Windows Secrets Newsletter • Issue 133 • 2007-12-06 • Circulation: over 275,000
|
Contents

TOP STORY: Hide sensitive files with Alternate Data Streams
KNOWN ISSUES: Microsoft to cut WGA "kill switch" out of Vista
WACKY WEB WEEK: But, my mom said I could!
WOODY'S WINDOWS: The secret life of 3D Pinball
PERIMETER SCAN: Use Process Explorer to dig into your system
PATCH WATCH: Service Pack 1 for Office 2007 now due Dec. 11
YOUR SUBSCRIPTION: How to change your address or unsubscribe
|
|
TOP STORY Hide sensitive files with Alternate Data Streams
What the heck are Alternate Data Streams?

For many years, a feature called Alternate Data Streams (ADS) has been supported by drives formatted as NTFS (Microsoft's so-called New Technology File System, which is typical of Windows NT, 2000, XP, and later). Using NTFS, which is an improvement over the older FAT-32 file system, data can be stored in a separate "fork" or "stream" of any file or folder. This makes Windows more compatible with Mac operating system files (which consist of a resource fork and a data fork). The separate stream can also be used to store other things, such as information you can enter on the Summary tab of some files' Properties dialog boxes.

When data is stored in an NTFS stream, it is essentially invisible to Windows Explorer, text searches, and most of Windows' other routine file functions. For example, you can store a 5MB .zip file inside the stream of a 1K text file. When you do, Windows Explorer still displays the size of the text file as just 1K!

Because streams are such an effective hiding place, some malware may try to hide in the NTFS stream of an otherwise innocent-looking file. Fortunately for honest Windows users, the "stream" portion of a file is lost during browser and FTP downloads. This means that malware doesn't typically use streams to distribute itself, but only to hide files after it has already infected your system. Because NTFS streams are hidden from most Windows file functions, it's a good idea to make sure that your antivirus software is capable of scanning for malware hiding in ADS. Major antivirus products, such as ZoneAlarm and McAfee Antivirus, have this capability.

If you have a legitimate reason to hide files — a parent who doesn't want children or casual visitors to run across certain information, for example — you can easily copy any file into a stream using simple commands that are built into Windows.
It's true that you can protect private information by converting it, for example, into a password-protected .zip file. But if this file can be seen by others, and has a name like ProposedMerger.doc, your co-workers could ask you to explain it or decrypt it. Or an intruder could use password-guessing tools to try to open the file, which could expose you to insider-trading charges. If the encrypted file is hidden within a stream, it's less likely to be seen by casual users in the first place.

Removing or copying your data out of a stream requires special tools. Fortunately, these products are free and, as I explain below, easy to download and use.

How to create a file with a hidden stream

A simple example shows how to hide an application inside a file stream. You can create a hidden application using a command prompt, in which file streams are always referred to using the format filename:streamfile. Armed with this knowledge, here's how to add a stream to a file:

Step 1. To get a command prompt, press Windows+R (the Windows key plus the letter R) to open a Run dialog box. Type cmd and press Enter.

Step 2. Enter a command using the following format:

    type file1 > file2:file1

where type is the old DOS command, file1 is the file to be hidden in the stream, and file2 is the file that will contain the stream. The redirection symbol (>) writes the contents of one file into another location. You may need to include the full path of the files involved when you enter the actual file names. Press Enter to create the resulting file.

Step 3. Type exit and press Enter to close the command window.

Example: To copy the Windows Calculator program into a text file named eula.txt in a folder named c:\doc, use the following command:

    type c:\Windows\System32\calc.exe > c:\doc\eula.txt:calc.exe

If you use Windows Explorer to look at the eula.txt file (or the \doc folder where the file lives), you won't see any difference in its size.
The only difference is that its date attribute will change to reflect the date when you executed the command. You can, of course, modify the date of a file using any of a variety of downloadable utilities.

You can launch the embedded program (and confirm that a working copy of the Calculator app has, in fact, been embedded into the stream of eula.txt) using Windows' start command:

    start c:\doc\eula.txt:calc.exe

The start command is quirky in this case. You must include the entire path to the file2:file1 combination, even if you're in the same folder when you run the command. Unfortunately, Windows Vista apparently doesn't support this use of the start command to launch apps hidden in streams. You'll need to use one of the techniques described below, all of which work in all NTFS-compatible versions of Windows.

It's not necessary for you to name the streamed copy the same as the original file. For example, in the case above, the stream version of Calculator could have been named eula.txt:xyz.exe and the app would work just as well.

Files aren't the only resources that have streams. You can embed a file inside a folder. The following example embeds a picture file in a folder stream. In this case, the syntax is foldername:file1. In the following command, note that the quotation marks around the paths that contain spaces are required:

    type "c:\My Pictures\blue hills.jpg" > "c:\doc:blue hills.jpg"

To confirm that the picture is there, I can launch it using Windows' MS-Paint accessory:

    mspaint "c:\doc:blue hills.jpg"

As another example, if you embed a text file into a stream, you can open it with Notepad. If you stored a plain-text list of passwords in a stream, you could open it using a command like this:

    notepad "c:\doc:passwords.txt"

Unfortunately, not every application can read streams the way Paint and Notepad can. For instance, it's easy to store a .zip file in a stream, but I haven't found any application that can open it directly from the NTFS stream.
You can use this fact to improve the effectiveness of your hidden files. If your information is sensitive, put it into a .zip file and password-protect the file before copying it to a stream. Delete the original file, using a "wipe" program to destroy all traces of the original. (I discussed "shredder" utilities in my Oct. 18 story.) Finally, use one of the tools described below to extract the hidden file the next time you wish to unzip it. The hidden nature of the stream makes it hard to find and, if you use a long, strong password, your data will be safe even from a skilled attacker.

How to manage files hidden in data streams

You can easily copy, update, and delete files that you've stored in data streams. The trick is that, in some cases, you may need special software to do the job.

Retrieving a file from a stream

If you need to retrieve data from a stream, and you don't have an application that can read the embedded file type (such as .zip), the free command-line tool called Cat is very useful. You can download it from the DarkSquall Web site. Cat is only 92KB and requires no installation or decompressing. Just put it in a folder of your choice and run it from a command prompt. To copy data out of a stream, for example, use the following syntax:

    cat filename:streamfile > streamfile

Naturally, you may need to supply the paths for each file.

Example: To extract a file named diary.zip that has been embedded in the status.doc file, your command line might look like this:

    cat "c:\doc\status.doc:diary.zip" > "c:\my stuff\diary.zip"

Note that this only copies the file. It doesn't remove the stream. The original diary.zip file is still embedded in status.doc.

Updating a file in a stream

To update a file, first make your changes in a normal copy of the file. Second, use the type command, as explained above, to insert the updated copy into your hiding place.
The updated file will overwrite any existing one that has the same name in the stream, and you'll see no warning of that fact.

Locating and deleting files in streams

If you have Windows Vista, the dir command has a new switch (/r) that shows which files in a folder have stream data. At a command prompt, just type dir /r and press Enter. However, it's much faster to use a utility like ADS Spy from the SpywareInfo Web site. This utility works in Vista and also in XP. Like Cat, ADS Spy requires no installation; just copy its executable file from the downloadable .zip file and put it in any folder. ADS Spy has an option to ignore common, legitimate uses of streams, such as the "Zone Identifier" found in files downloaded using Internet Explorer. This means you can look only for files whose data streams contain suspicious or unexpected content. ADS Spy can also delete the streams of any files you select in its search results.

Beware of accidentally deleting streams

Using the type command with a redirection symbol, without specifying any stream, produces a copy that carries none of the data that may have been in the original's stream. For example, the following command creates a copy without any streams:

    type original.doc > backupcopy.doc

If you then use a "wipe" utility on the original copy of the file, any data that may have been in the stream will be permanently destroyed. Many common ways of handling a file that includes a stream will also delete the stream from the resulting copy. For instance, no stream data will survive when you copy a file to a FAT-32 drive (which includes most flash drives) or you e-mail a file as an attachment.

Other tips for hiding files with ADS

Here are some other things to keep in mind when using the ADS feature to hide sensitive materials:

• When hiding data inside a file or folder, be sure the file or folder you're hiding things in is not likely to be deleted by anyone using your computer.

• You can add more than one file to a single file, each in its own stream. Just use the type command for each item you add.

• Remember that the type command copies (rather than moves) data into a stream. If you're hiding a file in a stream, remember to wipe the original once the copy is in its hiding place.

• Don't use this hiding technique on the only copy of any file you can't afford to lose. It's best to use this trick to protect copies of files that might easily be lost or stolen, such as on laptops. Test the procedure and make sure you're comfortable with it before you take any risks with important files.

• If a file or folder contains a stream with material you're hiding, don't e-mail it or move it to a non-NTFS disk. Doing so will destroy the stream. Many backup programs will fail to preserve the stream in the backup copies, as well.

• As an added precaution, keep the ADS tools mentioned here (Cat and ADS Spy) on a separate disk or flash drive so anyone snooping on your machine doesn't use them against you. These applications are small and will easily fit on removable media.

Privacy is a big concern for many users. Snoopers can't pry if they never see your private files and can't decrypt the information if they do. ADS provides one more technique for preserving data for your eyes only.

Reader Rand New will receive a gift certificate for a book, CD, or DVD of his choice for suggesting this topic.

Have a tip about Windows? Send us your comments via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine's Here's How section.
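As an added example that is not part of the original article, the PowerShell script below does from the command line what the article describes doing with dir /r and ADS Spy: it walks a folder tree, lists every stream other than the main data stream, skips the Zone.Identifier stream by default (the "ignore common, legitimate uses" option), and flags any stream that begins with the "MZ" signature of a Windows executable, the case the article demonstrates with calc.exe. It assumes Windows PowerShell 3.0 or later (the -Stream parameter on Get-Item, Get-Content, Set-Content and Remove-Item) and an NTFS volume. Find-AlternateStreams is a name chosen for this example, the scratch folder and file names are my own, and the file and stream contents are constructed. The demonstration at the end also reproduces the article's "beware" case, in which copying only the main content yields a copy with no stream, and then removes the hidden stream from the carrier file.

```powershell
# Added example, not from the Windows Secrets article: audit a folder tree for
# NTFS alternate data streams using the FileSystem provider's -Stream parameter
# (Windows PowerShell 3.0 or later, NTFS volume). Find-AlternateStreams is a
# name chosen for this example; all scratch files and stream contents are constructed.

function Find-AlternateStreams {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,

        # Streams Windows writes itself and that are normally benign. Skipping them
        # mirrors ADS Spy's option to ignore the Zone.Identifier stream that
        # Internet Explorer adds to downloaded files.
        [string[]] $Ignore = @('Zone.Identifier')
    )

    # Windows PowerShell reads raw bytes with -Encoding Byte; PowerShell 6+ uses -AsByteStream.
    $byteArg = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArg = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | ForEach-Object {
        $file = $_
        # -Stream * lists every stream of the file, including the main ':$DATA' stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
            ForEach-Object {
                $stream = $_
                # Peek at the first two bytes: 'MZ' (0x4D 0x5A) opens every Windows
                # executable, so a stream starting this way deserves a closer look.
                $head = @(Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                      -TotalCount 2 @byteArg -ErrorAction SilentlyContinue)
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $stream.Stream
                    Length      = $stream.Length
                    LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
            }
    }
}

# --- Demonstration on a scratch folder (all content constructed) ---
$demo    = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$carrier = Join-Path $demo 'eula.txt'
Set-Content -LiteralPath $carrier -Value 'ordinary text the user sees'

# Hide a payload in a stream: the PowerShell equivalent of  type payload > eula.txt:hidden.bin
# The constructed content begins with 'MZ' so that the audit's executable check fires.
Set-Content -LiteralPath $carrier -Stream 'hidden.bin' -Value 'MZ stand-in for an executable'
# A mark-of-the-web stream in the form Internet Explorer writes it; ignored by default.
Set-Content -LiteralPath $carrier -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Audit the folder: hidden.bin is reported, Zone.Identifier is filtered out.
Find-AlternateStreams -Path $demo | Format-Table -AutoSize

# The article's "beware" case: writing only the main content into a new file (as cmd's
# type with > redirection does) carries no streams, so the copy has nothing to report.
$copy = Join-Path $demo 'backupcopy.txt'
Get-Content -LiteralPath $carrier | Set-Content -LiteralPath $copy
Find-AlternateStreams -Path $demo | Where-Object { $_.File -eq $copy }

# Cleanup of a found stream: removes only hidden.bin and leaves the file's own text intact.
Remove-Item -LiteralPath $carrier -Stream 'hidden.bin'
Find-AlternateStreams -Path $demo | Where-Object { $_.File -eq $carrier }
```

Run it from a PowerShell prompt on an NTFS volume; the audit emits one object per non-default stream, so the output can be piped to Export-Csv or filtered on LooksLikePE and Length for a larger tree. Because, as the article notes, streams do not survive e-mail, FAT-32 copies or most downloads, the check is only meaningful on the original NTFS files, not on copies taken through those routes.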
KNOWN ISSUES Microsoft to cut WGA 'kill switch' out of Vista
Reduced-functionality mode proves problematic

Microsoft announced its changes in WGA only days after Windows Secrets associate editor Scott Dunn published a lead story on Nov. 29 describing problems that have remained in the technology since it was introduced. Among other issues, numerous reports of valid copies of Windows being misidentified by WGA have surfaced. More than 500,000 "false positives" are acknowledged in Microsoft's own figures, according to a Computerworld article by Gregg Keizer published almost a year ago on Jan. 23, 2007.

Currently, if an instance of Windows Vista is found by WGA to be "nongenuine," a number of features are disabled. This includes the Aero user interface, Windows ReadyBoost, and portions of Windows Defender. If users don't resolve the matter within 30 days, "reduced-functionality mode" takes over, crippling nearly every Windows function except the browser. This is also known as the Vista "kill switch." This mode continues for an hour, after which the user is logged out without warning.

(WGA is often downloaded and installed by XP users, too, who are required to run it to get some Microsoft downloads. But the negative consequences of failing WGA validation are not as severe as with Vista.)

The draconian measures will be history for those who install Vista SP1, which is expected in the first quarter of 2008, according to a report in Computerworld. Under the new scheme, rather than losing some features, a "nongenuine" instance of Vista SP1 will start up with a black screen and a dialog box prompting users to "activate" the operating system or postpone activation to a later date. Users who choose to postpone will be able to log in and use all of the Vista features, although the desktop background will remain black. Thereafter, users will receive pop-up prompts every hour to complete the activation process. The background will also revert to black if the user changed the color.
The changes are based on feedback from some of Microsoft's largest customers, many of whom reportedly won't upgrade to Vista until SP1 is released.

In addition to the change in reduced-functionality mode, SP1 will also attempt to prevent two common hacks that are designed to get around requirements for Vista product activation and WGA validation:

• One trick, known as the OEM BIOS exploit, fools Vista into thinking a computer's motherboard came from a recognized Microsoft OEM system builder, such as Dell, which doesn't require activation.

• Another hack, the Grace Timer exploit, resets to a later date (such as 2099) the deadline when Vista will require activation.

"SP1 will include updates that will target those exploits and disable them," comments Michael Sievert, corporate VP of Windows product marketing, in a Microsoft press statement. Sievert also says the changes will be part of Windows Server 2008, to be released next year.

Although the company's goal is to combat piracy, Sievert says, "we always want to be mindful of our customers and their experience with Windows, and operate the WGA program to be as responsive as possible to feedback we hear."

WGA and product activation hit 'personal use'

In my view, it's questionable whether product activation and WGA validation, as practiced by Microsoft, are more of an inconvenience for mass pirates or legitimate, individual users. True large-scale pirates know how to produce thousands of copies that will validate (at least long enough to sell the copies to hapless consumers). Product activation, as it's implemented in Windows, is primarily designed to keep families from purchasing one copy of Windows and making a second copy on a kid's PC.

For hundreds of years, buyers have enjoyed a legal right to make copies of copyrighted works for personal use only, as I previously described on Mar. 8, 2007. Honoring this principle, various versions of MS Office permit up to three copies to be validated.
Windows, which is used by far more people than Office, has never observed a fair-use exemption. The very fact that I need to use the redundant term "mass piracy," when what I mean is "piracy," shows how far lawyers for Microsoft and other large software companies have come in redefining fair use as piracy. By definition, copying isn't piracy unless it's done in quantity and for commercial gain. But this isn't what we hear in the mainstream media about piracy, because Microsoft has a long-running campaign to make personal-use copying of a product that a family has legitimately purchased seem to be piracy.

For this reason, I don't consider it accurate to call WGA an "anti-piracy" technology (which is the tagline written into most press accounts). It's certainly an "anti-copying" tool, to use a neutral term, but is arguably more of an "anti-fair-use" scheme. Windows should be seen as improperly restricting age-old consumer rights that have long been explicit in copyright laws.

In addition to the philosophical concerns, product activation causes serious technical problems as well. Both XP and Vista require a new activation round when too many hardware changes are made over time. This has caused many systems to go into shutdown mode simply because of routine modifications. (If this ever happens to you, calling the 24-hour number that Microsoft displays and explaining your situation will usually get you a new activation code, gratis.)

In my opinion, Microsoft has lost more in sales due to the hassles of product activation — and loses more money on telephone support — than it gains by preventing fair use (personal-use copies) by families.

Have a tip on Microsoft Windows? Send us your comments via the Windows Secrets contact page.

Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.
WACKY WEB WEEK But, my mom said I could!
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, plus the week of Thanksgiving and the last two weeks of August and December.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Editor-at-Large: Fred Langa. Associate Editor: Scott Dunn. Contributing Editors: Susan Bradley, Mark Edwards, Woody Leonhard, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:
1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.

Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,