Adobe Reader shouldn’t be updating every day!

January 5, 2011 6 comments

I was looking at my blog statistics and noticed a lot of people hitting my site are using a search term similar to “why is adobe reader updated almost every day”. Since I wrote a blog post about Adobe some time ago my site comes up in this search. The following is my advice for people having this problem.

Adobe Reader should NOT be updating every day. If the reader is updating every day there is a problem. Looking at Adobe Reader's download history it can be seen that an update comes out about every couple of months or so.

The first suspect I would look at is malware/virus. TrendLabs released a warning last April about a Trojan (TROJ_FAYKDOBE.A) that looks identical to the Adobe Updater. The updater would then download other malicious files. I expect this type of attack to happen more often. It is imperative that you keep your anti-virus software up to date and do regular full scans of your computer.

If you are having a problem with Adobe Reader updating every day I would immediately update your anti-virus software and do a full scan. Trend Micro rates this type of attack as a high damage potential due to it being able to download anything to your computer.

If your computer is clean of viruses/malware it is likely that your Adobe Reader has technical issues. One option would be to uninstall Adobe Reader, then install the latest version back on. The current version of Adobe Reader (Adobe Reader X at the time of this post) can always be found here.

Another option is to use an alternate PDF reader. I like Foxit as a PDF reader. It seems to work much quicker than Adobe and has fewer known security vulnerabilities.

Categories: Security

Copy PuTTY sessions between computers

December 31, 2010 1 comment

I just set up a new machine and realized I had too many PuTTY sessions to set up manually (dozens of them). For some odd reason PuTTY keeps this session data in the Windows Registry; I would have figured it kept the session info in a flat file. The registry key is located at:

HKCU\Software\SimonTatham\PuTTY\Sessions
If you’re not sure how to export and import registry keys this article has some easy to follow steps specific to PuTTY. It’s a fairly easy process, and I figure if you’re smart enough to use PuTTY you should be able to import/export registry keys without breaking your computer (but still, play with the Registry at your own risk!).

Now to take it another step you could have the sessions exported every day via the following command (reg.exe, run from PowerShell):

REG EXPORT HKCU\Software\SimonTatham\PuTTY\Sessions c:\putty.reg

Simply put that into a PS script and change the destination to where you want (I have it set to c:\putty.reg). You could then use Task Scheduler to back it up once a day/week/whatever.

One final note: Earlier I posted about notepad++, which could be used to create the PS script and view/modify the reg file.

Categories: Microsoft

Tool Spotlight: Notepad++

December 31, 2010 1 comment

It’s time to spotlight another favorite tool. This time it’s a Windows Notepad replacement called Notepad++. It is an open source project; in fact the motto on their website is “free as in ‘free speech’ and ‘free beer’”. Why would a Network Engineer care about a Notepad replacement? Here are just a few reasons:

Network gear config files need to be edited with a plain ASCII text editor. Programs such as MS Word can throw in extra characters if you’re not careful. Actually I do all config files with Notepad++, whether it’s for a Cisco router or a Windows application. (In UNIX/Linux I use VIM, but that’s a completely different post.)

Notepad++ supports multiple tabs. If you are working on a lot of files this feature is essential! You can even perform searches across multiple tabs, which is helpful when reviewing logs. You can also use plugins to compare different files (helpful to see what changed in a router config).

This is by far the best scripting tool I’ve used. There is built-in syntax support for almost any scripting language you can think of. I use it mostly for Perl, HTML, and PHP. But recently I decided to learn how to script with PowerShell and it has built-in support for that too. Here is an example of a PowerShell script I’m working on right now:

Notepad++ PowerShell example

Notice how nice this is to work with compared to notepad below:

Notepad PowerShell sample

There are a lot of other good Notepad replacements out there, but I happen to like this one the best.

Categories: Microsoft, Tools

FTP is dead, now will someone tell developers!

December 7, 2010 3 comments

Today’s post is all about FTP, or rather about why FTP shouldn’t be around anymore. FTP, which stands for file transfer protocol, was created almost 40 years ago when networks looked completely different. At that time networks were small. FTP was a great way to move files between hosts. It worked great for the 70’s, 80’s, and even part of the 90’s for most people.

In the 90’s two major changes happened that basically killed FTP:

  1. Firewalls were making their way onto corporate network perimeters. With the www introduced in 1990 it wasn’t long before companies were becoming ‘connected’. With this new form of communication came new security risks, and of course new security measures. Firewalls were the cure-all security solution of the 90’s.
  2. NAT was being used so corporate computers with private IP addresses could still reach the Internet. NATs were configured on network devices such as routers, proxies, or even firewalls.

To illustrate why FTP is no longer a valid protocol it’s time to look at how FTP works on a basic level. There are two modes for transferring data via FTP: PORT (Active) and Passive.

PORT (Active) mode FTP

Here is a sample of PORT (Active) mode communication initialization:

  1. FTP client connects to a server.
    1. The source port for the client is a random number over 1023; this port will be used for commands on the client side.
    2. The destination port on the server is 21; this port will be used for commands on the server side.
  2. The server replies to the FTP client on the client control port.
  3. Server initiates the data connection to the client’s data port.
    1. Server data source port is 20.
    2. Client data port is the client control port plus 1.
  4. Client acknowledges the data ports to be used.

Here is a sample of the above:

***note: For this example I chose 1024 for the RANDOM client control port, which in turn caused the client data port to be 1025

PORT (Active) mode FTP sample

As you can see above the client side of FTP communications in PORT mode has a random port assigned. Also notice the FTP server initiates data connections, even though it was the client that initiated the control connection.

This is what causes many problems with getting FTP through firewalls. Typically a server would only be allowed to reach certain ports through a firewall, if at all. Since the client’s data port is a random number over 1023, the server’s inbound data connection to that port will normally be blocked, so it is unlikely the server can send data via FTP using Active mode.

NAT will also have problems in the above scenario, because the IP and port referenced in the control connection (the PORT command) will be the client’s private IP and port, as opposed to the public IP and port the server can actually reach.

The point is: If you have an old application that is using PORT mode, get rid of that application!

Passive mode FTP

Passive mode overcomes some of the limitations of Active mode. Here is a sample of Passive mode communication initialization:

  1. FTP client connects to a server.
    1. The source port for the client is a random number over 1023; this port will be used for commands on the client side.
    2. The destination port on the server is 21; this port will be used for commands on the server side.
  2. The server replies to the FTP client on the client control port.
  3. Client initiates the data connection to the server’s data port.
    1. Client data port is the client control port plus 1.
    2. Server data port is a random number specified by the server.
  4. Server acknowledges the data ports to be used.

Here is a sample of the above:

***note: For this example I chose 1024 for the RANDOM client control port, which in turn caused the client data port to be 1025

***note: For this example I chose 2048 for the RANDOM server data port.

Passive mode FTP sample

As you can see above, the client side of FTP communications in Passive mode still has a random port assigned, and with Passive mode the server’s data port is also random. Also notice the FTP client initiates the data connection, which is the opposite of how Active mode sessions work.

With Passive mode the FTP administrator can set a range of ports to choose from for data connections. These ports can in turn be allowed through the firewall by the Network Administrator. This overcomes the firewall issues that cause Active mode to fail.

From a network security perspective this is not a good solution. It means opening more inbound ports on the firewall, a rather large number of ports actually!

It’s also a pain to troubleshoot FTP issues. Many times you will be working with applications that only support Active FTP. Or maybe you’ll have a client that supports Passive FTP but the firewall on either end is still unable to make a proper connection.

The point is: If you have an old application that is using FTP (Active or Passive), get rid of that application!
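To make the two handshakes above concrete, here is an added Python example (not from the original post) that encodes and decodes the h1,h2,h3,h4,p1,p2 address field carried in PORT commands and 227 replies, models the data connection each mode opens, and checks it against a stateful firewall and an RFC 1918 NAT boundary. The client address 192.168.1.10 and server address 198.51.100.7 are constructed; the control port 1024 and passive data port 2048 are the ones used in the post's samples.

```python
# Added example, not from the original post: decode the address/port that FTP
# carries inside its control channel and show why firewalls and NAT choke on it.
import re
from ipaddress import ip_address, ip_network

# PORT commands and "227 Entering Passive Mode" replies both carry the endpoint
# as six decimal bytes: h1,h2,h3,h4 is the IPv4 address, p1*256 + p2 the port.
_HOSTPORT = re.compile(r"(\d{1,3}(?:,\d{1,3}){5})")
_RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply, e.g. '...(198,51,100,7,8,0)'."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.group(1).split(","))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def encode_hostport(ip, port):
    """Inverse of decode_hostport: ('192.168.1.10', 1025) -> '192,168,1,10,4,1'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def active_mode(client_ip, client_ctrl_port, server_ip):
    """Active (PORT) mode: the client announces its data port and the SERVER
    connects to it from port 20. Data port = control port + 1, as in the post."""
    data_port = client_ctrl_port + 1
    return {"command": "PORT " + encode_hostport(client_ip, data_port),
            # data connection as (src_ip, src_port, dst_ip, dst_port)
            "data_conn": (server_ip, 20, client_ip, data_port)}

def passive_mode(client_ip, client_ctrl_port, server_ip, server_data_port):
    """Passive (PASV) mode: the server announces a data port and the CLIENT connects to it."""
    reply = "227 Entering Passive Mode (%s)" % encode_hostport(server_ip, server_data_port)
    return {"reply": reply,
            "data_conn": (client_ip, client_ctrl_port + 1, server_ip, server_data_port)}

def firewall_allows(conn, protected_ip, open_inbound_ports):
    """Stateful firewall in front of protected_ip: anything outbound passes,
    inbound connections only to the explicitly opened destination ports."""
    _src_ip, _src_port, dst_ip, dst_port = conn
    return dst_ip != protected_ip or dst_port in open_inbound_ports

def nat_will_break(line):
    """True when the endpoint announced on the control channel is an RFC 1918
    address: a peer outside the NAT cannot reach it unless the NAT rewrites it."""
    ip, _port = decode_hostport(line)
    return any(ip_address(ip) in net for net in _RFC1918)
```

Running the active case through `firewall_allows` with no inbound ports opened on the client side returns False, while the passive case passes the client firewall but needs the whole server data-port range opened on the server side, which is exactly the trade-off described above.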

Alternative to FTP

Here we are 15 years after FTP should have been dead and developers are still using it. Recently I asked a developer why he was using FTP. His simple answer: FTP is simple to use/implement and it’s what I’ve always done. (I really hate the “it’s always been that way” answer.)

There is a good alternative to FTP, it’s called SFTP. SFTP stands for SSH file transfer protocol (not secure file transfer protocol as some might think). SSH stands for Secure Shell. SSH provides a secure connection for the file transfer. Even if you don’t think any data being transmitted needs to be secured, it’s a good idea to always use secure communications.

SFTP is not simply FTP implemented with security. Let me repeat: SFTP is NOT a new implementation of the older FTP specification. Instead SFTP is a new specification that has all of the capabilities of the older FTP specification. In fact the same commands are available for use. For developers there is very little that needs to be done differently to use SFTP as opposed to FTP.

Also, there are no longer different control and data streams. The server has only one port, typically 22, the same as other SSH protocols. No more mucking around with random server ports or having to troubleshoot passive connections!

I won’t go any more into why SFTP is a good replacement for FTP. If you want more info on SFTP I would recommend going to the OpenSSH website or RTFM on the OpenBSD website.

One final plea: Developers, please STOP using FTP.. it’s dead, or at least should have been dead 15 years ago!!!

Categories: Networking

Windows 7 does have a Run option

December 1, 2010 Leave a comment

I just had a colleague who was complaining because the “run” option was missing from the Start Menu in Windows 7. It took me a moment to figure out what he meant, since I use the feature constantly to open command prompt windows. Then I realized it was no longer called “Run”. Instead it is now called “Search programs and files”.

This is a great little feature. If you type in a command that would have previously worked in “Run”, it will bring up exactly the same thing it did then. Just type in the name of what you are opening and hit enter. Here are some examples of items you can open from here:

  • cmd – Command prompt
  • mmc – Microsoft Management Console
  • mstsc – Microsoft Terminal Service Client (remote desktop)
  • word – MS Word
  • excel – MS Excel

In addition you can search files and documents here. For instance if you type the word “test” it will search all files, documents, and Outlook messages where the word ‘test’ is included. I haven’t used this feature much, but from playing around it seems to work very well.

Categories: Microsoft

Some tips to find rogue devices on your network

November 30, 2010 6 comments

Any unknown entity on your network is bad, and this is especially true for rogue devices. There are a variety of ways to protect your network from rogue devices, but honestly most small and medium businesses don’t have the resources to do this. If you’re a network person with good switches you could track these devices down to a physical switch port fairly easily. However if you have unmanaged switches (yes, they still exist) or don’t know how to follow MAC addresses on a switch you may have to use other methods for your investigation.

To assist in finding rogue devices on your network it is helpful to determine the vendor for a MAC address. First, you will need to know the IP address of the rogue device. Chances are you already know the IP because you know this rogue device exists. Often these devices are found when you try to add an IP to a device on your network and find the IP is already in use.

Once you have the IP, a protocol named ARP can be used to determine the MAC address. If you’re on a Windows machine do the following:

  1. Go to the command prompt.
  2. Ping the rogue device. It doesn’t matter if there are replies, this step gets the MAC address in your ARP table.
  3. Type the following command: arp -a
    1. Here is a sample output:
      Internet Address      Physical Address      Type
                            00-03-ff-d1-19-04     dynamic
    2. The MAC address is the Physical Address listed as 00-03-ff-d1-19-04
  4. Take the MAC address and enter it into a tool or website that tells you the manufacturer. I use this website for my vendor lookups, but there are others out there.
    1. Using the sample address from above I got the following vendor info returned:
      Prefix      Vendor
      0003FF   Microsoft Corporation (was: Connectix)
  5. Now that I know the vendor of the network card I have some clues as to what kind of device the rogue element is.
    1. Knowing the vendor is Microsoft narrows down my search, since computers won’t show Microsoft as the vendor.
    2. In this case I can assume it is coming from a Windows Virtual PC, since this is the most likely device on my network to show up with a Microsoft MAC address.
    3. This device is actually a Windows Virtual PC running on my laptop for testing purposes. I used this example specifically because I am seeing more and more rogue virtual machines created by IT staff in various companies.

Using the above method can dramatically cut down the investigation time to find rogue devices. Yes, it is much quicker/easier to track rogue devices through managed switches. However as I mentioned before this is not always a possibility.
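Steps 3 to 5 above can be scripted. The following Python example is added here and is not from the original post; the arp -a output and the OUI table (apart from the 0003FF prefix, which is the one the post looked up) are constructed for the example, so a real lookup would consult the IEEE OUI registry or a vendor-lookup site instead.

```python
# Added example, not from the original post: automate steps 3-5 by pulling the
# MAC for an IP out of "arp -a" output and mapping its OUI prefix to a vendor.
import re

# MACs in Windows (00-03-ff-d1-19-04) or Unix (00:03:ff:d1:19:04) notation.
_MAC_RE = re.compile(r"\b([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed OUI table for the example. 0003FF is the prefix from the post; a
# real lookup would use the IEEE OUI registry or a vendor-lookup site instead.
OUI_VENDORS = {
    "0003FF": "Microsoft Corporation (was: Connectix)",
    "000C29": "VMware, Inc.",
}

# Constructed "arp -a" output in Windows format; the IP addresses are made up.
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-3a-4b-5c     dynamic
  192.168.1.50          00-03-ff-d1-19-04     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

def oui(mac):
    """Normalise a MAC to its 6-hex-digit OUI prefix: '00-03-ff-d1-19-04' -> '0003FF'."""
    return re.sub(r"[-:.]", "", mac).upper()[:6]

def parse_arp_table(text):
    """Return {ip: mac} for every entry in arp -a output; the 'Interface:' header
    line has an IP but no MAC and is therefore skipped."""
    entries = {}
    for line in text.splitlines():
        ip, mac = _IP_RE.search(line), _MAC_RE.search(line)
        if ip and mac:
            entries[ip.group(1)] = mac.group(1).lower()
    return entries

def vendor_for(mac, table=OUI_VENDORS):
    """Step 4: map the MAC's OUI to a vendor name, or 'unknown vendor'."""
    return table.get(oui(mac), "unknown vendor")

def identify(ip, arp_output=SAMPLE_ARP):
    """Steps 3-5: look up ip in the ARP table and return (mac, vendor), or None."""
    mac = parse_arp_table(arp_output).get(ip)
    return None if mac is None else (mac, vendor_for(mac))
```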

Tool spotlight: WIMI

November 29, 2010 Leave a comment

Today I thought I would put a spotlight on a favorite online tool: (WIMI). At its core this site serves a very simple and important task by showing what your public IP is. Simply go to the website and it automatically shows your IP address. If you are behind a proxy server it will also let you know that.

But getting information about your public IP is just the beginning of this site’s usefulness. I won’t go through everything but here are some highlights:

  • Information. Every tool/section of the website has some good basic networking information available. Anyone looking to learn more about basic network concepts would do well to browse this site.
  • Internet Speed Test: Find out your true upload and download speeds. I wouldn’t use this just once; try it at different times of the day to see how your ISP’s load differs. An alternate I sometimes use for this is the Speakeasy speed test, which is powered by the same Ookla code.
  • IP Address Lookup: This will give the physical location of an IP address, most of the time. Because of where this data is captured it may be incorrect, it really depends on who the ISP is and how they maintain their database.
  • IP WHOIS Lookup: This gives information about an IP address’s owner. This is not the same as an IP address lookup; in fact the information here will likely be completely different.
  • Host Name Lookup: Basically this does a reverse-IP lookup, so you can see if a DNS host name exists for an IP.
  • Email Trace: This is not a tool to trace an email, however it has some basic steps to help do this yourself. The IP Address Lookup, IP WHOIS Lookup and Host Name Lookup can all be used when trying to find the source of an internet communication.
  • Forum: I haven’t been in the forums there much, but it does seem to be a very helpful forum with some good information.

As I mentioned this is one of my favorite websites. It’s quick, uncluttered, and has great tools/information.

Categories: Networking, Tools