Category Archives: Computer Tech

The scourge of Ransomware

From Wikipedia:

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files.

To say that ransomware has become a serious problem in recent times is putting it mildly. In the last year, numerous South African (SA) businesses and users have become victims of this nasty type of malware. According to Blue Coat, a security vendor, ransomware is now the leading mobile threat and ranks very high on the list of desktop/server threats.

Briefly, ransomware infection is primarily by email link or email attachment. Once the user clicks a link in the malicious email or runs the attachment, the infection silently takes place. From there, files the user accesses are encrypted with a key held only by the malware operator. A message (in the form of a file typically called HELP_DECRYPT.TXT) is left in each folder where files were encrypted; the message gives details of how to send payment, usually in bitcoin, to the operator, who in return promises to send the key that decrypts your files.

CryptoWall 3 and earlier versions, as well as some competing malware, targeted specific files that you accessed. Newer variants like CryptoWall 4 encrypt entire folders, not just the files you access, and they can also encrypt files on the network shares of servers. Chimera is a new type of ransomware that threatens to post copies of your documents and images on the Internet unless a ransom is paid. PowerWorm has recently come to light as another variant that encrypts files, but it has a bug: the key is (mistakenly) destroyed after encryption, which means that paying the ransom will never get your files back.

Another method of infection is through websites compromised to serve the Angler exploit kit. Just visiting such a site results in a drive-by download that installs Pony, a credential stealer which scours the infected computer for login credentials for websites, banking, network resources and applications. Once that is done, the infected computer is redirected to other sites where Angler installs CryptoWall 4, which in turn encrypts your files. CryptoWall 4 also renames encrypted files to randomly generated characters, so you cannot even tell which files have been encrypted.
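The indicators described above (a ransom note left in each folder, known files vanishing, and CryptoWall 4's randomly named, encrypted replacements) can be checked for with a simple file scan. The following is an added example, not code from this post or from any vendor: it compares a directory against a baseline list of paths recorded while the machine was known-good and reports ransom notes, missing files, and new files whose names look random and whose content has ciphertext-like entropy. The sample tree, the 7.5 bits-per-byte threshold and the random-name heuristic are assumptions; compressed files (zip, jpeg) also score close to 8 bits per byte, which is why the name and baseline checks are combined with the entropy measure rather than used alone.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Ransom-note filenames dropped by CryptoWall 3 (the post names HELP_DECRYPT.TXT;
# the HTML/PNG/URL variants sit beside it). Extend this list for other families.
RANSOM_NOTE_PATTERNS = [re.compile(r"^HELP_DECRYPT\.(TXT|HTML|PNG|URL)$", re.IGNORECASE)]

# CryptoWall 4 replaces both the name and the extension with random alphanumerics.
# Heuristic, not a signature: it only counts when the content also looks encrypted.
RANDOM_NAME = re.compile(r"^[a-z0-9]{6,}\.[a-z0-9]{2,5}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, about 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_random_name(name: str) -> bool:
    """Lowercase alphanumeric name and extension containing both letters and digits."""
    return (bool(RANDOM_NAME.match(name))
            and any(ch.isdigit() for ch in name)
            and any(ch.isalpha() for ch in name))


def scan_tree(root, baseline, entropy_threshold=7.5, sample_bytes=65536):
    """Compare the files under root with a baseline set of relative paths.

    Returns ransom notes found, baseline files that have vanished (renamed or
    deleted), and new files whose names look random AND whose first
    sample_bytes have entropy at or above entropy_threshold.
    """
    present, notes, suspicious = set(), [], []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present.add(rel)
            if any(p.match(fn) for p in RANSOM_NOTE_PATTERNS):
                notes.append(rel)
                continue
            if rel in baseline:          # unchanged name; content checks are out of scope here
                continue
            with open(full, "rb") as fh:
                ent = shannon_entropy(fh.read(sample_bytes))
            if looks_random_name(fn) and ent >= entropy_threshold:
                suspicious.append((rel, round(ent, 2)))
    return {"ransom_notes": sorted(notes),
            "missing": sorted(set(baseline) - present),
            "suspicious": sorted(suspicious)}


def demo():
    """Constructed sample tree (assumption, not real victim data): report.txt has
    been renamed and overwritten with random bytes, a ransom note was dropped, and
    a harmless new text file with a digit-heavy name must NOT be flagged."""
    baseline = {"docs/report.txt", "docs/budget.csv"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))

        def put(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        put("docs/budget.csv", b"item,amount\nhosting,1200\nbackups,300\n")
        put("docs/27p9k96gvx.63h", os.urandom(4096))          # what report.txt became
        put("docs/HELP_DECRYPT.TXT", b"Your files have been encrypted ...\n")
        put("docs/notes2015.txt", b"Meeting notes for the 2015 budget review.\n" * 20)
        return scan_tree(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run it against a real data directory by replacing the constructed tree with a baseline manifest you saved earlier; the "missing" list is the fastest tell, because a mass rename of documents shows up there before you have opened a single file.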

This is real scary stuff …

Paying what amounts to around R 5,000 – 30,000 (1 – 6 bitcoins) per infection is beyond the means of most. Another issue is that there is no guarantee that the perpetrator will actually send you the decryption key. Paying a ransom is not a good idea …

 

What can I do to protect myself?

  • always keep your operating system and installed applications up to date
  • do not use Adobe Flash or other browser plugins, and try to limit your use of Java
  • make sure you have a good anti-virus package installed and that it is updated continuously
  • do NOT click on links in emails (even if they look genuine) and do not save or run attachments from emails that appear to be from friends, family or known business contacts
  • use common sense and logic when reading email and visiting websites; look for things that are out of the ordinary and double-check items that look ordinary
  • attend security awareness training, which gives you the tools to navigate email, websites and other internet applications safely
  • back up your data regularly, keep at least one copy offline or on a disconnected drive (ransomware also encrypts any network share it can reach), and test that you can actually restore from it

What can I do if I’m infected?

The answer to this is: nothing, if you have not followed the last recommendation above. The only option is to clear out the infection and restore data from backups. Clearing out the infection often means rebuilding the infected device from scratch, reinstalling all applications and restoring your data. Disconnect the infected device from the network as soon as you notice, since the newer variants encrypt network shares as well.

If you don’t have a backup, then there are no further options. Unless you want to take a chance and have the funds available to pay the ransom, with no guarantee that a working key will arrive ….

Mac OS X 0-day

Gone are the days when Mac OS X was regarded as secure and not a target for malicious code. Attackers are actively exploiting a privilege-escalation bug in the latest edition of Mac OS X (10.10.4). The bug comes from a new error-logging feature added in Yosemite, the DYLD_PRINT_TO_FILE environment variable, which the dynamic linker honours even for setuid-root programs, so an unprivileged process can get a file opened for writing with root privileges.

The issue is serious enough that any code already running on the machine, such as a downloaded installer, can make itself root without the user ever being asked for a password, and then install malware. It has already been seen in the wild in adware installers.

As if this isn’t bad enough, a sequel to the firmware-infecting proof-of-concept demonstrated earlier this year has just been shown: it hitchhikes in the option ROM of Thunderbolt peripherals to infect the Mac they are connected to at boot time, and because it lives in the firmware it survives a reinstall of the operating system.

Grrrr

Security issues invade non-traditional areas

We’re mostly used to malicious attacks being associated with computers, servers, mobiles and other IT-related systems. But more and more, computing is being pushed into areas that aren’t traditional targets for these attacks yet are fast becoming critical.

Internet of Things (IoT) devices and automotive systems are starting to appear on attackers’ radars.

Security researchers recently used a vulnerability in the Jeep Cherokee’s Uconnect infotainment system, reachable over the cellular network, to take control of critical functions including braking and steering; that is very worrying. Those action sequences in spy movies from only a few years ago where cars are remotely controlled are suddenly reality.

One has to wonder at the rationale (or stupidity) behind Jeep’s decision to connect the control and infotainment systems: isn’t it obvious that a hole in the internet-accessible infotainment system will give access to the control system?

The problem is set to become much worse because IoT is spreading to every facet of our lives and security is not always on developers’ minds when designing new products. ADSL modems and routers are perfect examples of this: many never receive any updates during their lifetime, others remain full of holes even after updates, and considering the home environment in which they are used, end users don’t patch them or don’t know they need to.

The recent instalment of Terminator (Genisys) proposes a reality where everyone installs the latest version of the perpetrator’s operating system, at which point Skynet takes over. Considering the spread of software and IoT in the last few years (think fridges, washing machines, children’s toys, cars, mobiles, kiosks, etc.) this is not as far-fetched as you might think.

Malicious parties have been infecting and controlling millions of devices around the planet for a number of years, performing denial of service attacks, enacting financial fraud and generally causing massive mischief.

What can we do? Not a whole lot, except protect the systems that we have control over and make sure they don’t become part of the problem. Everything else? Well it’s a bit of a crap-shoot.

Backups and online data

This past weekend has not been a good one for Mweb Business. On Friday, some misconfiguration, glitch or human error caused the loss of many clients’ hosted systems on Mweb’s virtual hosting platform. Clients were greeted with a message stating that their new/clean virtual machines were now up with a new IP address. And no data.

That will be a catastrophic loss for many clients. And for 2 reasons:

  • a problem at Mweb led to this data loss
  • many clients may have been under the assumption that their data was safe, or did not backup their data

I preach backup incessantly and for good reason. Your data is yours and yours alone. It is your responsibility alone. Even if you are using a 3rd party to do your backups, mistakes and issues do happen – you need to make sure that the backups are being done, that they are being done correctly and that the backup data can be restored.

The onus here was on both parties and I do feel for both parties. In Mweb’s case (and considering that I have a very poor regard for them), this may have been a slip of the finger, a glitch in the system or something innocuous. In other words, a genuine issue or just bad luck.

From the client’s point of view, they should have been performing their own backups. Yes, the outage would have been an inconvenience, and in some cases a critical one, but at least they would have been able to recover from it. Mweb’s T&Cs stating that they are not responsible for client data are scant compensation to those who have lost data.

There’s a lesson here that some will not see or simply ignore: backups are important and critical to your business. Make sure your backup system is working and in proper condition.
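Both the "back up your data regularly" advice in the ransomware post and the lesson here come down to one check: a backup you have never restored is not a backup. As an added example (not Mweb’s tooling and not code from this blog), the script below archives a directory, writes a sha256sum-compatible manifest beside the archive, restores into a fresh directory and compares every file against the manifest, so bit rot or a missing file is reported now rather than discovered during a real outage. The sample files and paths are constructed for the demo.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def make_backup(source_dir, archive_path):
    """Archive source_dir and write a '<digest>  <path>' manifest next to it.
    Keep the manifest (and ideally a copy of the archive) on separate media."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    with open(archive_path + ".sha256", "w") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")
    return manifest


def load_manifest(path):
    manifest = {}
    with open(path) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive; the 'data' filter refuses absolute paths and '..'
    traversal in entries (older Pythons lack the argument, hence the fallback)."""
    os.makedirs(restore_dir, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)


def verify(manifest_path, restore_dir):
    """Compare a restored tree with the manifest. Returns (ok, sorted problems)."""
    expected = load_manifest(manifest_path)
    actual = build_manifest(restore_dir)
    problems = [("missing", rel) for rel in expected if rel not in actual]
    problems += [("corrupt", rel) for rel in expected
                 if rel in actual and actual[rel] != expected[rel]]
    problems += [("unexpected", rel) for rel in actual if rel not in expected]
    return (not problems, sorted(problems))


def demo():
    """Constructed sample (assumption, not real client data): back up a small
    tree, prove a clean restore verifies, then simulate bit rot in one file and
    the loss of another and show the checker reports both."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "invoice-001.txt"), "w") as fh:
            fh.write("Invoice 001: R 1,200.00\n")
        with open(os.path.join(src, "config.ini"), "w") as fh:
            fh.write("[relay]\nhost = smtp.example.invalid\n")

        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)

        out = os.path.join(work, "restore")
        restore(archive, out)
        clean_ok, _ = verify(archive + ".sha256", out)

        with open(os.path.join(out, "docs", "invoice-001.txt"), "a") as fh:
            fh.write("tampered\n")                       # simulated corruption
        os.remove(os.path.join(out, "config.ini"))       # simulated lost file
        _, problems = verify(archive + ".sha256", out)
        return clean_ok, problems


if __name__ == "__main__":
    print(demo())
```

The manifest uses the `<digest>  <path>` layout that `sha256sum -c` reads, so the same check can be run from a shell against a restore done by other means. Schedule the restore-and-verify step, not just the backup step; it is the part that tells you the backups are being done correctly.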

More details here:

http://www.itweb.co.za/index.php?option=com_content&view=article&id=144811%3AMWeb-Business-outage-cause-Someone-pushed-the-wrong-button-

http://mybroadband.co.za/news/hosting-storage/132661-massive-mweb-business-data-loss.html

Flash triple threat

The last week has been a very interesting one ( read OMG it’s almost the end of the world ) in the security world. There were new threats from all corners but Adobe Flash stole the show with 3 critical issues in 2 days.

All 3 issues could result in remote code execution or a denial of service. Grim stuff.

The CVE details are:

http://www.cvedetails.com/cve/CVE-2015-5123/

http://www.cvedetails.com/cve/CVE-2015-5122/

http://www.cvedetails.com/cve/CVE-2015-5119/

What’s really scary is that CVE Details lists 30 Flash issues with the maximum severity score of 10 for July alone. If ever there was a time to stop using Flash, it’s now. The problem is that many sites still use it in frames, ads and other areas, including sites that actively promote not using Flash.

To be clear, these vulnerabilities are actively being exploited at this time. We’ve also seen an alarming rise in remote-access trojan/ransomware attacks locally here in SA, which may or may not be related to the Flash vulnerabilities. These result in the encryption of client data and a subsequent demand for payment to unlock the data. The primary infection vector for these is spam email and its attachments.

What can you do?

  • Disable and remove Flash completely: this is the best choice but some websites may break; it’s a choice you need to live with (or not). Also, disabling Flash in your browser does not remove the standalone player or Flash embedded in applications, so the OS remains vulnerable to application-based attacks. Complete removal is the only option.
  • Disable Flash in the browser and set it to ask for activation: Firefox (I’m not sure about other browsers) can set a plugin like Flash to ask for activation on each use. So normally Flash does not run, but you can click a placeholder to activate a particular Flash element on a page.
  • Carry on using Flash: no comment

For applications that rely on Flash in the Operating System, it’s time to send a friendly email to the developers asking them why they are opening their clients up to potential security issues.

For YouTube users, most browsers already support Google’s HTML5 player, which does not need Flash. You can check the status of browser support here:

https://www.youtube.com/html5

Of course, you also need to update your OS regularly and any other 3rd party applications. And keep an eye open for spam emails.

For those with a few extra minutes, Steve Jobs wrote a fairly famous open letter to Adobe in 2010 criticizing Flash. I’m not a Jobs fan but this hits the nail on the head – well said.

The latest issues came to light as a direct result of the breach of Hacking Team, an Italian surveillance-software vendor, whose leaked files contained working exploits for them. Hacking the hackers: where have I heard that before? Some movie I think …

MS Windows critical font vuln

Microsoft released an out-of-band patch yesterday (MS15-078) for a critical vulnerability in the Windows font driver: a malicious custom font, embedded in a document or web page, can result in remote code execution on the machine. More details here:

http://gizmodo.com/go-update-windows-right-now-1719187152

Note that because Windows Server 2003 went end-of-life on 14 July 2015, there is no update for it.

Home routers: security fail

It’s no secret that I absolutely hate non-business/home-based (ADSL/3G/other) routers. From a security point of view, they have a history of never-ending security issues that result in a variety of malicious attacks including DNS reflection/amplification, remote control, spam, malware infections and other attacks.

There are other serious issues including ( but not limited to ):

  • vendors of these devices are slow to react to vulnerabilities and often never patch them
  • users either don’t know that updates are available, don’t know how to apply them or just can’t be bothered
  • the firewall/protection features of these devices are limited
  • many of these devices ship with common back-doors (hard-coded accounts or hidden management services) which open up access to attackers

Because non-business grade routers/firewalls don’t carry any sort of guarantee or warranty in terms of performance, vendors do not put ( as much ) effort into these in terms of keeping them secure. The following link describes just how bad the situation is:

http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/

If you have any concern over your internet security or use your internet link for any secure services ( like online shopping or internet banking ), consider purchasing/using a business-grade firewall that will:

  • provide you with a decent level of protection
  • be updated regularly by the manufacturer

Keeping your desktop computers, laptops and mobile devices safe is only one part of home security. You also need to look at the security of your network devices, including routers, printers and WiFi access points, as these are an important point of access to your home network and can compromise your systems as easily as a virus on your computer.

Invoiceplane takes another step

I took quite some time to find an accounts/invoicing package that suits my work style but I finally came upon Invoiceplane last year. The basic requirements were:

  • product/service database
  • client database
  • create quotes
  • create invoices
  • send invoices via email
  • classification of invoices and quotes ( workflow eg. created, sent, overdue, etc. )
  • list invoices by client
  • list overdue invoices
  • create recurring invoices

And Invoiceplane delivered on all counts with a nicely designed interface with good usability and ergonomics. The UI includes a top-bar menu divided into a few main categories: clients, quotes, invoices, payments and reports. There is also a one-shot dashboard giving an overview of quotes and invoices, with quick links to various aspects of the quotes and invoices.

Installation is straightforward – you need a LAMP or WAMP system with MySQL, Apache and PHP support. Once installed, there is some basic setup, which includes setting up email and invoice/quote templates and then you can start adding clients. Custom fields are a nice addition allowing one to add fields/parameters to customers that aren’t available by default.

The next step is to add services/products – these can be created ( and saved ) while generating invoices or you can pre-create them in the Products section.

And finally, start creating invoices selecting pre-created products from the database or creating these on the fly. VAT and Tax are catered for in invoices as well as invoice terms ( I use this field to include my bank details ) and due date.

The latest version 1.2 includes the ability to lock invoices to read-only once created, as many tax authorities require that an invoice not be altered once it’s issued. As payments are processed on the system (which includes amount, payment date and type), these are offset against the invoices, which have their status changed to Paid. Any invoice can also be converted into a recurring invoice with variable generation terms (eg. monthly or yearly).

For reporting, there is invoice ageing available as well as payment history and sales by client. All invoices, quotes and reports are generated as PDF files which can be tailored with logos and some other items. One really neat feature of the quote system is that a URL is generated at which a client can approve or reject the quote. Once approved, you can convert the quote into an invoice.

All in all, this is a fantastic piece of software that does the basics and does them well.

Online security in the shopping season

Online security should always be the focus of anyone using the internet.  Yet major holidays tend to be more important seeing as there are many who only shop online around this time. Black Friday especially is a big draw-card.

The fact is that online security is part common sense and part preventative maintenance. If you get the basics right, then you’re 90% there …

Richard Henderson @ Fortinet has put a great list together that will help perennial shoppers, daily buyers and those just dipping their toes into the water.

Take a look …

eMailStor Services and other

It’s not often that I blog about business services that we offer as this is supposed to be a general IT blog, however I’ve had quite a few inquiries about what it is that eMailStor does so a blog entry is the easiest …

eMailStor was started to service one requirement: SMTP relay. This is the component that’s used by either an email server or an email client to send email. You might ask: Our ISP or our email server offers this service so why yours? There are 3 main reasons:

  • Your upstream ISP often has restrictions in place to limit the amount of email you can send in a certain period
  • You may be on unfamiliar networks that have additional restrictions on sending email (eg. travelling, on other companies’ networks, internet cafes, etc.)
  • Many relays are shared public relays and as such are exposed to abuse and other attacks

To curb spam, many ISPs have over the last few years implemented restrictions on sending email. Typically this is based on the amount of email you send within a certain period of time. Locally, 25 – 50 emails per sender per hour seems to be the general average.

Anything above this and your email will either be rejected or you’ll receive notice that you can’t send any more email. Even 3rd-party email services like Google use limits like these. Once you hit them you can expect some issues; the worst is having your ADSL line locked or your Gmail account suspended for 24 hours.

So eMailStor provides a number of packages to service your requirements in sending email. These are classified by emails sent per sender or domain per period.

The biggest benefit is that eMailStor only defers your email for an assigned period should you reach your package limit – we do not block or alter your email in any other way ( if you use an on-site email server ). Once you enter a new period, any remaining email will be sent unless of course you reach your limit again, in which case the process repeats until all your email is sent.
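To make the deferral behaviour concrete, here is an added illustration (example code, not eMailStor’s relay software) of a per-sender quota in fixed windows: messages within the quota go out, the rest are queued rather than rejected, and the queue drains first when the next window opens so ordering is preserved. The three-per-hour default, the one-per-hour override and the addresses are assumptions chosen so the behaviour is visible in a short run.

```python
from collections import defaultdict, deque


class RelayQuota:
    """Per-sender sending quota in fixed time windows. Mail over the quota is
    queued and released when the next window starts, never bounced."""

    def __init__(self, default_limit, window_seconds=3600, overrides=None):
        self.default_limit = default_limit
        self.window = window_seconds
        self.overrides = dict(overrides or {})    # per-address or per-domain limits
        self.window_id = defaultdict(lambda: None)
        self.sent = defaultdict(int)               # messages sent in the current window
        self.queue = defaultdict(deque)            # deferred message ids, FIFO
        self.log = []                              # (time, sender, msg_id, action)

    def limit_for(self, sender):
        """Address-specific override wins, then the domain's, then the default."""
        domain = sender.rsplit("@", 1)[-1]
        return self.overrides.get(sender, self.overrides.get(domain, self.default_limit))

    def _roll_window(self, sender, now):
        # Windows are aligned to fixed epochs (e.g. hour boundaries), not to the first message.
        wid = int(now // self.window)
        if self.window_id[sender] != wid:
            self.window_id[sender] = wid
            self.sent[sender] = 0

    def flush(self, sender, now):
        """Release queued mail for sender until the quota is hit again.
        A real relay would call this from a retry timer; here the caller drives it."""
        self._roll_window(sender, now)
        released = []
        while self.queue[sender] and self.sent[sender] < self.limit_for(sender):
            msg_id = self.queue[sender].popleft()
            self.sent[sender] += 1
            released.append(msg_id)
            self.log.append((now, sender, msg_id, "sent-from-queue"))
        return released

    def submit(self, sender, msg_id, now):
        """Returns 'sent' or 'deferred'. Backlog is drained first so order is kept."""
        self.flush(sender, now)
        if self.sent[sender] < self.limit_for(sender):
            self.sent[sender] += 1
            self.log.append((now, sender, msg_id, "sent"))
            return "sent"
        self.queue[sender].append(msg_id)
        self.log.append((now, sender, msg_id, "deferred"))
        return "deferred"


def demo():
    """Constructed scenario (assumed limits and addresses): alice sends five
    messages in the first hour against a limit of three; bob has an override of one."""
    q = RelayQuota(default_limit=3, window_seconds=3600,
                   overrides={"bob@example.invalid": 1})
    alice, bob = "alice@example.invalid", "bob@example.invalid"
    first_hour = [q.submit(alice, f"m{i}", now=i) for i in range(1, 6)]
    bob_first = [q.submit(bob, f"b{i}", now=10 + i) for i in range(1, 3)]
    released = q.flush(alice, now=3600)             # new hour: backlog drains first
    after = [q.submit(alice, "m6", now=3601), q.submit(alice, "m7", now=3602)]
    bob_released = q.flush(bob, now=3600)
    return {"first_hour": first_hour, "bob_first": bob_first,
            "released": released, "after": after, "bob_released": bob_released}


if __name__ == "__main__":
    print(demo())
```

The log list is what a usage report would be built from; in a real relay the queue also has to be persisted to disk so that a restart does not lose deferred mail.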

Other benefits include:

  • Custom limits and rates per user or domain
  • Send email from any device and/or any network
  • Outbound email anti-virus scanning
  • Contain virus or malware outbreaks
  • Usage reporting available
  • Custom sending ports to work around ISP blocks
  • Private relay ensures that only authenticated clients are allowed to send email, increasing the effectiveness of our solution and reducing the chances of blacklisting

We currently have around 250,000 to 350,000 emails sent through our system per month, and we have sufficient capacity to cater for around 10x this rate. So we can address the needs of Mom and Pop shops all the way to corporate requirements. We can also assist you in configuring your email client or server to use our service.

The Relay product has been an overwhelming success and as such, we’ve added additional Internet products over time, one of the most important being DNS/domain registration and hosting.

There are 2 parts to DNS if you want to use email, web or other services with your domain name (eg. company.co.za).

  • registration: you need an anchor for your domain; this is the registrar and there is normally an annual cost for this service (.co.za domains in SA are R75/yr)
  • hosting: you need to host your domain records (the zone) somewhere so that you can point them at the ISP or company that runs your email, web or other internet services

eMailStor DNS and Global DNS provide a one stop shop for registration and registration/hosting. We invoice you once a year for the package you’ve chosen and take care of all the management and renewals associated with DNS maintenance. Our DNS service includes some neat benefits:

  • dynamic DNS updates
  • bulk zone and record management
  • all DNS record types supported
  • easy and quick domain transfers
  • fast turnaround for domain actions
  • consistent contact and name server details
  • a wide variety of TLDs including .com, .net, .co.uk and the SA city TLDs (.joburg, .capetown, .durban), etc.

We also offer Email and Web hosting services locally and internationally with our dedicated custom support. These hosting services include shared, VPS, dedicated and co-location.

That’s quite a bit of information but I’ve tried to keep it as simple as possible. If you need more info, drop us a line at sales@emailstor.co.za

Apple Pay thoughts and security

The big Apple event on Tuesday wasn’t that big a deal in my opinion. The iPhone 6 was expected although not in 2 editions but that is the least that Apple had to do to catch up with Android. Apple watch? Meh … sleek industrial design and interesting software options but ultimately I still think that smart watches in general have a limited use.

Couple of reasons why:

  • short battery life – until you start using one of these, you won’t realise what an issue that is ( my current Seiko is going on for 4 years now on the same battery, 1 day on a charge for smart watches is a problem)
  • you don’t get any health info while your watch is on charge because you can’t wear it at the same time as charging
  • security – smart watches can be hacked; do you really want your health and personal info out there for all to see? And how do the vendors handle your privacy and security?
  • you still need a phone to use in conjunction with most smart watches – no phone? limited usefulness …

So onto the main crux of this article: Apple’s new NFC-based payment system. What’s new? Pretty much nothing that hasn’t been done before; think Google Wallet. They have good integration with Touch ID on the iPhone and the on-board secure element, along with agreements with a number of American banks and the 3 main payment networks AMEX, Mastercard and Visa. The only thing Apple brings to the table is a large user base and a knack for popularizing systems like this. And that is it.

With Apple stepping into the NFC payments game we will see a large increase in the number of people using it. This of course will lead to security and privacy concerns, not only about potential vulnerabilities in the technology itself and how criminals could exploit them, but also about users failing to secure their devices, and therefore their electronic wallets, properly. Some banks are even putting transaction limits in place as a form of risk control.

Although the recent celebrity photo hack involving iCloud accounts wasn’t entirely Apple’s fault, the episode shows how far end users and vendors still have to go to understand personal security and privacy properly. And that’s the crux of the matter. We’ll also have to see how country-specific consumer rights, privacy and other laws affect a global product like this.

But security is always a primary concern. And while Apple has promised fixes to iCloud and iOS soon, the perception of Apple’s security is not good, and their track record is similarly poor.

Anyone can spend $1500 on Elcomsoft’s iOS Forensic Toolkit or $79 on Phone Password Breaker and proceed to take an iPhone apart logically, extracting pretty much every piece of data you’ve ever put on it. There are also free methods involving an iPhone and iTunes running on a Windows machine. Scary stuff when you’re storing potentially vital personal data on your phone.

So what else can we say about Apple Pay? There are some more practical issues:

  • battery life of your phone will suffer with NFC switched on all the time (I can’t see people turning it on and off as required)
  • there is a much wider attack surface with NFC switched on all the time, potentially leading to a security nightmare
  • the payment industry is also looking at biometrics as an alternative to NFC
  • many US retailers and banks have cited the high cost of NFC-enabled payment terminals as a reason for not going all in

So, while I think Apple could be moderately successful with something like this, there are significant issues to be worked out in the practical implementation. We’ll see …