Category Archives: Security

eDiscovery Part 2 – PST Files vs. Exchange Archiving

This is the second in a series of blog posts on eDiscovery, which will include video excerpts from the presentation we made at the O365 Nation Fall Conference held in Redmond last month. In Part 1 of this series, we discussed the lifecycle of an Exchange email message, what the “Recoverable Items” folder is all about, and the role of the “Single Item Recovery” feature in Microsoft Exchange.

In this segment, we discuss PST files – why you may not want people using them, how to prevent their use, and the archiving functionality that is built into Exchange 2010 and 2013 and why it’s a better option.

eDiscovery Part 1 – Lifecycle of an Email Message

Last Friday, September 26, VirtualQube was invited to present at the O365 Nation fall conference in Redmond on the subject of eDiscovery and Organizational Search in Microsoft Office. O365 Nation is a new organization created by our long-time friend Harry Brelsford, the founder of SMB Nation, and, as you might expect, most of the content at the conference was related to Office 365. However, since the eDiscovery and Search tools in question are built into Exchange, SharePoint, and Lync, the subject matter of our presentation is equally applicable to on premises deployments of these products.

This is the first of a series of blog posts on this topic, which will include video excerpts from the presentation.

It is important to note that the Microsoft tools discussed here only cover a portion of the Electronically Stored Information (“ESI”) that an organization may be required to produce as part of a discovery action. ESI can include Web content, social media content, videos, voice mails, etc., in addition to the information contained in email and Lync messages, and SharePoint content. The primary purpose of these tools is to enable you to preserve email, Lync, and SharePoint content in its original form, perform integrated searches across all three platforms – plus file shares that are being indexed by SharePoint, and export the results in an industry-standard format that can be ingested into third-party eDiscovery tools for further processing.

Since, by sheer volume, email is likely to be the largest component an organization will have to deal with, this series will begin with a discussion of the lifecycle of an email message in Microsoft Exchange – specifically, what happens to an email message when the user’s “Deleted Items” folder is emptied, and how we can insure that if a user attempts to modify an existing message, a copy of that message in its original form is preserved.

Stratus everRun Enterprise Technical Certification Course

This week I am sitting the Stratus everRun Enterprise Technical Certification course, held at Stratus Technologies, headquartered in Maynard, MA. Much to my delight this is an accelerated course where they cram five days of training into three!  I have worked with this and similar technologies originally designed and offered by Marathon Technologies since the nineties, so it’s like old home week coming here. Last year Stratus purchased Marathon and ultimately this is good for the evolution of the everRun product line. This week’s course is designed to train experienced technicians on the newly redesigned everRun Enterprise and I can say that I am very impressed with the new system. Originally built on Citrix XenServer the new product is built on Centos Linux 6.5 and uses the KVM hypervisor. I am a big fan of XenServer but working with this new version of everRun I see the wisdom the Stratus has leveraged in designing this impressive product. The everRun product line is designed to provide a highly fault tolerant server platform to run workloads that require up to five nines of “up time” (less than six minutes of downtime per year). This product is highly regarded as one of the best solutions in the industry for protecting critical applications and data. If you operate computer systems that cannot afford to be down you owe it to yourself to look at this system. Class wraps up tomorrow and I’ll be dashing to the airport to head home to sunny Seattle!

Stratus console

Scott’s Book Arrived!

IMG_1716

We are pleased to announce that Scott’s books have arrived! ‘The Business Owner’s Essential Guide to I.T.’ is 217 pages packed full of pertinent information.

For those of you who pre-purchased your books, Thank You! Your books have already been signed and shipped, you should receive them shortly and we hope you enjoy them as much as Scott enjoyed writing for you.

If you haven’t purchased your copy, click here, purchase a signed copy from us and all proceeds will be donated to the WA chapter of Mothers Against Drunk Driving (MADD).

A Brief Respite from CryptoLocker

A couple of days ago (June 2), the UK’s National Crime Agency announced that law enforcement agencies have effectively disabled key nodes of the GOZeuS network, which provided a key delivery mechanism for CryptoLocker’s ransom malware. They’ve also identified a person believed to be the leader of the criminal enterprise behind GOZeuS, and international officials say that other arrests are “in progress.”

While this is good news, it’s unlikely to be a permanent solution to the ransomware problem, given the distributed nature of Internet-based malware. It does, however, give us some breathing room – perhaps as much as a couple of weeks – to think about how to protect against it.

