As you may be aware the Information Commissioner’s Office (ICO) has begun to issue fines over breaches of the Data Protection Act (DPA). Since there has been a large number of published data losses it cannot come soon enough for the general public.

Last week another set of fines were issue to Ealing Council at £80,000 and Hounslow Council at £70,000, you can read the full story here. What is so special about this case is that it involved the loss of two unencrypted laptops, one from each council, containing the details of around 1,700 individuals from an employee’s home. Ealing Council provides an out of hours service on behalf of both councils, which is operated by nine staff who work from home. The team receive contact from a variety of sources and rely on laptops to record information about individuals. Ealing Council was found to be in breach of the DPA as it had issued an unencrypted laptop to a member of staff which is in breach of it’s own policies. This process had been established for a number of years and insufficient checks were made to ensure that relevant policies were understood and adhered to by employee’s. Hounslow Council were found to have breached the DPA as they had failed to have a written contract in place with Ealing Council, they also did not monitor Ealing Council’s procedures established to operate the service securely.

You may be wondering why this changes everything? As an outsourced IT service provider there may be occasion where you may have to remove a laptop/desktop/server from site in order to action a repair of the equipment, a normal everyday IT activity. What this could mean is that if that device is then lost or stolen while in your possession and it is not encrypted then you will potentially share equal liability for the data loss. Since that liability can include a rather hefty fine of up to £500,000, not too mention the bad press that would go with it, then the impact on your business could be catastrophic.

The question now is, what are you going to do to mitigate your risk? Please feel free to drop a comment in on this as I would love to hear your thoughts

- Rob

From: Abuse Department [mailto:abuse-uk-irl@ripe.net]

Sent: 24 September 2010 14:32

To: XXXXXXXXXXXXXX

Subject: ISP DISCONNECTION WARNING - ADVISORY ABUSE NOTICE

From: <abuse-uk-irl@ripe.net>

Date: Fri, Sept 24, 2010 at 12:44 PM

Investigation Number: 1171

Subject: ISP DISCONNECTION WARNING - ADVISORY ABUSE NOTICE

For The Attention Of: The Bill payer/Owner of this ISP account.

Our investigations have determined that your Internet Services account has been used to scan, flood or attempt to gain unauthorized access to another computer, (please see the details of the incident(s) attached to this e-mail). This activity is a violation of our Internet Services Acceptable Use Policy and the our Internet Services Account Agreement, under which you have been provided service.

THIS NOTICE IS TO ADVISE YOU THAT FURTHER ABUSE OF YOUR INTERNET SERVICES ACCOUNT MAY RESULT IN A SUSPENSION OR TERMINATION OF YOUR ACCOUNT, WITHOUT FURTHER NOTICE TO YOU. We are empowered to take such action if, in our sole determination, you have violated the terms of our Acceptable Use Policy or our Internet Services Account Agreement.

The alleged incident originated from the local IP address of 192.168.1.100 which, at the time of the incident, was assigned to a device with the unique physical address of 00:13:10:24:45:F8. This address identifies the network adapter or router connected to your ADSL/Broadband modem.

If you are unaware of this type of activity coming from your account, you may wish to inquire with others who may have access to your account and/or change the password to your account to ensure that only authorized users have access to it. IT IS ALSO POSSIBLE THAT YOUR COMPUTER MAY BE INFECTED WITH A VIRUS OR YOUR COMPUTER SYSTEM MAY HAVE SOME OTHER SECURITY PROBLEM SUCH AS AN UNSECURED MAIL OR PROXY SERVER WHICH COULD ACCOUNT FOR THIS ACTIVITY ORIGINATING FROM YOUR SYSTEM.

In the event you are not able to attend to the situation immediately, please disconnect your computer from the ADSL modem to prevent further abuse.

A full description of the incident including realtime IP addresses and web traffic can be found in the attachment.

Any questions of help can be obtained from out staff during office hours 0900-1700 Monday to Friday.

Our complete contact information can also be found in the PDF report.

Kind Regards

The Abuse Team

Attached to the email is a so called 'report' which is a 'RAR' file. Inside of the 'RAR' file is another file which is named 'Incident-Report-201009241171.pdf.exe'. So far it all looks like an elaborate hoax as the network the client is on is not on the range mentioned in the email and since when is a report sent as an executable file?

Any which way I will be putting it through the lab machine later to see what comes out, either way it will be interesting.

If you do hear of anyone receiving this tell them not to open it.

- Rob

So what's the difference? The core difference between the two products is that Microsoft Forefront Security is a centrally managed product which had updates and definitions distributed from a central source which is traditionally the office server. In contrast Microsoft Security Essentials is ideally suited to Small businesses that may not have a server in place, for example when they are using cloud services, or that do not require central management. Either way it is a compelling and interesting move by Microsoft in to a market space which they currently do not have a significant market share in.

