This week I am sitting the Stratus everRun Enterprise Technical Certification course, held at Stratus Technologies, headquartered in Maynard, MA. Much to my delight this is an accelerated course where they cram five days of training into three! I have worked with this and similar technologies originally designed and offered by Marathon Technologies since the nineties, so it’s like old home week coming here. Last year Stratus purchased Marathon and ultimately this is good for the evolution of the everRun product line. This week’s course is designed to train experienced technicians on the newly redesigned everRun Enterprise and I can say that I am very impressed with the new system. Originally built on Citrix XenServer the new product is built on Centos Linux 6.5 and uses the KVM hypervisor. I am a big fan of XenServer but working with this new version of everRun I see the wisdom the Stratus has leveraged in designing this impressive product. The everRun product line is designed to provide a highly fault tolerant server platform to run workloads that require up to five nines of “up time” (less than six minutes of downtime per year). This product is highly regarded as one of the best solutions in the industry for protecting critical applications and data. If you operate computer systems that cannot afford to be down you owe it to yourself to look at this system. Class wraps up tomorrow and I’ll be dashing to the airport to head home to sunny Seattle!
Category Archives: Security
We are pleased to announce that Scott’s books have arrived! ‘The Business Owner’s Essential Guide to I.T.’ is 217 pages packed full of pertinent information.
For those of you who pre-purchased your books, Thank You! Your books have already been signed and shipped, you should receive them shortly and we hope you enjoy them as much as Scott enjoyed writing for you.
If you haven’t purchased your copy, click here, purchase a signed copy from us and all proceeds will be donated to the WA chapter of Mothers Against Drunk Driving (MADD).
A couple of days ago (June 2), the UK’s National Crime Agency announced that law enforcement agencies have effectively disabled key nodes of the GOZeuS network, which provided a key delivery mechanism for CryptoLocker’s ransom malware. They’ve also identified a person believed to be the leader of the criminal enterprise behind GOZeuS, and international officials say that other arrests are “in progress.”
While this is good news, it’s unlikely to be a permanent solution to the ransomware problem, given the distributed nature of Internet-based malware. It does, however, give us some breathing room – perhaps as much as a couple of weeks – to think about how to protect against it.
In case you’re not familiar with what CryptoLocker is, it is a particularly nasty form of malware that first appeared in the fall of 2013, and is typically spread by tricking a user into clicking on a disguised executable. Disguised executables are, in part, enabled by the unfortunate design choice Microsoft made in Windows XP that continued through Windows 7, which was to “Hide extensions for known file types” by default. (Personally, this always annoyed me, and one of the first things I always did when setting up a new PC was to deselect that option. It does appear that it is no longer selected by default in Windows 8 and 8.1.)
This meant that, for example, a Word document that was called “My Important Customer Proposal.docx” would display in Windows Explorer (and elsewhere within the OS) as, simply, “My Important Customer Proposal.” That also meant that if someone sent you an email with a file attachment called MalwareDesignedToStealYourMoney.pdf.exe, it would display in Windows as, simply, MalwareDesignedToStealYourMoney.pdf. An unsophisticated or careless user – or someone who perhaps was just exhausted from a long day and not thinking clearly – might look at the file name and think it was an ordinary Adobe PDF file, and double-click on it to open it up…not realizing that the “.exe” that was hidden from them meant that it was really an executable that was designed to install malware on their system.
“But why,” you might ask, “wouldn’t my anti-virus software protect me against this?” The answer is that some anti-virus products might protect you, depending on how the options are set. But many, if not most, users have local administrator rights to their PCs. (Yes, arguably they shouldn’t, but every IT admin that’s ever tried to take those rights away has had to deal with the howls of protest when users – often top executives – suddenly can’t install iTunes or some other equally essential utility on their PCs.) So unless your AV product is set to scan files whenever they are accessed – a setting that often isn’t enabled even on products that are capable of doing it because it can slow your system down – you won’t know that you’re installing something bad until it’s too late. Local administrators, by definition, have the authority to install software. You launched the installation program, you’re a local administrator, so it’s going to get installed.
