From: Abuse Department [mailto:abuse-uk-irl@ripe.net]

Sent: 24 September 2010 14:32

To: XXXXXXXXXXXXXX

Subject: ISP DISCONNECTION WARNING - ADVISORY ABUSE NOTICE

From: <abuse-uk-irl@ripe.net>

Date: Fri, Sept 24, 2010 at 12:44 PM

Investigation Number: 1171

Subject: ISP DISCONNECTION WARNING - ADVISORY ABUSE NOTICE

For The Attention Of: The Bill payer/Owner of this ISP account.

Our investigations have determined that your Internet Services account has been used to scan, flood or attempt to gain unauthorized access to another computer, (please see the details of the incident(s) attached to this e-mail). This activity is a violation of our Internet Services Acceptable Use Policy and the our Internet Services Account Agreement, under which you have been provided service.

THIS NOTICE IS TO ADVISE YOU THAT FURTHER ABUSE OF YOUR INTERNET SERVICES ACCOUNT MAY RESULT IN A SUSPENSION OR TERMINATION OF YOUR ACCOUNT, WITHOUT FURTHER NOTICE TO YOU. We are empowered to take such action if, in our sole determination, you have violated the terms of our Acceptable Use Policy or our Internet Services Account Agreement.

The alleged incident originated from the local IP address of 192.168.1.100 which, at the time of the incident, was assigned to a device with the unique physical address of 00:13:10:24:45:F8. This address identifies the network adapter or router connected to your ADSL/Broadband modem.

If you are unaware of this type of activity coming from your account, you may wish to inquire with others who may have access to your account and/or change the password to your account to ensure that only authorized users have access to it. IT IS ALSO POSSIBLE THAT YOUR COMPUTER MAY BE INFECTED WITH A VIRUS OR YOUR COMPUTER SYSTEM MAY HAVE SOME OTHER SECURITY PROBLEM SUCH AS AN UNSECURED MAIL OR PROXY SERVER WHICH COULD ACCOUNT FOR THIS ACTIVITY ORIGINATING FROM YOUR SYSTEM.

In the event you are not able to attend to the situation immediately, please disconnect your computer from the ADSL modem to prevent further abuse.

A full description of the incident including realtime IP addresses and web traffic can be found in the attachment.

Any questions of help can be obtained from out staff during office hours 0900-1700 Monday to Friday.

Our complete contact information can also be found in the PDF report.

Kind Regards

The Abuse Team

Attached to the email is a so called 'report' which is a 'RAR' file. Inside of the 'RAR' file is another file which is named 'Incident-Report-201009241171.pdf.exe'. So far it all looks like an elaborate hoax as the network the client is on is not on the range mentioned in the email and since when is a report sent as an executable file?

Any which way I will be putting it through the lab machine later to see what comes out, either way it will be interesting.

If you do hear of anyone receiving this tell them not to open it.

- Rob

So what's the difference? The core difference between the two products is that Microsoft Forefront Security is a centrally managed product which had updates and definitions distributed from a central source which is traditionally the office server. In contrast Microsoft Security Essentials is ideally suited to Small businesses that may not have a server in place, for example when they are using cloud services, or that do not require central management. Either way it is a compelling and interesting move by Microsoft in to a market space which they currently do not have a significant market share in.

Either way this is great news for Small Businesses everywhere!

- Rob

This may seem like a bold move but it is not the first time they have done this. In 2005 they paid $250,000 to two individuals who helped identify the creator of the Sasser worm.  Rewards were also offered of $250,000 for the creators of the other three major computer worms Blaster, MyDoom and Sobig however the authors of these were never caught.

In reality this amount of money is a small drop in the ocean for a company like Microsoft but in doing so they are trying to send out a strong message to the authors of such worms.  They are simply saying that they will not sit idly by while the creators wreak havoc on their clients systems.  In reality the fact of the matter is that regardless of what Microsoft or Microsoft Trustworth Computing Group offer it seems that it will offer very little in the way of a deterrent for such authors as it is a challenge that they enjoy rising to.  What it does do is help their clients to feel that they are doing all they can to try an prevent such hassles returning in the future.

