Data security

Feb 11 2009   8:08PM GMT

Tracking down that user/computer that locks AD accounts

Posted by: Troy Tate
Data security, administration, analysis, antivirus, anti-virus, diagnostics, howto, information security, malicious activity, malware, Microsoft, Microsoft Windows, Active Directory, AD, network security, Password, policy enforcement, reporting, risk, risks, scanning, search, Security, security notification, tools, troubleshooting, Windows, password management, account management

With an environment spanning 18+ sites and more than 3000 computers around the globe, you could understand how challenging it would be to track down what device/user might be locking user accounts. There are tools out there that you can pay for that can help do this. However, Microsoft has some free tools that with a little testing and use will permit you to quickly track down where the account is being locked and address the situation.

We had a situation recently where malicious software got onto a couple of machines and attempted to use the Administrator account to login. We have account lockout on our Windows 2003 AD domain, so after the appropriate number of invalid tries the Administrator account was locked out in the domain. This is because the machines were members of the domain and the malware did not distinguish the local administrator account from the domain administrator when attempting to elevate authority. Note that we use least user authority in our environment so the malware was not able to spread beyond these two machines. We suspect the machines became infected due to out of date antivirus signatures.

Unfortunately, the antivirus we use did not alert us to the situation. The way we were alerted was by our Microsoft Systems Center Operations Manager (SCOM) implementation. It notified the SCOM admin that the domain Administrator account was locked. The operations team was then tasked with tracking down what or who was locking this account. This is where the Microsoft Account Lockout and Management Tools came in use and helped isolate the cause. Continued »

Dec 3 2008   3:50PM GMT

Holiday greeting cards, holiday shopping and computer security awareness

Posted by: Troy Tate
administration, Firewalls, Security, Microsoft Windows, Browsers, IT education, spam, antivirus, homeland security, Data security, malware, SSL, phishing, Firefox, Microsoft, anti-virus, online identity, risk, awareness, vulnerability, education, data loss

I just sent this email reminder to all users in my organization. I would recommend you do something similar if you are not already ensuring users are aware of these issues. Feel free to use my content and add your own.

 It is that time of year again when folks send electronic holiday greeting cards to one another. Some of the greetings may also be games that bear holiday messages. It is also a time when malicious software spreads using these same types of messages and software. You should also be cautious when doing any holiday shopping online or at stores. It is important that you and those you communicate with understand these risks. Your finances and identity are always at risk in today’s technology environment, but you may be less attentive during the holiday season. The following 10 tips are meant to remind you of some important security precautions.

 

1.    Do NOT use your company email address for personal holiday greetings or shopping activities. Merchants may sell your email address to other non-reputable sources and this puts your company identity at risk.

 

2.    If you receive personal holiday greetings or “cute” games at your company email address, ask the sender to not send those to you at work. Use a personal email account for those communications.

 

3.    If you do receive holiday greetings or games at your personal email address, check with the sender before opening to be sure they sent the message. Spammers and malicious software writers can easily deceive you through social engineering. They will do everything possible to get you to open their message and potentially damage your computer and/or harvest your email address as a valid address.

 

4.    Don’t trust everything you see online. Finding something on the internet does not guarantee that it is true. Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable.

 

5.    If it looks too good to be true, it probably is. You have probably seen many emails promising fantastic rewards or monetary gifts. However, regardless of what the email claims, there are not any wealthy strangers desperate to send you money. Beware of grand promises—they are most likely spam, hoaxes, or phishing schemes. Also be wary of pop-up windows and advertisements for free downloadable software—they may be disguising spyware. Close the pop-up windows by clicking the X in the top right corner. Do not click the YES, NO, or CANCEL buttons in the window. It may cause unwanted computer issues if you do. Do not trust what you see in these pop-up windows. Contact IT support if you have any questions or issues.

