Cerrado

After several months of somnolence, I figure it's time to wake up my blogs. This will be my last post to Extension 437, since I left CompuMentor at the end of 2005 to work for myself. Keep in touch with what I'm up to on my technical blog, Tangled Cables.

News from Baton Rouge

Almost a week ago I was deployed to Baton Rouge, Louisiana, by the American Red Cross as a disaster relief volunteer. For the first few days I provided logistical support and muscle on the loading dock at the River Center shelter.

I would like to add that since 100 recycled computers (complete with MAR stickers) arrived a couple of days ago, I have been working with the Communications and the Welfare Inquiry departments at the River Center Shelter.

Communications provides support to Red Cross disaster operations, and in recent years has also become the IT department in the field. In situations like the one I am attending to, Communications also provides telecom services to the shelter residents. We are setting up a PC lab and we are looking into offering voicemail boxes for the residents.

Welfare in

I am providing project management support and technical support

--
Zac Mutrux

CompuMentor's Healthy and Secure Computing Campaign
"Because you can't save the world if you can't open your email."
http://www.compumentor.org/hsc/

SFNTUG June Meeting

General

PC Power and Cooling is the ultimate resource for old power supplies and parts.

Doug has a garage full of Exchange Server 2003 Administrator's Companion books from Microsoft Press. Normally around $60, he's offering them for $20. E-Mail info@sfntug.org for more info.

Calltower offers a hosted PBX service, but the fellow who mentioned it said their pricing structure seemed aimed at smaller organizations.

The Cisco users' group in the East Bay is supposed to be good. I may check it out.

Software

Kern Sutton gave an extensive demonstration of Windows Sharepoint Services and Windows Sharepoint Portal Services. I have notes from that if you're interested.

Eval copies of Virtual Server 2005 were handed out. I didn't get a copy, but it sounds intersting. Apparently you can get an entire test environment preloaded. I didn't get the details on that.

Microsoft CRM offers nifty interoperability with Cisco Unity/Callmanager, such as a window pop upon receiving a phone call.

Mindmapper was demonstrated. It can export the result of a mindmapping session to Word as an outline, among other features.

MyWallop.com was mentioned. It is experimental blogging, file sharing, social networking software from Microsoft.

Service Pack 2 for Microsot Exchange Server 2003 is coming. One chief enhancement is that it will increase the storage limit for Standard Edition to...uh...something big.

 Security

Microsoft Baseline Security Analyzer is looking for beta testers for v. 3.

Richard Lindberg announced a Grey Hat security conference in San Francisco. SFNTUG members can get a discount.

Mark mentioned that Symantec is offering a free download that adds antispyware capability to Norton Antivirus. I think he was referring to SAVCE. The downloads are only accessible if one has a support contract. Do note that an existing installation of the antivirus software must be uninstalled before deploying the update.

There is a Security Symposium at UC Davis this month. The registration fee is only $85--seems like a great value.

Anatomy of a blended threat

Trojan.Ascetic.C

This is the first virus I have had to deal with at a Scheduled Support client.

It is a good example of a blended threat--that is, it's not a hacker, not a worm but a little of both. Here's how I think it worked at my client:

Part 1: Vulnerability is created.

1. Hard drive crashes on PC.
2. Office manager replaces hard drive and reinstalls Windows along with any needed applications--except for antivirus software.

Part 2: Security incident occurs.

1. Some time later user receives spam-type message, possibly innocuous-looking, possibly purporting to be from a friend.
2. User clicks through to the Web site linked from the email. Web site exploits a vulnerability in IE to install a trojan horse spam engine on her PC.
3. Constituents, board members, staff, receive tons of spam messages from PC. Complaints flood in.

Part 3: Response to security incident.

1. Office manager spot-checks computers and discovers this one does not have anti-virus software.
2. She tries to install the anti-virus software from the installer located on the server, but could not because she was confused by the options in the installer menu.
3. She uses the free online Trend Micro online virus scan, which consistently mis-identifies the infection and declares each time that it has been removed.
4. Upon installing SAVCE and running a scan, no virus is found. But we're still suspicious.
5. Using Autoruns from Sysinternals we check the programs that are set to start up automatically and find one that looks legit but is not. The process cannot be killed from the Task Manager.
6. Removing the autorun from the list and restarting kills the process (pskill.exe from Sysinternals would also do it).
7. Now running the scan with SAVCE locates and quarantines the virus.
8. Now that we know what the virus really is we're able to get more information from the Symantec Web site.
9. We discover that the trojan normally would have made some changes to the HKEY_LOCAL_MACHINE portion of the registry, but since this user (like most of the people on networks I administer) did not have admin rights on her computer, those entries were not created. For all the good that did. But it still is a good example of why I recommend users run with reduced rights.

Part 4: Remediation of security measures

There are a few things that could be done to prevent a recurrence of an incident like this.

1. Regular audit of anti-virus installations to ensure complete coverage.
2. Implementing a filtering web proxy (such as Websense) to prohibit visits to malicious sites.
3. Improving the security of Internet Explorer through Group Policy, or moving to a less-targeted browser such as Firefox.
4. Behavior modification and training for end users to reduce liklihood of clicking through to malicious Web sites.

We'll try to implement the first one. Whether the other steps are taken or not is up to the client.

Verizon Foundation - Resource Center

The Verizon Foundation has launched a new web site to help nonprofit organizations be more effective in their communication, fundraising, evaluation, and use of information technology.

Link: Verizon Foundation - Resource Center.

Welcome to Fundable — Fundable

This new online service facilitates collective fundraising. Pretty darn neat.

Link: Welcome to Fundable — Fundable.

Desktop Security article at Microsoft

Microsoft offers a TechNet article on managing desktop security.

"Set up a digital defense that will help you enhance the security of a primary gateway to your company: its desktops. Find information on how to better protect your company's desktops against external and internal threats."

Link: Desktop Security.

CryptBruce Schneier on Safe Personal Computing

Bruce offers an intimidating list of challenges faced by home users. Comments by other readers offer further insight:

"I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually "Nothing; you're screwed." But it's really more complicated than that."

Link: Crypto-Gram: May 15, 2001.

Heller's "new Paradigm" for conferences

Gregory Heller says "enough with the sessions!" (my quotes, not his). Surely this is inspired by our fantastic experience at Penguin Day New York. The way Gunner and Katrin set up Penguin Day, it's all about building connections with peers--and isn't that the main reason people go to professional events anyway? I agree with Gregory. I'm in favor of giving the keynote the axe altogether.

Link: A new Paradigm for the tech conference - Gregory Heller.

Free security training from Microsoft

Microsoft is offering free training on how to use their products in a secure fashion. Both online clinics and hands-on labs are available.

Link: Security Clinics & Labs.