Either way this is great news for Small Businesses everywhere!

- Rob

NOTE: These instructions are intended as a guideline on how to remove this infection. If you are not sure how to do this then please make sure you consult a professional. All such information and related graphics are provided “as is” without warranty of any kind.

The first step is to repair the running of executable files (exe files):

Click on Start, Run and type ‘notepad’ then press enter. Now copy and paste the information below into Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Now save this file by clicking on File, Save As; select the file type and set it to “All Files” then enter ‘fix.reg’ into the file name box making sure you save the file to the Desktop and click OK.

Now double-click the ‘fix.reg’ file on the desktop and click Yes to confirm.

There is a second method which you may need to use to stop XP Anti-Malware from running, in both cases I have had use both methods so here is the second method.

Click on Start, Run and type ‘Notepad’ then press enter. Copy and paste all of the information below into Notepad.

[Version]
Signature="$Chicago$"
Provider=Myantispyware.com

[DefaultInstall]
DelReg=regsec
AddReg=regsec1

[regsec]
HKCU, Software\Classes\.exe
HKCU, Software\Classes\secfile
HKCR, secfile
HKCR, .exe\shell\open\command

[regsec1]
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, .exe,,,"exefile"
HKCR, .exe,"Content Type",,"application/x-msdownload"

Now save this file by clicking on File, Save As; select the file type and set it to “All Files” then enter ‘fix.inf’ into the file name box making sure you save the file to the Desktop and click OK.

Now right-click on the “fix.inf” file on the Desktop and select Install. Now reboot the computer into ‘Safe-mode with Network Support’.

Now download MalwareBytes Anti-malware, install and ensure that it fully updates before running. Now run a ‘Quick Scan’, once it has completed it will display the results. Now click on ‘Remove Selected’ and reboot the computer. Details about how to install and run MalwareBytes Anti-malware can be found on other sites but the important part is the Registry file and INF file above.

- Rob

• First open Internet Information Service Manager on the server and check that the website “OfficeScan” exists. Now close the Internet Information Service Manager.
• Now open a command prompt and change to the “Trend Micro\Security Server\PCCSRV” folder
• Now type “svrsvcsetup.exe -uninstall” and wait for this to complete, it could take a number of minutes.
• Now open Internet Information Service Manager on the server and check that the website “OfficeScan” no longer exists. Now close the Internet Information Service Manager.
• Now type the following commands pressing enter after each one:
  • svrsvcsetup -install
  • svrsvcsetup -setvirdir
  • svrsvcsetup -setprivilege
  • svrsvcsetup -enablessl
• Now restart the following services using the Services Applet:
  • Trend Micro Security Server Master Service
  • IIS Admin Service
  • World Wide Web Publishing Service

Now if you try to access the console you should be able to log on to the console successfully.

This worked for us each time, so I hope it’ll work for others too.

- Rob

This may seem like a bold move but it is not the first time they have done this. In 2005 they paid $250,000 to two individuals who helped identify the creator of the Sasser worm.  Rewards were also offered of $250,000 for the creators of the other three major computer worms Blaster, MyDoom and Sobig however the authors of these were never caught.

In reality this amount of money is a small drop in the ocean for a company like Microsoft but in doing so they are trying to send out a strong message to the authors of such worms.  They are simply saying that they will not sit idly by while the creators wreak havoc on their clients systems.  In reality the fact of the matter is that regardless of what Microsoft or Microsoft Trustworth Computing Group offer it seems that it will offer very little in the way of a deterrent for such authors as it is a challenge that they enjoy rising to.  What it does do is help their clients to feel that they are doing all they can to try an prevent such hassles returning in the future.

The worm itself infects a computer that is not fully up to date with the latest updates from the Microsoft Update website. If you are in any doubt then the best action is to visit the Microsoft Update website and apply all the latest critical updates.  Once this is complete continue to revisit the site until you are told there are no further critical updates. You should also ensure that your Anti-Virus software is fully up-to-date, if you don’t already have one then visit either AVG or aVast who both provide free versions for home use.

Awesome stuff so you’ll have the review as soon as I have it.

Using this wizard you are able to enter your domain name and it will process the DNS record to see what settings exist with regard to mail servers and then guide you through the process of creating the SPF data.  Over the past few years I have using a number of tools but this has to be the easiest to follow.  So check it out, the more people that use SPF the less spam will be possible.

As always thanks for reading and if you have any questions then drop me a line.