In case you’re not familiar with what CryptoLocker is, it is a particularly nasty form of malware that first appeared in the fall of 2013, and is typically spread by tricking a user into clicking on a disguised executable. Disguised executables are, in part, enabled by the unfortunate design choice Microsoft made in Windows XP that continued through Windows 7, which was to “Hide extensions for known file types” by default. (Personally, this always annoyed me, and one of the first things I always did when setting up a new PC was to deselect that option. It does appear that it is no longer selected by default in Windows 8 and 8.1.)
Hide extensions of known file types
This meant that, for example, a Word document that was called “My Important Customer Proposal.docx” would display in Windows Explorer (and elsewhere within the OS) as, simply, “My Important Customer Proposal.” That also meant that if someone sent you an email with a file attachment called MalwareDesignedToStealYourMoney.pdf.exe, it would display in Windows as, simply, MalwareDesignedToStealYourMoney.pdf. An unsophisticated or careless user – or someone who perhaps was just exhausted from a long day and not thinking clearly – might look at the file name and think it was an ordinary Adobe PDF file, and double-click on it to open it up…not realizing that the “.exe” that was hidden from them meant that it was really an executable that was designed to install malware on their system.

“But why,” you might ask, “wouldn’t my anti-virus software protect me against this?” The answer is that some anti-virus products might protect you, depending on how the options are set. But many, if not most, users have local administrator rights to their PCs. (Yes, arguably they shouldn’t, but every IT admin that’s ever tried to take those rights away has had to deal with the howls of protest when users – often top executives – suddenly can’t install iTunes or some other equally essential utility on their PCs.) So unless your AV product is set to scan files whenever they are accessed – a setting that often isn’t enabled even on products that are capable of doing it because it can slow your system down – you won’t know that you’re installing something bad until it’s too late. Local administrators, by definition, have the authority to install software. You launched the installation program, you’re a local administrator, so it’s going to get installed.

CryptoLocker screen cap
Once installed, CryptoLocker checks in with a server on the Internet that assigns a public/private key pair to that PC, and CryptoLocker then happily goes to work using the public key to encrypt all the documents, spreadsheets, pictures, etc., on your system. The latest variants will even encrypt files on network drives if they’re mapped using a drive letter. (So far, it doesn’t appear that CryptoLocker knows how to navigate across UNC paths.) There is even some evidence that the latest variants may wait up to two weeks before locking you out of your files, in the hopes that you will move through a full cycle of backups during that time, meaning that all your backups will also be encrypted and therefore useless to you. Once it’s done its dirty work, you will suddenly be unable to access any of your files, and will be presented with a screen that tells you that you have, typically, 72 hours to submit payment – typically via untraceable money cards or bitcoin – in order to obtain the private key that will decrypt your files. Otherwise, the private key will be automatically destroyed, and your files will be forever out of your reach.

If the thought of having to cough up the equivalent of $300 US or lose all your data leaves you with cold chills (as it does me), what can/should you do?

  • First and foremost, educate your users. One of the most basic rules of computer safety is that you simply don’t open email attachments from people you don’t know – and, for that matter, don’t open them from people you do know unless you were expecting them and know what they are. Remember that it’s not that tough to impersonate someone’s email address. At the moment, most CryptoLocker payloads are disguised as invoices from financial institutions, messages from shipping companies, notices from law enforcement agencies, etc., often with scary messages about account closures, final notices, and amounts due. Also beware of zip file attachments. Make sure your users are aware of these common tricks, so they don’t reflexively click to see what a file attachment is.
  • If you’re still running Windows 7 or earlier, deselect the “Hide extensions for known file types” option. This will at least make it slightly more likely that someone will notice that there’s something not quite right about the file they’re about to click on.
  • Keep your anti-virus products up to date.
  • Restrict permissions on shared folders.
  • Consider removing local admin rights from users.
  • Consider using a prevention tool like “CryptoPrevent” from the folks at Foolish IT, LLC. This is a tool that is free for both private and commercial use – although there is a paid version that will automatically update itself and offers additional features like email alerts when applications are blocked. When installed, it will, silently and automatically, lock down a Windows system by, among other things, preventing executables with double extensions (like “something.pdf.exe”) from running, and preventing executables from running if they’re located in folders where you wouldn’t expect legitimate programs to be located. It implements over 200 rules that will help protect you from other forms of malware as well as CryptoLocker.

    It should be noted that, if you’re running a Professional version of Windows that is joined to a Windows domain, all of these rules could be set via group policies, and there are even pre-packaged prevention kits, such as CryptolockerPreventionKit.zip, available at www.thirdtier.net/downloads that will make it easier to set those group policies. But if you’re not comfortable with the whole concept of group policies and/or you’re not in a Windows domain or you’re running a home version of Windows, CryptoPrevent is a fast and easy way to deal with the issue.

Please do not assume that the latest law enforcement announcements mean that we don’t have to worry about CryptoLocker anymore. It’s estimated that CryptoLocker raked in as much as $30 million just in the first 100 days after it appeared in the wild. With that much money in play, it – or something else like it – will inevitably reappear sooner or later.