You are currently browsing the archives for the Worm category.
10. July 2008 by admin.
I feel kinda lucky I am able to write this blog entry… or at least to upload it to this site… This morning I woke up, fired up the old laptop, clicked on IE7 … and …. nothing. Everything just kept timing out.
Huh… what to do…what to do… I tried different browsers…Firefox, Opera, Safari, Polstergeist… same ole … same ole…
The first troubleshooting step I tried was ipconfig… Yep… I did indeed have a valid IP address all right, and in the right range too…huh… Let’s try… ipconfig /release; ipconfig /flushdns; ipconfig /renew… I got the same IP address I originally had and the same problem too… No web browsing happening here.
Then I tried pinging one of the web sites for my Delaware network support company; good old www.adminassociates.com …. Huh… weirder and weirder… no lost packets… ping works, so apparently the DNS server is servin’ too but still, browsers don’t work.
Then I tried disabling my Zonealarm Pro Firewall (but turned on the Windows firewall, just in case). Wow… the browser now works fine… so what’s up with Zonealarm? I looked at everything and nothing seemed out of spec. I felt it was odd since this particular firewall has never been a problem for me… very reliable; very easy to configure… very trustworthy. I re-enabled Zonealarm, disabled the Windows firewall, moved the “Internet Zone” slider down from high to medium and the browser started working again. Move the slider back up and the browser stopped working again.
Like I said… weirder and weirder… so it’s definitely a Zonealarm problem, but why… What could have happened? Aha… yes… two days ago was patch Tuesday. I’ll have to Google this, but first I need to find out what else is happening in my world.
I went back to my working combo of Windows Firewall on and Zonealarm off and started my email client. About the third message I received was from Microsoft talking about a major bulletin revision … not a patch revision mind you, just the bulletin:
Bulletin Information:
=====================
* MS08-037 - Important
- http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
- Reason for Revision: V2.0 (July 10, 2008): Bulletin revised to
inform users of ZoneAlarm and Check Point Endpoint Security
of an Internet connectivity issue detailed in the section
So, in the final analysis, downloading a newer version of Zonealarm (that apparently wasn’t available before today) solved my problem, but can you imagine if this happened at a corporate office with a couple hundred workstations?
I know not too many offices use Zonealarm, but what if they did? What a pain to update 200 workstations, in emergency mode (read pressure), and probably with the expectation that it would (could) be completed in one morning.
This is just another example of why all patches should be thoroughly tested on a lab unit before being put into a production environment.
Now, I became a victim by not following my own advice, but that was on my personal laptop. I create an image of the drive at least every couple of days and sync important files to my basement server so I am never in danger of losing too much, but it’s a real balancing act when you are responsible for more than your own machine.
On one hand, you want to wait for version 2 of all the patches… let someone else report the pain…and at the same time you know “Day Zero” is a real threat and today might just be that day.
I always make sure I get a really good full backup, especially on Monday nights… just in case.
Good luck and good networking!
From way down in the trenches…. I’m Tom
Posted in Patch Tuesday, patch testing, drive imaging, Patches, Worm, Malware, Trojan, Virus, Networking | No Comments »
27. June 2008 by admin.
I just read an article about another 51,000 credit card numbers going into the wind… See the article here…
These stories scare the bejeebies out of me… I guess it’s a “there, but for the grace of God, go I” kind of thing. How would I know if someone has my credit card information? Apparently the company that bought the rights to the Montgomery Ward name didn’t feel it was important enough to let their unlucky customers know.
I wonder if someone has any of my financial information. I am pretty sure there is no key-logger installed on any of my own computers…make that 99.999% sure, but not 100% sure.
Since I constantly work with other people’s data, I am especially sensitive to the possibilities and careful to stay as infection-free as humanly possible. But since I am human, I can’t be 100% certain… No one can. Firewalls, anti-virus, anti-spyware, and Trojan remover software…all of these things stand guard between me and thee, but is it enough? Who knows?
As we move out from my semi-controlled environment and into the technological wilderness of my client’s accounts, I become more and more concerned.
At my Wilmington Delaware network support company, we always spend extra time stressing to our clients just how important safe surfing and safe email practices can be. We spin a lot of “what if” tales to illustrate just what can happen if you let your guard down for even a minute.
We’ll take a computer with a new, unpatched installation of XP and set it in the client’s DMZ, then check it a couple of hours later. Almost every time you’ll find that the available free drive space has shrunk by 2 to 3 gigs. This is a great argument for when a client thinks they are too small to be of interest to a hacker. There just “ain’t no such animal” as an installation that is of no interest to a hacker.
