Cluster Shared Scramble

Hyper-V Clustered Shared Volumes are great…. except when the mount points get scrambled.   How does that happen you ask?   It happens like this. You have a problem on your storage network that prevents your Hyper-V servers from communicating with the Cluster Shared Volumes and they all go offline. You resolve the issue and the cluster shared volumes all come back online however some – or all – of your Virtual Machines won’t start because they can’t find their storage even with all Cluster Shared Volumes online!  If you dig deeper into the error you will find these error messages.
********************************
Cluster resource ‘Virtual Machine Configuration SERVER’ of type ‘Virtual Machine Configuration’ in clustered role ‘SERVER’ failed. The error code was ‘0x2’ (‘The system cannot find the file specified.’).
and
‘Virtual Machine Configuration SERVER’ failed to register the virtual machine with the virtual machine management service. The Virtual Machine Management Service failed to register the configuration for the virtual machine ‘7308EEBF-721E-4329-9B50-D9EFDCC12B52’ at ‘C:\ClusterStorage\Volume2\Virtual Machines\SERVER’: The system cannot find the file specified. (0x80070002). If the virtual machine is managed by a failover cluster, ensure that the file is located at a path that is accessible to other nodes of the cluster.

*******************************
If you’ve never had this problem, you won’t understand what a nightmare this is. If you’re currently having this problem then read on friend, I can help!
If you look at your Clustered Shared Volumes in Failover Cluster Manager
screenshot1

you will see that the Cluster Shared Volume that has your VM data on it is mounted to a different volume in this case “C:\ClusterStorage\Volume1” instead of “C:\ClusterStorage\Volume2” which is where your VM is looking for it. Windows Mounted it to a different folder!

Thankfully the problem is easy to resolve. You need to look at your error logs and see what Volume number the Virtual Machine is trying to access and rename the where folder where your VM data actually is to match. (In this case you would rename “Volume1” to “Volume2” as in the screenshot below.  If Volume2 already exists you can rename it to Volume2.old temporarily.

screenshot2

Once this is done you should be able to boot up your malfunctioning Virtual Machine no problem. You can repeat this process for any other volumes that were mapped to the wrong folder. You may need to temporarily rename some folders to .old if you run into duplicate names but once you sort out the folder names everything should work again!

What the FBI vs. Apple Debate is All About

As an I.T. consultant, I am asked often for my opinion on the battle between the FBI and Apple over gaining access to data on an iPhone that was used by one of the San Bernardino terrorists. I usually start my response with “Well, it’s complicated…” which is a typical dodge that we analytical people rely upon when there are no good options. We go into a loop known as “analysis paralysis.”

However, there are two sure things that I can tell you: This is NOT just about gaining access to a single phone as the FBI insists. And this is NOT about the inability/unwillingness to create a back-door as Apple has insisted. Rather, this whole blow-up is really a proxy for the larger battle that pits Security versus Privacy. This is a battle that has been brewing for decades during which time the FBI has acted like the Army of the Potomac—an overwhelming force that likes to avoid confrontation.

But now they have decided to go on the offensive in a big way—by confronting Apple, which is America’s most valuable corporation and one of its most admired. And the FBI has further decided that the field of battle will be in American public opinion.

It is not surprising then that this battle has engaged the public with the same ferocity and divisiveness that we see in the current presidential campaign. Internet polls, though probably not trustworthy, show just how deeply emotional this issue is. And the private polls demonstrate the division of opinion, with a Pew Research poll giving a slight edge to the FBI and a Reuters poll giving a slight edge to Apple.

But don’t look to me to solve this debate, nor to provide such great insight that you are able to solve it yourself.  I am actually far more interested in the covert agenda of both the FBI and Apple. Why would the FBI make this case so public and risk ridicule? Why would Apple disobey its own government and risk public disdain in the wake of a terrorist attack? There are some really interesting possibilities when you think about it.

