Safe boot trick for BlackBerry

I just learned of a nice trick for BlackBerry.

Just like safe mode in Windows XP, you can boot your BlackBerry into safe mode where it will not automatically load any third-party application. This can be useful for situations where you have something that is making your BlackBerry unstable.

This works with a battery pull or doing the hard reset key combination (Alt-left-shift-del). Right after the red light goes off, press and hold the escape key until the boot is complete. You will know that you are in safe mode because it will say “safe mode” in the top-middle of the screen.  This works on my BlackBerry Bold.

Virus definition update on the F-Secure rescue CD

So, a co-worker from the office asked me to clean their personal laptop from one of those anti-virus application that install themselves and creates a bunch of pop-ups telling you you are infected. Obviously, I didn’t want to connect that machine to our corporate LAN, so I figured I should use a rescue CD of some sort that does AV scans. I was highly recommended to use F-Protect’s rescue CD for this type of malware in my SANS 504 course that I just took last week.

So, a co-worker from the office asked me to clean their personal laptop from one of those anti-virus application that install themselves and creates a bunch of pop-ups telling you you are infected.  Obviously, I didn’t want to connect that machine to our corporate LAN, so I figured I should use a rescue CD of some sort that does AV scans.  I was highly recommended to use F-Protect’s rescue CD for this type of malware in my SANS 504 course that I just took last week.

A quick Google search returned a very useful page from techmixer.com titled FREE Bootable AntiVirus Rescue CDs Download List.  This page lists seven freely available Antivirus rescue CD options.  So I downloaded the ISO for F-Protect and burned it to a CD.  Obviously, you want to make sure you are scanning with the latest virus definition update, but since the CD is a read-only media, you can’t update the virus definition on it.  The ISO contains a virus definition file from July 2009, but that’s way to old to be useful.  I tried to follow the instructions that were on the techmixer.com page about F-Protect to use the updates on a USB stick, but without success.  When all else fails, read the instructions.  😉

I downloaded the PDF manual from http://www.f-secure.com/linux-weblog/files/rescue_cd_user_guide.20090717.pdf and those instructions, unlike the ones on the techmixer.com ones, instructed to create a fsecurerescuecd folder on your USB stick.  That way, the virus definition gets expanded to the rescuecd folder as well as the results of the scan is saved in a reports folder.  The trick is to use a USB drive that has nothing else on it.  Why they had to do it that way, I’m not sure.  I wished that it wasn’t so because I would rather carry only one stick instead of dedicating one to having the F-Secure virus definition file.

For those of you who prefer bullets and get ‘er done, here is a step-by-step how-to:

  1. Download the ISO  from the F-Secure web site.  As of this writing, version 3.11 is current.
  2. Burn the ISO to a CD.
  3. Have a FAT formated USB thumb drive with nothing on it.
  4. Create a fsecure folder at the root of the drive.
  5. Create a rescuecd folder in the fsecure folder.
  6. Download the latest virus definition file from F-Secure from http://download.f-secure.com/latest/fsdbupdate9.run
  7. Copy the fsdbupdate9.run to the root of your USB drive.
  8. Plug-in the USB drive on the sick computer and then boot the rescue CD.

F-Secure picked-up that I had a USB drive connected and used the virus definition for the scan.  Simply follow the on-screen instructions and your computer will be cleaned up.

How to use a Smart Card to digitally sign your e-mails in Outlook

If you are using smart card in your network only for authentication, you are missing out on the other things you can do to secure your communication with others. This post will show you how to enable your smart card to be used to digitally sign or encrypt your e-mails in Outlook 2003.

Where I currently work, we are using smart cards in order to secure Active Directory accounts with elevated privileges.  That’s great way to do two-factor authentication because smart cards are integrated in AD natively.  In order to force an account to use a smart card, you only have to click on a checkbox on the user account.

In order to be able to digitally sign and encrypt your e-mails, you have to first take the following steps:

  1. Import the certificate on your smart card into the IE Store
  2. Configure Outlook to use the certificate
  3. Start signing/encrypting your e-mail

Sounds simple enough.  Let’s get into the details of how we do all of that.

The first step is to import the digital certificate that is on the smart card into what is sometimes called the IE store.  Since I use Gemalto‘s GemSafe drivers, it is fairly easy.

  1. I first go to the Certificates section of the Toolbox and click on my certificate.
  2. This enables the Export… button.  Click on it to go to the export screen.
  3. Select Export to IE store and make sure that you select Personal as the certificate store.
  4. Click the Export button.

This puts a copy of the certificate (private and public keys) into your personal store for your use.  You can verify that the certificate was imported properly by opening up Internet Explorer, click on Tools | Internet Options | Content | Certificates.  Your certificate should be listed in the Personal tab.  Click on the certificate.  This will fill the Certificate intended purposes section at the bottom of the dialog box.  If Secure Email is not one of the intended purposes, then you will not be able to use this certificate to sign your e-mails.

Now the last thing to do is to configure Outlook to use that certificate.

  1. In Outlook (I’m using Outlook 2003), click on Tools | Options… | Security tab| Settings… button in the Encrypted e-mail section.
  2. Here we need to choose our signing certificate and encryption certificate.  Click on the Choose… button and select the same certificate in both cases.
  3. Your Hash Algorithm should be SHA1 because it is stronger than the old MD5.
  4. Your Encryption Algorithm is probably defaulted to 3DES, which is the strongest algorithm available.
  5. Make sure that the checkbox for the Send these certificates with signed messages option is checked.  This will then allow your recipient to import your certificate (with your public key only) into their store.  This way they will be able to encrypt e-mails to you and only you will be able to decrypt them.

And there you go.  The next time you write an e-mail, simply click on the Options… button and then the Security Settings… button to open the dialog box that will allow you to digitally sign and encrypt your e-mail.  Make sure that your smart card is inserted.  When you click on the Send button, you will be asked to enter your PIN before your e-mail is signed and encrypted in order to confirm your identity.

I hope this was helpful to you.  Let me know if you have any questions.