 

6.    Avoid phishing schemes. Banks and other institutions will not actively solicit personal information by email. When you click a link in an email asking for this type of information, your choice may risk your finances and personal identity. The link may take you to a website hosted by someone with malicious intentions. If you enter your personal information on the website, you have just had your identity taken by a social engineering attack and may have incurred a financial loss.

 

7.    If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).

 

8.    If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account. Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

 

9.    Do not participate in forwarding chain letters or perpetuating hoaxes or urban legends. Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category. Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form are the emails that promise users monetary rewards for forwarding the message or suggest that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted network bandwidth, server resources and time. If you want to check the validity of an email, there are some web sites that provide information about hoaxes and urban legends: Urban Legends and Folklore - http://urbanlegends.about.com/;  Urban Legends Reference Pages - http://www.snopes.com/; Hoaxbusters - http://hoaxbusters.ciac.org/; TruthOrFiction.com - http://www.truthorfiction.com/; Symantec Security Response Hoaxes - http://www.symantec.com/avcenter/hoax.html; McAfee Security Virus Hoaxes - http://vil.mcafee.com/hoax.asp

 

10. Protect yourself while shopping online. Use and maintain anti-virus software, a firewall, and anti-spyware software. Keep software, particularly your web browser, up to date. Do business with reputable vendors. Take advantage of security features like secure passwords and encrypting information between your computer and the vendor’s website (look for the “lock” symbol in the browser or the website address beginning with “https” rather than “http”. Use a credit card rather than a debit card. Check your statements for any unusual or unauthorized activity.

 

Hopefully these tips will help you and those around you to have a happy holiday and reduce the risk of an unwelcome holiday event due to being uninformed. Please feel free to share these tips with your friends and family to help increase awareness and reduce risky behavior.

 

See the CERT Cyber Security Tips website for more information like this.

Nov 18 2008   1:23PM GMT

Do you support Windows 2000? - Heed the support lifecycle calendar

Posted by: Troy Tate
Data security

Microsoft has updated their product support lifecycle calendar. For those of you who support Windows 2000 you will need to understand the support options available to you.

Windows 2000 Professional

• • On July 13, 2010, Extended Support for Windows 2000 Professional will end.
  • Self-Help Online Support will be available after this date.
  • Custom Support will be available. Pricing and other details to be available soon.

 

Windows 2000 Server

• • On July 13, 2010, Extended Support for Windows 2000 Server will end.
  • Self-Help Online Support will be available after this date.
  • Custom Support will be available. Pricing and other details to be available soon.

 

Window XP support lifecycle is described as below:

 

Windows XP

• • Mainstream Support for Windows XP will continue until April 14, 2009.
  • On this date, Windows XP will transition to the Extended Support phase which will be available until April 8, 2014.
  • Support for Windows XP Service Pack 2 (SP2) will end on July 13, 2010.  Service Pack 3 (SP3) will need to be installed after this date to remain in a supported state.
  • Any extensions to the sales date, do NOT change the Mainstream and Extended Support dates.

Go to the Microsoft Support Lifecycle website for details on support policy on various products. You can also signup to get a quarterly Support Lifecycle newsletter to stay on top of this issue.

Nov 11 2008   3:51PM GMT

Did you see this? - MS08-067 and the Security Development Lifecycle

Posted by: Troy Tate
administration, Security, Microsoft Windows, patching, Development, debugging, Data security, malware, design, Microsoft, server, risk, awareness, blog, vulnerability, analysis

As you probably already know, Microsoft issued an urgent out of cycle security patch recently for a Vulnerability in Server service could allow remote code execution. Look here for additional Microsoft Security Vulnerability Research and Defense information about this bulletin. If you have not already applied this patch, I urge you to do so as there are reports of MS08-067 exploits in the wild for this vulnerability. For those of you who are developers and QA testers out there and wonder about how this vulnerability slipped through testing at Microsoft. Look at this article about MS08-067 and the Security Development Lifecycle. Like many of the responses to this blog posting say: keep code as simple as possible. Automated testing is not a panacea and keeping things simple may head off signficant problems later for all users and administrators.

