Monday, April 6, 2009

Conficker - What you should really know
Last week was fun in the IT (information technology) world. Not because of any real damage by Conficker - but because of the absolute media over-hype of something they don't have a clue about. I had a couple of customers call me - and the conversations were short: "Rex, do we need to worry?" - "No Bob you don't." - "Ok - thanks Rex."
None of my normal customers were affected by Conficker - and I have over 500 clients. Why? Mainly because they follow my Simple Rules for Computing. That means you do the following:
  1. You have a good backup of your data files (my docs, etc)
  2. Behind a NAT router
  3. Use OpenDNS on your network
  4. Follow common sense and don't open every email attachment sent to you
  5. Don't install software that you don't absolutely trust
  6. Keep your computer patched (see links below)
  7. Lastly - run anti-virus such as AVG
Notice I put anti-virus last on the list? That's because anti-virus programs don't stop the majority of complex viruses, trojans, and worms these days. Your anti-virus today is much like an alarm system - it warns you once something is already on your system. Think about it this way - if the anti-virus programs really were that good, we wouldn't need to worry about anything, right?

Here are the bullet points about Conficker:
  • If you are running Auto-Updates on your computer - you were patched in October 2007 and have nothing to worry about.
  • If you are behind a NAT router (Linksys, DLink, Netgear, etc), then you can only get the worm through attachment, malicious website, or possibly a USB drive.
  • Conficker has infected quite a few machines in the US.
  • It is a very complex worm and is designed to change itself frequently.
  • If you are infected, Microsoft has a removal tool - but I recommend the usual backup, wipe your machine, reinstall Windows so that you can trust your machine again.
--------------------
What was the deal about April 1st?
--------------------

There was code in the worm that indicated it would do something on April 1st. Nobody knows for sure yet, but many guess that it would download another set of instructions. That's it.

If you weren't already infected, you had nothing to worry about. Period.


------------------
Helpful Links
------------------

Vista Updates
http://www.microsoft.com/windows/downloads/windowsupdate/learn/windowsvista.mspx

XP Updates
http://www.microsoft.com/windows/downloads/windowsupdate/learn/windowsxp.mspx


Saturday, December 27, 2008

Classroom Computers
=============
From Email to a client
=============

I've finally compiled my list of suggestions for helping to secure them and streamline the process of setup. This will help ensure consistency of the laptops, which will provide a much better classroom experience. Hopefully, the computers will be running XP, but these recommendations will work for Vista as well.

Implementing all of this will take quite a bit of time to get set up. However, the long-term benefits greatly outweigh the short-term expense.

*Assumes all computers run the same (or very similar) hardware.

==============
Initial Preparation - before any use by a student or faculty
==============

Cost: FREE (except time & software licenses)

  • All computers must have any "junk" software removed.
  • Default applications must be installed - Firefox, MS Office, PDF Creator, OpenOffice.org, AVG, Adobe Reader, Picasa, Google Earth, Virtualbox, Thunderbird, etc.
  • All class-specific applications must be installed - typing software, etc.
  • TCP/IP set to OpenDNS.
===============
Imaging of Computers
===============

Cost: FREE or $100/computer

Imaging of the computers is very critical. This ensures that you have a full and complete bit-by-bit backup of your systems. In a worst-case scenario, it can save tons of time. Also, after the class is over, the computer can be returned to a "ready to go" state for the student.

The basic step is that you set up one computer just how you want it (known as the master), with all the needed software and drivers installed. Once you have this master set up, you can image all the other computers (known as slaves) from the master.

The advantage is time. Rather than having to go to each computer and set them all up individually, you create them all at once by using a master/slave setup on your network. The master computer runs the server version of the imaging software and distributes its image to all the slaves on the network.

Free - There are free open source solutions out there that work really well although they aren't as intuitive as the proprietary options.

http://www.clonezilla.org  - best open source for networked imaging

http://ping.windowsdream.com - best for single machine imaging

$100 / computer - these are programs that I've used extensively in the past and that work well.

Acronis True Image Echo Workstation
http://www.acronis.com/enterprise/products/ATICW/

Norton Ghost
http://www.symantec.com/norton/ghost

===========
MS Steady State
===========

Cost: FREE (except setup time)

Note: Runs on 32-bit XP, Vista only

Microsoft has released a product called Steady State. Once installed, it uses imaging technology to return a computer to an exact state every time the computer is restarted. This means that after setting up a computer initially, the computer will be returned to that state after every reboot.

This software can be incredibly useful to make sure that a computer is always in a clean workable state for the classroom. Unlike relying totally on imaging (which requires the master/slave process each time), Steady State returns the computer to a proper state after reboot - automatically. The computer can much more easily be locked down for internet access, etc.

Windows SteadyState in the Classroom
http://www.microsoft.com/windows/products/winfamily/sharedaccess/seeit/classroom.mspx

Windows SteadyState Disk and System Protection
http://www.microsoft.com/windows/products/winfamily/sharedaccess/whatis/diskandsystemprotection.mspx

FAQs
http://download.microsoft.com/download/f/c/6/fc6955de-0765-46fc-b2a9-47b4d4bcd160/SteadyState_2.5_Technical%20FAQ_updated.pdf

==============
Network Access and Protection
==============

Cost: Service - FREE (except setup time), Router - $60

All computers should be using OpenDNS for security and robustness. This is easily set up in the TCP/IP settings; however, ideally the classroom computers should be running on a separate subnet from the main building network. They need to be behind their own router that we can control.

We should immediately purchase a WRT54GL, flash it with DD-WRT firmware, and install it on the building network. Then we set up the student laptops to connect to it only.

WRT54GL
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124190

DD-WRT Firmware
http://www.dd-wrt.com/wiki/index.php/What_is_DD-WRT%3F

OpenDNS
http://www.opendns.com/smb/solutions

==================
Educating Users
==================

One of the most important steps in this process is educating the users/students on basic safety and security. Fortunately, I have a couple of blog posts that help address this. During the class itself we also spend quite a bit of time discussing simple security issues.

Layered Security Basics
http://www.smartergeek.com/blog/2008/03/layered-security-basics.asp

Simple Rules for Your Computing
http://www.smartergeek.com/blog/2008/01/simple-rules-for-your-computing.asp

Why did I get infected in the first place?
http://www.smartergeek.com/blog/2008/07/why-did-i-get-infected-in-first-place.asp

Myspace and Antivirus 2009
http://www.smartergeek.com/blog/2008/12/myspace-and-antivirus-2009.asp


Friday, December 19, 2008

Serious IE Vulnerability
I know - I know. Typically I don't post about Internet Explorer exploits. However, this one is pretty serious.

I do have a few customers that must use IE for sites such as the Caddo Parish and Bossier Parish websites. Both of them stupidly use ActiveX controls. Not that either of these sites is malicious, but they tacitly encourage people to use Internet Explorer, which puts users at greater risk.

How do you avoid the IE risks and vulnerabilities? Simple - USE FIREFOX.

www.mozilla.org

--------
The Vulnerability
--------

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/961051.mspx

Limited Exploitation of Microsoft Security Advisory 961051
http://blogs.technet.com/mmpc/archive/2008/12/11/limited-exploitation-of-microsoft-security-advisory-961051.aspx

According to the investigation thus far, the vulnerability affects Windows Internet Explorer on supported editions of Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

Our telemetry indicates that this issue is impacting home and corporate users.

This issue could impact you even if you avoid surfing questionable sites. Over the past few months, we've seen a surge in SQL injection attacks which enable miscreants to inject content onto trusted sites...


Formatting or Wiping - Erasing - Drives
----------------------
From Email:

going to be donating a couple of old computers to Goodwill. What is the best way
to wipe the hard drives? Is reformatting safe enough?
----------------------

Simply deleting files in Windows (and most OSes) doesn't actually delete the data. It is fairly trivial to recover it. The only way to ensure security is to "wipe" or "nuke" the data and drive.

Here is a link to Darik's Boot and Nuke (aka DBaN):

http://www.dban.org/download

You can download a floppy image or CD image depending on whether the machines have a floppy drive.

Another option to use is Eraser which runs under Windows. This would be useful if the hard drives are extras or USB type that can be plugged into a Windows computer. Eraser is also useful on any computer - after sending something to the Recycle Bin - you can choose to "erase" the recycle bin rather than just emptying it.

http://www.heidi.ie/node/6

*It has a "create nuke disk" option - but creates a floppy not a CD - for erasing an entire drive.

*With any of these programs, you can typically choose one of several erase methods such as "1 pass" or "35 pass". Typically a 1 or 3 pass is plenty unless there is top-secret data you are worried about. The more passes - the longer it takes.
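To show what a "pass" actually does, here is a small overwrite-then-delete routine for a single file, in the spirit of Eraser's multi-pass erase. This is an added example written for this post, not DBAN's or Eraser's code, and the pass pattern (zeros, ones, then random) is an assumption chosen here rather than either tool's scheme. It also spells out why overwriting a file in place is not the same as nuking the drive before you donate it.

```python
"""Single-file overwrite-then-delete wipe in the spirit of Eraser's
multi-pass erase.  Added example for this post, not DBAN's or Eraser's
code; the pass pattern is an assumption chosen here, not either tool's
scheme.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite 1 MiB at a time so large files stay cheap in memory


def wipe_file(path, passes=3, remove=True):
    """Overwrite every byte of `path` `passes` times, then unlink it.

    Odd passes write 0x00, even passes write 0xFF, and the final pass always
    writes random bytes so no fixed pattern is left behind.  Each pass is
    fsync'ed so it reaches the device before the next one starts.  Returns
    the file size in bytes, i.e. the amount overwritten per pass.

    Limitation: this only reaches the blocks the file occupies right now.
    Journaling or copy-on-write filesystems, stale copies in free space and
    SSD wear levelling can all keep older versions, which is why a whole-drive
    wipe from boot media (DBAN) is the right tool before donating a machine.
    """
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(1, passes + 1):
            if n == passes:
                fill = None  # final pass: random bytes
            elif n % 2 == 1:
                fill = b"\x00"
            else:
                fill = b"\xff"
            fh.seek(0)
            remaining = size
            while remaining:
                block = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(block) if fill is None else fill * block)
                remaining -= block
            fh.flush()
            os.fsync(fh.fileno())
    if remove:
        os.remove(path)
    return size


def demo(passes=3):
    """Write a throwaway file containing a recognizable (constructed) marker,
    wipe it in place, and report (bytes overwritten, marker still readable
    after the passes, file still present after the delete)."""
    marker = b"CONSTRUCTED-SAMPLE-SECRET-TAX-RETURN-2008"  # constructed sample data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 1000)
    size = wipe_file(path, passes=passes, remove=False)
    with open(path, "rb") as fh:
        still_readable = marker in fh.read()
    wipe_file(path, passes=1)  # now let it delete the file as well
    return size, still_readable, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Run it and the marker text is gone after the passes and the file is gone after the delete; raise `passes` and the only thing that changes is how long it takes, which is the trade-off the note above describes.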


Thursday, December 11, 2008

CheckFree DNS Hijack
---------------------
From Customer Email to Me
---------------------
from:    xoxoxox@aol.com
to:        rex
date:    Thu, Dec 11, 2008 at 11:20 AM
subject:    Fwd: Urgent: Bill Pay Service Information
mailed-by:    aol.com

Here is a copy of the email I was sent today.  Let me know if there is something I need to do relative to his and my computer


From: MyCheckFree Customer Service
To: xoxoxoxoxo
Sent: Thu, 11 Dec 2008 12:00 am
Subject: Urgent: Bill Pay Service Information

You are receiving this message because you are a subscriber to online bill payment services through CheckFree or through a provider who contracts with CheckFree for these services. This message is sent on behalf of CheckFree by Silverpop Systems.

December 11, 2008

Dear XOXOXOXO,


We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may have been exposed to software that puts the security of your computer's contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.
The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

    * You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
    * You were using a computer with the Windows operating system, and
    * You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
    * After reaching the blank screen, your computer's virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. We have partnered with McAfee®, the world's largest dedicated security technology company, to provide you with a complimentary copy of its VirusScan® Plus software which, when installed, will detect, block and remove any malicious software from your computer hard drive. Please contact us at 877-800-4864 for further instructions or 800-564-9184 (Option 1) for further instructions. We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter.
CheckFree will never ask for your password via email or via phone.  If you ever receive an email requesting your password, do not respond and delete the email immediately.

We value your business and your trust, and we apologize for any inconvenience this incident has caused.
Thank you,
Art D'Angelo
Vice President, CheckFree Customer Operations

---------------------
My Response
---------------------
Here is everything I could quickly research. It goes without saying to run a credit report on you and xoxoxo within the next 30 days just to be safe, and of course monitor your bank accounts, etc, which I'm sure you already are doing. I doubt you will have an issue, but better safe than sorry - and it can all be done online.

In easy tech terms, what happened was their DNS settings were modified which allowed attackers to temporarily redirect users to the malicious site. Fortunately, CheckFree is doing the right thing by informing all customers and being upfront about it, albeit a little late in the game.

More info on exploit:

http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html

http://voices.washingtonpost.com/securityfix/2008/12/digging_deeper_into_the_checkf.html

We need to make sure that the anti-virus is up to date on your and xoxoxox's computers and run a scan. If you didn't use your bank's online bill pay or CheckFree's site during the affected time, then you are also most likely safe.

Check for your bank or known bill recipients here:
https://mycheckfree.com/br/wps?rq=login&slpg=Y&file=authentication/login_baseline_companies&esc=93096239&sp=10001

If you both are primarily using Firefox then the chances of any problems are greatly reduced. First, Firefox would have warned of an invalid security certificate (SSL) during the redirect. Secondly, Firefox 3 has built-in phishing detection which would probably have warned of the redirect. Thirdly, Firefox doesn't run ActiveX controls (the bane of Internet Explorer security) so it wouldn't have installed the software without prompting you to download something - unless the site also had a JavaScript exploit of some sort.

Here is what we can do to help prevent DNS exploits in the future. I can configure all of your computers to use the OpenDNS system/service which is free and works wonderfully. It takes less than 2 minutes to configure a computer and works in the background so it is totally transparent to the user.
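Two of the signals in this incident can be checked mechanically: DNS answers that drift away from a known-good baseline (the registrar-level change that redirected users), and a served certificate that does not match the hostname (the warning Firefox would have shown). The script below is an added example written for this post, not CheckFree's or OpenDNS's code; every record set and certificate in it is constructed for the example, using documentation IP ranges and `.invalid` names, and the certificate dictionaries mimic the shape Python's `ssl` module returns from `getpeercert()`.

```python
"""Two checks for the kind of redirect described above: DNS answers drifting
from a known-good baseline, and a served certificate that does not match the
hostname.  Added example; not CheckFree's or OpenDNS's code.  All record sets
and certificate data below are constructed for the example.
"""
import socket


def diff_records(baseline, observed):
    """Compare per-type record sets ({'ns': {...}, 'a': {...}}) and return
    human-readable findings; an empty list means nothing changed."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        before = baseline.get(rtype, set())
        after = observed.get(rtype, set())
        for rec in sorted(after - before):
            findings.append(f"{rtype.upper()} record appeared: {rec}")
        for rec in sorted(before - after):
            findings.append(f"{rtype.upper()} record missing: {rec}")
    return findings


def live_a_records(hostname):
    """Stdlib A lookup for feeding diff_records on a real host (needs network;
    NS lookups need a resolver library such as dnspython, not shown here)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {"a": {info[4][0] for info in infos}}


def _name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive, '*' only as the whole leftmost
    label, and a wildcard never matches the bare parent domain."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_host(cert, hostname):
    """`cert` is shaped like ssl.SSLSocket.getpeercert(): subjectAltName DNS
    entries are authoritative; fall back to the subject CN only if absent."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return any(_name_matches(n, hostname) for n in names)


# Constructed baseline for the bill-pay site, as captured on a known-good day.
BASELINE = {
    "ns": {"ns1.good-dns.invalid", "ns2.good-dns.invalid"},
    "a": {"192.0.2.10", "192.0.2.11"},
}
# Constructed snapshot during a registrar-level hijack: nameservers and the
# address both now point somewhere the site owner does not control.
HIJACKED = {
    "ns": {"ns1.rogue-dns.invalid"},
    "a": {"198.51.100.7"},
}
# Constructed certificates in getpeercert() form.
GOOD_CERT = {"subjectAltName": (("DNS", "mycheckfree.com"), ("DNS", "*.mycheckfree.com"))}
ROGUE_CERT = {"subject": ((("commonName", "login.rogue-dns.invalid"),),)}


def demo():
    """Run both checks against the constructed data."""
    return (
        diff_records(BASELINE, BASELINE),
        diff_records(BASELINE, HIJACKED),
        cert_matches_host(GOOD_CERT, "www.mycheckfree.com"),
        cert_matches_host(ROGUE_CERT, "mycheckfree.com"),
    )


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

A baseline recorded once and re-checked on a schedule would have flagged the nameserver change the morning it happened; the certificate check is the same test a browser performs, which is why the redirect produced a warning for Firefox users even though the page otherwise looked right.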

You and everyone you know need to be running Firefox and not Internet Explorer - I cannot stress this enough for security. Plus, you (and everyone you know) need to follow some basic (and simple) security practices online.

As an added benefit, OpenDNS allows for filtering of content (porn, etc) on the network level. We can even block Myspace, etc, if we want. We will be adding this to the office network on my next trip out (probably tomorrow as we discussed), and we can add it to your home network. Again, the service is free except the time it takes me to set it up.

More information: www.opendns.org

Lastly, remember that using online services is still very safe. As a matter of fact, in most cases it is safer than writing a check to a local merchant or handing your credit card to a convenience store clerk. Banking online and bill pay online is still the best (and safest) way to go, and in this case CheckFree is alerting customers.


Sunday, October 12, 2008

Network Data and Security
Recently, I've been consulting with a client on network improvements. Following is an email correspondence sent to them in preface to some upgrades - such as migrating to a Novell SUSE Linux network.

============
From Email
============

As a reminder, security is relative. You have to weigh the cost vs usability vs convenience. If security practices are too complicated, end users will attempt to circumvent them at every turn. However, if the security measures only present a small burden to the end users, then most users will embrace them.

There are no one-stop security solutions. Period. Anyone that tries to embrace that philosophy is selling snake oil and will lull you into a false sense of security. Always avoid single-vendor lock-in to proprietary solutions as much as possible. I always favor free and/or open-source solutions where possible.

##############
User Training
##############


Most companies fail at training their users in basic technical skills and safe practices. In the short term, weak training expenditures may result in a faster employee turnaround; however, in the long term it costs more.

Not only should users (employees) be educated on the basic skills for their jobs, they should also be educated on basic security best-practices and company policy. As technology changes, users should be further educated as necessary for their particular job. In today's fast-paced world of data exchange, this is a necessity not an option.

##############
Data Security
##############


First, you need to consider that, like most things, your data is only as safe as the weakest link in the chain. No matter what types of technology you employ, all it takes is one rogue employee with access to the data. This is where your company policies and NDAs come into play heavily. Employees must know that there are severe consequences for breaching policies.

Data must not be permitted to leave the company network unless a user has specific permission to remove the data. This includes USB drives, company and non-company laptops, cell phones, PDAs, etc. Even hand-written notes concerning company information must be carefully considered.

Any data that is allowed to leave the company network and confines must be encrypted (see mobile security). It does no good to have the company information locked down, only to transport it in the free and clear.

##############
Email Security
##############

All company email must be controlled tightly through a service such as Google Apps Premier Edition powered by Postini. This allows for superior email security, archiving, and control.

"By 2005, 24% of companies had email subpoenaed and 15% had gone to court over lawsuits triggered by just employee email. According to the same survey, 10% of email at work contained sexual, romantic, or pornographic content." - http://www.amanet.org/press/amanews/2006/blogs_2006.htm

Plan Now for Managing Electronic Data Avoid Tomorrow’s Legal Risks
www.google.com/a/help/intl/en/security/pdf/WP44-BMGuide.pdf

The Impact of the New FRCP Amendments on Your Business
www.google.com/a/help/intl/en/security/pdf/WP42-FRCP_0107.pdf

The use of private consumer accounts must be heavily discouraged. This is one of the easiest attack vectors as a simple copy/paste or upload of a file is all it takes for data leakage. As evidenced by the recent Sarah Palin Yahoo account compromise, most individual users do not employ any sort of security with regard to challenge/response systems, etc.

http://www.google.com/apps/intl/en/business/editions.html

$50/year/user

Emailed information is not secure unless you use end-to-end encryption techniques such as OpenPGP. This is a non-proprietary protocol for email encryption using public key cryptography.

SSL connections provide security from the sender's application to the email server, but the security stops there if the receiver's email provider does not support SSL.

I would even go so far as discouraging the use of MS Outlook and recommending the use of web-based email only via Firefox and Google with the Better Gmail extension for persistent SSL. For those requiring a desktop application, Mozilla Thunderbird combined with the Sunbird and Lightning extensions for Google Calendar integration provides a near-complete replacement for Outlook.

##############
Network Security
##############

Users should be able to access exactly the resources they need to do their job and do it well. By extension users should have no access to resources that are not needed.

This security should be enforced by secure and robust authentication measures such as those provided by Novell and SUSE. Also, there should be sufficient measures for firewalls and security gateways to enforce policies. This also extends to Internet access.

http://www.astaro.com/our_products/astaro_security_gateway

http://www.opendns.com
*See attached screenshot - 24 hr period attempts to access MySpace

WiFi security should be a subset of the network security. Encryption should be provided by WPA-PSK or RADIUS with a sufficiently strong key (at least 20 characters) to make brute-force attacks impractical. 10 non-random characters are not enough. WEP should never be used. Once users are on the network, network authentication should then enforce resource access.
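To put numbers behind the "at least 20 characters" rule: with WPA/WPA2-Personal the passphrase is the only secret, and the 256-bit key is derived from it with PBKDF2-HMAC-SHA1 (4096 iterations, the SSID as salt). The script below is an added example written for this email, not the client's configuration or any vendor's code; it computes the entropy of a short non-random key versus a 20-character random one, derives the key the way the standard does, and generates a passphrase of the recommended length. The guesses-per-second figure in `compare()` is a constructed placeholder for illustration, not a measurement of any hardware.

```python
"""Why a 20+ character WPA passphrase: entropy and key derivation.  Added
example, not the client's configuration or any vendor's code.  The guess rate
used in compare() is a constructed placeholder, not a measurement.
"""
import hashlib
import math
import secrets
import string

# Printable ASCII without quotes or spaces, so the key pastes cleanly into
# router and client dialogs (assumption chosen for this example).
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def passphrase_bits(length, alphabet_size):
    """Entropy in bits of a passphrase whose characters are chosen uniformly
    at random from an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits, guesses_per_second):
    """Expected time to search half the keyspace at a given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 86400)


def wpa_psk(passphrase, ssid):
    """The 32-byte pairwise master key WPA/WPA2-Personal derive from the
    passphrase (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt).  Passphrases
    are 8..63 printable ASCII characters per the standard."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def generate_passphrase(length=20):
    """A random passphrase of the requested length from PSK_ALPHABET."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def compare(guesses_per_second=1e9):
    """Entropy and brute-force estimate for the two keys the email contrasts:
    10 lowercase letters (an upper bound; real words have far less) versus 20
    characters drawn at random from PSK_ALPHABET."""
    weak = passphrase_bits(10, len(string.ascii_lowercase))
    strong = passphrase_bits(20, len(PSK_ALPHABET))
    return {
        "weak_bits": weak,
        "weak_years": brute_force_years(weak, guesses_per_second),
        "strong_bits": strong,
        "strong_years": brute_force_years(strong, guesses_per_second),
    }


if __name__ == "__main__":
    print(compare())
    print(generate_passphrase())
    print(wpa_psk("correct horse battery", "ClassroomNet").hex())
```

Ten lowercase letters top out around 47 bits even if chosen at random, and a dictionary word is a small fraction of that; 20 random characters from the alphabet above is roughly 125 bits, which is out of reach for offline guessing regardless of the rate plugged in. The PBKDF2 step is also why every client has a short pause when it first joins: each guess at the passphrase costs an attacker the same 4096 hash rounds.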

##############
Desktop Security
##############

If your desktop computers are compromised, then the other security practices become a moot point. Not only must you have strong network security to provide authentication for your users' desktops, you must also have a strong policy of "not leaving your desktop while logged in", etc. Passwords written on sticky notes on the monitor are simply unacceptable.

You must also strongly enforce the use of safe software practices such as using Firefox as the primary browser and IE only for specific trusted sites. Each desktop computer should be configured with an appropriate anti-virus license (such as AVG). Your users should be strongly discouraged from downloading and installing non-approved 3rd party software.

External device connections (USB drives, etc) should be discouraged without approval. These are easy vectors for data leakage.

##############
Mobile Security
##############

Anytime devices are taken off-site, the security risks increase by a factor of 1000. Company network access should be provided by VPN only. Company email should be provided by SSL only.

ALL LAPTOPS should have full-drive encryption or at the least encrypted containers for all company data.

www.truecrypt.org


A strong policy of data privacy should be enforced with all mobile users.

##############
Backup Security
##############

A solid backup plan involves primary local backups and secondary off-site backups. All backup data should be encrypted. It does zero good to have security on your network, devices, etc, and your backup files are in the free and clear.

www.jungledisk.com