Apple’s agenda is first and easiest to uncloak. They claim it is impossible to do what the government wants which is to provide a backdoor. And even if it did manage to create a backdoor, then the bad guys would eventually find it and exploit it. These are pretty lame excuses. Of course Apple could build a secure back door. What they really mean to say is they do not WANT to do it because if they do it for the US government, they will need to do it anywhere they do business—including a place like China which is one of Apple’s biggest marketplaces. Failure to comply with a request from the Chinese government could result in a ban on iPhone sales in that country which would cost Apple a fortune. And as far as protecting the backdoor—well, if Apple is too afraid to protect their backdoor, then I would be concerned about their ability to protect their front door (i.e., their Cloud service) as well.

The FBI’s agenda is far more interesting to speculate upon, especially in light of their decision to cancel a court hearing because a third party has offered to break into the iPhone for them. Who is this 3rd party? And wasn’t it convenient of this 3rd party to make this offer just before the hearing? No longer a battle of Security vs. Privacy, this has become a head game; and the timeout just before the hearing is like icing the field goal kicker right before a last second attempt to win the game. I’ve come up with five possibilities here that run the gamut from overwhelming victory to embarrassing retreat:

  1. The FBI, hoping for an overwhelming outcry from the American public which never really occurred, is trying to save face from what could be a very public beat-down by the judge in this case. In this scenario, we never really hear an ending to this story…it just disappears.
  2. The FBI ratchets up the pressure on Apple and makes them a little nervous—and more crucially, their customers nervous—that their iPhone is not as secure as they think. In this scenario, there really is no 3rd party able to crack the iPhone. Just a couple news cycles to make Tim Cook sweat.
  3. Thanks to the mysterious 3rd party, the FBI gains the upper-hand and no longer needs Apple or American public opinion. In this scenario, however, the FBI risks the ultimate humiliation—all this publicity, and what if they don’t find any useful information at all on the iPhone? This would be reminiscent of Geraldo Rivera breaking into a secret Al Capone hideout on live TV—only to find absolutely nothing. Career kill.
  4. The 3rd party actually does crack into the iPhone but forever remains anonymous. Why? Because the mysterious third party is…Apple! In this scenario, Apple complies with what the FBI wants. But because Apple’s identity remains a secret, they will not be compelled by other nations such as China to crack into more iPhones.
  5. The fifth scenario is a doozy. Think for a minute…why would the FBI risk losing in the court of public opinion, or losing in the court of judicial opinion, or losing everything if it finds no useful data on the iPhone? It seems like the FBI has a lot to lose and maybe nothing to gain. But what if in actuality it was the reverse—the FBI had everything to gain and nothing to lose? How could that be? In this scenario, the FBI long ago already cracked the iPhone and gained valuable information off of it. Holding all of the cards, they then decided to go after a much bigger prize—specifically Encryption and symbolically Apple. Still smarting from the Clipper Chip fiasco from the 90’s, the FBI pretends to be desperate to crack the iPhone: they prey on Apple’s patriotism to do the right thing; they whip up anti-encryption sentiment in American public opinion; and all along they already have what they need. It is a no-lose situation for the FBI. When they eventually demonstrate that they have lifted critical information off of the iPhone thanks to a “3rd party”, they will look like heroes to the American public, Apple will be sharply rebuked, and encryption will remain an underachiever.

I am sorry. You read this to the end hoping to get my opinion on whether Apple should have complied with the FBI’s request.  But this is not just a simple court case of right versus wrong. Rather, it is a heart-and-soul battle over the internet, and all that it stands for. And like all heart-and-soul battles, such as Labor vs. Capital, Liberal vs. Conservative, it is probably best that both sides remain strong so that a sustained stand-off guarantees no tyrannical winner and no indispensable loser. We need both Security and Privacy, I don’t know how anyone can choose one over the other.

 

3/31/2016 UPDATE: The FBI just announced that they have successfully accessed the iPhone with the help of a third party. It will be interesting to see if the FBI discloses what they find on the phone. We will also be watching for Apple’s response and whether the FBI will share with Apple how it was able to access the iPhone.

 

Will an Amazon Dash Button be in Your Stocking this Holiday?

The tagline for the Amazon Dash is “Never run out of your favorite things.” Basically, an Amazon Dash© is a small key fob with the name of a branded product and a button. Whenever you’re running low on the product named on the Dash Button, just click the button to place a reorder from Amazon. You can read more at http://amzn.to/1QE8Y1O

When the Amazon Dash was first announced in April of this year, many people thought it was an April Fool’s prank. When people realized the Amazon Dash WAS a serious product, there wasn’t a lot of optimism. But the tide is slowly turning.

