The IT Detective – Tale of a data breach

November 21, 2017 at 5:03 pm | Posted in cybersecurity, Knowledge | Leave a comment

Of all the IT detective agencies in all the towns in all the world, she walked into mine. She was blonde, beautiful, and had eyes so blue they would scorch your soul. And I knew just how much that would hurt. See, I was in love with her once. Hey, maybe I’m still in love with her. How could I not be? She knew her way around a secure IT password policy and she worked for a major credit reporting agency. Even though she was the life of the party, I knew she was all business where it counted.

One look at her and my heart started banging like a bad platter on a Seagate hard drive, but I knew I had to play it cool. “Hello, pretty lady.” I said. “What brings you to my office?”

“Hi there, handsome fella’,” she replied. “I hear you’re investigating that big data hack from September. I figured I’d come looking for you before you came looking for me.”

“A lot of people’s Personal Identifiable Information (PII) was stolen,” I said. “People were outraged. They were mad, and they want answers. They want to know why it happened, and what to do next. And I want to give them those answers.”

“Well, I don’t work for Transfaxian anymore. And I had nothing to do with that data breach,” she insisted. “I just want to help you help the people who got hurt.”

She said she had nothing to do with it, but the timing of her departure was a little too coincidental. Still, if she was willing to sing, I was willing to play backup, so I invited her to Sam’s Pub to tell her story.


When she walked into the bar, she lit that dark room up like the activity lights on an overworked Cisco router. Sam poured us some drinks, I tossed him a quarter for the jukebox, and he played our favorite song. It was time to grill this pretty lady. Did I have an axe to grind? Maybe I did. We were a nice couple for a while, but work got in the way.  I spent so much time investigating data breaches that it affected me day and night. How could it not? Who can sleep when their PII is being sold on the dark web?

I was stuck in a dark cloud and depressed.  She got tired of being ignored, and kicked me to the curb. But before the first question came out of my mouth, she flashed me a smile. You know, the smile that melts the most frozen of hearts and makes you feel at ease. The last time I smiled like that, I’d just pulled off a flawless two-day security audit.

“So,” I said. “Why were the hackers able to get the Social Security numbers, birth dates, addresses and some driver’s license numbers?”

“I just know what I read in the papers,” she said. “They knew there was an unpatched flaw with Apache Struts CVE-2017-5638, but their own security team couldn’t find the flaw to fix it.”

“So they knew!” I nearly yelled. I knew she hated black olives, zero-day attacks, and unpatched servers, and when I raised my voice, I could see tears in her eyes.

“Yes, they knew,” she whispered. “But I was just another hard-working sales person trying to make a quota.”

She was one of the best sales people ever; she once sent me a postcard from Cancun after she won a sales contest. I knew this lady could pull the wool over my eyes if I wasn’t careful.

“Did you always use two-factor authentication?” I asked carefully. “When you logged into your computer or a company website, did you have to enter a username and password plus a random 4-8 character one-time code?”

She frowned. “No, I just put in my username and password when I booted up my computer or logged on to the website. I didn’t need anything else.”

“What was your password?” I asked.

“What was yours?” she responded coldly.

“Your name plus the date we met, hashtag smiley face.”

“So, at least 10 characters with numbers and special characters?” she said. “Yes, we followed that standard.”

“Ah, but how often did you change it?”

“It was supposed to be 60 days, but I changed mine every 45 days,” she said.

Clearly, it was time for harder questions. “Did your department use email to send documents like PDFs, Word files, or Excel files as attachments to other employees? Not to customers or people on the outside?” I asked. She looked away. I could see she was stalling. “Or did you use some kind of cloud storage, like SharePoint or Google drive, and just email links to the document locations?”

“Okay, okay. We emailed attachments to other department members all the time. It’s not a crime, even if it can leave cached copies on servers outside our firewall,” she snapped. Like she was a dancer in another life, and she was dancing fast now. “We didn’t use shared storage. I guess we could have emailed the links instead of emailing the documents to other team members, but we didn’t.”

“Did anyone in your department ever get phished by a hacker?”

She looked offended. “We were smart. We had great email filters. Email from customers came to the inbox, and email from spammers went to the spam folder.”

When she talked security, it drove me crazy, and it crushed me that we were not together anymore. I reminded her, “It’s a lot easier than you think to get phished, pretty lady.”

“Well, not me. I followed the company’s rules. I always used the VPN when I was on the road or in the coffee shop. And we were pretty restricted on our laptops. We couldn’t open our personal email accounts on Gmail or Outlook or Hotmail. Oh, and we weren’t supposed to use social media on the laptops.”

“You expect me to believe that?” I pressed.

“Okay, fine. So I would sometimes check Facebook or hit an Ann Taylor sale online,” she said. If she was wearing Ann Taylor now, nobody wore it better than her.

“I just worked a big case involving some Nigerian hackers,” I explained. “They used a company’s email account to send fake invoices to customers that used routing numbers for a bank in Nigeria. The customers paid the invoice, but the Nigerians got the money. Did anybody get hit with ransomware at your company, as far as you know? Or did you hear talk about any other kinds of security issues?”

“No way. The security was tight,” she said.

“Okay, so what if someone at Transfaxian lost their corporate cell phone?”

“They did a remote wipe. You lost the phone, but the data was gone. I didn’t lose sleep over it,” she said coolly.

“Did you ever have to back up your laptop?” I said.

“No, why would I? Most of my work was saved in the corporate app. I never had a device fail on me. I like to play the odds,” she said with a devilish grin.

“Well, how often did your corporate IT department apply Windows updates to your laptop?” I asked. “Large companies typically push updates to their employees on their own schedule. The credit bureau hack was possible because your company did NOT update an Apache server. Do you remember being asked to reboot your computer during the work day on a regular basis?”

“I know I occasionally had to reboot for updates. Sure. I thought we were on top of the security fixes, but I’m really not an expert,” she said sadly. “You believe me, don’t you? It wasn’t my fault. I heard some big-shot officers traded their stock and walked away with a fortune. All I walked away with was a coffee mug and a red Swingline stapler.”

“I believe you, pretty lady. However, there are folks out there who are just trying to make it in this world, trying to see if a little sun will shine on their dreams. So what do you want me to tell those hardworking stiffs who are running scared because their PII is exposed?”

She took a deep breath. “Tell ‘em, you should keep your credit frozen for the rest of your life. Or until they come up with a new kind of credit fix. Freezing your credit will keep you as safe as possible. Right now my former company says they’ll waive any fee to place, lift, or remove a security freeze through January 31, 2018.

“Other than that, make sure to join a service that lets you monitor your credit on a regular basis. I personally use Credit Karma. You also need to know that in the next few months, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. Oh, and tell people to read the Ouch! Security Awareness newsletter so they can learn to protect themselves,” she finished.

“That’s a nice speech, but it doesn’t address how the hackers got in,” I said. Her face turned red and that firecracker personality that I’d fallen for came to life. “So what would YOU have done, big shot?” she challenged.

“That’s a hard fix, but an easy answer,” I replied. “After all, that’s why they call me the IT Detective.”

  • Hide the server version and OS identity in error pages, whether you run Apache or another server. When someone requests a nonexistent URL on your server, the default error page can display the server version. On an Apache server, turn ServerSignature off so the version is not shown in error pages.
  • If your web page accepts comments from customers, validate those comments to prevent cross-site scripting (XSS) attacks.
  • Explicitly parameterize queries to prevent SQL injection, so that an attacker cannot use a web form field or URL parameter to read or manipulate your database.
  • And for heaven’s sake, keep the software on your server updated, including third-party software.
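The two application-level fixes in that list, parameterized queries and encoding customer comments before they reach the page, are short enough to show side by side. The following is an added example, not code from the original post; it uses Python’s standard sqlite3 module with a constructed in-memory customers table (the names and ssn_last4 values are made up) so it runs offline.

```python
import html
import sqlite3

# Constructed sample data for the demo; not real customer records.
SAMPLE_CUSTOMERS = [("Ilsa Lund", "1234"), ("Rick Blaine", "5678")]


def build_demo_db():
    """Create an in-memory SQLite table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, ssn_last4) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the form-field value is pasted into the SQL text.

    A quote character in `name` changes the meaning of the statement, so a
    value such as  ' OR '1'='1  turns a one-row lookup into a dump of the table.
    """
    sql = f"SELECT name, ssn_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized form: the value travels separately from the SQL text.

    The driver binds `name` as data, never as SQL, so quotes in the input are
    compared literally against the column and cannot alter the query.
    """
    sql = "SELECT name, ssn_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_comment(comment):
    """Encode a customer comment before placing it in an HTML page.

    html.escape turns < > & " ' into entities, so markup or script supplied in
    the comment is displayed as text instead of being interpreted by the browser.
    """
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_demo_db()
    tautology = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, tautology))  # every row comes back
    print("safe:  ", lookup_safe(db, tautology))    # no row has that literal name
    print(render_comment("<script>alert(1)</script>"))
```

Running the block shows the difference directly: the string-built query returns both customers for the tautology input, while the parameterized query returns nothing because no customer is literally named `' OR '1'='1`. The comment renderer is the output-encoding half of the XSS defense; input validation on the way in is still worth doing, but encoding on the way out is what stops the browser from executing whatever got stored.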

When the hail of bullets stopped, she waved away the smoke and said, “I was your bleeding heart. I was your crying fool, but you loved your IT detective job more than me.”

“I was in love with you once, you know,” I told her. “And I’ll always take the blame for why we split. I’m no good at being noble, but it doesn’t take much to see that the problems of two people don’t amount to a hill of beans in a crazy world where people’s PII is being stolen every day. Someday, maybe you’ll understand that.”

She tossed a $50 bill on the bar and stood up. “It’s time to move on, time to get going. What lies ahead, I have no way of knowing. But I told you what you wanted. So this is goodbye, handsome fella.”

“Goodbye, pretty lady,” I said. We hugged. I did not want to let go, but I did.

As I watched her walk away, I knew two things:

She would always have a piece of my heart, and the data breaches would continue. My job would never get any easier. When the most vulnerable piece of any network is the user, it just makes my job harder. It comes with the territory.

I ordered another drink, tossed out another quarter for the jukebox, and said, “Play that song again, Sam.”


Stay safe,

George Monsalvatge


Upgrading to the MCSA Windows 10 and announcing the retirement of Windows 7 exams

October 6, 2017 at 12:04 pm | Posted in Certification Paths, Microsoft | 2 Comments

Hi, can I still upgrade from windows 8.1 to MCSA 10, by taking 70-697?

While researching this reader’s question, I went to the Microsoft certification site and discovered that the MCSA: Windows 8/8.1 was no longer listed anywhere on the site, including in the retired certifications list. The only desktop MCSA described is the Windows 10 MCSA.

I’m confident that the information we reported in November 2016 is no longer current, and students should look at the Microsoft site first to determine which exam to take.

I also reached out to Microsoft regarding the exams for MCSA: Windows 10. Their official response was that it was no longer possible to upgrade from the Windows 8 certification. The only way to achieve a MCSA: Windows 10 is to pass two exams, 70-697 and 70-698. Passing only one of these exams earns you the MCP (Microsoft Certified Professional), but nothing more.

The death of desktop certs

If you look at the most recent Microsoft certification paths, you’ll see that the MCSA: Windows 10 is listed as a point on the path to MCSE: Mobility.


Once you’ve earned the MCSA, taking one more “elective” exam (70-398, 70-695, or 70-696) will earn you the MCSE: Mobility credential. Current and future Microsoft certifications will be divided into the following categories that reflect Microsoft’s move away from local installation:

  • Mobility
  • Cloud
  • Productivity
  • Data
  • App Builder
  • Business
Grab your Windows 7 certification while you still can

After a long, hard run, Microsoft has finally released retirement dates for Windows 7 certifications. All of the following exams will expire on July 31, 2018:

70-680: Windows 7, Configuring
70-685: Windows 7, Enterprise Desktop Support Technician
70-686: Windows 7, Enterprise Desktop Administrator

As of this writing, each of these exams earns the MCP, but no credit toward an MCSA or MCSE.

Happy certifying!

-George Monsalvatge

OMG, my refrigerator got hacked!

August 10, 2017 at 9:39 am | Posted in Uncategorized | Leave a comment

Years ago I started worrying about getting a virus on my laptop. More recently I began worrying about getting a virus on my iPhone. As of 2017, my new fear is that my smart refrigerator can send spam – or worse.

Last year a photograph of a smart refrigerator displaying an adult site on the display floor of a major retailer went viral. (I tried to find and credit the original source; it was posted on John McAfee’s twitter feed but it’s not clear whether it’s his photo.)


We live in a golden age. You can change the temperature in your house from a remote location by simply using your phone to access your Internet-connected thermostat in your home. But who else can connect to this device?


Connected devices or smart devices, referred to as The Internet of Things (IoT) devices, have simplified our lives more than we could ever imagine – or so their manufacturers claim. IoT devices have moved beyond home alarm systems to control home automation components like electric lights, HVAC systems, robotic vacuums, ovens, refrigerators, freezers, and even water faucets.

IoT devices are used in medical devices such as heart rate monitors, blood pressure monitors, pacemakers, and hospital equipment. IoT devices in automobiles send and receive information to the device manufacturer or update the equipment components. They let us know remotely if our brakes are worn, if it’s time for an oil change, or if it’s time to change our cabin filter. We’ve come a long way from the diagnostic port on a 1973 VW which could tell you if your alternator was charging your battery properly.

In short, IoT is big business, and everybody wants to cash in. IBM has rolled out a bunch of commercials promoting the IBM Watson IoT.

If you have watched a TV show or movie recently, it seems that any nerdy character with a bad haircut, an unfortunate tattoo, and an earring who can speak a complete sentence without using the words “like” and “you know” can hack into every security camera or device in a building. That’s fiction, but what about reality? IoT devices are notorious for lacking integrated security. Most of them just have a userid and password as credentials.


Criminals, identity thieves, or just plain pranksters would love to disarm your alarm system, steal your information, or just make your life miserable by hacking into an IoT device. An IoT device can be compromised in two ways:

  • An IoT device can be told to do what it is not supposed to do. A networked component in your smart TV could become part of a botnet attack. As hackers demonstrated to Jeep, an IoT device in an automobile may be hacked so that attackers can disable the power braking system.
  • IoT devices can be told to do what they are supposed to do, but at the wrong frequency. These attacks could include turning on the water or the lights in your house at the wrong time, flooding your basement or leaving it well-lit for thieves.

Every device or software may have flaws. A flaw that nobody else knows about is referred to as a “zero-day exploit.” According to a WikiLeaks report, the CIA has a set of tools to hack IoT devices via “zero-day exploits.” One zero-day exploit lets you activate the microphone on a smart TV or other device to remotely record conversations. According to the report, the CIA has many zero-day exploits for Android and Apple iOS devices. Who else has this set of tools? A government agency could use them to spy on their own citizens, or a rival nation, or even disrupt an election of another country. I am looking at you, Vladimir Putin.


According to Gartner Inc, there will be over 20 billion IoT devices by 2020. There is consumer demand for these IoT devices. Consumers want it simple and fast, and device manufacturers do not want to make these devices overly complicated out of the fear that consumers won’t buy them. Adding additional security to these devices is not generally in the device manufacturers’ best interest if they want to increase sales. However, technology always changes. Devices, unlike computers, rarely have the ability to accept a patch or update. WiFi routers may have firmware updates, but not all Internet-connected devices do. This leaves the consumer at a security disadvantage. Worse, it leaves them open to hacking.

What can the consumer do?

Most users do not change the default security on devices. WiFi routers’ passwords are rarely changed out of the box by the average consumer; nor are the passwords of security cameras. If you think the password is like your front door, you should lock your front door, and for heaven’s sake, change the default password.

You should try to practice good password hygiene.

  • Avoid reusing credentials – Use different passwords and user IDs for your different devices. How in the world can I keep up with all these passwords? I can barely remember my daughter’s birthday or the security code for my ATM card. You can get a password manager app and install it on your phone.
  • Change passwords frequently – Passwords can become stale. Your roommate that moved out two months ago knows your WiFi password, and so does his ex-girlfriend. It might be time to change a few passwords.
  • Make the passwords strong – The passwords should be at least 15 characters. You should have a mix of uppercase, lowercase, numbers, and special characters. You can make the passwords out of a phrase, song lyric, or something that you can remember. For example, take a look at the following:
    • Ih8DaNew0rle@ns$aintz translation “I hate the New Orleans Saints”
    • Its@Sm@11W0rld@fterA11 translation “It’s a small world after all”
    • A7thN@tionArmy#C0u1dNtH0ldMeB@ck translation “A seven nation army couldn’t hold me back”
    • WhyD0e$MyC@tP00p1nD@Corner translation “Why does my cat poop in the corner?”
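The three hygiene rules above (no reuse, rotate, at least 15 characters with a mix of character classes) are easy to turn into a check you can run against a password manager export. The following is an added example, not code from the original post: `check_password_strength` applies the length and character-mix rule exactly as stated, and `find_reused_passwords` flags any password that appears under more than one device. The device inventory in the test is constructed, and the passwords it contains are the post’s own sample passphrases.

```python
import string

MIN_LENGTH = 15  # the minimum length the post recommends


def check_password_strength(password):
    """Return the list of rules `password` fails; an empty list means it passes.

    The rules are the post's: at least MIN_LENGTH characters, and at least one
    uppercase letter, one lowercase letter, one digit and one special character.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def find_reused_passwords(credentials):
    """Group device names by password and return only the groups that share one.

    `credentials` is a list of (device, user_id, password) tuples, the kind of
    inventory a password manager holds. Any password listed under two or more
    devices breaks the 'avoid reusing credentials' rule.
    """
    by_password = {}
    for device, _user, password in credentials:
        by_password.setdefault(password, []).append(device)
    return {pw: devs for pw, devs in by_password.items() if len(devs) > 1}


if __name__ == "__main__":
    # Constructed inventory (hypothetical devices and user IDs).
    inventory = [
        ("wifi-router", "admin", "Ih8DaNew0rle@ns$aintz"),
        ("front-door-camera", "george", "Ih8DaNew0rle@ns$aintz"),
        ("thermostat", "george", "Its@Sm@11W0rld@fterA11"),
    ]
    for device, _user, pw in inventory:
        print(device, check_password_strength(pw) or "ok")
    print("reused:", find_reused_passwords(inventory))
```

The strength check is deliberately the post’s rule and nothing more; a real password manager also compares against breached-password lists, which is a separate check. The reuse finder is the part most people skip, and it is the one that turns a single leaked camera password into a router compromise.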

It’s a given that the average consumer might not consider security a priority with an IoT device. However, the IoT goes beyond consumer devices. If a device can be accessed via Bluetooth, WiFi, or any other wireless technology, it is vulnerable and could be compromised – and that includes crucial healthcare devices. Medical device maker Johnson and Johnson had to reveal to over 100,000 patients that a hacker could exploit one of their insulin pumps. We are not talking about refrigerators and security cameras anymore. We are now talking about people’s lives and well-being. It may no longer be a spy-novel plot device to suppose an assassin could remotely speed up a pacemaker or stop a medical implant from working.

A financial institution spends a significant portion of its IT budget on security. Healthcare providers only spend about 6% of their IT budget on security, and it is usually applied after the device is designed rather than being integrated into the device.

Who knows if there is a zero-day exploit in a medical device right now? It may take years for manufacturers to find them all. Who knows if a hacker found the exploit first? If it’s difficult for an automobile manufacturer to replace an electric window motor in a mandated recall, it will be extremely difficult to replace a medical device that has been installed and then recalled due to IoT insecurity. Technology has gone down a road that can bring us great prosperity and better health. We need to make sure that the potholes are paved and the road is secure from bandits.

Until next time,

George Monsalvatge

Ransomware! What is it, and what can I do about it? (Part 2 of 2)

April 10, 2017 at 4:55 pm | Posted in cybersecurity, Knowledge | Leave a comment

In my first post (Part 1), I went over the basics of how ransomware exploits your computer, and the #1 weird trick that computer experts use to avoid the pain of ransomware: namely, always have a current, offline backup of your files where the thieves can’t encrypt it in the first place.  Backups can save you from the pain, the agony, and the grief of ransomware. You may have to reimage your computer and copy a known set of good files from a backup set, so the more often you back up, the better off you’ll be.

However, if everyone always had a current backup, there’d be a lot less ransomware out there. The criminals who spread ransomware know that most people don’t back up their data. According to the FBI, attacks by ransomware accrued over $18 million by June 2015, and ransomware attacks are expected to boom in 2017. Crime pays, and pays well.


Also, cybercriminals attack new and surprising venues every day (like Android screen lockers that demand payment in Amazon gift cards), so you may be the next victim. And while backups are good, you don’t want ransomware (or malware of any kind) on your computers in the first place.  And finally, if you’re in IT, you’re always going to field the eventual call from your mom, your brother, or your college roommate, saying “Help! There’s a message on my computer screen that says ransomware has infected my router and I have to pay $200!”

In this post, I’ll go over some general suggested practices to harden the various areas of your computer or network where malware might enter in the first place. I’ll also list the better resources to turn to for ransomware news and solutions that may help you extricate someone from a ransomware attack.

(Note: the first part is mostly Windows-based, but the second part applies to all computer users.)

Reveal it all

If you run a Windows machine, you should always show hidden file extensions using Windows Explorer. The average user – your college roommate, Joe Lunchbucket – has been warned a zillion times by the IT department never to open an executable file from email or a URL, and believe it or not, he won’t. But if he unzips an attachment, say an automated email from the local printer, and sees a file named BillJones_Resume.PDF, he’s going to think it’s really a PDF file. If file extensions are hidden (the default behavior) he won’t realize the file is actually BillJones_Resume.PDF.exe.

File extension viewing can be enabled by opening Windows Explorer, choosing View, then Options, then Change folder and search options. On the View tab of the Folder Options window, uncheck Hide extensions for known file types. (The exact path may depend on which version of Windows you run.)


Keep executables and known bad links out of email, and keep updates current

Ensure that your email service filters out EXE and script files. This may not protect you from someone hiding an EXE in a ZIP file, though. At work, your corporate infrastructure should have in-mail protection such as antivirus engines that check mail and attachments before the email is delivered to the inbox, and check web links to see if they are dangerous or spoofed.
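The double-extension trick from the previous section and the EXE-in-a-ZIP problem from this one are the same screening job seen from the mail filter’s side. Here is an added example, not code from the original post, that applies both checks: it blocks attachments whose final extension is executable or script, flags the `Resume.PDF.exe` pattern by name, and opens ZIP attachments to screen each member. The extension lists are my own choice for the demo, and `build_sample_zip` constructs the test archive in memory so nothing touches disk.

```python
import io
import zipfile

# Extensions the post says mail filtering should block outright (demo list).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "bat", "cmd", "js", "vbs", "ps1", "msi"}
# "Document" extensions attackers like to fake with a double extension (demo list).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def classify_filename(name):
    """Return a reason to block `name`, or None if the name looks harmless.

    Two checks: a final extension that is executable or script, and the
    double-extension trick (Resume.PDF.exe) that hidden extensions disguise.
    Only the final extension matters to Windows, which is why the trick works.
    """
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            return f"double extension disguises executable: {name}"
        return f"executable attachment: {name}"
    return None


def scan_attachment(name, data):
    """Screen one attachment; ZIP archives are opened and each member is checked."""
    reasons = []
    direct = classify_filename(name)
    if direct:
        reasons.append(direct)
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = classify_filename(member)
                    if inner:
                        reasons.append(f"inside {name}: {inner}")
        except zipfile.BadZipFile:
            reasons.append(f"malformed zip: {name}")
    return reasons


def build_sample_zip():
    """Constructed sample: a ZIP holding a fake 'PDF' that is really an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BillJones_Resume.PDF.exe", b"constructed placeholder, not a program")
        zf.writestr("cover_letter.txt", b"constructed harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    # The "automated email from the local printer" scenario from the post.
    for reason in scan_attachment("scan_from_printer.zip", build_sample_zip()):
        print("BLOCK:", reason)
    print("report.pdf ->", classify_filename("report.pdf"))
```

Name-based screening is only the first layer: a real gateway also checks the file’s actual type (the content, not the name) and scans nested archives, and password-protected ZIPs defeat this check entirely, which is why Joe Lunchbucket still needs to see the real extension on his desktop.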

If you’re operating in a Windows enterprise environment, you or your IT administrator can use Group Policy Objects (GPO) to prevent ransomware like Cryptolocker from executing its payload in the \USERS folder, AppData, Local App Data folders, or Temp directories.

Check if you have any Remote Desktop Protocol (RDP) ports open and disable these ports to prevent access to your desktop remotely. (TrendMicro reported a sharp uptick in the number of brute-force RDP attacks in 2016.)

Patch or update your software and browsers regularly. Windows Update ensures that you have security patches and fixes for your operating system. Remember, if you have Windows 10, your free malware/anti-virus protection app is Windows Defender. To get updated malware and virus signatures, and to update Windows Firewall, you have to run Windows Update.

On a related note, make sure your device firmware (even on routers, streaming devices, smart TVs, and refrigerators) is updated regularly.

Axe the non-essentials and known vulnerabilities

Remove Adobe Flash from your computer. Do you need Adobe Flash? Lots of malware attacks come from fake pop-ups that tell the user to update their Adobe Flash or from malvertising that uses Flash. If you do keep Adobe Flash, make sure that your antivirus/antimalware system actively checks for malware files. Other common browser hijacks will pop up a message saying you need to download an emergency update to Firefox or click to install free anti-virus software. Ensure that these kinds of applications update silently in the background so you won’t be fooled.

What to do if you think a ransomware attack is underway

If you suspect you’ve just landed on a site that’s infected with ransomware, disconnect your machine from the outside world. Unplug your Ethernet connection. Turn off your WiFi. If you move fast enough, you may protect network-attached drives from being affected. Get off the network and fire your anti-virus and anti-malware engines up immediately.

First – as I already stated – it’s a mistake to pay. (If you do decide to pay, it should always be a last resort.) Your first step should be to verify that it’s REALLY ransomware or malware, and not a browser hijack or a scareware popup that goes away when you close your browser and restart your computer.

It’s really ransomware: where to go for help (or to help others)

Ransomware can be divided roughly into two groups: sophisticated proware, and amateur hour. Even if it’s not just a scareware popup, some ransomware can be circumvented with built-in system tools. I know someone who was recently hit with Spora, a nasty and sophisticated cryptoware for which there’s no current fix. However, she managed to retrieve some of her files using Windows Previous Versions and volume shadow copies (VSS).

DON’T start with a random Google search. A huge number of search results from “how to fix ransomware XYZ” will be spurious or links infected with malware. (Criminals work the SEO to try to direct you back into their web.) Using another computer if you have to, go directly to the blog or forum maintained by your anti-virus or anti-malware solution provider and search for information there. In fact, major antivirus providers offer free ransomware discovery or decryption tools on their websites, and non-profit sites exist that will help you identify what’s infecting your system, so any of these links are also a good place to start:

Subscribing to security newsfeeds is a good way to keep your background knowledge high. If you want to read up on ransomware before you’re hit with an attack, Digital Guardian released its list of The Top 50 InfoSec Blogs You Should Be Reading (including authorities like Krebs On Security).

If you or someone you know is a victim of ransomware, the ransom note will tell you there’s a deadline of 48 to 96 hours to pay the ransom to get a private key. After the time has expired, the private key is gone and your data is forever encrypted. It’s possible to set the BIOS clock back in an attempt to delay the process and explore options. However, once the data is encrypted, you may not be able to access the files. If you can, make a new backup image of your files, even if they’re encrypted – you can always try decryption now, or at a later date once new solutions are released. (This is exactly what I told my friend who was a Spora victim to do with the rest of her hard drive that’s still encrypted.)

While this can’t be a comprehensive guide to fixing ransomware, I hope it was able to point you in the right direction. Before I leave, I want to share this amazing timeline of the varieties of ransomware released between May 2016 and today.

Until next time,

George Monsalvatge


Ransomware! What is it, and what can I do about it? (Part 1 of 2)

April 4, 2017 at 3:08 pm | Posted in cybersecurity, Knowledge, Technical Tips | 1 Comment

Ransomware! What can I do about it?

We live in dangerous times. Your cranky grandfather was right: they are out to get you – but who are “they,” and what the heck are we talking about? Ransomware, of course. It’s out there, and it’s coming for you.

Mobsters extort money from people. You may be a fan of mobster movies or the Sopranos on HBO, but it’s only fun to watch mobsters at work when you’re not the one getting the shakedown. I don’t know Tony Soprano, and besides, I like Joe Pesci’s character in Lethal Weapon III better than his characters in Casino or Goodfellas. Extortion could be coming to a PC, Mac, or even Linux box near you in the form of ransomware.


It’s fun to watch these guys on TV. It’s not so fun to be a victim in your own home.

First I’ll go over the basics of how ransomware works.  I’ll explain the most common mistake you may be making – even if you’re an IT professional – that might leave you a victim of a drive-by drive-locking. And, of course, I’ll tell you the best ways to prepare to fight ransomware.

In my follow-up post I’ll go over some specific strategies to harden your e-mail and firewall against malware attacks and share a recommended reading list for infosec news.

How the shake-down starts

You can be extorted on the Internet without being infected with ransomware. Hijacking someone’s social media account (like Instagram), changing their login, and then demanding payment for the user credentials is extortion, but it isn’t ransomware.

Ransomware is a type of malware that infects your computer and encrypts your files or blocks access to your own data. The ransomware displays a message stating that the attacker will unlock your files for a price, and that payment should be rendered through a nominally untraceable electronic currency, such as BitCoin or MoneyPak. It usually gives you a time limit and threatens to permanently destroy your data if you don’t pay before the deadline.

For home users, that price is usually set between $150-300 USD or Euros. For business victims, the demand might start at $500 – or it could be $10,000 and escalate from there.

How did the ransomware get there?

The malware that carries the encrypting payload is loaded on your computer in a number of ways. The malware could have come from a downloaded file or from a browser hijack. The malware could be hidden in another program. Any web site that hosts third-party ads, like recipe blogs and your favorite vintage car forum, can be a huge vector for malware no matter how innocent the site itself is; just visiting the site or clicking an ad by accident can expose you to a silent malware download.

No operating system is immune (not even mobile phones or home appliances). Ransomware can affect PCs running any operating system and Macs. Yes, I said Macs. A ransomware called KeRanger was found in BitTorrent software that was designed to install on the Apple OS X operating system. The KeRanger malware will encrypt files on your computer and try to encrypt Time Machine backup files to prevent you from recovering the data from a backup. The KeRanger malware attackers want $400 for the private key.

[Note: If you frequent Bittorrent sites, you know they have pirated files for download from shady servers. Don’t be surprised when you lie down with dogs and get up with fleas.]

What happens when the ransomware activates?

A majority of active ransomware uses a variation of Cryptolocker. Once the malware is loaded on your computer, it first contacts a central server on the Internet. That server creates a unique encryption key pair: a public key, which is kept on the local computer, and the private key used for decryption, which is kept on the attacker’s central server. Once the key pair is created, the malware begins encrypting files locally on your computer and on any mapped drives.

The attacker holds the private key and will sell it to you so you can decrypt your files. If you have ransomware on your computer, you will get a pop-up that instructs you to pay via BitCoin, MoneyPak, or something similar.

When ransomware is an offer you can’t refuse

Ransomware is common because it’s cheap to implement (for the attackers) and hugely effective. Steve Perry of Journey once sang the wheel in the sky keeps on rolling. Well, when it stops rolling, everybody raises hell. If your business has an outage, the data has to be restored. Money never sleeps; your network has to hum along 24 hours a day. The Internet is like Waffle House: it never closes. (I can go on and on in this vein. Don’t try me.) In short, your customers expect that you will never be closed and that your (and their) data will always be there. Ransomware that locks your data up has kneecapped you right in the business income.

Many business victims would rather just pay the ransom and get access restored. The logic goes that it’s better to pay rather than to lose an unknown amount of revenue from the downtime they’ll incur while trying to root out the infection and restore systems.

Unfortunately, this is EXACTLY why ransomware continues to flourish, and exactly the wrong response to an attack.

Whatever you do, if at all possible: DON’T. PAY. THE. RANSOM. There are two very important reasons why this is a bad idea:

  1. You are dealing with criminals. There is no guarantee you’ll even get the private key to unlock your files.
  2. If you pay, you only encourage this crime to continue.

However, it’s easy for me to lecture you on this. I didn’t have my laptop full of all my kids’ photos, my graduate thesis, the last video of my late wife, or some other valuable data extorted from me. I can honestly say that if I was in that situation, I don’t know whether I would pay to get that data back.

The #1 mistake that leaves you vulnerable to ransomware

Pirating movies. Frequenting shady websites. Buying a “smart” refrigerator and letting it connect to your home wireless router without changing the default settings. Failing to keep your anti-virus programs updated. All of these are bad ideas, but they’re not the #1 mistake that makes you most likely to shell out the (bit)coin and retrieve your data.

Sure, our goal should be to never get infected with ransomware. But given the speed at which these attacks evolve, it’s not realistic to assume that our firewalls and anti-virus software will be 100% effective. The best offense is always a good defense; with ransomware, the best defense is a secure recent backup.

Threats only work if you’re afraid of the consequences. With a secure external backup, you can wipe your system and walk away from the demands.

After all, if you have a full image of your system and a secure external copy of your data, you can risk losing a few days’ worth of files while you wipe and reimage your system to remove the malware. You could use a snapshot to restore your system, or clean your machine and restore your data.

Unfortunately, home users (and many small businesses) rely on cloud-connected file services like OneDrive and Dropbox to back up the copies stored on their hard drives. Or they never keep a local copy at all, assuming that the cloud provider’s intrusion defenses are better than anything they could set up themselves.

Rest assured: backing up to the cloud won’t protect your data. Malware like CryptoLocker can encrypt files on mapped drives and external drives. This means that a Dropbox, OneDrive, Google Drive or other cloud folder that is mapped to your machine is within the malware’s reach, and your cloud-based files can be encrypted just like your local ones.

You should treat the personal data on your laptop or desktop, and company data on your company’s laptops and other devices, just like the data on corporate servers: schedule regular backups. Furthermore, those backups need to go to external drives.

Back up your drives to an external drive on a regular basis, or use a backup service that does not appear as an assigned drive letter on your machine. Why does it have to be an external drive? Variants of CryptoLocker look for the Volume Shadow Copy snapshots (“shadow files”) on your computer and disable or delete them, so a backup that lives on the same machine, or on a drive the malware can see, is not safe.

How often you perform backups will determine how much you lose.
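As an added example that is not part of the original post: a small Python script that records SHA-256 hashes of a backup set and later verifies the backup against that manifest, flagging files that changed, vanished, or appeared with near-random content, which is what an encrypted file looks like. All file names and contents in the demonstration are constructed.

```python
"""Backup-integrity check (added example, not from the original post).

Record a manifest of SHA-256 hashes while the backup is known good; before
restoring, verify the backup set against it. Changed or new files whose bytes
look random (high Shannon entropy) are flagged, because that is what the output
of file-encrypting ransomware looks like. Paths and contents below are constructed.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8.0
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of a file feeds the entropy estimate


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are never loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file's root-relative POSIX path to its hash and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree with the manifest and classify every file."""
    current = build_manifest(root)
    report = {"intact": [], "modified": [], "missing": [], "added": [], "suspicious": []}
    for rel, meta in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] == meta["sha256"]:
            report["intact"].append(rel)
        else:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    # Only changed or new files can have been encrypted; check whether they look random.
    for rel in report["modified"] + report["added"]:
        with (root / rel).open("rb") as f:
            if shannon_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                report["suspicious"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario: snapshot a backup set, then simulate a ransomware run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photos").mkdir()
        (root / "photos" / "kids.jpg").write_bytes(b"\xff\xd8" + b"\x00" * 4000)
        (root / "thesis.txt").write_text("Chapter 1. " * 200)
        (root / "notes.txt").write_text("remember to test the backup\n")
        manifest = build_manifest(root)  # taken while the data was known good

        # Simulated damage: one file renamed and overwritten with random bytes,
        # one file edited normally (a legitimate change), one left untouched.
        (root / "thesis.txt").unlink()
        (root / "thesis.txt.locked").write_bytes(os.urandom(8192))
        (root / "notes.txt").write_text("remember to test the backup, weekly\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

Keep the manifest itself off the machine being backed up, for the same reason the backup drive should be external: anything the malware can reach, it can alter.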

In our next post…

In my next post I’ll share a few ways to harden your OS, firewall, email, and end users – even your grandma – against some common ransomware entry points. I’ll also suggest ways to handle the dreaded “friends and family support call.”

Until next time,

George Monsalvatge

 

NASCAR and Microsoft: A match made in Victory Lane

June 24, 2015 at 4:42 pm | Posted in Microsoft, Vendor news

I grew up in “stock car” country and loved to see auto racing, so I was pretty pleased when Microsoft announced it has teamed up with Hendrick Motorsports. NASCAR and Hendrick Motorsports will use the Windows 10 platform and Microsoft Azure to deliver technology solutions to make the cars faster and the fan experience better.

Microsoft will sponsor Dale Earnhardt Jr.’s Number 88 car.

For those of you not familiar with NASCAR, it is auto racing using cars that resemble standard stock cars, except that these go 200 miles per hour around a track. Unlike Formula One or other open-wheel racing, stock car racing is full contact. These drivers bump and bang their cars into each other for 500 miles. Dale Earnhardt Jr. is the most popular driver in the sport, and Hendrick Motorsports is the most successful team; it includes four-time champion Jeff Gordon and six-time champion Jimmie Johnson.

Microsoft has made inroads into other sports recently. If you are a fan of American football, then you may have noticed that every NFL team uses Microsoft Surface tablets. NASCAR has a large fan base in the United States. One of the reasons for its popularity is the interaction with the fans. When they’re at the track, fans can get pit passes to tour the garages and see the cars and teams up close. Even if a fan is not at the track on race day, the fan can get a 3D virtual picture of the live race, hear live race radio, and stream live audio of the driver talking with his crew during the race. Technology plays a big part on the competition side of NASCAR as well, with the teams trying to shave a hundredth of a second off a lap or pit stop.

In 2014 NASCAR used a Windows touch-enabled mobile line-of-business application for the race car inspection process across all three NASCAR series (Camping World Truck, Xfinity and Sprint Cup), which reduced inspection times by nearly half. NASCAR will use Windows 10 as its platform to run all apps for different types of devices and race operations. NASCAR teams will use this information to make quicker and more informed decisions in race situations. Hendrick Motorsports will use Azure to capture and analyze terabytes of data for race simulations. Making critical decisions at critical times is how great race teams win. How many laps can I keep the car out on the track before I need to get gas in the pits? How many laps can I get on these new tires now that the sun has come up and heated the track by 10 degrees? If we give the car a track bar adjustment late in the race, will this give us a competitive edge? Knowledge is not only power, it is the difference between winning and losing.

Earnhardt said, “I’m a big technology user and really enjoy Microsoft products.” Dale Jr. may be excited about playing around with Windows 10.

As you’ve probably already heard, everybody that owns Windows 7, Windows 8, or Windows 8.1 can get a free upgrade for Windows 10 on July 29th, 2015. I know I’m supposed to be writing a more computer-oriented post here, but personally, I just can’t wait to see what improvements this will bring to my favorite sport. I hope to see you at the track.

Shake and Bake!

–George Monsalvatge

What went down at Microsoft Ignite 2015

May 13, 2015 at 11:53 am | Posted in Conferences, Microsoft, Vendor news

After spending a week in Chicago at Microsoft Ignite, I have a lot to report.

First, some comments on the big picture. Microsoft CEO Satya Nadella said that Microsoft has changed its strategy from buying companies to partnering with companies to get at new technologies and provide services to Microsoft customers. Microsoft wants to be mobile first and cloud first. They announced that there will be new changes to Azure to make it the next-generation hybrid cloud. Microsoft hopes to convince customers to use Azure as their secure public cloud deployment.

Windows 10

Yes, there was a big splash for Windows 10. Microsoft VP Joe Belfiore presented Windows 10 at the keynote. Windows 10 is billed as “Windows as a service.” The voice assistant, Cortana, will be built in. Cortana can perform web queries and pull indexed files on the computer or OneDrive. Internet Explorer’s days are numbered; IE is slated to be replaced by the new Edge browser.

The Edge browser will have a language extension to quickly translate a website from one language to another. You will be able to use Microsoft Passport with Windows 10, which means you can use your face as authentication to log in. Encryption in Windows 10 will improve. In the past, you could use BitLocker to do an “all or nothing” drive encryption. Now you can encrypt by document, not by drive. You can extend the protection further by emailing the encrypted file to another person in the company and allowing that person to open it if they use the same encryption type. Users outside the company will not be able to open the file. You could copy the encrypted file to a USB thumb drive so that another person in the same company could open it, while a person outside the company could not.

Windows Update for Business

When you mention Windows updates to someone, their eyes roll and a low guttural groan comes from their mouth. A system administrator does not like to be overloaded with untested patches that will be applied to unsuspecting computers. With Windows Update for Business, the administrator will have more flexibility over which updates are applied to company computers. You can configure distribution rings so that updates will not show up on the first Tuesday of the month. You can configure maintenance periods to avoid updates and configure peer-to-peer distribution. Windows Update for Business will be free for Windows 10 Pro and Windows 10 Enterprise.

HoloLens

Microsoft mentioned HoloLens, but did not offer a demonstration. HoloLens is a holographic headset which overlays virtual environments onto real ones. Is this another Google Glass, or something else? Too soon to tell.

Reinvent the nature of work

Millennials are changing the way business works. Yes, Millennials were raised by “helicopter parents” and always got a trophy for participating. However, this same generation will be the majority of the workforce in five years (2020). Millennials believe work is what you do, not where you are. Companies such as Uber and AirBnB have used technology to disrupt industries in a similar way to how Millennials have changed corporate culture. Millennials care less about how the individual worker is productive, and more about how the team is productive. Microsoft announced that Office 2016 and Skype for Business will help change the nature of work to better fit the needs of this generation. Skype was mentioned a lot because studies show that 55% of communication is body language, rather than spoken word.

Security

VP Brad Anderson mentioned that the attendees of the Microsoft Ignite conference were not James Bond, but rather the dude with all the nifty gadgets, Q.

Security is the number one topic on every company’s agenda. Microsoft took the opportunity to highlight the security features of Windows 10. Device Guard verifies whether each application is signed by Microsoft. Device Guard will prevent the application from downloading if the code is not approved. Outlook has been improved to prevent data leakage. Data leakage protection keeps data from being copied and pasted to non-approved applications, such as Twitter, so employees cannot Tweet security secrets. You can create a policy to allow copy and paste, but ensure that the action is logged for security purposes. Microsoft also announced its Advanced Threat Analytics (ATA) software that uses deep packet inspection and file analysis to determine suspicious data. ATA can spot the location of a potential attack.

Coming Soon

Yes, there will be a new version of Windows Server and SQL Server, Windows Server 2016 and SQL Server 2016 respectively. There was not a sneak peek of either one. However, there was mention that SQL Server 2016 will allow you to stretch part of a table into the cloud. A good use of this could be stretching a table that contains historical data.

Microsoft Ignite was different from the Microsoft TechEd shows of the past. For starters, it was a heck of a lot bigger. There were over 20,000 reported attendees at the inaugural Microsoft event. The McCormick Convention Center was a city in itself. If you were there, I hope you got an opportunity to visit the Hands On Lab.

The Hands On Lab offered you the opportunity to run through different labs on SharePoint, Azure, Office 365, SQL Server, and others. Attendees of Microsoft Ignite can access these labs online through https://myignite.microsoft.com/#/ until June 1st, 2015. If you did not attend, you can still access Microsoft online labs at https://technet.microsoft.com/en-us/virtuallabs/bb467605.aspx for free.

Microsoft Ignite was a blast. It will be back in Chicago next year. I hope to see you there!

20150507_194310-1

–George Monsalvatge (that’s me in the middle)

Microsoft Ignite 2015: Sweet Home Chicago

April 29, 2015 at 12:51 pm | Posted in Microsoft, Vendor news

Leonard and Phil Chess started a record company named Chess Records in Chicago that forever changed the face of music. In the first week of May 2015, Microsoft will have their new educational megaconference, now named Ignite, in Chicago. Will something be announced at the Ignite Conference that will change the tech world? I don’t know, but I can’t wait for the keynote address.

 

Instead of hosting separate events for SharePoint, Lync, Exchange, Project, and TechEd North America, this year Microsoft rolled several annual conferences into Ignite. Not surprisingly, this conference is already sold out. However, even if you can’t attend in person, you may still be able to look at Windows 10, as well as learn the latest features and changes taking place with Azure, Exchange, SharePoint, Office 365, SQL Server, System Center, Windows Server, Visual Studio, Intune, Lync, and more. Microsoft usually publishes online versions on Channel 9.

Because Ignite replaces the venerable TechEd, Microsoft will provide opportunities for you to get certified at the conference. During the week of the conference, onsite testing will be available to all attendees for $75, which is 50% off the regular price. You can visit http://www.microsoft.com/learning to preregister for the exam. Use the promo code ignitena at checkout to get the 50% discount.

There will be at least 15 exam prep sessions conducted by Microsoft Certified Trainers (MCTs). MCTs will walk you through each objective on the exam to ensure that you know what is covered on the test. Check the Microsoft Ignite schedule for the times and rooms for these sessions.

There will also be a study hall at Microsoft Ignite that will offer free access to practice tests before you go take an exam. The study hall will be located in Certification Central. Along with free exam prep resources, there will be MCTs on hand to answer questions and offer advice on taking the exams.

This inaugural event will include a Hands-On Lab that gives you the opportunity to run through hundreds of labs on Azure, Exchange, SharePoint, Office 365, SQL Server, System Center, Windows Server, Visual Studio, Intune, Lync, and more. These labs are self-paced and are a great way to increase your knowledge about a topic or learn a new technology.

MCTs are running these labs on site to ensure that everything runs smoothly. The Hands-On Lab is open every day, and I encourage you to stop by. I will be working in the lab, so come by and say Hi.

Also do not forget about the Attendee Celebration on Thursday. The food will be great and the beer will be cold. To quote the late famous Chicago Cubs announcer, “Holy Cow”!

 

New conference, but still the man with the unpronounceable name,

–George Monsalvatge

Microsoft TechEd 2014 — I’ll see you there!

May 9, 2014 at 3:38 pm | Posted in Conferences, Microsoft, Transcender news | 3 Comments

TechEd 2014 is happening next week in Houston (May 12-15). If you haven’t already heard, this event is SOLD OUT, and no, you can’t just buy tickets from a scalper. (It looks like a limited number of Expo Only passes are available as of this writing, but that’s it.)

Why all the hubbub to attend an annual event? What’s in it for you? Well, not only do you get to attend four days of presentations on the latest tech, but if you’re in the market to upgrade your resume, you’re in luck: Microsoft will be offering 50% off of all MCP exams to attendees at TechEd.

Study hall, free Transcender practice tests, and Hands-On Labs

Not only can you take your MCP exam at TechEd, but you’ll have plenty of support to prepare for your exam. There will be targeted exam prep sessions led by different MCT Ambassadors (check the TechEd schedule as times and locations are released/updated).

Or, you can escape the convention center and study using Transcender practice tests in a quiet environment (including our newly released 70-412, Configuring Advanced Windows Server 2012 Services R2). The Study Hall is located in Room 339 on level 3 of the Hilton Hotel this year. The workstations there will also provide you with free e-books and on-demand training from the Microsoft Virtual Academy (MVA). To get there, just take the sky bridge on the 3rd floor of the Convention Center across to the Hilton Hotel, 3rd level.

I believe one of the greatest features of TechEd is the Hands-On Lab. The Hands-On Lab offers you 214 different labs on different technologies that you can work through at your own pace. For example, if you do not have SQL Server 2014 installed at your office, or have access to a private cloud that you can practice with, the Hands-On Lab is the place to go.

Where’s George? Find me and win a future practice test discount

The best MCTs on this planet and I will be working in the Hands-On Lab to help you through any of the technologies. I’ll also be available in the Study Hall to help set you up with practice tests and study materials.

If you can find me at the Hands-On Lab (or the Study Hall), come on up and say hello. Bonus points if you can pronounce my last name correctly — hint: it’s spelled “Monsalvatge.”

If you see this smiling mug, snap a photo and post it to social media — or, better yet, snap a selfie WITH me in the frame, tag us on Facebook (@Transcender) or Tweet us @TranscenderPrep, and we’ll send you a post-show discount!

Too shy to post your mug to social media? Closet social media Luddite? Not to worry. You can just give me your contact information (business card, SMS) and I’ll make sure to email you the promo code after the show.

How to score your 50% off (or FREE) certification exam sitting at TechEd

If you want to take an MCP exam at TechEd, I strongly recommend you schedule it in advance. To do so, go to Prometric.com and then follow these instructions:

  • Choose “United States,” and then select Texas as the state.
  • Pick test center MC62 or MC63 at the George R Brown Convention Center.
  • You can take 74-409 – Server Virtualization with Windows Server Hyper-V and System Center for FREE with promo code TENA409.
  • For all other MCP exams, use TENA50 as the Promo Code to get your 50% discount.

If you’re already a TechEd ticket holder and you plan to take advantage of ExamDiscountpalooza, here’s a word of advice from my past experience: the best day to take exams is Sunday. Yes, the test center will be open from Sunday through Thursday, but knocking it out early on Sunday will ensure testing doesn’t overlap your other TechEd sessions. Furthermore, if you happen not to pass your exam, you can retake it after 24 hours have passed instead of paying full price after TechEd is over. And finally, signing up for an early slot lowers your chance of losing your exam seat to a walk-in registrant.

George’s Picks For Events

As a longtime TechEd attendee, I am always blown away by the amount of programming available. Here are my suggestions for the events I’ve marked as “must attend” at TechEd.

The TechExpo is held Monday night from 6-8:30 at the Convention Center. You get to meet the vendors, see what new products are available in the marketplace, and get some neat “swag.” And, oh yes, there is food and drink.

Straight after the TechExpo is the Certification Nation Celebration party. Just show your MCP ID to get in. If you do not have an MCP ID, this is a great opportunity to get certified. Check with the folks at the Study Hall to find out where the celebration will be. You can mix and mingle and share testing stories with other candidates.

Tuesday is networking night from 6:30 to 8:30 at the Convention Center. Get the opportunity to make friends and find people in similar fields.

If you are female, you may want to check out the Women in Technology luncheon from 11:45 to 1:15 on Wednesday. This is another great opportunity to network.

Thursday is the Attendee party. If you have ever been to TechEd before, you know how fun this is. This will be at Minute Maid Park, the home of the Houston Astros, affectionately known as the “Juice Box”. I will see you there.

–George Monsalvatge

Death cometh for Windows XP?

March 21, 2014 at 7:58 am | Posted in Microsoft, Technical Tips, Vendor news

Microsoft has announced that as of April 8, 2014 there will no longer be any technical assistance for Windows XP. There will be no more automatic updates for Windows XP. You will be able to receive anti-malware signature updates if you have installed Microsoft Security Essentials, but only for a limited time after 4/8/2014. With no security patches to protect it, is this the death of Windows XP?

I am not sure how to react to the death of Windows XP. Do I put on a coat and tie, invite some other XP users over, and say some nice words about the operating system? Do I sing “Dust in the Wind” like Will Ferrell did in the movie “Old School” at the funeral for the beloved character “Blue”?

What I do know is that my Windows XP computer will not drop dead on 4/8/2014, but the risk of a Windows XP computer getting hacked increases significantly.

Who cares, you say? No one runs Windows XP anymore, you say? That is not quite true. As of December 2013, Windows XP computers represented 30% market share according to netmarketshare.com. According to the NCR Corporation, 95% of the ATMs worldwide run Windows XP. Not to mention the number of medical devices using Windows XP. My coworker Ann snapped this photo during an unscheduled visit to the emergency room at a major metropolitan hospital on 3/14/14:

The end of support for Windows XP will require many companies to make decisions on the future of their products. Product manufacturers will need to upgrade to stay ahead of any compliance issues caused by a lack of security updates.

Companies have been lukewarm to Windows 8, so I do not expect them to jump on the Windows 8 bandwagon. However, Windows 7 has been up and running for several years and has a solid install base of about 47%, according to netmarketshare.com. Granted, hardware will need to be upgraded or replaced to support the upgrade, but there are many other choices besides Windows 7. Linux and Android have a chance to take advantage of this change. Could the death of Windows XP mean Microsoft no longer dominates the operating system market?

In the past, companies continued to offer applications to customers who ran outdated operating systems, especially in the medical industry. I expect that companies will still support applications that run on Windows XP long after the end-of-support date. People will still use old operating systems, just as they drive old cars. For example, I drive a car that is more than 41 years old, and I clock more than 8,500 miles a year on that car:

My 1973 Volkswagen Beetle is not as safe as a car manufactured after 2010. I drive it because it’s fun to drive, but I take precautions. I will not drive the car for more than 100 miles at a time. I always make sure that I have an auto club subscription like AAA. If you drive an old car, you know you’ll need to upgrade the brakes, upgrade the headlights, and upgrade the safety belts. I replaced the ignition in 2014. Similarly, if you decide to keep Windows XP on your home machine or have your company’s applications continue to run on Windows XP, you will need to keep a few things in mind:

  • Older Internet browsers are lightning rods for security hacks. Upgrade those browsers to the latest version that will run on Windows XP.
  • Keep up-to-date anti-virus and anti-malware software. Microsoft will support anti-malware signatures for some time after the end-of-support date. Look for third-party companies that may continue to provide anti-virus and anti-malware support for Windows XP.
  • Scale back privileges on the computer. Restrict administrator privileges anywhere possible to minimize risk.
  • Have a plan to move data to a new operating system.

Microsoft offers a free program to migrate your data from Windows XP to Windows 8.1 called LapLink. The program will transfer your data, but will NOT migrate your applications. There are several third-party applications that you can purchase to transfer both data and applications, such as PCmover.

Although we do not like to think about it, death comes for us all. Like my father, the insurance salesman, would say, “You always need to provide for the inevitability of death”. If you have Windows XP, death is knocking on the door. Make sure that you insure yourself against the security risks of running Windows XP and have a plan for moving data to a new operating system.

Good Luck!