Oct 10 2008   7:58PM GMT

Counterfeit Metrics - Type II Reverse Engineering

Posted by: Troy Tate
Security, Monitoring, reporting, IT education, Data security, malware, performance monitoring, botnet, Metrics, risk, research, awareness, vulnerability, dhs, analysis

If you are into metrics, you might find this article rather interesting. For Good Measure: Type II Reverse Engineering

A couple of the security metrics I find interesting:

Counterfeit hosts (zombied/botted): 30% (estimated)
Odds that neither end of a P2P session is øwned: 50–50
Bytes required to counterfeit a presidential candidate: 1

Dollar value of counterfeit Cuban
cigars: $100 million
Dollar value of counterfeit whisky: $700 million
Dollar value of counterfeit IT: $100 billion

Information like this really helps you understand why hackers and criminals do the things they do. I’m not endorsing it by any means.

Oct 9 2008   3:00PM GMT

Alternatives to e-mail attachments - SharePoint is risky!

Posted by: Troy Tate
administration, Networking, Firewalls, Storage, Security, DataManagement, intellectual property, email, Data security, Policy, SharePoint, Exchange, design, website, risk, policy enforcement, vulnerability

I’m looking for some help on this topic and have posted a question to the ITKE community. Hopefully someone out there has had some experience with this service for your organization and can provide some valuable insight.

One group I participate in is a mailing list from SANS. If you have not attended a SANS event or education, then you should try to get to one of their events. They are one, if not, the premier non-vendor related security and systems administration group in the IT industry. I posed the same question to this peer group and have had some very good responses. Some suggestions for solutions have come back and include:

Microsoft Office SharePoint (http://www.microsoft.com/sharepoint/default.mspx)

OpenText – Livelink (http://www.opentext.com/2/sol-products/sol-pro-llecm10.htm)

Webex Connect – (http://webex.com/enterprise/index.html) (There are other flavors for small & medium business)

 Accellion -  http://www.accellion.com)

 

These are very interesting solutions and I will certainly be looking at all potential candidates. One thing that bothers me about the SharePoint option is its security capabilities. SharePoint is typically Microsoft Active Directory integrated. This has major security implications and in fact CSO magazine has posted a recent article on this topic. I recommend that you read the article and understand what risks the SharePoint solution may open for your organization.

Why Security Pros Hate Microsoft SharePoint

Microsoft’s SharePoint collaboration platform is all the rage in today’s business world, especially since third parties gained the ability to plug security holes. But managing it can still be a nightmare for IT security shops.

I am still looking for more references and ideas for this solution, so please share what you are doing for your organization and it will be much appreciated by me and other readers.

Oct 6 2008   1:12PM GMT

Did you see this? - Process monitor now does TCP/UDP monitoring

Posted by: Troy Tate
administration, Networking, forensics, Security, tools, Microsoft Windows, Monitoring, reporting, internet, LAN, debugging, Data security, malware, performance monitoring, recovery, Microsoft, anti-virus, troubleshooting, Performance, howto, network analysis, Sandbox, packet capture, research, diagnostics, Sysinternals, toolkit, analysis

If you ever need to get under the covers of running Windows processes for investigating why a system is running slow, then the Sysinternals toolkit has an updated tool that will help you. Per the website:

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista.

I had previously talked about the Sysinternals Live website. This update to one of the excellent tools is well worth your time in investigating. Take a look at the updated tool here. The entire Sysinternals toolset can be found here.

If you have not used these tools yet, then you are definitely missing a critical item for being successful in your IT position. Check them out… it may save your reputation some time!