It would make perfect sense to see the makers of office supplies and medical supplies jump on this technology. Pricing becomes secondary to convenience when the corporation or your health insurer is footing the bill. And while there ARE Dash buttons for various cleaning supplies and Depend© garments, the primary target of the Amazon Dash are young 20-somethings.

If you love technology and you’ve got a thing for Ice Breaker© candies, you might think it’s fun to have a button to automatically order more of your favorite treats. And later when you get a pet, you might find it convenient to reorder Fido’s favorite chow with a Dash Button. A few years later when you’re married and there are crying babies in the house, you’ll NEED that button for diapers and laundry detergent. At that point, they’ve got you hooked.

If Amazon succeeds in developing a market for this product, they will reintroduce the concept of brand loyalty. You’ve got a LOT of product makers who would love to see that happen, so the Amazon Dash Button is slowly gaining momentum. This is definitely something to watch over the next couple of years.

Note: We should also note that the Amazon Echo©, which was part of the ‘Cool Tools’ demonstration at our PAR3 Fall User Conference, can also be used to request re-orders of items in your purchase history with a simple verbal command.

 

Defeating Cryptolocker

Last year was a busy one on the IT security front. Between Heartbleed, Shellshock, Poodle, botnets, and keyloggers, I’m sure that everyone in the IT field has been kept on their toes. Keeping malware off your network has always been a big challenge yet the most difficult one from which to recover has been Cryptolocker and if you were hit with it, you’re already well aware of that fact . You may remember me talking about it here previously. When I originally wrote that article the only way to recover the the encrypted files was to have a secure backup to restore from. For anyone that was infected and didn’t have a good backup of all their files, there is good news this year!

The US Department of Justice, in coordination with law enforcement around the world, were able to organize a massive takedown of the Gameover Zeus botnet and obtain the private encryption keys the attackers used to encrypt files. What’s more, the good people over at FireEye and Fox-IT have released a website to send you the decryption key after analyzing an infected file. They have also provided a free tool to help you decrypt your files.

After downloading and using the file I realized it doesn’t come with much in the way of documentation so I’m here to help. First let’s document the different switches and what they do.

-h, –help show this help message and exit
–key RAWKEY Rawkey needed for decryption
–find Show files encrypted by Cryptolocker
-r Recursively search subdirectories
-v Verbose output
-o DESTDIR Copy all decrypted files to an output directory,
mirroring the source path
–csv CSVFILE Output to a CSV file

To decrypt your files, first you need to go to https://www.decryptcryptolocker.com/ and submit an infected file.
Once you submit the file along with your e-mail address you simply wait for them to e-mail you the decryption key.
Next, download their decryptolocker.exe recovery program from the same page.
When the download is complete I would suggest copying and pasting decryptolocker.exe into a temporary directory like c:\temp so that it will be easier to run from the command line.

To test decryption on your first file:

  • Open a command prompt
  • Navigate to the folder that you have the decryptolocker.exe file in
  • Run the following command
  • Decryptolocker.exe –key “” “”

Example: C:\temp\Decryptolocker.exe –key “—–BEGIN RSA PRIVATE KEY—– MI…m0Q== —–END RSA PRIVATE KEY—– ” “C:\Documents\Mydoc.docx”

This command will make a backup copy of the infected file and hopefully decrypt the file so that you can open it. If it works you can rerun the command for any other files that may be infected.

The tool also has a way to scan a folder or drive and return a list of potentially encrypted files. One note is that the scan doesn’t work well on a network drive so you should run it on the server where the files are actually stored. That command looks like this:

Decryptolocker.exe –find -r “C:\Documents” –csv “C:\Documents\encryptedfiles.csv”

The -r switch is recursive and tells it to scan all subfolders of the root directory you specify and the –csv switch will make you a nice list of all the encrypted files it finds. Once you have a list of potentially encrypted files you can create a batch file or script to automate the process. If you are not able to decrypt some of the files with the key you received they may have been encrypted with a different key. In this case you need to submit the file(s) that didn’t work with the first key to the website above and get a new key(s).

