Spybot Search & Destroy Weekly Update – October 29, 2014

2014-10-29 Adware + Firseria + InstallMonetizer PUPS ++ SoftwareMile + UpToDown Spyware + Marketscore.RelevantKnowledge Trojan ++ Win32.Agent.ekyu ++ Win32.DownLoader.elf + Win32.HLDS.flood ++ Win32.Madang.A + Win32.Ramnit.F Total: 2601222 fingerprints in 812028 rules for 7358 products. »www.safer-networking.org/about/updates/

How to Turn Taskbar Notification Area System Icons On or Off in Windows 10

System icons, including Clock, Volume, Network, Power, Action Center, Input Indicator, and Notification Center are special icons that are part of Windows. For these icons, you can change how the icons and notifications appear, and also whether they show up at all. You might turn off a system icon if either you or your computer manufacturer have installed a similar program. If you turn a system icon off, you can always turn it back on later.

Turning off a system icon removes the icon and turns off notifications.

This tutorial will show you how to turn on or off system icons on your taskbar notification area in Windows 10.

How to Open the Control Panel in Windows 10

In Windows 10, there are a few different ways to find and change your settings: PC settings, Control Panel, the Settings charm, and Search. Most of the settings that you’ll want to change can be found in PC settings.

In PC settings, you can change most Windows settings, such as changing your screen resolution, adding and removing devices, personalizing the lock screen, changing the date and time, and adding user accounts.

The Control Panel includes some additional settings that you might use less often, such as customizing the desktop.

This tutorial will show you how to open the Control Panel in Windows 10, and to change it to display with the Category, Large icons, or Small icons view.

JEA ToolKit Helper

JEA – Just Enough Admin – brings Role Based Access Control to Windows. It enables you to delegate specific cmdlets to specific users on specific endpoints.

A tool to help you create and manage JEA configurations is now available from

http://blogs.technet.com/b/privatecloud/archive/2014/10/24/introducing-the-jea-toolkit-helper.aspx

A white paper on JEA is also available from the same link.

Swift Programming 101: Mastering Protocols & Delegates (Part 1)

Step-by-step tutorial teaches you protocols and delegates in Swift!

http://www.iphonelife.com/blog/31369/swift-programming-101-mastering-protocols-and-delegates

All the best! 
Kevin McNeish 
Author: iOS App Development for Non-Programmers book series 
Twitter: @kjmcneish 

Malvertising is still around…

Incident reported on 22 October 2014. Source: http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php

“Without having to click on anything, visitors to the impacted websites may be stealthily infected with the CryptoWall 2.0 ransomware. Using Adobe Flash, the malvertisements silently “pull in” malicious exploits from the FlashPack Exploit Kit. The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computers. Similar to the behavior of other “ransomware,” CryptoWall then encrypts the end-users’ hard drive and will not allow access until the victim pays a fee over the Internet for the decryption key. Typically, the end-users face an escalating time deadline; failure to pay by the deadline results in their hard drives being permanently encrypted, thus rendered effectively useless, with all information inaccessible.”

The affected sites are listed in the Proofpoint article.

Do you use Chrome? And have a Google account? And use 2 Factor Authentication? You may want a “security key”

https://support.google.com/accounts/answer/6103523
“If you use 2-Step Verification, you can choose Security Key as your primary method, instead of having verification codes sent to your phone. With Security Key, there’s no looking at codes and re-typing―you simply insert your Security Key into your computer’s USB port when asked.”

Yes, you have to make sure you don’t lose your USB key.  But, what happens if you lose your key? Well, you can enter a normal Verification Code at any time.  And, Google says:
“Is my account safe if I lose my Security Key? Your Security Key has no record of your accounts. Somebody who finds the Security Key cannot query it for the accounts it contains, because it doesn’t store this information. All the Security Key can do is to answer a challenge from an account that it has been previously registered to. A lost Security Key is useful to the finder if only he/she also knows the username and the password for the Google Accounts where the Security Key has been registered. It is similar to losing a house key on the street — it is useful to the finder only if he/she can somehow guess which house the key belongs to.”

VSO now available in a European Azure Data Center

I don’t normally do posts that are just re-posts of TFS announcements, it is much better to get the information first hand from the original post, but this one is significant for us in Europe…

Up to now there has been a barrier to adoption of VSO in that the underlying data will be hosted in the USA. Now there are all the usual Azure Microsoft guarantees about data security, but this has not been enough for some clients for legal, regulatory or their own reasons. This has made VSO a non-starter for many Europeans where it at first appears a great match.

As of today you can now choose to host your new VSO account in Europe (Amsterdam data center). It won’t remove everyone’s worries of cloud hosting, but certainly is a major step in the right direction from a European point of view, addressing many regulatory barriers.

Unfortunately we will have to wait a few sprints to be able to migrate any existing VSO instances, but you can’t have everything in one go!

For the full details have a look at Brian Harry’s and Jamie Cool’s posts.


Source: Rfennell

FBI Warning – Fake Fraudulent Corporate Purchase Orders

The FBI warns of an increase in highly realistic purchase orders used to defraud corporate suppliers.

http://www.fbi.gov/news/stories/2014/october/cyber-crime-purchase-order-scam-leaves-a-trail-of-victims/cyber-crime-purchase-order-scam-leaves-a-trail-of-victims

QUOTE: What began as a scheme to defraud office supply stores has evolved into more ambitious crimes that have cost retailers around the country millions of dollars—and the Nigerian cyber criminals behind the fraud have also turned at-home Internet users into unsuspecting accomplices.

FBI investigators are calling it purchase order fraud, and the perpetrators are extremely skillful. Through online and telephone social engineering techniques, the fraudsters trick retailers into believing they are from legitimate businesses and academic institutions and want to order merchandise. The retailers believe they are filling requests for established customers, but the goods end up being shipped elsewhere—often to the unsuspecting at-home Internet users, who are then duped into re-shipping the merchandise to Nigeria.

“They order large quantities of items such as laptops and hard drives,” said Special Agent Joanne Altenburg, who has been investigating the cyber criminals since 2012 out of our Washington Field Office. “They have also ordered expensive and very specialized equipment, such as centrifuges and other medical and pharmaceutical items.”

Indicators of Fraud – Businesses can avoid becoming victims of purchase order fraud by being aware of several fraud indicators:

- Incorrect domain names on websites, e-mails, and purchase orders. The scammers use nearly identical domain names of legitimate organizations, but in the case of a university, for example, if the URL does not end in .edu, it is likely fraudulent.
- The shipping address on a purchase order is not the same as the business location. Likewise, if the delivery address is a residence or self-storage facility, it should raise red flags.
- Poorly written e-mail correspondence that contains grammatical errors, suggesting that the message was not written by a fluent English speaker.
- Phone numbers not associated with the company or university, and numbers that are not answered by a live person.
- Orders for unusually large quantities of merchandise, with a request to ship priority or overnight.

Microsoft Security Development Lifecycle – a historical account

This historical account shared by Microsoft is excellent, as the events it describes led to the strategic Trustworthy Computing directive and to improved security protection and update processes.

http://www.microsoft.com/security/sdl/story/default.aspx#chapter-1

Across thousands of developers and millions of lines of code, one company learns to build secure software in an increasingly insecure world. It was 2 a.m. on Saturday, July 13, 2001, when Microsoft’s then head of security response, Steve Lipner, awoke to a call from cybersecurity specialist Russ Cooper. Lipner was told a nasty piece of malware called “Code Red” was spreading at an astonishing rate. Code Red was a worm — a malicious computer program that spreads quickly by copying itself to other computers across the Internet. And it was vicious. At the time, ABC News reported that, in just two weeks, more than 300,000 computers around the world were infected with Code Red — including some at the U.S. Department of Defense and Department of Justice.

Windows 10 – Preview version guided tour by Network World

These 20 slides share highlights of the new features that are part of the Windows 10 Preview version.

http://www.networkworld.com/article/2835036/windows/windows-10-a-guided-tour.html

QUOTE: Microsoft released a technical preview of the next version of Windows for the public to download and try for free. Although a final release with additional features isn’t expected until the middle of 2015, there are already a number of changes compared to Windows 8.1. Here are some of the most prominent features summarized in a slide show presentation.

Leadership – Principles apply regardless of position you are in

Leadership is more of a special attribute of someone that makes them stand out from the rest, rather than a title or position.

http://www.johnmaxwell.com/blog/how-can-you-be-a-leader-right-where-you-are

QUOTE:  Often hear this question from younger aspiring leaders. They want to apply my teaching to their current situation, but they don’t know how. The good news is that you can be a leader no matter where you are. You don’t need a title. You don’t need a position. You don’t need a formal education. All you need to begin is the desire to lead and the willingness to learn. The key is influence.

1. Leadership Is Influence
2. Influencing Others Is a Choice
3. Our Influence Is Not Equal in All Areas
4. With Influence Comes Responsibility
5. People of Positive Influence Add Value to Others

SSL version 3.0 – Testing and Disabling services for POODLE vulnerability

To test whether your browser (the PC client side) is vulnerable:

https://www.poodletest.com

For corporate users to test server vulnerabilities:

https://ssltest.com

Excellent documentation on how to disable SSL3 on servers and clients:

https://isc.sans.edu/diary/POODLE%3A+Turning+off+SSLv3+for+various+servers+and+client.++/18837

To turn off SSLv3 support in Internet Explorer 11:

Settings -> Internet Options -> Advanced tab -> Uncheck “SSL version 3.0” under “Security”.

SSL version 3.0 – POODLE vulnerability compromises security

The Internet Storm Center has excellent resources on the new POODLE vulnerability, which can greatly compromise encrypted sessions for the legacy SSLv3 protocol under the right circumstances.

https://isc.sans.edu/diary/SSLv3+POODLE+Vulnerability+Official+Release/18827

https://isc.sans.edu/diary.html?storyid=18837

https://technet.microsoft.com/en-us/library/security/3009008.aspx

QUOTE: Finally we got an official announcement. SSLv3 had issues in the past. Remember the BEAST attack? It was never resolved (other than moving to TLS 1.1/2). The only alternative was to use a stream cipher like RC4, which had its own problems.

But this POODLE issue is different. With block ciphers, we have a second problem: What if the block to be encrypted is too short? In this case, padding is used to make up for the missing data. Since the padding isn’t really considered part of the message, it is not covered by the MAC (message authorization code) that verified message integrity.

So what does this mean in real life? The impact is similar to the BEAST attack. An attacker may either play MitM, or may be able to decrypt parts of a message if the attacker is able to inject data into the connection just like in the BEAST attack. The attack allows one to decrypt one byte at a time, if the attacker is able to inject messages right after that byte that include only padding.

What should you do: Disable SSLv3. There is no patch for this. SSLv3 has reached the end of its useful life and should be retired. This isn’t a “patch now”. Give it some time, test it carefully, but get going with it. The other problem is that this is a client and a server issue. You need to disable SSLv3 on either. Start with the servers for highest impact, but then see what you can do about clients.
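
The two POODLE items above recommend checking servers for SSLv3 and then disabling it on both sides. As an added example that is not part of the original page or the ISC diaries it quotes, this Python probe sends a hand-built SSL 3.0 ClientHello (modern ssl libraries no longer speak SSLv3, so the record is assembled by hand) and reports whether the server answers with an SSLv3 ServerHello, an alert, or nothing; the host and port are whatever you pass in, and the sample responses are constructed, not captured from any real host.

```python
"""Probe whether a server still negotiates SSL 3.0 (the protocol POODLE targets)."""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"
# Cipher suites an SSLv3-era server commonly accepts (AES-CBC, 3DES-CBC, RC4).
SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"


def build_sslv3_client_hello() -> bytes:
    """Return one record carrying an SSLv3 ClientHello (SSLv3 has no extensions)."""
    body = (SSLV3 + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(SUITES)) + SUITES     # cipher suite list
            + b"\x01\x00")                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns after the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"          # closed or silent: SSLv3 not offered
    ctype = data[0]
    if ctype == 0x15:                 # alert record, e.g. protocol_version / handshake_failure
        return "alert"
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake: ServerHello
        # record header (5) + handshake type (1) + length (3): server_version sits at 9..10
        return "sslv3-accepted" if data[9:11] == SSLV3 else "unexpected-version"
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample responses (not captured from any real host) for offline checks.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a"            # handshake record, version 3.0, 42 bytes
                       + b"\x02\x00\x00\x26" + SSLV3      # ServerHello, length 38, version 3.0
                       + bytes(32)                        # server random (zeroed)
                       + b"\x00\x00\x2f\x00")             # empty session id, suite 0x002f, null compression
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"            # fatal alert 70: protocol_version

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        print("constructed ServerHello ->", classify_response(SAMPLE_SERVER_HELLO))
        print("constructed alert       ->", classify_response(SAMPLE_ALERT))
```

A result of "sslv3-accepted" means the server will still negotiate the protocol and the disable-SSLv3 advice above applies to it.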

Microsoft Security Updates – OCTOBER 2014

Critical security updates to Microsoft Windows, Internet Explorer, .NET Framework, Office and other products became available on Patch Tuesday. Users should promptly update to enjoy the best levels of protection. So far, no issues have been encountered in early use after installation.

https://isc.sans.edu/diary/Microsoft+October+2014+Patch+Tuesday/18819

http://technet.microsoft.com/en-us/security/bulletin/ms14-oct

How to Open Charms in Windows 10

Windows 10 has the Settings, Devices, Start, Share, and Search charms available. Charms are context sensitive to the location (desktop vs Start screen) and application that is running when opened.

This tutorial will show you how to open the charms to search, share, print, and more in Windows 10.

Turning a Disaster Recovery Test into a Disaster

I recently assisted a customer with a disaster recovery test for Exchange 2013 that went very wrong. I’m sharing what happened here in case the same unfortunate series of events happens to you, so you know how to recover from it, or better yet, maybe prevent it in the first place.

The customer’s Exchange 2013 environment consists of a three node DAG, two nodes in the primary datacenter and another in the DR datacenter. The DAG is configured for DAC mode. The customer wisely wanted to test the DR failover procedures so they know what to expect in case the primary datacenter goes offline.

The failover process went smoothly. The SMTP gateways and Exchange 2013 servers in the primary datacenter were turned off and the DAG was forced online in the DR datacenter. Internal and external DNS was then updated to point to the DR site. CAS connectivity and mail flow was tested successfully from all endpoints – life was good. The customer wanted to leave it failed over to the DR site for a few hours to confirm there were no issues. 

Now it was time to fail back. The documentation says to confirm that the primary datacenter is back online and there’s full network connectivity between the Exchange servers in both sites. Then log in to each DAG member in the primary site and run “cluster node /forcecleanup” to ensure the servers are ready to be rejoined to the DAG.

But the customer scrolled past the part about where to run the command and ran it on the only node in the DR site. This essentially wiped the cluster configuration from the only node that held it. Instantly, the cluster failed and all the databases went offline. Since no other cluster nodes were online there was nothing to fail back to.

We fixed it by turning on the two DAG members in the primary site and starting the DAG in that site. That brought the databases online, but they were not up to date. We used the Windows Failover Cluster Manager console to evict the DR node and then add it back in. After AD replicated we saw that replication between all three nodes was working and the databases came up to date from Safety Net. We didn’t even need to reseed any of the database copies. Disaster averted.

So how did this happen and what can be done to prevent it?

Human nature is to skip large blocks of text and read for the steps that need to be done. This is especially true when you’re fairly comfortable with the steps or you’re under pressure. For this reason, I keep my procedures pretty concise with maybe a sentence or two explaining why this step or procedure is being done.

In this case, the customer scrolled past the text explaining where to run the command and just ran it from the wrong server.

Here are my suggestions for creating disaster recovery documentation.

  • Know your audience. You need to make an assumption about who will be reading the DR documentation. Will it be the same people who manage the infrastructure in the primary site? Maybe not, if this is a true disaster. Make sure you write the documentation for the right audience. Avoid acronyms that unfamiliar users may not know, or at least spell it out once and then add the acronym the first time you use it. For example, Client Access Server (CAS).
  • Keep your DR procedures concise. People skip walls of text. Murphy’s Law says that DRs happen at the worst times and people don’t want to read a bunch of background information that’s not pertinent to the task at hand. In a real disaster there will probably be a lot of other things going on and management asking for status. You might want to write your procedures like a cookie recipe. You don’t need to be a chef to follow a recipe, but you do need to know how to fix it if something in the recipe goes wrong. Provide links in the documentation that reference TechNet concepts, as needed.
  • Highlight important steps. Use highlighting to call out important steps in the procedures, but don’t overdo it. Too much highlighting will make it difficult to read. You can highlight using color or simple blocks of text, such as:
Important: The following procedures should be run from SERVER1.
  • Make sure the steps read top to bottom. Don’t bounce around in the document or refer to previous steps unless it’s something like, “Repeat for all other client access servers.” Avoid procedures like, “Cut the blue wire after cutting the red wire.” Try not to allow page breaks between important steps, if possible.
  • Use targeted commands, when possible. If a command can be targeted to a specific object it won’t run if the object is unavailable. For example, the command “cluster node SERVER1 /forcecleanup” will run only if SERVER1 is up, rather than assuming the user is running it from the correct server. This particular suggestion would have prevented the unexpected outage in my example.

Source: Expta

Getting ready to do a dry run of my migration

And figured that it was also a good time to double check that I could recover from my backups. So I parked a backup onto an external USB drive that was attached to my new Hyper-V host. I shared out the USB drive to “everyone” in order to get it from the domain over to a workgroup host (note to self: this should be ‘unshared’ from this methodology in order to protect from CryptoLocker later on). I went across the network from my SBS box to the USB attached hard drive on the Hyper-V host (workgroup mode, not domain, ergo why I had to do the Everyone share).

So then I went to the Hyper-V host, set up a new virtual server with the drive settings that matched the other SBS box. I then made the USB external drive “offline” in the parent’s computer management [this is a key element; if you don't do this you can't attach the external USB drive to the child Hyper-V]. Then I went into the Hyper-V settings, added an IDE drive (not SCSI – it has to be IDE) and then attached the physical external drive.

I then boot up with a matching media to whatever I’m trying to restore – Vista/SBS 2008 for the SBS 2008 era, Windows 7 or SBS 2011 for the SBS 2011 era – and go to the repair computer section. I say I’m going to make a full recovery and let it ‘find’ the backup. If you’ve done the attaching to the child right it will find that backup and then let you do a full restore.

Upon rebooting, remember that the NICs will still be in ghost country and it will boot with a 169.x.x.x IP, as your real IP is bound to the ghosted NIC.

http://www.happysysadm.com/2011/01/removing-ghost-nics-after-p2v.html

(Same process as P2V-ing.) Then reassign your IP address to the new NIC.

Now I’m all set to do a dry run migration.

And yes, to get the virtual router to work I had to manually assign a static IP to the virtual NIC, otherwise it wouldn’t pick up an address. Ah, the lessons we learn.

PowerShell classes — using methods

.NET objects usually have methods as well as properties. A method enables you to do something to or with the object.  PowerShell classes can implement methods:

class LastBoot {
    [string]$ComputerName
    [DateTime]$LastBootTime

    ## methods

    # Returns how long the machine has been up, given its last boot time
    [TimeSpan] Uptime([datetime]$lbt)
    {
        $ts = (Get-Date) - $lbt
        return $ts
    }

    ## constructors
    LastBoot(){}

    # Inside a class, properties are set through $this;
    # a bare $ComputerName = ... would only create a local variable
    LastBoot([string]$computer, [DateTime]$lbt) {
        $this.ComputerName = $computer
        $this.LastBootTime = $lbt
    }

}

$comp = $env:COMPUTERNAME
$lbtime = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $comp |
    Select-Object -ExpandProperty LastBootUpTime

# Parameterless constructor; the two-argument form is [LastBoot]::new($comp, $lbtime)
$obj = [LastBoot]::new()
$obj | Get-Member

$obj.Uptime($lbtime)

A method is defined like this:

[TimeSpan] Uptime([datetime]$lbt)
{
    $ts = (Get-Date) - $lbt
    return $ts
}

Give the type of the return value and the type and name of each input parameter. If you don’t give an input type, System.Object is assumed.

Write the code to perform the method’s action.

Use return to return any values from the method. If your method doesn’t return anything, use a return type of [void] in the definition.

You must use return with a method. You can’t just put the object on the pipeline as you would with a function.

PowerShell classes are still a work in progress and you may see changes when we see the next preview.

SpywareBlaster Database Update – October 27, 2014

11 Internet Explorer
5 Restricted Sites
0 Firefox

17103 items in database

http://www.brightfort.com/downloads.html
