Friday, October 24, 2014

Firewalls, IDS and sticky tape


More Surface Pro blogging....

I had some issues with some of the Windows 8 apps that rely on Xbox Live sign-in - most seemed to take ages to sign in and others refused to sign in at all (SmartGlass in Windows 8!!!). I'd been poking around BitDefender and just couldn't get deep enough into the configuration, so I removed it and went back to ESET.

After fiddling around trying to resolve SmartGlass sign-in error 0x3ec with no success, I made some changes to get everything else working... SmartGlass now shows error 0x3ea and I've stopped wasting any more time on it.

[Please note - SSL scanning in original post, but see update comment at end of post]
Long story short - I often enforce an SSL scan (just because a service uses secured transport doesn't mean someone hasn't cocked up something within the delivery), and this was basically what was causing the issue. After adding some certificates as trusted or excluded, the whole sign-in process was fine.

Excluded certificates: login.live.com, storage.live.com
Trusted certificates: none (other than what you already have)

Not happy that some certificates have to be excluded from SSL scanning, but it's a leap of faith needed to get the features operational. Don't forget to disable all obsolete versions of SSL (TLS 1.x only!) if the option exists in your security system.

In addition to that, firewall rules need to be added for outbound traffic.

Application: {windows}\system32\WWaHost.exe
Application: {windows}\SysWow64\WWaHost.exe
Protocols: TCP
Ports: HTTP, HTTPS (ports 80 and 443 by default)
Direction: Outbound
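
The same outbound allow rules, written as an added example for the built-in Windows Firewall (NetSecurity module, Windows 8/8.1 and later) rather than the third-party suite's firewall the post configured; the parameters are identical, while the rule names, the Private-profile restriction and the verification step are my choices, not from the post. Note the binary on disk is WWAHost.exe (case is irrelevant on Windows):

```powershell
# Added example (not from the post): outbound allow rules for the Windows Store app host.
# The post set these in a third-party suite; this expresses them for Windows Firewall.
# Rule names, the Private-only profile and the verification step are assumptions.
$binaries = @(
    "$env:SystemRoot\System32\WWAHost.exe",
    "$env:SystemRoot\SysWOW64\WWAHost.exe"
)

foreach ($exe in $binaries) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Skipping $exe (not present on this build)"
        continue
    }
    $name = "WWAHost outbound HTTP/HTTPS ($exe)"
    # Idempotent: do not create duplicate rules on a second run
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule already exists: $name"
        continue
    }
    New-NetFirewallRule -DisplayName $name `
        -Description 'Windows Store app host: Microsoft account / Xbox Live sign-in' `
        -Direction Outbound -Action Allow `
        -Program $exe -Protocol TCP -RemotePort 80,443 `
        -Profile Private | Out-Null
}

# Verify: show the program and port filters attached to the rules just created
Get-NetFirewallRule -DisplayName 'WWAHost outbound*' |
    ForEach-Object {
        $rule = $_
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Program = ($rule | Get-NetFirewallApplicationFilter).Program
            Ports   = (($rule | Get-NetFirewallPortFilter).RemotePort) -join ','
            Enabled = $rule.Enabled
        }
    }
```

Caveat: Windows Firewall allows outbound traffic by default, so these rules only change behaviour when the profile's default outbound action has been set to Block (which is the posture a suite in "interactive" mode is effectively giving you). Restricting to the Private profile keeps the sign-in path closed on public networks; drop the `-Profile` argument if you need it everywhere.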

The net result is that I have Windows 8 applications working and still isolated by the OS, with the IDS and SPI features working. There was an issue with a previous version where if your Xbox was wired to the network and you were using wireless for your SmartGlass device the two could not communicate - they needed to be on the same wireless network. I can understand why that might have been done but it renders the features pointless for me (it just doesn't fit the topology we need here at home).

As I've invested too much time already in SmartGlass I just uninstalled and moved on, but the rest of Xbox One, 360, SP3, Windows and WP are operational again.

Update 25-07-2015

I've now disabled SSL scanning in a few security suites due to concerns about privacy and chain management. A number of well thought of systems will not work with SSL scanning enabled (due to the way in which many security suites insert themselves into the chain). The firewall rules mentioned here could still help you, but I no longer recommend SSL scanning.
As part of my study for things like CEH I'm building a home IDS separate from these software components - these suites are fairly good for most people, but anyone who does a lot on their home networks should consider defence-in-depth these days.
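
Whether a suite's SSL scanning is still inserting itself into the chain is something you can observe directly rather than infer from which apps break. The following added example (not from the post) opens a TLS connection to the two hosts the post had to exclude and reports the leaf issuer, the root the local machine chains it to, and the negotiated protocol. The hostnames come from the post; the function name and the accept-everything validation callback are my assumptions for inspection purposes only:

```powershell
# Added example (not from the post): show the certificate chain this client actually
# receives for a host. A leaf issued by the security suite's own CA (typically named
# after the product) instead of a public CA means "SSL scanning" is still active.
function Get-ObservedTlsChain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443   # assumption: standard HTTPS port
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect the chain, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $tls.AuthenticateAsClient($HostName)
            $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
            # Let the local trust store build the chain: an interception proxy works only
            # because its root has been planted there, so the root name is the tell.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            [void]$chain.Build($leaf)
            $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            [pscustomobject]@{
                Host        = $HostName
                Protocol    = $tls.SslProtocol      # anything below Tls is an obsolete SSL version
                Subject     = $leaf.Subject
                Issuer      = $leaf.Issuer
                Root        = $root.Subject
                ChainStatus = $statusText           # empty string means the chain validated cleanly
            }
        } finally {
            $tls.Dispose()
        }
    } finally {
        $tcp.Dispose()
    }
}

'login.live.com', 'storage.live.com' |
    ForEach-Object { Get-ObservedTlsChain -HostName $_ } |
    Format-List
```

Run it once with scanning enabled and once with it disabled (or on a machine without the suite) and compare the Issuer and Root fields: a public CA in both is the state the post's update settles on. A Protocol value of Ssl3 or lower is exactly what the "disable obsolete versions of SSL" advice above is meant to rule out.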

Sunday, October 19, 2014

Job Board Analysis


I've been working on a blog post relating to the barter of personal information, most of it is unsurprising really but the flagrant disrespect for personal identity seems to be widespread.

An economy of scale where your information is bought and sold is inevitable - whether it's your personally identifiable information, the email address you used to sign up to a newsletter or the details you forgot to remove from public access on a social networking site.

This isn't the place for that full post but an offshoot of that research unveiled something that may be of use to others. This year I started using a new sequence of mechanisms designed to trace the flow of information whilst I use the job boards - they're an essential business tool because as a contractor / freelancer it's the easiest way to find clients.

However these sites often require registration and up front disclosure of details - meaning you're essentially putting your details in the hands of a 3rd party. Most of the sites automatically create an account for you the minute you apply for a role, and - despite best efforts from your side - automatically subscribe you to 3rd party offers, newsletters, etc, etc.

Once you've applied for a job you have to log in, uncheck the relevant spam mailer and distribution options and hit the apply button. That, in my view, is unacceptable as it essentially puts you on the spam lists before you get a chance to opt out. Most job sites are guilty of it - most notably JobServe and TechnoJobs.

So you've now applied for a job but at least two organisations have your details - the job website data owners and the recruitment agency. That assumes that your details haven't already gone to a 3rd party for re-use too.

TL;DR

All three distinct phishing attempts made in October used PII which indicates it was skimmed from CwJobs applications or profiles. Had it all come from only one of the accounts I'd make a guess that it had come from compromised data at Harvey Nash, but other permutations disproved this.

All three phishing attempts came from CwJobs email addresses which have only been used on that site, which means that either the recruiters or CwJobs - or both - aren't protecting personally identifiable information correctly.

Looking at it objectively it's more likely that the spammers are creating recruiter accounts on these boards and simply harvesting the details, capturing new job seeker update feeds, or acquiring the data more directly. Either way I've stopped using CwJobs altogether.
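
The tracing mechanism the post relies on (one mailbox alias per job board, so that unsolicited mail to an alias pins the leak to that board or to whoever it passed the data to) is simple to turn into a repeatable check. The following added example is mine, not the author's tooling: the alias registry and the message headers are constructed for illustration, and only the site names come from the post.

```powershell
# Added example (not from the post): attribute inbound phishing to the service that
# leaked the address, using one unique alias per service. Registry and headers below
# are constructed; example.net/example.org are placeholder domains.
$aliasRegistry = @{
    'jobs-cwjobs-2014@example.net'     = 'CwJobs'
    'jobs-jobserve-2014@example.net'   = 'JobServe'
    'jobs-technojobs-2014@example.net' = 'TechnoJobs'
}

# Minimal headers from received messages (constructed). The last two are included to
# show a hit on an alias the registry does not know, and a non-phishing alert.
$messages = @(
    @{ To = 'jobs-cwjobs-2014@example.net';   From = 'barrister.office@mail.example.org'; Subject = 'Late relative estate - urgent' }
    @{ To = 'jobs-cwjobs-2014@example.net';   From = 'claims.dept@example.org';           Subject = 'Unclaimed funds' }
    @{ To = 'JOBS-CWJOBS-2014@example.net';   From = 'legal.notice@example.org';          Subject = 'Next of kin notification' }
    @{ To = 'old-forum-alias@example.net';    From = 'promo@example.org';                 Subject = 'You have won' }
    @{ To = 'jobs-jobserve-2014@example.net'; From = 'alerts@jobserve.example.net';       Subject = 'New roles matching your profile' }
)

function Get-LeakAttribution {
    param([hashtable]$Registry, [array]$Messages)
    foreach ($m in $Messages) {
        # Address local parts are case-insensitive in practice; normalise before lookup
        $rcpt = $m.To.ToLowerInvariant()
        $site = 'unknown alias'
        if ($Registry.ContainsKey($rcpt)) { $site = $Registry[$rcpt] }
        [pscustomobject]@{
            Site    = $site
            To      = $rcpt
            From    = $m.From
            Subject = $m.Subject
        }
    }
}

# One row per message, then a per-site summary: an alias used on exactly one site makes
# every unsolicited sender to it evidence against that site's data handling.
$attributed = Get-LeakAttribution -Registry $aliasRegistry -Messages $messages
$attributed | Format-Table -AutoSize

$attributed |
    Group-Object Site |
    Select-Object Name, Count,
        @{ n = 'Senders'; e = { ($_.Group | ForEach-Object { $_.From } | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize
```

The summary is the evidence you would hand to the site operator or the ICO: which alias received what, from whom, and the fact that the alias was never used anywhere else. Keep the registry with the date each alias was first used; a leak that shows up only after a particular application narrows the candidate recruiters too.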

We cannot guarantee that other job boards aren't already compromised, but hopefully the dragnet will either help the ICO take the case forward or provide incentive to the site owners to review their validation procedures.

I've sent a copy of the blog post to the listed email address of the lawyer named in the spam, as well as the spammer's "personal" email address, to invite them to respond.

Phishing Explained

You really don't need to read this section if you're already aware, this is more aimed at people who have less experience with the web and email. I'm not writing this to extol any knowledge virtues but because I'm tired of answering the same questions from friends and relatives. Now I can just give them a URL to read.

So...

The aim of phishing is to get you to give up some personal details in order to access your account and get some money - or better, get you to give them money directly and save them the extra leg work. It's not about anything else.

I've got a dead relative in Malaysia and I should contact the Malaysian barrister using his Russian personal email address. Obviously if you want to check the address, having a poke around for the office on Street View will show you where they are.

Of course it turns out this particular legal firm actually exists and uses a different gmail account, but that's just paperwork.

Now if by this point you still think this is a potentially viable email with genuine offers you need to re-read the last few paragraphs carefully. Make sure you follow the links in this post (not in your spam / phishing email) and think about it. Any email that asks you for personally identifiable information - full name, date of birth, mother's maiden name, shoe size, etc... just delete it. If it's a bona fide conversation they'll be sending you a letter or calling you to make contact first. Don't give out any details over email to anyone you don't actually know.

I've included the entire email text in case anyone out there is searching for the same problem, and can get an indexed response based on content.

Saturday, October 18, 2014

5 Ghz Wifi & Surface Pro 3

I've noticed a trend with SP3 users over the course of its life so far, and there have been a few issues initially relating to overheating, pens, over-eager power saving and wireless networking.

Whilst I feel fortunate to have missed out on these problems in only buying after the first big batch of firmware and software updates I've still been struggling with the 5Ghz band Wifi issues; that is, until now.

Basically I've had WiFi problems with Windows Phone 8.1 and Surface Pro 3; although not Surface Pro 1, funnily enough. A registry hack enabled visibility of 5 GHz networks on the SP1, but after recent WP8 updates I've not been able to acquire those networks any more. 2.4 GHz is fine, and if separated from the router by more than one or two solid walls (esp. reinforced concrete) 5 GHz is next to useless anyway. I'm not going into details here but you can read about it on StackOverflow if you're interested.

However 5 Ghz is great for the same vicinity plus network storage / high data transfer, which is why I'm interested in getting it working over our home network. After two weeks of frustrated router settings experiments I found the solution whilst browsing with my Saturday morning cup of coffee.

The answer lies here on the Windows 8.1 Forums over at Microsoft. Now whoever UKNOWJP is, they deserve a medal - it only solves the problem on networks where you have the privilege to change the router & AP settings, but on your own network it's a winner.

There's all sorts of answers on the web about deleting drivers, updating router firmware, messing around with recovery partition driver versions....all valid solutions to other specific problems. However across all the different devices and patch versions I found across the forums this one was unique in that it solved the initial problem.

Just change all 5 GHz network channel numbers to below 100 - channel 36 is suggested in that post (you still need to use different channel numbers for different networks on the same band).
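
Before touching router settings it helps to know which channel each access point is actually on. The following added example (mine, not from the post or the forum thread) parses the output of `netsh wlan show networks mode=bssid` and flags 5 GHz channels that require DFS (radar detection), because a client adapter or driver that does not support DFS channels is a common reason it cannot see or join a network on them: channels 36-48 never need DFS, while 52-64 and 100-144 do in most regulatory domains. The sample output is constructed so the function can be checked offline; the live command is shown at the end.

```powershell
# Added example (not from the post): report each visible BSSID's channel and flag DFS
# channels. Parses `netsh wlan show networks mode=bssid` (Windows 7 and later).
function Get-WlanChannelReport {
    param([Parameter(Mandatory)][string[]]$NetshOutput)
    $ssid = $null; $bssid = $null; $radio = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*SSID\s+\d+\s*:\s*(.*)$')   { $ssid  = $Matches[1].Trim(); continue }
        if ($line -match '^\s*BSSID\s+\d+\s*:\s*(\S+)')  { $bssid = $Matches[1];        continue }
        if ($line -match '^\s*Radio type\s*:\s*(\S+)')   { $radio = $Matches[1];        continue }
        if ($line -match '^\s*Channel\s*:\s*(\d+)') {
            $ch   = [int]$Matches[1]
            $band = '5 GHz'
            if ($ch -le 14) { $band = '2.4 GHz' }
            # DFS ranges: 52-64 (UNII-2) and 100-144 (UNII-2 extended); 36-48 never need DFS
            $dfs = ($ch -ge 52 -and $ch -le 64) -or ($ch -ge 100 -and $ch -le 144)
            $advice = ''
            if ($dfs) { $advice = 'move to 36-48 if clients cannot see it' }
            [pscustomobject]@{
                SSID    = $ssid
                BSSID   = $bssid
                Radio   = $radio
                Channel = $ch
                Band    = $band
                DFS     = $dfs
                Advice  = $advice
            }
        }
    }
}

# Constructed sample in the netsh layout: one BSSID on DFS channel 100, one on channel 36
$sample = @'
SSID 1 : HomeNet-5G
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 72%
         Radio type         : 802.11ac
         Channel            : 100
    BSSID 2                 : 00:11:22:33:44:56
         Signal             : 80%
         Radio type         : 802.11n
         Channel            : 36
'@ -split "`r?`n"

Get-WlanChannelReport -NetshOutput $sample | Format-Table -AutoSize

# Live run on this machine (needs the WLAN AutoConfig service running):
# Get-WlanChannelReport -NetshOutput (netsh wlan show networks mode=bssid) | Format-Table -AutoSize
```

On the constructed sample the first row is flagged DFS with the "move to 36-48" advice and the second is not; on a live scan an access point that never appears at all is the one you will need to check from the router side, since a client that cannot use a DFS channel will not list it either.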

Don't forget: reboot the router after you've logged in to the admin area and changed your settings; this also terminates any admin session left open, so it can't be picked up by unwelcome guests on the network.

Now Windows Phone 8.1, Windows 8.1 (SP3 and SP1) all see every single WiFi network our routers provide...but it's not a silver bullet.

Prior to this I hadn't altered the channel number on the 5 GHz networks, so above channel 100 was the default setting. If that's the case we cannot guarantee that all networks of this frequency will enable contemporary Windows devices to connect - this only appears to be a problem with APs running the 802.11ac protocol afaik.

Overall I think Microsoft need to work on some updates which don't have this channel number requirement - and disclose why this problem exists.

Addendum: I haven't checked this with iPhone yet, my better half has a 4S - that and iPhone 5 weren't 802.11ac capable...Will update when she gets her iPhone 6 to see if these settings are compatible.

VMWare Player Memory Issues


I had a *facepalm* moment with VMWare Player yesterday and solved it today so thought I'd share it - Either that helps someone out or makes someone laugh at my stupidity (either way it's a positive post).

I've recently been getting things deployed to my brand new Surface Pro 3 and by and large it's been painless - almost everything Windows 8'y was done instantly because of the settings sync between my Surface Pro 1 and my various desktop and R&D VMs using the same Microsoft Live ID. It's optional of course but I found that it makes a positive difference.

The only installs I've had to do are the standard laptop / desktop installs, e.g. Visual Studio, ArchiMate, EA, Office, etc... and VMWare Player.

None of these were an issue, but when trying to spin up a VM I kept getting an error message telling me that there wasn't sufficient memory for the VM guest. I'd already moved VMX files across from the old Surface or installed new VMs from scratch, and it wasn't happening all the time.

I thought that was a bit strange as my Linux guests tend to have 512 MB RAM for sandboxes and up to around 2 GB for intensive operations (such as some research tools on Kali). With 8 GB of RAM on the SP3 and a few days researching memory cache in Win8.1 I was pretty confident that this wasn't the real issue.

Which of course it wasn't. Finally found this conversation chain on the VMWare forums.
Well that made a lot of sense. Should have checked UAC issues out first. I changed the application start-up options via context menu properties on %installPath%\vmplayer.exe to run as administrator... restart machine and - lo and behold - it seems to kick it into touch.
Hope that saves someone else the time spent on the problem :)