If you have thousands of files that have been encrypted with multiple keys, getting them all back can be a daunting task. Happily Par3.IT has extensive scripting experience and we have been able to automate much of the process. Contact us using the form below for more information, or call us to see how we can help.

Your Name (required)

Your Email (required)

Your Message

Please leave this field empty.

“Shellshock” Bash Bug Security Recommendations

By now you may have heard about the latest internet security threat known as “Bash Bug” or “Shellshock.” This threat, if exploited, can allow an attacker to control and send commands to a vulnerable device. We have been tracking this threat since it became public last Wednesday night and continue to review information as vendors provide assessments and patches for their products.

This threat has received the highest rating for both impact and ease of exploitability according to the National Institute of Standards and Technology:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

This threat is due to a bug in a very common component found on Apple and Linux devices. The scope is enormous because Linux is found not only in typical computer gear such as servers, routers, and firewalls–but also in appliances such as wireless access points, cameras, alarms, phone systems, HVAC, etc. Public Web sites may be particularly vulnerable to this threat.

Because there are so many potentially vulnerable devices detection and remediation can be difficult.   Here are some recommendations to assist in identifying vulnerabilities on your network.

RECOMMENDATIONS

  1.        Make a list of all your public-facing equipment (typically routers, firewalls, servers) and contact the vendor to determine if their equipment is vulnerable and if there is a patch available.
  2.        Make a list of 3rd party vendors that provide public-facing web services on your behalf such as your web hosting service, email services, etc. and contact those service providers to make sure affected system have been patched.
  3.        Check your internal network for appliances that may have a web, telnet, or SSH based user interface. Contact the vendor to determine if their equipment is vulnerable and if there is a patch available.

The process of identifying vulnerable devices, especially on your internal network, may be difficult. Par3.IT can perform due diligence on your external and internal network for you. The costs are as follows:

  1.     2 hours of labor to identify POSSIBLE vulnerable systems on your internal and external network including your public web site.
  2.     Optionally, and at an additional cost, we can contact the vendor of the POSSIBLE vulnerable systems to determine if the product is actually vulnerable, and if so then perform remediation.

Please call for further information or fill out the form below to schedule a scan of your network

Your Name (required)

Your Email (required)

Your Message

Please leave this field empty.

Disaster Recovery For Your Business Made Simple Using Hyper-V

I’ve written a few articles about security, but I want to write about something equally important – mitigating downtime.  Most people know that you need to have a good back-up strategy in place so you don’t have data loss in the event of a hard drive crash or a fire but often the downtime involved is overlooked.  When your employees can’t work and customers can’t do business with you, how much does it cost for every hour you’re down?  What if the outage lasts for a day or more?  There’s a financial cost but your reputation can also be at risk.

A recent Symantec SMB Disaster Preparedness Survey 2011 found some interesting numbers related to this.  Surveying 1288 small businesses with 5-1000 employees worldwide, they found the average number of outages per year to be 6 and the average cost per day of these outages to be $12,500.  That adds up $75,000 per year in lost revenue and productivity.

We are so dependent on technology in all businesses these days that it’s nearly impossible to do anything when your computer system is down.  Having multiple offices or locations won’t help when all of your technology assets usually reside in one location.  Even in a rather simple scenario such as hardware failure and with an up-to-date backup, the hardware needs to be repaired/replaced and the backup restored before you’re back up and running.

In the past, attempting to maintain maximum uptime has been expensive and required multiple servers of the same type, SAN infrastructure, dedicated network switches and usually some expensive software to facilitate the replication.  With the release of Microsoft Hyper-V Server 2012 that is no longer required.   You can still use clustered Hyper-V servers with SAN infrastructure for a fully redundant, high-performance environment, but if all you need is to have a handful of servers replicated to another site in case of a disaster, you can accomplish it all much easier and at a fraction of the cost.   On Microsoft’s newest release Hyper-V Server 2012 R2 you can even replicate your servers to multiple different locations.

The first step is to virtualize all your current servers on Hyper-V 2012 R2.

