Security Blog

From Endpoint Protector Canada

Windows XP users: You must upgrade. Now.


On April 8, 2014, Microsoft will be cutting off all support for Microsoft Windows XP (and Microsoft Office 2003). Don’t misunderstand the significance of this: You must upgrade. Now.

Windows XP is very old: it was released in 2001. That’s three years before Facebook even existed and six years before the very first iPhone was announced. At that time, Google was a privately held company with just 400 employees, and US Robotics was excited to unveil its new V.92 dialup modem.

Thirteen years is a long time for any software company to keep a piece of software running. But age is not the key factor here. Since Microsoft is pulling the plug on all Windows XP updates, it is not safe to continue running it. At all. Not on your own computer, not on a computer in the back room.

Windows XP “just works”. Can’t I keep using it a little while longer?

No. When Microsoft cuts off support for Windows XP on April 8th, all users of Windows XP will become targets for hacker attack–more so than ever before.

Up until April 8th, the process goes a little something like this: Microsoft becomes aware of a severe security exploit. Their programmers then create a fix for that exploit and release it to your computer (be it Windows XP, Windows 7, Windows 8) via Windows Updates. Your computer is then protected from that particular attack vector–most likely before it ever becomes an issue.

After April 8th, Microsoft will continue to do the same for Windows 7, Windows 8… releasing patches for all the security issues they find. However, since the patches are no longer released for Windows XP, this gives hackers an “easy alert” system when new exploits are found. They can then download the patch for Windows 7 or 8, reverse engineer it to find the software bug it sets out to fix, and then test Windows XP to see if that exploit exists on Windows XP. If it does, they can create tools, viruses, malware and malicious web code to exploit every Windows XP computer, and there will be next to nothing you can do to protect yourself.

What could they possibly do?

Hackers don’t do what they do just for the fun of it. The most popular motivations involve financial gain or identity theft. If you’re running Windows XP, beginning April 8th it will become progressively easier for hackers to steal your banking information, private company information, lock you out of your online accounts or even destroy all your files (both personal and business) and take over your computer–or worse.

Do I have to buy a new computer?

Realistically, you’re better off buying a new computer. Upgrading your existing computer could cost nearly as much as purchasing a new system, and you’ll still be on the old hardware–meaning chances are you’ll have to replace it soon anyway.

That said, if your computer is reasonably new (say, less than 3 years old), you may meet the minimum specs for a Windows 7, or possibly a Windows 8 upgrade. If you believe your system may meet the requirements, you can use Microsoft’s Upgrade Assistant [Download] to test whether your system can run the current version of Microsoft Windows.

Keep in mind, meeting the minimum (keyword: minimum) requirements does not mean your system will perform well with the new software. Whether or not this is an economically wise course of action will depend on many factors: do you have a current backup of all your files? Does your hard drive perform at the necessary speed or will you need to upgrade to an SSD? Do you have enough RAM and CPU power to perform well? Will your hardware outlive the warranty period of a new system? Do you require a technician’s assistance to perform the necessary upgrades? Will the downtime of the upgrade process affect your business?

Buying a new computer with Windows 7 or Windows 8 already licensed and installed will mean you’ll be covered by the manufacturer’s warranty, and will have newer specs to run the more modern operating system and software which goes with it. Downtime would also be reduced since you can swap out the old hardware for the new and be up and running fairly quickly.

In conclusion…

If you’re on Windows XP, you need to upgrade. Be it the hardware or just the software, something needs to be done. For your safety as well as the protection of your confidential company and customer data, this has to be done before the cut-off date set out by Microsoft: April 8, 2014.

Our technical team would be pleased to provide recommendations for individual computers or entire business networks. We can help ease the upgrade process by providing for all your hardware and software needs with courteous, knowledgeable on-site service.

Call Positive E Solutions Inc. in Barrie, Ontario today to determine the options available to you and your company: (705) 733-0171.

Stay safe!

– Robbie

CryptoLocker malware destroys your personal and business files. Protect yourself with these tips.

As computer and security specialists, we see a lot of viruses and malware. More often than not, removing the malicious code from a computer system repairs the issue. A new ransomware application has popped up, however, that raises real concern: it destroys your data in a seemingly unrecoverable way, and removing the malware simply leaves your files inaccessible with no chance of recovery.

What is it?

CryptoLocker leaves your files inaccessible and unrecoverable.

CryptoLocker is a new and cunning piece of ransomware discovered last month. Its spread is increasing, and we’re starting to see infections in a growing number of unrelated networks here in Ontario.

CryptoLocker needs to be taken very seriously, because it can result in the total and irreversible destruction of all your personal and company files.

What Does It Do?

CryptoLocker places itself on a Windows machine, easily circumventing even the best antivirus protection, at least at the time I write this. It appears to get in by way of an infected web site or possibly an infected email attachment masquerading as a seemingly legitimate file such as tracking data for a courier shipment, a money transfer or other fake electronic money transaction.

Once infected, the malware crawls through all mounted volumes (hard drives, network shares, USB drives, camera cards, etc.) for a variety of filetypes, mostly documents, spreadsheets, PDF files, pictures, etc., and encrypts them. This means the files on your own hard drive, your network mapped drives, and even cloud-based drives are encrypted (destroyed, made unreadable). Because the decryption key is not known, recovery is not an option.

Once the encryption process is complete, the software then launches an application window displaying a message that all your files have been locked, and you must pay the ransom ($300 is common right now) in order to recover your files.

Current, up-to-date antivirus tools detect the trojan and remove the malware, but only after the damage to your files is done. This results in the permanent inability to recover your files.

Perhaps the best way to explain the devastating effects of CryptoLocker is with a couple of fictitious scenarios:

Scenario 1

A small business has a two-drive RAID mirror unit in their server as a form of backup. They have one extra drive, and the system features a removable tray caddy. This allows them to swap one of the hard drives each day and take it off-site.

One staff member was working on the system that morning and received an alert that their data had been encrypted after they opened a suspicious email attachment. They closed the alert and left the room.

The manager arrived an hour later and removed the second hard drive from the array, replacing it with the one they brought from home: their morning routine. The drive rebuilt based on the first drive, which now contains only encrypted data, and now all three drives are corrupt.  All files are lost, including their backup.

Scenario 2

A business office with a shared folder on the server uses that share for all their company data. Every workstation in the office has the share mounted as its Q: drive. This contains Excel spreadsheets, Word documents, PDF catalogues, product pictures and more.

The company feels this is a good way to manage their internal files since it gives all staff access to the files, is a RAID 1 mirrored drive (so if a hard drive crashes, they lose nothing) and it allows them to back up one single folder to the external backup drive on a nightly basis, resulting in the backup of all critical files.

One staff member is wrapping up their shift and quickly uses their computer to search for discounted tickets for an upcoming concert. They do a search in Google and start clicking on all the results to see which one offers the best deal, unconcerned about the fact that they do not recognize even one of the web sites as a reputable ticket source. Unbeknownst to the user, one of those sites is infected with CryptoLocker, which installs itself in the background while they search.

CryptoLocker silently goes through C: and corrupts every document, every spreadsheet, practically every personally-created file. It then finds the Q: drive and gets to work doing the same: corrupting all user files on the network share.

The following morning the user returns to work and finds an alert on their screen saying all files have been encrypted, and they immediately recognize it as being a virus of sorts. They run their virus scanner and it removes the infection without any problem. They go about their day.

All the while, other users on the network start to complain that they can’t access their Q: drive. IT has a look and finds that all files are corrupt and unreadable. They look at the backup drive connected to the server, and it too has been corrupted due to the previous night’s backup. All files are lost, including their backup.

What Can You Do?

If you have already been infected with CryptoLocker and do not have an unaffected backup, unfortunately there is nothing that can be done. It is not recommended that you pay the ransom, nor is there any guarantee that the hacker responsible will actually unlock your files if you do pay (some users have reported having paid the ransom and yet never got their files back).

So it all comes down to preventative measures: protecting yourself from this malware before you get infected.

Backup, backup, backup

I’m not just saying it three times for emphasis. I really mean it: you should have more than one backup solution in place.

Realistically the only true protection against the effects of CryptoLocker and similar viruses is to have a multi-tier backup system protecting the integrity of your files at all times.

Since the files on your drives and network are basically destroyed by CryptoLocker—possibly including your backup—the easiest, safest, and most assured way to recover from an infection should it occur, is by having a detached, unaffected copy of your files.

An off-site backup solution is likely the best option. It means your files are safely stored elsewhere, and if done right, they are stored incrementally. This means if you get an infection and CryptoLocker destroys all your files, and then your backup runs, your good backup does not get overwritten, as would be the case with both scenarios listed above. With an incremental backup, you can in fact restore from days gone by—from before the infection took place.
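The paragraph above is the heart of the advice: a backup that keeps only one copy is overwritten by the next run after an infection, while a versioned (incremental) backup still holds the night before. The following is an added example, not code from the original post or from Positive E Solutions: a tiny versioned backup tool that writes a new dated snapshot on every run, then replays the timeline of Scenario 2 (good backup, infection, another nightly backup, restore). Directory names, file contents, snapshot labels and the "corruption" step are all constructed for the illustration; the corruption stand-in just overwrites files with placeholder bytes.

```python
"""
Added example, not code from the original post: a tiny versioned backup in
the spirit of the incremental off-site backup described above. Every run
writes a new dated snapshot instead of overwriting a single copy, so a
backup that runs after a CryptoLocker-style infection cannot clobber the
last good snapshot. Directory names, file contents and the "corruption"
step are all constructed for the illustration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of a file, used to tell unchanged files from changed ones."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(source: Path, repo: Path, label: str) -> Path:
    """Copy the source tree into repo/<label>/. Files unchanged since the
    previous snapshot are hard-linked to it (the rsync --link-dest idea), so
    each snapshot is complete but only changed files cost new space."""
    repo.mkdir(parents=True, exist_ok=True)
    earlier = sorted(p for p in repo.iterdir() if p.is_dir())
    prev = earlier[-1] if earlier else None
    dest = repo / label
    dest.mkdir()
    for f in source.rglob("*"):
        if not f.is_file():
            continue
        rel = f.relative_to(source)
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev is not None else None
        if old is not None and old.is_file() and digest(old) == digest(f):
            try:
                os.link(old, out)    # unchanged: share storage with the previous snapshot
                continue
            except OSError:
                pass                 # filesystem without hard links: fall back to a copy
        shutil.copy2(f, out)         # new or changed: store a fresh copy
    return dest


def restore(repo: Path, label: str, target: Path) -> int:
    """Copy every file from the chosen snapshot back over the target tree;
    returns the number of files restored."""
    snap = repo / label
    restored = 0
    for f in snap.rglob("*"):
        if f.is_file():
            out = target / f.relative_to(snap)
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, out)
            restored += 1
    return restored


def simulate_scenario_2() -> dict:
    """Replay the timeline of Scenario 2: a good nightly backup, an infection
    that overwrites every user file on the share, another nightly backup that
    runs anyway, then a restore from the pre-infection snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "Q_drive"            # stands in for the mapped Q: share
        repo = Path(tmp) / "backups"
        (share / "accounts").mkdir(parents=True)
        (share / "accounts" / "q3.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (share / "catalogue.pdf").write_bytes(b"constructed catalogue bytes")
        good = digest(share / "accounts" / "q3.xlsx")

        snapshot(share, repo, "2013-11-04")      # night 1: everything healthy
        # Stand-in for the malware: overwrite user files with unreadable bytes.
        # This is constructed placeholder data, not an encryption routine.
        for f in share.rglob("*"):
            if f.is_file():
                f.write_bytes(b"\x00UNREADABLE\x00" + os.urandom(16))
        snapshot(share, repo, "2013-11-05")      # night 2: backs up the damage

        # A single-copy backup (as in both scenarios) would now hold only the
        # damaged files; the versioned repository still has the earlier night.
        restored = restore(repo, "2013-11-04", share)
        return {
            "snapshots": sorted(p.name for p in repo.iterdir()),
            "latest_snapshot_damaged": digest(repo / "2013-11-05" / "accounts" / "q3.xlsx") != good,
            "files_restored": restored,
            "restored_matches_original": digest(share / "accounts" / "q3.xlsx") == good,
        }


if __name__ == "__main__":
    print(simulate_scenario_2())
```

The design point is retention, not cleverness: the second snapshot faithfully backs up the damaged files, exactly as the nightly job in Scenario 2 would, and that is fine because it does not replace the first one. Real off-site services add a retention window (how many days back you can go) and an access model that the infected workstation cannot write to; both matter as much as the versioning itself.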

There are many off-site backup services out there, and I don’t want this to seem like a sales pitch—I genuinely just want you to be safe—so feel free to shop around. But all I ask is that you please include us in your list of companies to check out.  We have a very good, fully encrypted off-site backup service with hosting entirely in Canada.  It can be used in conjunction with your existing backup infrastructure to leverage its effectiveness and further protect your critical data. It’s very affordable for either business or home use, and I can even let you try it for free for 30 days to see if it meets your needs. http://positiveesolutions.com/try-now.php

Enable Volume Shadow Copy

Volume Shadow Copy may help you recover from a CryptoLocker attack if it is enabled on the affected folder prior to the corruption taking place

Windows 7/Server 2008/Vista/Server 2003 have a feature called Volume Shadow Copy. It’s not to be mistaken for a backup, but it is a helpful tool in recovering from this type of infection: essentially a duplicate of the files found on the volumes you chose to have shadowed. In the event of a CryptoLocker attack, your files are destroyed in their original locations, but the Volume Shadow Copy is untouched by the current incarnation of CryptoLocker, likely due to the special permissions required to write to the shadow copy itself. Therefore, following the removal of CryptoLocker, you can right-click on the affected files or folders and revert to an earlier snapshot.

There are a ton of tutorials out there which teach how to enable Volume Shadow Copy, so I’ll avoid making this one of them. We will gladly activate Volume Shadow Copy on our clients’ systems to help reduce recovery time should a CryptoLocker infection take place.

It is a good idea, I think, to enable Volume Shadow Copy at the server level, directly on the volume containing your network share folders. In Scenario 2 above, this would be the RAID 1 which contains the contents of their Q: drives. That way, the shadow copy could be used to quickly restore to a previous set of files. If that doesn’t work, the backup can be used.

Update Flash and Java, But Disable Java in your Browser

I had a discussion with malware expert Adam Kujawa yesterday about CryptoLocker. He mentioned that Java and Flash are two of the main ways this virus is able to enter a Windows system. An unsuspecting user might conduct a search for something in Google, and click on a few links, and one of those web sites could be infected with the distribution mechanism to install CryptoLocker on your system. The recommendation is to disable Java from your web browser (only enabling it when needed), and absolutely keep both Java and Flash up to date.

Keep Your Antivirus / Anti-Malware Up To Date

The instant they release protection for this, you want to receive it. This is not a replacement for my backup suggestion above, but will save you some headaches.

Be Careful What You Click

We have received reports that CryptoLocker infections originated both from infected web sites and emails. It’s tough to ensure entire staff are cautious, but it’s still important for me to mention. If something appears suspect, don’t click it. If you receive an email you’re not expecting, don’t open it. If “your bank” sends you transaction details for a transaction you don’t remember making, don’t click the links. Just be careful what you click. These infections are able to circumvent the antivirus.

Mac and Linux Users

While CryptoLocker does not directly infect Mac or Linux machines at this time, these systems may have network-accessible file shares open to the network or a virtual machine. Therefore if a Windows computer on the network or a Windows virtual machine becomes infected with CryptoLocker, it is possible to lose the files hosted on your Mac or Linux computer (or NAS device).

Cloud Users Beware

CryptoLocker will crawl through and destroy personal files on cloud-based mapped drives such as Google Drive, PogoPlug or DropBox.

Contact Us For Help

We would be happy to discuss your concerns, and what steps can be taken to protect your data. http://positiveesolutions.com/contact-us.php

Thanks for reading, and stay safe!

Robbie

@ESET Anti-Theft transcends the confines of a laptop and could save your jewellery and other valuables from theft.

ESET Anti-Theft is a great new feature of ESET Smart Security 6. As the name implies, ESET Anti-Theft offers protection against the physical theft of your Microsoft Windows device by allowing you to notify your installed ESET Smart Security 6 product of a system being missing.

Let’s say someone steals your laptop computer.  It happens.  It happened to me; someone broke in through our basement door a couple years ago, so I know first-hand that it happens.

With ESET Anti-Theft, you login to a web site specific to this feature, and click on “My Device is Missing”.

From that moment on, ESET will notify you through the special web site of any computer activity that is recorded.  When the thief connects to the Internet to check out their newly acquired hardware, your laptop will take a picture of them with the webcam, and log the approximate location of the criminal by way of sophisticated geolocation technology.

It will even let you post a message to the user.  “Give me back my laptop, you filthy animal”, or maybe it’s a teen living at home, and while his parent is looking at the new system he apparently bought from a friend with the allowance he’d been saving, you pop up a message “This laptop is stolen. Please call 555-5555.”  Boy, oh boy, Jimmy is in trouble.

A customer called me today and explained, “My computer isn’t worth anything really… I don’t care if someone steals it.  How do I disable this feature?”

“I’m happy to show that to you, and it’s very easy to disable.  But let me ask you one thing.  If a break-in happened at your house, yes, they’ll probably take your laptop. It isn’t worth anything notable, as you say.  But will they also take the jewellery? Perhaps the TV and power tools?”

I explained that using ESET Smart Security 6 and its new ESET Anti-Theft feature isn’t just about recovering your computer in event of theft, but all those other items too.

At the beginning of this post I mentioned that I had experienced a break-in at my home.  Talk about a violating feeling.  But we had no way to track the thief down.  The police found no fingerprints, and the place was ransacked.  Yes, they took the laptop.  But they also took our video camera, and an assortment of valuable electronics which could be grabbed easily.  Had I had ESET Smart Security 6 on my laptop, even though the laptop wasn’t really valuable to me, I could have very possibly recovered everything.

Some Friday food for thought.

Have a nice–and safe–weekend.

– Robbie

Why am I receiving virus emails from old friends?

A customer emailed me, puzzled by why they’re suddenly receiving a bunch of virus emails from friends they haven’t spoken to in a number of years.

These types of mass-mail viruses can be very confusing, since they nearly always appear to come from someone you know.

Here’s why and how that happens…

Let’s say someone who you haven’t talked to in a few years (we’ll call him “Bruce”), who is part of the same “circle of friends”, caught a virus. So the virus goes into their address book and starts mass mailing everyone in the address book, and spoofs who it is from.

Bruce’s address book:

  • John
  • Betty
  • Doug

Bruce gets a virus. The virus sends an email to John pretending to be Betty, and an email to Doug pretending to be John.

Doug replies to John and says “You have a virus!” But John doesn’t have a virus; Bruce does.

It’s often difficult or impossible to track down the true culprit, and that’s why it’s imperative that everyone on Microsoft Windows have an up-to-date virus scanner such as ESET Smart Security 6. It is also important on any platform (Windows, Mac, Linux, or even a smartphone) that you be familiar with phishing scams, and be extra cautious about what you open or click.
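The Bruce/John/Betty story above explains that the From line is simply forged. Message headers are not discussed in the post, but they are where a defender can see the forgery: the envelope sender and the first Received hop are written by the mail servers that actually carried the message, not by the virus. The following is an added example, not from the original post; the message, the names, the hosts and the addresses in it are all constructed for the illustration.

```python
"""
Added example (not from the original post): reading the headers of a
constructed message to see why a mass-mailing virus appears to come from a
friend. The message, names, hosts and addresses are made up for this
illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the virus on "Bruce's" machine sends John a message
# with Betty's address in the From header. The Return-Path and Received
# headers were added by the mail servers and still point at Bruce's side.
SAMPLE = """\
Return-Path: <bruce@example.net>
Received: from bruce-pc.home (dsl-198-51-100-7.example-isp.net [198.51.100.7])
\tby mx.example.org with SMTP; Tue, 5 Nov 2013 09:12:31 -0500
From: Betty <betty@example.com>
To: John <john@example.org>
Subject: Re: photos
Content-Type: text/plain

See attached :)
"""


def sender_trail(raw: str) -> dict:
    """Return the visible From address alongside the envelope sender and the
    first hop. A mismatch is a hint to look closer, not proof on its own:
    mailing lists and forwarding services also rewrite the envelope."""
    msg = message_from_string(raw)
    _, visible = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    received = msg.get_all("Received") or []
    # Received headers are prepended by each server, so the last one listed
    # is the earliest hop: the machine that handed the message in.
    first_hop = " ".join(received[-1].split(";")[0].split()) if received else ""
    visible_domain = visible.rsplit("@", 1)[-1].lower()
    envelope_domain = envelope.rsplit("@", 1)[-1].lower()
    return {
        "visible_from": visible,
        "envelope_from": envelope,
        "first_hop": first_hop,
        "mismatch": visible_domain != envelope_domain,
    }


if __name__ == "__main__":
    for key, value in sender_trail(SAMPLE).items():
        print(f"{key}: {value}")
```

Reading the result the way the post describes it: Betty appears in the From line, but the envelope sender and the submitting machine belong to Bruce, so telling Betty (or John) that they have a virus points at the wrong person. Most mail clients expose these headers under a "view source" or "show original" option.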

– Robbie Ferguson

Should you avoid external hard drives that boast built-in encryption?

I got thinking about this question today. Why do hard drive manufacturers add useless hardware encryption to external drives?

“Why, that should be obvious, Robbie; it’s because we are security conscious and want to protect our data from prying eyes,” you say. “And you call yourself a bald nerd!”

First of all, I don’t like your tone.

But second of all, exactly who are we protecting here?

Somewhere inside the chassis of your external hard drive, there is an integrated encryption/decryption chip. It boasts “256-bit AES Encryption”. Wow, sounds safe! So you plug in the drive to your computer, and place your private stuff on there, and feel safe. “It’s encrypted.”

Who is it safe from?


Data leak of Personal Information for 1/2 Million Canadians could have been prevented.

As reported in The Vancouver Sun Friday January 11, 2013, a federal agency in Canada has lost an unencrypted external hard drive which contained the private information (names, social insurance numbers, date of birth) of more than a half million Canadian loan recipients; the very information which can be used in identity theft schemes.