Showing posts from September, 2012

Event ID 1517 / 1524 in Windows Server 2003 Event Viewer - Server Login Requires Reboot

I recently worked on a Windows 2003 server that required manual reboots in order to log in, whether via console or Remote Desktop. After rebooting, Event ID 1517 was logged repeatedly in Event Viewer (protip: this error could also appear as Event ID 1524 in Windows Server 2003, or as Event 1000 in Windows Server 2000). Microsoft explains this error in better detail than I can in KB article 944984 - essentially, user profile registry hives are kept in limbo after log off and are never completely unloaded. Unfortunately, the hotfix described in the KB article didn't help. I don't administer this server; I was just called in to fix the issue without breaking anything else. At this point, I knew the administrator had an application in need of some coding assistance. I didn't have time to review every application's authentication behavior, though, and I am a novice developer at best. As an alternative to reviewing miles of code, I installed the User Profile Hive Cleanup S

Google+ Integration

I am always looking out for new gimmicks to trick poor innocent souls on the internet into stumbling onto my website, so after countless prompts and notifications, I have finally broken down and activated a Google+ account. I'm interested in showing authorship in my search results, and now I can be sure that at least the FBI is reading my blog. It's still a work in progress, but I am not sure what the point is after an initial inspection. MySpace was for 12 year old girls and awful bands. Facebook is for stalking your ex so that you in turn can be stalked by your government. Google+ ... what is Google+ for? I found some friends and coworkers and added them to circles. This was okay, and they always have some interesting things to say in the stream, but I found after a while that their comments were pushed underneath a bunch of posts by people I don't know about topics I don't care about. Here is a brief list of some of the random things added to my stream that I ha

This Looks Legit

I have seen quite a bit of unsound advice on the Internet over the years, enough that I thought I was rarely surprised by idiocy anymore. The video above, though - this one made me laugh out loud. You know the video is going to be a gem from the title - "Apple Keyboard Secret That Apple Does Not Tell You". Anything with "The Secret That X Doesn't Want You to Know" is usually a window into the mind of a lunatic, and this does not disappoint. Give it a click - it's only about 30 seconds long.

Websockets and IIS8 - Enable the WebSocket Protocol Module

A few months ago, I wrote a post about WebSockets and IIS7, explaining how some extensive hacking is needed to get WebSockets working and providing a link to an application that would accomplish just that. That post was very popular - Microsoft developers are obviously looking for ways to implement WebSockets, and there is not a lot of documentation out there to assist them yet. With the release of Windows Server 2012, Microsoft is now including native support for WebSockets. Unfortunately the 2008 hack (released by HTML5Labs) is now deprecated, and has been removed from the developer's website. Because there is so much interest, and no longer a fix to implement WebSockets in IIS7 that I am readily aware of, I am going to start putting together some information for developers here on IIS8. This post will just have the basics, and I will expand on the topic through later posts. To get started, it is necessary to enable the WebSocket Protocol Module. The module is available as a

Error 0x84B30002 When Uninstalling MSSQL 2008 R2

Have you encountered error 0x84B30002 when uninstalling MSSQL 2008 R2, preventing the uninstall from proceeding? I have. So far I have only encountered the issue with Express Edition, although rumor has it that the error can occur with other editions as well. The error message will be displayed in a pop-up as well as in the summary.txt log file in the installation directory. Here is how to fix it:

1. Launch the registry editor by typing regedit in the Run bar in the start menu.
2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
3. After expanding Uninstall, locate each key related to the SQL instance you are attempting to remove - if there is only one instance on the server, locate each key with the word SQL in the DisplayName field.
4. Within each key, locate the GUID. It will look something like this: 234A1B2C-12AB-1AB2-B1C2-A12B345678C1 and is typically contained in either the ModifyPath or Uninstall