If you already have your servers virtualized using Vmware or Citrix Xenserver you will need to convert them to Hyper-V 2012 R2. To accomplish this you will need to purchase a new server to install Hyper-V on and then migrate your virtual machines over to it.  Happily, you should be able to reuse your existing server as your offsite server, it will just need to be formatted and then installed with Hyper-V 2012 R2 once your VMs are running on the new one.  If you are running an older version of Hyper-V you can just upgrade but I would recommend the same migration steps as above for safety reasons and you’ll also need another server for your replicas anyway.

If your servers aren’t currently virtualized, I highly recommended it for reasons I will discuss in the next article.  If your servers are each running on their own physical hardware you will need to buy a new server capable of running them all, install Hyper-V server 2012 R2 and then migrate them to virtual machines.  You may be able to reuse one of your existing servers at the offsite location if it supports virtualization, and is powerful enough to run all your virtual machines.

When you have all your servers running as virtual machines on Microsoft Hyper-V 2012 R2 the next steps are simple.  You simply need to install Microsoft Hyper-V 2012 R2 on a second server (hopefully you have available hardware from previous migration steps, if not you will have to purchase a 2nd server).

EnableReplicationOnce you have Hyper-V 2012 R2 installed and configured on a secondary server you can simply right-click a server on your primary Hyper-V instance and select “Enable Replication” from the drop down menu (shown right).  This will run a wizard that will ask for the server you want to replicate to and have you choose some replication options.  Once complete the server starts its initial replication.  You can then open your secondary Hyper-V server in the management console and see the VM shows up there as well.  It will be ready to start up when necessary as soon as the initial replication finishes.  If you want to replicate the servers to a 3rd location, (if you want an onsite and offsite standby) all you have to do is right-click on the primary server again and choose “Extend Replication” and choose the 3rd server.

As you can see this is a very simple and inexpensive method of cutting potential downtime out of your business.   No expensive software (Hyper-V 2012 R2 is free!) and the only hardware required is two servers.  Additionally you have some snapshot capability on the Failover server in the case of software corruption or virus outbreak.   It is not a replacement for a good backup strategy but it does offer some limited but quicker recovery than having to do a full restore.
RecoveryPoints
Virtualization can really benefit your business in many ways.   For a free, no obligation, virtualization analysis to see how new virtual technologies can benefit you, fill out the form below

Your Name (required)

Your Email (required)

Your Message

Please leave this field empty.

Covering the hole in your firewall’s security – SSL

In the last few months we’ve talked quite a bit about malware threats, and how viruses like Cryptolocker and Sirefef have crippled unprepared companies in the past year. PAR3 recommends a layered defense strategy of Antivirus, Firewall, Patching, Web Filtering, and User Training to combat these threats.

A key component of a layered defense is your firewall. The firewall is the gateway to and from your network.  It can (and should!) provide services such as Antivirus, Web Filtering, Intrusion Prevention, Application Control, and Data Leak Prevention. The weak spot we’re discussing today is the major hole in scanning traffic at the firewall — SSL connections.

In the past, SSL connections weren’t a big threat because for the most part, the only encrypted traffic on the internet was financial transactions and other e-commerce. But over time, more and more websites have become completely encrypted. Facebook and Twitter have used SSL connections for years and last year Google also switched complete encryption for all web searches. Before very long most websites will use SSL for better user privacy. 

If someone shares a virus or infects an SSL-encrypted website, your users will be able to download it without the firewall ever knowing it’s there.

“SSL” stands for secure socket layer. It’s a level of encryption designed to keep information private between the sender and its destination, and insure no one in between can read it. As part of this encryption process, each website is issued a unique SSL certificate. When an end user opens information sent from a website, the encryption routine should match the unique SSL certificate assigned to that website, or else a “certificate error” like this one will appear.
CertError
This the primary purpose of using SSL, and the reason certificate errors should not be ignored.  What your browser is trying to tell you is there is potentially someone eavesdropping on your transaction, which could be very bad if it’s financial information.

However a firewall protects you by ‘scanning’ the data, checking for viruses or bandwidth issues, before passing it along to the end user. When data comes from an SSL connection, most firewalls can impersonate the end user and decrypt the data. However, the problem arises when the firewall then needs to re-encrypt the data before sending it to the end user.  The firewall is forced to re-encrypt using their own SSL certificate, since they don’t have access to the website original – which means the end user will get a certificate error, warning that the encryption routine has been tampered with. 

