DecaffeinatID: A Very Simple IDS / Log Watching App / ARPWatch For Windows
First off, I did NOT write this code or article; if you have any questions or concerns, please direct them to irongeek.com.
This project started because I wanted a simple ARP Watch like application for Windows. In a short matter of time, feature creep set in. DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/ LAN are up to the kind of “reindeer games” that often happen at coffee shops and hacker cons. For more information on the sort of attacks I’m talking about see my article Caffeinated Computer Crackers. It’s not meant to be a replacement for something more feature rich (but complicated) like Snort. DecaffeinatID watches the Windows logs for three main things and pops up a message in the Windows Systray when it sees any of the following:
- New or changed ARP table entries: think of this as a poor man’s ARPWatch for Windows. The IDS gives a special alert whenever it sees the MAC address of the IP gateway change.
- New events in the security log: this will let you know about attempted and successful logins, assuming you have set up auditing for such things in your local security settings.
- New events in the firewall log: DecaffeinatID will read your Windows firewall log (if you have one) and list events.
DecaffeinatID should work in Windows XP SP2 and Vista. Notifications are logged into idslog.txt located in the present working directory. Currently, settings can be changed via the decaffeinatid.ini file that is created whenever DecaffeinatID is first run. You can sort of set what is monitored via the GUI, but the single threaded nature of AutoIt3 causes it to be somewhat less than responsive at times (we are working on this). You may want to just edit the settings via the INI for now. The INI file should look something like the following:
[config]
sleep=0
firewalllog=C:\WINDOWS\pfirewall.log
[networks]
ignorenetworksrc=x
[events]
ignoreeventids=576
monitorarpcache=1
monitorgateways=1
monitorfirewall=1
monitorsecevent=1
sleep is the amount of time you want DecaffeinatID to wait before looking for new events (in milliseconds). DecaffeinatID spreads the time between its three main functions.
firewalllog is the path to the Windows firewall log (assuming you have logging enabled). C:\WINDOWS\pfirewall.log should be the default location in XP, but Vista may have it at C:\Windows\System32\LogFiles\Firewall\pfirewall.log .
ignorenetworksrc lists the first part of source IP addresses that should be ignored. For example, “ignorenetworksrc=192.168” would cause the IDS to not notify you if a source IP is in the range 192.168.*.*.
ignoreeventids is a space separated list of Windows Security Event Log Event IDs to ignore.
monitorarpcache, monitorgateways, monitorfirewall and monitorsecevent allow you to set what you want to monitor. The monitorgateways setting is still a work in progress and is here as a placeholder.
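A small Python re-implementation of the three checks described above, added here as an example and not DecaffeinatID's own AutoIt code: it reads the INI keys just explained, diffs two snapshots of `arp -a` output with the special gateway alert, parses the W3C-format pfirewall.log by its `#Fields:` header, and drops security event IDs listed in ignoreeventids. The gateway IP (10.0.0.1), the sample INI, ARP and firewall text and the event IDs are constructed assumptions.

```python
# Added example, not DecaffeinatID's own AutoIt code: the post's three checks run over
# constructed sample input. INI keys match decaffeinatid.ini; the samples are assumed.
import re

def parse_ini(text: str) -> dict[str, str]:
    # Flatten [section] key=value lines into one dict (keys are unique in this INI).
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("[", ";", "#")):
            key, _, val = line.partition("=")
            cfg[key.strip().lower()] = val.strip()
    return cfg

def ignored_prefixes(cfg: dict[str, str]) -> list[str]:
    # 'ignorenetworksrc=192.168' -> ['192.168.']: whole octets only; the page's 'x' matches nothing.
    return [p.rstrip(".") + "." for p in cfg.get("ignorenetworksrc", "").split()]

def ignored_event_ids(cfg: dict[str, str]) -> set[int]:
    return {int(x) for x in cfg.get("ignoreeventids", "").split() if x.isdigit()}

# One row of Windows `arp -a` output: "  10.0.0.1    00-11-22-33-44-55    dynamic"
ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)

def parse_arp_table(text: str) -> dict[str, str]:
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def diff_arp(old: dict[str, str], new: dict[str, str], gateway_ip: str) -> list[str]:
    alerts = []
    for ip, mac in new.items():
        if ip not in old:
            alerts.append(f"NEW ARP entry {ip} -> {mac}")
        elif old[ip] != mac and ip == gateway_ip:
            alerts.append(f"GATEWAY MAC CHANGED {ip}: {old[ip]} -> {mac} (possible ARP spoofing)")
        elif old[ip] != mac:
            alerts.append(f"CHANGED ARP entry {ip}: {old[ip]} -> {mac}")
    return alerts

def parse_firewall_log(text: str, prefixes: list[str]) -> list[dict[str, str]]:
    # pfirewall.log is W3C-style: take column names from the '#Fields:' header.
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if not any(rec.get("src-ip", "").startswith(p) for p in prefixes):
                events.append(rec)
    return events

def run_checks(ini: str, arp_before: str, arp_after: str, fw_log: str,
               gateway_ip: str, security_event_ids: list[int]) -> list[str]:
    # One polling round: everything DecaffeinatID would pop up from the systray.
    cfg = parse_ini(ini)
    alerts = diff_arp(parse_arp_table(arp_before), parse_arp_table(arp_after), gateway_ip)
    for e in parse_firewall_log(fw_log, ignored_prefixes(cfg)):
        alerts.append(f"FW {e['action']} {e['protocol']} {e['src-ip']}:{e['src-port']} "
                      f"-> {e['dst-ip']}:{e['dst-port']}")
    ignore = ignored_event_ids(cfg)
    alerts += [f"SECURITY event id {eid}" for eid in security_event_ids if eid not in ignore]
    return alerts

# Constructed sample input (not real captures); the gateway is assumed to be 10.0.0.1.
SAMPLE_INI = """[config]
sleep=0
firewalllog=C:\\WINDOWS\\pfirewall.log
[networks]
ignorenetworksrc=192.168
[events]
ignoreeventids=576 538
"""
ARP_BEFORE = """Interface: 10.0.0.5 --- 0x2
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.7              00-aa-bb-cc-dd-ee     dynamic
"""
ARP_AFTER = """  10.0.0.1              00-de-ad-be-ef-01     dynamic
  10.0.0.7              00-aa-bb-cc-dd-ee     dynamic
  10.0.0.9              00-12-34-56-78-9a     dynamic
"""
FW_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-06-20 10:15:01 DROP TCP 10.0.0.9 10.0.0.5 4444 445 48 S 123456 0 65535 - - - RECEIVE
2008-06-20 10:15:02 DROP TCP 192.168.1.3 10.0.0.5 5555 139 48 S 123457 0 65535 - - - RECEIVE
2008-06-20 10:15:03 DROP UDP 10.0.0.9 10.0.0.5 137 137 78 - - - - - - - RECEIVE
"""
```

Calling run_checks(SAMPLE_INI, ARP_BEFORE, ARP_AFTER, FW_LOG, "10.0.0.1", [576, 528, 538]) yields five alerts: the gateway MAC change, the new 10.0.0.9 entry, the two non-ignored firewall drops, and event ID 528 (576 and 538 are filtered by the INI).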
It’s a pretty ghetto excuse for an IDS as of right now, but it’s something I wanted to create for personal use so I figure I might as well share it. The source and binary can be found here:
Download DecaffeinatID 0.04 Beta
Why Tracking Global Hackers is almost impossible.
They’re in our computers, reading our files. The Chinese government, that is, according to two U.S. Congressmen who recently accused Beijing of sending hackers to ferret out secret documents stored on Congressional computers. The Chinese deny any involvement, but if they were lying, would we be able to prove it?
The answer, according to computer and security experts, is probably not.
At least, not conclusively enough for a court of law.
“It’s very difficult to track hacker attacks and, even if you can track it, you don’t always know with 100 percent certainty if you’re right,” said James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C.
That was the problem faced by the investigators who attempted to figure out who broke into computers used by the staff of Rep. Christopher H. Smith, R-N.J., and Rep. Frank R. Wolf, R-Va. The Congressmen announced on June 11 that they’d been the targets of several attacks, beginning in 2006.
Both Smith and Wolf are high-profile critics of the Chinese government. They told reporters that, among other things, the hackers stole lists of identities of Chinese dissidents and records from Congressional human-rights hearings.
It is possible to track such attackers, to a point. When you use the Internet, you leave the equivalent of digital footprints, Lewis explained. Every message your computer sends to a different computer travels in a series of hops from one router or server to another. Even after the message is received, the record of its path remains. Lewis said authorities can sometimes follow that path back to a hacker’s computer.
But not always. For one thing, not all servers and routers save records. Another big problem is that hackers will often conceal their location by creating a fake trail, essentially leading authorities to a computer user who had nothing to do with the attack.
More frustrating, Lewis said, is the fact that even when you can successfully trace a hacker, the information you get doesn’t tell you who signed his paycheck. While the attacks on Smith and Wolf were apparently traced to a computer in China, knowing that doesn’t necessarily implicate the Chinese government.
“All it gives you is the Internet address of the last computer in the line,” he said.
Because of this, Lewis said, the U.S. intelligence services usually have to take circumstantial evidence into account. For instance, in the current case, they might look at who would have had the motivation to make the attack. “The records stolen were secret lists of Chinese human rights activists,” he said. “Who else is going to care about that but the Chinese government?”
However, he said, there is one other possible culprit. China is home to a particularly active cadre of patriotic civilian hackers.
Heroes at home
Bruce Schneier, chief security technology officer of the BT Group, an international communications company based in London, said some of these guys are heroes in their home country, thanks to hacks they’ve made on organizations, media and governments that are pro-Tibet, pro-Taiwan, or otherwise critical of Chinese interests.
While not the same as official government hackers, these cyber-vigilantes are liable to pull stunts that benefit the government and, in some cases, they might even sell information they’ve gathered to the government. Both Schneier and Lewis said these civilian hackers aren’t truly independent, in that they’re probably tolerated, if not outright encouraged, by the government.
It’s also important to note that China isn’t the only government that’s up to online shenanigans. Using hackers to conduct espionage is awfully appealing, precisely because it’s so hard to conclusively pin on a specific source.
Lewis said there are at least a half dozen other governments, besides China’s, that have highly sophisticated hacker capabilities. This includes the United States. In fact, he said, attacks are common enough that they’re almost not something to get worked up about. “We shouldn’t be outraged at this latest hack,” he said. “This is just normal stuff between countries. If you want to be outraged, be outraged that our defenses are so poor.”
FireFox3 Released!
You have to get Firefox 3. It’s amazing. The new look of Firefox 3 alone is outstanding: it has a cool UI with awesome new buttons, and if that’s still not enough to convince you, check out what else it can do.
This is from the What’s New section of the Firefox website:
- More Secure
- One-click site info: Click the site favicon in the location bar to see who owns the site and to check if your connection is protected from eavesdropping. Identity verification is prominently displayed and easier to understand. When a site uses Extended Validation (EV) SSL certificates, the site favicon button will turn green and show the name of the company you’re connected to. (Try it here!)
- Malware Protection: malware protection warns users when they arrive at sites which are known to install viruses, spyware, trojans or other malware. (Try it here!)
- New Web Forgery Protection page: the content of pages suspected as web forgeries is no longer shown. (Try it here!)
- New SSL error pages: clearer and stricter error pages are used when Firefox encounters an invalid SSL certificate. (Try it here!)
- Add-ons and Plugin version check: Firefox now automatically checks add-on and plugin versions and will disable older, insecure versions.
- Secure add-on updates: to improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.
- Anti-virus integration: Firefox will inform anti-virus software when downloading executables.
- Vista Parental Controls: Firefox now respects the Vista system-wide parental control setting for disabling file downloads.
- Effective top-level domain (eTLD) service better restricts cookies and other restricted content to a single domain.
- Better protection against cross-site JSON data leaks.
- Easier to Use
- Easier password management: an information bar replaces the old password dialog so you can now save passwords after a successful login.
- Simplified add-on installation: the add-ons whitelist has been removed making it possible to install extensions from third-party sites in fewer clicks.
- New Download Manager: the revised download manager makes it much easier to locate downloaded files, and you can see and search on the name of the website where a file came from. Your active downloads and time remaining are always shown in the status bar as your files download.
- Resumable downloading: users can now resume downloads after restarting the browser or resetting your network connection.
- Full page zoom: from the View menu and via keyboard shortcuts, the new zooming feature lets you zoom in and out of entire pages, scaling the layout, text and images, or optionally only the text size. Your settings will be remembered whenever you return to the site.
- Podcasts and Videocasts can be associated with your media playback tools.
- Tab scrolling and quickmenu: tabs are easier to locate with the new tab scrolling and tab quickmenu.
- Save what you were doing: Firefox will prompt users to save tabs on exit.
- Optimized Open in Tabs behavior: opening a folder of bookmarks in tabs now appends the new tabs rather than overwriting.
- Location and Search bar size can now be customized with a simple resizer item.
- Text selection improvements: multiple text selections can be made with Ctrl/Cmd; double-click drag selects in “word-by-word” mode; triple-clicking selects a paragraph.
- Find toolbar: the Find toolbar now opens with the current selection.
- Plugin management: users can disable individual plugins in the Add-on Manager.
- Integration with Windows: Firefox now has improved Windows icons, and uses native user interface widgets in the browser and in web forms.
- Integration with the Mac: the new Firefox theme makes toolbars, icons, and other user interface elements look like a native OS X application. Firefox also uses OS X widgets and supports Growl for notifications of completed downloads and available updates. A combined back and forward control make it even easier to move between web pages.
- Integration with Linux: Firefox’s default icons, buttons, and menu styles now use the native GTK theme.
- More Personal
- Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them.
- Tags: associate keywords with your bookmarks to sort them by topic.
- Location bar & auto-complete: type in all or part of the title, tag or address of a page to see a list of matches from your history and bookmarks; a new display makes it easier to scan through the matching results and find that page you’re looking for. Results are returned according to their frecency (a combination of frequency and recency of visits to that page) ensuring that you’re seeing the most relevant matches. An adaptive learning algorithm further tunes the results to your patterns!
- Smart Bookmarks Folder: quickly access your recently bookmarked and tagged pages, as well as your more frequently visited pages with the new smart bookmarks folder on your bookmark toolbar.
- Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches. Create and restore full backups whenever you want.
- Web-based protocol handlers: web applications, such as your favorite webmail provider, can now be used instead of desktop applications for handling mailto: links from other sites. Similar support is available for other protocols (Web applications will have to first enable this by registering as handlers with Firefox).
- Download & Install Add-ons: the Add-ons Manager (Tools > Add-ons) can now be used to download and install a Firefox customization from the thousands of Add-ons available from our community add-ons website. When you first open the Add-ons Manager, a list of recommended Add-ons is shown.
- Easy to use Download Actions: a new Applications preferences pane provides a better UI for configuring handlers for various file types and protocol schemes.
- Improved Platform for Developers
- New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provide rendering improvements in CSS and SVG, as well as improved display of fonts with ligatures and complex scripts.
- Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.) Firefox can now adjust images with embedded color profiles.
- Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users).
- A more complete overview of Firefox 3 for developers is available for website and add-on developers.
- Improved Performance
- Speed: improvements to our JavaScript engine as well as profile guided optimizations have resulted in continued improvements in performance. Compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3, and the popular SunSpider test from Apple shows improvements over previous releases.
- Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 over a web browsing session. Memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned.
- Reliability: A user’s bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes.
DIY: Computer Controlled power switch
If you’re as geeky as I am, you probably want to be able to control everything with a computer. Well, I can show you how to control a power switch with your PC!
Warning!!!
You have to understand, before you try any of this, that I’m not responsible if you get injured; if any of your property is damaged, or if you get shocked - lighting your clothes on fire and turning you into a screaming human candle - I’m not responsible. So, please, be careful and pay close attention to any details… it’ll save you a lot of annoyance and tribulation.
Mistakes only happen because of the unknown or overlooked… the closer you pay attention to what you’re doing the less likely you’ll be to make a stupid mistake. I know this because I am the master of stupid mistakes.
The main part is a special “relay”. You can pick these up on ebay for pretty cheap - you could try your local electronics store, but I honestly doubt you’ll have much luck. None the less - you’ll need it.
So, let’s do an inventory of what you’ll need for this part:
- Tools
- Utility Knife
- Soldering Iron
- Solder
- Electrical Insulating Tape
- Items
- Opto Relay Model # (480D10-12)
- Extension Cord, 4ft(You’ll be cutting this, so it shouldn’t be your dad’s/friend’s/neighbour’s or something)
- Safe (non-conductive) housing for the relay
- Parallel Port cable
Ok, that’s pretty much it. You can see I used some fancy eye-couplings for mine (or whatever they’re called)… that’s where the soldering iron comes in handy - but you’ll also need it to re-attach one of the power lines on the extension cord when you cut it.
1. Simply take your extension cord and cut it - keep in mind when you’re doing this that where you cut is where the relay will be placed and housed. So if you need some distance to get to the outlet, cut it towards the other end. I didn’t consider that when I made mine, but I got lucky.
Now, figure out which line of the two cables you cut is the lead (positive) and which is the negative. The relay is marked to show which connects to which, but if you don’t know anything about power outlets or extension cords this may be tricky. Good luck!
2. Take your eye-couplings, solder them to the ends of the wire and crimp them so they don’t come loose. Don’t solder up the other wire (in my photo you can see it has black tape on it for safety) - you’ll need to keep those unjoined if you want to put it in a case.
3. You’ll want to refer to a guide about your parallel cable, or just test it with a current tester (to determine which pin is 1). Here’s a link to the wikipedia entry on parallel ports.
This is really important - all of the software I’ve made is configured to run on pin 1. I should mention, again, that there are 8 pins on the parallel port to control a relay with… that means 8 unique items to control, if you don’t mind buying 8 relays.
4. So you’ve got your hardware done and you need to test it, right? Ok - that’s good. I got to that point too, and I used this great program. The webpage is in German, so uhh… here’s the direct link for download.
Once you’ve determined that you’ve got a good connection and it’s turning your appliance on/off you’ll want to head down to the last step to check out the software I had made to control this. If you’re having trouble following these steps at this point, please - PLEASE leave a comment.
Please feel free to ask any questions or leave comments in the comment section. ENJOY!
Requested by a reader! How to get data off old or dead hard drives.
Imagine you just bought a new 500 gigabyte Western Digital external hard drive. You load up all your backups, files and important documentation, then head over to a relative’s house to load some data from your drive onto their PC, and you accidentally drop it! But it’s OK, right? It was only a 2 foot drop onto carpet. You plug it in and turn it on: Disk Corrupted! NO, I’ve only had this drive for 5 months! Don’t panic, Techstructions is here to help you!
First, you’ll have to make sure that your problem isn’t related to something other than the hard drive. A failure of your hard disk controller may also cause this. You could always try switching your hard drive from IDE1 to IDE2 and see if that fixes your problem. If it doesn’t, remove the hard drive from your system and bring it with you to a friend’s house. If it still doesn’t work over there, then you know what the problem is.
The only solution to your problem now is to use a data recovery software, like PC Inspector File recovery. This application is completely free, and it works beautifully. It helped me once or twice in the past few years. Don’t make yourself any illusion, it’s not perfect, and doesn’t work all the time (Like any other hard drive recovery utility). Sometimes, data cannot be recovered out of a broken hard drive, unless you are ready to take your disk to a specialized recovery shop and pay 1000’s of dollars to have your data recovered.
While at your friend’s house, install your HD as a secondary device and start the computer. Be sure that the drive is seen during the startup process, because PC Inspector will not work if you are having mechanical problems with the disk drive or if it is no longer recognized by the BIOS. Head over to pcinspector.de and download the utility. The software supports the most popular file systems on the market: FAT 12, 16, 32 and NTFS. To be able to use PC INSPECTOR File Recovery you will need a working Windows system. Never install it on the drive from which you intend to recover data! The software must be installed and run on a second, independent drive (Amazon.com has many affordable hard drives if you need one!). Once installed, the utility is very easy to use. Just let the application’s extensive HTML tutorial guide you through all the steps. I hope this little hard drive recovery how-to could help you. Hopefully, the application will let you recover your data.
If after trying this, you still are unable to recover your data, you can always ask experts to do the job for you. The folks at DTIData and at the RAID Data Recovery Group can probably help you get your data back, no matter how damaged your drive is. Here are the specific pages on their sites concerning hard drive data recovery solutions:
* DTI Data Recovery
* Hard Drive Recovery Group
Here are 2 great articles about hard drive recovery. Read them!
Beginners Guides: Hard Drive Data Recovery
Data Recovery Myths
Several readers wrote to me about the Knoppix Linux distribution CD. This bootable CD has the ability to mount and read FAT, FAT32 and NTFS partitions, even damaged ones. So after your HD crashes, you can always use this to recover your data and back it up on a USB key or second HD.
Knoppix can be downloaded via This location.
Some people seem to think that if your hard drive has some mechanical problems, you can try putting it in the freezer for a few hours.
RFID chips in driver license
“Some federal and state government officials want to make state driver’s licenses harder to counterfeit or steal, by adding computer chips that emit a radio signal bearing a license holder’s unique, personal information.
In Virginia, where several of the 9/11 hijackers obtained driver’s licenses, state legislators Wednesday will hear testimony about how radio frequency identification, or RFID, tags may prevent identity fraud and help thwart terrorists using falsified documents to move about the country.”
Makes you feel all warm and fuzzy inside huh? Using RFID to identify people would help prevent identity theft and fraud, or would it? You be the judge.
Seems to me like RFID will make it EASIER to steal your identity.
Google labs is awesome.
If you’ve never heard of Google Labs you’re missing out. Google Labs is a collection of experimental ideas that Google is working on that haven’t quite made it to the public eye yet. Every time I check out the Labs page, found at http://labs.google.com/, there’s something new, and it really feels like I’m getting to experiment with the future of the internet when I try their upcoming products. Here’s a few things still in development:
Gtalk Labs edition.
Google Talk, Labs Edition is an experimental release of the Google Talk client. It has many of the same great features as the Google Talk Gadget, including instant messaging, emoticons, and group chat. Google Talk, Labs Edition also comes with new desktop notifications from Calendar, Orkut, and Gmail.
My favorite feature: you can copy a link from YouTube and, when you share it with the friend you are chatting with, you can watch the video right from Gtalk. Yes, the video shows up in the chat!!
There’s a whole bunch more features; you’ll just have to check it out for yourself! And if you really wanna, you can add me as a friend at techstructions@gmail.com because I don’t have any :*(
Experimental search
This is another cool one. “See results on a timeline, map, or in context of other information types. With these views, Google’s technology extracts key dates, locations, measurements, and more from select search results so you can view the information in a different dimension.”
Try these searches:
View on a timeline:
thomas jefferson
civil rights movement
nanotechnology
View on a map:
pga tours
olympics
bioinformatics conferences
View additional info:
space exploration
cars
koalas
Those are just a couple of things on the Labs page… There’s way too many for me to blog about for now; those were just my favorites! Have fun googling!
ALSO check out my other article on Gmail labs edition found here: http://www.techstructions.com/?p=71
Speed up XP loading time by modifying network settings!
When you start up your computer while connected to a LAN with your computer set to DHCP, it has to search for the DHCP server and then request an IP address and all the other configuration. This process takes some time and slows down how long it takes to boot the computer. Following the directions below will help you set a static IP address. Even if your ISP says to use DHCP this tweak may still work for you, but you have been warned!
- Click Start and click on Run.
- Type command in the text box and click OK.
- In DOS, type ipconfig and hit enter.
- This will show you the current IPs of your NIC and PPPoE adapters. Only pay attention to your Ethernet Card Adapter, not to the PPP adapter.
- Next, right click My Network Places and select Properties from the drop down menu. This will open up the Network Connections window. In here, locate your Local Area Network connection and right click it, select Properties from the drop down menu.
- When the next Window that opens up, select Internet Protocol (TCP/IP) and click Properties at the bottom.
- In the next window, click ‘Use the following IP Address’. This is where that DOS window comes in handy. Copy the same exact IP Address from your Ethernet card (in the dos window) and place it where it says IP Address. Same goes for the Subnet Mask and Default Gateway. If your Default Gateway is blank, then just leave it blank. Click Ok, then Ok again.
- In the DOS window, type exit to quit DOS, then hit Enter. Reboot your machine.
Now there is absolutely NO loading. You can connect as soon as you see your desktop.
Quick Note: If you use DHCP (dynamic IP address) to connect to the net, you may find that your net connection does not work after this. So if some day your network connection stops working, just go back into the NIC card properties, select “Obtain an IP address automatically” and reboot.
NEW! G-Mail Labs edition!
I love it when Google releases Labs editions of their already awesome free stuff! You have to check it out: it’s called Gmail Labs edition, and it has a LOT of new stuff you can do. Taken from their site, here are some of the features:
Gmail has a new look on the iPhone browser
Now with auto-complete when composing, automatic refreshing, and faster load times when viewing email. Learn more
More friends are more fun. Gmail welcomes your AIM® friends.
Now you can talk to your AIM® friends using an integrated chat list right inside Gmail. Learn more
AOL and AIM are trademarks of AOL LLC
Colored labels
Better organize your email with new colored labels. Just click the color swatch next to each label to assign a color. Learn more
Group chat
Chat with multiple people without multiple windows. Invite your friends to a group discussion. To start a group chat, click ‘Group chat’ from the ‘Options’ menu when chatting. Learn more
New emoticons
Start sending richer expressions to your friends. Learn more
Free IMAP
Sync your inbox across devices instantly and automatically. Whether you read or write your email on your phone or on your desktop, changes you make to Gmail will be seen from anywhere you access your inbox. Another way to use Gmail on your iPhone is through the browser. By going to m.gmail.com you get the full Gmail experience including conversation view, search, and more. Learn how to set up IMAP on other devices.
- Increased attachment limit: 20 MB! Now you can start sharing more of those home videos, large presentations and files you just can’t seem to get smaller. We have doubled the allowable attachment size to 20 MB to make your Gmail space even more useful.
- Get mail from other accounts: Now Gmail can check for the mail you receive at your other email accounts. You can retrieve your mail (new and old) from up to five other email accounts and have them all in Gmail. Then you can even create a customized ‘From:’ address, which lets you send messages from Gmail, but have them look like they were sent from another one of your email accounts. Please note that you can only retrieve mail from accounts that have POP3 access enabled.
- Embarrassment-reducing new message notifications: Ever replied to a message only to find out that someone sent a better, smarter reply right before you? Now, if someone sends a reply while you’re in the middle of reading a conversation (or replying to it), you’ll get a notification that a new message has arrived. Click “update conversation” to see what you’ve missed.
- Forward all: When viewing a conversation, use the new “Forward all” link on the right if you want to forward the entire conversation instead of just one message.
How to eavesdrop on bluetooth conversations
- A computer
- Backtrack linux distro
- bluetooth adapter