Cisco Systems earlier this week released a report from its Talos cyber intelligence unit. It contained a warning of 500,000 routers and storage devices in 54 countries that have been infected with malware. Their findings (https://blog.talosintelligence.com/2018/05/VPNFilter.html) pointed to the Russian government as having sponsored the hack, calling it “VPNFilter,” and that the software was simply waiting for activation. With a high preponderance of these devices in the Ukraine, it seems that an attack might be pending, or at least imminent.

I won’t bore you with the details (and they are voluminous), but the recommendations for how to thwart the hackers are quite interesting. End users are instructed to reboot their routers, modems, and network attached storage (NAS) devices to the factory default state and then to install the latest firmware. Internet Service Providers (ISPs) are instructed to reboot routers and cable modems for their customers and to ensure the devices are patched. Those two steps should, for all intents and purposes, knock out any of the malware that may have infected the devices.

Here’s my question: How many home users – or business owners – know how to perform those two steps? I do, because it is something I learned a long time ago as part of my job. But I can’t see asking any of my clients to do that. For one thing, the recommendations didn’t take into account the main task of saving existing settings – or at least writing them down – so they could be recreated after the device was flashed and rebooted.

In a “best case scenario” I can imagine someone was using a Linksys modem they purchased from a big box store and they didn’t configure anything; they simply followed the installation instructions. But in all likelihood, the SSID (i.e., the broadcast name) of their Wi-Fi is going to change. That means all of their wireless devices – computers, printers, tablets, and phones – will also need to be reset.

The report acknowledges that most of these devices are what we frequently call “set it and forget it,” meaning that they are expected to simply do their job once they’ve been installed. My concern about the recommendations centers on the fact that most individuals have no idea how to obtain the current firmware for these network attached devices. It isn’t very obvious from any of the manufacturers’ literature (and these include Linksys, TP-Link, and Netgear) that this is a task anyone should ever consider doing.

Granted a half-million devices is only a small drop in the bucket in terms of world-wide network device distribution. Yet it seems we have entered into a new “normal” for what people need to do – and learn – in order to better protect themselves from cyber security threats.

Thanks and safe computing!

A security-based newsletter entered my Inbox Tuesday afternoon and, like a gerbil, I immediately clicked it open to see what kind of shenanigans were going on in the world of cybersecurity.  You can imagine how intrigued I was at the following title:  “Chrome Is Scanning Files on Your Computer, and People Are Freaking Out.”

Well, that certainly got my attention, and I clicked on the link to read the article at Motherboard, and a lot of the associated links, and those associated stories and their links, and before I knew it, more than 30 minutes had gone by – and my jaw was just as slack at the end of that adventure as it was at the start.

Here’s the original article:  https://motherboard.vice.com/en_us/article/wj7x9w/google-chrome-scans-files-on-your-windows-computer-chrome-cleanup-tool

I’m going to give you the “Reader’s Digest” version because I don’t know if many of you are going to read that.

Let’s start with the basics.  Google Chrome is a browser, just like Microsoft’s Internet Explorer, and Mozilla’s Firefox, and Apple’s Safari.  The browser lets you explore the pages on the World Wide Web.

The focus of this article is that deep within the Google Chrome settings, there is a ‘clean up’ option that uses a third-party product (from antivirus vendor ESET) to scan for malware that could, potentially, harm the Chrome browser itself.

One of the parameters associated with this option, “Report details to Google,” is defined as follows: “Includes information about harmful software, system settings, and processes on your computer.”  And the default for this setting is to ALWAYS SEND the data to Google!  Obviously, this setting lets Google’s developers know how to handle any problems that may have been encountered during the scan.

Now that’d be great if Chrome simply scanned a few known locations in which malware frequently appears and then closed down.

Unfortunately, as the reporter describes it, the scanner reached further into the computer than anyone would have suspected, and it was going through the My Documents folder.  I can’t imagine that any malicious software would reside there that could cause any harm to the browser.  So that’s just overkill.  The exaggerated claim is that Google is spying on you, your files, and your computer.

According to a leading Google developer, the scanner “only runs weekly, it only has normal user privileges (meaning it can’t go too deep into the system), is ‘sandboxed’ (meaning its code is isolated from other programs), and users have to explicitly click” on a box if anything is detected.

Like I said, this is the first time I’m hearing about this.  But the text of the “agreement” you have with Google when using Chrome can be found here: https://www.google.com/chrome/browser/privacy/whitepaper.html#unwantedsoftware

I looked into this, and it seems that this clean up “feature” has been in existence for more than a year, and is only now getting any reaction.  But that’s the wonderful nature of the Twitter universe.  Someone makes a discovery; some of her followers take a closer look and get agitated; a reporter asks a few questions, and then everyone gets all riled up about the intrusive nature of a global corporation.

I doubt that any of my clients who have Chrome have EVER seen a pop-up that malware was found.  And I know that many of you use Chrome and that some of you have encountered instances of malware.  It’s simply that the software I have installed on your computers scans more frequently than once a week, is constantly updated, and – most importantly – I monitor the results (not Google!).

While I would want everyone to turn off the setting that sends data to Google, the steps I have followed do not work for more than the logged on session.  If you close your browser and then re-open it, the setting turns itself on again.  I have checked, and it seems that this setting simply cannot be eliminated.

What’s my recommendation:  If you don’t mind having your machine bogged down every now and then by a scanner over which you (and I) have no control, you can continue to use Chrome.  But I would really like to know if you ever get a pop-up from Google about malware.  Otherwise, if you’d prefer a less intrusive browser, send me an email or give me a call and I’ll install Firefox and transfer your favorites.

Thanks and safe computing!


It is Black History Month, but it also contains Groundhog Day, Valentine’s Day, President’s Day (remind me, why did we decide to smoosh all of those birthdays into only one day?), and let’s not forget my favorite: National Margarita Day (2/22). For a short month, this is chock full of “days.”

What’s all that have to do with computers and security?

Quite a lot!

Every day, there is another announcement of some form of threat to your security: a data breach here, a ransomware attack there, new forms of malware, some other scheme for mining cyber-currency from your computer or smart phone, and even more sinister, the ever-present phone calls from “flaming idjits” that tell you about a problem with your computer that they have detected and called to help you fix. Please! That one just makes me angry. (Although you might be amused at the sheer number of individuals whom I’ve told to engage in physical acts that would require contortions beyond the ability of most…)

I know that no one can be kept on “high alert” day after day without getting weary of it. It is tough for me, and it is a major aspect of my job. I am always pleased when one of my clients gets an email and forwards it to me to ask, “Is this legitimate?” or “What should I do about this?” That means you’re staying on your toes and looking out for your own safety. That’s what I want you to do; that’s what I need you to do.

However I don’t know how many others are getting emails and continuing down the path of – there’s no other word for it – ignorance, and clicking on that link. Because, despite all of the protections that I’ve put in place on your computers, there is still the risk that if you click on a link in an email something bad could happen.

So what should you do if you are attacked?

1. First of all don’t panic, although that’s what most people do.

2a.  Simply pull the Ethernet cord from the back of the computer (there’s a little hitch to squeeze in before you unplug it).

2b.  Business owners, you need to make sure the affected computer is no longer communicating with the server.

3.  Do NOT turn off the computer! You will lose any forensic information that is available. I’m going to need that data to help remediate the problem.

4.  Call me immediately, and use your phone to send me an email with a photo of what’s on your screen so that I can identify the exact nature of the problem.

5.  Let me handle this for you – it is not a “DIY” (do it yourself) project! Don’t start “Googling” for the fix! Some Russian firm with 500 employees wrote the malware and will charge $79.95 to your credit card to fix the solution they created in the first place. And it won’t get fixed – you’ll simply be scammed…

6a.  After I have assessed the damage, and if it is necessary, you can reach out to the local police and to your insurance company.

6b.  For business owners, this is a reminder to make sure you get, or review, your cyber-liability insurance policy.

There, some “tough love” on Valentine’s Day. I hope that you don’t have to go through any of this, and can simply relax and enjoy National Margarita Day with me.

Thanks and safe computing!

A client called in on my support phone earlier this afternoon and told me that she had a “Microsoft System Security Alert” screen that was talking to her and that she couldn’t do anything with her computer.

I launched a remote session, and by using the Windows Task Manager I quickly ended the Internet Explorer applications that were running. It was a fast and easy fix for a really stupid problem.

I was extremely grateful that this particular home user called me, instead of the 800 number that was on the bogus alert screen (shown below). But my relief was short lived.

A few minutes later she was back on the phone saying the fraudulent alert was on her computer again. I killed it and ran a scan with Malwarebytes, which turned up nothing.

I reassured her that everything was fine.

When she called a third time, I had to ask what it was she was doing – so she showed me. She launched Internet Explorer and it opened on AOL’s home page. She told me she wanted to go to Amazon to check on a book. And she did so using the AOL Search bar and typing in Amazon.

On the resulting page AOL search results list (shown below), she clicked on the first link that was displayed. I finally understood exactly what was going on.

You see, that is a sponsored advertisement, meaning some organization paid AOL money to highlight their “product” based on a search. Underneath that is, in fact, Amazon’s legitimate web site listing.

I used this as an instructional moment by turning on Internet Explorer’s Status bar. I moved the mouse over the Amazon site link to show that https://www.amazon.com appeared in the Status bar. I then moved the mouse over the ad, and the following bunch of gibberish appeared:

https://174036060.r.bat.bing.com/?ld=d3iEIp8CztNDVVjNTYoqXRUjVUCUzK_5V032YvPMriEHbBBDFcwsFXQFK3s2qR9MgRW_xhZ9J5SlsoSk6f38u2TnHoDCUsZUB1JUNHwTr9OuZjeHpOBGhVUOyzHQ20xE-ECR9lob4HeScYrxeY00wTrgAAZ5Wu2BEbi0Pb9RjRzi-woEAc&u=http%3a%2f%2fgoo.gl%2fyD6Nby%3furl%3dhttps%253A%252F%252Fwww.amazon.com%252Fbooks-used-books-textbooks%252Fb%252Fref%253Dnav_shopall_bo_t3%253Fie%253DUTF8%2526node%253D283155

I calmly pointed out that if my client knew which web site she wanted to go to, she could simply type it in the address bar of the browser and go there – no searching necessary. She’s glad to have learned that.
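To see what a link like the one above actually encodes, here is an added example (not code from the original post) that statically unwraps the nested redirect parameters in the quoted ad URL and lists the hosts it claims to pass through; the HOP_PARAMS and SHORTENERS lists are assumptions for illustration.

```python
"""Statically unwrap a sponsored-search redirect URL and list its hops.

Added example, not code from the original post. AD_URL is the link quoted
in the post; HOP_PARAMS and SHORTENERS are assumed lists for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# The ad link that appeared in the status bar when hovering over the sponsored
# result (copied from the post; the "ld" value is an opaque tracking token).
AD_URL = (
    "https://174036060.r.bat.bing.com/?ld=d3iEIp8CztNDVVjNTYoqXRUjVUCUzK_5V032"
    "YvPMriEHbBBDFcwsFXQFK3s2qR9MgRW_xhZ9J5SlsoSk6f38u2TnHoDCUsZUB1JUNHwTr9OuZ"
    "jeHpOBGhVUOyzHQ20xE-ECR9lob4HeScYrxeY00wTrgAAZ5Wu2BEbi0Pb9RjRzi-woEAc"
    "&u=http%3a%2f%2fgoo.gl%2fyD6Nby%3furl%3dhttps%253A%252F%252Fwww.amazon.com"
    "%252Fbooks-used-books-textbooks%252Fb%252Fref%253Dnav_shopall_bo_t3"
    "%253Fie%253DUTF8%2526node%253D283155"
)

# Query parameters that ad networks and shorteners commonly use to carry the
# next destination (assumed list for this example).
HOP_PARAMS = ("u", "url", "dest", "target", "redirect", "redirect_url")

# Hosts whose real target is decided server-side, so the destination embedded
# in the link is only a claim (assumed list for this example).
SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}


def next_hop(url):
    """Return the destination URL embedded in a query parameter, or None."""
    params = parse_qs(urlsplit(url).query)
    for name in HOP_PARAMS:
        for value in params.get(name, []):
            # parse_qs percent-decodes one layer, so the inner URL surfaces
            # with its own (still encoded) query string, which the next
            # iteration decodes in turn.
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def redirect_chain(url, max_hops=10):
    """Follow embedded destinations offline, from the clicked link inward.

    Stops when no further URL is embedded, when a loop is detected, or after
    max_hops to guard against pathological input. No network access is made.
    """
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def analyze(url):
    """Summarise the claimed route: hosts, final URL and opaque shortener hops."""
    chain = redirect_chain(url)
    hosts = [urlsplit(u).hostname for u in chain]
    return {
        "hosts": hosts,
        "final_url": chain[-1],
        "opaque_hops": [h for h in hosts if h in SHORTENERS],
    }


def describe(url):
    """Human-readable report, with a caveat when a shortener sits in the path."""
    info = analyze(url)
    lines = [f"hop {i}: {h}" for i, h in enumerate(info["hosts"])]
    lines.append(f"claimed final URL: {info['final_url']}")
    if info["opaque_hops"]:
        lines.append(
            f"shortener hop(s) {info['opaque_hops']}: the real landing page is "
            "chosen server-side, so the claimed final host proves nothing"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(AD_URL))
```

Run against the quoted link, the chain reads bing.com, then goo.gl, then a plausible amazon.com address; the goo.gl hop is exactly why the embedded amazon.com destination cannot be taken at face value.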

What I can’t figure out is how in the heck AOL permitted this ad to be displayed in the first place. By having it up there, they are actively enabling those sleazebag “support agents” to run rough-shod over the typical older AOL user, who does not have a Managed Services Provider to answer her support phone calls.

It took 15 minutes to get through to an AOL Support rep. I’m hoping – after demonstrating exactly what we found – that AOL will take this ad down and pursue the bad actors in some way. Of course, that probably won’t happen…

Beware!

Update 09/07/2017: AOL has removed this ad from the search results list. Probably the fastest action they have ever taken…

The Washington Post reports “Massive cyberattack hits Europe with widespread ransom demands.” Updates from The New York Times indicate that this new attack has even spread to businesses in the United States.

Barely six weeks have elapsed since May’s WannaCry ransomware attack, which crippled more than 300,000 computers around the world. It is clear cyber-criminals are increasing their efforts to obtain cash. What we are witnessing now is merely a prelude to even more, possibly terrifying, attacks.

As you know, ransomware is malicious software that takes over the files on your computer by encrypting them and then posting a message telling you that if you want your files back, you’ll have to pay money (ransom) to the cyber-criminals who performed the deed.

The major form of currency for payment is Bitcoin, a block-chain mechanism for payment that provides complete invisibility for the cyber-criminal. It is both currency and a monetary system. Back in January 2017, one bitcoin averaged around $900. Throughout May, when the last ransomware attack took place, prices doubled to roughly $1,800. In mid-June, for reasons that are still unknown, the price skyrocketed to $3,000. And, as of this writing (June 27, 2017), the price is down to $2,374.

What accounts for the price changes? Bitcoin is considered a commodity, and the fact that there are a fixed number of coins available, causes speculators to “bid” and “ask” on the amounts just like stocks.

As for the causes for the recent spate of attacks? A group called the “Shadow Brokers” exposed hundreds of NSA hacking tools earlier this year. Software, with names like “DoublePulsar” and “EternalBlue,” ended up in the public domain. Once out in the open it became quite clear to cyber-criminals that anyone who could download that code, build out a distribution method, and set up a bitcoin account would be in business rather quickly.

What the perpetrators of WannaCry found out — all too quickly — was that they needed a better back-end support system of “help desk” operators to explain to people how to obtain bitcoins and how to provide payment. In the end, one researcher found a controlling website name, purchased it, and effectively turned off the ability of the malware to “phone home.” As a result, files were not encrypted and the bitcoins did not reach the cyber-crooks. The lack of adequate planning “cost” them hundreds of thousands of dollars.

The majority of computers that were affected in May were running Windows XP, an older operating system that Microsoft stopped supporting in 2014. Yet there were also thousands of Windows 7 computers that didn’t have the April 2017 Microsoft monthly update installed.

There’s the 1999 film quote: “The first rule of Fight Club is: You do not talk about Fight Club.” Well, the first rule of running Windows is: You really have to install your Microsoft updates.

So why, if businesses know these horrifying threats exist, don’t they update their computers? I don’t have an answer for that, because not patching computers doesn’t make any business sense. You can say you don’t have the time or the manpower, but those are not valid excuses. Because the reality is this: if you want to continue to use your computers while these scourges exist, you should invest in an automated means of patching them!

What else should you be doing?

You should be verifying your backups and check that they have all of your data. If one of your computers gets hit, you must have the ability to restore those encrypted files. If you don’t take backups now, then add that to your list of things to do.

Finally, you need to upgrade your security tools. If you only use an anti-virus product that scans for known virus signatures, you are not adequately protected from these zero-day threats. You must have a modern, enterprise-grade, Internet Security product along with malware protection.

What is a small business or individual supposed to do if they get hit with ransomware? For one thing, they should contact the FBI and the local authorities. In 2000, the FBI established the Internet Crime Complaint Center (IC3) at http://www.ic3.gov where you can fill out an online form to file your complaint.

In the recently released 2016 Internet Crime Report, the FBI reports the IC3 received:

  • 2,673 complaints identified as ransomware with losses of over $2.4 million.
  • 10,850 tech support fraud complaints with losses in excess of $7.8 million.

Wait; what’s that? Last year, the FBI received four times as many reports of fake “tech support” complaints as they did for ransomware. And those cases cost small businesses and home users three times as much money!

This leads me to conclude that more people fall for the phony phone calls from “Microsoft” saying there are problems with their computers — and are willing to report and admit it — than are willing to report being a victim of ransomware. Undoubtedly this is because the files that were encrypted were client-related and could cause substantial problems for their business and have ramifications in terms of bad press, privacy breach notifications, and possible law suits.

Where is all of this going to end up? I’m only certain of one thing. Cyber-criminals are going to continue to up the ante because they are going to go where the money is. Consider the bad actor parked across the street from a high-end automobile lot wirelessly loading malware into the electronic control units (ECU) of the cars waiting to be delivered. As security research firm FireEye reports, “a group of vehicles disabled on a busy highway could cause serious disruption. Municipal authorities may have little choice but to pay the ransom to reopen a busy commuting route.”

Every hardware component and computer that relies on software must be patched automatically, your Internet Security software must be enterprise-strength, and back-ups taken and inspected regularly. The threats already exist out there, and they are not going to go away any time soon.

In a recent article about ransomware and the effect it has on small businesses, the author states that “security experts say the first thing to do after a ransomware event is to upgrade security and backup processes.”

I had to read that twice before I realized how true it was and how erroneous the statement is.  If an IT consultant is taking these steps after the fact, then they have failed to adequately protect their client.  I cannot see working that way – it is backwards, last generation thinking.

You want to engage with an IT consultant who prepares an entire range of security measures for blocking the possibility of ransomware from affecting your small business in the first place.  Implementing heightened security and backup after the fact won’t cut it; security measures have to be implemented before a calamity occurs.

A new proverb in our industry states that “there’s at least one employee in the office that will click on anything.”  And because that is more often true than not, you need more than the standard list of preventative measures in place, which consist of:

  • Making sure you are running a robust security solution (Internet security, anti-virus, and anti-malware)
  • Keeping the operating system up-to-date
  • Avoiding the use of plug-ins (such as Java, Adobe Flash, and Silverlight) in your web browsers
  • Being careful with email attachments and links in emails from people you don’t know

While those steps are usually issued to help safeguard home users, a small business owner also needs to include the following elevated measures:

  • Employing an advanced Unified Threat Management device (firewall)
  • Enabling server and desktop back-up to a local device and the cloud

These additional factors should help obviate the statement made by the sources for the article’s author.

However, the most important step any security-conscious IT consultant must take is to ensure that appropriate employee education takes place on a regular basis.  This is because the ransomware threat landscape is constantly evolving. Cybercriminals have found a highly effective and lucrative approach to illegally making money.  As new forms of socially engineered threats appear, employees must be reminded and their awareness must be sharpened to distinguish between a valid email and a new phishing threat.

If you want this kind of training for your staff, contact me for further information.  Don’t be a victim to ransomware!

The last thing in the world I want to hear from a client is, “I did something really stupid,” because sometimes I am inclined to agree with them.  This was the case the other day.  I received a very distraught call in the middle of the afternoon. My client sputtered, “I should have known better, but I just wasn’t thinking.”  She went on to tell me that she received a phone call from someone who alerted her to the fact that something was wrong with her computer and that he had to remote in to fix it.

What makes this situation a bit puzzling is that she uses a Mac, and most of these fake callers say they are from Microsoft.  Now for the truly terrifying part:  She proceeded to let a complete stranger remotely access her computer for about an hour.

I won’t go into the recriminations she must be feeling.  While I tried to offer as much comfort as possible, I am quite embarrassed that one of my clients would not think to call me, or at least tell the person calling that “I already have a computer guy who takes care of this for me.”  But that is not the point of this security brief.  I need to concentrate your attention on what has to happen after this atrocious event.


There is a reason I send out regular security bulletins explicitly warning about malicious email activity and instructing you, my clients, to call me before you do anything that could have serious repercussions.  That is because there is really bad stuff out there!

I received a voice mail from a client saying she received an email from her accountant and it contained instructions for using Dropbox.  (Dropbox is a file hosting service that offers cloud storage and file synchronization.)  When I listened to the recording, I wasn’t sure if she couldn’t follow the instructions or if she couldn’t get Dropbox to open.  Needless to say, she sent the email to her son, and he couldn’t get it to work either.

Then she called her accountant, who told her he didn’t send it, but that other clients also received the email.  After all of that, she ended her message asking me if her computer was OK.

Well, that was a tough question to answer.  Just the same I was able to conduct some forensics into what occurred with this email – and it was most certainly malicious.

Here is the text of the problematic email (unfortunately I couldn’t capture the header information).

[Screenshot of the email; the image is not reproduced here.]

Now, I don’t know how many times I have told you not to click on links from people you don’t know, but that wasn’t the case here. This sender (whose name has been erased) is known to the recipient. However, I strongly doubt that any business person she knows uses arbitrary capitalization like this. I also doubt a professional would ever send an invoice labeled as a “doc” file with a “jpg” file type.

One day, you look in the Windows Task Scheduler and see the message:

The selected task “{0}” no longer exists.  To see the current tasks click Refresh

[Screenshot: the Task Scheduler error message]

Well after you click OK and then click Refresh, you are still missing that task.  And Windows is really great about not informing you of what that task is.

Other articles on the Internet suggest going through the actual Tasks folder to determine where the disconnect is.  I think I have an easier solution for anyone using a Symantec security product, particularly the Symantec Endpoint Protection Small Business Edition (also known as Symantec.cloud).

Open an elevated command prompt and issue the following commands:

cd \
cd program files\symantec.cloud\antivirus
avagent -SHOW_UI

The GUI will be displayed. (Norton Internet Security users simply open the product.)  Depending on your version, the screen’s appearance may differ from the one shown below (which is from NIS 21.5.0.19).

Click on Settings, and select the General tab.

[Screenshot: Settings, General tab]

When you click the question mark to the right of the Idle Time Optimizer, you see the web page that explains that this “feature” automatically defragments the hard drive when the user is inactive for a period of time.

[Screenshot: Idle Time Optimizer help page]

I find this too pretentious for words.  If I have set a disk defragment schedule on my computer, or any of my clients’ computers, I fully expect those schedules will be maintained and adhered to.  I certainly don’t expect my security software to come along and interfere with them.  Even worse, is the error message that ends up being displayed as a result of Symantec’s change.

So, turn off the Idle Time Optimizer.  Click OK to apply.  Close the GUI, and the command prompt.

After you turn off this setting, click the Windows Start button, type “defrag” (without the quotes) in the Search bar to launch the Windows Defragmenter.  Change any one of your existing settings to force the entry back into the Task Scheduler.   You can reset the minor change immediately, and then close the Defragmenter.

Now, go back to the Task Scheduler and see that there is no error message.

There you have it, an amazingly simple solution to a vexing (and stupidly annoying) error message.

Recently, Symantec updated the Endpoint Protection component of their cloud-based Internet Security offering. The Cloud Agent is a wrapper, while the base product – Endpoint Protection – is the Norton Internet Security product. The current version, NIS-22.5.2.15, has been updated to work with Windows 10 and has been given a new user interface. However, the problem with the update is in the number of settings that were added to this version and turned on by default.

Symantec partners access their clients’ portals via the Partner Management console (https://manage.symanteccloud.com). Most of the operations of the cloud product are controlled via policies and settings that are defined in each client’s web page (https://hostedendpoint.spn.com). From there you can control how the computers and servers will be protected, how USB devices will be controlled, the kind of web protection and network protection to be offered, as well as the scanning schedule. With the exception of providing Firewall rules and Program control rules, those are the only facets of the program that can be controlled via the web.

To control other elements of the product, you have to log in to the client’s computer, open up an elevated Command Prompt, access the C:\Program Files\Symantec.cloud\Antivirus folder and issue the Avagent.exe -SHOW_UI command. And that’s where we can find the latest problem. With the 22.5.2.15 update, the sheer number of settings that have been included – all without any option to control from the web – are startling.

Within the Firewall settings is the “Network Cost Awareness” setting.

[Screenshot: Network Cost Awareness setting in the Firewall settings]

This new policy allows you to configure the amount of bandwidth the agent will use. There is no equivalent setting in the cloud to manage this.

There is a completely new section for Tasks Scheduling.

[Screenshot: Tasks Scheduling section]

Again, none of these settings are controlled via the policies on the web.

Last are the newly enhanced Administrative Settings which contain some of the more egregious changes.

There is now a 30-day report, which is gathering statistics that the end user will never even see.

[Screenshot: 30-day report setting in Administrative Settings]

And there is the “special offer notification” (what you and I would call advertising), which appeared on one of my client’s computers a few weeks ago. I had opened a case with Symantec Technical Support months ago about this specific setting and I was told that it would never happen again. Someone in the development group apparently didn’t get the message.

[Screenshot: special offer notification setting]

I am, quite frankly, horrified that these settings are on my clients’ computers. As a Managed Services Provider, I already use a Remote Monitoring and Management (RMM) software product to take care of scheduled Windows tasks, including the removal of temporary files. I don’t expect a third-party software product – ostensibly one designed for Internet Security – to be introducing a completely new and totally ungovernable set of tasks to my client base. I certainly don’t expect the software to adversely affect the performance of an end-user’s computer without my ability to control what does, and doesn’t, occur. And I absolutely want the software to respect my clients’ right to privacy from ANY kind of advertising – especially from Norton – because I sold my clients a Symantec product!

I don’t mind that I have to explain why the statistics in my RMM’s monthly reports show a nose dive with respect to performance and file clean-up. But what I do mind is that I cannot explain why Symantec did not inform its partners that they were going to be introducing these new “features” to the product. I have done some research since these settings appeared, and I have yet to find anything mentioned other than the fact that Windows 10 will be supported and that the screens have changed in appearance. It seems that all of the other items that were added did not deserve any mention whatsoever.

This product is marketed as a Symantec business product – and for years, I have sold it as a business-class product. And while I realize that it is built on the Norton consumer base, it must be completely managed; otherwise it is next to useless. There has to be a way to control ALL of these settings from the client’s web portal. Without that ability, it will be necessary to log in to each of the affected computers (as they receive this update) and manually change the settings. That is going to take time, effort, and coordination. Plus, I am going to have to keep on checking to see if anything else like this occurs in the future.

Symantec, this is simply unacceptable behavior. In an effort to improve the consumer product, you’ve thrown garbage into the workings of a business product. The only way that you can reconcile this oversight is by providing discrete controls in the client web portal. Until you do that, I cannot, as a Symantec partner, continue to advise clients to purchase this product.