How can we protect our network while still letting the users know that their traffic is private and secure on the internet?  This is the tough question we find ourselves facing today.  

There is a way to set up your security appliance to unobtrusively scan SSL connections. We can accomplish this by getting your users to trust your firewall as a valid certification authority. In this example I will be using a Fortigate security appliance.  

1) First, enable the SSL Inspection on the Fortigate Firewall Policy
SSL Inspection
2) Next, go to a computer behind the firewall, open Internet Explorer, and navigate to any https page (in this example we’ll use https://www.google.com). 

– You will be greeted with a certificate error. Choose to continue anyway.
– Once the page loads, you can click on the error and choose View Certificates and go to the Certification Path.
– As you can see, this is a valid certificate for www.google.com, however it has been issued by Fortigate CA instead of a real certificate authority.

 Certification Path
3) Click on the Foritgate CA Certificate (or whatever your root certificate happens to be).

– Choose View Certificate.
 – Click on the Details Tab, and choose “Copy to File”  
 – If you don’t see the Copy to File button then you need to add the site you are using to your Trusted Sites, refresh the page and try again.
– After you click the “Copy to File” button you will get a short wizard. You can stick with the default DER format to export the certificate, but you must choose a place to put it.
Now you have a copy of your firewall’s root certificate.

 CopyToFile
4) Next you need to take this certificate, and deploy it to all your users.  The easiest way to do this is through Group Policy.  

– Go to your server and open your Group Policy Management tool.
– Create a new Policy and link it to the root of your domain.
– Open the new group policy and navigate to the following location: Policies\Windows Settings\Security Settings\Public Key Policies.
– Right-click on “Trusted Root Certification Authorities” and choose import.
– Select the certificate you exported earlier, and save and close.

 Group Policy

One small caveat is that this will only work for Internet Explorer and Chrome. Firefox uses its own Trusted Certificate store that you will have to import the certificate to.    We have found a few ways of centrally deploying certificates to firefox but they are complex and require custom scripting based on your environment.    Contact us for further info.

Your Name (required)

Your Email (required)

Your Message

Please leave this field empty.

Cryptolocker: 2013 Menace of the Year

CryptoLocker-thmbI ended the year talking about the Sirefef Trojan/botnet that I has caused many problems including e-mail blacklisting at a few of our clients last year. To start off the new year I thought it would be fitting to talk about one of the most costly viruses of 2013, that is still a major threat today: Cryptolocker.

Cryptolocker is a more complex version of ‘ransomware’, which locks the PC and demands a ranson. Typical ransomware is usually not very troublesome for Small Businesses who store critical files on a server.  In these cases the infected PC can be wiped and reinstalled from scratch with minimal data loss.

However Cryptolocker encrypts important files on the infected PC AND all attached network drives. The user then sees the screen pictured at left, demanding money for the decryption key. This is a huge threat to anyone who doesn’t have a Cloud-based or offsite backup strategy.

The Cryptolocker virus encrypts all files on the infected PC along with any network files to which the infected computer has access. Once encrypted it is impossible to regain access to these files without paying the ransom for the decryption key. Paying money to hijackers and thieves is never a good idea, so in most cases it’s best to restore your files from the last backup once you isolate the infected computer. The only downside to this method is that it relies entirely on the robustness of your backup and recovery strategy. If your backups are stored locally or on the network, there is a good chance they will also be encrypted by the virus.

The Cryptolocker virus is typically spread via an infected e-mail attachment that the user opens. It then copies itself into the user’s application data folder, and executes. One way to protect yourself from e-mail attachment viruses like this is to use the Software Restrictions feature of Group policy to block .exe files from executing from the Application Data folder and all Temp folders.

Tools like Malwarebytes will detect and remove the Cryptolocker virus, but cannot restore the encrypted files. In fact this virus is one of the biggest reasons that Small Businesses today should make use of Cloud Services.

To illustrate how dangerous this virus can be: one business in Australia was shut down for five days with staff sent home on leave. Every network share’s business data was encrypted (over 64,000 files) after a staff member clicked on an attachment despite telltale suspicious signs. Neither their firewall failed nor their antivirus software detected the virus — which is not unheard of, due to savvy virus writers who constantly update their malware to bypass the latest detection software. (In my previous article I stated a number of  methods to protect yourself from most of the dangerous viruses that exist today.)