Windows 8 Rootkit Discovered in the Wild

That was quick. Italian security consultants ITSEC discovered the security hole following an analysis of the Unified Extensible Firmware Interface (UEFI), a successor to the legacy BIOS firmware interface, that Microsoft began fully supporting with 64-bit versions of Windows 7. Tip of the hat to The Register, linked above. [EDIT: The article specifies the payload as a "bootkit". This was deliberately omitted on my part. The word "bootkit" strikes me as part of that trend to modify prefixes of words to make them ludicrously specific, like how Watergate became EverythingUnderTheSun-Gate. It's a cheap way to feign familiarity through reference. Is there a relevant distinction between the terms bootloader and rootkit I'm ignoring? If so, feel free to shine light on my ignorance via email or in the comments.] Since we are on the topic of hardware hacking, last week I caught a printer spamming - as in, a printer that was network available that had been compromis

More Fun With PCI

I received a notification from a large security auditing firm that, of the ciphers currently available, only RC4 ciphers will be considered PCI compliant. My assumption based on the notification is that this move is intended as a rejection of CBC (Cipher Block Chaining). Well, that's fine as far as I am concerned. CBC has some serious issues as implemented in SSL v3 / TLS v1.0. In a nutshell, you can time responses for applications using the block cipher to get ranges of possible data in SSLv3 and partial payload decryption in TLS. So-called "stream" ciphers like RC4 are immune to this particular attack vector. You don't get private keys from the attack, it's by no means a fast attack (minimum of three hours), and you need access to monitor the session. Further, patches for CBC exist to override the timing exploit (for example, the NSS libraries used by Mozilla have been patched). I will save debunking the man-in-the-middle hysteria for a later post. What frustrate

A Modest Proposal

We're all grown-ups here. Can we agree to never say "app" in polite conversation ever again? I have trouble conceiving of another term that is more likely to make you look like a buffoon ("Social Media Guru" is a close second). Let's all have a bit of dignity and speak like we were taught to in schools and not in marketing meetings. ლ(ಠ益ಠლ)

Disable Display_Errors in Production

It's a simple message, but worth repeating. Yesterday I came across the website of a major internet security firm making a few first-day-on-the-job mistakes. While I am not going to "out" them before contacting them directly, what they did is silly enough that it warrants a bit of discussion in the abstract. display_errors was enabled in their web server's php.ini. As a result, a few helpful messages were displayed briefly at the top of several pages on the site:

1. The name of the database
2. The name of the table in use by that page
3. A list of every column in that table
4. An error indicating that the table is exceeding its maximum allowable size of 4GB

The site collects information about its users - IP address, browser info, referrer, etc. - and stores that information in a table in a MySQL database. We know from the error itself that the database is running on a server using a 32-bit operating system. With the structure of the database, we have everything we

Activating Windows Server 2012 GUI after Installing Server Core Only

[This article deals with issues with installing the 2012 GUI from Server Core. Do you need help with activating your license key? If so, try this article instead.] Update: James Stephan, currently Senior Analyst with Dell Health Services, was kind enough to point out to me that I had neglected to mention that this procedure will only function with fully licensed versions of Windows Server 2012. If you have downloaded and installed the free edition of Windows 2012 Server Core, you cannot activate the GUI. For quite a bit of detailed information specific to the free edition of 2012 Server Core, follow this link to James' blog. So I just started playing with Server 2012. Right out of the gate, I encountered issues installing to a hard drive with a pre-existing Windows 7 installation. I nuked the partitions during the install; however, when trying to install the full server GUI, I got a "Windows component cannot be found" error. I believe this was the result of the instal

Kaspersky, I Hardly Knew Ye

A few months ago, Noah Shachtman of Wired published an in-depth series of interviews with Eugene Kaspersky, owner of Kaspersky Lab. I realize this is an older issue, but it's still worth checking out. Schneier was late to the party, too, so I don't feel bad. First off, read the Wired article: Russia's Top Cyber Sleuth Foils US Spies, Helps Kremlin Pals. Then give Eugene's response a quick read: Then read the response to the response: How do you feel about your computers being owned by the Kremlin? Is it a refreshing change of pace from having your computers owned by the Pentagon/Home Office/Mossad?

Lol, Equity

Is anyone else scratching their heads about this HostGator / EIG acquisition? Accel-KKR has nice credit but $225 million feels like .com money, even for an established middle market. Maybe it makes sense for all the useless hardware that comes with it, I don't know. If anyone wants to enlighten a financial n00b shoot me an email.