Once installed, CryptoLocker checks in with a server on the Internet that assigns a public/private key pair to that PC, and CryptoLocker then happily goes to work using the public key to encrypt all the documents, spreadsheets, pictures, etc., on your system. The latest variants will even encrypt files on network drives if they’re mapped using a drive letter. (So far, it doesn’t appear that CryptoLocker knows how to navigate across UNC paths.) There is even some evidence that the latest variants may wait up to two weeks before locking you out of your files, in the hopes that you will move through a full cycle of backups during that time, meaning that all your backups will also be encrypted and therefore useless to you. Once it’s done its dirty work, you will suddenly be unable to access any of your files, and will be presented with a screen that tells you that you have, typically, 72 hours to submit payment – typically via untraceable money cards or bitcoin – in order to obtain the private key that will decrypt your files. Otherwise, the private key will be automatically destroyed, and your files will be forever out of your reach.
If the thought of having to cough up the equivalent of $300 US or lose all your data leaves you with cold chills (as it does me), what can/should you do?
- First and foremost, educate your users. One of the most basic rules of computer safety is that you simply don’t open email attachments from people you don’t know – and, for that matter, don’t open them from people you do know unless you were expecting them and know what they are. Remember that it’s not that tough to impersonate someone’s email address. At the moment, most CryptoLocker payloads are disguised as invoices from financial institutions, messages from shipping companies, notices from law enforcement agencies, etc., often with scary messages about account closures, final notices, and amounts due. Also beware of zip file attachments. Make sure your users are aware of these common tricks, so they don’t reflexively click to see what a file attachment is.
- If you’re still running Windows 7 or earlier, deselect the “Hide extensions for known file types” option. This will at least make it slightly more likely that someone will notice that there’s something not quite right about the file they’re about to click on.
- Keep your anti-virus products up to date.
- Restrict permissions on shared folders.
- Consider removing local admin rights from users.
- Consider using a prevention tool like “CryptoPrevent” from the folks at Foolish IT, LLC. This is a tool that is free for both private and commercial use – although there is a paid version that will automatically update itself and offers additional features like email alerts when applications are blocked. When installed, it will, silently and automatically, lock down a Windows system by, among other things, preventing executables with double extensions (like “something.pdf.exe”) from running, and preventing executables from running if they’re located in folders where you wouldn’t expect legitimate programs to be located. It implements over 200 rules that will help protect you from other forms of malware as well as CryptoLocker.
It should be noted that, if you’re running a Professional version of Windows that is joined to a Windows domain, all of these rules could be set via group policies, and there are even pre-packaged prevention kits, such as CryptolockerPreventionKit.zip, available at www.thirdtier.net/downloads that will make it easier to set those group policies. But if you’re not comfortable with the whole concept of group policies and/or you’re not in a Windows domain or you’re running a home version of Windows, CryptoPrevent is a fast and easy way to deal with the issue.
Please do not assume that the latest law enforcement announcements mean that we don’t have to worry about CryptoLocker anymore. It’s estimated that CryptoLocker raked in as much as $30 million just in the first 100 days after it appeared in the wild. With that much money in play, it – or something else like it – will inevitably reappear sooner or later.
As nearly everyone knows, Microsoft ended all support for Windows XP on April 8. To Microsoft’s credit, they chose to include Windows XP in the emergency patch that they pushed out last night for the “zero day” IE/Flash vulnerability, even though they didn’t have to, and had initially indicated that they wouldn’t. (Of course, the bad press that would have ensued had they not done so would have been brutal. Still, kudos to them for doing it. Given that so many of us criticize them when they do something wrong, it’s only fair that we recognize them when they do something right.)
But what about next time?
The fact is that if you are still running Windows XP on any PC that has access to the Internet, your business is at risk – and that risk will increase as time goes on. The IE/Flash issue should be a huge wake-up call to that effect.
