Kavinda Munasinghe's Blog



 Wednesday, July 02, 2008
Posted by Kavinda Munasinghe on Wednesday, July 02, 2008 8:55:20 AM (Sri Lanka Standard Time, UTC+05:30)
My Google Shared Stuff page is missing all the stuff I had shared on it! What gives?

It's true that I haven't used the service for some time, mostly because of the Google Reader Shared Items feature. I noticed this when I was looking for something that I remember sharing using Google Shared Items, but when I went to the page it was blank; it said "You have no shared stuff!"

Luckily, I had also added my Google Shared Stuff to my FriendFeed, so I found the page I was looking for. But where is my happy ending? Where has all the shared stuff gone...




Categories: Google



 Saturday, June 28, 2008
Posted by Kavinda Munasinghe on Saturday, June 28, 2008 12:14:18 PM (Sri Lanka Standard Time, UTC+05:30)
Earlier this week the Microsoft IIS team released URLScan 3.0 (beta) to help fight SQL injection attacks at the web server; now Microsoft has put out another tool, this time in the form of a code analyzer. Microsoft Source Code Analyzer for SQL Injection should help you quickly analyze and secure any existing ASP code.

Microsoft Source Code Analyzer for SQL Injection [Community Technology Preview (June 2008)]
Static code analysis tool for finding SQL injection vulnerabilities in ASP code.

Also, there is this tool from HP that lets you check your sites for these types of vulnerabilities.

Scrawlr (offered as-is; not a supported HP product)
Developed by the HP Web Security Research Group in coordination with the MSRC, it will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL injection vulnerabilities.




Categories: Internet | Microsoft



 Wednesday, June 25, 2008
Posted by Kavinda Munasinghe on Wednesday, June 25, 2008 11:39:26 AM (Sri Lanka Standard Time, UTC+05:30)
Those nasty SQL injection attacks have not stopped. They've probably just started!

If you're still in the process of going through your SQL code and making sure it's not susceptible to SQL injection attacks, that means your websites are still wide open to the attack.

However, not to worry: the Microsoft IIS team has come to the rescue by announcing the shiny new Microsoft UrlScan Filter v3.0 Beta release. It includes a Go-Live license, so you can deploy it on your production servers.

Here are some of the cool new features:

  • Support for query string scanning, including an option to scan an unescaped version of the query string.
  • Change notification for configuration (no more restarts for most settings).
  • UrlScan can be installed as a site filter. Different sites can have their own copy, with their own configuration.
  • Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
  • Custom rules can be created to scan the URL, query string, a particular header, all headers or a combination of these. The rules can be applied based on the type of file requested.

One important thing to remember is that although this will protect websites against this latest form of SQL injection attack, any poorly written code still needs to be fixed. No escaping that.



Categories: Microsoft | Scripting | Software



 Thursday, June 19, 2008
Posted by Kavinda Munasinghe on Thursday, June 19, 2008 9:35:27 AM (Sri Lanka Standard Time, UTC+05:30)

From the number of hits I've been getting on the posts on How to move Symantec Endpoint Protection Manager to another server and on How to change Symantec Endpoint Protection Manager port, it seems that a lot of you are in need of information on this product. So I thought I'd share this with you as well.

If you've got your Symantec Endpoint Protection Manager "Symantec Web Server" website on Windows Server 2003 SP2 (IIS 6.0), install the FastCGI extension for IIS and configure the "Symantec Web Server" website to use it. Doing that should speed up your SEPM console. Well, not all of it; mainly the Home, Monitors, and Reports pages will show the improvement.

You can find the documentation on how to do it on the installation CDs, although I found it under the NoSupport directory: Symantec_Endpoint_Protection_11_0_2000_MR2_AllWin_EN_CD2\TOOLS\NOSUPPORT\FASTCGI\FASTCGI_SETUP_README.PDF. The instructions from Symantec state that "Symantec provides full support for the Symantec Endpoint Protection Manager with the successful installation of the FastCGI extension." So go ahead and give it a try.




Categories: How To | Symantec



 Wednesday, June 18, 2008
Posted by Kavinda Munasinghe on Wednesday, June 18, 2008 10:11:37 AM (Sri Lanka Standard Time, UTC+05:30)

[Image: Firefox Download Day 2008]

Firefox Download Day is here. Download Firefox 3 today! Help set a World Record and make history!




Categories: Internet | Software



 Thursday, June 12, 2008
Posted by Kavinda Munasinghe on Thursday, June 12, 2008 1:05:07 PM (Sri Lanka Standard Time, UTC+05:30)
In my last post I wrote about moving Symantec Endpoint Protection Manager to another server; one of the reasons I did so was the conflict between Windows Server Update Services and SEPM on port 80 of IIS.

However, instead of moving SEPM to another server, it is also very much possible to keep SEPM on the same server by configuring its website to work with a custom port.

The installation process does ask us whether we'd like to use the default website or create a separate site. However, it does not give an option to select a desired port for the website, so we'll need to configure this after the installation.

There is a Symantec knowledge base article with detailed step-by-step instructions on how to configure SEPM to use a different port: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111212591048. This solution is good if you don't have clients already deployed.

However, if you do have a substantial number of clients already deployed, the problem with the method the knowledge base article uses is that once we change the port of the IIS website, the clients that are currently connected to it will no longer be able to communicate with the server.

This means that after changing the port, there is a manual process involved in getting each client computer to reconnect to the server. This is done by updating a file on the client computers, namely the symlink.xml file. It's not a difficult thing to do; all you need is a small script to replace this file on all your client machines. That solution didn't look clean enough, so here is how I would suggest making the change.

First of all, you need to have the Symantec site installed on a custom website instead of the Default Web Site in IIS; follow the instructions in the knowledge base article to get that done.

1) Install Symantec Endpoint Protection Manager on a custom Web site.
       i. Execute the Symantec Endpoint Protection Manager installer.
       ii. Select Create a custom Web site and proceed with the installation.
After the installation is complete, a site called "Symantec Web Server" exists in IIS.

2) Create another website with the exact same settings but with a custom port.
       i. Export the current configuration of the Symantec Web Server site to a file: right click the "Symantec Web Server" site, click All Tasks, click Save Configuration to a File and save this file.
       ii. Import it as a new website: right click "Web Sites", click New, click Web Site (from file), and select the file that you saved in the first step.

You will be asked whether you want to overwrite the existing website or create a new one. Create a new one. The new site will also be named "Symantec Web Server" and will be in a stopped state; rename the site so you don't get the two mixed up, then go to the new website's properties and configure it to use a port number that you like, say 8080. Do the same with regard to the "Application Pools": create your own "SymantecAppPool" from a copy of the "DefaultAppPool" and assign the new site to use it. Now start the new site.

3) Create a new Management server list.
       i.   In Symantec Endpoint Protection Manager, click Policies, click Policy Components, click  Management Server Lists.
       ii.  Make a copy of the Default Management Servers list. Copy and Paste works here.
       iii. Edit the new server list.
             - Edit the existing servers under Priority 1 so that they will use your custom port
             - Add a new Priority, then add the same servers that are in Priority 1 to it, but without customizing the port. This is more of a backup plan: just in case clients are not able to connect to the custom port, they can try the default.
       iv. Assign this new management server list to your groups and locations.
       v.  Update Contents on all clients so that this new policy is reflected for clients.

4) Edit Tomcat properties.
After all the clients have been updated, we can change the conf.properties file located under the Symantec install directory, something like C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\etc\conf.properties.
       i.   Stop the Symantec Endpoint Protection Manager service.
       ii.  Open the conf.properties file in Notepad.
       iii. Add the line "scm.iis.http.port=8080" (without the quotes, and with whatever port you want to use instead of 8080) to the end of the file.

5) Restart Server.
Now stop the "Default Symantec Web Server" and restart the server that hosts Symantec Endpoint Protection Manager.
After the server boots up, confirm whether the custom port has been configured in the Default Management Server List.  You can do this by clicking Edit on the Default Management Servers list. Although the default list is not editable, you can view the changes and confirm whether or not the custom port has been configured correctly.

6) Clean up.
If all looks well, that is, the port has been configured and the clients have connected to the server on the custom port, you can:
       i.  Re-assign the Default Management Servers list back to your groups, and also
       ii. Delete the custom Management Server list created in step 3
       iii. Delete the "Symantec Web Server" website that uses port 80


That's all. If you find that by accident some client did not get updated when step 3 was done, you can always manually update that client's symlink.xml file.




Categories: How To | Symantec



 Monday, June 09, 2008
Posted by Kavinda Munasinghe on Monday, June 09, 2008 1:32:05 PM (Sri Lanka Standard Time, UTC+05:30)

For various reasons you may need to move Symantec Endpoint Protection Manager from one server to another. By another server, I mean one with a different IP address and host name.

I needed to do this some time back, one of the reasons being a conflict for port 80 on IIS. The Windows Server Update Services (WSUS) Self-update service accesses the WSUS server on port 80, and Symantec Endpoint Protection Manager also installs its website on port 80. The event log showed an error "Self-update is not working" with Event ID 13042.

Your reasons for moving Symantec Endpoint Protection Manager to another server may be different, but either way, here is how I did it.

Looking around the web you'd find that there are two ways of getting around this:

1. Replication method
2. Backup-restore method

Of the two, the replication method seemed to make more sense and looked the easiest to get done.

In summary, what we need to do is:

  1. Install SEPM on a new server
  2. Configure it for replication with the first site
  3. Change the priorities of the management servers to reflect that this new server is of higher priority, or simply assign all groups to this new server
  4. Uninstall the old SEPM


Here is how you do that, step by step:

  1. First install Symantec Endpoint Protection Manager on a new server
  2. When you get to the Management Server Configuration Wizard panel, go through with the Advanced Configuration type; Select how many computers will be managed by this server
  3. Choose to Install an additional site. This is the only option that will install a Management Server and a database for replication.
  4. In the Server Information panel, accept or change the default values and then click Next
  5. In the Site Information panel, accept or change the name in the Site Name box and then click Next. The Site Name cannot be the same as what you have on your other SEPM.
  6. In the Replication Information panel, type values in the following boxes:
       Replication Server Name (The Name or IP address of the old Symantec Endpoint Protection Manager)
       Replication Server Port (The default is 8443)
       Administrator Name (The Username used to log on to the old console)
       Password (The password used to log on to the old console.)
  7. Click Next
  8. In the Certificate Warning dialog box, click Yes
  9. In the Database Server Choice panel select either the Embedded database or Microsoft SQL Server, irrespective of what you have on your old server, and click Next to complete the installation.
  10. Log in to the new Symantec Endpoint Protection Manager (SEPM) and ensure that all the clients and policies have been migrated successfully
  11. Click Policies
  12. Click Policy Components
  13. Click Management Server Lists.
  14. Select the Default Management Server List for 'NEW SEPM'
  15. Click Assign the List
  16. Select all the locations and groups and click Assign to replace the existing Management Server list pointing at the old server with the new one.
  17. Wait for all the clients to reflect this change and connect to the new server. We can go through the log entries, or on the Clients tab of the new SEPM you'd see a computer icon with a green dot for the clients connected to it, and a computer icon with a red arrow for the clients still connected to the other server.

    After the successful migration, I let this configuration run for a few days before doing the following:

  18. Uninstall the old Symantec Endpoint Protection Manager (SEPM)
  19. Log in to the new SEPM and delete the old SEPM server from the Replication partners list and the Remote Sites
  20. Under the Management Server Lists Policy Component, Delete the Default Management Server List for 'OLD SEPM'


The original of the above steps can be found at: https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=5911. I've edited the above based on my experience to hopefully bring in a little bit of clarity.

This worked perfectly for me and I hope it works for you too. However, it's advisable to first read Best Practices for Disaster Recovery with Symantec Endpoint Protection and be prepared for the worst.




Categories: How To | Symantec



 Friday, May 30, 2008
Posted by Kavinda Munasinghe on Friday, May 30, 2008 9:48:53 AM (Sri Lanka Standard Time, UTC+05:30)

The Firefox team is trying to set the record for most software downloads in 24 hours with the upcoming Firefox 3 release. If you want to help out with this effort visit the Firefox Download Day 2008 Website and make a pledge.

[Image: Download Day 2008]

I switched from Firefox 2 to Firefox 3 with the initial beta releases and now run the release candidate. I'm definitely loving it.




Categories: Internet



 Tuesday, May 27, 2008
Posted by Kavinda Munasinghe on Tuesday, May 27, 2008 1:15:56 PM (Sri Lanka Standard Time, UTC+05:30)

What's wrong with the email I got below? Well, for one thing, I didn't try to reset my password, and the email doesn't tell me what to do if I was not the one who initiated this password reset process.

[Image: Google Password Reset Attempt]


Someone had recently attempted to reset my Google Account password. I'm not sure if this happened by accident or if it was an intentional attempt to gain access to my account. Either way, it got me thinking: "What if someone stole my Google account? What can I do?" If you had your account stolen, what sort of impact would it have on your life?

If you've just been using it to access various Google services, you will no longer be able to access any of them. If you've been using Gmail with that account, then other online services that you've associated with it get compromised as well. For example, at http://digg.com you can retrieve a lost user name or password by simply entering your email address. What this means is that if someone stole your email account (the one used with digg), they've basically taken over your digg account as well.

Life is going to be very frustrating and you'd need to recover from this situation as quickly as possible. Leaving aside all the freaking-out, head-banging and sobbing there is hope.

Google Accounts Help provides support when you face "issues that prevent you from accessing your account". However, if you want to have your problem solved quickly and efficiently you need to do your part and help out with some information regarding your account. The more you know the faster your turnaround time is going to be.

Some of the questions that you'd be asked to prove your ownership of the account include:

- Last successful login date
- Account creation date

- If you use Gmail:
    Most recent secondary email address
    Up to five frequently emailed contacts
    Names of up to four labels

- If you signed up via an invitation:
    Invitation URL (listed in your Gmail invitation)
    The Gmail username of the person who invited you to create an account
    The email address to which your invitation was sent

- Google products you used with this account and the date you started using each one

While you are not required to answer all of these, being able to answer at least some of the additional questions will definitely help your case. Knowing this, I took a few minutes to find the answers to some of these questions. Just in case.




Categories: Google | Internet



 Thursday, May 22, 2008
Posted by Kavinda Munasinghe on Thursday, May 22, 2008 10:15:17 PM (Sri Lanka Standard Time, UTC+05:30)

The month of May seems to be a time for many SQL injection attacks around the world. Unfortunately, one of the sites affected by these attacks happens to be one that is administered by a friend of mine. As it so happens, the site was also developed by a friend, and I'm sure we can have a good time reminding him to give SQL injection the respect it deserves for a long time to come.

Anyway, getting back to the attack, I was able to get a few logs to see what was happening first hand. Here is a (modified) extract of the IIS logs that shows what had happened:

This particular attack, carried out from within China (WHOIS: 58.215.76.181), is pretty interesting: most of the SQL is obfuscated behind a very long hex string (CAST(0x<hex string> ...)). I've removed the original string and replaced it with something harmless and much shorter in the above log entries.

The attacker tried two slight variations of a SQL injection attack, in the form of

1) /page.asp?pageID=2;SQLStatement;--

2) /page.asp?pageID=2';SQLStatement;--

The attacker keeps trying the above two combinations on different pages of the website till he gets a status 200 result, then leaves.

So what has the attacker done in his SQL statement? To figure this out we can fire up SQL Server Management Studio and use pretty much the same code that the attacker used, except that we substitute the EXEC with a PRINT to view the query instead of running it:

DECLARE @S NVARCHAR(4000);
-- paste the hex string from the log entry in place of the placeholder
SET @S = CAST(0xuseTheActualHexString AS NVARCHAR(4000));
PRINT(@S);

The attacker's SQL queried all the user tables, found the columns in each of these tables that store string values (text, nvarchar, varchar, etc.), then appended a <script> tag with a URL pointing to a malicious .js file to each of those column values. The SQL was also "nice" enough not to replace the original values but only to append to them, and it even properly closed and deallocated the cursors used in the attack query!

The result of all that is that every website configured to use that database starts to display its pages as shown in the following Google search result. Innocent visitors to the site would in some cases execute that .js file in their browser, which could cause all kinds of havoc depending on what is in the specified .js file.

[Image: SQL Injection Attack Victims]

Recovering from the attack is straightforward: use a clean backup of the database, or if you really wanted to, you could just remove the appended <script .. > portion from all the column data using the same script that was used to insert it.

But how do we prevent this from happening again? Well, that's another post. Just remember to give SQL injection the respect it deserves.
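As an added example (not part of the post), here is a small Python triage script that finds the two query-string variants described above in IIS W3C log lines and decodes the CAST(0x...) hex payload the same way the PRINT trick does, so an administrator can read what was executed and see which request got the status 200. The log lines and the hex string are constructed; the payload decodes to the harmless statement SELECT 1.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log lines (not from the post). The real attack carried a very
# long hex string; this one decodes to the harmless "SELECT 1".
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-20 10:01:02 203.0.113.5 GET /page.asp pageID=2 200
2008-05-20 10:01:09 203.0.113.5 GET /page.asp pageID=2;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S);-- 500
2008-05-20 10:01:15 203.0.113.5 GET /page.asp pageID=2';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S);-- 200
"""

# CAST(0x<hex> AS NVARCHAR(...)) or VARCHAR; group 2 tells us whether it is the N (UTF-16) type.
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)
# Stacked statement appended to a parameter: "value;stmt;--" or "value';stmt;--".
STACKED = re.compile(r"^[^;']*'?\s*;.*--\s*$")


def decode_hex_payload(hexstr, is_nvarchar=True):
    """Decode the hex literal as SQL Server would when casting it to NVARCHAR (UTF-16LE)
    or VARCHAR (single-byte). Returns None if the hex literal is malformed."""
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        return None
    if is_nvarchar and len(raw) % 2 == 0:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def parse_w3c(text):
    """Yield one dict per record of a W3C extended log, using the #Fields: header for names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def analyze_log(text):
    """Return one finding per request whose query string looks like the stacked-query
    pattern from the post, with the hex payload decoded where one is present."""
    findings = []
    for rec in parse_w3c(text):
        query = unquote(rec.get("cs-uri-query", ""))
        m = HEX_CAST.search(query)
        if not (m or STACKED.match(query)):
            continue
        findings.append({
            "time": rec["time"], "ip": rec["c-ip"], "stem": rec["cs-uri-stem"],
            "status": rec["sc-status"],
            "quoted_variant": "';" in query,  # variant 2 (pageID=2';...) vs variant 1
            "decoded": decode_hex_payload(m.group(1), m.group(2).upper() == "N") if m else None,
        })
    return findings


def successful_injections(findings):
    """The attacker in the post moved on after the first 200; those are the hits to triage first."""
    return [f for f in findings if f["status"] == "200"]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real IIS log and the decoded field shows the statement that was executed, without having to paste the hex string into SQL Server Management Studio.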




Categories: Internet | Miscellaneous | Scripting






Copyright © 2008 Kavinda Munasinghe. All rights reserved.