Security

Office 365: Self Service of Distribution Groups

The ability to self-service the creation and editing of distribution groups has been a feature in my Exchange experience for quite some time. Now that I am in Office 365 / Exchange Online this functionality is no longer available for synced groups. This forces the end user to enlist the support department for every modification.

Looking into this to understand why, I’ve learned that if you’re an Office 365 Exchange Online customer and currently use Directory Synchronization (DirSync) between an on-premises Active Directory and Office 365’s Azure Active Directory, you will face this, because the synced objects in Office 365 are read-only and are updated only through the synchronization that has been put in place.

You are even given a little message when you attempt to modify a group: The action ‘Update-DistributionGroupMember’, ‘Identity,Members’, can’t be performed on the object ‘Group Name’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Now that I am aware of this limitation on group modification (the synced objects are read-only), how do I work with it? I have the following two ideas.

One: 

One method is to go old school and use the ‘Find Users, Contacts and Groups’ tool to make the group modification on-premises. However, the computer used must be a member of the domain and, at the time of the change, also connected to the on-premises domain network (internally or via VPN).

Note: After the changes have been made you must wait for Directory Synchronization (DirSync) to complete its sync cycle before they appear in Office 365. This can take up to 3 hours.
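As an added example (not from the original post), this is the scripted equivalent of method one: the membership change is made against the on-premises group, which is the only place DirSync-owned objects can be edited. It assumes a domain-joined machine with the ActiveDirectory PowerShell module, an account allowed to edit the group, and placeholder group and user names.

```powershell
# Added example: edit a synced distribution group where DirSync expects it, on-premises.
# Assumes RSAT / the ActiveDirectory module and a domain-joined machine (as method one requires).
Import-Module ActiveDirectory

function Add-OnPremGroupMember {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,            # placeholder group name
        [Parameter(Mandatory)] [string[]] $MemberSamAccountName  # placeholder user names
    )

    # Fail early if the group does not exist on-premises: trying the same change in
    # Office 365 would only reproduce the "object is being synchronized" error.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties mail
    if (-not $group) { throw "Group '$GroupName' not found in on-premises AD" }
    if (-not $group.mail) {
        Write-Warning "'$GroupName' is not mail-enabled, so it will not appear as a distribution group in Exchange Online"
    }

    foreach ($sam in $MemberSamAccountName) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
        if (-not $user) { Write-Warning "User '$sam' not found, skipping"; continue }
        Add-ADGroupMember -Identity $group -Members $user
        Write-Host "Added $sam to $GroupName (on-premises)"
    }

    # Verify the membership locally. Office 365 reflects it only after the next
    # DirSync cycle, which the post notes can take up to 3 hours.
    Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass
}

# Usage with placeholder names:
# Add-OnPremGroupMember -GroupName 'Sales Team' -MemberSamAccountName 'jdoe', 'asmith'
```

The function returns the on-premises membership after the change so you can confirm it took effect locally before waiting on the sync cycle.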

 

Two:

The second method is to move all Directory Synchronization (DirSync) distribution group objects to Azure Active Directory and make them on-cloud

SOTD: Statement from MARKETING & TECHNOLOGY GROUP, INC.

Another case of Monday morning spam/malware

– message body –

Dear Customer :

Your statement is attached. Please remit payment at your
earliest convenience.

Thank you for your business – we appreciate it very
much.

Sincerely,

MARKETING & TECHNOLOGY GROUP, INC.

– end of message –

 – message also has a file attachment –

docs2015.zip

– inside of the zip file is an executable –

docs2015.exe

Virus Found: Win32/Kryptik.DBCZ trojan

– end –

Please note: The company associated with the domain used for this email may not have any knowledge of it being sent, as it is clearly forged.

The best suggestion is to delete this if your spam / malware / antivirus solution has not already done so.

 

Microsoft Security Bulletin: Windows, IE, Exchange and Office

Microsoft has released its Advance Notification for the December 2014 security bulletins. There will be a total of seven bulletins, three of which address critical vulnerabilities.

The critical updates affect Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008.

The critical updates also affect the Exchange product line as well as Office 2010, Office 2013 and even Office Web Apps.

So it looks like there is a need to patch as soon as these are released.

Don’t forget to patch, and update your MSRT (Malicious Software Removal Tool).

Source:  zdnet

For more info and details:  Microsoft Security Bulletin Advance Notification for December 2014

https://technet.microsoft.com/library/security/ms14-dec

SHA-1 based SSL Certificates are being Phased Out

Hello friends,

The following post is to advise those of you who run public-facing websites that use SSL: Google Chrome will start giving users warning messages when they access sites that use SHA-1 based SSL certificates.

By the way, this is scheduled to start happening in under a month from now. And if you are like me and test SSL on the sites you manage and visit, you will notice that many checkers now flag SHA-1 as insecure and lower your site’s security rating.

What is SHA-1

The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago.

Why change it now?

Well, it’s not new news. SHA-1’s use on the Internet has been deprecated since 2011. However, change across the world takes a bit more time. And with the advancement of computing technology, collision attacks become more practical. So companies such as Google, projects such as Firefox, and Microsoft too, are all sunsetting SHA-1.

What does this mean for me?

This means you need to have your certificates re-keyed through your SSL provider using a certificate signing request (CSR) with a SHA-256 signing hash if you don’t want people to get browser warnings.

But IIS doesn’t offer this?

You are correct, it doesn’t. If you are using IIS, regardless of the Windows OS version (2003-2012), you can only generate SHA-1 certificate requests. So it’s time to embrace the power of Linux, or simply OpenSSL, to get the job done.

So my advice is that you start making the change now, so that you don’t have to deal with the embarrassment of customers and site visitors asking why your SSL-enabled site is reporting warnings.

Warning Example:  This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.

– Jermal

Ref Links:

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

https://blog.digicert.com/what-is-sha-2-and-how-it-affects-you/

Online Tool(s)

Check your SSL Sites – https://www.digicert.com/sha1-sunset/
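As an added example (not from the original post), the following script does the "check your SSL sites" step locally: it connects to each host, reads the served certificate, and flags any whose signature algorithm is still SHA-1, which is the condition that triggers the Chrome warning described above. It assumes outbound TCP/443 is allowed and uses placeholder host names.

```powershell
# Added example: report the signature algorithm of the certificate each of your sites serves.
# Host names below are placeholders; replace them with the sites you manage.
function Get-CertSignatureAlgorithm {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain here: the goal is to read the certificate, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $alg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Algorithm  = $alg
            NotAfter   = $cert.NotAfter
            NeedsRekey = $alg -match '^sha1'            # SHA-1 signed: re-key with a SHA-256 CSR
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Constructed placeholder host list.
$sites = 'www.example.com', 'mail.example.com'
$sites | ForEach-Object { Get-CertSignatureAlgorithm -HostName $_ } |
    Format-Table Host, Algorithm, NotAfter, NeedsRekey -AutoSize
```

This inspects only the leaf certificate the server presents; the intermediate certificates in the chain can also be SHA-1 signed and should be checked with your provider when you re-key. When you generate the replacement request with OpenSSL, the `-sha256` option on `openssl req` selects the SHA-256 signing hash the post calls for.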

Using built in Windows tool to secure wipe free disk space

So you’re working and had to make a backup copy of the CEO’s Outlook data file onto your local computer. After your work on his or her mailbox you delete the backup. Or so you think!

Now we know this isn’t true: deleted files can still be recovered from the free space on the disk.

This is where CIPHER comes in.

Cipher is a command-line tool (included with Windows) that you can use to manage encrypted data. It can also be used to overwrite the free (unused) space on your hard drive.

Let’s get to using it, shall we?

First, open a command prompt as Administrator.

Type cipher /? to list the options and syntax for the command. As you can see there is a lot this little tool can do. More on this another time.

So in my case I wanted to wipe all the free space on volume D: of my Windows system. By typing cipher.exe /w:d <press enter> I am able to wipe the free space and any trace of my CEO’s backed-up mailbox.

Now just sit back and wait until it completes and you’re done. Simple and effective.

Let’s recap

I wanted to wipe the free disk space on my computer so that deleted data could not be recovered.

To do this I opened a command prompt (as administrator)
While in the command prompt typed in cipher /w:d (d being my drive)
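As an added example (not from the original post), this wraps the cipher /w step in a function that performs the checks you would want before starting it: that the prompt is elevated and that the drive exists, plus how long the run took. It assumes a Windows machine with cipher.exe on the path; the drive letter is a placeholder.

```powershell
# Added example: run cipher /w on a volume with the pre-flight checks done first.
function Invoke-FreeSpaceWipe {
    param([Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]$')] [string] $DriveLetter)

    # cipher /w must run from an elevated prompt, as the post says.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) prompt'
    }

    # Confirm the drive exists and report how much free space will be overwritten.
    $drive = Get-PSDrive -Name $DriveLetter -PSProvider FileSystem -ErrorAction Stop
    Write-Host ("Wiping {0:N1} GB of free space on {1}: (three passes, this takes a while)" -f ($drive.Free / 1GB), $DriveLetter)

    $sw = [Diagnostics.Stopwatch]::StartNew()
    & cipher.exe "/w:${DriveLetter}:"
    $sw.Stop()
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe exited with code $LASTEXITCODE" }
    "Completed in $($sw.Elapsed.ToString('hh\:mm\:ss'))"
}

# Usage with a placeholder drive letter:
# Invoke-FreeSpaceWipe -DriveLetter D
```

While it runs, cipher creates a temporary folder on the volume and fills the free space with it, so the drive reports as nearly full until the tool finishes and removes the folder.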

Ref: http://support.microsoft.com/kb/298009

Man-in-the-Middle (MITM)

You are on vacation or spending the weekend at the beach. As usual you’re using your laptop or smartphone. You may be computer savvy, so you don’t let onlookers watch you type your passwords.

But it’s not the people you can see that you need to worry about.

It’s the person watching your network activity: logging every site you visit, your bank credentials, email, home address, contacts (friend lists), and anything else s/he can obtain. The ultimate eavesdropper.

This person’s mission: to steal data from you, and about you. This is the man (or woman) in the middle (MITM).

The man-in-the-middle uses many tools, and exploits security vulnerabilities, to see your data as clearly as if it were on their own screen. More than that, they can see your passwords even when they are dotted out from the naked eye.

The MITM can inject code into your session to redirect you to fake sites, they can even see what you are viewing in real time.

Attackers use non-secured log-ins to apps on your phone and web sites you visit to obtain data about you.

So how do I protect myself from this?

There are many solutions; the best method is to always use applications (apps) on your phone that use secure connections to the services they connect to. This may be a shock to you: many do not, and this is part of the problem.

Always use sites that are secured with HTTPS from start to finish.  Again, many do not, and this leaves you exposed.

If and when possible use a VPN (virtual private network) solution.

This is another form of protection, as your communication is sent encrypted through a network you trust to be more secure than the one you are presently on.

So the best advice I can offer you is:

  • Be aware of the sites you visit
  • Ensure the sites you use are using SSL
  • Be sure the apps you choose to use are using SSL
  • Get a VPN Solution
  • And change your passwords often
  • And don’t use the same password for everything

 

 

How to submit malware / virus to antivirus and malware companies

So you got yourself infected with a virus, and hopefully you got rid of it before it did any serious damage. If it did, you may wish you had something like “CrashPlan” to get your files back.

And while a backup solution is always the best tool for recovery, today we are going to talk about what to do once you have identified a suspected virus or malware component that you want to share so others are spared the same issue.

This fight isn’t just on you; there is a large community made up of experts and everyday people who want to help one another get rid of malware and computer viruses.

Here are a few sites I often submit the little bugs to for review:

For additional tools in scanning and verifying an infected file I often use VirSCAN.org

VirSCAN.org is a FREE online scan service which checks uploaded files for malware using the antivirus engines listed on the VirSCAN site. After uploading the files you want checked, you can see the result of the scan and how dangerous (or harmless) those files are for your computer.

Another Online Scan Tool: https://www.virustotal.com/
By the way VirusTotal is owned by Google

Best of luck to you all, and stay safe

 

Set SharePoint Content Database in Read-Only Mode

This weekend I am working on a SharePoint 2010 to 2013 upgrade.

One of the first steps I will take is to set the databases I am upgrading into read-only mode, to prevent users or automated processes from updating the database during the upgrade window.

Now I could have taken the system offline for this; but that would be simplistic and inconvenient for anyone looking for information. And in IT it’s all about the information now, isn’t it? You can find my steps below.

SharePoint Application Server

  • I first logged into my central administration of my SharePoint Server (SharePoint 2010).
  • Under Application Management, Select Manage content databases
  • Choose your web application and select the database
  • You will notice that there isn’t a place to set this database into read-only mode; however, you do see that its status indicates it is not in read-only mode.
  • Keep this page open, as we will reload it later.

SharePoint SQL Database Server

  • Log into your Microsoft SQL Database Server (or use SSMS remotely).
  • Launch SQL Server Management Studio (SSMS)
  • Connect to the SQL Database Server instance
  • Select the database in question
  • Right click and select Properties
  • Under properties select Options
  • Scroll down to the area that reads “State”
  • You will see Database Read-Only
  • Change the value from False to True, then click OK
  • You will see a notification that it will momentarily disconnect active users.
  • Click OK to continue.

Now you can revisit the SharePoint Application Server, reload the page, and you will notice that the status has changed and the database is in read-only mode.
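As an added example (not from the original post), this is the scripted equivalent of the SSMS "Database Read-Only" switch above, with the verification step built in so you are not relying on the dialog alone. It assumes the SqlServer (or SQLPS) module that provides Invoke-Sqlcmd is installed and that the caller has rights to alter the database; the instance and database names are placeholders.

```powershell
# Added example: set a SharePoint content database read-only (or back to read-write)
# and confirm the state from sys.databases afterwards.
function Set-ContentDatabaseReadOnly {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,   # placeholder, e.g. 'SQL01\SHAREPOINT'
        [Parameter(Mandatory)] [string] $Database,         # placeholder, e.g. 'WSS_Content_Intranet'
        [bool] $ReadOnly = $true
    )
    $state = if ($ReadOnly) { 'READ_ONLY' } else { 'READ_WRITE' }

    # WITH ROLLBACK IMMEDIATE is what the SSMS dialog warns about: open transactions
    # are rolled back and active connections are disconnected so the change can apply.
    $alter = "ALTER DATABASE [$Database] SET $state WITH ROLLBACK IMMEDIATE;"
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $alter -ErrorAction Stop

    # Read the state back rather than assuming the ALTER succeeded.
    $check = "SELECT name, is_read_only, state_desc FROM sys.databases WHERE name = N'$Database';"
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $check -ErrorAction Stop
    if (-not $row) { throw "Database '$Database' not found on $ServerInstance" }
    if ([bool]$row.is_read_only -ne $ReadOnly) {
        throw "Expected is_read_only=$ReadOnly for $Database but got $($row.is_read_only)"
    }
    $row
}

# Freeze the content database for the upgrade window, then release it afterwards:
# Set-ContentDatabaseReadOnly -ServerInstance 'SQL01\SHAREPOINT' -Database 'WSS_Content_Intranet'
# Set-ContentDatabaseReadOnly -ServerInstance 'SQL01\SHAREPOINT' -Database 'WSS_Content_Intranet' -ReadOnly:$false
```

After the call, reloading the Manage content databases page in Central Administration should show the same read-only status the query returned.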

Congrats, if you followed these steps you did it right.

Tech Short: CryptoLocker

CryptoLocker is a type of “ransomware” that encrypts the data on an infected computer so that it can’t be read and then demands payment to decrypt it.

A CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers.

After the initial infection a message is normally displayed to the computer user informing them to pay to gain access to their files.

Normally the targeted files are office documents and photos, as they are deemed very important to individuals.

It targets files with the following extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

When it finds a file matching that extension, it encrypts the file using a public key and then makes a record of the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files

CryptoLocker typically propagates as an email attachment, or it is uploaded to a computer already recruited into a botnet by a previous trojan infection.

To protect yourself you should always keep your systems up to date, be vigilant when opening email attachments and when dealing with sites that attempt to download these infections to your computer.

Most CryptoLocker infections do not require the user to have elevated rights on the machine, as it targets anything the local user has access to.

The only way to recover from being infected is to restore the machine and its files from a clean backup.

I suggest using a real-time backup solution such as CrashPlan for something like this, as it supports versioning and point-in-time restoration.

I also suggest using Malwarebytes Free Anti-Malware to aid in cleanup of the infection; however, this does not give you back access to files that have already been encrypted.

Additional Notes:

CryptoLocker does not need Administrator privileges to run, so don’t think you’re safe just because none of your users are domain/local admins. CryptoLocker.exe is placed in the user’s %appdata% and/or %localappdata% folder, runs under the user’s context and doesn’t require privilege escalation.

What could be done here is to add restrictive policies on the %appdata% and/or %localappdata% folders.

To do this:

  • Open the Group Policy Editor
  • Computer Configuration
  • Windows Settings
  • Security Settings
  • Software Restriction Policies
  • Right click and create new policies
  • Go into Additional Rules

Create new path rules for the following, with the security level set to Disallowed:

%appdata%\*.exe – Security level: Disallowed
%localappdata%\*.exe – Security level: Disallowed
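As an added example (not from the original post), the following script audits a machine for the two points just discussed: it lists the Software Restriction Policy path rules in effect and reports whether the %appdata% and %localappdata% executable rules are present and set to Disallowed, and it checks for the registry key the post says CryptoLocker records its encrypted files under. It assumes the account can read the HKLM policy keys and that SRP path rules live in the standard CodeIdentifiers\<level>\Paths registry location; the script only reads, it changes nothing.

```powershell
# Added example: audit SRP path rules and the CryptoLocker registry marker on the local machine.
$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Basic User'; 131072 = 'Normal User'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    # Each security level is a subkey named by its numeric level; path rules sit under <level>\Paths\<guid>.
    if (-not (Test-Path $saferRoot)) { return }
    foreach ($level in Get-ChildItem $saferRoot) {
        $paths = Join-Path $level.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            # ItemData is REG_EXPAND_SZ; read it unexpanded so "%appdata%\*.exe" compares as typed.
            $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Level       = $levelNames[[int]$level.PSChildName]
                Path        = $raw
                Description = $rule.GetValue('Description', '')
            }
        }
    }
}

function Test-AppDataExeBlocked {
    # Report, for each rule the post recommends, whether a matching Disallowed rule exists.
    $rules  = @(Get-SrpPathRule)
    $wanted = '%appdata%\*.exe', '%localappdata%\*.exe'
    foreach ($w in $wanted) {
        $hit = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -eq $w }
        [pscustomobject]@{ Rule = $w; Present = [bool]$hit }
    }
}

function Test-CryptoLockerRegistryMarker {
    # The post notes CryptoLocker records each encrypted file under this key.
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if (Test-Path $key) {
        $count = (Get-Item $key).GetValueNames().Count
        Write-Warning "$key exists with $count entries; treat this machine as infected"
        return $true
    }
    $false
}

Get-SrpPathRule         | Format-Table -AutoSize
Test-AppDataExeBlocked  | Format-Table -AutoSize
Test-CryptoLockerRegistryMarker
```

Run it on a few workstations after the policy has refreshed; a rule that shows Present = False on a machine that should have received the GPO is the first thing to chase down, and any machine where the marker key exists belongs on the restore-from-backup list described above.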

Also, a message to my fellow systems admins:

If you are smart you will also block all executable attachments, along with zip files, in email. This will effectively reduce the footprint of possible infections via email.

Communicate this with your management.

If they choose not to entertain alternative ways to transfer files, then you can rest assured that you’ve taken the proactive security measures you know, and are confident, are best.

Links:

Ransomware Information Guide

CryptorBit Ransomware Guide

 

Tech Short: Data Encryption

Data encryption is the intentional scrambling of information into an unreadable form until it is later converted back into its original form by the intended recipient.

If you are looking for data encryption tools or information, have a look below:

GNU Privacy Guard – GNU Privacy Guard (GnuPG) is an open-source implementation of the famous Pretty Good Privacy (PGP) encryption.

TrueCrypt – TrueCrypt is a free, powerful, and on-the-fly disk encryption tool. This happens to be my very favorite tool.

Pidgin-Encryption – Pidgin-Encryption transparently encrypts your instant messages with RSA encryption. It’s simple and very secure.