09.2.2011

Latest Security Alert

Yesterday, one of our clients received an email claiming to be from the Federal Trade Commission. The email carried the FTC logo, said a fraud complaint had been filed against his company, and told him to download a .pdf of the complaint from a link at the bottom of the email. Both the link text and the displayed sender address contained ftc.gov. There were no obvious signs that the email itself was a fraud.

This client clicked on the link, but instead of getting a .pdf document it wanted to install a screensaver. The client wisely chose not to run the program, but when he logged on to his bank this morning he got a pop up with the bank logo asking for basically all of his financial information. He called his bank and they confirmed it was a fraud.

It is our belief that the two events are related. When the client clicked on the link in the email it installed a Trojan virus even though he declined to install the screen saver, and the virus ran when he logged on to the website of his bank. Because the infection might have also captured his logon name and password for the bank, we advised him to change his password and call his bank to inform them that his account may have been compromised.

This is a classic phishing scheme. This kind of scam depends on presenting something to you that will make you act before you can question the authenticity of what you’re seeing. We’re alerting you to this threat specifically because of the effectiveness of the bait, and because of the potential for serious damage even if you don’t install the program it presents to you.

If you receive an email from the FTC saying a fraud complaint has been made against your business, do not click on the link in the email. Delete the email immediately.

The best defense against this kind of scam is skepticism. The email looked official, but it did have some signs that something wasn’t right. The body of the email didn’t include the recipient or his company by name. The salutation was “Dear business owner” and the complaint was against “your company”. Also, no legitimate government or law enforcement agency would notify you of an investigation by email. Finally, if you hover your cursor over any link to download a file or go to a webpage, a small box will appear showing the real address and file name in the link. In this case the link was to a website with a foreign domain, and the file was not a .pdf.

Also, and we can’t stress this enough, if any site asks you to enter personal information like your Social Security number or a credit card number, call them and confirm the site is legitimate before continuing. If they tell you it’s not, your computer has been infected and you should call us immediately.

08.16.2010

Fake Antivirus Removal Tips

The battle against the fake antivirus programs has intensified in the past few months, and unfortunately there’s no end in sight. Blair Fritz, ForthPhaze Support Specialist, cleaned up an infection this week on an XP system, and we thought it might be interesting to explain the process we use to fix these infections.

1. The first thing we have to do is stop the part of the attack that prevents installing or opening programs on your system. There are a couple of ways to go about this. The easiest way is to open the Startup tab in msconfig (Start/Run/msconfig) and find the part of the virus that loads when you start your computer. The entries on the Startup tab can be cryptic, but there are two ways to tell which is the bad program. Under the Command column, look for any entry that points to C:\Documents and Settings. Legitimate programs will be installed in C:\Windows or C:\Program Files. Anything that loads out of C:\Documents and Settings should raise a red flag. Another marker is a Startup Item name that’s just a random collection of eight letters and numbers. If you find these, uncheck the box next to each one, click Apply, then restart the computer.

If you have a simple infection, this will stop the program that was blocking your other programs. If it doesn’t work, plan B is to restart the computer again but this time press F8 while the computer is restarting. This will load the Windows startup option page. Select Safe Mode with Networking and press enter. Safe mode only installs the basic Windows components and drivers, no add-on software is installed and this stops the infection from loading most of the time.

If this doesn’t work, you’ll need to run a program that kills the blocking program from the desktop. We are huge fans of a program called rKill. Download it on an uninfected computer (only from that page!) to a thumb drive, copy it to the desktop, and then double click to run it. It might take a few minutes to complete, but when it’s finished you should be able to open all the programs on your computer that you weren’t able to open before.

One important note: Once you get to this point, do not restart your computer or you might go back to square one.

Now that we can open programs, it’s on to step two…

2. This one is short and easy. We need to make sure we can get to the internet. Open your web browser of choice. If it connects to your homepage and you can get around the web, you’re ready for step three.

If you can’t get online, the infection has tried to redirect your connection to the web. Fortunately it is an easy fix. Open the Control Panel and click Internet Options. Under the Connections tab, click the button for LAN Settings, and then uncheck the box for “Use a proxy server for your LAN.” Click OK to exit and restart your browser; it should open on your home page and you should be able to visit any website.

3. Now we’re ready to install the software we use to remove the virus from a system.

We use three different programs. The first is Combofix. (Again, only download it through that page.) It’s an amazing virus and malware removal tool. Download it, and double click it to run. There will be a pop-up screen warning that it might conflict with your antivirus program, but we always click to continue and have never had a problem.

Combofix will ask to install Microsoft’s Windows Recovery Console as part of its installation. Let it. This is an add-on that should be on every Windows system by default. After that, just let Combofix run. Depending on the infection it might take up to a half-hour to clean the system, and you might be prompted to reboot. (If so, return to safe mode by pressing F8 like before.) When Combofix is finished it will generate a text report that is going to be gibberish unless you’re a security specialist. Don’t worry about it.

The second program we use is Malwarebytes Anti-Malware, or MWB for short. We use MWB as part of a virus infection repair to double check for infections, but it’s really good at removing tracking cookies and other spyware that everyone gets on their computers. Running MWB every couple of weeks is a great habit to get into.

We do a full system scan with MWB after running Combofix. In almost all cases it comes back clean, but there have been a couple of times when it’s found infections that were missed by Combofix.

You can remove these with MWB, but infected files showing up in MWB after Combofix has always meant a deeper infection in our experience. If you delete them with MWB, the infection will probably return the next time you restart your computer.

The fix is in a good antivirus program. We have become big fans of Microsoft Security Essentials for home users. It has yet to let us down on cleaning up an infected system, even when Combofix didn’t work, and it’s tested very well on preventing infections.

You might be wondering, if Microsoft Security Essentials is so good then why not skip Combofix and Malwarebytes and just install MSE? It comes down to time. It takes us less time to use Combofix and MWB to clean up a system, and then install MSE (or AVG Network Edition for our business clients) for future protection. Even when we have to use MSE to clean up an infection, we still do a second scan. It’s not clean until you have a clean scan.

4. The final step is doing what you can to prevent another attack.

Use a comprehensive antivirus program. We recommend Microsoft Security Essentials for home systems and AVG Network Edition for business networks.

Make sure your system has the most recent Microsoft, Adobe and Sun/Java updates installed. It’s hard to use a computer without Adobe Acrobat Reader and Flash, or Sun’s Java, but all three have been the source of security problems. Keep them updated.

Set your browser to block all pop ups. Firefox and Google Chrome have this setting by default, but it has to be changed on Internet Explorer through Tools/Internet Options/Privacy. Make sure the box for “Turn on Pop-Up Blocker” is checked, then click the Settings button and change the Blocking Level to High: Block all pop ups.

You can use the browsing history to see which site you were at when you got the infection, but it’s not going to be a lot of help in preventing a future infection. These attacks come from a pop-up ad. Most websites use third-party companies to sell and place ads on their site. The ad brokers scan submissions for viruses, but the virus writers get around this by creating an innocent looking fake ad that opens a pop up window when the page loads or you roll your mouse over it. The virus is in the pop up window, and this is beyond the control of the web site and the ad broker. The best defense is a good antivirus program to stop the program before it loads on your computer and setting your web browser to block all pop ups.
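The step 1 and step 2 checks above, run from a PowerShell prompt instead of the msconfig and Internet Options dialogs. This is an added example and not part of the original post; it assumes PowerShell 2.0 is installed on the XP system, and it only reports what it finds so you can disable the entries in msconfig as described.

```powershell
# Added example (not from the original post): applies the step 1 and step 2 checks
# from PowerShell. Assumes PowerShell 2.0 on the XP system; the paths and registry
# keys below are the standard Windows locations.
$ProfileRoot = 'C:\Documents and Settings'   # XP profile root named in step 1
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousStartup {
    param([string]$Name, [string]$Command)
    $reasons = @()
    # Marker 1: legitimate software lives under C:\Windows or C:\Program Files;
    # anything launched from a user profile should raise a red flag.
    $exe = $Command.Trim('"')
    if ($exe -like "$ProfileRoot\*") { $reasons += 'loads from a user profile' }
    # Marker 2: a startup item name that is just eight random letters and digits.
    # Requiring at least one of each cuts down on false positives from real names.
    if ($Name -match '^[A-Za-z0-9]{8}$' -and $Name -match '\d' -and $Name -match '[A-Za-z]') {
        $reasons += 'random eight-character name'
    }
    return ,$reasons
}

# Step 1: list every Run/RunOnce entry and flag the ones matching the markers
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc. added by the provider
        $why = @(Test-SuspiciousStartup -Name $p.Name -Command ([string]$p.Value))
        if ($why.Count -gt 0) {
            Write-Output ("SUSPECT  {0}\{1} = {2}  [{3}]" -f $key, $p.Name, $p.Value, ($why -join '; '))
        } else {
            Write-Output ("ok       {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}

# Step 2: the "Use a proxy server for your LAN" box is the ProxyEnable value here
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    Write-Output ("Proxy is enabled ({0}); clear it if you did not set it yourself." -f $inet.ProxyServer)
    # Equivalent of unchecking the box (uncomment to apply):
    # Set-ItemProperty -Path $inet.PSPath -Name ProxyEnable -Value 0
} else {
    Write-Output 'No LAN proxy is set.'
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; each SUSPECT line names the msconfig Startup Item to uncheck.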

If you have tried doing the above steps but are still having trouble cleaning up the system, or you are uncomfortable performing any of these tasks, feel free to contact us. We are here to help! (and our rates are not as high as the Geek Squad)

05.18.2010

Dropbox Your Windows Server Shares

I’ve read several posts on how to use @DropBox on a Windows Server. The information seems to be fragmented, and not always accurate. I’m going to summarize two things today. First, I’ll cover setting up @Dropbox on a Windows server, and second, I’ll briefly discuss security considerations. I’ll be working with Windows 2008; you can do the same with Windows 2003.

Setting Up @DropBox

  1. Log on to the Windows Server as administrator
  2. Download and install DropBox from their website
  3. Copy contents of C:\Users\Administrator\AppData\Roaming\Dropbox\bin to a new folder C:\Program Files\Dropbox
  4. Obtain the Windows 2003 Resource Kit files instsrv.exe and srvany.exe. It is perfectly safe to install the Windows 2003 Resource Kit on Win2008.
  5. Copy instsrv.exe to C:\Program Files\Dropbox
  6. Copy srvany.exe to C:\Program Files\Dropbox
  7. Open Command Prompt
  8. Execute "C:\Program Files\Dropbox\instsrv.exe" Dropbox "C:\Program Files\Dropbox\srvany.exe"
  9. Execute REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters /v Application /d "C:\Program Files\Dropbox\Dropbox.exe"
  10. Execute REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters /v AppDirectory /d "C:\Program Files\Dropbox"
  11. Delete or move the shortcut to Dropbox away from the startfolder (Start -> All Programs -> Startup) on the startmenu
  12. Launch Services.msc
  13. Right-click DropBox service, logon tab, check the Allow service to interact with desktop option
  14. Execute net start Dropbox
  15. Move your shared folders you need to share with outside users into your DropBox folder location, and reset sharing permissions. NTFS permissions should be maintained
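Steps 3 through 14 above as one PowerShell script, added here as an example; it is not part of the original post or of Dropbox’s own tooling. It assumes PowerShell 2.0 on Windows Server 2008, that the Dropbox client is already installed under the Administrator profile (steps 1 and 2), that instsrv.exe and srvany.exe are in $RkDir (an assumed resource kit path), and that the Startup shortcut is named Dropbox.lnk (also an assumption); adjust those if yours differ.

```powershell
# Added example (not from the original post): automates steps 3-14 on Windows
# Server 2008 with PowerShell 2.0. Assumes the Dropbox client is installed for the
# Administrator account and that the Windows 2003 Resource Kit tools are in $RkDir.
$ErrorActionPreference = 'Stop'

$SrcBin   = Join-Path $env:APPDATA 'Dropbox\bin'   # = C:\Users\Administrator\AppData\Roaming\Dropbox\bin when run as Administrator
$DestDir  = 'C:\Program Files\Dropbox'
$RkDir    = 'C:\Program Files (x86)\Windows Resource Kits\Tools'   # assumed resource kit install path
$SvcName  = 'Dropbox'
$ParamKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$SvcName\Parameters"

# Step 3: copy the client binaries out of the roaming profile
if (-not (Test-Path $SrcBin)) { throw "Dropbox client not found at $SrcBin; install it first (step 2)." }
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
Copy-Item -Path (Join-Path $SrcBin '*') -Destination $DestDir -Recurse -Force

# Steps 4-6: stage the resource kit tools next to the client
foreach ($tool in 'instsrv.exe', 'srvany.exe') {
    $src = Join-Path $RkDir $tool
    if (-not (Test-Path $src)) { throw "$tool not found in $RkDir; install the Windows 2003 Resource Kit." }
    Copy-Item -Path $src -Destination $DestDir -Force
}

# Step 8: register srvany.exe as the service binary
& "$DestDir\instsrv.exe" $SvcName "$DestDir\srvany.exe"
if ($LASTEXITCODE -ne 0) { throw "instsrv.exe failed with exit code $LASTEXITCODE" }

# Steps 9-10: tell srvany which program to launch and from which directory
if (-not (Test-Path $ParamKey)) { New-Item -Path $ParamKey | Out-Null }
Set-ItemProperty -Path $ParamKey -Name 'Application'  -Value "$DestDir\Dropbox.exe"
Set-ItemProperty -Path $ParamKey -Name 'AppDirectory' -Value $DestDir

# Step 11: remove the per-user Startup shortcut so the client does not start twice
$startupLnk = Join-Path ([Environment]::GetFolderPath('Startup')) 'Dropbox.lnk'   # assumed shortcut name
if (Test-Path $startupLnk) { Remove-Item -Path $startupLnk }

# Step 13: same as ticking "Allow service to interact with desktop" in Services.msc
& sc.exe config $SvcName type= interact type= own
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Step 14: start the service and confirm it is running
Start-Service -Name $SvcName

# StartName shows the account the sync client runs under (LocalSystem after instsrv).
# Keep this in mind for step 15: NTFS permissions limit users, not what that account can sync.
Get-WmiObject Win32_Service -Filter "Name='$SvcName'" | Format-List Name, State, StartName
```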

One “quirk” I’ve found so far: despite the interact with desktop option in Services, you may need to execute dropbox.exe to get the System Tray icon to appear. This does cause a second DropBox process, though, so you should kill one of them.

Security Considerations

The biggest question to be asked in setting this up, from the Network Administrator’s point of view is “Does the convenience of this service create a less secure computing environment?”

There are a few things that are well documented in regards to security of @DropBox. Here are their statements in regards to security:

  1. Shared folders are viewable only by people you invite
  2. All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password
  3. All transmission of file data and metadata occurs over an encrypted channel (SSL)
  4. Dropbox website and client software have been hardened against attacks from hackers
  5. Online access to your files requires your username and password
  6. Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable
  7. Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)

In regards to @DropBox security standards, it does meet the minimum encryption standards for industry compliance, such as HIPAA and SARBOX. The one well documented problem with the security implementation is that you, the enterprise and owner of your data, have no access to or control of the encryption key.

The main question that is asked by Network Administrators is, is it as safe as a VPN? The answer is more a policy answer than a technical answer. I would say technically, yes, as far as the encryption in place. However, policy plays a big role here as well:

  1. How secure are the devices that are accessing the data through DropBox?
  2. What are the password policies?
  3. What are the lockdown/wipe policies of mobile devices, such as laptops, netbooks, and smartphones?
  4. Who has access to the account credentials for DropBox?

Just as an employee can walk out the door to the office and leave it unlocked at the end of the day, similar security breaches can be made with a cloud computing service, or a local computing service. Any security that is put in place is only as good as the policies and practices of company employees to protect the enterprise. To provide the best security possible, at a minimum:

  1. Only Network Administrators and authorized management level employees should have access to the credentials for the DropBox account(s).
  2. Authorized personnel should install and setup the service
  3. Security harden all devices that will be accessing company data from outside the company network.
  4. Ensure your Acceptable Use Policies and Procedures are up to date

Training is also important. Ensure that employees know how to work within @DropBox and manipulate files. Make sure they have learned and understand the ramifications of sharing folders and files.

These are a few considerations that need to be made. There are many more, such as using TrueCrypt or Windows BitLocker to encrypt files at the source and local cache, or how to create a secure publishing mechanism within @DropBox to publish files to your clients. For these considerations, a professional IT firm should be consulted. If you have any questions on this topic, feel free to contact us, and we’ll be happy to assist.

–Chris Dickens, Systems Engineer and Owner, ForthPhaze Technology, LLC

05.12.2010

Preventing a Fake Antivirus Attack

We’ve seen a big surge recently in fake antivirus attacks. These virus and malware programs have been around for a couple of years but they’ve recently become much more dangerous and more difficult to remove from infected systems.

If you’re not familiar with this kind of attack, it uses a pop up window telling you that your system is infected with multiple viruses or that you no longer have antivirus protection. Google has images of dozens of different examples that you can look through here.

The point of this attack is to create a moment of panic and get you to click on the link to repair the problem. If you do that it will install malware on your computer and take you to a page where you hand over your credit card number to “fix” it.

Most users are smart enough to avoid falling for that, but that doesn’t mean you’re out of the woods. The creators of this pop up lied about your system being infected, they’re lying about fixing it if you click on their link - and they’re lying that clicking the “X” in the top right corner will just close the window. Clicking anywhere on the pop up will install its malware and virus programs on your computer.

One way to close the window without infecting your computer is with the ALT-F4 keystroke, which closes the active window. However, a safer method is to press Control-Alt-Delete (at the same time) and click on the button to open the Task Manager. A small window should open with tabs for Applications, Processes, Performance, etc. Click on the Applications tab and then close all of the applications running in that window, by clicking on each application once to highlight it and then clicking the End Task button at the bottom. Run a virus scan on your system immediately after the pop up closes.

The one bit of good news with this kind of attack is that it is easy to prevent. It works through a pop up window and most commonly comes through your internet browser. If you can prevent the pop up, you can prevent the fake warning from ever appearing on your system.

To prevent fake antivirus attacks, FIRST you should update to the latest browser of choice. If you are still using Internet Explorer 7.0 or older, update it immediately to IE8. Or, switch to Firefox. Both Internet Explorer and Firefox have good pop up blockers, but Firefox has a couple of advantages. First, the pop-up blocker in IE is set by default to “block most automatic pop-ups” and this has allowed the fake antivirus pop up to get through. (You can change this to block all popups in IE’s Internet Options/Privacy settings.) Second, the pop-up blocker in Firefox has been more effective at the default settings, but the big advantage Firefox has is a plug in available from their website that blocks practically all internet ads.

NEXT, you should also make sure your Windows version is kept up to date. Microsoft now includes a very good malicious software removal tool that can stop these infections before they get on your system, but it only works if your system is kept up to date.

LAST, make sure you’re using a good comprehensive antivirus suite. The variations in these viruses make it impossible to recommend one brand as the best, but any antivirus and security suite from a reputable company (AVG, Norton, Trend, Microsoft) will give you much better odds of being protected than a basic antivirus program that only scans your email.

If you do get infected, contact us. A simple infection can be cleaned up quickly, and if you have a bad infection we’ll clean it up and help you with the next steps to protect yourself and your identity.

-Brian Igo, IT Support Specialist

01.28.2009

How to Bypass Traditional Customer Service for a Better Experience

Last week, I was trying to solve a few technical problems on the job. One was an issue with a Watchguard firewall device. I won’t bore you with the details. My other problem was figuring out a great way to do time tracking on a smartphone that easily integrates with Quickbooks.

On Twitter last week, I posted a few questions regarding my Quickbooks problem, seeking advice or input from my followers on any suggestions they might have. I even sent a comment @Quickbooks so that Intuit would respond. Their response was lackluster, but in posting the questions I received a recommendation for @Tsheets. Within a day I also had a response from Jen Harris, from Tsheets.com, and also received a phone call from her. We talked about their service, but also spent about 10 minutes talking about the power of social media for brand development and engaging your target consumer.

On my Watchguard problem, I wasn’t necessarily searching for an answer on Twitter. I posted a rhetorical question, perhaps seeking sympathy from a fellow IT person, or a suggestion on how to find an answer. What happened next was interesting. Later that evening, I received an e-mail from Tracy Hillstrom, a product manager for Watchguard. Someone who knew Tracy saw my pondering question on Twitter, and forwarded it.

The lesson to be learned here is this:

1.) The outsourced India-based call centers are dead.

2.) Companies are watching their brand image on social media.

3.) Because most social media is public, companies are much more responsive to questions, complaints, and customer service inquiries to keep the public opinion of the brand experience positive.

If you have a customer service issue with a company or product, try using a social media platform like Twitter to get some help. Even if the appropriate people are not following you, companies can monitor their brands through advanced search tools, because of the public nature of Twitter.

But there are some protocols that should be applied.

1.) Be honest, but be tactful. If you are frustrated, be frustrated, but don’t flame the brand, unless there’s no hope to correct the issue. A backlash can occur if you are too negative on these types of services.

2.) Be timely. Things happen quickly on social media, so if you post a question or inquiry, check back often for responses. If a customer service person or fellow “Tweep” (Twitter Peep, or friend) tries to help, but your trail goes cold for a few days, the desire to assist will fade quickly.

3.) Praise the action. If a business or a person comes through for you, be sure to give them their props. Online brand management is all about managing the image, so if you get good service, let everyone know.

Here is a list of companies and brands that are known to be on Twitter. Next time you have a customer service issue with any of these companies on Twitter, give them a chance online to resolve your issue.