Windows XP was a great operating system, and met the needs of most businesses for many, many years. However, Windows 7 and Windows 8 really are inherently more secure than Windows XP. Moreover, the realities of the software business are such that no vendor, including Microsoft, can continue to innovate and create new and better products while simultaneously supporting old products indefinitely. The “End of Life” (EOL) date for WinXP was, in fact, postponed multiple times by Microsoft, but at some point they had to establish a firm date, and April 8 was that date. The patch that was pushed out last night may be the last one we see for WinXP. When the next major vulnerability is discovered – and it’s “when,” not “if” – you may find that you’re on your own.
Moving forward, it’s clear that you need to get Windows XP out of your production environment. The only exception to this would be a system that’s isolated from the Internet and used for a specific purpose such as running a particular manufacturing program or controlling a piece of equipment. Unfortunately, a lot of the Windows XP hardware out there simply will not support Windows 7 or Windows 8 – either because it’s underpowered, or because drivers are not available for some of the hardware components. So some organizations are faced with the prospect of writing a big check that they weren’t prepared to write for new hardware if they want to get off of Windows XP altogether – and telling them that they had plenty of warning and should have seen this coming may be true, but it isn’t very helpful. Gartner estimates that between 20 and 25 percent of enterprise systems are still running XP, so we’re talking about a lot of systems that need to be dealt with.
Toby Wolpe has a pretty good article over on zdnet.com about 10 steps organizations can take to cut security risks while completing the migration to a later operating system. The most sobering one is #9 – “Plan for an XP breach,” because if you keep running XP, you will eventually be compromised…so you may as well plan now for how you’re going to react to contain the damage and bring things back to a known-good state.
One suggestion we would add to Toby’s list of 10 is to consider moving to the cloud. Many of the actions on Toby’s list are intended to lock the system down by restricting apps, removing admin rights, disabling ports and drives, etc., which may make the system safer, but will also impact usability. However, a tightly locked-down XP system might make an acceptable client device for accessing a cloud hosted desktop. Alternately, you could wipe the XP operating system and install specialized software (generally Linux-based) that essentially turns the hardware into a thin client device.
But the one thing you cannot do is nothing. In the words of Gartner fellow Neil MacDonald (quoted in Toby’s article), “we do not believe that most organizations – or their auditors – will find this level of risk acceptable.”
Friday, the technology leadership of VirtualQube (and me) descended upon Austin, Texas to meet with our datacenter vendor. It was a meeting long overdue as we had been doing business together for almost four years, but this was the first face-to-face meeting for the entire team.
Our vendor did their homework and took us out to dinner to Bob’s Steakhouse on Lavaca in downtown Austin the night before. It was a GREAT meal, and we had a blast checking out a number of watering holes in the area. According to our hosts, we apparently stopped the festivities just before entering the “seedy” part of the city. I feel like that was the perfect amount of fun to have, especially since we had a 4 hour meeting starting at 9am the next day.
The first thing we started with was a tour of the facility. Our vendor is in a CyrusOne Type Four Level II datacenter. For the uninitiated, this means it’s the best of the best. Fully redundant everything, generally with another safety valve or failover in addition. And the majority of these failovers were tested MONTHLY. Whoa, that’s impressive. We even saw the four huge generators outside that were gas powered and would support the entire building in case of a loss of electricity. Looking inside them (which we weren’t supposed to be allowed to do) was awe inspiring. Basically a V-12 design, with a filter on each cylinder due to its size. I didn’t get the specs, and I would have gotten a photo but security showed up right as I had grabbed for my phone. Just believe me that this building had thought of everything that could go wrong.
I broke the rules and took a picture of all the blinking lights. Kinda looks like my home theater, only more expensive (which is tough to do!).
After the tour we talked about ways to work together for the coming years and both teams came away with a list of action items to make our collective futures brighter. And I’m off to get started on one of those projects now!