The worm itself infects a computer that is not fully up to date with the latest updates from the Microsoft Update website. If you are in any doubt then the best action is to visit the Microsoft Update website and apply all the latest critical updates.  Once this is complete continue to revisit the site until you are told there are no further critical updates. You should also ensure that your Anti-Virus software is fully up-to-date, if you don’t already have one then visit either AVG or aVast who both provide free versions for home use.

Awesome stuff so you’ll have the review as soon as I have it.

Once TrueCrypt is installed then you can create a new secure volume using the wizard which can be launched from the main program screen.

From here click on the “Create Volume” button to launch the wizard.

From here select the “Create a File Container” option the create a new secure volume on your Hard Disk. From here you can also choose to Encrypt the entire system partition which means that the partition that Windows is installed on would be encrypted and require a password to be entered before Windows can boot. You can also encrypt a non-system partition which would be another partition on your drive or a USB memory stick. In this example we will create a “File Container”; once selected click next.

At the next screen you have the option to select a “Standard TrueCrypt Volume” or a “Hidden TrueCrypt Volume”. A Standard volume is simply an encrypted volume which when the password is entered it mounts and the data is visible. The “Hidden Volume” however is a little more sophisticated; what happens is when the volume is created it will create another volume within that one. Both volumes are located as a single file on the disk however the one that becomes visible is dictated by the password entered. This is especially useful if you have to enter your are forced to enter your password under duress; in this scenario you would enter the password for the volume which does not contain the actual secure data but is in fact the “fake” secure data. For this example however we will create a “Standard Volume”; once selected click Next.

Once the next screen you will be asked to “Select File” which basically speaking means that you need to specify the filename and location. The actual filename you use should be a obscure as possible as this will make the file harder to locate to would be attackers. In this example we have called the file “readme.txt” Once you have done this click on Next.

From the next screen you have the option to select what encryption algorithm you want to use for your volume. The algorithm that you use simply dictates how the data is encoded when the file is created and more importantly when data is stored on the volume. For most of us AES will be sufficient so we will select that and click Next.

Now we have to specify the size of our encrypted volume. This will be entirely down to personal choice and will be dictated by the amount of data that you want to carry with you. For simplicity we will enter a value of 100MB and then click on Next.

At this point we are now required to enter a password. It cannot be impressed enough how important it is to choose as strong enough password for this file. Lets face it if you simply enter the password as “password” then it isn’t going to take much to guess it. So no kids names, no pets, no car registration, no spouse’s, nothing that is anything to do with you. Lets face it if you used you favourite nursery rhyme that would be more secure as a password; for example “tw1nkle tw1nkle l1ttle star how 1 wonder what you are” would be completely random, nothing to do with you and yet easy to remember. So think long and hard what you will use and make sure it’s something easy to remember but still strong. Once this is done then click Next.

The next screen is for formatting the volume however before you click “Format” you need to move your mouse randomly within the Window. This is done to help to create a completely random key and the more you move the mouse then more random it becomes.

When you have done this and you are happy with it click on “Format” and wait until a box appears telling you it is complete. Now click on “OK”

When this has finished you can either continue with the wizard to create another volume or you can click on “Exit” to return to the main TrueCrypt screen.

From them main TrueCrypt screen click on the “Select File” button and you will be presented with a screen titled “Select a TrueCrypt Volume”. From here we can select our newly created volume, in our example we will select the file “readme.txt” and click on “Open”.

Now select the drive letter from the top part of the screen that you want to assign the volume to, in our case this will be “F:”, now click on “Mount”. This will then prompt you for the password that you entered earlier as below.

