Login errors after Trend upgrade

Recently, I did an upgrade from Trend CSM Suite for SMB 3.6 to Trend Worry Free Business Security v5.0 on an SBS 2003 R2 Premium system using ISA 2004 as the firewall. The update went fine and no errors were encountered. That was until I received the server report logs the following day.

[Screenshot: failed logins in the server report log]

 

I got thousands of failed logins, and the login attempts appear to be random junk, as you can see above. It turns out that when you upgrade to the latest version of Trend, which includes a new feature called Web Reputation, you don’t get prompted for the proxy details for that component.

[Screenshot: Web Reputation proxy settings]

 

So previously, with SBS 2003 Premium, you probably had the proxy settings working under Preferences > Global Settings. The problem is that with the new version of Trend you also need proxy settings for Web Reputation and Behaviour Monitoring. Once I had entered the same proxy login settings as I had for the Product Updates area above, I expected to see no more failed logins.

Oh, how wrong I was! I now started seeing tens of thousands of failed login attempts instead of just thousands. What the hell? When I called Trend support they pointed the finger at Microsoft. Ahhhh, no: the Trend update was the only thing that had been done to the server. Trend’s response? Sorry, we can’t help, have a nice day.

So after discovering some other SBS people who had the same issue, I worked out (through the shared error experience) that the username and password fields for the Web Reputation proxy setting MUST BE less than 14 characters each! Yes, you read right: less than 14 characters for the login name AND the password. Anything over that and there will be proxy login failures. In my case I actually had to create a new server user and remove the login domain\username and change it to simply username. The login for the Product Updates area can remain as domain\username and be longer than 14 characters, but the details for Web Reputation can’t.

Now really, how can this sort of issue happen in this day and age? Clearly it does, and it is us poor IT support people who are left to sort the crap out, in my case WITHOUT assistance from Trend. So if you experience the same issue, this solution worked for me and I hope it also works for you. Roll on Trend Worry Free Business Security 5.1.

Another DNS checker

I’ve found an even better site that can check your DNS for recent vulnerability issues.

https://www.dns-oarc.net/oarc/services/dnsentropy 

The results are presented as easy-to-understand graphics that provide plenty of information. You should run this test to see whether the DNS servers you are using (usually your ISP’s) have been patched to overcome the recent DNS vulnerability.

However, I would strongly suggest you consider using www.opendns.com as an alternative DNS resolver for so many other reasons as well.

Do you trust your bank?

No? Neither would I, however they are still out there doing stupid things. Such as? This story from the Sydney Morning Herald details how a server the bank sold on eBay still had confidential client information. Um, like, how is that supposed to happen? An “honest error” and an “isolated incident” according to the bank. Yeah, right.

Being involved in recycling technology myself for worthy causes, I can’t tell you how much “interesting” data I have found on machines individuals and businesses have donated. Now I make sure that every machine I recycle has its information thoroughly wiped to military standards before it is resold, so if I can do that, why can’t the bank? It is simply a matter of booting from a CD and letting an erase program run. Still, it amazes me how little people value their information.

The problem is, think of all the establishments that have information about you stored somewhere on a computer. What do they do with their old systems? Do they have a data destruction policy? What about your home PCs? What happens after they have served their time? Do you just throw them out? Ah, what about the data? It doesn’t suddenly become unreadable just because the PC is a little slow.

Value your data. If you want to keep it private, encrypt it. When you are finished with it, wipe it, for once information escapes your control all it wants to be is free and, like a genie, it doesn’t care who its master is! The real worry is those businesses who “look” after your data. What do they do? If you feel uneasy, I’d ask them.
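To make the “wipe it” step concrete, here is an added Python example (mine, not from the post or from any particular erase program) of the overwrite-and-verify idea: every byte of a file is overwritten with random data, then with zeros, synced to disk after each pass, and read back to confirm the zero pass actually landed. The “confidential” content that demo_wipe creates is constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def overwrite_file(path: str, random_passes: int = 2) -> int:
    """Overwrite every byte of `path` in place: `random_passes` passes of
    random data followed by one pass of zeros, fsync'ing after each pass so
    the data is pushed to the device rather than sitting in the page cache.
    Returns the file size in bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(random_passes + 1):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                # bytes(n) is n zero bytes; the last pass leaves a known pattern
                pattern = secrets.token_bytes(n) if p < random_passes else bytes(n)
                f.write(pattern)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_zeroed(path: str) -> bool:
    """Read the file back and confirm the final zero pass is what is on disk."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def demo_wipe() -> tuple:
    """Create a throwaway file holding constructed 'account' data, wipe it,
    and return (zero_pass_verified, secret_still_readable)."""
    secret = b"ACCOUNT 12-345-678 BALANCE 10432.55 PIN 9081\n" * 2000  # constructed
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        overwrite_file(path, random_passes=2)
        verified = verify_zeroed(path)
        with open(path, "rb") as f:
            still_readable = b"ACCOUNT" in f.read()
        return verified, still_readable
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("zero pass verified, secret still readable:", demo_wipe())
```

Overwriting a single file in place is the weak form of this. Journaling and copy-on-write filesystems keep older copies of blocks, and SSD wear-levelling means the flash cell you “overwrote” may not be the one that held the data, so for a machine that is leaving your hands do what the post says: boot from a CD and wipe the whole device, or run full-disk encryption from day one so that destroying the key is the wipe.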

ISP DNS vulnerability checker

If you aren’t aware, there has recently been an issue with DNS servers that may allow an attacker to redirect you to a malicious web site. If you are interested in some more information about the issue, see a recent story in the Sydney Morning Herald.

Unfortunately, this issue needs to be resolved at the ISP level, which basically means your ISP has to patch their DNS servers, otherwise all their subscribers could be vulnerable. How can you tell whether your ISP has patched their servers?

DoxPara has been set up to do just that. Go to the site and click on the Test my DNS button on the right-hand side. This will then return the results of a DNS query: if the source ports are random (i.e. :42039, :54311, :34597, etc.) then your ISP has patched. However, if the ports follow an obvious pattern (i.e. :1001, :1002, :1003, or :30000, :30020, :30100) then your ISP probably hasn’t patched and you need to ask them why.
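As an added example (not part of the original post, and nothing to do with how the DoxPara test itself is implemented), here is a small Python classifier that applies the rule above to a list of source ports observed on successive queries. The port lists are constructed, and the “fixed port” and “narrow range” verdicts go beyond the two patterns the post describes: resolvers from before the patch commonly used a single fixed source port, and a resolver that hops within a few hundred ports is barely better than a sequential one.

```python
import statistics
from typing import Sequence

# Constructed sample port lists (not real checker output). Each list stands in
# for the source ports a resolver used on successive queries, as a checker
# such as the DoxPara test reports them.
RANDOM_PORTS = [42039, 54311, 34597, 61002, 18844, 50271, 27736, 39905]
SEQUENTIAL_PORTS = [1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008]
STEPPED_PORTS = [30000, 30020, 30100, 30120, 30200, 30220, 30300, 30320]
FIXED_PORT = [53] * 8          # classic pre-patch behaviour: one source port for everything
NARROW_PORTS = [40000, 40500, 40100, 40900, 40300, 40700]


def is_sequential(ports: Sequence[int], max_step: int = 200) -> bool:
    """True when every successive port rises by a small step (e.g. +1 or +20)."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


def port_spread(ports: Sequence[int]) -> int:
    """Range of the observed ports; a patched resolver spans most of 1024-65535."""
    return max(ports) - min(ports)


def assess_resolver(ports: Sequence[int], min_samples: int = 5) -> str:
    """Classify a resolver's source-port behaviour from the ports it used.

    Returns one of "insufficient", "fixed port", "sequential", "narrow range"
    or "random". Only "random" suggests source-port randomisation (the
    mitigation for the 2008 cache-poisoning issue) is in place.
    """
    if len(ports) < min_samples:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed port"
    if is_sequential(ports):
        return "sequential"
    # A wide range with a healthy standard deviation is what randomisation looks like;
    # the 4096 / 1024 thresholds are assumptions chosen for this illustration.
    if port_spread(ports) < 4096 or statistics.pstdev(ports) < 1024:
        return "narrow range"
    return "random"


if __name__ == "__main__":
    samples = [("random", RANDOM_PORTS), ("sequential", SEQUENTIAL_PORTS),
               ("stepped", STEPPED_PORTS), ("fixed", FIXED_PORT), ("narrow", NARROW_PORTS)]
    for name, sample in samples:
        print(f"{name:>10}: {assess_resolver(sample)}")
```

Treat a handful of samples as a screen for gross patterns only: a dozen queries is enough to spot a fixed or stepping port, not to prove good entropy. Also remember that a NAT router between you and the resolver can rewrite the source ports it forwards, so the pattern you observe may be the NAT’s rather than the resolver’s; test from as close to the resolver as you can.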

The bad guys win again!

Seems like a few people have been fleeced of their money via a bogus Olympic ticketing web site.

As you can see, www.beijingticketing.com looks very professional and there really isn’t much to give it away as a scam. A story in the Sydney Morning Herald gives you some of the dollar figures for people who have been fleeced, and it ain’t small money!

This again demonstrates how sophisticated the bad guys are becoming in the quest to part you from your money. There is no simple solution to this problem, because if you can fool the human at the keyboard you are well on your way to payday.

I know hindsight is 20/20 but if you read the About us page you do find some grammar issues like:

“We are special for providing sold out event tickets in very economical prices.”

and

“For being in the ticket market since a long time we have become very popular in football fans and music lovers”

Now I admit that bad grammar on a sophisticated web site does warrant concern, but I don’t think it would have mattered in this case. Firstly, most people would have been taken in by the professional look of the web site, and secondly most would not have bothered to check the About page. Finally, grammar issues could have been put down to the site being translated from Chinese (maybe).

So all in all, a very hard one for even the most vigilant computer user to pick. I suppose the only adage that can be applied is “if it seems too good to be true, then chances are it is”.

Bad guys 2 – Internet users 0

Why the bad guys will always win

Seen an email like this lately? Most techie types would know that this certainly smells like some form of malware, but what about a “normal” user? The following scenario really happened; the names have been changed to protect the innocent.

User – “My machine says that it is infected with spyware”
Techie – “Where does it say that?”
User – “Down the bottom right hand side of the screen. It says Windows has detected your machine is infected with spyware”
Techie – “Do you have anti-virus and is it up to date?”
User – “Yes, I have PC-cillian and it is up to date”
Techie – “Ok, I’ll remote in and have a look”

Sure enough the machine appears to be infected with spyware, however after running a full system scan with PC-Cillian nothing is detected.

Techie – “Did you open email attachments today?”
User – “Yes, I opened one from UPS”
Techie – “Why? Did you send a parcel via UPS?”
User – “No”
Techie – “Are you expecting a parcel from UPS?”
User – “No”
Techie – “So, why did you open it?”
User – “I thought I was getting a surprise package”

Well, ladies and gentlemen the user sure did get a surprise package. For when they opened and ran the attachment it installed a hidden service in multiple locations on the disk, in the registry and so on. Thus, the machine was now infected.

Techie – “What did you do after you ran the attachment?”
User – “I went and did my Internet banking”

This story just keeps getting better and better, doesn’t it? Firstly, the user gets their system infected with spyware by actually RUNNING an unknown attachment. Then, even though the system warns them there is an issue, they simply ignore that fact and go and do Internet banking. We pick up the story again….

Techie – “I think you had better go and check your bank balances because there is a chance someone has stolen your passwords”
User – “They can do that?”

Sure enough, checking the bank balances on a “known” clean machine, it turns out the maximum daily withdrawal amount has been transferred to an unknown account today, strangely not that long ago.

Techie – “You had better go and change all your Internet banking passwords”
User – “I don’t want to do that it is such a pain”
Techie – “Well if you don’t they are going to keep taking money out of your account”
User – “They can do that?”
Techie – “They have your password remember?”
User – “Better go and change my password eh?”
Techie – “Very good idea and in the meantime I’ll try and clean up this machine”

Very interesting that this UPS_service.exe spyware had completely slipped through PC-Cillian. After searching the web there didn’t appear to be much about how to clean up the infection. So it had to be manually removed from the registry and the file system, and then the system restored to a previous point in time. After running multiple scans on the machine it WOULD APPEAR to be clean, but you can never now be 100% sure.

User – “Whatta you mean you can’t be 100% sure”
Techie – “Look, I have done everything I can think of to remove it but if PC-Cillian isn’t even detecting it how can you be 100% sure?”
User – “But I want to be 100% sure?”
Techie – “Wipe the disk and start again”
User – “WHAT???”
Techie – “Sorry. Once a bad guy has control of your system, it ain’t yours anymore. You can try and throw them out but who knows what other tricks and back doors they have created for themselves”
User – “All that because I opened an attachment?”
Techie – “Yup”

This is why the bad guys are ALWAYS going to get around any technological protection you put in place. If they can fool the human being into overriding all these safeguards, then why even attempt to circumvent the technology? Go straight for the human weakness, because you know it will work EVERY time.

Education is the key. NEVER EVER trust something unsolicited from the Internet and THINK before opening ANY attachment.

You have been warned!

PC-Cillian and Windows default profile

Just updated a stand-alone machine to Trend Micro PC-Cillian Internet Security 2008, and when I logged in I got a message saying there were not enough system resources and I would be logged in with the default profile. Huh? Stand-alone machine, not enough resources? My ar@#! A reboot didn’t fix the problem, so it was off to Google.

The result was this article:

http://support.antivirus.co.uk/trendmicro/kbresolution.jsp?hmid=46365&appId=11

which basically tells you that PC-Cillian is a resource hog and you need to make some registry changes to allow more paged pool memory. The above article contains a link to a Microsoft KB article that did the trick for me.

It seems that a few other people are getting the same problem now. Phew, it wasn’t me after all!

Video 42 – Wireless security

I’ve just uploaded Video 42 to YouTube. To view it, simply click here.

In this video I’ve focused on why implementing wireless security is important. All it takes is a single opening for someone to potentially gain complete access to your network and Internet connection. The video concludes with some recommendations on how to make sure your wireless network is kept secure.