Archive for May, 2015

Removing Crapware from Windows

2015/05/28

Every so often my PC starts getting slow. In the task manager there are dozens of processes that I don’t recognize. It’s a real pain to clean these out. But, …, I guess this is just basic maintenance that needs to be done. Here are my notes for today. I doubt this makes good reading, unless you land here via a search engine and want to see how I got rid of something.

The first lesson here is that removing crap is best done in the Administrator account, and not just in an ID with administrator privileges. Some utilities (sc for example) test for user ID and not just privileges. If you use Windows Vista, 7, or 8, this account is “hidden”. Sigh. If you’ve ever wondered what the option “run as Administrator” is, now you need it.

On the site windowsvc.com, I found this helpful way to remove crap installed as a service. In this case, I wanted to remove BrsHelper:

Open a command prompt by right clicking its icon and selecting “run as Administrator”. The following three lines respectively stop the service, disable its auto-start, and delete the service entirely. For example,

sc stop "BrsHelper"

sc config "BrsHelper" start= disabled

sc delete "BrsHelper"

(Note the space after “start=”; sc insists on it.)

I note on the web that others get “Access Denied” with sc even when running it as Administrator. I didn’t have that problem, but beware. This seems like a nice utility. It does have a side effect of staying in memory after using it. I had to kill its process tree from the task manager when I was done with it.

The Administrator account isn’t just hidden, it isn’t enabled at all. To enable it, run the command prompt as Administrator as above, then type:

net user administrator /active:yes

Now the Administrator account is active, and you’ll see it when you want to log in or just change user accounts. BEWARE, initially it has no password. Be sure to set a good one if you want to leave it active. To disable it, repeat the above command with “no” instead of “yes”.

There are other ways to do this. Vishal Gupta’s site www.askvg.com offers three other ways here.

I was trying to remove the crapware YTdownloader, and ran into the above Administrator problem. There is an interesting utility autoruns.exe which lists all of the programs that are set to auto run. You must run this program as Administrator, but you can tune the autoruns without messing directly with the registry. You can also submit whatever you find to VirusTotal. My local McAfee claims there is a trojan inside YTdownloader.exe. There are other reports that it is malware. My early attempts to remove it got trapped by McAfee which claimed that the program was moved to a quarantine area. But going to McAfee’s interface for its quarantined files showed no sign of YTdownloader. I could find it using the file explorer, and there was a directory of the same name, which I could delete but only as Administrator. This didn’t get rid of a companion program BrsHelper, which I killed as above.

Incidentally, YTdownloader is sometimes called YouTube downloader. Beware of being tricked into installing YTdownloader by trying to download videos! I don’t understand the relationship here.

I also got rid of a couple of Dell programs with bad reputations: dkab1err.exe (the character after the “b” is the digit one) and DKADGmon.exe. They must have gotten installed when I used a Dell printer at one of my consulting clients’ sites. With Administrator active, I had no trouble deleting them. I did have to deal with an extra prompt to continue, however. Just click it and move on.

The program biomonitor.exe was always running. The utility autoruns.exe didn’t list it. Apparently it is part of HP’s SimplePass fingerprinting tool. To delete it, kill the process tree for biomonitor from the task manager, and then uninstall HP SimplePass from the control panel.

I came across a program WindowexeAllkiller.exe. While it looked interesting, it required the .Net framework, thus I didn’t try it. CNET warns that while safe, an inexperienced user can get into trouble. The author recommends checkpointing Windows before using it. The apparent goodness of this tool is that you can eliminate several bad programs at once. I suppose this is why it is such a dangerous tool. Some feedback on this tool would be welcome.

As I was thinking I was done, I noticed an unexpected tab in Chrome for www-searching.com. (Note the hyphen.) I don’t know how it got there. As I was on a roll looking for strangeness, I quickly found that this program was a search engine of sorts that was designed to track you and steal your personal information. The only damage it did to me was to install a shortcut to its site on my task bar. Of course I deleted the task bar item and the tab in Chrome, and then I did all the due diligence to get rid of potential infection elsewhere. I searched the registry, checked for Chrome add-ons and for a hijacked home page, checked the Chrome history and was very surprised to find nothing, checked the scheduled tasks, searched the file system, and looked for ads by it. I couldn’t find anything else. Malwarebytes was reputed to find and remove it, but a complete scan found nothing. Maybe I was lucky that I didn’t try out this bogus search engine!

I noticed on the web that www-searching.com was also similar to ohtgnoenriga.com (Gads, what language is that?) as well as search.conduit.com “Conduit Search”. I also looked for ohtgnoenriga and conduit.com on my system, and fortunately found nothing.

Finally, I deactivated my Administrator account as above.

SCIM – System for Cross-domain Identity Management

2015/05/15

SAML, OAuth, and OpenID Connect, as we have seen, all require the registration of the Client Applications, the Resource Owners (End Users), and the Resource Servers. The Authorization Server (AS) = The OpenID Provider (OP) is thus forced to keep the registration data, perhaps stored in tables. While these standards loosely define what goes into these tables, they define neither how these data are collected nor how they are managed. SCIM, the System for Cross-domain Identity Management [not to be confused with SCIM the Smart Common Input Method platform], is an attempt to do this. See Ping Identity’s history in their SCIM white paper and a brief Wikipedia article for descriptions of some early attempts. The IETF lists some current draft specs.

The “C” in SCIM used to stand for “cloud”, but on-premises use of SCIM for internal identity management is popular as well. A SCIM server can be in the cloud and still manage on-premises applications using a secure SCIM channel through the firewall. This becomes a “cloud identity bridge”.

In my earlier IAM posts, I noted that the IdP or the AS had table descriptions for Clients, Resource Providers, Resource Owners, etc. This is the beginning of a Schema for SCIM. It needs groups, roles, entitlements, devices.
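As an added illustration of what such a schema looks like in practice (example code written for this page, not from the post or from any SCIM vendor): a SCIM 2.0 User resource carrying roles and entitlements, with the checks a provisioning client should run before it POSTs the resource to the SCIM server. The schema URI is the core User schema URI from the IETF SCIM core schema specification; the user, role and entitlement values are constructed for the example. Groups are included in the summary because the SCIM server, not the client, assigns them.

```python
import json

# Schema URI of the SCIM 2.0 core User resource (IETF SCIM core schema spec).
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Attributes the SCIM server assigns; a client must not send them when creating a user.
SERVER_ASSIGNED = {"id", "meta", "groups"}

# Multi-valued attributes whose entries are objects carrying a "value" sub-attribute.
MULTI_VALUED = {"emails", "phoneNumbers", "groups", "entitlements", "roles"}


def validate_user_for_create(resource):
    """Return a list of problems with a User resource a client wants to POST.

    An empty list means the resource passes these checks. Only the rules
    from the core schema that matter for provisioning are covered here.
    """
    errors = []

    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or SCIM_USER_SCHEMA not in schemas:
        errors.append("schemas must list the core User schema URI")

    # userName is the only required attribute besides schemas.
    if not resource.get("userName"):
        errors.append("userName is required")

    for attr in SERVER_ASSIGNED & set(resource):
        errors.append(f"{attr} is assigned by the server and must not be sent on create")

    for attr in MULTI_VALUED & set(resource):
        entries = resource[attr]
        if not isinstance(entries, list):
            errors.append(f"{attr} must be a list of objects")
            continue
        primaries = 0
        for entry in entries:
            if not isinstance(entry, dict) or "value" not in entry:
                errors.append(f"every {attr} entry needs a value sub-attribute")
                break
            primaries += bool(entry.get("primary"))
        # The schema allows at most one entry of a multi-valued attribute to be primary.
        if primaries > 1:
            errors.append(f"at most one {attr} entry may be marked primary")

    if "active" in resource and not isinstance(resource["active"], bool):
        errors.append("active must be a boolean")

    return errors


def provisioning_summary(resource):
    """Collapse the multi-valued attributes an application cares about into plain lists."""
    return {
        attr: [entry["value"] for entry in resource.get(attr, [])]
        for attr in ("roles", "entitlements", "groups")
    }


# Constructed sample: what an HR-driven provisioning client would POST to /Users.
SAMPLE_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "hr-00042",
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
    "emails": [{"value": "jdoe@example.com", "type": "work", "primary": True}],
    "roles": [{"value": "app-admin", "display": "Application administrator"}],
    "entitlements": [{"value": "vpn-access"}],
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_USER, indent=2))
    print("problems:", validate_user_for_create(SAMPLE_USER))
    print("summary:", provisioning_summary(SAMPLE_USER))
```

The point of the read-only check is that a client which copies a resource it fetched earlier and re-POSTs it will otherwise send the server’s `id` and `groups` back, which a strict server rejects and a lax one may silently overwrite.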

OpenID Connect

2015/05/01

OpenID Connect allows Client Applications to verify the identity of the End User based on the authentication performed by an Authorization Server. It also allows the Client to obtain basic profile information about the End User.

There are a number of versions of how OpenID Connect was born, e.g. here, here, here, and officially here. I like the story that after multiple influential companies implemented SAML, WS*, and OpenID 2.0, and also Facebook implemented Facebook Connect, Eran Hammer and David Recordon put forth a one page proposal for what became OpenID Connect. I can’t find this historical one-pager, and even the core spec today is around 100 pages with half a dozen other supporting documents. Some have called it a functional merger of OpenID and Facebook Connect that is layered on OAuth 2.0. Others provide the “formula”:

(Identity, Authentication) + OAuth 2.0 = OpenID Connect

Whoever should be getting historical credit, the basic idea is both simple and brilliant: Take the authorization mechanism of OAuth 2.0, make a couple of tiny additions, which I’ll explain in a moment, and voilà, we’ve got an authentication mechanism.

As with OAuth 2.0, there is a registration process that is not specified, but it is essentially the same as for OAuth and is described in the spec under OpenID Connect Discovery and under OpenID Connect Dynamic Client Registration. There is a bit of a pas de deux on terminology. What OAuth calls the Authorization Server AS is also referred to as the OP for OpenID Provider, and OP has an Authorization Endpoint and a Token Endpoint. The client obtains these endpoints during registration.

The fundamental new idea is simply to add a new scope value openid to the initial authorization request message (described in my last post on OAuth 2.0) to the Authorization Server AS. Having openid as one of the scope values makes the request not only for access tokens but also for a new “identity token”, and also opens up the possibility to request more information about the end user. Here are some of these request parameters:

  • scope: must contain the new value openid and may contain one or more of the scope values of profile, email, address, phone, and offline_access
  • response_type: code – means both access and id tokens will be returned from the token endpoint in exchange for the code value obtained from the AS
  • client_id: obtained during registration at the AS
  • redirect_uri: one of the pre-registered redirection URI values for the client

This request asks the AS to authenticate the owner/operator of the browser that is sending the message and to return an id_token as well as access_tokens. The id_token will affirm that the user has authenticated recently. The id_token may contain additional claims or information about the user. The method of authentication is not defined by the spec. The id_token includes a JSON object that includes:

  • iss = issuer identifier for the issuer of the response
  • sub = subject identifier, locally unique within the issuer, for the end-user
  • aud = audience(s) for whom this id_token is intended = array of case sensitive strings or a single such string
  • UserInfo Endpoint
  • iat = Issue timestamp
  • exp = Expiration datetime
  • auth_time = time end-user last authenticated
  • How the user was authenticated (optional)
  • many other optional tags
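The two halves of the exchange described above, as an added example that is not part of the original post: building the authorization request with openid in the scope, and checking the id_token claims (iss, sub, aud, iat, exp, auth_time) on the client side. The endpoint, client_id, redirect URI and token contents are constructed values; the state parameter is not in the list above but the spec recommends it so the client can match the response to its request. Decoding the token’s payload is not the same as trusting it: the signature in the third segment must be verified against the OP’s keys, which this example leaves to a JOSE library.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Scope values named in the post; openid is mandatory, the rest optional.
OPENID_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}


def build_authorization_request(authorization_endpoint, client_id, redirect_uri, scopes, state):
    """Build the URL the client redirects the browser to (authorization code flow).

    state is not in the post's parameter list; the spec recommends it so the
    client can tie the response back to the request it made.
    """
    scopes = set(scopes)
    if "openid" not in scopes:
        raise ValueError("scope must contain openid for an OpenID Connect request")
    unknown = scopes - OPENID_SCOPES
    if unknown:
        raise ValueError(f"unknown scope values: {sorted(unknown)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes, key=lambda s: (s != "openid", s))),
        "state": state,
    }
    return authorization_endpoint + "?" + urlencode(params)


def jwt_payload(id_token):
    """Return the claims JSON object carried in the middle segment of an id_token.

    This only decodes; the signature (third segment) must be verified separately
    against the OP's published keys before any claim is trusted.
    """
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("id_token is not a three-segment JWT")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token_claims(claims, expected_issuer, client_id, now=None,
                             max_auth_age=None, clock_skew=60):
    """Check the claims the post lists against what this client expects.

    Returns a list of problems; empty means the token is acceptable.
    now is seconds since the epoch, max_auth_age and clock_skew are seconds.
    """
    now = int(time.time()) if now is None else now
    problems = []

    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the OP the client registered with")

    # aud may be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("aud does not include this client_id")

    if not claims.get("sub"):
        problems.append("sub is missing")

    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp + clock_skew:
        problems.append("token has expired")

    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + clock_skew:
        problems.append("iat is in the future")

    # auth_time lets the client insist that the user authenticated recently.
    if max_auth_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_auth_age:
            problems.append("authentication is older than max_auth_age allows")

    return problems


# Constructed sample: a fixed clock and a fabricated token with a dummy signature.
NOW = 1432000000
SAMPLE_CLAIMS = {
    "iss": "https://op.example.com",
    "sub": "user-1234",
    "aud": "client-abc",
    "iat": NOW - 10,
    "exp": NOW + 3590,
    "auth_time": NOW - 120,
}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "dummy-signature",
])

if __name__ == "__main__":
    print(build_authorization_request("https://op.example.com/authorize", "client-abc",
                                      "https://rp.example.com/cb", ["openid", "email"], "state-1"))
    claims = jwt_payload(SAMPLE_ID_TOKEN)
    print(validate_id_token_claims(claims, "https://op.example.com", "client-abc", NOW, max_auth_age=300))
```

The iss and aud checks are what turn an OAuth access grant into an authentication assertion: without them a token minted for some other client, or by some other provider, would be accepted as proof that this user logged in here.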

The user runs a protected application, which may make additional GET requests to the UserInfo endpoint, a REST API for identity attributes. Curiously, the spec warns that these claims may not be for the end user (due perhaps to man-in-the-middle attacks)! In addition there are language dependencies on the claim values.

The final OpenID Connect specification is dated Feb 26, 2014; and the certification program was launched April 22, 2015 with Google, Microsoft, Ping Identity, ForgeRock, Nomura Research Institute, and PayPal the first to self-certify.

Multiple companies, in support of OpenID Connect, have announced they will no longer be supporting OpenID 2.0 at some point in the near future.

My next IAM post is about SCIM. It is here.