Enter your password and then select “OK”. If you need to you can check the “Display Password” box so that you can see what you are typing but obviously make sure no-one is around to see it.

That is basically it, you can now go into “My Computer” and you will see your newly create volume as shown below.

I hope this is of help to some of you and if you have any questions then please post them up and I will try help where possible. The program is just one of many that are around and each of these vary in the way that they work however this all work towards the same end result which is that they all try to make your data more secure.

The fact is that almost every business today owns at least 1 notebook computer and typically that will be taken out to meet clients, to work from home etc. On that notebook there will typically be a great deal of data regarding either your own business or possible about your clients data so do you encrypt your data? The answer is almost certainly no, so how on earth can we complain when other organisations do they same. While I understand that these organisations should know better as they have much larger funding budgets to get people onboard that should be telling them this but the fact of the matter is that very few businesses do this themselves. Recent figures show that the public is 80% more cautious with their personal data than before the HMRC data loss which is a positive move for security. You may think that the data on your notebook is of no value to anyone else but lets just assume for one minute that you loose your notebook and you have the following on it:

• On it is the payroll figures as you needed to work on them tonight
• You also have the sales figures for your clients
• Details of a new proposal for a potential client
• Documentation regarding a client(s) site, not including passwords

So what is the value of this to anyone else:

• The payroll data would be invaluable to a headhunter for example. If you had a member of staff who had some very coveted knowledge then they would be able to know where to start with pay offers
  • If the payroll figures included home addresses of employees then this would also be of interest to criminals for identity theft.
• Sales figures would be of great interest to your competition as they would be able to ascertain the financial value not only of your own company month in month out but also the value of each of you clients each month.
• Details of a new proposal would again be of interest to your competition as they would then know what you are proposing but more importantly what you are planning to change for this fantastic service. If this proposal is for an IT system this may also be of use to a potential hacker as it may provide information regarding internal systems or security information.
• Documentation regarding a clients site would almost certainly hold value to a potential intruder if it was technology documentation as it would provide valuable insight into what internal systems they had. If it related to equipment such as phones, plant machinery then again it would have value to competitors or companies in that field.

The fact of the matter is that whatever data you have it will be of use to someone and simply putting a password on Windows is just not going to cut it. By simply booting of a CD such as UBCD4WIN you don’t even need to crack the password for Windows, it will let you access the data on the hard disk and transfer it off and with the price of notebooks so low now (from £299) the data is often worth many times the value of the notebook.

So what can you really do to stop this? Well quite simply encrypt the data, this can be done a number of ways.

1. You can use Windows XP EFS (Encrypting File Service) to encrypt data and lock it to the individual user account. This means that should anyone who is not logged in with the user account that encrypted the files then they will not be able to access the data.
2. There is also Bitlocker Drive Encryption which available to Windows Vista (Enterprise and Ultimate) and Windows 2008 server. This system uses full disk encryption to encrypt and entire volume rather than individual files. It requires an area of the disk to be created as a Bitlocker volume.
3. There are also a host of third party application which will either encrypt individual files or create PSD’s (Personal Secure Drive) which is essentially a encrypted file on your hard disk that is mounted up as a volume (Drive letter) so that you can save your files. While it is mounted it is unsecured but once it is dismounted or the system is shut down it becomes encrypted again.

One such package that I have found to be a very good product for this particular task is TrueCrypt, it’s an open source package for on-the-fly encryption. While you can encrypt the entire drive you can also create encrypted volumes which can be mounted up as disks on your system by using a password. I personally like this method as it allows me to create a volume to store all of my “data” in rather than being mixed up with the rest of the system.

There are a great many package which do the same or similar and they are all equally able to secure your data whether using a password, keyfile or a hardware USB key combines with passwords etc. Some are certified for government users while others are not but in the end it is personal choice however whatever the case it is something that should definitely be looked at.

For more information on using TrueCrypt then please read Better safe than sorry (Part 2)