By adding in the ADM template at the bottom of this article you will be able to restrict access to USB storage devices as well as CD/DVD Drives.  Once you have the downloaded file then on your server go to the %SYSTEMROOT% folder this is typically "C:\WINDOWS" and copy the ADM file into the "INF" folder.  Once you have done this go into the "Group Policy Management" tool.  Once there if you create a new group policy or edit an existing policy then navigate to "Administrative Templates" under "Computer Management".

Right click on "Administrative Templates" and select "Add/Remove Templates"

Click on "Add" and from the list of files select "ext_storage.adm" and click on "OK", now click on "Close"

Now from the "View" menu select "Filtering" and unselect the "Only show policy settings that can be fully managed" option and click "OK"

Now from the main group policy window under "Administrative Templates" you will see "Custom Policy Settings" and below this you will see "Restrict Drives".  Once selected on the right hand pane you will see the options to disable USB, CD Rom, Floppy and High Capacity Floppy.

Once these are enabled the users which have this policy applied to will no longer be able to use these facilities.  This gives small businesses a means of securing their data without spending the earth.

Attachments: ext_storage.adm

Once TrueCrypt is installed then you can create a new secure volume using the wizard which can be launched from the main program screen.

From here click on the “Create Volume” button to launch the wizard.

From here select the “Create a File Container” option the create a new secure volume on your Hard Disk. From here you can also choose to Encrypt the entire system partition which means that the partition that Windows is installed on would be encrypted and require a password to be entered before Windows can boot. You can also encrypt a non-system partition which would be another partition on your drive or a USB memory stick. In this example we will create a “File Container”; once selected click next.

At the next screen you have the option to select a “Standard TrueCrypt Volume” or a “Hidden TrueCrypt Volume”. A Standard volume is simply an encrypted volume which when the password is entered it mounts and the data is visible. The “Hidden Volume” however is a little more sophisticated; what happens is when the volume is created it will create another volume within that one. Both volumes are located as a single file on the disk however the one that becomes visible is dictated by the password entered. This is especially useful if you have to enter your are forced to enter your password under duress; in this scenario you would enter the password for the volume which does not contain the actual secure data but is in fact the “fake” secure data. For this example however we will create a “Standard Volume”; once selected click Next.

Once the next screen you will be asked to “Select File” which basically speaking means that you need to specify the filename and location. The actual filename you use should be a obscure as possible as this will make the file harder to locate to would be attackers. In this example we have called the file “readme.txt” Once you have done this click on Next.

From the next screen you have the option to select what encryption algorithm you want to use for your volume. The algorithm that you use simply dictates how the data is encoded when the file is created and more importantly when data is stored on the volume. For most of us AES will be sufficient so we will select that and click Next.

Now we have to specify the size of our encrypted volume. This will be entirely down to personal choice and will be dictated by the amount of data that you want to carry with you. For simplicity we will enter a value of 100MB and then click on Next.

At this point we are now required to enter a password. It cannot be impressed enough how important it is to choose as strong enough password for this file. Lets face it if you simply enter the password as “password” then it isn’t going to take much to guess it. So no kids names, no pets, no car registration, no spouse’s, nothing that is anything to do with you. Lets face it if you used you favourite nursery rhyme that would be more secure as a password; for example “tw1nkle tw1nkle l1ttle star how 1 wonder what you are” would be completely random, nothing to do with you and yet easy to remember. So think long and hard what you will use and make sure it’s something easy to remember but still strong. Once this is done then click Next.

The next screen is for formatting the volume however before you click “Format” you need to move your mouse randomly within the Window. This is done to help to create a completely random key and the more you move the mouse then more random it becomes.

When you have done this and you are happy with it click on “Format” and wait until a box appears telling you it is complete. Now click on “OK”

When this has finished you can either continue with the wizard to create another volume or you can click on “Exit” to return to the main TrueCrypt screen.

From them main TrueCrypt screen click on the “Select File” button and you will be presented with a screen titled “Select a TrueCrypt Volume”. From here we can select our newly created volume, in our example we will select the file “readme.txt” and click on “Open”.

Now select the drive letter from the top part of the screen that you want to assign the volume to, in our case this will be “F:”, now click on “Mount”. This will then prompt you for the password that you entered earlier as below.

Enter your password and then select “OK”. If you need to you can check the “Display Password” box so that you can see what you are typing but obviously make sure no-one is around to see it.

That is basically it, you can now go into “My Computer” and you will see your newly create volume as shown below.

I hope this is of help to some of you and if you have any questions then please post them up and I will try help where possible. The program is just one of many that are around and each of these vary in the way that they work however this all work towards the same end result which is that they all try to make your data more secure.