Some users have asked me how they can protect themselves against identity theft. I have researched the topic for a while and found the following steps for you to shield yourself from possible identity theft.

Review your credit report periodically

The first step is to review your current credit report. There is a website sponsored by the 3 credit report companies: Equifax, TransUnion and Experian.

http://annualcreditreport.com

You can request a free credit report every year. When you get your credit report, review the report carefully and report any inaccurate info and unauthorized activity immediately. Remember to repeat this process every year.

Setup fraud alert

Once you have reviewed your current credit report, you can set up fraud alert. Equifax offers a free 90-day monitoring service.

https://www.alerts.equifax.com

You can renew it after the first 90 days. This service alerts you immediately when suspicious activity is found.

Security Freeze (not free)

If you are still paranoid about someone stealing your identity even after the aforementioned steps, you can freeze your credit report. This feature is not free for most states. This is probably the safest way to protect you from identity theft, but it also requires more work on your part. You need to contact the company and ask them to thaw your credit file whenever you want to apply for a new credit card or open a new bank account.

I recently changed my home wireless router’s encryption from WEP to WPA Personal. Most of my computers and wireless-enabled devices could connect without a problem except for an old set-top media player. The player did support WPA Personal, but it just wouldn’t connect. When I looked at the router’s status, I could see the player trying to connect. However, it only connected for a few seconds before suddenly disconnecting.

After I entered the passphrase several times, I then realized the media player only took  a WPA key. There was no way to input a passphrase to the player.  Some routers do generate the key for you, but mine does not support it. I needed a way to convert the passphrase to key.

I found a web page that converts the WPA passphrase to key for you. The calculation is done using Javascript on your computer, so your WPA passphrase is not transmitted to the server after processing. If you are still worried about the potential leak of your passphrase, you can save the webpage on your computer. Disconnect your computer from the network and run the Javascript-enabled page for conversion. Here is the link.

WPA Passphrase to Key Calculation

After I entered the converted key into my media player, it connected to the wireless network and worked  right away. This is very useful if you have wireless-enabled devices that only take a WPA key but not a passphrase.

McAfee released a virus definition file DAT 5958 today. After the virus definition file has been installed, it will identify a legit system file (svchost.exe) and move it to quarantine. As the file is an important system file, the system will not function properly without it. Major symptoms includes no network access and missing task bar.

I helped a user restore an affected computer. It was an XP computer with SP3 installed. Here are the steps to uninstall McAfee temporarily.

1. Press F8 while the computer is booting and select safe mode.
2. Press Ctrl+Alt+Del to bring up Windows Task Manager.
3. Under Windows Task Manager, click on File -> New Task(Run…)
4. Enter cmd and click on OK to bring up a command prompt.
5. Type the following to restore svchost.exe
   copy c:\windows\system32\dllcache\svchost.exe c:\windows\system32
6. Type the following to reboot the system. Remember to boot to safe mode.
   shutdown -r
7. Once the machine is booted to safe mode again. Bring up a command prompt.
8. Type the following to enable the installer under safe mode.

   REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"
   net start msiserver

9. Use Add/Remove Programs in control panel to uninstall McAfee VirusScan.
10. Reboot the machine.

When I worked on the user’s machine, I was not aware of the new DAT file. Therefore, I just uninstalled McAfee. If you still want to keep McAfee, do not follow step 8 and 9 to uninstall McAfee VirusScan. McAfee has published an official workaround. Here is the link.

False positive detection of w32/wecorl.a in 5958 DAT

You can follow the link to download the new virus definition file 5959 and update the file instead of uninstalling McAfee VirusScan.

Microsoft has issued an advisory about a vulnerability in VBScript through the use of Internet Explorer on Windows 2000, XP and 2003 server. A malicious web site might trick you to press F1 key when you use Internet Explorer to visit the site. If you do, your computer will be infected by a virus or spyware. There is no patch for this vulnerability yet. The obvious workaround for this vulnerability, as suggested by the advisory, is: Do not press the F1 key when prompted by a Web site.

[via Microsoft]

Most of the IT admins are getting ready for the Conficker worms which are supposed to wake up on 4/1/2009. According to a new research done by Tillmann Werner and Felix Leder, it’s easy to detect systems infected by the worm. The feature has been incorporated into nmap 4.85 BETA5. Here is the thread for the announcement.

http://seclists.org/nmap-dev/2009/q1/0870.html

The free tool can be downloaded from the download page.

http://nmap.org/download.html

It’s available for multiple platforms. Once you have it installed, use this example to scan your network.

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

Substitute [targetnetworks] with your network. Check this manual page if you need more information about using it. Here is a sample output for a non-infected computer.

Host 192.168.1.247 appears to be up ... good.
Interesting ports on 192.168.1.247:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

If you have a problem with McAfee 8.5 where the framework service doesn’t run, here are things that you can try.

1. Uninstall McAfee
2. Delete the following folders. Note that the third one is for Windows XP, you can look for the equivalent folder under C:\Users on Vista.
   C:\Program Files\McAfee
   C:\Program Files\Common Files\McAfee
   C:\Documents and Settings\All Users\Application Data\McAfee
3. Reboot the computer.
4. Install McAfee again.

Let us know if this works for you.

I helped a friend with her infected laptop this past weekend. Usually I only need to boot the computer in safe mode and scan virus while in safe mode. However, this one is nasty and it got loaded even in safe mode. Without digging into how the virus got loaded in safe mode, I was able to boot to a Vista PE USB flash drive and scaned virus under Vista PE environment.

Even though Vista PE is a very powerful tool for system admins, it’s not easy to create. I found that there is a Rescue CD from one of my favorite security companies Avira. This tool is easier to create and use, what’s even better is that it’s free.  Here are the steps to use it.

1. Download the software from Avira’s site to a Windows PC with a CD burner. Note that the file is actively updated, so be sure to download the latestest one from the site when you need to use it.
2. Insert a blank CD-R to the CD burner and double click on rescurecd.exe to burn the RescueCD. If for some reason, your CD burner is not recognized, you can click on Exit.
   
   The program prompts you to save the ISO file.
   
   Click on Yes to save the ISO file. You can then use your favorite disc burning software to burn the ISO to a CD. On Windows 7, right click on the ISO file and select Burn disc image to burn it.
   
3. Now you need to boot the infected computer using the RescueCD. On most recent computers, you need to press F12 during system boot up process and select the CD/DVD drive as the boot up device. If F12 doesn’t work, try to enter the BIOS setup screen to set the CD/DVD drive as the boot up device. Consult your machine’s user guide if you still cannot boot your computer using the RescueCD.
4. When the system boots up in Avira AntiVir RescueCD. Click on the British flag to set the interface to English if needed. Now you can click on Start scanner to start the scanning process.
   
5. When you are done, click on Miscellaneous and then Shutdown to shutdown the machine.

When you got the virus removed, do yourself a favor, install Avira AntiVir or any other good program as the resident AntiVirus software. Also instruct the user to use the computer as a normal user and leave the admin account for software installation and maintenance only.