‘Hey Microsoft just called me’

Uhmm.. no they didn’t.  First off, Microsoft isn’t going to call you, and neither is any other software company (try phoning their tech support and see how long it takes, then imagine them proactively phoning people to solve problems).

The solution: don’t get rattled and don’t trust anyone you didn’t contact first (not webpages, and not people you don’t know).

This applies to those pop-up webpages you can’t close (often with loud messages playing): “Call this number, you are infected, owe taxes, are under arrest, pirated software, are being investigated for terrorism.”  You often see the names FBI, RCMP, CIA, CRA and other scary federal agency letters, seals and the like.  Just as often you see spelling mistakes and poorly phrased English.

Here’s a quick list of things to watch for in the ‘Tech Support Phone Scam’ (I’ll cover the ‘Webpage scam’ further down):

  • Clue #1: THEY called YOU
  • Clue #2: The Caller ID says ‘Microsoft’, ‘Tech Support’, or something techie sounding (Caller ID is trivially spoofed, so it proves nothing)
  • Clue #3: They have a thick foreign accent and give some ‘normal’ sounding name
  • Clue #4: They claim your computer is doing ‘something’ (spam, virus, hacking) but can’t say which computer
  • Clue #5: They ask you to open the Windows Event Viewer (every healthy PC shows errors and warnings there; that is their ‘proof’)
  • Clue #6: They ask you to go to a website and install a remote control tool (Ammyy, TeamViewer, LogMeIn Rescue, GoToMyPC or the like)

As long as you don’t let them in (via the remote control programs) they can’t do anything but swear at you.  If you do let them in they’ll likely run SYSKEY and set a startup password only they know, so Windows won’t boot until you pay a ‘ransom’ for it: a couple hundred to a few thousand dollars, with no guarantee you ever get the password (or your machine) back.

The annoying webpage with plenty of threats that you can’t close:

  • Clue #1: You can’t close the page
  • Clue #2: It’s usually playing some loud recorded voice telling you how you are in serious trouble (virus, taxes, police etc.)
  • Clue #3: You have a convenient phone number to call to get this all fixed ASAP

If you call, you are now in the ‘Tech Support Phone Scam’ at Clue #3 and they will quickly need you to allow them remote access (Clue #6).  To get rid of the page you can reboot, or in your Taskbar (that bar along the bottom, usually) RIGHT-click on your browser and select ‘Close all windows’; if that fails, press Ctrl+Shift+Esc, pick the browser in Task Manager and choose End Task.  The page itself hasn’t installed anything; the damage only starts when you call.

Variations of these scams include:

  • A relative needs money for bail in some foreign country; usually they got the names from your relative’s Facebook page.
  • CRA/IRS is coming to take your house (foreclose); sometimes they want you to send Bitcoins (digital currency) to some address.  The CRA doesn’t take Bitcoin and doesn’t phone to threaten arrest.
  • Some crazy distant relative left you a pile of money but you need to pay for the ‘processing’ so they can mail you some massive cheque from Namibia or something.

If you want to help stop these people, tell others, especially our less digitally knowledgeable relatives (usually older and retired).  If you really want to help, perhaps take a few lessons from 419 Eater (a site that fights back against advance-fee scammers).

Ransomware – the ‘new’ virus type

Locky encrypts your data using AES encryption and then demands 0.5 bitcoins to decrypt your files.  Though the ransomware sounds like something named by my kids, there is nothing childish about it.  It targets a large number of file extensions and, even more importantly, encrypts data on network shares that aren’t even mapped to a drive letter: anything the logged-in user can write to is fair game.  If you don’t have a backup your data is gone, unless you pay and hope the payment isn’t yet another scam.

Those of you with a server are reasonably safe: backups, Shadow Copies and the like, as long as the user account that ran the attachment can’t write to them.  Stand-alone computers are at risk.  The virus (usually run as a script or macro from an email attachment) will delete the local shadow copies (Locky runs vssadmin to remove them) and sometimes hunt the backups down, wiping them out.

So far I’ve seen 5 infections of this virus and only 1 had data loss (that client at least remembers me specifically telling them.. “Seriously, you really need a backup of some type, you know, just in case”).  Each infection differed in the targeted files.  Sometimes it was MS Office files, image files or PDFs, but there is no limit to what it COULD encrypt.. it just happened to have a priority before we stopped it.

Why didn’t the anti-virus catch it?  Because the user ran it: not as a virus, but as a macro or script running with the user’s own security and authorization.  It is much trickier to limit what a user can do to a file (like saving or deleting) than to limit who can access the file at all.  It sounds like a fine point, but the micro-management required means you need a server, and if you have one this virus is only an inconvenient event, not a source of data loss.

The real victims are home users and ‘server-less’ environments.  The most recent off-line backup could be the only fallback.

So if you see a .locky file on your machine, reboot.. NOW!  Pull the power cord if you need to; the running copy is only in memory (usually) and cutting it off stops the encryption process, though it may have set itself to start again at login, so don’t just log back in and carry on.  If you are on a network, look at the file properties of the newly created ‘How to fix’ file in the same directory (it could have a few names but you’ll know it when you see it): under the Details tab of the file properties the Owner tells you the user/machine infected (the one that created the new file).  Reboot that machine ASAP, and pull its network cable.
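The same triage as a script, so you don’t have to open Properties on files one at a time across a share. This is an added example, not code from the original post: the paths are placeholders, it assumes PowerShell 3 or later, and the ransom-note patterns cover the names Locky was reported to drop plus generic ones (other families use different names).

```powershell
# Added example, not from the original post: first-response triage for a Locky-style infection.
# Assumes PowerShell 3 or later. The paths are placeholders; the ransom-note patterns cover the
# names Locky was reported to drop plus generic ones, and other families differ.
function Get-RansomwareTriage {
    param(
        [string[]]$Path = @('C:\Users', '\\server\share'),   # placeholders: your own data locations
        [string[]]$NotePattern = @('_Locky_recover_instructions.*', '_HELP_instructions.*', '*how*to*', '*decrypt*')
    )
    foreach ($p in $Path) {
        $enc = @(Get-ChildItem -Path $p -Recurse -Filter '*.locky' -File -ErrorAction SilentlyContinue)
        if ($enc.Count -eq 0) { continue }

        # Earliest encrypted file tells you roughly when it started; its owner is the account that
        # did the writing, the same 'Owner' the post says to read off the Details tab.
        $first = $enc | Sort-Object LastWriteTime | Select-Object -First 1
        [pscustomobject]@{
            Root      = $p
            Encrypted = $enc.Count
            Started   = $first.LastWriteTime
            Culprit   = (Get-Acl -Path $first.FullName).Owner
        }

        # The ransom notes are dropped by the same account; list them to see how far it spread.
        Get-ChildItem -Path $p -Recurse -Include $NotePattern -File -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime, @{ n = 'Owner'; e = { (Get-Acl -Path $_.FullName).Owner } }
    }
}

# Locky deletes local shadow copies (vssadmin delete shadows); an empty result on a machine that
# had them means that local fallback is already gone and the off-line backup is what's left.
function Get-ShadowCopyStatus {
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ShadowCopies = $shadows.Count
        Newest       = $(if ($shadows.Count) {
                           [Management.ManagementDateTimeConverter]::ToDateTime(($shadows | Sort-Object InstallDate)[-1].InstallDate)
                       } else { $null })
    }
}

Get-RansomwareTriage | Format-List
Get-ShadowCopyStatus
```

Run it from a clean machine against the share, not from the suspect workstation. The Culprit value is the account to disable and the machine to pull off the network; the Started timestamp tells you which backup generation is the last clean one.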

Google can offer you some help recovering, and so can Malwarebytes.org (in finding any viral leftovers).  Your server and backups are your best hope; failing those, a few bitcoins and some trust in the makers of the virus are all you might have left.

Backup often, trust no email attachments.

HeartBleed & Microsoft

The Heartbleed vulnerability in OpenSSL has received a significant amount of attention.  Worry not: it won’t get you unless you have OpenSSL-based software on your Windows server (Apache with mod_ssl, or any third-party product that ships its own OpenSSL DLLs), and then only if that OpenSSL is version 1.0.1 through 1.0.1f.  Microsoft services were not impacted by the OpenSSL vulnerability and the Windows implementation of SSL/TLS was also not impacted.

Rest assured that default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability.  Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.  The thing to check is what else is installed: VPN clients, management agents, databases and web servers often bundle their own copy of OpenSSL, and that copy needs patching on its own schedule.
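A way to find those bundled copies, as an added example that is not part of the original post: it walks the program directories for OpenSSL’s library names, reads the version stamp each DLL carries, and flags the 1.0.1 through 1.0.1f builds. The directories searched are an assumption; add your own install locations.

```powershell
# Added example, not from the original post: locate OpenSSL libraries that third-party software
# has installed on a Windows box and flag the Heartbleed-vulnerable builds (1.0.1 through 1.0.1f).
# SChannel is not checked because it is not affected. The roots searched are an assumption.
function Find-OpenSslDll {
    param(
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)
    )
    $names = 'libeay32.dll', 'ssleay32.dll', 'libssl*.dll', 'libcrypto*.dll'
    Get-ChildItem -Path ($Roots | Where-Object { $_ }) -Recurse -Include $names -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = $_.VersionInfo.ProductVersion            # OpenSSL stamps it as e.g. '1.0.1e'
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $v
                # 1.0.1 with no letter, or 1.0.1a..f, has the bug; 1.0.1g and later, and every other branch, do not.
                Vulnerable = [bool]($v -match '^1\.0\.1([a-f]\b|$)')
                Vendor     = $_.VersionInfo.CompanyName
                Modified   = $_.LastWriteTime
            }
        }
}

Find-OpenSslDll | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
```

The version check is a heuristic on the file’s own version resource; a DLL with no stamp, or a renamed one, won’t be caught, so treat any 1.0.1 hit without a letter g or later as suspect until the vendor confirms otherwise. Finding a vulnerable DLL does not by itself mean the service using it listens on the network, but it does mean the vendor owes you an update.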

Virtualization vs. Cloud Computing

People often get the terms “virtualization” and “cloud computing” confused, believing that they can be used interchangeably when, in fact, they are diametrically opposed.

Virtualization tricks your software into believing that it’s running on a real server, network or storage that is actually there, but it’s not: it’s virtualized.  Essentially we are hiding the infrastructure from the software, which allows the software to believe that nothing is changing even if we move the ‘server’ to a new machine or new location.  Portable, and easy to get running on new hardware.

Cloud computing is the exact opposite.  A real public or private cloud richly exposes the infrastructure to the application, which is not only infrastructure-aware but dependent on its interactions with the infrastructure.  This allows companies to turn off resources when they’re not using them and add resources when required, basically making a server more powerful when needed and cheaper when idle.

The PR teams will tell you Cloud Computing is the way to go, the destination and ultimate goal of business computing.  Complete horse crap.  It’s probably the next ‘leaky condo’, with more central points of failure than any system in existence (because you need to connect to it, the entire path from your desk to their datacentre is a point of failure).

Cloud computing and data storage bind the client to the service provider like nothing else.  The monthly fees are reasonable on a per-user basis, but company-wide they can become onerous without offering any local hardware maintenance (which is often the largest cost).  One special consideration for Canadian customers: many government contracts require that government communications and documents never leave the country, which means even GMail can put you in violation, let alone files on the cloud.

DNS Happens

How DNS happens

DNS (Domain Name System) has been around since the first time someone tried a name instead of an IP to get somewhere on the Internet, which makes it only a few years younger than the first network.  What happens when you type ‘google.ca’ isn’t stunningly complex: it’s really no more than your machine looking up the number for that name and then sending you there.  The really interesting part is how much we rely on it and how it’s embedded into nearly everything.  In fact the Internet would grind to a halt within minutes without it, and the fact it is made of millions of simple text files (zone files) is a minor marvel.  Caching and secondary servers buy you time: resolvers keep an answer for its TTL, and a secondary keeps serving a zone it can no longer refresh from the master until the zone’s SOA ‘expire’ timer runs out, after which it stops answering for that zone entirely.

So why the news on DNS?  My home internet (to my server) went out a few days ago and it is one of a chain of DNS servers that maintain a few domains.  It also exposed a vulnerability in my redundancy which I had thought covered; turns out some companies know less of DNS than I do and their systems weren’t capable of taking the added load.  Thus the DNS entries began to expire and the scramble was on.  Long story short, I managed to get a new DNS system up in a few hours and migrate things to a more stable platform.  The whole system is better than ever and more fault tolerant.  This meant some email outages for a time and though email can recover, the deliveries were later than expected.

What I learned: yet another software system that doesn’t do what it claims, and I didn’t even get an error that the system wasn’t working as expected.  No way to check, and the only way to discover the flaw was to create the problem it was meant to protect against; seems a rather hard way to test a system.  I’ll have to break down and learn to use Unix on the command line and stop relying on a GUI that tries to hide its failures behind pretty icons.

I’ve never been a proponent of ‘hard testing’ where one creates the disaster to check the recovery system.  My reasoning being if things are other than planned (see Murphy’s law) you’ll have created a problem you do not have the solution for (or your recovery plan would have worked).

So I’ve learned a few new tricks, found a useful service for DNS replication and for one day of annoyance managed to ‘hard test’ my failover system.  Now I just have to get my own regular Internet connection back, thank the tech gods for cell phone tethering 🙂
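A non-destructive check for the failure described above, as an added example that is not part of the original post: ask every name server in the zone’s delegation for the SOA record and compare serial numbers. A secondary that is behind the master, or that stops answering for the zone, shows up here long before the expire timer makes the outage visible. It uses the DnsClient module (Windows 8 / Server 2012 or later) and ‘example.com’ is a placeholder for your own domain.

```powershell
# Added example, not from the original post: ask every delegated name server for the zone's SOA
# and compare serial numbers, which is the check that would have shown the secondaries falling behind.
# Needs the DnsClient module (Windows 8 / Server 2012 or later); 'example.com' is a placeholder.
function Test-ZoneReplication {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [int]$MaxLag = 0      # serial increments a secondary may trail the newest copy before it is flagged
    )
    # The delegation (NS set) is what the rest of the Internet will use, so start from it
    $servers = (Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'NS' }).NameHost

    $results = foreach ($ns in $servers) {
        try {
            # Query each server directly; -DnsOnly/-NoHostsFile keep the local client cache out of the way
            $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $ns -DnsOnly -NoHostsFile -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
            if (-not $soa) { throw "no SOA returned for $Zone" }
            [pscustomobject]@{ Server = $ns; Serial = [uint32]$soa.SerialNumber; ExpireSecs = $soa.TimeToExpiration; Error = $null }
        } catch {
            # A listed server that cannot answer for the zone is exactly the silent failure described above
            [pscustomobject]@{ Server = $ns; Serial = $null; ExpireSecs = $null; Error = $_.Exception.Message }
        }
    }

    $newest = ($results | Where-Object { $null -ne $_.Serial } | Measure-Object -Property Serial -Maximum).Maximum
    foreach ($r in $results) {
        $status = if ($r.Error) { 'NO ANSWER' }
                  elseif (($newest - $r.Serial) -gt $MaxLag) { 'STALE' }
                  else { 'OK' }
        $r | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

Test-ZoneReplication -Zone 'example.com' | Format-Table Server, Serial, ExpireSecs, Status, Error -AutoSize
```

Schedule it and alert on anything other than OK. ExpireSecs is the SOA expire value each server reports, which is how long that server will keep answering after it loses contact with the master; if it is shorter than the time it would take you to notice and fix an outage, the redundancy isn’t really there.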

Microsoft rolls out Skype?

On June 27th 2012 Microsoft accidentally put Skype into their ‘Important’ updates for WSUS.  What happened was that millions of users got Skype installed on their desktop without consent and, let’s face it, without really needing it.

The update was ‘expired’ once the error was discovered, but the fact it happened at all is rather disconcerting.  Not only was the program installed without user approval (being misclassified), it makes this vector of program installation much more suspect.  If your WSUS has auto-approval rules for the Important or Critical classifications, a misclassified package walks straight through them; it’s worth reviewing those rules and approving manually anything that isn’t a security update.

The long and short of it: if you suddenly have Skype on your desktop you can uninstall it.  It was a Microsoft error that put it there and with luck it will not happen again.

SSL encryption compromised

You know that little HTTPS: we all love to trust when we do online transactions.. well, the old versions (TLS v1.0 and earlier, including SSL 3.0) have been shown to be breakable.  This means a serious weakness in virtually all websites protected by the protocol, one that allows an attacker to silently decrypt data passing between a web server and an end-user’s browser.

Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by attackers who can control the connection between the end user and the destination website and also get some code (JavaScript, say) running in the user’s browser.

At this point the attack isn’t usable by the average weenie in some remote country; it needs a privileged network position and a fair amount of processing, but as the code is improved it’ll become more important to rely on TLS v1.1+ to remain secure.  The major browsers will likely soon release patches to implement TLS v1.2, but it’s up to each website to deploy the other end to ensure secure communication.
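The server-side half on Windows is an SChannel registry setting, since IIS and everything else on the box that does HTTPS goes through SChannel. The following is an added example, not from the original post: it reports the current server-side protocol switches against a desired policy (SSL 2.0/3.0 and TLS 1.0 off, TLS 1.1/1.2 on) and can apply them. It assumes Windows 7 / Server 2008 R2 or later, where TLS 1.1 and 1.2 exist; on older systems there is nothing newer to turn on, and turning 1.0 off there kills HTTPS outright.

```powershell
# Added example, not from the original post: audit (and optionally set) the SChannel server-side
# protocol switches. Run as Administrator; changes need a reboot. Assumes Windows 7 / Server 2008 R2
# or later, where TLS 1.1 and 1.2 are available to enable.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired server-side policy: 1 = on, 0 = off. The Client subkeys are left alone here.
$policy = [ordered]@{ 'SSL 2.0' = 0; 'SSL 3.0' = 0; 'TLS 1.0' = 0; 'TLS 1.1' = 1; 'TLS 1.2' = 1 }

function Get-SchannelServerProtocols {
    foreach ($proto in $policy.Keys) {
        $key = Join-Path $base "$proto\Server"
        $enabled = $null
        if (Test-Path $key) {
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Protocol = $proto
            Enabled  = $(if ($null -eq $enabled) { 'OS default' } else { $enabled })   # missing value = whatever the OS ships with
            Wanted   = $policy[$proto]
        }
    }
}

function Set-SchannelServerProtocols {
    foreach ($proto in $policy.Keys) {
        $key = Join-Path $base "$proto\Server"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $on = $policy[$proto]
        # Enabled=0 turns the protocol off outright; DisabledByDefault=1 stops it being offered unless an app asks for it
        New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value $on       -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value (1 - $on) -Force | Out-Null
    }
}

Get-SchannelServerProtocols | Format-Table -AutoSize
# Set-SchannelServerProtocols   # uncomment to apply, then reboot
```

Before applying it, check who connects to the box: old browsers, RDP clients and database drivers that only speak TLS 1.0 will simply stop working, which is the trade-off the post describes from the website’s side.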

Just thought you should know in case you didn’t feel vulnerable enough already.

You had WHO call you?

In Canada we don’t get the FBI, NSA, CIA, Homeland Security, State Police, local cops or a myriad of odd agencies with dubious jurisdictions wanting to know much of anything regarding your computer server.  In Canada you get one of two agencies 95% of the time, the RCMP or CSIS; neither is good, but both are better than the US alternatives, which are often more interested in their own goals than in preserving your data.

What has been getting the attention lately has been around for over a year now, courtesy of the PRC (People’s Republic of China).  Few will come right out and say it, but state-based espionage is the bread and butter of China’s financial machine.. what you can’t develop, you steal.

The target of choice right now is Microsoft Small Business Server 2003.  It’s a good OS and system, but if compromised it can be difficult to detect.  Here is something you can look for:

C:\Inetpub\wwwroot\iisstart.htm
Examine the file with Notepad; at the very top do you see any ‘funny’ code?  Something like this:

<!--czozNjM=--!>
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html;
etc…

That code at the top.. that’s the signature that not all is right in your system.  Who, what, how and all the rest I’m researching, but your machine, though it may show no other symptoms, is quite possibly working for the bad guys.  Someone had write access to your web root to put that there, so treat the whole box as compromised rather than just deleting the line, and note when the file was last modified and what else in that folder changed at the same time.
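The same check across the whole web root rather than one file in Notepad, as an added example that is not part of the original post: it reads only the first line of each page, looks for an HTML comment that holds nothing but a base64-looking blob, and reports the file, its owner and last-write time alongside the decoded marker. The default path is the standard IIS web root on SBS 2003; the file extensions and the exact comment shape are assumptions based on the sample above.

```powershell
# Added example, not from the original post: sweep an IIS web root for the injected comment
# described above. $Root is the default SBS/IIS web root; adjust to your own site path. The
# extension list and the comment shape (base64 alone inside <!-- -->) are assumptions from the sample.
function Find-InjectedComment {
    param([string]$Root = 'C:\Inetpub\wwwroot')
    # Anchored to the very first line, exactly where the post says to look; tolerates the odd '--!>' close
    $pattern = '^\s*<!--\s*(?<b64>[A-Za-z0-9+/]{4,}={0,2})\s*--!?>'
    Get-ChildItem -Path $Root -Recurse -Include *.htm,*.html,*.asp,*.aspx -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $first = Get-Content -Path $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue
            if ($first -and $first -match $pattern) {
                $decoded = $(try { [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Matches.b64)) }
                             catch { '(not valid base64)' })
                [pscustomobject]@{
                    File     = $_.FullName
                    Modified = $_.LastWriteTime        # when the page was last rewritten
                    Owner    = (Get-Acl -Path $_.FullName).Owner
                    Marker   = $Matches.b64
                    Decoded  = $decoded
                }
            }
        }
}

Find-InjectedComment | Format-Table -AutoSize
```

The sample marker in the post, czozNjM=, decodes to the text s:363; what that means is part of the research the post mentions, so keep the decoded values with the rest of the evidence rather than guessing. Run it against any other site directories on the server as well, and compare the Modified times with the IIS and security logs for the same window.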

I’ll add a comment when I have a name and process for removing this beasty.

Anonymous – Good, Bad or What?

 There’s a good chance if you’ve been reading or listening to the news you’ve heard tell of a mysterious group called ‘Anonymous’.  They have no leader, answer to no one and for the most part are a complete enigma when one considers how groups work.

The group has been linked to topics as far ranging as ‘TitStorm’ in Australia (the protest against a proposed filter that would block pictures of small-breasted women) to the uprisings in Syria & Egypt, with a collection in between.  The US government has a few times been at both ends of the stick, and a few over-inflated corporate egos (HB Gary, The Tea Party, Visa, PayPal & MasterCard to name a few) have had a good slap.  You’ll want to read the Wikipedia article that covers some of their history.

So you might ask, why talk about this on LogicITy?  I want people aware of something called ‘false flags’.  The name is derived from the naval practice of flying false colours, that is, flying the flag of a country other than one’s own.  Governments and corporations do this regularly and it’s a mainstay in political battles.  Malware often tricks you by pretending to be from someone you would trust; it’s the same principle.

Anonymous has uncovered some very sneaky and dirty stuff going on in the internet, it would serve some governments and corporations to have you not listen to what they have to say.  I’m suggesting you listen to that faceless group before dismissing them as hackers, cyber terrorists or punks.

Oh.. and don’t worry about FaceBook on November 5th.. Anonymous has never been about ‘shooting the messenger’.

“Hi, this is you computer company”

“Hello, this is your computer company and we are making this free call because you have a computer virus spamming the net.”

Oddly enough you don’t recognize the voice, and they don’t seem to know anything about your computer or anything else.  They tell you it’s really bad and they just need to help you fix the problem.  The final hint.. their English is really bad and heavily accented.

It’s a scam.  Most people know it in seconds, but those that are less familiar with computers tend to fall for it, tricked into giving out information that can result in signing up for useless services or programs, or at worst letting the scammers into their machines.  People feel enough of a fool after these misadventures not to tell others about their experience, thus hiding how often this really happens.

Warn your folks/kin/parents (the elderly are especially vulnerable) and be vigilant.  It’s an old trick with a new twist, and Telus is no help at stopping these scammers from calling (you’d think they’d block the call centres from calling into Canada at all).

If in doubt, call me.. but you already knew that.