
Today I am looking for ways to use technology to improve my life!  Actually now that I think of it I do that most every day!  I find that if I provide myself the right working environment, so that I enjoy working on something, then the whole process is improved, AND I have more fun doing it! 


It might sound like I am trying to justify going out and buying an iPad, but actually I am happy to simply download a free app and save my money!  Besides, I have a lovely tablet that I have been using for five years. In fact it has been the only thing that made my MAC friends envious! 

Several years ago, after several family events where the topic always seemed to switch to “look how cool my new MAC is”, I pulled out my Motion Tablet and started writing on the screen, and as they looked on my handwriting turned to text, and the same thing happened when I started speaking to it.  They were like “Dang, you can do that with WinDOZE?” and I was like “Nah, this is x64-Vista baby!”. 

So today I went searching for Blog Authoring Tools and here is my first test.  I am writing this blog entry today using Windows Live Writer, and so far, I am reasonably impressed and the fun level is pretty good. 

My next endeavor, if I have time before my XENServer 5.0 to 5.5 Upgrade this evening, is to try a Blog Authoring tool on one of my Linux Desktops.    (Testing one two three……..) 

Every now and then an internal email thread pops up here at the Moose that’s a variant on, “Hey, check this out…” Recently there have been a couple of these threads that were related to Windows 7 tips and tricks. You may know about some of these already, or you may have read about them somewhere else, but I thought it might be useful to gather them into a single post.

So here’s my list of interesting tweaks, stuff that might be helpful to a handful of you, or just stuff that I think is cool. (Cool does not always mean useful – but who doesn’t like cool stuff?)

  1. Most of you have probably seen “Peek” (at least if you have a system that’s “Aero” display capable), but it’s still cool – and if you haven’t seen it, maybe this will be what it takes to get you to splurge on that new video card! If you hover above an application icon on the taskbar, a thumbnail of the app will pop up. If you hover over that thumbnail, you’ll get a “peek” at the full-sized app. And hovering over the “show desktop” icon in the lower right corner (oh, you didn’t know that the unlabeled button at the bottom right would show your desktop?) will temporarily display your desktop.
  2. And have you heard of “shake?” If you have 20 windows cluttering up your screen but only want to focus on one, just click the window’s title bar and hold the mouse button down.  Now, shake the mouse from side to side.  All other windows will disappear, leaving just the one that you selected.  (Yes, you could also click “show desktop” and then select the one window you want to focus on, but that’s not as much fun.)
  3. To open a new instance of a program from your task bar (say you want an entirely separate IE window) you can right click the icon on your task bar and select the app from there, or just hold down shift and left-click the icon.
  4. Toggle between application instances: Ctrl + Click a taskbar icon. Let’s say you have five open Word documents. If you hold down the Ctrl key, you can cycle through them by repeatedly left-clicking on the taskbar icon.
  5. Multitask with multiple monitors: Various combinations of Ctrl, Windows logo key, Shift, and Arrow keys. Do you use more than one monitor at a time? Now you can shift an open window to your other monitor in less than a second by pressing Shift + Windows logo key + left or right arrow. Here are some other combinations that might be handy:
    • Ctrl + Windows logo key + arrow will move the window to whatever half of the screen you want. (Up arrow sends the window to the top half, right to the right half, etc.)
    • Windows logo key  + Up Arrow maximizes the window, Down Arrow “un-maximizes” it again.
  6. Windows 7 “God Mode” (use with caution): Right-click on the desktop, and choose “New Folder.” Then re-name that folder:
    “GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}” The icon will change. When you double-click it, you’ll get a window with direct links to just about every configuration option imaginable. Yes, they’re all available elsewhere, but it’s kinda cool to have them all in one place.
  7. Finally, if you’re missing the old Windows “Quick Launch” area (which Sid prefers over pinning icons to the task bar, because it takes up less space):
    1. Make sure you’ve got Explorer configured to show hidden files and folders
    2. Right-click an empty space on the taskbar, and select Toolbars -> New Toolbar
    3. Browse to C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer  (Why would this setting be under Internet Explorer?  It’s just one of life’s great mysteries.)
    4. Highlight the Quick Launch folder and click the Select Folder button.
    5. To get rid of the title and text associated with your Quick Launch icons, unlock the task bar, right-click your new Quick Launch toolbar, and uncheck Show Text and Show Title.  You can also choose View -> Large Icons if you prefer.

    Note that Win7 will put the Quick Launch toolbar on the right end of the taskbar (next to the System Tray) rather than on the left.

Recently, my Word 2007 program started experiencing some weird behavior.  When I had a document open and would go to close Word, I’d be greeted by this:

[Screenshot: Microsoft Office Error dialog]

Also, since I’m running Windows 7, when I tried to Right-click the Word icon that I pinned to my taskbar and open a recently opened document, Word would open, but not the document.  I would have to explicitly open the document from within the application.

Initial reports I read pointed to a recently installed patch, but instead of going through my “Programs and Features” uninstalling patches one-by-one, I found an even easier solution on Ed Bott’s blog.

NOTE: The following instructions deal with editing the Windows Registry, which is not for the incautious or faint of heart. It would be a good idea to back up your Registry and/or create a restore point before trying this.

If I haven’t scared you off, open Regedit, navigate to HKCU\Software\Microsoft\Office\12\Word and delete the “Data” Key.  (I did export the “Data” key first, just to be on the safe side.) After deleting the key, Word appeared to open and close properly.  I right-clicked the Word icon on my taskbar, chose a document to open and it opened right up. So far, so good.

I then merged the backed-up reg key back into the registry and tried opening that same recently-used document from the task bar – Word opened, no document.  Then upon closing Word, it crashed again.

From the information in Ed’s blog entry, the cause appears to be related to having Word running at the time a particular “Important” update is applied to the system. Removing this reg key fixed it right up! I saved at least 30 minutes by avoiding having to uninstall and reinstall Office.

Last October, we published a three-part series on SSL certificates: what they are, how they work, and how they’re used to secure transactions over the Web. You’ll find the series listed in our “Security” category. For most of us, this process has worked pretty well for a long time. But I recently ran across a paper by Christopher Soghoian and Sid Stamm that points out a vulnerability that, frankly, hadn’t really occurred to me before.

NOTE: I’ve chosen to place a copy of this paper on our own Web site, because I believe that the material is important enough that I wanted to ensure that it would be available even if the link I used to find it should no longer be valid. I believe that this is permissible under the Creative Commons Attribution license cited by the authors.

As we discussed in the previous series, the security of the public key infrastructure (“PKI”) that we’ve come to rely on ultimately depends on the trustworthiness of the Certificate Authorities (“CAs”) that grant the certificates. In general, a public CA (e.g., VeriSign) assumes some responsibility for verifying the identity of the person or organization requesting an SSL certificate. The level of verification performed depends on the type of certificate purchased. A small business purchasing a certificate that will be used to secure their Outlook Web Access site can get one pretty cheaply, and typically the issuer will only require that the requester be able to reply to an email message sent to the domain in question. On the other hand, Bank of America will go through a much more detailed process to get an “Extended Validation” certificate for one of their on-line banking servers (as well they should).

But if a bad guy could somehow obtain, from a trusted CA, a certificate for a Bank of America server, and then trick a user into visiting their fake BofA Web server, there would be no easy way for the user to know that something bad was going on – because the browser would indicate that a valid SSL session had been established.

Of course, any CA that knowingly issued such a certificate would risk irreparable harm to its reputation, punitive lawsuits, and potentially have its trusted status revoked by the major Web browser manufacturers. But, as Soghoian and Stamm point out in their paper, there are no technical restrictions that would prohibit a CA from doing so. So the integrity of the entire PKI and the security of millions of users’ communications ultimately depends on hundreds of CAs around the world choosing to do the right thing.

Now, I’m not particularly worried about VeriSign or GoDaddy, because I’m pretty sure they’re not going to cooperate in something like this without a court order (more on that later). But I didn’t realize that Microsoft, Apple, and Mozilla (Firefox) all include a number of national government CAs in their default “trusted root certification authorities” databases. For example, Microsoft’s program includes the governments of France, Korea, Latvia, Serbia, Tunisia, Turkey, and Uruguay, just to name a few. I’m sure that these government CAs are included for all the best reasons. But I’m not sure that I’m particularly comfortable with the idea of having my browser, by default, trust the government of Turkey with the blanket power to issue SSL certificates for any Web site. Correction – I’m sure that I’m not comfortable with that!

Why? Because the possibility is very real that some government, somewhere, might compel a CA to issue a false certificate that can then be used to perform a “man-in-the-middle” attack for surveillance purposes. In fact, as Soghoian and Stamm point out, there is evidence that this has already been done. (If you want the details on that, read their paper.)

As a result, they are working on a Firefox add-on that is currently known as “CertLock.” Certlock will keep track of the country of origin of the root CA of each Web site you visit, and if, on a return visit, it detects that the certificate being presented chains up to a root CA in a different country, even though your browser may trust that CA, it will warn you. For example, if your banking site uses certificates issued by VeriSign, which is a US-based CA, CertLock will store that information the first time you go to your banking site. If, on some future visit to that banking site, the Web server you hit presents a certificate that – although it appears to be valid – is chained to a root certificate issued by Etisalat in the United Arab Emirates, you’ll get a warning, and a chance to abort the connection.

Is this a perfect solution? No. Admittedly there are some scenarios that won’t be caught – but those are arguably not that significant anyway, with the possible exception of #4 below. To use a few of the examples cited by Soghoian & Stamm:

  1. Assume that the US government compels VeriSign to issue a certificate for use by a law enforcement agency wishing to intercept communications between a suspect located in the US and his/her US-based bank, which uses VeriSign certificates on all its Web servers. CertLock won’t detect that, because the CA issuing the fake certificate is the same CA that issued the legitimate certificates.

    However, if the government can get a court order compelling VeriSign’s cooperation, it could just as easily – and probably more easily – get a court order directly compelling the bank to disclose the suspect’s account information. So there’s little point in the exercise.

    The same holds true if the bank’s legitimate certificates were issued by, say, GoDaddy instead of VeriSign. They’re both US-based CAs, so CertLock won’t detect the attack – but, by the same reasoning, it’s still a moot point.

  2. Assume that a resident of China is accessing his/her online account with a Chinese bank that obtained its legitimate SSL certificates from VeriSign. Assume further that the Chinese government is interested in intercepting the suspect’s online transactions, and compels the China Internet Network Information Center (“CNNIC” – a domestic Chinese CA) to issue a false certificate for the operation.

    In this scenario, CertLock would detect the attack – although, again, it’s an improbable scenario because the Chinese government could just as easily compel the Chinese bank to provide the suspect’s account information.

  3. Assume that a US executive is on a business trip to China, and is attempting to access his/her gmail account from a hotel Internet connection. Once again, the Chinese government could compel CNNIC to issue a false certificate to employ a man-in-the-middle attack, since they have no leverage to compel the assistance of VeriSign, which issued the legitimate SSL certificates. This attack would be detected by CertLock.
  4. Assume that a Chinese executive is on a business trip in the US, and attempts to access his/her Chinese bank account from a hotel Internet connection. If the Chinese bank was using legitimate VeriSign SSL certificates, and if the US government obtained a false certificate from VeriSign, there would be no way for CertLock to detect the attack.
  5. Since American CAs dominate the certificate market, and are used by many foreign organizations, that last scenario is far from hypothetical, and would seem to give the US an edge in potential intelligence-gathering.

So the bottom line is that the approach taken by CertLock is not perfect. But it’s a step in the right direction, and I’ll be downloading it as soon as I can get my hands on it. In the meantime, particularly if you’re interested in security issues or if your job includes security-related responsibilities, I’d heartily recommend that you download and read the entire paper. Although it’s a bit complex, it’s only 19 pages long, so it shouldn’t take you more than two cups of coffee to get through it.
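To make the detection logic concrete, here is a small Python model of the country-of-root pinning that CertLock is described as doing, run through the scenarios above. This is an added example written for this post, not the add-on’s own code; the certificate chains, host name and CA names are constructed stand-ins for what a browser would take from the validated X.509 chain.

```python
"""CertLock-style country-of-root pinning, as a constructed model of the
approach described in the post (not the add-on's own code).

Assumption: a chain is a list of dicts ordered leaf first, each with
'subject', 'issuer' and 'country' (the C= attribute of the subject).
The root is the last element. A real implementation would read these
fields from the X.509 chain the browser has already validated."""

FIRST_VISIT = "first_visit"   # no record yet; remember the root's country
OK = "ok"                     # root country matches what was stored
WARN = "warn"                 # root country changed: possible forged certificate


class CertLockStore:
    """Remembers, per host, the root CA and its country seen on first visit."""

    def __init__(self):
        self._pins = {}   # host -> (root_name, root_country)

    @staticmethod
    def root_of(chain):
        root = chain[-1]
        if root["subject"] != root["issuer"]:
            raise ValueError("chain does not end in a self-signed root")
        return root["subject"], root["country"]

    def check(self, host, chain):
        """Returns (verdict, message). The pin is never overwritten on a warning,
        so the user keeps the chance to abort rather than silently re-pin."""
        root_name, root_country = self.root_of(chain)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = (root_name, root_country)
            return FIRST_VISIT, None
        pinned_name, pinned_country = pinned
        if root_country != pinned_country:
            return WARN, (f"{host}: root moved from {pinned_name} ({pinned_country}) "
                          f"to {root_name} ({root_country})")
        # Same country, even from a different CA (scenario 1 in the post):
        # this is exactly the case CertLock does not flag.
        return OK, None


def constructed_chain(leaf, intermediate, root, country):
    """Builds a three-certificate chain for the example; not real certificates."""
    return [
        {"subject": leaf, "issuer": intermediate, "country": country},
        {"subject": intermediate, "issuer": root, "country": country},
        {"subject": root, "issuer": root, "country": country},
    ]


def run_scenarios():
    """Walks the post's scenarios; returns a dict of scenario -> verdict."""
    store = CertLockStore()
    bank = "bank.example"   # placeholder host name
    legit = constructed_chain(bank, "US CA 1 Intermediate", "US CA 1 Root", "US")
    results = {"first": store.check(bank, legit)[0]}
    # Scenario 1: a forged certificate from another US-based CA. Not detected.
    same_country = constructed_chain(bank, "US CA 2 Intermediate", "US CA 2 Root", "US")
    results["same_country_ca"] = store.check(bank, same_country)[0]
    # Scenarios 2 and 3: a forged certificate chaining to a root in another country. Detected.
    foreign = constructed_chain(bank, "CN CA Intermediate", "CN CA Root", "CN")
    results["foreign_root"] = store.check(bank, foreign)[0]
    # The pin survived the warning, so the legitimate chain is still accepted.
    results["legit_again"] = store.check(bank, legit)[0]
    return results


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario}: {verdict}")
```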

A while back we had a couple of posts talking about application virtualization and server virtualization as part of our “What is Virtualization” series. We continue with our series now with the exploration of storage virtualization.

Storing data has been and will always be an issue for most companies, particularly given the rate at which storage requirements are increasing. Data storage is much more difficult than, say, storage of your own personal physical stuff.

To help me understand a bit better how storage virtualization works I go back to my condo reference. Assume that I live in a condominium complex with a bunch of other people. Since the units are a bit small, the complex offers storage units for the tenants’ use…a place to hold that extra bookcase, the leaf to your dining table, or your velvet Elvis painting. Unfortunately, each tenant gets only one storage unit. This means that if your unit is full it does you no good to know that your neighbor’s unit has nothing in it, because you have no access to it.

Now I like to travel, and when traveling I tend to pick up some knickknacks and tchotchkes from wherever I end up. I get back to my condo and find that my storage unit is already so full there is a note on my door from the fire marshal.  So what do I do? I do what most folks do:  No, I don’t get rid of anything (are you kidding?) – instead I rent a storage unit from the self-storage guys down the street. Now I have stuff in 2 different places. After a few years I have to get a third unit – but the unit down the street is full so I have to rent yet another storage unit across town. Clearly I have a problem: Aside from the obvious problem of being a pack rat, I have 3 storage units in 3 different locations. What happens if I need to find something that I’ve stored?  Will I even know where to look? (Clue: Probably not, because if I was sufficiently organized to keep a record of what stuff is in which storage unit, I probably wouldn’t be the kind of person to accumulate that much stuff in the first place!)

How does this apply to your business data? Well, one of the biggest problems we run into when trying to organize data in the traditional way, where each server has its own local storage, is that Murphy’s Law dictates that free storage space never exists in the server that needs it.  If my Exchange Server is running out of disk space, it does me no good to have 200 Gb free in my file server – just as it does me no good to know that your condo storage space is empty if mine is full.  In fact, it’s even worse. If my condo storage space is full, and I really trust you, I might make a deal with you to use some of your condo storage space – but there’s just no way to make that free space in your file server available to your Exchange Server.

“Storage virtualization” refers to the process of taking a bunch of physical disks and turning them into a central “storage pool,” portions of which can then be allocated back to your individual servers in such a way that they believe that the storage is local to them when, in fact, it is not. This separation of the drives from the individual servers is the key to storage virtualization and its benefits.

Since the drives are now managed as one large pool it is possible to perform tasks that previously were not possible, such as the migration of data between drives without down time, or being able to allocate storage on demand to the servers that need it. Storage virtualization allows you to perform these helpful tasks from a single management point.  We generally refer to this kind of storage virtualization system as a “Storage Area Network,” or “SAN.”

“Thin-provisioning” makes it even better.  Instead of trying to guess in advance how much storage to allocate to each server, and then potentially having to adjust things later, I can tell each server that it has way more storage than is actually available.  For example, I might tell ten different servers that they each had access to a terabyte of storage when, in fact, I only had a total of two or three terabytes of physical space in my storage pool.  I then let my SAN dynamically allocate the physical storage to the servers that need it – but only allocate as much physical storage as necessary to store the actual data.  The SAN will then alert me when I get close to running out of physical space so I can increase the size of my storage pool.
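Here is the ten-servers-on-three-terabytes example worked as a small Python model, added here to show where the physical space actually goes and what the alert and the failure mode look like. It is a constructed illustration, not any SAN vendor’s code; the 80% alert threshold is an assumption.

```python
"""Thin-provisioned storage pool, a constructed model of the post's example
(ten servers each told they have 1 TB while the pool holds 3 TB).
Not vendor code; sizes are whole gigabytes and the alert level is assumed."""


class PoolExhausted(Exception):
    """Raised when a write needs physical space the pool no longer has."""


class ThinPool:
    def __init__(self, physical_gb, alert_pct=80):
        self.physical_gb = physical_gb
        self.alert_pct = alert_pct
        self.logical = {}   # server -> GB the server was told it has
        self.used = {}      # server -> GB actually backed by physical space
        self.alerts = []    # messages the SAN would raise to the administrator

    def provision(self, server, logical_gb):
        """Promise logical_gb to a server; no physical space is consumed yet."""
        self.logical[server] = logical_gb
        self.used.setdefault(server, 0)

    def used_gb(self):
        return sum(self.used.values())

    def oversubscription(self):
        """Promised capacity divided by physical capacity."""
        return sum(self.logical.values()) / self.physical_gb

    def write(self, server, gb):
        """Allocate physical space only when data is actually written."""
        if self.used[server] + gb > self.logical[server]:
            raise ValueError(f"{server} exceeded its {self.logical[server]} GB volume")
        if self.used_gb() + gb > self.physical_gb:
            # The failure mode thin provisioning introduces: the server believes
            # it still has room, but the pool is physically full.
            raise PoolExhausted(f"pool full: {self.used_gb()} of {self.physical_gb} GB in use")
        self.used[server] += gb
        pct = 100 * self.used_gb() / self.physical_gb
        if pct >= self.alert_pct and not self.alerts:
            self.alerts.append(f"pool at {pct:.0f}% of physical capacity: grow the pool")
        return self.used[server]


def demo():
    """Runs the post's scenario and returns the observable results."""
    pool = ThinPool(physical_gb=3000)
    for i in range(10):
        pool.provision(f"server{i}", 1000)
    for i in range(10):
        pool.write(f"server{i}", 200)        # 2000 of 3000 GB in use, no alert yet
    used_after_first_round = pool.used_gb()
    alerts_before = len(pool.alerts)
    pool.write("server0", 500)               # 2500 of 3000 GB (83%): the alert fires
    exhausted = False
    try:
        pool.write("server1", 600)           # server1 sees 800 GB free, the pool has 500
    except PoolExhausted:
        exhausted = True
    return {
        "oversubscription": pool.oversubscription(),
        "used_after_first_round": used_after_first_round,
        "alerts_before": alerts_before,
        "alerts_after": len(pool.alerts),
        "exhausted": exhausted,
    }


if __name__ == "__main__":
    print(demo())
```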

If my condo implemented storage virtualization, I imagine it would work like this. I would have one key and one drop off spot for all my storage items. Once I drop off my velvet Elvis I wouldn’t have to worry about where it would be stored and how much space it would take up. The storage management elves would find a place for it, and fetch it for me again when I requested it.  Since I have so much stuff and my neighbor hardly has any we may end up sharing a storage closet, but neither of us knows, or cares.  Heck, our stuff may be scattered across every storage closet in the complex.

After a bit of traveling, I may have enough stuff to fill up 2 storage closets all by myself. But I can still bring it to the general drop off location and not need to worry about which closet it goes in…because to me it looks like there is only one big closet. If management decides it would be easier to manage my stuff if it was all together in one room, they may elect to put all my stuff in a new, larger storage unit. All this would happen without me knowing or caring where my stuff is physically located.

Storage virtualization is not the newest technology out there – in fact, people were deploying SANs for all of the reasons listed above long before server virtualization became a big deal.  But storage virtualization enables many of the coolest server virtualization features, such as live motion – the ability to migrate a running VM from one virtualization host to another.  And we haven’t even begun to talk about the additional tools you may have for data protection, backup, and disaster recovery, such as the ability to leverage SAN replication to automatically send a copy of your critical data off-site. At the end of the day storage virtualization is a great tool to save time, improve hardware utilization, increase agility, and most importantly save you money.

Your data needs to be organized and secure…just like my personal stuff. In fact, protecting your data is arguably more important, because if the condo burns down I can probably get an insurance check for my physical stuff. But mere monetary damages may not be sufficient if you lose your data. (Can you even put a price tag on your data? Hint: How much is your business worth? Hint #2: What’s it worth to stay out of jail for violating laws on record retention?) Storage virtualization gives you another big toolbox full of tools to help you organize and secure it.

However it is still not an excuse to not throw a few things out every now and then.

Yesterday, I received what just may be the lamest phishing attempt ever. I’m not sure whether the originators of this particular attempt were just plain lazy, or whether they were too dumb to properly disguise what they were trying to do. Regardless, this is a good object lesson in the kinds of things to look for to spot bogus email messages. Here’s the message (click to view larger screen cap):

[Screenshot: Pathetic Attempt At Phishing]


Let’s just walk through all the things that are wrong with this:

  1. It has my own email address in the “From” field. If I had sent myself a message about this, I’d remember – wouldn’t I?
  2. Grammatical error #1: “has just be released”
  3. Grammatical error #2: “Dear use of the mooselogic.com mailing service”
  4. You really expect me to believe that my own corporate support team is going to ask me to go to some Web site in Europe and run an executable file? Really? And you didn’t even bother to disguise the link?
  5. The whole message is self-contradictory – if the security settings of my mailbox have been changed, and I need to apply new security settings, how is it that I was able to get to my mailbox to see this email message?

This message could have been made a lot more believable by doing just a few simple things – and it’s worth noting what they are, because a lot of other phishing messages that are turning up in your users’ mailboxes are doing these things already.

First, they could have used an email address other than mine as the “From” address. Lots of companies have fairly predictable email aliases, such as “support@,” “webmaster@,” etc., that would be more likely to be associated with a support team.

Second, they could have been a little more careful about grammatical errors. It’s worth noting, however, that because a lot of phishing expeditions originate outside of the U.S. (the “ruhlmann.eu” domain happens to be registered to someone in France), and are put together by people whose first language is not English, it is not unusual to see grammatical or spelling errors, and this is, in fact, one of the best ways of spotting phony messages.

Third, they could have used a graphic that they lifted from my own corporate Web site. It’s not hard, all they have to do is create a dynamic link. The following HTML code:

<img alt="Wells Fargo Logo" src="https://a248.e.akamai.net/f/248/1856/90m/www.wellsfargo.com/img/hp/logo_62sq.gif" />

Will yield this (unless Wells Fargo has moved the location of the logo file):
[Image: Wells Fargo Logo]
All I had to do was go to the Wells Fargo home page, right-click on their logo, choose “Copy image location,” which gives me the exact URL of the image file, and paste it into the HTML code of my page. I didn’t copy the logo graphic – I’m pulling it dynamically from their site. This is a very common practice in phishing emails that pretend to be from your bank, or from PayPal, or from eBay.

And, of course, I could link that graphic to any site I wanted, and if you weren’t paying attention, you might not notice that the site I’m linking it to is not really a Wells Fargo site. I might even further disguise the link by creating something like “banking.wellsfargo.com.myphishingsite.eu/pathtomalware/malware.exe,” hoping, of course, that you’ll see “wellsfargo.com” and not look any closer, and not spot the fact that the actual link is not to a Wells Fargo Web site at all.

This is also a very common practice. And if the originators of the email above weren’t so dumb and/or lazy, that’s how they would have disguised the link. Or, if they didn’t want to bother with a graphic, they could have at least disguised the text. Remember, you can have any words you want link to any URL you want. The HTML code is easy. Just do something like:

<a href="http://myphishingsite.com/malware.exe">Come look at the fluffy bunnies!</a>

And you’ll get text that says “Come look at the fluffy bunnies!” but that is actually linked to the malware executable.

Fortunately, many email readers, including Outlook, will pop up the actual HTML destination if you hover your mouse over the link, so that’s a good habit to get into before you click on any link in an email message.
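The same comparison (real destination versus what the message shows) can be automated for a mail gateway or a user-reported message. The Python below is an added example, not part of the original post: it parses a sample message constructed from the examples above, flags links whose host merely contains a trusted brand name, links to executables, and brand images hot-linked from the real site. The brand list and the “last two labels” registrable-domain rule are assumptions; a production check would use the public suffix list.

```python
"""Inspection of the links in an HTML message: compare the real destination
with what the message displays. Added example, not from the original post.
The sample message is constructed from the post's examples; the brand list
and the 'last two labels' registrable-domain rule are assumptions (the rule
is wrong for suffixes such as .co.uk, where a public suffix list is needed)."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Only .exe appears in the post; a real filter would extend this list.
EXECUTABLE_SUFFIXES = (".exe",)

BRANDS = {"wellsfargo.com"}   # constructed list of domains the organisation trusts

# Constructed sample message built from the post's examples.
SAMPLE_MESSAGE = """
<p>Dear use of the mailing service, new security settings has just be released.</p>
<img alt="Wells Fargo Logo" src="https://www.wellsfargo.com/img/logo.gif" />
<a href="http://banking.wellsfargo.com.myphishingsite.eu/pathtomalware/malware.exe">Apply the new settings</a>
<a href="http://myphishingsite.com/malware.exe">Come look at the fluffy bunnies!</a>
<a href="https://www.wellsfargo.com/">Wells Fargo Online</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor and the src of every image."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Assumption: the registrable domain is the last two labels.
    return ".".join(host.lower().split(".")[-2:])


def inspect_links(html, brands):
    """Returns (findings, hotlinked_images); each finding is (href, [reasons])."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        u = urlparse(href)
        host = u.hostname or ""
        real = registrable_domain(host)
        reasons = []
        for brand in brands:
            # "banking.wellsfargo.com.myphishingsite.eu" contains the brand but is not it
            if brand in host and real != brand:
                reasons.append(f"host {host} imitates {brand} but belongs to {real}")
            # Display text names the brand while the link goes somewhere else
            if brand.split(".")[0] in text.lower().replace(" ", "") and real != brand:
                reasons.append(f"text names {brand} but the link goes to {real}")
        if u.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link points to an executable")
        if reasons:
            findings.append((href, reasons))
    # Brand images pulled live from the real site, the technique shown above
    hotlinked = [src for src in p.images
                 if registrable_domain(urlparse(src).hostname or "") in brands]
    return findings, hotlinked


def demo():
    return inspect_links(SAMPLE_MESSAGE, BRANDS)


if __name__ == "__main__":
    findings, hotlinked = demo()
    for href, reasons in findings:
        print(href, "->", "; ".join(reasons))
    print("hot-linked brand images:", hotlinked)
```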

Bottom line: this particular phishing message was fairly easy to spot. There are a lot of other messages that your users will receive that are much more cleverly disguised. But if you know what to look for, you can usually spot them. Your best defense will be to help your users learn what to look for. A good start might be to share this post with them.

Two Very Cool Utilities

February 22nd, 2010 | Posted by Sid Herron in Computer Basics | General - (1 Comments)

Today, I’m not going to focus on pressing business issues, Microsoft licensing, or the latest news from Citrix. Instead, I want to share a couple of software utilities that have made my computing world more pleasant. Both have free versions as well as “Pro” versions that cost a modest amount of money and give you more functionality. Both are Windows 7 compatible.

Managing Desktop Icons
First, I’m one of those users who puts a lot of icons on the desktop. I want my most frequently used programs (and even some of the less frequently used) right there where I can double-click them without having to navigate through the Start menu tree. (Yeah, I probably never entirely outgrew Windows for Workgroups v3.11 in that respect.) But the desktop can get, um, rather cluttered. Sometimes the icons don’t want to stay where I put them. I can use the “auto arrange” feature, but I don’t always like the way they get arranged.

I was delighted to discover “Fences” by Stardock. All you have to do is hold down the right mouse button and drag on your desktop to define an area, and a little context menu will pop up that says, “Create New Fence Here.” Click on that, and you’ve just created a defined area on your desktop that you can name, resize, drag to whatever position you want, and then fill with desktop icons just by dragging them inside the “fence” (see below – click to view larger picture):

[Screenshot: "Fences" Screen Capture]


Double-click anywhere on the desktop, and all the icons disappear for that nice, clean, uncluttered look. Double-click again and they come back. Create a “snapshot” of your current fence configuration, so that if things do get scrambled by a random cosmic ray, you don’t have to re-create everything from scratch. I love it!

Multiple Monitors
Second, I have become highly dependent on multiple monitors. My primary business computer is a Motion Computing LE1700 Tablet. I have docking stations in both my work office and my home office. When I dock it, my desktop is automatically spread across a large external monitor as well as the screen of the tablet itself. My multi-media studio PC at home has two widescreen monitors that are essential when I’m doing multi-track hard disk recording. My personal desktop PC has multiple monitors simply because I reached the point where I found a single monitor to be annoyingly limiting. But I was always annoyed by not having an easy way to have different desktop images on the different monitors.

The answer for me was “DisplayFusion” from Binary Fortress Software. DisplayFusion can do a number of cool things, including random “slide show” changes of your wallpaper, and multiple taskbars on your multiple monitors. But the key thing for me was that I finally had an easy way to put a different picture on each of my monitors.

[Screenshot: DisplayFusion Example]


You’ll notice that the two pictures aren’t the same size. The one on the right is the screen of my tablet, which is only 1024 x 768, whereas my external monitor is 1280 x 1024. DisplayFusion doesn’t care about the size mismatch.

And in case you’re curious, yes, I took both of those pictures. Both were taken last summer in the Mountain Loop Highway area of Washington State. The one on the left was one of many incredible views on the way from Barlow Summit to the old, abandoned mining town of Monte Cristo. The one on the right is of Perry Creek just above Perry Creek Falls – about 2 miles in and 3300 feet up on the Perry Creek – Mount Forgotten trail. Yes, I’m lucky to live in such an awesome part of the country.

But I’m sure you have some awesome pictures of your own, and now you know how to put them to use with multiple monitors and how to manage that desktop icon clutter.

VSS and Snapshots

February 3rd, 2010 | Posted by Sid Herron in Computer Basics | General - (0 Comments)

“VSS,” or Microsoft’s “Volume Shadow Copy Service,” provides a means of requesting a “snapshot” of a data volume. In very basic terms, a snapshot captures an image of the data volume at a particular point in time. This can be useful, for example, in allowing backup software to back up a volume even though it is still in use and data may be changing while the backup operation is under way. It can also be used to facilitate a roll-back of the data volume to the point in time when the snapshot was taken.

You typically don’t want your snapshot to consist of a complete copy of your data volume, though. That would be a waste of disk space, and could take a long time to complete – and I/O operations on the data volume have to be suspended for the length of time required to take the snapshot, so we want that time to be as short as possible. Therefore, most products that use snapshots, including VSS, use a “copy on write” approach. Here’s how it works:

First, a table is created that initially contains nothing but pointers back to the physical data blocks in the original volume. This can be done very quickly, will take up very little space, and can immediately be used as though it was a complete copy of the data volume. As long as nothing has actually changed in the original volume, any read request that’s made to the snapshot for a specific block of data will simply be redirected back to the original volume.

When a write operation takes place on a block of data in the original volume, the existing data is first copied to a “recovery area,” and the pointer for that block in our snapshot table is changed so it points to the recovery area instead of to the original volume. The snapshot can continue to be accessed as though it was a complete copy of the original volume, because the point in time at which the snapshot was taken can be reconstructed by merging the unchanged blocks of data in the original volume with the blocks that were copied to the recovery area before changes were made.

As time goes by, and more and more changes are made to the original volume, the storage space consumed by the snapshot will continue to grow as more and more data is copied to the recovery area. Eventually, it will approach the size of the original volume. For this reason, snapshots are generally not retained forever – they’re kept until the purpose for which they were created has been fulfilled, e.g., until the backup operation has been completed, and then purged to release storage space. One caveat worth stating plainly: by default the recovery area lives on the same storage as the original volume, so a snapshot protects you against a mistaken change, not against losing the disk. It is a building block for a backup, not a substitute for one.
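To make the mechanism concrete, here is an in-memory model of copy-on-write snapshots. It is an added illustration for this post, not code from the post or from Microsoft’s VSS: the volume is a list of fixed-size blocks, the snapshot is the per-block pointer table described above, and the “recovery area” is a dictionary that receives a block’s old contents the first time it is overwritten after the snapshot is taken.

```python
"""Copy-on-write snapshot of a block volume, modelled in memory.

Added illustration for this post; not code from the post or from VSS.
"""
from typing import Dict, List


class Snapshot:
    """Point-in-time view of a volume, held as copy-on-write pointers."""

    def __init__(self, volume: "Volume") -> None:
        self.volume = volume
        # Recovery area: block index -> contents the block had at snapshot time.
        # Empty at creation, which is why taking a snapshot is nearly instant.
        self.recovery: Dict[int, bytes] = {}

    def read(self, idx: int) -> bytes:
        # Unchanged block: redirect to the live volume.
        # Changed block: serve the copy saved before the change.
        return self.recovery.get(idx, self.volume.blocks[idx])

    def bytes_used(self) -> int:
        """Space consumed by the snapshot; grows only as blocks change."""
        return sum(len(b) for b in self.recovery.values())


class Volume:
    """Block volume whose writes preserve the pre-image for open snapshots."""

    def __init__(self, blocks: List[bytes]) -> None:
        self.blocks = list(blocks)
        self.snapshots: List[Snapshot] = []

    def read(self, idx: int) -> bytes:
        return self.blocks[idx]

    def snapshot(self) -> Snapshot:
        snap = Snapshot(self)
        self.snapshots.append(snap)
        return snap

    def write(self, idx: int, data: bytes) -> None:
        # Copy-on-write: before overwriting, save the old contents for every
        # snapshot that has not yet recorded this block. A second write to the
        # same block saves nothing, so the recovery area can never exceed the
        # size of the original volume.
        for snap in self.snapshots:
            if idx not in snap.recovery:
                snap.recovery[idx] = self.blocks[idx]
        self.blocks[idx] = data

    def rollback(self, snap: Snapshot) -> None:
        """Return the live volume to the snapshot's point in time."""
        for idx in range(len(self.blocks)):
            self.blocks[idx] = snap.read(idx)

    def release(self, snap: Snapshot) -> None:
        """Purge the snapshot once its purpose (e.g. a backup) is served."""
        self.snapshots.remove(snap)
        snap.recovery.clear()


def backup_from_snapshot(snap: Snapshot) -> List[bytes]:
    """What a backup tool reads: a consistent image even while writes continue."""
    return [snap.read(i) for i in range(len(snap.volume.blocks))]


def demo() -> dict:
    # Constructed sample volume of three 4-byte blocks.
    vol = Volume([b"AAAA", b"BBBB", b"CCCC"])
    snap = vol.snapshot()
    vol.write(0, b"XXXX")   # first write after the snapshot: pre-image saved
    vol.write(0, b"YYYY")   # second write to the same block: nothing new saved
    image = backup_from_snapshot(snap)
    return {
        "live_block0": vol.read(0),
        "snap_block0": snap.read(0),
        "backup": image,
        "snapshot_bytes": snap.bytes_used(),
    }
```

`demo()` shows the two properties the text relies on: the backup image still reads the block as it was when the snapshot was taken even though the live volume has changed twice, and the snapshot has consumed only one block of space for those two writes.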

That, in a nutshell, is what a “snapshot” is all about. For more information, check out the “Volume Shadow Copy Service Technical Reference” on Microsoft TechNet.

More and more frequently, we’re hearing the question: “I’ve got anti-virus software installed – why am I [or, alternately, why are my users] still getting infected?”

To understand the answer, we have to understand how the threat landscape has been changing over the last few years. The fact is that malware delivered as an email attachment is no longer the primary threat vector we have to worry about. The MooseGuard™ spam/virus filter for this author’s personal email account blocks anywhere from 300 to 800 spam messages per week. I can’t remember the last time one of them actually contained a virus payload. Instead, the primary threat vector these days is malware delivered over the Web – usually malware that we unwittingly install ourselves.

One of the realities of corporate computing is that it is very difficult to get permission to truly lock down the corporate PC desktop. Sometimes this is because there are legitimate applications that require the user to have some level of local administrative rights in order to function properly. But even when that is not the case, the pushback from users (often users in the executive suite) who want to be able to install their own MP3 player software, their own desktop wallpaper, their own fill-in-the-blank applications, can be extreme. So we end up backing down and giving users local admin rights to their PCs.

The problem is that if you have the necessary rights to install iTunes® on your PC, you also have the rights to install malware. So the game is all about tricking you into approving the installation without realizing what you’re doing. This is generally called “social engineering,” and it’s based on the concept that it’s easier to get people to give up information voluntarily than it is to take it by force.

Here are just a couple of examples that my spam filter caught this week. First, a bogus credit card alert:
Credit Card "Phishing" Attempt
This is obviously designed to scare me into thinking that someone is trying to use one of my credit card accounts. Of course, the first giveaway to me is the fact that the email address to which this was sent does not exist at mooselogic.com. But if this had arrived in someone’s personal email account with their correct email address, I can envision some number of people immediately shifting into “Oh, my God!” mode, and clicking on the link to see what happened.

What is not obvious from the image above is that the link is disguised. What appears on the surface to be a link to something.visa.com is in reality a link to something.visa.com.sucipa.vc. Remember that a hostname is read from the right: the part that says who owns it is the registrable domain, here “sucipa.vc,” and “visa.com” is just a pair of subdomain labels the attacker was free to choose. I was not able to track down the owner of “sucipa.vc” – in fact, it appears that the domain may have already been de-activated – but I was able to determine that “.vc” is the domain suffix for St. Vincent and the Grenadines. Not a likely place for Visa to be hosting important Web sites. No doubt the “VISA Card Holder Form” would have asked me to provide things like my account number, name on the card, and expiration date: in short, everything that a criminal would need to start using my card.

The next example plays on simple greed:

IRS Phishing Attempt

It’s telling me that I have a “503.15$” tax refund coming, and I need to submit the “Tax Refund Request Form” to claim it. Once again, there are a couple of obvious (to me, anyway) tip-offs. First, “info@mooselogic.com” doesn’t file tax returns. Second, in this country it is customary to place the dollar sign before the amount rather than after it. And, once again, the link is disguised: the “Tax Refund Request Form” is apparently being hosted on a domain called “state-ri.us” – not a domain I would expect to be associated with the IRS. This form would, no doubt, have asked me for my name, address, and social security number.
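Both of these messages are caught by the same habit: compare the domain the reader is shown (or expects) with the registrable domain the link actually goes to. The following Python is an added example for this post, not the post’s own code or any product’s, and it deliberately simplifies: the registrable domain is taken as the last two host labels (plus a small hard-coded list of country second-level suffixes) rather than the full Public Suffix List, and the brand watch-list is a constructed sample. Treat its output as a triage signal, not a verdict.

```python
"""Flag links whose visible text or brand-like hostname disguises the real
destination. Added example for this post; simplified public-suffix handling.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed subset of second-level suffixes; the real list is far longer.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
# Constructed sample of brands that attackers like to plant in subdomains.
BRAND_WATCHLIST = ("visa", "irs", "paypal")
DOMAINISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_of(text: str) -> str:
    """Hostname of a URL or bare host, lower-cased; '' if it cannot be parsed."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        return (urlsplit(candidate).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host: str) -> str:
    """Rightmost labels that identify the owner: sucipa.vc for www.visa.com.sucipa.vc."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(displayed: str, href: str) -> Dict[str, object]:
    """Compare what the reader sees with the href behind it."""
    findings: List[str] = []
    href_host = host_of(href)
    href_domain = registrable_domain(href_host)

    # http://visa.com@evil.example parses to host evil.example; the part before
    # '@' is userinfo and exists only to fool the eye.
    netloc = urlsplit(href if "://" in href else "http://" + href).netloc
    if "@" in netloc:
        findings.append("userinfo before the real host")
    if IPV4.match(href_host):
        findings.append("link goes to a raw IP address")

    # Visible text looks like a URL or host but names a different owner.
    if DOMAINISH.match(displayed.strip()):
        shown_domain = registrable_domain(host_of(displayed))
        if shown_domain != href_domain:
            findings.append(f"text shows {shown_domain} but link goes to {href_domain}")

    # Brand name buried in the subdomain part of an unrelated registrable domain.
    subdomain_labels = href_host.split(".")[: -len(href_domain.split("."))]
    for brand in BRAND_WATCHLIST:
        if brand in subdomain_labels and brand not in href_domain.split("."):
            findings.append(f"'{brand}' is only a subdomain of {href_domain}")

    return {"href_domain": href_domain, "findings": findings, "suspicious": bool(findings)}
```

Run against the two messages above, `analyze_link("https://www.visa.com/alerts", "http://www.visa.com.sucipa.vc/cardholder-form")` reports the registrable domain as `sucipa.vc` with “visa” demoted to a subdomain, and `analyze_link("Tax Refund Request Form", "http://irs.state-ri.us/refund")` reports `state-ri.us` with “irs” as a subdomain. A genuine link whose text and href share a registrable domain produces no findings.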

Unfortunately, there are attack vectors out there that are much more sophisticated than these two examples:

  • “Malvertising” – sometimes the bad guys purchase banner ads on legitimate Web sites and load them with, for example, an Adobe Flash exploit. If the Web site simply accepts the banner ad without somehow checking it for a malicious script, you have a recipe for infection.
  • “Clickjacking” – You may see a page that says something like, “Do you agree with Obama’s Health Care proposal?” with big “Yes” and “No” buttons. What you don’t see is the transparent frame of another site layered on top of those buttons, positioned so that when you click on what you think is a button, you’re actually clicking on a link or button on that other site that you can’t even see.
  • Social Networking exploits – One of the recent classic scams involved compromised Facebook accounts that were used to send direct messages to other Facebook users that said something like, “LOL. You’ve been catched on hidden cam, yo.” If you succumb to curiosity and click through the link, you’ll be taken to a page with what looks like an embedded video, but when you click on it, you will be prompted to download and install a “plugin” so you can view the video. Guess what? It’s not a plugin – it’s malware.
  • CSRF, a.k.a. “Cross Site Request Forgery” – This one should scare the heck out of you. Let’s say you’ve logged into your banking site. The site is probably set to log you out automatically after some period of inactivity, but in the meantime, you can probably even go to a different site and come back and still be logged in. Why? Because the site has set a “cookie” in your browser that identifies your banking session. Now let’s say you’re using a modern browser that allows you to have multiple tabs open to different sites. You have one tab open looking at your banking site, but you’re multi-tasking, and you have another tab open interacting with some forum somewhere. It is possible for malicious code in the forum site to send requests to your banking site without your knowledge – and because your browser attaches the banking cookie to any request bound for the bank, whichever page triggered it, the requests will be executed. So don’t multi-task when you’re browsing a site that’s important to you, and log out when you’re done rather than waiting for the timeout. Note that the tabs are incidental: the same thing happens if you visit the forum after the bank in one tab while the session is still alive. The real fix belongs on the site, which must tie every state-changing request to a secret token that a page on another site cannot read.
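The CSRF item above is the one that is easiest to misunderstand, so here is the exchange in miniature: a “bank” handler that trusts the session cookie alone, beside the same handler requiring a per-session token that the attacker’s page cannot read. This is an added example for this post, not the post’s own code; the origins, account names and balances are constructed, and the browser is simulated by a function that attaches the bank’s cookie to every request bound for the bank, whichever page submitted the form.

```python
"""CSRF in miniature: session-cookie-only handler beside a token-checked one.

Added example for this post; origins and accounts are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

BANK_ORIGIN = "https://bank.example"     # assumed bank site
FORUM_ORIGIN = "https://forum.example"   # assumed attacker-controlled page


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    origin: Optional[str] = None  # Origin header, if the browser sent one


class Bank:
    def __init__(self) -> None:
        self.balances = {"alice": 1000, "mallory": 0}
        self.sessions: Dict[str, str] = {}     # session id -> user
        self.csrf_tokens: Dict[str, str] = {}  # session id -> per-session token

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_urlsafe(16)
        return sid

    def token_for(self, sid: str) -> str:
        """Embedded in the bank's own transfer form. The same-origin policy
        keeps a page on another site from reading it."""
        return self.csrf_tokens[sid]

    def _move(self, src: str, dst: str, amount: int) -> None:
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transfer_vulnerable(self, req: Request) -> int:
        # Asks only "is there a valid session cookie?", which the browser
        # answers yes to no matter which page triggered the request.
        user = self.sessions.get(req.cookies.get("session", ""))
        if user is None:
            return 401
        self._move(user, req.form["to"], int(req.form["amount"]))
        return 200

    def transfer_protected(self, req: Request) -> int:
        sid = req.cookies.get("session", "")
        user = self.sessions.get(sid)
        if user is None:
            return 401
        # Defence 1: the request must carry the token only the bank's own page
        # could have embedded. Constant-time compare avoids a timing leak.
        supplied = req.form.get("csrf_token", "").encode()
        if not secrets.compare_digest(supplied, self.csrf_tokens[sid].encode()):
            return 403
        # Defence 2: when the browser reports where the request came from,
        # refuse foreign origins outright.
        if req.origin is not None and req.origin != BANK_ORIGIN:
            return 403
        self._move(user, req.form["to"], int(req.form["amount"]))
        return 200


def browser_submit(cookie_jar: Dict[str, str], page_origin: str,
                   form: Dict[str, str]) -> Request:
    """Simulated browser: the bank's cookie rides along on any request bound
    for the bank, whichever page submitted the form. That is the whole problem."""
    return Request("POST", "/transfer", cookies=dict(cookie_jar),
                   form=dict(form), origin=page_origin)


def scenario() -> Dict[str, object]:
    forged = {"to": "mallory", "amount": "500"}  # hidden form on the forum page

    # Vulnerable handler: the forum's hidden form moves alice's money.
    bank = Bank()
    jar = {"session": bank.login("alice")}
    status_weak = bank.transfer_vulnerable(browser_submit(jar, FORUM_ORIGIN, forged))
    after_weak = bank.balances["alice"]

    # Protected handler: the forum page cannot read alice's token, so it fails.
    bank = Bank()
    sid = bank.login("alice")
    jar = {"session": sid}
    status_forged = bank.transfer_protected(browser_submit(jar, FORUM_ORIGIN, forged))
    after_forged = bank.balances["alice"]

    # Alice's own form, rendered by the bank, carries the token and succeeds.
    legit = {"to": "mallory", "amount": "50", "csrf_token": bank.token_for(sid)}
    status_legit = bank.transfer_protected(browser_submit(jar, BANK_ORIGIN, legit))
    after_legit = bank.balances["alice"]

    return {"status_weak": status_weak, "after_weak": after_weak,
            "status_forged": status_forged, "after_forged": after_forged,
            "status_legit": status_legit, "after_legit": after_legit}
```

The point of `transfer_protected` is that the cookie proves who the user is, while the token proves the request came from a page the user actually loaded from the bank. Both checks are the site’s job; the user-side advice above (log out, don’t leave the bank open while you browse elsewhere) only shrinks the window in which a forged request would succeed.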

Malware these days is all about money. Sometimes the people who gather your information aren’t out to use it themselves. Rather than run the risk of being caught and arrested for being directly involved in fraudulent activity, they compile and sell the information to others. There’s a robust marketplace on the Internet for stolen data. According to Symantec, it’s possible to buy:

  • Bank accounts for $10 – $1,000 each
  • Credit cards for $0.40 – $20 each
  • Full identities for $1 – $15 each
  • Email passwords for $4 – $30 each
  • “Malware-as-a-Service” – some folks will host your malware for between $2.50 and $50 per week.

According to MessageLabs, you can get paid for infecting other people’s computers. In the US, you can get as much as $50 per 1,000 downloads.

Check out the video below. It’s a 10 minute excerpt (because 10 minutes is the maximum length for a YouTube video) of a talk given last year by Lenny Zeltser. Zeltser is an incident handler at the SANS Internet Storm Center. He’s also a SANS faculty member, a member of their Board of Directors, and he leads a security consulting team at Savvis – so he knows what he’s talking about:



If this caught your interest, I would strongly recommend that you invest an hour and watch his complete presentation. You can find it on the Wolf’s Lair blog site. (Note: We have no affiliation whatsoever with the author of this blog, but we’d like to thank him for making these videos available!)

So…what can you do to protect yourself?

First of all, recognize that humans and their behavior are still the weakest links in the security chain, and the most sophisticated anti-malware software in the world can’t protect you against people doing dumb things. It is critical to educate your users. (Hint: Ask them to read this blog post.)

Second, if you’re still running Windows XP, you should be planning to migrate to Windows 7 as soon as you possibly can. Microsoft’s “User Account Control” really can help protect you against “zero-day” exploits and careless surfing. Yes, the implementation in Vista was annoyingly intrusive and heavy-handed. The implementation in Windows 7 is customizable at a more granular level. The point is that having a window pop up and ask, “Are you sure you really want to do this?” can be the difference between being compromised and not being compromised. Two caveats: UAC helps most when users run day-to-day as standard users rather than administrators, and it only helps at all if an unexpected prompt is treated as a reason to click “No.” A user who approves every prompt has turned it off in everything but name.

Third, find ways to lock down your users’ desktops. Yes, this will in some cases be politically difficult. But you really need to do it. In some cases, moving to thin clients on the desktop can help. You may also want to take a good look at XenDesktop 4, since a desktop OS that’s being provisioned from a common, read-only image is not as vulnerable as a traditional, locally-installed desktop.

Finally, understand the need for a layered approach to security. The threats to your organization are many and varied, and one point solution (like anti-virus software on the desktop) simply cannot protect you from all of them.

The Internet is a dangerous place, and we will, for the foreseeable future, be locked in an arms race between the people who write malware and the people who come up with defenses against it. Most of all, you need to stay informed about security issues. We’ll do our best to help you do that.

Edit 2/4/10: Just saw an article on pcworld.com that talks about this very subject. It’s worth a read.

A few days ago, in the post entitled “Seven things you need to do to keep your data safe,” we were talking primarily about some simple things that individuals can do to protect their data, even if (or especially if) they’re not IT professionals. In this post, we’re talking to you, Mr. Small Business Owner.

You might think that it’s intuitively obvious why you would need good backups, but according to an HP White Paper I recently discovered (which you should definitely download and read), as many as 40% of Small and Medium Sized Businesses don’t back up their data at all.

The White Paper is entitled Impact on U.S. Small Business of Natural and Man-Made Disasters. What kinds of disasters are we talking about? The White Paper cites statistics from a presentation to the 2007 National Hurricane Conference in New Orleans by Robert P. Hartwig of the Insurance Information Institute. According to Hartwig, over the 20-year period of 1986 through 2005, catastrophic losses broke down like this:

  • Hurricanes and tropical storms – 47.5%
  • Tornado losses – 24.5%
  • Winter storms – 7.8%
  • Terrorism – 7.7%
  • Earthquakes and other geologic events – 6.7%
  • Wind/hail/flood – 2.8%
  • Fire – 2.3%
  • Civil disorders, water damage, and utility services disruption – less than 1%

If you’re in Moose Logic’s back yard here in the great State of Washington, you probably went down that list and told yourself, with a sigh of relief, that you didn’t have to worry about almost three-quarters of the disasters, because we typically don’t have to deal with hurricanes and tornadoes. But you might be surprised, as I was, to learn that we are nevertheless in the top twenty states in terms of the number of major disasters, with 40 disasters declared in the period of 1955 – 2007. We’re tied with West Virginia for 15th place.

Sometimes, disasters come at you from completely unexpected directions. Witness the “Great Chicago Flood” of 1992. Quoting from the White Paper:

In 1899 the city of Chicago started work on a series of interconnecting tunnels located approximately forty feet beneath street level. This series of tunnels ran below the Chicago River and underneath the Chicago business district, known as The Loop. The tunnels housed a series of railroad tracks that were used to haul coal and to remove ashes from the many office buildings in the downtown area. The underground system fell into disuse in the 1940s and was officially abandoned in 1959 and the tunnels were largely forgotten until April 13th, 1992.

Rehabilitation work on the Kinzie Street bridge crossing the Chicago River required new pilings and a work crew apparently drove one of those pilings through the roof of one of those long abandoned tunnels. The water flooded the basements of Loop office buildings and retail stores and an underground shopping district. More than 250 million gallons of water quickly began flooding the basements and electrical controls of over 300 buildings throughout the downtown area. At its height, some buildings had 40 feet of water in their lower levels. Recovery efforts lasted for over four weeks and, according to the City of Chicago, cost businesses and residents an estimated $1.95 billion. Some buildings remained closed for weeks. In those buildings were hundreds of small and medium businesses suddenly cut off from their data and records and all that it took to conduct business. The underground flood of Chicago proved to be one of the worst business disasters ever.

Or how about the disaster that hit Tessco Technologies, outside of Baltimore, in October of 2002? A faulty fire hydrant outside its Hunt Valley data center failed, and “several hundred thousand gallons of water blasted through a concrete wall leaving the company’s primary data center under several feet of water and left some 1400 hard drives and 400 SAN disks soaking wet and caked with mud and debris.”

How could you have possibly seen those coming?

And as if these disasters aren’t bad enough, other studies show that as much as 50% of data loss is caused by user error – and we all have users!

One problem, of course, as we’ve observed before, is that it’s difficult to build an ROI justification around the bad thing that didn’t happen. Unforeseen disasters are, well, unforeseen. There’s no guarantee that the big investment you make in backup and disaster recovery planning is going to give you any return in the next 12 – 24 months. It’s only going to pay off if, God forbid, you actually have a disaster to recover from. So it’s no surprise that, when a business owner is faced with the choice between making that investment and making some other kind of business investment that will have a higher likelihood of a short-term payback (or perhaps taking that dream vacation that the spouse has been bugging you about for the last five years), the backup / disaster recovery expenditure drops, once again, to the bottom of the priority list.

One solution is to shift your perspective, and view the expense as insurance. Heck, if it helps you can even take out a lease to cover the cost – then you can pretend the lease payment is an insurance premium! You wouldn’t run your business without business liability insurance – because without it you could literally lose everything. You shouldn’t run your business without a solid backup and disaster-recovery plan, either, and for precisely the same reason.

Please. Download the HP White Paper, read it, then work through the following exercise:

  • List all of the things that you can imagine that would possibly have an impact on your business. I mean everything – from the obvious things like flood, fire, and earthquake, to less obvious things, like a police action that restricts access to the building your office is in, or the pandemic that everyone keeps telling us is just around the corner.
  • For each item on your list, make your best judgment call, on a scale of 1 to 3 (where 1 is the most likely or most severe and 3 the least), of
    • How likely it is to happen, and
    • How severely it would affect your business if it did happen.

You now have the beginnings of a priority list. The items that you rated “3” in both columns (meaning not likely to happen, and not likely to have a severe effect on your business even if they did) you can push to the bottom of the priority list. The items that you rated “1” in both columns need to be addressed yesterday. The others fall somewhere in between, and you’re going to have to use your best judgment in how to prioritize them – but at least you now have some rationale behind your decisions.

The one thing you can’t afford to do is to keep putting it off. Hope is not a strategy, nor is it a DR plan.