Author Archive

Meltdown / Spectre

Posted January 8, 2018 By admin

Security researchers recently disclosed that the main chip in most modern computers, the CPU, has a hardware bug, or rather two related ones, known as Meltdown and Spectre. They are design flaws in how the processor speculatively runs instructions ahead of time, and they have been present in chips for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.

These flaws let a malicious program read data that is being processed in your computer's memory, including data belonging to the operating system and to other applications. Normally that is impossible, because the processor and operating system isolate applications from each other and from the kernel. This hardware bug breaks that isolation: the data is never handed over directly, but it can be inferred from the traces that speculative execution leaves in the processor's cache.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.

So, What Are We Doing About This?

We need to update and patch all machines on the network. This is going to take some time: operating system patches are arriving now, but some of the fixes, in particular the firmware (microcode) updates from the hardware vendors, are not available yet. We may also have to replace some mission-critical computers that cannot be patched.

In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click.

If you haven’t already heard of the hardware vulnerability recently discovered, here are a couple of articles: http://mashable.com/2018/01/04/spectre-meltdown-explained and https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html .

We are currently waiting on our antivirus applications to have their compatibility confirmed (most clients are already on a compatible version of Vipre) before Microsoft's patch can be installed. Microsoft will not offer the January patch through Windows Update until the antivirus product sets a registry flag confirming it is compatible, because some antivirus products make unsupported calls into kernel memory and crash the machine (blue screen) once the patch changes the kernel's memory layout. On January 9th Vipre (and hopefully Bitdefender) will set that flag, which will allow Microsoft's patch to install.

The good news is that there are currently no known attacks in the wild, and an attacker must still get code running on your computer (for example, through a rogue website). The bad news is that the patch may hurt computer performance by up to 20 percent (reports so far range from no measurable impact to 40 percent, depending on the workload and the age of the CPU). We fully understand the frustration this may cause, but there is nothing that can be done about it at this time, and it may mean some computers must be replaced.
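As an added example that is not part of the original post, here is a PowerShell check an administrator can run on each Windows machine to see whether the antivirus flag described above is in place and, once the patch is on, whether the mitigations are actually active. It assumes an elevated PowerShell session on a Windows machine and, for the one-time module install, internet access. The registry value name is the one Microsoft published for the antivirus compatibility gate, and the property names are those returned by Microsoft's SpeculationControl module; nothing here is code from the original page.

```powershell
# Added example (not from the original post): confirm a Windows machine is ready for,
# and then actually protected by, the January 2018 Meltdown/Spectre updates.
# Run in an elevated PowerShell window. Installing the module needs internet access.

# 1. The "flag" the antivirus vendor sets. Windows Update would not offer the
#    January 2018 security update until this registry value existed.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatFlag {
    $item = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "AV compatibility flag is missing: Windows Update will not offer the patch yet."
        return $false
    }
    Write-Host "AV compatibility flag present (value $($item.$compatName)); the patch can be offered."
    return $true
}

# 2. Microsoft's SpeculationControl module reports whether the OS mitigations are
#    present and enabled. Installing the patch alone is not enough: Spectre variant 2
#    (branch target injection) also needs a CPU microcode/firmware update from the
#    hardware vendor, which is why some machines may have to be replaced.
function Get-MitigationStatus {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        # Meltdown (CVE-2017-5754): kernel virtual address shadowing. "Needed" is $false
        # on CPUs that are not affected, so a missing fix is fine in that case.
        MeltdownFixNeeded  = $s.KVAShadowRequired
        MeltdownFixEnabled = $s.KVAShadowWindowsSupportEnabled
        # PCID lets the CPU avoid full TLB flushes on every kernel entry; its absence on
        # older CPUs is a large part of why the performance cost varies so much.
        PcidAvailable      = $s.KVAShadowPcidEnabled
        # Spectre variant 2 (CVE-2017-5715): needs both OS support and new microcode.
        SpectreV2Microcode = $s.BTIHardwarePresent
        SpectreV2Enabled   = $s.BTIWindowsSupportEnabled
    }
}

Test-AvCompatFlag | Out-Null
Get-MitigationStatus | Format-List
```

A machine where MeltdownFixNeeded is true but MeltdownFixEnabled is false has not received (or has not rebooted into) the patch; one where SpectreV2Enabled is false while SpectreV2Microcode is also false is waiting on the hardware vendor, not on Microsoft.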

Also, we have seen a handful of computers have all their files completely erased due to what we think are compromised websites. This has required a full reload of the computer. Unless we specifically have a backup in place for your computer, as always, please do not store data on the local hard drive. If you have questions about your computer, please send a help request or call. We absolutely can set up a backup for local data.

Phishing Test sent 20171207

Posted December 11, 2017 By admin

On Thursday, December 7 we sent a phishing test appearing to come from “CITS Support”. At first I was fairly happy with the results, but then I found out only about 72 emails were actually delivered. I would imagine the spam filter saw the bulk of mail coming in from a single IP and closed it off or started throttling it (which is good, but I need to do something different in the future). So, out of the 72 emails that were delivered, 30 (41%) were opened (the tracking image was downloaded), nine users (12%) clicked the link, of those six users (8%) submitted their username and password (although, for security, we did not capture passwords), and of those two users (2.7%) ran the program (end users should not be downloading and running software). The program did nothing but email us to notify us that it was run.

Only two users used the Phish Alert button to report the email (not all clients have this option), two users called us (which is great), and two users emailed me directly (please don’t email me directly and especially don’t forward spam/scams).

Clearly there is room for improvement. Even though our program was harmless, a real phishing email could have started encrypting the users’ data files and if the website had captured passwords (and they were accurately entered) then the phisher would have probably had at least some access to the client’s network (for example, Outlook Web Access).

In the next few weeks we will be delivering posters for our clients and their users that point out things to look for in emails, but in the meantime, here is the email with our comments (marked with == below).

From: CITS Support [mailto:citssupport@ns-cits.xyz] == This domain was set up specifically for this test. We would never use an “xyz” top-level domain, and this email address (citssupport) has never existed. The email is also not from cits.*** – it’s from “ns-cits”. A “whois” lookup (a little more advanced) shows this domain was registered just over a month ago.
Sent: Thursday, December 07, 2017 9:07 AM
To:  *********** <*****@*****>
Subject: Security Upgrade – your timely action is required! == Phishing emails demand action.

*******,

Due to the increase in the numbers of security breaches with other clients, Certified I.T. Solutions (we almost always include LLC) has launched preventative measures to ensure that your computer account remains secure. We have upgraded your office’s security to keep your personal details safe. To do this in the most secure and timely way possible we have temporarily limited access (phishing emails make you want to act) to applications that may contain sensitive data. == If we really needed to do something like this, we would have made all users aware well ahead of time.

To begin your security upgrade and reestablish full access to your account please follow this link. Failure to do so will result in limited access to your profile. == Link is not to our domain.

Certified I.T. Solutions, LLC == Just FYI, this block was pulled straight from our website so it is legit but is not our usual signature.
PO Box 335
Euless, TX 76039
817-354-2487
fax 817-391-4094
https://www.cits.us

<Image not shown> == This image was lifted from our website and is not our correct logo.

Administrator name is not mentioned in this email – red flag.

Going to ns-cits.xyz would have redirected the user to cits.us – red flag

Going to backend.ns-cits.xyz (from the link) would have shown a 404 Error – red flag
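The domain and link checks called out in the comments above can be applied mechanically before anyone clicks. The following PowerShell function is an added example, not code from the original post or from KnowBe4: it takes a raw message (headers, blank line, body), pulls out the real sender address, and flags a sender domain that is not ours, a domain that reuses our name, an unusual top-level domain, pressure wording, and links that do not lead to our domain. The sample message is constructed to match the test email above; its link path is assumed (only the host backend.ns-cits.xyz is from the post), and the suspicious-TLD and urgency-phrase lists are our own picks. The whois registration-age check is left out so this runs offline (the Sysinternals whois tool can supply it).

```powershell
# Added example (not from the original post): mechanise the red flags from the test email.
# cits.us and ns-cits.xyz come from the post; the link path, the TLD list and the
# urgency phrases are assumptions for illustration.

function Get-RegistrableDomain([string]$HostName) {
    # Naive two-label cut ("backend.ns-cits.xyz" -> "ns-cits.xyz"). Enough for .us/.xyz;
    # production code should consult the public suffix list for cases like .co.uk.
    $labels = $HostName.ToLowerInvariant().TrimEnd('.') -split '\.'
    if ($labels.Count -lt 2) { return $HostName.ToLowerInvariant() }
    return ($labels[-2], $labels[-1]) -join '.'
}

function Test-PhishIndicators {
    param(
        [Parameter(Mandatory)][string]$RawMessage,
        [string[]]$OurDomains     = @('cits.us'),                     # our real domain(s)
        [string]$OrgToken         = 'cits',                           # name a lookalike would reuse
        [string[]]$SuspiciousTlds = @('xyz', 'top', 'club', 'work'),  # assumption: TLDs we never use
        [string[]]$UrgencyPhrases = @('action is required', 'immediately', 'limited access',
                                      'suspended', 'verify your account')  # assumption
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Headers, blank line, body (RFC 5322 layout).
    $parts   = $RawMessage -split '\r?\n\r?\n', 2
    $headers = $parts[0]
    $body    = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    # 1. Who the mail is really from: the address, not the display name.
    $fromAddr = ''
    if ($headers -match '(?im)^From:.*?([\w.+-]+@[\w.-]+)') { $fromAddr = $Matches[1] }
    $fromHost = ($fromAddr -split '@')[-1]
    $fromReg  = Get-RegistrableDomain $fromHost
    if ($fromAddr -and ($OurDomains -notcontains $fromReg)) {
        $findings.Add("Sender $fromAddr is not on one of our domains ($($OurDomains -join ', '))")
        if ($fromReg -like "*$OrgToken*") {
            $findings.Add("Sender domain '$fromReg' reuses our name '$OrgToken' (lookalike domain)")
        }
        $tld = ($fromReg -split '\.')[-1]
        if ($SuspiciousTlds -contains $tld) {
            $findings.Add("Sender domain uses a .$tld top-level domain we do not use")
        }
    }

    # 2. Pressure to act now, in the subject or the body.
    $subject = ''
    if ($headers -match '(?im)^Subject:\s*(.+)$') { $subject = $Matches[1].Trim() }
    foreach ($phrase in $UrgencyPhrases) {
        if ($subject -like "*$phrase*" -or $body -like "*$phrase*") {
            $findings.Add("Urgency wording: '$phrase'")
        }
    }

    # 3. Every link host that is not under one of our domains.
    $linkHosts = @([regex]::Matches($body, '(?i)https?://([^/\s"<>]+)') |
                   ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique)
    foreach ($h in $linkHosts) {
        if ($OurDomains -notcontains (Get-RegistrableDomain $h)) {
            $findings.Add("Link goes to $h, which is not under our domain")
        }
    }

    [pscustomobject]@{
        From     = $fromAddr
        Subject  = $subject
        Findings = $findings.ToArray()
        Verdict  = $(if ($findings.Count -ge 2) { 'Report it with the Phish Alert Button' }
                     else { 'No strong indicators' })
    }
}

# Constructed sample, modelled on the December 7 test email (link path assumed).
$sample = @'
From: CITS Support <citssupport@ns-cits.xyz>
Sent: Thursday, December 07, 2017 9:07 AM
To: user@example.com
Subject: Security Upgrade - your timely action is required!

Due to the increase in the numbers of security breaches with other clients, Certified I.T. Solutions
has launched preventative measures. We have temporarily limited access to applications that may
contain sensitive data. To begin your security upgrade please follow this link:
https://backend.ns-cits.xyz/upgrade

Certified I.T. Solutions, LLC
https://www.cits.us
'@

Test-PhishIndicators -RawMessage $sample | Format-List
```

On the sample this reports six findings: the sender is not on cits.us, ns-cits.xyz reuses our name, the .xyz TLD, "action is required" in the subject, "limited access" in the body, and the link to backend.ns-cits.xyz. The www.cits.us link in the signature is not flagged, which matches the comment above that the signature block was lifted from our real site.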

8:23 PM Update: I have confirmed two clients are up (one using Outlook and one using OWA). If you are still having issues, please restart Outlook, and if you continue to have issues after five minutes, please open a ticket by sending a help request.

10/30/17 – 20:01 – Hosted Exchange and Hosted SharePoint services in Everett, Washington are restored. Power remains only partially restored.

10/30/17 – 19:24 – Power in Everett, Washington has been partially restored. Some customers may still be experiencing disruption, and all power service remains in UPS bypass. We are working to restore remaining services and will post an update soon.

7:04 PM Update: Our own monitoring shows the mail servers are responding, so the issue should be resolved shortly. This is the latest post: 10/30/17 – 18:56 – Network disruption in Bellingham, Washington should be resolved at this time. Please submit a ticket if you are still experiencing issues. Power issues continue in Everett, Washington. Electricians and UPS Technicians are en route to resolve the issue.

5:56 PM Update: Email from Green House Data: Outage Start Time: 10/30/2017 5:14 PM Our Everett facility is currently experiencing a power event, which may be affecting internet service in the Bellingham facility as well. We are currently working to restore service in all facilities and will update as soon as we have a resolution.

Our provider may have had a fiber line cut outside of the data center, and we are aware this is affecting multiple clients. I am waiting on a call back and will keep this post updated. For now, clients that have mail continuity through MSPMail should use https://mail.maxfocus.com to get inbound messages, and you can also reply/send emails through MSPMail.


CITS is implementing a Phish Alert Button (PAB) in Outlook (provided by KnowBe4). Reporting emails will help clients stay safer. Because the emails they report are sent for analysis, CITS will now be aware of which phishing attacks are able to reach client inboxes. Once we are aware of possible vulnerabilities, we can better defend against them. The end user is an important part of the process of keeping their companies safe from cyber criminals. Stop, Look, and Think!

Phish Alert Button in Outlook

Posted May 15, 2017 By admin

How To Use The Phish Alert Button

CITS is pushing out a Phish Alert Button (PAB) in Outlook (provided by KnowBe4). How does this work, and how can you use it to help keep your organization safe?

When do I use it?
Click the PAB anytime you believe you have received a phishing email, or any potentially dangerous email. Any emails you report using the PAB will be automatically deleted from your inbox. The emails you report will also be forwarded to us for analysis.

How do I use it?
You’ll see the Phish Alert add-in at the top of your Outlook client. To report an email as a phishing email, simply click the button while you’re looking at the email. The email you reported will be forwarded to CITS for investigation and reporting and then will be deleted from your inbox. If you report an email in error, you can retrieve the email from your Trash/Deleted Items.

Why should I use it?
Reporting emails will help your organization stay safer. Because the emails you report are sent for analysis, we will now be aware of which phishing attacks are able to reach your company’s inboxes. Once we are aware of possible vulnerabilities, we can better defend against them. You are an important part of the process of keeping your organization safe from cyber criminals.

Stop, Look, and Think!

Wireless Install at Big Heart Orphanage

Posted December 31, 2016 By admin

Our family has returned from Reynosa, Mexico where my son and I replaced the wireless infrastructure at Big Heart Orphanage over two days. All of the equipment is Mikrotik: the router was replaced with a RB2011UiAS-2HnD-IN. Two existing CAT6 cables carry the traffic to a wAPac and a PowerBox that feeds another wAPac and a NetMetal 5. The NetMetal sends out a backbone signal that is picked up by two SXT Lite5 units, each powered by a PowerBox that also feeds and powers its own wAPac. One SXT is across the street and one is at a dorm on the other side of the campus. The wireless has two networks, one for staff use and one for guests. The guest wireless is rate-limited so the office will have guaranteed bandwidth. Another SXT will be installed for a new building being worked on.

Domain registrar and DNS moving

Posted December 9, 2016 By admin

My DNS/registrar host was sold and accounts were moved to a new host, which I am not really pleased with. I will be migrating client DNS over the next few days and registrations over the next few weeks (possibly longer, depending on expiration dates). You should not see any changes (although I picked a very fast DNS provider, so it should be even better), but please send a help request right away if you have any issues with your website, email, etc. If changes are needed outside of my control, I will reach out to the appropriate person by opening a ticket.

Example of Cerber Ransomware

Posted December 6, 2016 By admin

I had a client fall for a ransomware email yesterday, so when I got a similar one I thought I would post it. Don’t open attachments unless you know what they are and are expecting them. I was about to say “I don’t know why you would think about opening this attachment”, but since someone did, I should explain why it’s suspicious on its face, without even looking at the headers or tracking information:

  1. It says Fwd: timlanders – but it’s not a forward and most people would take the time to actually put my name.
  2. I don’t know a Jeanene Celenza, which isn’t a deal breaker but is at least a small yellow flag considering it’s for almost $2,500.
  3. That’s one crazy email address.
  4. It was sent using a generic/free account – outlook.com, gmail.com, yahoo.com, etc. – it didn’t come from a business (one of the reasons I tell clients they should not be using gmail for business accounts).
  5. Hello timlanders – again, a legit email would most likely say “Tim Landers”.
  6. “You will be charged” – well, I guess this is the hook. Normally, though, you would have already been charged and they would have sent the receipt as a PDF, so this is kind of strange.
  7. I do have a personal Visa so they got me there – but “on your personal Visa balance” – who would say that?
  8. To avoid the charge I have to open an attachment? Why don’t you just put in the body?
  9. You password-protected the document and included the password in the email? What’s the point of that? (For the attacker, the point is that the mail gateway’s antivirus cannot scan an encrypted attachment.)
  10. “Faithfully yours” ? But I don’t know this person – seems a little personal in that case.
  11. What’s missing? A business name, contact information, some more info, a real subject?

Fortunately, the client sent a help request right away, and I immediately connected, restarted the computer, and removed the script. Because we caught it early it had not hit the server, and we were able to restore the few files it encrypted (he did not have much local data).

[Image: 20161206-crypto-example]

My church goes regularly to Reynosa, Mexico to help build homes for local residents. Volunteers stay at an orphanage in Reynosa. It came to my attention that the orphanage has internet connection issues, security concerns with their wireless, and a desire to increase wireless coverage for guests and staff. I volunteered to purchase and install about $1,000 worth of wireless equipment to connect five buildings together, secure the network, increase the wireless coverage and setup bandwidth allocation between the office staff and the guests. My son and I are going down the day after Christmas for a week to install and configure the equipment.

You can help us a couple of ways. First of all, be patient with us while I’m in Mexico. I’ll do my absolute best to take care of issues and help requests in a timely manner, and Juan will be in the office. Second of all, consider sponsoring my son and me. In addition to the equipment, I’ve also purchased about $800 in tools and supplies, and the trip is over $250 for each of us (fuel, food, lodging). Checks can be made out to “Bear Creek Bible Church” with Landers in the memo. You can send them to the CITS address (PO Box 335, Euless TX 76039).

CITS Help Request version 2.0

Posted October 30, 2016 By admin

We are pleased to announce we are rolling out version 2 of the CITS Help Request. The old version should get uninstalled but if you have any issues after a couple of days of getting the new version please let us know. We won’t push it out to everyone right away so don’t be concerned if you don’t get the new version for a week or two.

After install you will need to launch the Help Request from an icon (or restart) before it’s placed next to the clock.

Changes:

  • The program has been completely rewritten.
  • Icon has been changed to our logo (mainly so there is a difference between the two icons).
  • The installer will now put an icon in the start menu, the CITS folder of the start menu and the desktop.
  • You can now use any icon to bring up the form instead of just the icon by the clock (previously the other icons reported that the program was already running).
  • Out of Office message will now be reported even without sending a help request (click the OoO tab).
  • We can push out alerts and notices to users on a global level, domain level, user level or computer level. You will be notified via brief popup and then the icon will notify you of unread message(s). Once you read the message(s) you will not be notified again. Messages are updated every five minutes.
  • Filled-out information (name, phone, email) is now stored. Fields are initially completed from Active Directory if the information is available, but after that the information entered is used.
  • Field validation has been changed to tell users that phone number is required (as opposed to just turning it red).
  • Better error handling of situations where the alert could not be sent (instead of just crashing).
  • The response now reports if the alert is being sent outside of business hours or during a time when alerts are limited.
  • The program now sends the alert directly to the alerting platform and the ticket directly to the service desk platform (old version sent message to a server that then sent message to alerting platform that then sent message to ticketing system).
  • You will now get a ticket number in the response window (if you don’t attach a screenshot – one minor thing to work on).
  • The font should be a little larger (user requested).
  • You can now resize the form.
  • You can now use carriage returns in the issue field.
  • The resulting ticket will now have a more descriptive title.
  • Added balloon popups for help.
  • You can now send a screenshot of the primary monitor – this should be a huge help to us as we were getting a lot of requests that said “I’m getting this message” which required us to access the computer. It often took longer to get on the computer than it did to simply reply to the help request with an “ignore it”, “click yes” or whatever the correct answer was.
  • Version has been moved to top left and is v2.0.0.
  • The request box now stays on top of other windows.
  • Response and message are now rich text as opposed to plain text.

11/08/2016 change

  • version 2.0.1
  • Found an issue where email addresses had to be lower case to validate.
  • Email addresses are now converted to lower case when leaving the field and will validate regardless of case.