Monthly Archives: May 2012

London 2012 Olympics – Please be careful of Malware attacks

These are starting to surface across all vectors (e.g., email, Facebook, malicious websites, etc.).

London 2012 Olympics – Please be careful of Malware attacks

QUOTE: Cyber-criminals are using the upcoming summer Olympic Games in London as bait to lure unsuspecting Internet users to their malicious websites and scams. The Department of Homeland Security laid out the many threats to the Olympic Games in a detailed warning last week. DHS warned about politically-motivated attempts to disrupt the Games that may use physical methods or cyber-attacks, such as defacing websites and distributed-denial-of-service attacks. The warning also devoted a section to potential spear phishing attacks to steal information and malware and spam designed to divert Internet users to malicious sites.

Internet users need to beware of social engineering scams, malware redirects, poisoned search results using blackhat search engine optimization (SEO) techniques, and regular scams, DHS warned. The DHS is also worried about the potential of malicious mobile apps masquerading as Olympic-related applications.

McAfee Study – 1 in 6 users do not use AV protection

An up-to-date report on AV protection trends

McAfee Study – 1 in 6 users do not use AV protection

QUOTE: You’ve got antivirus protection, I’m sure – perhaps you even have a full security suite installed. But what about your friends and neighbors? A study by security giant McAfee reveals that one in six consumers worldwide either has no security protection installed or has protection that’s disabled. An optimist might say instead that five in six do have protection. However, the billions who don’t cause trouble for all of us, as their PCs can easily be co-opted to spread malware, spew spam, or participate in distributed denial of service attacks.

Who’s Safest? – According to McAfee’s report, the top five best-protected countries are, in descending order: Finland, Italy, Germany, New Zealand, and Denmark. In Finland, a hair over 90 percent of consumers have at least basic security protection installed on their PCs. That figure drops to a bit over 86 percent in Italy and on down to 85 percent in Denmark.

Windows 8 Release Preview – released today with Metro compliant apps

The apps were highlighted as a key surprise in early reviews of the new Windows 8 version released to the public today.

Windows 8 Release Preview: Microsoft gets its apps together


QUOTE: Microsoft’s carefully timed unveiling of Windows 8 has been frustratingly incomplete. Today’s launch of the Release Preview fills in many of the missing pieces, with the biggest surprise being a rich and polished collection of Metro style apps. Microsoft publicly unveiled the Windows 8 Release Preview today. If you’ve been skeptical of Windows 8 so far, prepare to be surprised. Microsoft’s painstakingly staged reveal started with a Developer Preview last September, followed by a Consumer Preview at the end of February. Each milestone has unveiled new features, but the overall picture has been frustratingly incomplete.

Microsoft’s Windows 8 Release Preview: What’s in and what’s out
Windows 8 from every angle: A guided tour of the Release Preview

Microsoft – New MVP Award Website launched

A new implementation of the Microsoft MVP site was launched today

Microsoft – New MVP Award Website launched today

The new MVP Award Web site went live today, offering a more in-depth look at this dynamic global community. Here are a few new features you’ll find at the site’s new URL:

· MVP Spotlights—a monthly series that offers a picture of the way individual MVPs make a difference in the community.

· Regional highlights and events—the site is published in 11 languages and showcases what’s happening in MVP communities around the world.

· Live social media feeds—these often reflect local languages and events.

And don’t forget to sneak a peek at the new Find an MVP page, featuring a mosaic of MVP profiles that updates regularly. Recognize anyone?

Microsoft – New MVP Award Website

Facebook – New More granular site ADMIN rights implemented

Facecrooks Security shares how administrators for large corporate sites can set authoring rights on a more granular level than in the past.

How to Set Admin Roles for your Facebook Page

QUOTE: Finally, Facebook is allowing multiple roles for page administrators! Prior to this feature, giving someone admin access to a Facebook page was an all or nothing thing. All admins had complete and total access to the page. Obviously, this posed huge security risks on many different levels and made it way too easy for pages to be hi-jacked or deleted. Also, if any admin had their Facebook account compromised, then pages under their control were in jeopardy. Now all of that has changed and page owners can breathe a sigh of relief. Pages can have admins assigned with the following roles:

1. Manager
2. Content Creator
3. Moderator
4. Advertiser
5. Insights Analyst


Overthinking Compact Flash camera card recovery

My wife took some extra special photos of our daughter at a beach playground, many years ago.

She brought the camera home, full of joy until I tried to copy the photos to my PC hard disk.

There were about 110 photos visible from Windows Explorer. I selected them all, dragged a copy to my hard disk.

At about photo 18, an error came up. “File not found”. I refreshed the view and there were no files on the Compact Flash card. The other 90 photos were gone.

I tried many different memory card file retrieval software programs. I tried undeleters, format checkers, memory card scanners and much more. All I could find was a single, very small, randomly named file. Windows Chkdsk reported no errors. No images were to be found. I could not cope with throwing the card away so I filed it. One day maybe I will find a way to get those files back.

Spurred on by my recent post about USB flash recovery, I thought I might try and recover these files again. The card was a small (by today’s standards) 128 MB card. Back when I first tried, I had Windows XP. I tried all kinds of fancy tools on my newer Windows 7 platform. Nothing. Maybe the IC is no good. Maybe there is an electrical or other fault.

As a last ditch effort (I don’t really know why I did it) I ran a Windows 7 Chkdsk. It scanned the drive and found lost files and marked out 90 files. All these years later, I have the files back.

Is this a lesson to persevere? Is it a lesson in never throwing away your data? Is it a lesson that technology is always changing? Nah, this is just simply a happy moment for me. I have back all my treasured memories.

Maybe my hoarding saved me. Maybe advances in technology saved me. Maybe clinging on saved me. I will leave it to you to get your lesson from this as I am sure you took something from this post.

Windows Server 2012 RC is now out

Scheduled tasks on clusters

This post shows how to use PowerShell in Windows Server 2012 to configure scheduled tasks that apply across the whole cluster, not just a single node.

Well worth a read.

Skywiper (Flamer Virus) – Huge 20MB modular suite of malware

The new Skywiper (aka Flamer) malware suite is modular and incredibly complex as documented in this PC Magazine article:

PC Magazine – Flamer Isn’t a Stuxnet Spinoff

QUOTE: A new and seriously complex malware threat came to light this past weekend, targeting PCs in the Middle East. Some researchers and commentators made the natural assumption that it was connected with the Stuxnet worm which made news in 2010 by disrupting Iran’s nuclear research. After all, when Duqu turned up in 2011, experts concluded it was indeed written by the Stuxnet crowd, or coders with full access to Stuxnet source. But like the song says, it ain’t necessarily so.


This latest threat is called Flamer, Flame, or sKyWIper, depending on who you ask. Flamer, Duqu, and Stuxnet do have some things in common. To start, all three are seriously modular, in a way that lets their command and control servers add or update functionality at any time. Flamer takes this to an extreme, downloading its modules in multiple sessions.

Flamer definitely needs to take it easy on download impact to avoid giving itself away. At 20MB for all modules, it’s a veritable giant. A Stuxnet infestation takes just 500KB of space, according to Kaspersky researchers. Part of Flamer’s size involves the use of many third-party code libraries, prefab modules that handle tasks like managing databases and interpreting script code. Neither Stuxnet nor Duqu rely on third-party modules.

Skywiper (Flame Virus) – Several good links here

McAfee shares excellent summary of Skywiper’s features

QUOTE: Skywiper is a modular, extendable and updateable threat. It is capable, but not limited to the following key espionage functions:

- Scanning network resources
- Stealing information as specified
- Communicate to C&C Servers over SSH and HTTPS protocols
- Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc)
- Both kernel and user mode logic is used
- Complex internal functionality utilizing Windows APC calls and threads start manipulation, and code injections to key processes
- It loads as part of Winlogon.exe then injects to Explorer and Services
- Conceals its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
- Creates screen captures
- Records voice conversations
- Runs on Windows XP, Windows Vista and Windows 7 systems
- Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet
- Uses SQLite Database to store collected information
- Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware)
- Often located on nearby systems: a local network for both C&C and target infection cases
- Utilizes PE encrypted resources

Server stalled …. Symantec System Recovery?

I have a large number of servers out there running Symantec System Recovery (SSR). There are two ways we run it. One way, the backups go direct to local USB drives that are changed daily, the other is to run the backup to a Nas unit and then create off-site copies from the Nas unit.

The clients where we have the Nas units and Offsite backups, get occasional server stalls. The servers seem to still provide Email (SBS 2008/SBS 2011 with Exchange), file and print for a time, and then become unresponsive.

One solution is to reboot the server, the other is to unplug the USB offsite backup drive, and then resources free up and the system is ready to go again.

We have not yet had confirmation; however, we believe we know what is occurring. In my example, we have 5 weeks of backups going to the Nas/San. There is a base backup performed on the weekend and then 6 days of incrementals. The offsite backup is attached to the USB port on the front of the server.

The Offsite backup attempts to copy the entire backup store of the Nas unit across to the USB drive. This includes 5 base backups and all the incrementals. It starts with the most recent files on the Nas and copies this, then the older files until it fills the drive.

Where this seems to fail is in 2 places. It takes longer than 24 hours to copy all the data across so you no longer have a daily offsite backup and the Symantec software is meant to make space available on the USB drive if it runs out, but it does not, it stalls. If the user then walks up to the drive and pulls it out, swapping it for the next day, the server becomes unresponsive.

In the Symantec System Recovery (SSR) console there is no place to schedule offsite backups and the USB drive management is not user configurable.

To solve the issues of my clients I have elected to back off the number of base images that get copied to the Nas unit (shrinking the amount of data to be copied) and run a script over the USB drives to remove all but the last 7 days of data. This leaves space for the new data to be written to the drive and hopefully, with the new data plus the data that is left on the drive, there is not too much left on the Nas to be recopied and it is done in time.

It is working for now so I thought I would share this solution.

We have this issue with SSR 8.5 through to SSR 2012.
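A worked version of the USB pruning script the post mentions, added here as an example rather than the author's own script. It assumes the offsite drive is E:, that SSR names base images `Name001.v2i` and incrementals `Name001_i001.iv2i`, and it goes one step beyond "delete all but the last 7 days" by keeping any base image that a retained incremental still depends on, so what is left on the drive stays restorable.

```powershell
# Added example (not the original post's script): keep the last 7 days of
# Symantec System Recovery files on the offsite USB drive, but never remove a
# base image (.v2i) that a retained incremental (.iv2i) still chains back to.
# Assumptions: drive letter E:, a 7-day window, and the SSR naming convention
# (base "Name001.v2i", incrementals "Name001_i001.iv2i").
param(
    [string]$BackupRoot = 'E:\',   # assumed USB drive letter
    [int]$KeepDays      = 7,
    [switch]$WhatIf                # pass -WhatIf to preview without deleting
)

$cutoff = (Get-Date).AddDays(-$KeepDays)

# PowerShell 2.0 friendly (SBS 2008): filter directories out with PSIsContainer.
$files = @(Get-ChildItem -Path $BackupRoot -Recurse -Include *.v2i, *.iv2i |
    Where-Object { -not $_.PSIsContainer })

# Everything inside the retention window is always kept.
$keep = @($files | Where-Object { $_.LastWriteTime -ge $cutoff })

# A kept incremental "Name001_i003.iv2i" needs its base "Name001.v2i":
# derive the base file name by stripping the "_iNNN" suffix.
$neededBases = @($keep |
    Where-Object { $_.Extension -eq '.iv2i' } |
    ForEach-Object { ($_.BaseName -replace '_i\d+$', '') + '.v2i' } |
    Sort-Object -Unique)

# Delete only what is older than the window and not a still-needed base image.
$toDelete = @($files | Where-Object {
    $_.LastWriteTime -lt $cutoff -and
    -not ($_.Extension -eq '.v2i' -and $neededBases -contains $_.Name)
})

foreach ($f in $toDelete) {
    Write-Output ("Removing {0} ({1:N0} MB, last written {2})" -f `
        $f.FullName, ($f.Length / 1MB), $f.LastWriteTime)
    Remove-Item -LiteralPath $f.FullName -WhatIf:$WhatIf
}

Write-Output ("Kept {0} file(s), removed {1}, protected base image(s): {2}" -f `
    $keep.Count, $toDelete.Count, $neededBases.Count)
```

Run it once with -WhatIf against a drive that holds a full week's chain and confirm the base image for the current week is listed as protected before scheduling it.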