Security

Did Network Solutions Have a Massive eMail Breach?

Not sure, but these past few days gave me some strange indications that something was up on more than my client’s accounts. It all began with his hard drive (the actual hard drive assembly) having a complete failure. All data lost as far as regular recovery methods go; this is one where the drive has been sent to a specialist who can possibly bring a dead drive back to life. Lesson all too well learned: Have backups.
Net impact of the failure of the drive: Time to upgrade to a new computer that supports RAID 1 (mirroring), so there is a completely redundant drive in place at all times. Next, reload Windows 7 and all the programs. Run updates (over 200 of them) and, from a drive replaced last summer, get as much data as possible to use as a jumping-off point. Done!
Now: Set up Outlook 2010 and configure it for the emails. After digging out the server settings, they are there and the “Test Account Settings” are working. Check the Inbox. Nothing. Look in the Sent box. Nothing. Rinse, wash, repeat. Nothing, nothing, nothing. Of course, I checked, double checked and triple checked. Mail was coming in to Outlook, but the odd thing was a regularly sent email would appear to process through and show in the Sent box after moving via the Outbox, but no one was receiving anything. Set one of the accounts up on a separate computer. Same results. Disabled all the security systems in case I had a firewall issue in the new installation that might be blocking ports I had opened before. Still nothing. Swirling all around this were other things to get the business back to full capability. At the end of the first day, I hadn’t figured it out, but I still believed it was on our end.

Day 2 came and, in between the rest of the work to get moving forward, I had time to pick up the phone and contact Network Solutions’ email support provider, Webs.com. The tech and I checked the settings and verified the account testing built into Outlook was working. He “reset the server.” Told me to wait about 15 minutes, then try again. I did… same results.

Day 3: Convinced it wasn’t me causing the problem, we contacted the support line. This time I went to the web-based mail and was able to send and receive mail without problems. After some discussion of the settings, the testing, the POP3 accounts (about 20 minutes), the tech said the email accounts were suspended. Of course I wanted to know why, but, since I wasn’t the account owner, they said they couldn’t discuss it with me. Unfortunately, the owner was out at meetings, unable to get on the phone. I hung up and called later. One of the interesting things greeting me as I began the wait on hold was an announcement that if you’re using the web mail, your server might periodically go down and to try logging back in. Interesting. So not only am I having issues, it sounds like someone else is. In this session, the tech told me that the passwords for the email accounts weren’t strong enough (from a security standpoint) and they had to be changed. Good reason to do so anyhow, so I did, following the direction to use at least one capital, one number, and one special character and have a length between 8 and 14. I did so, told the tech it was done and he said he’d lift the suspension, but had to call me and verify the account administrator was who he had been talking with (I had been added to the account by now). I told him I wasn’t at the office (since I had gone home) and asked if he had the number (assuming caller ID got recorded). He acknowledged, hung up and my phone never rang.
About 20 minutes later, I checked the main email account for incoming and there was one, saying no one answered the phone for validation. The number listed in the email was the office line. First I went to log back into the management account and a warning came up on the screen saying account management wasn’t available and to try again in about an hour. Seems to me like more significant technology issues.
I called and the greeting message was that they were doing an emergency server replacement. This was the global message on the support line, before it even took you to the push-this-number prompts, so now I sense something is amiss. Add to this that the time from the earlier call to this one was about 4 hours. I gave up, it being about midnight by now.
Got up early, picked up the phone and called the support line, after logging in to manage the account. This time there was no warning about the management function being down, so in I went. I will admit I was, let me say, terse with the tech who answered. I rapid-fired the problem that began, the steps that had been taken and the disconnect from the evening before, and added that it was now the fourth day of my client not being able to use the mail accounts, which were paid for and receiving. The answer was the password had to be strong when the scanners checked it, otherwise it couldn’t be unsuspended. I responded that the passwords had been changed last night, then summarized the correct implementation of their guidelines, and clearly stated they had suspended the accounts with no notice to the client, and now had kept him offline for 4 days. At that point she said she would lift the suspension, and it should be cleared in about 10 minutes. She added a warning that if the scanners saw it didn’t meet the specs, it would suspend them (note: automatically) again.
Analysis from my intelligence-gathering training:
Network Solutions, for some reason, most likely as another barricade to email accounts on their servers being hacked into, has instituted an automated process to ensure email account passwords meet a minimum security standard. I agree. What bothers me is the client had no notice from them when the automated system injected itself into the process.
Network Solutions was making emergency replacements of servers, telling me either a major physical disaster happened (fire?), or they had been compromised so badly, they had to take them offline.
The observed issue of the notice that if you’re using webmail, you might be logged off, combined with the emergency server replacement tells me the issue happened in the email department.
I did a search as soon as I got off the phone this morning, after checking the unsuspension. No indication of a breach at Network Solutions, but… it sounds like something happened; for a company that size to do this, something happened for sure.

Malware and Virus attacks get more “life-like”

I spent a few hours pulling a serious malware infection, actually a set of 8 different ones, off a client’s main system yesterday. He contracted the mess at 5:40 PM last Monday.

My contention that these attacks are getting more “life-like” is based on the manner in which he identified the moment of problems: He has a major customer and he ships mountains of product to them via UPS. On Monday afternoon (consider what else was going on in the post-Christmas days at UPS), he received an email indicating an updated delivery status for his UPS shipment. His comment was it appeared to look very much like others he had received via the major customer, so he clicked on it. He said it didn’t have fancy graphics, but it certainly was a detailed-looking email, not a one-liner with a link.

It also reminds me of the 1-3 emails a day I get at one of my other blogging addresses, which some scraper obviously picked up off that site. They tend to be advertisements, but they are mixed in with emails saying my accounts at (fill in the banking institution) are suspended, blocked, etc. Some of them actually are all dressed up with HTML graphics layouts, too. I stay away, but then I deal with this daily. For others, like my client, when one comes that makes sense to their work flow/life/personal business/social networking, there is a likelihood they will allow the malware in, and their firewalls may not stop it.

For the user: You have to be wary of things that look kinda true, but something still tells you it’s not kosher; look closer before clicking.

Be careful out there and practice safe computing!

For you techs, looking how to get rid of this:

Anyhow, it really embedded itself within his system, flagged as a Win32 password stealer by Microsoft Security Essentials. The good news: early Tuesday, I convinced him to take the rest of the year off and reward himself for a great year, and I’d be over Thursday morning (since the malware would allow a network connection for a few moments, then cut it off, a remote session was out of the question).

I used MalwareBytes, Microsoft Security Essentials, Kaspersky TDSS Root Killer and old-school digging through the entire registry, after seeing the names in the user AppData Roaming and Local folders under nonsense random-lettered .exe files and folders.

I called this one a “repeater,” as MSE would identify it, clean it, then it would fire itself back up about 30 seconds later. I would see 8 different startup program listings named BitNefender 2016, turn them off, and they would be back, activated on the next reboot. Interestingly enough, searching for that name in the registry never found anything, even after several tries.

It was searching for the keys and values in the registry and manually deleting them that, in combination with the MSE and MalwareBytes scans, finally got things working normally, including restoring a constant network connection.
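The two tells described above, several autorun entries sharing one display name and each pointing at a random-lettered .exe under the user's AppData folders, can be turned into a quick triage check. This is an added example, not the author's own tooling; the autorun entries are constructed sample data (the `SAMPLE_AUTORUNS` list, with hypothetical user and file names), and the randomness heuristic (entropy plus vowel ratio) is an assumption that a real sweep would tune.

```python
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample autorun entries (display name, command line), modelled on
# the pattern above: one display name repeated across entries, each launching a
# random-lettered .exe from the user's AppData folders. Names are hypothetical.
SAMPLE_AUTORUNS = [
    ("BitNefender 2016", r"C:\Users\bob\AppData\Roaming\qzvxkt\qzvxkt.exe"),
    ("BitNefender 2016", r'"C:\Users\bob\AppData\Local\hjwpdlx.exe" -s'),
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

def shannon_entropy(text: str) -> float:
    """Bits per character; a string of distinct random letters scores log2(len)."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def executable_of(command: str) -> PureWindowsPath:
    """Pull the launched .exe out of a command line, dropping quotes and arguments."""
    match = re.match(r'^\s*"?(.*?\.exe)', command, re.IGNORECASE)
    return PureWindowsPath(match.group(1) if match else command.split()[0])

def looks_random(stem: str) -> bool:
    """Heuristic (assumed thresholds): lower-case letters only, few vowels, high entropy."""
    if not (stem.isalpha() and stem.islower() and len(stem) >= 5):
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in stem) / len(stem)
    return vowel_ratio <= 0.2 and shannon_entropy(stem) >= 2.3

def flag_suspicious(entries):
    """Return (name, exe path) for entries running a random-named .exe from AppData."""
    flagged = []
    for name, command in entries:
        exe = executable_of(command)
        parts = [p.lower() for p in exe.parts]
        if "appdata" in parts and looks_random(exe.stem):
            flagged.append((name, str(exe)))
    return flagged

def duplicated_names(entries):
    """Display names that appear more than once, like the repeated 'BitNefender 2016' listings."""
    counts = Counter(name for name, _ in entries)
    return {name: n for name, n in counts.items() if n > 1}

if __name__ == "__main__":
    for name, exe in flag_suspicious(SAMPLE_AUTORUNS):
        print(f"SUSPICIOUS  {name!r:22} -> {exe}")
    print("repeated names:", duplicated_names(SAMPLE_AUTORUNS))
```

On a live machine the entries would come from the Run keys and the Startup folder (for example via Sysinternals Autoruns), and anything flagged should be quarantined rather than just disabled, since the repeater re-enabled itself on reboot.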

Your Digital World is a complex place, really.

The weekend was interrupted by a call from a client whose computer wasn’t booting. A little bit of over-the-phone troubleshooting indicated the hard drive was possibly toast, or maybe just some settings at the basic computer system level had gotten altered. I hoped for the former, but prepared for the latter.

Luckily, the client’s laptop is the same as mine, and can use my restore DVDs. That was the first major hurdle. If the drive was, in fact, non-functional, even the factory restore partition was out of the question. DVDs to the rescue!

Next, I grabbed a utility program that does some heavy lifting for data recovery, so long as the drive has any ability to be detected by the computer.

A 500GB laptop drive was in the spare parts drawer, matching the size of the potentially dead one.

The “tool box” backpack always has the USB external drive adapter, so it was a matter of grabbing my two working backpacks and heading to the client’s office.

Upon arrival, it quickly became apparent that the hard drive had had a failure that didn’t let it move the read heads into position. Because I’ve listened to literally tens of thousands of drives being tested, I knew wishing it worked and trying over and over to boot, hoping it might come up one more time, was a waste of anyone’s time.

I pulled the bad drive, put in the spare 500GB and began a factory restore. That went fine, seeing as how I had taken the time to burn a set of restore DVDs. Pretty much every computer comes like that these days, and rarely do I find users who have heeded the nag screen to do it as they finish the set up on their new system. If you don’t, then, if you need your system back today, you’re reasonably certain to have to spend a bit over $100 for a copy of Windows 7 Home Premium. More if you have Professional installed.

After getting through the standard Windows new installation set up, we were now faced with re-installing programs. This is another tough point: Many people can’t remember where their CDs/DVDs are. Also, it’s more common to pay for and download programs right away. If you don’t copy them off your hard disk before such an event, many places limit the time you can return and download the copy at no charge, usually 30 days from what I’ve seen, unless you pay a fee to have access for a year or more. You need to look around and make sure, especially for the programs you need for your business (QuickBooks, Office, Outlook, etc.), that you have the originals and the key codes for them in a safe (and rememberable) place.

The client had the installed programs, so we went right to work restoring those.

Next was data recovery. Having both an online backup system (Digital Life Boat) and a 500GB Seagate external drive provided a way to recover most of the data. It was time consuming, just to grab the Outlook mail files and the basic financial records, but that got the client back to work.

Today I called and we began digging into the files in the cloud and on the backup external drive, which brings me to the title of the post: It really is a detailed thought process you have to go through to make sure you really back up your data. While they had ensured the .pst files for Outlook were on the list, they had a large, large folder of records, dating back far enough to when the computers in use for this client were running Windows 3.1. The folder holding a massive number of Word documents, many of which are searched regularly, had been kept at the top level of the hard drive, and never moved into the user document folder area, which began to be a part of digital life with Windows 95. Here’s the bad news: Consumer-based backup programs are generally useful for the very basic computer user, and you will see your pictures, videos, music and documents, and usually the items on your desktop, all assumed to be what to back up. Things like the Outlook .pst files, profiles for Firefox browsers, and, as in this case, a folder of data sitting outside of the Documents and Settings or User folders are not looked at. You must ensure you figure out how the backup system you use will see and back up those files that are important at any level to you. That hadn’t happened.
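The gap described above, a backup set that covers the standard profile folders while silently missing the .pst file, the browser profile and a records folder at the root of the drive, can be checked before the drive dies rather than after. This is an added example, not the author's or any backup product's code; the default include list and the critical file paths are constructed sample data with hypothetical user and folder names.

```python
from pathlib import PureWindowsPath

# Constructed sample: what a typical consumer backup program selects by default
# (the standard profile folders) versus the files the business actually depends on.
DEFAULT_BACKUP_SET = [
    r"C:\Users\alice\Documents",
    r"C:\Users\alice\Pictures",
    r"C:\Users\alice\Music",
    r"C:\Users\alice\Videos",
    r"C:\Users\alice\Desktop",
]

CRITICAL_PATHS = [
    r"C:\Users\alice\Documents\Invoices\2012-12.docx",
    r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.pst",   # Outlook mail store
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\places.sqlite",
    r"C:\RECORDS\1994\contract.doc",   # legacy folder kept at the top level of the drive
    r"C:\Users\alice\Desktop\todo.txt",
]

def is_covered(path: str, backup_roots) -> bool:
    """True if path is one of the backup roots or lies beneath one.

    PureWindowsPath compares case-insensitively, matching NTFS behaviour, so
    C:\\records and C:\\RECORDS are treated as the same folder.
    """
    target = PureWindowsPath(path)
    for root in backup_roots:
        root_path = PureWindowsPath(root)
        if target == root_path or root_path in target.parents:
            return True
    return False

def uncovered(critical, backup_roots):
    """Return the critical paths the backup set would silently miss, in input order."""
    return [p for p in critical if not is_covered(p, backup_roots)]

def suggested_roots(missing):
    """Propose one extra include root per missed file: its parent folder."""
    return sorted({str(PureWindowsPath(p).parent) for p in missing})

if __name__ == "__main__":
    missed = uncovered(CRITICAL_PATHS, DEFAULT_BACKUP_SET)
    for p in missed:
        print("NOT BACKED UP:", p)
    print("add these include roots:", *suggested_roots(missed), sep="\n  ")
```

Feed it the real include list from the backup program and the paths of the files you would need on day one after a failure; anything it prints is the folder that will be missing when the drive fails.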

Ensuring your mission-critical documents, programs and operating system information are safeguarded against catastrophe is something well worth spending some money on with an experienced consultant who has had to deal with real-world information safety, not just a tech who knows how to install a basic backup program and tell you it’s running. The difference is one will look over your equipment and tell you to back it up; the other will ask what information you use, which programs are crucial to your business, where the information is stored, and where it is backed up. The answers you give will allow them to provide a coherent and effective answer to help you protect the business you’ve built.

The good news, while not all that good, is many of the most recent files needed are still in the email files as attachments, so the current projects can continue reasonably smoothly.

The bad news is, there isn’t an archive to go dig in to pull old data forward, which, in the client’s industry is a valuable thing.

We can take the almost dead drive to a data recovery service, and I know, without asking for a quote, it will be very expensive. As I told the client, you need to make a business decision as to the approximate value the many Word files are to you, so that can help make the determination to go forward with exacting, laborious data recovery, or whether it’s more cost effective to just begin rebuilding from what has been recovered and go from there.

Very much like the cost of insurance: Can you afford a few hours of consulting time more than you can a drive recovery for several thousands?

Concerned you’re not covered? Call your technical business consultant and ask for an assessment to ensure you are, or to make sure you get that way.

Do you have a strong password? Do you use it a lot?

Here’s the reality of our digital lives: We have lots of online accounts and they need passwords. Many people use ones that are easy for them to remember, and tend to use sometimes only one.

How does that affect you? Well, think about this: Once “they” get the one, then your life can be laid wide open to those interested in digging further. Since it’s not uncommon for sign-ins to be your email address… someone (or a programmed crawling robot) could just travel the known email universe and common places like Facebook and give it a whirl with your email and a common, made-once, used-always password of yours.

That’s bad enough, if you are in this category, but even if not, there is now an article that brings to light that the technology that allows gamers to get really life-like graphics, and scientists to explore climatology, cancer, and signals from space, is also being exploited by hackers.

I invite you to take this introduction, read the Ars Technica article “Why passwords have never been weaker—and crackers have never been stronger,” and keep reading it until you are sufficiently convinced you need to take action to protect yourself by putting some effort into your password selections.

Yes, this will take some mental energy, and changes to your daily digital operations, but… I’m sure you wouldn’t want to wake up to a screen full of mail indicating your email has been exploited and your bank accounts have been emptied, etc., etc., etc.

Please help protect yourself!