Oct 3 2008   7:59PM GMT

Did you see this? - Open Source Tools University

Posted by: Troy Tate
administration, Networking, Firewalls, forensics, Security, tools, Monitoring, reporting, internet, IT education, WAN, LAN, debugging, Data security, SSL, performance monitoring, blogging, design, anti-virus, troubleshooting, Performance, howto, network analysis, Sandbox, Metrics, wireshark, packet capture, research, blog, podcast, diagnostics, toolkit, analysis

If you are like me, you like those little goodie tools like nmap and wireshark that do something that is actually pretty complex but do it well and have a great following. I just came across this website that I am going to have to take some time to go through and find all of the nuggets it offers. Hope you get some use out of it too and let us know what you discover and how it made your job easier.

LoveMyTool

There are presentations on this site like the Wireshark IO Graph for Response Time Analysis (by Ray Tompkins).This should be a great online learning experience. You will find contributors like Sake Blok, a Wireshark Core Developer and Denny K Miu of StartupforLess.org - A Survival Guide for Bootstrapping Entrepreneurs

Oct 3 2008   3:25PM GMT

Did you see this? - Six things you should do on a decreasing IT budget

Posted by: Troy Tate
Data security

Still stuck with lowering IT budgets and increasing costs? Hear Laura Chappel’s six things you should do on a vanishing IT budget.

See and listen to the presentation here.

Sep 30 2008   1:34PM GMT

Did you see this? - Laura Chappell’s Troubleshooting & Security Summit

Posted by: Troy Tate
Networking, forensics, Security, tools, Monitoring, reporting, DataManagement, WAN, LAN, Data security, malware, SSL, performance monitoring, troubleshooting, honeypot, Performance, Network TAPs, howto, network analysis, Metrics, wireshark, risk, packet capture, research, awareness, education, toolkit

Maybe you already know Laura Chappell (The Viral Bitgirl), if not then this is your chance to meet her and gain loads of knowledge in 2 days.

On November 4-5, 2008 - Las Colinas, TX (near Dallas-Ft Worth airport) Laura will be holding a Troubleshooting and Security Summit.

In two full days you will walk away with more security, optimization and troubleshooting knowledge than you’d get after spending months in the field figuring this out.

Learn the best practices and most efficient tools to use to analyze wired and wireless network performance to optimize and secure network communications from Laura Chappell, Founder of Wireshark University and Protocol Analysis Institute. See the Summit 08 special pricing and group discount information below. Register today at www.chappellsummit.com.

Key points include:
* TCP Enhancements in Vista/Server 2008
* Faster File Transfers with SMBv1 vs. SMBv2
* Traffic Analysis between Virtualized Hosts
* Proven Techniques to Baseline the Network
* Latency Chokepoints
* Automatic Traffic Capture and Analysis
* Network Security and Forensics Procedures
* Key Points to Deploying Decoys
* Suspicious Traffic Signatures
* Handling Traffic Evidence

Bring Your Own Laptop (BYOL) Format
This hands-on lab-based course offers a series of demonstrations and individual hands-on labs to rapidly improve and expand your skill set. You will leave with your laptop loaded with tools, trace files and configured to improve network performance and security immediately after class.

GUEST SPEAKERS
*Gerald Combs, Creator of Wireshark - Must-Know Steps to Analyzing Virtualized Communications and the Future of Wireshark

* Tom Quilty, Cybercrime Investigator for BD Consulting and Investigation - Preparing for and Handling a Data Breach or Theft

Register Today - Seating is Limited
Register online at www.chappellsummit.com. Registration $1,295 - Early Bird $995 (ends midnight PDT Tuesday 9/30/08)

Group Discounts: Bring in two or more people from your company and receive $100 off each additional registration. Contact Brenda Czech at +1 408-378-7841 for more details.

Wireshark University Savings: Attendees receive the Wireshark University WSU03 Troubleshooting Network Communications self-paced course free with the student kits. Registered attendees also receive a 50%-off coupon on Wireshark University Self-Paced Courses.

Register today.
www.chappellsummit.com

If you go, please share some of the tips and tricks you gained with the ITKE population. Help spread the word!