-oldest profession, and basic espionage needs haven’t changed:
looking and listening, getting the information they need, and smuggling
it back home.

What has changed is the way those spy gadgets work.
As technology advances and enemies get smarter, spies have had to
constantly re-invent the tools of their trade.

Neat article on

Posted in For Fun, Other Technology | Leave a Comment »

Going Spain-ward

Posted by Xavier Ashe on April 20, 2006

I am booked and ready to go to Barcelona in June to speak at the Netcool User's Conference.  I am very excited to head to Spain, but equally excited to speak with my European counterparts about security.  I will be presenting some case studies and discussing the ways our customers have found success using NeuSecure.  I also will be learning much from the engineers and customers in Europe.  Looking forward to it!

Posted in Lectures, Personal Note | Leave a Comment »

Novell Acquires e-Security

Posted by Xavier Ashe on April 19, 2006

Novell today announced its acquisition of e-Security, Inc., a move that will make Novell a pioneer in delivering a single view of security and compliance activities across the entire enterprise. The deal combines the benefits of Novell's identity and systems management expertise with e-Security's real-time event monitoring, response and reporting capabilities. With a comprehensive view of user, network and application events, customers will now be able to streamline a previously labor-intensive and error-prone process, cut costs through automation, and build a more rigorous, predictable security and compliance monitoring program.

Read the full Press Report.  E-Security now makes the 2nd SIM vendor to be acquired by an established company… NeuSecure being the first :).  I wonder who's next…..

Posted in Security | Leave a Comment »
