Wednesday, December 12, 2012

Dexter - infecting a point of sale near you

Breaking news - more action steps will be provided later as I find, collate and analyze them.

Two links for more information:

Dexter - Draining blood out of Point of Sales

"Dexter" malware steals credit card data from point-of-sale terminals

Dexter is stealing the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data. This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system.

Initial action steps recommended:

Check back end servers for unusual outgoing Internet activity. 

Run updated AV deep scans on all equipment in the Credit Card transmit path. (POS terminals, backend, database)

 . . . more forthcoming . . .


Stop using Debit cards (I've said this before).  Credit cards have much better fraud protection and won't cause you to lose your checking/savings account balances overnight if you get hit.

If you have shopped with your credit or debit card at any restaurant or merchant in the last three months, you should carefully check your transaction history for those cards - a good practice to do in any case and even more vital now. 

Friday, November 9, 2012

Dear Mr. President

Tuesday, August 14, 2012

Microsoft Update KB2647753 is broken (Fix it)

Update:  Looks like Microsoft has pulled the offending patch.  Expect it to be released again sometime in the near future - hopefully without further problems.  If you see a repeat update and don't want to apply the manual fix, simply force a new check for updates.  If you prefer to be fully patched, then you can proceed directly to the fix it section below.


One of the Recommended Updates for patch Tuesday of August 2012 is broken.  When you install updates and reboot, you will see the patch for KB2647753 presented.  Installing it (again and again) will not make it go away.  Each time it will claim to have been successful . . . but I'm not certain that's true.  Worse, your system may insist on attempting to re-install this patch every time you shut down your workstation - prolonging the shut down procedure.

Hopefully Microsoft will notice this problem later today or perhaps this week and fix the problem from their end.

Until they do, you have two options.

1) Ignore it, or hide it (not really recommended)

2) Fix the problem manually.

What is KB2647753?

It's a non-critical but recommended update to the printing core components for Windows 7 and Server 2008.  It does not apply to Server 2003 or Windows XP.

Here's how to fix it manually:

a) Open your Control Panel, go to "Programs and Features" (also known as "Uninstall a program" if you use the Category view in Control Panel)

b) Click the link on the left to "View installed updates"

c) I recommend changing the view to Detailed view and sorting on Name, then scroll down to the Microsoft Windows section and locate:  "Update for Microsoft Windows (KB2647753)"

d) Right click KB2647753 and UNinstall it . . . wait for the process to complete.

e) Reboot your workstation

f) Get over to and download the full installer for this patch - make sure you get the right version for your OS including x86 versus x64.  You will be asked to allow Microsoft to Validate your Windows OS license.

g) Run that installer, let it complete, then reboot your workstation again.

h) Check your Windows Update, force a check for updates, and the repeat offender should now be gone. 
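Added example, not part of the original post: steps a) to e) and g) of the manual fix as PowerShell, for an elevated prompt on Windows 7 / Server 2008 R2. The full installer for step f) must still be downloaded from Microsoft by hand; the script never fetches anything.

```powershell
# Added example (not from the post). Uses only Get-HotFix and wusa.exe, both
# present on Windows 7 / Server 2008 R2. Run from an elevated PowerShell prompt.

function Test-UpdateInstalled {
    param([string]$KbNumber = '2647753')
    # Get-HotFix wraps Win32_QuickFixEngineering and raises a non-terminating
    # error when the KB is absent, so "no result" means "not installed".
    $hf = Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Remove-BrokenUpdate {
    # Steps a) to d): uninstall the update with the Windows Update Standalone
    # Installer instead of clicking through Programs and Features.
    param([string]$KbNumber = '2647753')
    if (-not (Test-UpdateInstalled $KbNumber)) {
        Write-Host "KB$KbNumber is not listed as installed; nothing to remove."
        return $false
    }
    # /quiet suppresses the dialog, /norestart lets you reboot when ready (step e).
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
         -ArgumentList "/uninstall /kb:$KbNumber /quiet /norestart"
    switch ($p.ExitCode) {
        0       { Write-Host "KB$KbNumber removed."; return $true }
        3010    { Write-Host "KB$KbNumber removed; reboot required (step e)."; return $true }
        default {
            Write-Warning "wusa.exe exited with code $($p.ExitCode); see $env:windir\WindowsUpdate.log."
            return $false
        }
    }
}

function Install-UpdatePackage {
    # Step g): run the full .msu you downloaded in step f), then reboot again.
    param([Parameter(Mandatory=$true)][string]$MsuPath)
    if (-not (Test-Path $MsuPath)) { throw "Installer not found: $MsuPath" }
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
         -ArgumentList "`"$MsuPath`" /quiet /norestart"
    return (@(0, 3010) -contains $p.ExitCode)
}

# Typical sequence (the .msu path is a placeholder for the file you downloaded):
#   Remove-BrokenUpdate; Restart-Computer
#   Install-UpdatePackage 'C:\Downloads\<the x86 or x64 .msu you downloaded>'; Restart-Computer
```

Afterwards force a check in Windows Update as in step h); the update should no longer be offered.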

Hope this helps.

Monday, July 16, 2012

Close port 3389 (Remote Desktop) on your firewalls NOW

If you have allowed the Remote Desktop protocol direct access through your firewall (port 3389), and you have an answering RDP server behind it, you may soon be compromised with a very nasty ransomware takeover that encrypts your data files.

Picked up two new clients this week; both were attacked and taken over by a remote entity.  Both lost substantial company data.  One was saved by a rotating backup -- they were able to restore from that after the hack was shut down.  The other did not have an offsite backup, and they lost data that we will never recover.

The hacker did the following:

1) Installed a process that began encrypting all docs, pdfs, jpgs, and several other file formats into a secure RAR archive form.  It then secure deleted the originals.  The encrypted files look like
 yourfilename.txt(!! to decrypt email id 0000000 to !!).exe

2) Installed a Group Policy script that enabled the Guest account, set an unknown password on it, and gave it carte blanche access to all administrative roles including RDP.  That script was set to run on any user's login, so disabling the Guest account would only hold until the next time the admin logged in.

3) Locked the login screen for all users on the server with a ransomware scare tactic screen claiming to be from the FBI.  The ransom was listed at $1,000.  Judging from a few forum posts on the topic, paying the ransom does not guarantee recovery of the lost data.  This criminal is laughing all the way to the bank with the victims' money and not actually delivering their locked data.

4) Uninstalled anti-virus products.

5) Deleted any backups that were connected to the server via USB or LAN. Also deleted any online backups through the service application (Carbonite in this case.)

6) Disabled the F8 start up key to prevent booting into safe mode.

7) Turned off Shadow Copies on all shares - and deleted the historical stored revisions of files.

8) Several other configuration settings were damaged to make the system more vulnerable to future attacks.

None of this was flagged by Anti-Virus protection because guess what?  It looked like a virus but was not . . . it appears to be a direct hack to the system by an outside person(s).

If you need remote desktop access, reduce your risk:
 - use a secure VPN connection to get to your LAN from the outside
 - make sure your security policy includes strong passwords
 - change the name of the default Administrator account
 - check group policy and set the system to lock out an account after 3 failed password attempts for a minimum of 15 minutes (longer is better if your user base can stand it)
 - confirm that the server patch MS12-020 was installed successfully earlier this year.
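Added example, not part of the original post: a read-only audit of one Windows server for the conditions listed above and for the Guest-account trick described in item 2. Run it from an elevated PowerShell prompt on the server; it uses only net.exe, WMI and Get-HotFix, so it works on Windows 7 / Server 2008 R2. The two KB numbers are the packages Microsoft shipped for MS12-020 and are taken from that bulletin, not from this post; confirm them there.

```powershell
# Added example (not from the post): read-only audit, nothing is changed.

function Get-NetAccountsValue {
    param([string[]]$Lines, [string]$Label)
    $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if ($line) { return ($line -split ':\s*', 2)[1].Trim() }
}

function Get-LocalGroupMembers {
    param([string]$Group)
    # 'net localgroup' prints a 6-line header, the members, then a status line.
    net localgroup "$Group" | Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notmatch '^The command' }
}

function Invoke-RdpExposureAudit {
    $findings = @()

    # 1. Is RDP switched on? (fDenyTSConnections = 0 means connections allowed)
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -eq 0) {
        $findings += 'RDP is enabled: make sure TCP 3389 is not forwarded from the Internet and is reachable only over the VPN.'
    }

    # 2. Guest account: must be disabled and must not sit in privileged groups.
    if ((net user Guest) -match '^Account active\s+Yes') {
        $findings += 'The Guest account is ENABLED.'
    }
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        if (Get-LocalGroupMembers $group | Where-Object { $_ -eq 'Guest' }) {
            $findings += "Guest is a member of '$group'."
        }
    }

    # 3. Has the built-in Administrator (RID 500) been renamed?
    $builtin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
               Where-Object { $_.SID -like '*-500' }
    if ($builtin -and $builtin.Name -eq 'Administrator') {
        $findings += 'The built-in Administrator account still uses its default name.'
    }

    # 4. Lockout policy: 3 attempts, at least 15 minutes.
    $acct      = net accounts
    $threshold = Get-NetAccountsValue $acct 'Lockout threshold'
    $duration  = Get-NetAccountsValue $acct 'Lockout duration'
    if ($threshold -eq 'Never') {
        $findings += 'Account lockout is not configured.'
    } else {
        if ([int]$threshold -gt 3) { $findings += "Lockout threshold is $threshold attempts; 3 recommended." }
        if ([int]$duration -lt 15) { $findings += "Lockout duration is $duration minutes; 15 or more recommended." }
    }

    # 5. MS12-020: KB2621440 on every supported Windows, KB2667402 additionally
    #    on Windows 7 / Server 2008 R2 (NT 6.1). Verify against the bulletin.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $needed = @('KB2621440')
    $os = [Environment]::OSVersion.Version
    if ($os.Major -eq 6 -and $os.Minor -eq 1) { $needed += 'KB2667402' }
    foreach ($kb in $needed) {
        if ($installed -notcontains $kb) { $findings += "MS12-020 update $kb is not installed." }
    }

    # 6. Logon scripts in local Group Policy: the attacker used one to re-enable
    #    Guest at every login. Anything in here deserves a look.
    $logon = Join-Path $env:windir 'System32\GroupPolicy\User\Scripts\Logon'
    if (Test-Path $logon) {
        Get-ChildItem $logon | Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $findings += "Local GPO logon script present: $($_.FullName)" }
    }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

Invoke-RdpExposureAudit
```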

More info here:

Monday, May 14, 2012

Update: Travelers alert concerning fake update alert popups

Recently the IC3 released an advisory containing sparse detail that travelers abroad are being infected via fake update alerts for unnamed products that were being delivered over compromised hotel connections.  I wrote a speculative article about this, and wanted to provide some clearer detail about what appears to be happening.

First:  It does not appear that the "real" update mechanisms for any of the likely products are compromised.  I still can't recommend you do *any* updates while traveling.  Do them before, or after.  Besides, who wants to download a large update over what is typically a slow connection at that overseas hotel?

Second: Through either captive portal DNS, or via Javascript injection delivered by the compromised guest connection, these popups are being delivered primarily through the browser - just like "normal" malware popups.  I speculate that there may also be a class of these threats that try to take advantage of unpatched systems -- just like the ones you see from compromised websites or from clicking the wrong spam email link.

In the former case, the sample I recently observed looked like a browser popup, mocked up to resemble (poorly) an actual update alert from Adobe. An unwary traveler might be fooled by this; it scares me to think how many . . .

In the latter case, the attack could exploit known vulnerabilities in either Java, Flash or the OS to deliver a small software stub that does a much better job of presenting the intended victim a realistic looking (but still fake) update alert.  This is much like the numerous examples of fake anti-virus infections that have plagued the Internet for the last few years.  Your best bet to prevent this is -- as always -- to stay on top of your system updates for the OS, Java, Flash, etc.

Third:  Some reminders of safe guest connection usage to prevent ID Theft, infection etc.

  1. Never, ever, click on a popup window while browsing the Internet.  Close it via Task Manager or by using ALT-F4.
  2. Never access secure websites like your bank while on a guest connection unless you are also using VPN or similar safeguards to prevent snooping.
  3. Don't leave your computer unattended while connected to a guest connection.  Let it go to sleep, or hibernate, or disconnect it for localized work, or shut it down when you are done with your session.
  4. Pay careful attention to the guest connection's usage instructions (if the hotel or facility provides such) . . .  in particular make sure you are connecting to their actual hotspot, not a fake one with a similar name in range.
  5. When you first connect to a guest connection, Vista and Windows 7 will ask you if this is a Home, Work or Public connection.  ALWAYS select Public - this tells your OS to use a higher security level on its built in firewall.  Other third party software firewall solutions generally also prompt you on the trust level you want to give a guest connection, always choose the most restrictive profile available.
  6. Assume that any guest connection, whether at a hotel, coffee shop, truck stop, conference center, airport, etc, is suspect.  Also don't assume that the IC3's advisory should only be taken for overseas travel.  Similar attack methods have occurred in the past in the US, Canada and elsewhere. They can take place on both wireless and wired connections.


Wednesday, May 9, 2012

Add system updates to your travel preparation list

Update: Travelers alert concerning fake update alert popups

It's come to this: a problem that I first thought of several years ago (that blog is dead or I would link it) has finally come to pass.

Updates for certain common plugins are being spoofed on guest connections at hotels, airports and probably other Wi-Fi hotspots. And you should not assume it's just Wi-Fi, it could also be an Ethernet cable connection in the hotel room, or at the guest services room at the conference center.

Travelers to (for now*) undisclosed foreign countries have become victims of malware being presented in a popup window that claims to be a well known and frequently updated plugin. I would guess Adobe Flash, but it could also be Adobe Reader or Oracle Java.

It's become serious enough that the IC3 and the FBI have posted a travelers advisory about the issue.

Malware Installed on Travelers' Laptops Through Software Updates on Hotel Internet Connections

Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms.

Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.

* I'm going to extrapolate into the future a bit: It's only a matter of time before this a) spreads to the US and b) expands to include Windows Updates and other popular updates.

What should you do to protect yourself?

Remembering that it's become vitally important to stay patched for all MS products, Adobe products and Java - and that you should be as current in your updates as possible, it may be better to delay patches if they come out during your travel.

Better yet, add system maintenance to your list of things to complete just before you depart for your trip! Do it from a trusted Internet connection: home or work.

And a short reminder of the top four items to check at least monthly:

1) Microsoft Updates: released every second Tuesday of each month.

2) Adobe PDF and Flash updates at no set release schedule, but check monthly. (I do this for manual patched systems on the same day I deploy MS patches.)

3) Java (now from Oracle) at

4) Firefox (if you are a fan).

And during the trip? From now on: IGNORE update reminders when connected to a guest Internet service.
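Added example, not part of this post or the May 14 update above it: when you do install an update you downloaded (at home or work, per the advice above), check that the installer carries a valid Authenticode signature from the publisher you expect before running it. A fake "update" pushed through a hotel portal is typically unsigned or signed by someone else. The publisher strings below are assumptions; compare them against a known-good installer obtained on a trusted connection.

```powershell
# Added example (not from the post). Get-AuthenticodeSignature is built into
# Windows PowerShell; it validates the file hash and the certificate chain.

# Assumed certificate subjects for the vendors named in the post; verify them
# against an installer you know to be genuine.
$KnownPublishers = @{
    'Adobe'     = 'CN=Adobe Systems Incorporated'
    'Oracle'    = 'CN=Oracle America, Inc.'
    'Microsoft' = 'CN=Microsoft Corporation'
}

function Test-UpdateInstaller {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Vendor   # a key of $KnownPublishers
    )
    $result = New-Object PSObject -Property @{ Path = $Path; Ok = $false; Reason = '' }
    if (-not (Test-Path $Path)) { $result.Reason = 'file not found'; return $result }
    if (-not $KnownPublishers.ContainsKey($Vendor)) {
        $result.Reason = "no expected publisher recorded for '$Vendor'"; return $result
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (file altered after signing) and UnknownError
        # all land here; none of them should be run.
        $result.Reason = "signature status is $($sig.Status)"
        return $result
    }

    # A valid signature from the wrong company is still the wrong installer.
    $subject  = $sig.SignerCertificate.Subject
    $expected = $KnownPublishers[$Vendor]
    if ($subject -notlike "*$expected*") {
        $result.Reason = "signed by '$subject', expected '$expected'"
        return $result
    }

    $result.Ok = $true
    $result.Reason = "valid signature from $expected"
    return $result
}

# Example call (path is a placeholder for the file you downloaded):
#   Test-UpdateInstaller -Path 'C:\Downloads\<installer>.exe' -Vendor Adobe
```

Revocation checking needs a working Internet path, so run this on the trusted connection where you downloaded the file, not behind a captive portal.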

Monday, January 30, 2012

Business Online Banking Safety: A strong recommendation from the FBI

I present two topics on this subject for your reading pleasure.

1) Why small and medium business owners should be concerned about online banking, and what action steps the FBI, US Secret Service, the Internet Crime Complaint Center and the FS-ISAC recommend you take to reduce your risk exposure.

2) The specific steps for one method to lock down a secure workstation along with how you should use and respond to alerts once that machine is configured for safe use.

Unsafe Online Business Banking

Some time ago a recommendation by the FBI and the Banking Association was circulated to small and medium business owners. It never received much attention from the press, but should have.

Banking fraud on business accounts has become rampant. Aside from insider crime, it's happening when the workstation you use to conduct banking via your browser is infected with malware that captures your account log-in credentials and transmits those credentials to an Internet server run by criminals. (It can also happen if you fall for email phishing attempts, but that's another story for another time.)

The really nasty part is if your computer -- the one that you used to access your bank -- was infected then the bank that serves your business accounts may not be willing (and depending on the judge, you might not succeed in compelling them) to cover your losses if criminals drain the account dry.

Go on now please, read this article. I'll wait . . .

Information Week: Who Bears Online Fraud Burden: Bank Or Business?

Back? Onward to the details then.

Here is the FBI press release:
Fraud Advisory for Businesses: Corporate Account Take Over
(Opens in new window, PDF format.)

Cyber criminals employ various technological and non-technological methods to manipulate or trick victims into divulging personal or account information. Such techniques may include performing an action such as opening an email attachment, accepting a fake friend request on a social networking site, or visiting a legitimate, yet compromised, website that installs malware on their computer(s).


Minimize the number of, and restrict the functions for, computer workstations and laptops that are used for online banking and payments. A workstation used for online banking should not be used for general web browsing, e-mailing, and social networking. Conduct online banking and payments activity from at least one dedicated computer that is not used for other online activity.

In short, they are telling us that the risk of malware on a business computer that is used for both online banking and normal web surfing has become too high to afford.

Their recommendation is that you set aside a special workstation that is ONLY used for online financial transactions, to known safe web banking addresses, and that it NEVER be used for email or web surfing anywhere but at your banks.

Do that, plus more:

I'm going to take that a step further and outline how you can further lock down any workstation to mitigate the risk of infection. This method works at home or work and - if your IT department does not already do it -- you should insist they consider the method.

Of note is that this works best with Windows 7, any flavor (Home, Pro, Ultimate).

1) On the designated workstation (or on all workstations if you want to increase safety for all users) create an Administrator account and grant it Administrator access in the Users Control Panel. I don't recommend you name the account Administrator. Call it some variation of AdminXYZ - make it unique to your company. This account MUST have a password, and if you feel safe in your office and trust your peers then it doesn't really have to be a super secure password, but of course . . . I do recommend you consider a strong password. If this is for a local domain, you should create a shared domain account and grant it local administrator permissions on all the member client workstations, but NOT on the server.

2) If you are setting up a new machine, install ALL your required software from that Administrator account. At a minimum, get decent Anti-Virus protection installed at this point.  You should also make sure the operating system is fully patched through current critical updates and service packs.  Finally, in Windows 7 at least, turn on Automatic Windows Updates and turn on the setting to "Allow All Users to install updates on this computer."

3) Log in as AdminXYZ and create your user accounts. Be certain to make the regular user account - the one you will use for work - a "Standard User." If your user accounts already exist, get into the Users Control Panel and DEMOTE all other users to "Standard User." Don't demote the AdminXYZ account . . . bad things may happen.

4) Open User Account Control Settings and make sure the slider is set to the highest level. I know you'll hate this, and you might have to back off a notch if you're running very old applications on Windows 7, but at least for your financial workstation this should be a requirement. For others, the second or third notch from the bottom may suffice.

5) That's it. When you use your workstation, always log into the machine with your normal user account. Only use the AdminXYZ account when you need to install something, or update an application.
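Added example, not from the original post: steps 1 to 4 above as a script for a stand-alone (non-domain) Windows 7 machine, run once from an elevated prompt. 'AdminXYZ' is the post's placeholder name. The registry values behind the UAC slider and the Windows Update checkbox are assumed to be the ones Microsoft documents for Windows 7; reboot afterwards so the UAC change takes effect.

```powershell
# Added example (not from the post). Changes the machine; read it before running.

function Initialize-LockedDownWorkstation {
    param([string]$AdminName = 'AdminXYZ')

    # Step 1: a dedicated local admin account. The '*' makes net.exe prompt for
    # the password, so it never appears on the command line or in history.
    $accounts = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | ForEach-Object { $_.Name }
    if ($accounts -notcontains $AdminName) {
        net user $AdminName * /add
    }
    net localgroup Administrators $AdminName /add 2>$null

    # Step 2: automatic updates, installable by standard users as well.
    $au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    Set-ItemProperty $au -Name AUOptions        -Value 4 -Type DWord   # 4 = install automatically
    Set-ItemProperty $au -Name ElevateNonAdmins -Value 1 -Type DWord   # "Allow all users to install updates"

    # Step 3: demote everyone else to Standard User. The built-in Administrator
    # cannot be removed from the group (it is disabled by default on Windows 7),
    # and domain entries (DOMAIN\...) are left alone.
    $members = net localgroup Administrators | Select-Object -Skip 6 |
               Where-Object { $_ -and $_ -notmatch '^The command' }
    foreach ($m in $members) {
        if ($m -eq $AdminName -or $m -eq 'Administrator' -or $m -like '*\*') { continue }
        net localgroup Administrators "$m" /delete
        net localgroup Users "$m" /add 2>$null      # keep them able to log on
    }

    # Step 4: UAC slider to the top: "Always notify", prompt on the secure desktop.
    # ConsentPromptBehaviorUser is left at its default so standard users still get
    # the "enter an admin account and password" prompt for updates.
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty $uac -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty $uac -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty $uac -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

function Get-WorkstationLockdownStatus {
    # Quick check after the reboot: who is still an admin, and is UAC at the top?
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $admins = net localgroup Administrators | Select-Object -Skip 6 |
              Where-Object { $_ -and $_ -notmatch '^The command' }
    New-Object PSObject -Property @{
        UacAlwaysNotify = ($uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 2 -and
                           $uac.PromptOnSecureDesktop -eq 1)
        LocalAdmins     = ($admins -join ', ')
    }
}

# Initialize-LockedDownWorkstation -AdminName 'AdminXYZ'; Restart-Computer
# Get-WorkstationLockdownStatus
```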

Now if you do this on Windows 7 - there's a very cool feature that makes doing an occasional application update relatively easy. When you get the notice that your update requires permission, you'll be presented with the option of entering in an Admin account and password. No need to log off or switch users, Windows 7 will open a shell under that admin account to run the update. Other applications (like your browser) that are open will still be protected by your limited access account.

Usage and preventing social hacks to your system:

Once you have this setup correctly - use your system as recommended for its role. If this is the workstation from which you will access your banking/credit accounts then I strongly recommend you restrict its use as described by the fraud advisory notice I linked above. If this is your normal workstation, then practice safe surfing and smart email habits. Otherwise use as normal for your work.

Once a month or so you might see a request for admin access pop for Windows Update. You might also see such an alert for other updates to your specific applications.

If you know you are updating something, it's generally okay to grant that permission.

But here's where the protection kicks in. In almost every case if you inadvertently land on a malicious website, or open that ill-advised email hosting a virus, you'll see this alert asking for admin level permissions pop up in your face.



Terminate that sucker!

Be mindful of what you're doing when that alert pops. You KNOW you were not installing something. If you see that alert while browsing the web, you can be certain it's something uninvited trying to install itself. But you've got your system set to TELL you before it happens. Click NO. Close your browser or email, and don't go there again.

There are some viruses that can still cause minor damage on a protected account, though. What about those?

If you suspect/know that your limited account has been compromised, and you did NOT allow the infection admin access (you did say no to that alert, didn't you?) then the virus is restricted to your profile. Here's what to do:

Restart the machine.

Log into the AdminXYZ account - NOT your user account.

Run a full anti-virus scan and let it clean things up.

Now try logging into your account; it should be in good condition again.  If not, then you might have to back up all the documents under the infected profile, erase the profile, and restore the data.  So far at least - in those rare cases where something does infect a profile on a prepared workstation -- this method has prevented me from having to completely reformat and reinstall the infected operating system on that workstation.

Thursday, January 26, 2012

Colorado Secretary of State launches password protection for business filings and reports

In April last year I wrote about a serious deficiency in the system used by the Colorado Secretary of State for businesses that use their online service to register with the state and to file annual reports.

I have good news, and bad news.

The good news is that as of today you have the option of securing your business registration with the State of Colorado with your email address and a password.

On May 27, 2011, Bill HB-1095 was signed, allowing the Secretary of State's office to implement a password protected business filing system.

On January 26, 2012, the Colorado Secretary of State announced that the "Secure Filing" system is up and running.

Here is the state's description of the password system:
Colorado: Secure Business Filing

And instructions for setting it up plus a short FAQ:
Colorado: Create a Secure Business Filing Account

Colorado: Secure Business Filing FAQ

All good and - while overdue - appreciated.

Now the bad news.

I'm sure arguments raged over the conference tables on this topic, but the fact is they've gone and rolled this out the wrong way.

First, it's optional. You can ignore this feature and bet that you're not enough of a target to be worried. That might be a very expensive mistake.

I never saw any notification of this new feature, beyond their website. Which I - like most of you - only check when it's time to file my annual report.

So here's the problem as I see it. Someone is going to go after their target by filing an amendment (same problem of Corporate ID Theft as before) to change your business address of record. Then they'll have the state send the PIN notification that starts the conversion of your "open" account to a secure account system -- to that address they just used to update your record. Now the crooks OWN your account with the state, and I would imagine it might be painful, time consuming and perhaps expensive to wrest control back to you should this happen.

What they should have done is make this mandatory, by mailing out snail mail with temporary accounts/passwords to current record holders.

Since they did not, it's up to you to act fast and get your registration with the state locked down before the ID thieves do it for you.

Wednesday, January 25, 2012

Disable PCAnywhere from Symantec / Norton

If you have Symantec pcAnywhere installed on any of your workstations or clients, Symantec would like you to disable (or at least patch) it immediately to protect your system from attack.

They are supposed to be contacting all known registered customers about the issue, but I know that many people might not have updated their contact info with Symantec in the last few years -- and may not get the notice.

What happened?

Short answer, the source code for part of this product was stolen by hackers and may be used to reverse engineer an active exploit into any systems running pcAnywhere.

From: Symantec tells customers to disable PCAnywhere
PCAnywhere 12.0, 12.1, and 12.5 customers are at increased risk, as well as customers with prior, unsupported versions of the product, according to Symantec.

More info:
Symantec: Anonymous stole source code, users should disable pcAnywhere

Symantec Web Site: Claims by Anonymous about Symantec Source Code

Our investigation continues to indicate that the theft is limited to only the code for the 2006 versions of Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.
Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product.

The Symantec Endpoint Protection 11 product – which was initially released in the fall of 2007 – was based upon a separate code branch that we do not believe was exposed. This code branch contains multiple new protection technologies including Heuristic Protection, Intrusion Prevention Security, Firewall, Application Control, Device Control, Tamper Protection, redesigned core engines, as well as our Symantec Endpoint Protection Manager (SEPM). Customers on Symantec Endpoint Protection 11.x are at no increased security risk as a result of the aforementioned code theft.


Our current analysis shows that all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers using prior versions of the product. pcAnywhere is also bundled with numerous Symantec products.

Disable pcAnywhere

Safest and Easiest Method: Uninstall the product; be sure to save your product keys for later re-installation once the program has been patched.

If you have to have it regardless: Be certain you are on version 12.5 and use LiveUpdate to get the most recent patches as of today.

Expert Level: Disable the service from starting automatically with your system and turn it off for now until patched.
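Added example, not Symantec's: the "Expert Level" option above as PowerShell, plus a check of which version is installed for the "must be on 12.5 and patched" option, from an elevated prompt. Services and installed-program entries are matched on the word "pcAnywhere" in their display names, which is an assumption; run Get-PcAnywhereServiceState first and eyeball the result.

```powershell
# Added example (not from Symantec or the post). Works on Windows XP and later
# with the built-in Get-Service / Set-Service cmdlets and WMI.

function Get-PcAnywhereVersion {
    # Installed-program entries as shown in Programs and Features (both
    # registry views, so 32-bit pcAnywhere on 64-bit Windows is found too).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*pcAnywhere*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Get-PcAnywhereServiceState {
    # Win32_Service exposes the start-up type (StartMode), which Get-Service does not.
    Get-WmiObject Win32_Service |
        Where-Object { $_.DisplayName -like '*pcAnywhere*' } |
        Select-Object Name, DisplayName, State, StartMode
}

function Disable-PcAnywhere {
    $services = @(Get-Service | Where-Object { $_.DisplayName -like '*pcAnywhere*' })
    if ($services.Count -eq 0) { Write-Host 'No pcAnywhere service on this machine.'; return }
    foreach ($svc in $services) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Host "$($svc.DisplayName) [$($svc.Name)]: stopped, start-up type set to Disabled"
    }
    # Show the end state so the change can be confirmed at a glance.
    Get-PcAnywhereServiceState
}

Get-PcAnywhereVersion
# Disable-PcAnywhere
```

Re-enable later with `Set-Service -Name <service> -StartupType Automatic` once the patched build is installed.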

Detailed and specific information is available for administrators on Symantec's blog.
Important Information on pcAnywhere


More patches for V12.x are forthcoming from Symantec. My personal advice is to not use pcAnywhere until those patches are delivered. I'll keep this post updated as they roll out.

Future customers considering pcAnywhere: there are competitive alternatives if you need this functionality now, or wait for version 13.