Windows 10 to be released for FREE!

January 25th, 2015

Microsoft has just announced that “Windows 10 will be offered as a free upgrade to current users of Windows 8.1, Windows Phone 8.1 and Windows 7 during its first year of availability”.

Unlike previous iterations of the OS, Windows 10 will deliver a consistent yet tailored product family across all types of computing devices, from screenless, embedded IoT sensors to all-in-one computers with gigantic displays. The Windows 10 family will also include versions for smartphones, tablets, wearables, hybrid tablet-laptops, TVs, PCs and the Xbox gaming console.

Microsoft promises that Windows 10 will ship to consumers and enterprise “later in the year” in 2015.

Download Windows 8.1 ISO direct from Microsoft

January 12th, 2015

Microsoft have finally allowed us to create, on the fly, our own .iso images of Windows 8.1. This is great news, since as long as you have a valid Windows 8/8.1 key you can get a full version of 8.1 in whatever combination you need (32 bit OR 64 bit, US OR UK OR any other language, Home OR Pro) and create it whenever you need it. It makes life easy for when you lose your disk (or you get a system with no media provided!).

Get what you need from this link – http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media

Important: PayPal Users Must Discontinue Using SSL 3.0 By December 3, 2014

November 21st, 2014

This message has recently been coming up on web sites that talk to PayPal to process payments. But where does it come from, and how do you fix it?

A flaw has recently been found in the SSLv3 protocol, one of the protocol versions used for SSL (secure) connections across the net, essentially allowing third parties to capture the traffic and read it (thus making the encryption useless). This flaw has been named POODLE (Padding Oracle On Downgraded Legacy Encryption), and it spells the end of SSLv3 as an option. TLS is now the way secure connections should be made across the net.

Looking at some of our Apache web servers, SSLv2 is already off by default. So how do we make SSLv3 not an option as well? It's just a matter of editing the ssl.conf file (normally in the /etc/httpd/conf.d folder). Look for the following line (all means every protocol Apache knows; a leading - removes a protocol from that set, + adds one):

SSLProtocol all -SSLv2

and simply add -SSLv3 to it:

SSLProtocol all -SSLv2 -SSLv3

or, an even more secure way, remove everything and then add back only the protocols you DO want:

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Note that the all keyword (or the +TLS... additions) matters: a line such as SSLProtocol -SSLv2 -SSLv3 on its own leaves no protocol enabled at all, and httpd will refuse to start with "No SSL protocols available [hint: SSLProtocol]".

Then just restart the httpd service and it should be job done. To test that your website is safe from POODLE/SSLv3, use this page:

https://www.tinfoilsecurity.com/poodle

You want the green tick!
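Before restarting httpd it is worth checking what the edited line actually enables. The script below is an added example, not code from the original post or from Apache; it evaluates SSLProtocol directives with the set semantics mod_ssl uses (a bare keyword replaces the set, + adds, - removes, all is every protocol the build knows) and reports lines that still allow SSLv3, or that enable nothing at all. The KNOWN list is the protocol set a 2014-era Apache 2.2/2.4 build understands (newer builds also know TLSv1.3), and SAMPLE_SSL_CONF is a constructed ssl.conf fragment.

```python
"""Audit Apache mod_ssl SSLProtocol directives for SSLv3 (and SSLv2).

Added example, not part of the original post. It evaluates each active
SSLProtocol line the way mod_ssl does: a bare keyword replaces the set
built so far, a '+' prefix adds to it, a '-' prefix removes from it, and
'all' stands for every protocol the build knows. KNOWN lists what a
2014-era Apache 2.2/2.4 build understands (newer builds also know TLSv1.3);
SAMPLE_SSL_CONF is a constructed ssl.conf fragment.
"""

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {name.lower(): name for name in KNOWN}   # keywords are case-insensitive
LEGACY = {"SSLv2", "SSLv3"}                        # POODLE-era protocols to retire


def effective_protocols(directive):
    """Return the set of protocols one 'SSLProtocol ...' directive enables."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in words[1:]:
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        if word.lower() == "all":
            names = set(KNOWN)
        elif word.lower() in CANON:
            names = {CANON[word.lower()]}
        else:
            raise ValueError("unknown protocol keyword %r" % word)
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:                      # bare keyword: replaces whatever came before
            enabled = names
    return enabled


def audit_ssl_conf(text):
    """Return (line number, directive, verdict) for every active SSLProtocol line.

    Verdicts: 'ok'     - only TLS versions enabled
              'legacy' - SSLv2 and/or SSLv3 still enabled (POODLE exposure)
              'empty'  - nothing enabled; httpd refuses to start with
                         'No SSL protocols available [hint: SSLProtocol]'
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.lower().startswith("sslprotocol"):
            continue               # comments (#...) and other directives
        enabled = effective_protocols(line)
        if not enabled:
            verdict = "empty"
        elif enabled & LEGACY:
            verdict = "legacy"
        else:
            verdict = "ok"
        findings.append((number, line, verdict))
    return findings


# Constructed ssl.conf fragment: the stock line, a commented-out fixed line,
# the allow-list form from the post, and a mistaken line with no 'all'.
SAMPLE_SSL_CONF = """\
# SSL Protocol support (constructed sample)
SSLEngine on
SSLProtocol all -SSLv2
#SSLProtocol all -SSLv2 -SSLv3
<VirtualHost _default_:443>
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
SSLProtocol -SSLv2 -SSLv3
"""

if __name__ == "__main__":
    for number, line, verdict in audit_ssl_conf(SAMPLE_SSL_CONF):
        print("line %d: %-45s -> %s" % (number, line, verdict))
```

Run it against the real file with `python audit.py < /etc/httpd/conf.d/ssl.conf` after swapping SAMPLE_SSL_CONF for `sys.stdin.read()`; any line reported as legacy or empty needs fixing before the restart.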

James

Microsoft Phone Scam – the saga continues

November 12th, 2014

On our facebook page (facebook.com/ezylinkit) I recently posted on the Telstra and Microsoft scam that continues unabated, where people get a random call from someone pretending to be from Microsoft (or Telstra, as has also been the case here in AU) who gets the user to give them remote access to their PC. They then open up some logs and "prove" that there is an issue (with bogus claims about what is in the logs). From there they install a pile of junk software, often including remote access and keylogging software, charge the customer AND also take money from their accounts. All very insidious.
A recent customer repair had a new item thrown in. The dodgy brothers had set up a Windows Startup Password on the PC, so when it was rebooted it asked for a boot password to get into Windows, which comes up BEFORE the normal Windows login.
[image: startup password prompt]
So I did some hunting on the net, and there were many comments about doing a restore of your registry, going back to a last good system state, or recovering the last backed-up registry. Yes, these would all work, but we are dealing with morons here! So how about trying some stupidly simple passwords first: password, admin, loser (ok, that one is not likely), abc, 12345, 1234, 123... BINGO, it was 123. Yes, they are that sad. I found some other reports on the web from people who guessed numbers, so it seems that this is what they do. And since they have to change shifts between morons for the 24/7 scam I'm sure they need to keep it simple.
So what is the "Startup Password"? In simple terms it is a way to protect your registry account file so that it can't be hacked. It is a rarely used feature, so I thought I'd list how it is used (and how to remove the password, since now that I was into Windows the customer of course doesn't want to see that every boot!)
From within Windows you access the Startup Password feature via "syskey". Just run that from any command prompt or Run box. It's actually called the SAM Lock Tool. When you run it you can encrypt your SAM (part of the registry) and set a password on it. So let's get in and reverse the damage! Note you can't unencrypt the SAM, but you can remove the password requirement on boot.

Step 1. Click Update within syskey.
[image: syskey2]
Step 2. Click OK. This will then ask you for the old password (123 in my case) and a new one (leave it blank).
[image: syskey3]
Step 3. Reboot the computer. At the Windows Startup Password screen, just hit Enter to get past it. Then, back in Windows, run syskey again, go to Update, then click on the bottom option, System Generated Password.
[image: syskey4]
Choose "Store Startup Key Locally", then choose OK. This will save the (blank) password to the system, and a password box will no longer show up on boot. Tick one for the good guys. Now to just meet one of these scammers in a dark alley with a baseball bat...

James Joyce CCIE MCSE

How to Reload Windows 8/8.1 on a notebook or PC with a Windows 8 BIOS Key

October 8th, 2014

As of Windows 8, Microsoft has asked vendors to start putting the Windows key in the BIOS. This makes it easy for the vendor to preload Windows, and the customer doesn't have to activate. BUT what happens (as is the case we see) when your hard drive dies and you have no backup discs? Since the computer vendors don't supply CDs/DVDs anymore, you have an issue. Well, you did!

To complete this process you will need a copy of Windows 8/8.1 (that is the same version you had on the computer), and a valid key that works with that version. Note you will be changing the key over to the correct one at the end of the process.

So step 1 is to load Windows and use the valid key you have to install. If it's an unused key, make sure you don't connect to the internet after installing, as it may auto-activate Windows and use that key! Then step 2: once Windows is set up you need to get the BIOS Windows key, and that's where the great program called pkeyui comes in handy, as it will allow you to read BOTH the installed key and the BIOS key. So run that, get your BIOS key, then run the following command to change the Windows 8 key (do it at an elevated command prompt):

slmgr.vbs /ipk <Your product key>

And then activate; it should be instant! Job done.


Free Unitrends RTA Calculator: how long is your VMware recovery time?

August 15th, 2014

Unitrends have released a great little tool to test the recovery time for your ESXi server VMs.
It works with ESXi 4.0+ and requires .NET 4.0. Well worth testing your server to see how long recovery will take when that DR scenario actually happens!
http://www.unitrends.com/products/download/rta

Fake Flash Player update, DNS issues and redirection for google.com, bing.com and more

June 18th, 2014

Here's a support case which took some tracking down to resolve. A customer called saying that they were getting a warning about their browser being out of date, and a lot of 'page can't be displayed' errors. So we got their 2 machines into the office, updated the web browsers, cleaned off some junk software and things that could be causing issues, tested, and the systems were fine. The customer then returned home.
We then got a follow-up call to say they were still getting the warning, but now it was about Flash Player being out of date. That was the first point where I started to think something else was going on, as the machines left us working fine!
I decided to go onsite and see it myself. At the customer's place it was as they said: when I tried to go to any search page (eg www.google.com) it would try to download a setup.exe file FROM the page it was going to, eg http://www.google.com/setup.exe (or bing.com, same thing), and the AV on the machine would block the page as malicious. I have seen many browser hijacks but never one that is able to keep the domain name at the start (they always redirect to dodgybros.com and then try to get you to download the virus). So did their system have a rootkit we had missed? Or was something hacked at their ISP? I needed another look.
Back at the office the system worked perfectly. We even had a look at the setup.exe file that was in the AV quarantine and it was a Password Stealer/Keylogger, but it had been blocked so the system wasn't infected. The only answer that made sense was that it was an issue at the customer's location somehow. And during this time we had another customer contact us with the same issue, so we needed to find out what was going on and how to resolve it.
I took my notebook back to the customer's place as well, to have a clean machine to test with. Plugged their systems in and now they were just getting 'page can't be displayed' for most requests. I had a suspicion that something was going on with DNS, as I could not see how else the www.google.com/setup.exe hijack was happening. So I decided to have a look at the IP config of the PC. Here is what it showed:
[image: dns_hack, ipconfig output]

On that screen I noticed something very wrong. Any normal home modem will hand out the DNS server address as itself, so 192.168.1.1. What were these other 2 DNS servers, 23.253.94.129 and 128.199.225.64, doing in place of what should have been there? Now the trail to the issue was becoming clear. On my notebook I set the DNS to use Google (8.8.8.8/8.8.4.4) and things worked perfectly. So I did a quick search and found that those DNS addresses were known compromised or hacker DNS servers. FOUND IT!
As a quick explanation, a DNS server changes the address you type in your web browser (eg www.google.com) into an IP address that allows the request to travel across the internet to the correct machine (eg the Google web server), since the internet is linked via IP addresses, NOT names. Normally you would use your ISP's DNS server (which your modem does for you automatically in the background). BUT if you are using compromised DNS servers, they can send you anywhere, and in this case they were sending customer requests for search engines to infected websites. The reason we were now getting 'page can't be displayed' messages was that those servers had been shut down (probably by the hosts who manage them, once they found out).
So now it's time to fix the issue. I attempted to log in to the modem so I could fix the config that I assumed had been changed by the hackers, and the usual password did not work. Again, a warning light that I had found the issue. The customer had not changed the password, so the hacker had! I was left no choice but to do a factory reset and reconfigure the modem. Now the network was all fine again. But how did they get into the modem? The PCs didn't seem infected, so my guess was the web interface of the modem. Then I found (to my major concern) that this model had the external web interface turned ON by default, and to turn it OFF you had to create an ACL (access control list) to block external access to it! No normal home user would have a hope of setting that up, and I consider that a major security issue. All modems I can remember have always had web (external) access to the modem OFF by default, and you need to turn it on if you want to access the modem across the internet. That's the safe way for it to be. So I locked down the modem and now they are secure again.
So what was done? Hackers had used (I would guess) some IP subnet sweeping software looking for port 80 open on any links. Then they would try generic name/password combos on the modems, and if they got into any of them they would change the DNS config so all machines in the network talked to the infected DNS servers. A situation which should never have happened if manufacturers maintained a simple standard of WEB access on ADSL modems being OFF by default.
The other customer we were contacted by had the same issue, so now we knew how to address it: reset the modem to factory defaults, set it up again, and lock the web/external access down. An interesting lesson in tracing the fault and how hackers work.
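The tell-tale sign in this case was the ipconfig screen: DNS servers that were not the modem and not on the customer's own subnet. The script below is an added example, not code from the original post; it parses `ipconfig /all` output into adapters and flags any IPv4 DNS server that is neither on the adapter's subnet (the normal home setup, where the modem hands out itself) nor in an allow-list of resolvers you set on purpose. SAMPLE_IPCONFIG is a constructed sample modelled on the screenshot in the post (the two DNS addresses are the ones the post reports), and TRUSTED_RESOLVERS is a constructed allow-list.

```python
"""Spot rogue DNS servers in 'ipconfig /all' output.

Added example, not from the original post. It parses the adapter blocks
ipconfig prints, then flags any IPv4 DNS server that is neither on the
adapter's own subnet (the normal home case, where the modem hands out
itself) nor in an allow-list of resolvers you configured on purpose.
SAMPLE_IPCONFIG is constructed; the two DNS addresses in it are the ones
the post reports seeing, and TRUSTED_RESOLVERS is a constructed allow-list.
"""
import ipaddress
import re

TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}   # resolvers you chose yourself

# "Ethernet adapter Local Area Connection:"            -> adapter header
_ADAPTER = re.compile(r"^(\S.*):$")
# "   DNS Servers . . . . . . . . . . . : 192.168.1.1" -> label / value
_FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*: ?(.*)$")


def _clean(value):
    """Drop suffixes such as '(Preferred)' that ipconfig appends to addresses."""
    return re.sub(r"\(.*?\)", "", value).strip()


def parse_ipconfig(text):
    """Return {adapter name: {label: [values]}} from 'ipconfig /all' output."""
    adapters, current, last_label = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = _ADAPTER.match(raw)
        if header:
            current = adapters.setdefault(header.group(1), {})
            last_label = None
            continue
        if current is None:           # 'Windows IP Configuration' preamble
            continue
        field = _FIELD.match(raw)
        if field:
            last_label = field.group(1).strip()
            values = current.setdefault(last_label, [])
            if field.group(2).strip():
                values.append(_clean(field.group(2)))
        elif last_label is not None:  # wrapped value, e.g. a second DNS server
            current[last_label].append(_clean(raw))
    return adapters


def suspicious_dns(adapter):
    """Return [(server, reason)] for DNS servers that do not belong."""
    addrs = adapter.get("IPv4 Address", [])
    masks = adapter.get("Subnet Mask", [])
    if not addrs or not masks:
        return []
    lan = ipaddress.ip_network("%s/%s" % (addrs[0], masks[0]), strict=False)
    findings = []
    for server in adapter.get("DNS Servers", []):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            continue                  # not an address; ignore
        if ip.version != 4 or str(ip) in TRUSTED_RESOLVERS or ip in lan:
            continue
        findings.append((server, "outside %s and not in the allow-list" % lan))
    return findings


def audit(text):
    """Map each adapter name to its list of suspicious DNS servers."""
    return {name: suspicious_dns(adapter)
            for name, adapter in parse_ipconfig(text).items()}


# Constructed sample in the layout 'ipconfig /all' uses on Windows 7/8.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : CUSTOMER-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 23.253.94.129
                                       128.199.225.64

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_IPCONFIG).items():
        for server, reason in findings:
            print("%s: DNS server %s is %s" % (name, server, reason))
```

On a customer's machine, save the output of `ipconfig /all > ipconfig.txt`, read that file in place of SAMPLE_IPCONFIG, and put the ISP's resolvers (if the modem does not hand out itself) into TRUSTED_RESOLVERS. Anything still flagged is worth the same look the modem got here.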

James Joyce
CCIE, MCSE 2012

Setting up the Unitrends Linux agent on CentOS

May 25th, 2014

Here is a post worth mentioning; it shows how simple it is to set up Unitrends to monitor and back up a CentOS Linux system:

http://www2.virtxpert.com/?p=2005

Migrate your old Word 2003 normal.dot file to Word 2007

May 8th, 2014

Recently we had a customer with an Office 2003 system and a highly customised (with AutoText) normal.dot file. I did some hunting around on how to get that into the new .dotm format so we could upgrade them to Office 2013 (this also applies to 2007 and 2010), and Microsoft has a post on it HERE.
Essentially you need to copy the old normal.dot file into the new templates folder (C:\Users\<username>\AppData\Roaming\Microsoft\Templates) and then add a registry setting for Word located at HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options (12.0 is the Office 2007 version number; use the number matching the Office release you installed). It's a DWORD called MigrateNormalOnFirstBoot; set it to 1 to convert the old to the new, and you are away on the next boot! Simple.

Canon B500 error: MP480 Replace Waste Ink Pads

January 29th, 2014

Recently I had to replace the waste pads on a customer's MP480 printer. Not an easy job, so be ready to get dirty! The actual pads are only $20-$30 to buy new, and the old ones can be accessed from the unit by taking the back cover off (which holds the paper: 2 black screws left and right, then lift up). I would suggest using pliers to get the pads out, and then clean the tube so waste ink can flow out again. That's the 'easy' part...

Next you need to get the printer into service mode and reset the count so that it knows you have done the job. This video gives the idea of how: http://www.youtube.com/watch?v=0waX_GF-h7U. For the MP480 it's the following: hold RESET, then press and hold POWER, then release and press RESET twice (the front light should go from Green to Orange to Green). Then release POWER. That should boot it into Service mode and say IDLE. Now for the final part: you need to reset the Ink Absorber Counter to 0% so the printer will start working again (note you can also do this if you want to just reset the counter and keep printing, but be sure to check whether the waste ink IS full rather than ignoring the issue!).

To do that you will need the Canon Service Tool v3400, which allows you to talk to Canon printers in service mode and make changes, like the Ink Counter. You can download it HERE. It's simple software that talks to the printer via USB in Service mode and allows you to configure all the parts; worth a look! Then just power off and on, and the system should be good to go.