Those are all good methods to protect yourself from Cryptolocker, but because this virus is so devastating there are a few additional steps you can take to protect your network.    The infection is typically spread via an infected e-mail attachment that the user opens, it then typically copies itself into the users application data  folder and executes.   One of the best ways to protect yourself from this and many other e-mail attachment viruses is to use the Software Restrictions feature of Group policy to block .exe files from executing from the Application Data folder and all Temp folders.

The Australian business’ server had made room for the latest revised data by deleting all the old backups. “The receptionist could not wait for the backup to complete on the last known backup date, and pulled out the USB drive early.” This forced the IT fixers to restore from an older backup, losing many proposals and quotes. The system was recovered “but at great expense and emotional cost”.

In the event that you have taken all precautions and your network gets infected anyway, it is important to ensure you have a reliable backup process that not only runs often (hourly is best) but also synchronizes its data with an offsite or cloud location and keeps a revision history. If you have good a good backup strategy in place, recovering from a Cryptolocker infection is quick and easy.

Recap of steps to ensure Cryptolocker doesn’t cripple you:

1.)  Use a multi-tier network security structure as discussed here.
2.) Put Group policies in place to keep downloaded attachments from executing.
2.) Have a good Cloud-based or offsite backup strategy to restore from.
3.) Make sure whatever backup system you have in place is regularly monitored.
4.) Have your backups regularly tested to make sure you can restore form them in case of an emergency.

Please fill out the following form to contact us for further help on how to protect yourself with Group Policy, or recover from this latest malware threat.

Your Name (required)

Your Email (required)

Your Message

Please leave this field empty.

Protecting yourself from Zero Access Botnet/Sirefef

The Danger:

One of the biggest threats that I have encountered this year is the Zero Access Botnet also know as Sirefef and max++.    The reason this has been so dangerous is that it can bypass most antivirus systems, and installs itself as a rootkit which makes detection and removal extremely difficult.    The normal use of this rootkit is to generate clicks from your machines and steal ad revenue from advertisers, but it can also cripple your machine and can be used to silently deploy other malware which can steal your passwords and financial information.

UACEven if you have an up to date antivirus and are very careful with what UAC(User Account Control see left for example) prompts you allow to run you can still be infected.  Make sure not to click yes to any of these boxes unless you are sure what they are. This is because the virus uses many stealth and disguise techniques to get around most security measures.   The virus typically uses a polymorphic packer that is tested against most antivirus programs daily and changed when definitions are updated to detect it.   The main path of infection is through iframe exploits.  Malware authors can create a small (1x1px) iFrame, which contains scripts necessary to exploit a target machine and force it to install the malware.    These exploits target out of date plugins like Adobe Reader, Adobe Flash, and Java that allow this malicious code to run without your consent.   If you have an old Windows XP machine or are using Windows 7 with UAC disabled this malware can be automatically installed without your knowledge just by visiting a compromised website.    If you have Windows 7 or newer with UAC enabled then the installer will usually need the user to click “allow” on a UAC prompt to allow the installation.  It can do so by making you think the UAC prompt is being generated by a legitimate application such as Adobe Flash Player, Google Chrome and Java Updater.   A more in-depth explanation of its installation techniques can be found here.

Removal:

In the case of rootkits, the best way to make sure you are completely free of them once you know you are infected is to reinstall the operating system.  This is the only way to be absolutely sure   However in most cases this is simply not feasible.   One of the best ways I’ve found to remove the Zero Access rootkit is using Eset’s removal tool .    While this tool is effective in removing the virus, it is unable to repair damage to windows system files and process so after cleaning the system you will need to run SFC /scannow to repair windows files, or if that fails a Windows system repair/reinstall may still be required.

Protecting Yourself:

As scary as this latest virus is there are things you can do personally and at your business that can keep you safe from this and other Malware.  I’ve outlined the top 6 things I recommend below.

1) Antivirus.  Make sure you have up-to-date antivirus software on at least your machine.  In a business environment I usually like to implement the multi-tier approach of having both antivirus software on all machines along with a firewall capable of detecting and blocking viruses.  While this alone will not completely protect you, when used in conjunction with the other recommendations below it can ensure you aren’t infected.