We monitor our clients’ anti-malware installations and make sure the signature files get updated daily. We check the status of the firmware of the hardware firewalls daily. We make sure that all available patches are up-to-date (after checking them for unexpected results). We run Snort intrusion detection on our larger clients. We train. We explain. We do pen testing. And still, I worry if some client is giving away the keys to the kingdom… right now.. this very minute.
Posted in Virus, Worm, Trojan, Malware, Networking, Troubleshooting, Computers | No Comments »
7. June 2008 by admin.
For quite some time now, hackers have been infecting web sites with malicious code by using SQL injection and iframe injection attacks. This operation is usually performed at, or right before, the times when traffic is historically at a high for the day, thereby infecting the greatest number of visitors.
Unfortunately, you do not have to do anything particularly dumb to become infected. If you navigate to one of these infected sites you will get an infection from embedded malware scripts. This is commonly referred to as a “drive-by” infection.
I say you don’t have to do anything dumb because the sites I am discussing here aren’t porn sites, or “warez and serialz” sites… going to those sites would definitely qualify as dumb. No, they are often some of the most popular and well known sites on the net… even news, weather, and public information sites.
I provide Delaware Network Support all over the state and the surrounding areas. When you have this kind of business, you run into all kinds of infections. Sometimes the users know they are infected, but most times I only find the infection when looking for reasons for poor performance or odd happenings.
This is where a really good anti-malware program comes in. AVG 8, for instance, installs a component called “LinkScanner” that blocks infected websites and checks links on search engines for these threats.
I suggest you check it out, and sooner rather than later. Who knows… your favorite site may be next to fall to the black hats.
Good Luck and Good Networking.
From way down in the trenches… Tom
Posted in Worm, Software, Virus, Trojan, Networking, Malware, Computers | No Comments »
23. May 2008 by admin.
I was recently reading about yet another security breach that has been discovered. This time, a supermarket chain in the Northeast says that in excess of 4 million credit card numbers have been exposed… Here’s the story.
However, stories like this are no longer a big surprise… through newspaper headlines and the six o’clock news, we have been made aware of such breaches happening to the likes of TJ Maxx, Google, and the United States Navy. I am just amazed that it doesn’t happen more often… or does it?
Malware today is focused on financial gain. Long gone are the days when virus writers simply tried to outdo each other for big glitzy headlines. Today, stealth and guile are the more important attributes of a successful attack. By not making its presence known, the malware just sits there, day in and day out, communicating with the bot master, sending him, or her, our credit card numbers, bank account information, passwords, Social Security numbers and everything else we hold dear.
I wouldn’t be at all surprised to find that 90% of the Fortune 500 systems are infected by bot-net Trojans and worms.
If I were the author, I would go about it a little differently. I would write a multi-tiered Trojan with dozens of versions that are significantly different; much like a polymorphic virus.
My hypothetical Trojan would just sit there until a specific date and time, synchronized through NTP, then activate all copies at once. This concerted effort would be intended to initially overwhelm the system. As the victims became aware of the Trojan, and a method became available to remove it, the next tier would discover that fact and start its own activation timer. That way, by not activating immediately, it wouldn’t be as likely to be discovered in the recheck that inevitably follows a disinfection process. People forget quickly, it seems. When a certain time had elapsed the process would start all over again until all tiers had fired and delivered their payloads.
How do these units get infected in the first place? Who knows? While the most expected method is email delivery and removable media, there are so many other avenues of attack it is almost impossible to defend against them all. Not every infection comes from visiting porn sites or pirating software and serial numbers. There are now traditionally legitimate websites that have been hacked and infected. Just browsing to one of these sites can result in a “drive-by” infection.
The way most infections are discovered is by traditional signature-based anti-malware programs, due mostly to their prevalence in the marketplace. Unfortunately, by the time the malware is discovered, the signatures written and the updated signatures distributed and installed, much of the damage has already been done. This is commonly referred to as a “Zero Day Attack” and accounts for more and more malware damage. That’s why I usually suggest anti-malware programs that work on the so-called “whitelist” principle of allowing known clean programs to run and denying those that cannot be validated, whether infected or not. It may be a little more inconvenient, but then again so is identity theft or having your bank account drained.
Go here to download an ebook on malware.
Next time… What IS the best defense?
Good Luck and Good Computing.
From way down in the trenches… Tom
Posted in Virus, Worm, Trojan, Malware, Troubleshooting, Computers | No Comments »