Office 365 accounts being actively attacked
Posted by Rubin Bennett on 22 May 2017 05:03 PM

Password security bulletin

We’ve seen a recent uptick in compromised accounts across our customer base. Last week alone we saw 2 separate Office 365 accounts get ‘hacked’ and fraudulent emails sent out impersonating the account owners.

The account owners were vigilant and almost immediately recognized that something was wrong, notified us, and we helped them regain control of their accounts. However, before we regained control, thousands of emails had already been sent to everyone in their contact lists with a malicious Word document attached.

What was the “Hack”?

We had 2 separate customers report fraudulent access to their Office 365 email accounts, likely via Outlook Web Access. Both customers had reasonable, but not very long, passwords. We suspect that the same email/password combinations were used on other sites, and may have been included in one of the many password leaks of the past year or so.

What did you do?

We reset their passwords, enabled login auditing on their accounts and across the entire domain, and enabled 2 factor authentication (when a new device logs in to the account, a text message with a numeric code is sent to the user’s cellular phone, and the user types that code in after entering their username and password).

How can I protect myself/ my organization from this attack?

You can proactively do the same steps we did to mitigate the attack:

  1. NEVER use the same password in multiple places.
  2. Use Strong Passwords. We recommend a *minimum* of 15 characters.  We really like passphrases with some extra seasoning: “$My st1nky d0g h4s fl34s!” (Easy to remember, very, very hard to crack)
  3. Enable 2 factor logins – this is possible on both G-Suite (Google Apps) and Office 365.
  4. Enable login auditing (logging) in O365. We’re mildly horrified that this is not turned on by default in O365 (it is the default in G-Suite), but it’s trivial to enable, and once it’s on you can see where and when accounts log in, the IP addresses they’re accessed from, etc.
Obviously if you use different passwords for every site/ system you access, you'll never be able to remember them all.  We strongly recommend using a password manager like the Free and Open Source Keepass, LastPass, or similar to keep them all straight.  LastPass also has a mobile app so you always have access to your passwords even if you aren't in front of your computer.
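Turning on login auditing (step 4) only helps if someone actually looks at the log. The following is an added example, not code from this post or from rbTech: a small Python triage over constructed sign-in records shaped like Office 365 unified audit log entries (the field names CreationTime, Operation, UserId, ClientIP and ResultStatus are assumed, and the IPs and users are made up). It flags the two things we look for first after a report like the ones above: a successful login from an IP the user has never used, and a failed login followed quickly by a success from the same place.

```python
import json
from datetime import datetime

# Constructed sample sign-in records (not from a real tenant), shaped like
# Office 365 unified audit log entries; only the fields used below are kept.
SAMPLE_LOG = """
{"CreationTime": "2017-05-15T08:01:12", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2017-05-15T08:40:03", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2017-05-16T02:13:45", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Failed"}
{"CreationTime": "2017-05-16T02:14:02", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Succeeded"}
{"CreationTime": "2017-05-16T02:20:00", "Operation": "MailboxLogin", "UserId": "alice@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Succeeded"}
{"CreationTime": "2017-05-15T09:00:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "203.0.113.11", "ResultStatus": "Succeeded"}
"""

# Assumed baseline: the client IPs each user normally signs in from, as you
# would build it from a few weeks of audit history before the incident.
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.11"}}

def parse_records(text):
    """One JSON object per line; keep only login events, oldest first."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    recs = [r for r in recs if r.get("Operation") in ("UserLoggedIn", "MailboxLogin")]
    return sorted(recs, key=lambda r: r["CreationTime"])  # ISO timestamps sort as text

def new_ip_logins(records, known_ips):
    """First successful login per user from an IP not in that user's baseline."""
    seen, hits = set(), []
    for r in records:
        key = (r["UserId"], r["ClientIP"])
        if r["ResultStatus"] != "Succeeded" or key in seen:
            continue
        seen.add(key)
        if r["ClientIP"] not in known_ips.get(r["UserId"], set()):
            hits.append((r["UserId"], r["ClientIP"], r["CreationTime"]))
    return hits

def failed_then_success(records, window_seconds=300):
    """A failed login followed within the window by a success from the same
    user and IP: the pattern a guessed, reused or leaked password produces."""
    last_fail, hits = {}, []
    for r in records:
        key = (r["UserId"], r["ClientIP"])
        t = datetime.fromisoformat(r["CreationTime"])
        if r["ResultStatus"] == "Failed":
            last_fail[key] = t
        elif key in last_fail and (t - last_fail.pop(key)).total_seconds() <= window_seconds:
            hits.append((r["UserId"], r["ClientIP"], r["CreationTime"]))
    return hits
```

On the sample data both checks point at the same 2 AM login from an unfamiliar address, which is exactly the kind of event a user would not notice until the fraudulent mail started going out.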

Next steps?

Calling your favorite I.T. Company is always a good step if any of the above sounds like Greek to you.  We’re specialists in geek (erm, we mean Greek…).

WannaCrypt malware update
Posted by Rubin Bennett on 15 May 2017 10:18 AM

As many of you are aware, last week saw the outbreak of the most serious malware worm in recent history.  The virus spread across the globe, mostly targeting networks in Europe and also causing damage to networks here in the US.

What is WannaCrypt?

It’s a virus/worm that exploits a vulnerability in the Microsoft Windows Server Message Block (SMB) service that allows remote code execution. It installs malicious code that encrypts your data, then probes your network for additional vulnerable systems, crawling the network until it runs out of exploitable systems. The vulnerability exists in all versions of Windows from XP through Server 2012 R2, but there is a patch available for all versions of Windows back to Windows 7 and Server 2008.

The Microsoft patch for the vulnerability was released on March 14th, 2017.  If you’re a Perception Managed Services customer with our Professional service level on your devices, you received the patch as soon as it was released by Microsoft on your workstations, and shortly thereafter for Servers (server updates go through a review and approval process before they’re released to Client systems).

What’s the current status of the worm?

This weekend, a researcher in Europe found code in the virus that connects to a specific URL to check whether it should stop running. The domain in that URL was not registered, so the researcher registered it, which effectively disarmed the spread of the virus by triggering a built-in ‘kill switch’ in the code.

It is highly likely that new variants will be released in the wild without the kill switch component. However, they’ll most likely exploit the same vulnerability.

What can I do to protect myself and my systems?

This is a common refrain that every one of our customers has heard from us over and over again: keep your systems up to date, run current, managed antivirus software, install a proper firewall on your network edge, and enable the built-in firewall on your workstations and servers.

This threat is a non-issue for properly patched and protected systems, but is a major disaster for improperly managed networks, or networks running obsolete or unsupported software (Windows XP or Windows 2003 server).

At its simplest, the way to protect yourself is to follow best practices around network management and security. Use current, supported operating systems (no Windows 2003 or XP). Use a managed update service that not only releases updates to your machines but verifies that they’re installed and lets us know if they’re missing. Use a managed antivirus service where updates and upgrades are pushed to workstations and issues are reported to your managed services provider. And when in doubt, call a professional to ensure that you’re covered.

Further reading:

Microsoft Security Bulletin MS17-010:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft bulletin re: WannaCrypt:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Further reading:
https://www.theregister.co.uk/2017/05/14/microsoft_to_spooks_wannacrypt_was_inevitable_quit_hoarding/
http://www.zdnet.com/article/windows-ransomware-wannacrypt-shows-why-nsa-shouldnt-stockpile-exploits-says-microsoft/
https://www.forbes.com/sites/leemathews/2017/05/13/microsoft-update-wannacrypt-ransomware/

Things about Passwords you never knew. Number 3 will SHOCK you!
Posted by Rubin Bennett on 06 April 2017 11:32 AM
Passwords:  You hate them.  We hate them.  We make you choose strong ones, and then we make you change them.  You get frustrated.  We get frustrated.  We all agree that passwords, and managing them, suck.

There's an XKCD that we often quote:
https://xkcd.com/936/

It talks about the importance of entropy in passwords, and how what we think of as 'best practice' for passwords, isn't.

In the past year or so, we've done some experimenting around passwords, and as a result of our experimentation, we've adapted the approach in the XKCD comic slightly.

We love passphrases, but the problem with dictionary-word-only passphrases is that rainbow tables and other modern password cracking tools keep getting better. It’s a constant cat-and-mouse game.

Here’s our current best practice for passwords that are strong and easy to remember. Use a phrase you’ll remember, and do some simple letter substitutions. Sprinkle in some special characters (see the footnote about those!). Length trumps complexity; by extension, complexity is just a tool to stop crackers from compiling lists of common phrases like "The quick brown fox jumps over the lazy dog". Here’s an example:
"this is my super secret email account"
According to Keepass, that has 96 bits of entropy. Pretty good! But let’s make it more secure.
"This is my super secret email account."
OK, we’re up to 105 bits now, and we didn’t make it appreciably harder to remember at all.
Now, if you use *consistent* substitutions, it becomes slightly harder to remember, but significantly more secure.
"!Th1s 1s my sup3r s3cr3t 3mail 4cc0unt."

We’re now up to 138 bits of entropy according to Keepass. By the XKCD formula, trying every possibility at one guess per second would take 2^138 / 31,536,000 seconds in a year = 1.104924986450535852950582185471e+34 years, which equates to, roughly, a very long time. Effectively uncrackable, by today’s standards.

Here's what makes the above so hard for crackers: Computers are very good at matching strings.  But entropy is a function of exponents, meaning that the number of possibilities goes up exponentially (squares, to be precise) with each additional character.  There are tools that crackers can use to cut that by a bit, but the simple fact is that unless you use a very common phrase, a long password is exponentially harder to guess than a shorter one.  Add in some special characters to cut down on substitution success, and you're golden.

That is, unless your password is stored in clear text or with reversible encryption somewhere (LinkedIn, I’m looking at you), which brings us to our last words of advice for password management and security:

1. NEVER use the same password in multiple places.
2. Use a password manager. Keepass is free, Open Source, and cross platform.  It rocks.
3. Change your password, at least occasionally, particularly on websites where you don't have any way to know how they're being stored.
4. Did we say NEVER use the same password in multiple places?

A footnote about the entropy measures in Keepass: they’re imperfect, much like anything that humans are responsible for. By Keepass’ measure, "correct horse battery staple" has 99 bits of entropy, where Randall (the author and artist behind XKCD) only gave it 44 bits. I have no opinion on which is right or wrong; in my opinion they’re really only useful as comparative scores. So don’t compare Randall’s 44 bits to Keepass’ 99 bits; they describe the same password. But it is useful to compare 99 bits to 138, since there’s a significant increase in entropy there. And if you’re really nerdy, we can argue about the effectiveness of case changes and other nuances of randomness somewhere else :)
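The 44-versus-99 gap in the footnote, and the 96/105/138 progression above, come from different models of what the attacker knows. The following added Python (not from this post, and not Keepass’ estimator, whose numbers it will not reproduce) implements two simple models side by side: a per-character model that assumes every character is drawn from the classes present, and the XKCD word-list model that assumes the attacker knows the phrase is N common words from a list of 2048 (the comic’s 11 bits per word). It also carries the post’s exhaust-time formula through at a stated guess rate; the 1000 guesses per second default is the comic’s assumption, and the list size is an assumption too.

```python
import math
import string

def charset_bits(password):
    """Per-character estimate: assume each character is drawn uniformly from the
    union of the character classes actually present, so bits = length * log2(pool).
    This over-credits passphrases made of common words."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # the 32 ASCII symbols
    if " " in password:
        pool += 1
    return len(password) * math.log2(pool)

def wordlist_bits(passphrase, dictionary_size=2048):
    """XKCD-style estimate: the attacker knows it is N words from a list of
    dictionary_size common words, so bits = N * log2(dictionary_size).
    Note it gives no credit at all for letter substitutions."""
    return len(passphrase.split()) * math.log2(dictionary_size)

def years_to_exhaust(bits, guesses_per_second=1000):
    """Time to try every one of the 2**bits possibilities at the given rate,
    in years of 31,536,000 seconds; the post applies this to 138 bits at 1 guess/s."""
    return 2 ** bits / guesses_per_second / 31_536_000

def compare(passphrase):
    """Both estimates for one passphrase; read them comparatively, not as absolutes."""
    return {"charset_bits": round(charset_bits(passphrase), 1),
            "wordlist_bits": round(wordlist_bits(passphrase), 1)}
```

Under the word-list model "correct horse battery staple" is the comic’s 44 bits and takes about 558 years at 1000 guesses per second, while the per-character model rates the same phrase well above 100 bits: the same password, two very different scores, which is the footnote’s point.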

A word about special characters: we’ve decided that referring to the @ sign as the ‘commercial at’ is boooooring. And no one can agree whether the # is a pound, number sign, or hash. So we came up with a new nomenclature for them: @ is a capital 2, # is a capital 3, etc. We may or may not have actually invented this convention, but since we’ve never heard anyone else use it, we’re going to take credit for it anyway!

Nifty 19th annual Open House and Customer Appreciation day!
Posted by Rubin Bennett on 06 September 2016 03:57 PM

(Image: Open House flyer)

It's that time of year again, we hope we'll see you here at the nerd-plex!

September 14th, 2016 from 1:00PM - 4:00PM!

Happy Sysadmin day (July 29th)!
Posted by Rubin Bennett on 29 July 2016 10:29 AM

(Image: obligatory IT Crowd reference)

This day 17 years ago was deemed to be the first annual System Administrator Appreciation Day!

We have an amazing team of engineers here who do their absolute best every day to ensure that your systems and networks are running smoothly and just get the heck out of the way so you all can do what you do.  I know that I'm unbelievably appreciative of our team and the work they do.

One of the paradoxes of I.T. work is that when everything is running smoothly, our customers wonder what we do all day.  And perversely, when things go wrong our customers wonder... what we do all day.

So today we'll peel back the veil of secrecy around I.T. and admit that several years ago we actually programmed robots to do our work, and most days we sit around the office eating pizza and drinking beer, with the occasional coffee or Frisbee break in the hangar (can't be outside too much or people will catch on!).

If only...

The reality is that our jobs are interesting, demanding, and occasionally deeply frustrating.  We manage ever more complex systems and networks, and our users have more and more complex requirements from a technological perspective.  We spend enormous effort on staying current on our skills, anticipating what's coming, and ensuring that we're consistently delivering the absolute best quality support and customer service that we possibly can.  And while we're human and by definition imperfect, we do a pretty darn good job overall.

So, as a team of nerds and sysadmins, we demand cake.  And Ice Cream.  And gifts, and words of gratitude. But mostly gifts.


Further reading if you’re so inclined (no links to Amazon wishlists, we promise!):
http://sysadminday.com
http://www.theregister.co.uk/2016/07/29/happy_sysadmin_day/
https://en.wikipedia.org/wiki/System_Administrator_Appreciation_Day

Lastly, the photo above is a screenshot from the BBC sitcom 'The IT Crowd', which is required watching if you have any contact with nerds:
https://en.wikipedia.org/wiki/The_IT_Crowd

Trouble with Microsoft update KB3161608 for Windows 7 and Server 2008
Posted by Rubin Bennett on 27 June 2016 09:57 AM

Hi folks

We’ve had a handful of reports of issues with a recent patch (released last week). It’s a Windows 7 and Windows Server 2008 "optional" rollup that includes, among other things, a fix for the Poodle vulnerability. It’s causing issues with Outlook when used with certain mail server software, and has also caused issues with credit card processing software. Removing a patch for a known vulnerability is usually a Bad Idea and we tend to be very reluctant to do it. However, there have been a handful of sites where the business impact of the update created a critical stoppage, and removing the update was warranted as a temporary fix while we work with outside vendors to update their TLS and SSL handling routines.

If you're experiencing issues like the ones described above, please contact the team.  If you're under our Perception managed services program, we can automatically remove and decline that patch from all of your systems in a matter of minutes, and functionality will be restored.

If you have any questions, please get in touch!
Rubin & the rbTech team


Sources:

Technet KB article describing the update: https://support.microsoft.com/en-us/kb/3161608

Microsoft support forums thread about the issues: http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/problems-with-kb-3161608-and-kb-3161639/2cd5ffb3-c203-4080-872f-73de1a96e080

Issues with vSphere inventory service: http://www.techezone.com/question/kb3161608-kb3161639-breaks-vsphere-client-inventory-search-2/


Further reading:

Poodle vulnerability CERT posting: https://www.us-cert.gov/ncas/alerts/TA14-290A

Google results about Poodle: https://www.google.com/?q=poodle%20vulnerability