2) Patching. The primary method for infection is through security vulnerabilities in Windows, Microsoft Office, Adobe Flash, Adobe Reader, Java, Internet Explorer, Firefox, Chrome, and others.   First you need to make sure you are not running old operating systems like Windows XP and Vista as these provide a very low-level of protection against attack.  It’s nearly impossible to stop this virus from installing on these older operating systems if you visit a compromised website.    If you are running Windows 7 or newer you should use Windows update to apply all security patches.   Just patching Windows however, is not enough.   Any 3rd party programs, especially the ones mentioned at the beginning of this paragraph also need to have the latest version installed to ensure they aren’t used to deploy the malware to your system.  Keeping these 3rd party applications up to date is one of the biggest challenges in a corporate environment is a huge challenge and usually requires either expensive software or an experienced network management firm.

3) Firewall.  I mentioned having a firewall that can detect and block viruses as a good idea, but for the best protection you should your firewall should also provide application inspection and control.  These features can detect and block botnet activity so that even if you manage to get infected they can keep the virus from contacting the internet and updating itself, sending out your personal information, and downloading any other malware.  You can also setup alerts to tell you if any botnet traffic is detected by the firewall.  The only downside here is you need the right hardware, and configuration and monitoring of these devices requires advanced IT knowledge.  Many IT firms can provide firewall management services.  Examples of Firewalls that have this kind of functionality include Fortinet and Sonicwall

4) Application Whitelisting.  This is one of the newest and most advanced methods of keeping a computer safe.  Examples of some of the better programs are Faronics Anti-Executable and Bit9.  These programs work by using a central server that controls a list of allowed applications on all endpoints.  This is one of the best ways to protect endpoints from malware as it doesn’t rely on definitions that need updating, it simply stops anything that isn’t an approved application from running.   Even if the malware masquerades as a legitimate program this software can detect and block it by using digital signatures and file hashes to recognize when a legitimate application is modified.    The downsides to Application whitelisting is that it can be very expensive to implement and difficult to manage.  Also, it is not a complete solution in and of itself because if you have vulnerable applications on your computer it can be bypassed.

5) Web Filtering.  As we’ve seen the most common delivery method is though malicious iFrames on websites.  One of the best ways to protect against these kinds of attacks is to implement web filtering at your organization.  If you limit the websites your users have access to then you decrease the chances of them being able to access the sites that typically are used as delivery methods for this virus.  This can be difficult to manage because you will will have to whitelist many sites that your employees legitimately require access to and it is possible that one of the allowed websites can get compromised.  While this is not a solution by itself, implementing Web Filtering is another great layer of protection for your network.  Many firewalls and and antivirus solutions provide this capability

6) User Training.  In conjunction with the security software and methods listed above it is important to train yourself and your employees about the ways these viruses spread and what not to do.   Most infections are spread via social engineering such as drive by attacks using a compromised website or being bundled with seemingly harmless applications.   In addition to using the methods above in your organization you should train your users on what to look for.  They should be instructed not to click on anything if they aren’t sure what it is, don’t allow UAC prompts, and many other techniques that can keep them safe.   Many consulting firmscan provide social engineering testing and remediation services.

Summary:

As you can see today’s computer environment is becoming more and more dangerous and protecting yourself from the advanced malware requires using multiple techniques to make sure there are no holes that crafty Trojans can exploit.  This can be very difficult for a smaller IT department to address.   Use the form below for more information on how we can help keep your network and business safe.

Your Name (required)

Your Email (required)

Your Message

Please leave this field empty.

Cyber Monday and Online Shopping Season: What You Need to Know to Protect Yourself

Happy Thursday! With the holiday shopping season upon us I wanted to share a newsletter that found its way into my inbox last week discussing ways to stay safe online:

http://msisac.cisecurity.org/newsletters/2013-11.cfm

This article also serves as a great reminder that a comprehensive security strategy should include training / awareness at the end user level.

We at Par3/IT are happy to be your partner in meeting your security goals. Please submit the form below if you would like more information about our security offerings.

Your Name (required)

Your Email (required)

Your Message

Please leave this field empty.