“In a new stunning example of the scale and sophistication of online cybercrime, just before the holidays, DOJ charged two hackers with stealing hundreds of gigabytes of data—including sensitive intellectual property, confidential business data, and personal information from companies and government agencies around the world—as part of a multi-year cyber-espionage campaign that targeted managed service providers (MSPs) directly, bypassing the protections of client systems. This indictment is the latest example of the U.S. government’s use of the criminal justice system to crack down on state-sponsored economic espionage.
As alleged in the indictment, the hackers belong to what is believed to be an elite, Chinese government-sponsored group known within the cyber-security community as Advanced Persistent Threat 10 (APT10). The targets of the hacking campaign included companies in the aerospace, health care, biotechnology, finance, manufacturing, and oil and gas industries, as well as U.S. government agencies, such as NASA and the U.S. Department of Energy.”
The indictment alleges that APT10’s MSP Theft Campaign began in 2014 and involved three stages.
The hackers gained unauthorized access to the MSPs’ computers and installed malware that allowed APT10 to remotely monitor the computers and steal login credentials.
The group then used these stolen credentials to move laterally into each MSP’s network and the networks of their clients, further spreading the malware infection.
APT10 identified data of interest on these compromised computers and created packages for exfiltration using encrypted archives, allowing the hackers to move the data from one system to another before ultimately transferring it to APT10’s computers.
This sort of breach calls into question the operating procedures of MSPs everywhere, their security practices, and their moral compass. If IT support staff are not trained in best practices and cannot keep from being infected via websites or emails, then what business do they have managing larger network systems with sensitive data?
If you are unsure of your MSP’s practices and would prefer a company with transparency, then contact us for assistance.
According to the following Microsoft Support post published in October 2018, the HomeGroup feature has now been removed from Windows 10. Most people won’t need to worry about this, but I recently ran across a business that had relied on this feature to run their network. With HomeGroup removed from Windows 10, they were left without the ability to share properly with a new computer on the network. So here is how to fix the issue:
How to fix Windows Networking after HomeGroup Removal
Turn off all sharing:
Open Network & Sharing Center
Click on Advanced Sharing Settings
Turn off network discovery (Private & Public)
Turn off file and print sharing (Private & Public)
Turn off Public folder sharing (All Networks)
Turn off Password Protected Sharing (All Networks)
Save Changes
Remove old password:
Open Credentials Manager
Change to Windows Credentials
Remove all $HomeGroup user credentials for the networked computers, on every computer formerly in the HomeGroup
AutoStart Services
Open Services
Find Function Discovery Provider Host and set to Automatic Startup then Start service
Find Function Discovery Resource Publication and set to Automatic Startup then Start service
Find SSDP Discovery and set to Automatic Startup then Start service
Find UPnP Device Host and set to Automatic Startup then Start service
Add Users
Get username and password for all computers on network
On each computer on the network, open command prompt
For each username, use the command – net user [username] [password] /add
Turn on all sharing:
Open Network & Sharing Center
Click on Advanced Sharing Settings
Turn on network discovery (Private)
Turn on file and print sharing (Private)
Turn on Public folder sharing (All Networks)
Use 128-bit encryption (All Networks)
Turn on Password Protected Sharing (All Networks)
Save Changes
Recreate Shares (if needed)
Right-click on folder and choose Properties
Click on Sharing tab
Click on Advanced Sharing
Check Share This Folder
Name the share
Click Permissions
Click on Add
Select username and add Full Control then click OK
Repeat for each username
Click OK to return to Properties window
Click on Security Tab
Click on Advanced
Click on Add
Select username and add Full Permissions (or appropriate level) then click OK
Repeat for each username
Check Replace Child Permissions and click OK
Click OK on all previous windows
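As an added example (not part of the original post), here is a PowerShell version of the steps above for one Windows 10 machine, run from an elevated prompt. The share name, share path and user names are placeholders; the share permission is Full Control as in the steps, while the NTFS level is set to Modify, which the steps allow with "or appropriate level".

```powershell
# Added example: automates the HomeGroup-removal fix above on one Windows 10 machine.
# Run from an elevated PowerShell prompt. Placeholders: adjust to your own network.
$ShareName = 'Shared'               # placeholder share name
$SharePath = 'C:\Shared'            # placeholder folder to share
$Users     = @('alice', 'bob')      # placeholder: the user names used on the other computers

# 1. AutoStart Services: the four services Network Discovery relies on
$Services = 'fdPHost', 'FDResPub', 'SSDPSRV', 'upnphost'
foreach ($svc in $Services) {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 2. Add Users: local accounts matching the other computers (replaces "net user ... /add").
#    The password is prompted for, so it never ends up in the command history or a script file.
foreach ($u in $Users) {
    if (-not (Get-LocalUser -Name $u -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -Prompt "Password for $u" -AsSecureString
        New-LocalUser -Name $u -Password $pw | Out-Null
    }
}

# 3. Turn on sharing for the Private profile only; Public stays off, as in the steps above
foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
    Get-NetFirewallRule -DisplayGroup $group |
        Where-Object { $_.Profile -match 'Private|Any' } |
        Enable-NetFirewallRule
}

# 4. Recreate Shares: share permissions (Full Control, as above) plus NTFS permissions (Modify)
if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess $Users | Out-Null
}
$acl = Get-Acl -Path $SharePath
foreach ($u in $Users) {
    # Modify on this folder, inherited by child folders and files (Replace Child Permissions)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $u, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 5. Verify: every name in $Users should be listed with Full access on the share
Get-SmbShareAccess -Name $ShareName
```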
Hope this post helps some other techs save time fixing Windows 10 networking now that HomeGroup is removed.
If your company is still using HomeGroup or needs any help with advanced networking, then contact us for assistance.
It is official – the month of September marks three years in business for Farmhouse Networking. We have been truly blessed by God to have been able to serve the Grants Pass and surrounding business communities by providing exceptional IT managed services. We look forward to many more years of giving you the highest level of support possible so that you can focus on getting business done. With this anniversary we plan on rolling out some enhancements to our monthly service offerings:
Enhanced Monthly Maintenance
Standard Maintenance: For those who are not current managed clients, these basics have always been a part of our service offering:
5-year Technology Plan & Budget
Full Network Inventory
Hard Disk Checkups (Bi-Monthly)
Hard Disk Defragmentation (Monthly)
Temporary File Cleaning (Weekly)
Anti-Virus Software (Constant Monitoring)
Operating System Updates (Weekly)
Error Log Monitoring (Constant Monitoring)
Power Settings Management (Constant Monitoring)
Windows Services (Constant Monitoring)
Continued Improvements: Over the past 3 years we have also added the following features to our service at no additional cost:
Ticketing System Portal
Email Support to Create Tickets
Security Incident Response Plan
Vendor Information Tracking
Third-Party Software Updates (Monthly on Firefox, Chrome, Acrobat Reader, etc.)
Email Blacklist Checking (Daily)
Warranty Checking (Monthly on All Major Brands)
Operating System Intrusion Detection (Constant Monitoring)
Support for MacOS & Linux (Constant Monitoring)
Server Applications (Constant Monitoring)
Hardware Events (Constant Monitoring)
Enhancements to Come: In September, we will be adding these new exciting features to our service:
DNS filtering – this will further protect your network from external threats by stopping accidental surfing to malicious sites. It also can increase productivity and network speeds by limiting wasteful frivolous surfing during company time.
Dark Web Scan – Each monthly client will have the “Dark Web” scanned to see if any email addresses connected to the company have been involved in a previous password breach.
Weekly Security Newsletter – Farmhouse Networking is partnering with a national security non-profit to deliver up-to-date news and information about how to stay safe online. These weekly newsletters will be packed with valuable information and delivered to everyone in your organization.
As our service offering has expanded, we have deepened our ability to monitor our customers’ networks and proactively respond to alerts before they become problems. We have continued to add levels of protection to make sure that our clients’ systems are safe from the ever-expanding list of threats. All this has been done at no additional cost, despite inflation, up to this point. To continue offering this high level of service, Farmhouse Networking is making a couple of small changes to its prices that will be effective September 1st, 2018.
Monthly Maintenance Clients – our services are priced per device, and the cost per workstation will be $25 per month for remote maintenance and $50 per month for full service maintenance. All other prices will remain the same for every other device on the network. This will only affect clients whose contracts are renewing after September 1st, 2018 – any renewed before that will keep their prices the same for the next 12-month term.
Small Business Clients – those who do not have a server and have less than 5 workstations, our hourly rate will be $80 per hour for on-site service and $40 per hour for remote service (billed in 15-minute increments). That is only $10 more for on-site support and $5 more for remote support.
Standard to Medium Clients – those with a server or more than 5 workstations, our hourly rate will be $120 per hour for on-site service and $60 per hour for remote service (billed in 15-minute increments). That is only $10 more for on-site support and $5 more for remote support.
Tier-3 Clients – those technology companies that utilize our advanced expertise to better serve their clients, our hourly rate will be $40 per hour for remote service (billed in 15-minute increments). That is only $5 more for remote support.
Charity Clients – those non-profits that pay for support, our hourly rate will remain at $70 per hour for on-site service and $35 per hour for remote service (billed in 15-minute increments).
For all our monthly maintenance clients, we will be calling during the month of September to schedule our semi-annual meeting to check in with you. At that time we will be performing another network inventory to ensure that all network assets are covered properly under your current contract. We cannot thank all our clients enough for your continued use of our IT services. We look forward to continuing to serve you.
Know the state of your flocks, and put your heart into caring for your herds, for riches don’t last forever, and the crown might not be passed to the next generation. After the hay is harvested and the new crop appears and the mountain grasses are gathered in, your sheep will provide wool for clothing, and your goats will provide the price of a field. And you will have enough goats’ milk for yourself, your family, and your servant girls.
Proverbs 27:23-27
Here are a couple of recent SPAM emails that were received by clients and myself. They are explicit in nature, but they are a good lesson about the scare tactics of SPAMMERS. The first message seems to be the better SPAM message, as it has better English and even tries to be humorous, while the second is more direct and extortionary. Time to dissect these messages.
SPAM Message #1
Password – This message starts by stating that it knows your password. How can this be? There have been several information breaches from the government, retailers, healthcare, etc. over the past couple of years. The majority of these breaches are eventually posted online with emails and passwords – hence the reason Farmhouse Networking has started offering Dark Web scanning and advises that passwords be changed often.
Remote Access – The SPAMMER then goes on to provide a detailed explanation of how they got into the computer. It sounds convincing, but deeper analysis by someone in the IT security industry would reveal that their explanation is flawed. To do what they propose would take several different exploits of various portions of the computer and would likely take longer than the video would be playing.
Contacts – For their “computer software” to get contacts from all these various sources would require that the password mentioned earlier in the email be the same for all these services. Farmhouse Networking recommends that different passwords be used for each service so that if one is compromised, the rest are not in jeopardy. It might be asked how to keep track of them, and the answer is password management software like LastPass.
SPAM Message #2
Threats – The message starts immediately with the intimidating remarks and threats. It may be true that alerting the authorities will not bring any immediate assistance, but if we are all upstanding citizens then there is nothing to worry about their threats. It is always good to submit these messages to the authorities (FBI) for analysis so they can take these guys down over time. I do find it sad that this SPAMMER did not take the time to explain how they gained access to my computer.
Webcam – It is very possible that if your computer is infected properly that the hacker could gain access to your webcam, but again if we are upstanding citizens and don’t do anything inappropriate in front of our computers then there is nothing to worry about here.
Bitcoin – The demands continue with a sense of urgency, giving only 28 hours before the big reveal. This particular SPAMMER either knows the value of the first SPAMMER’s creativity in producing a video or is selling themselves short at the $400 ransom in Bitcoin. Finally, they even try to give a bit of legitimacy to their claim by stating that they can send the video to a partial list of contacts.
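An added PowerShell scorer (not part of the original post) that turns the scare-tactic indicators dissected above into a rough mail filter. The two sample bodies are constructed stand-ins for the messages received, and the weights and threshold are assumptions to tune against your own mail.

```powershell
# Weighted indicators drawn from the analysis above: a breached password offered as "proof",
# a claimed webcam recording, a Bitcoin ransom with a short deadline, a threat to forward
# the video to the victim's contacts, and a Bitcoin address to pay into.
$Indicators = @(
    @{ Name = 'QuotesPassword';    Weight = 1; Pattern = '\bpassword\b';                              CaseSensitive = $false }
    @{ Name = 'ClaimsWebcam';      Weight = 1; Pattern = '\b(web ?cam|camera)\b';                     CaseSensitive = $false }
    @{ Name = 'ClaimsRecording';   Weight = 1; Pattern = '\b(video|recording|recorded)\b';            CaseSensitive = $false }
    @{ Name = 'DemandsBitcoin';    Weight = 2; Pattern = '\b(bitcoin|btc)\b';                         CaseSensitive = $false }
    @{ Name = 'ShortDeadline';     Weight = 1; Pattern = '\b\d{1,3}\s*(hours?|hrs|days?)\b';          CaseSensitive = $false }
    @{ Name = 'ThreatensContacts'; Weight = 1; Pattern = '\b(contacts|friends|family|colleagues)\b';  CaseSensitive = $false }
    # Legacy (1.../3...) or bech32 (bc1...) address shapes; base58 never uses 0, O, I or l
    @{ Name = 'BitcoinAddress';    Weight = 2; Pattern = '\b(bc1[a-z0-9]{25,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b'; CaseSensitive = $true }
)
$Threshold = 4   # assumption: tune against your own samples

function Get-SextortionScore {
    param([Parameter(Mandatory)][string]$Body)
    $score = 0
    $hits  = @()
    foreach ($ind in $Indicators) {
        # Case-sensitive match only where the pattern's letter classes carry meaning (base58)
        $matched = if ($ind.CaseSensitive) { $Body -cmatch $ind.Pattern } else { $Body -imatch $ind.Pattern }
        if ($matched) {
            $score += $ind.Weight
            $hits  += $ind.Name
        }
    }
    [pscustomobject]@{
        Score        = $score
        IsSextortion = ($score -ge $Threshold)
        Hits         = ($hits -join ', ')
    }
}

# Constructed sample bodies modelled on the two messages above (not the originals)
$Sextortion = 'I know your password is hunter2. My software recorded a video through your webcam ' +
              'while you visited certain sites. Send $400 in Bitcoin to 1FakeBTCaddrFakeBTCaddrFakeBTC12 ' +
              'within 28 hours or the video goes to all your contacts.'
$Reminder   = 'Reminder: your password expires in 7 days. Please change it through the portal. ' +
              'Contact the helpdesk if you need assistance.'

Get-SextortionScore -Body $Sextortion
Get-SextortionScore -Body $Reminder
```

The reminder body trips only the password and deadline indicators, so it stays well under the threshold, while the extortion body trips all of them.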
If your company is interested in Dark Web Scanning for on-going breach protection or worried about SPAM, then contact us for assistance.
I have been working with a web host to tighten their security settings to get PCI compliant. In doing so, we ended up breaking many of their clients’ email access by turning off SSLv3 and TLSv1.0. I was given the task of helping all the clients fix this issue (see separate blog post for the fix). One client in particular had issues beyond the normal problems with TLS, and it turned out to be ESET Antivirus. Here is the story:
Unable to Access Website:
The client first mentioned that they could not access a particular website that they needed to submit government paperwork. The error was related to the certificate being out of date. I checked the site on my own computer and it came up just fine, so I looked at their certificate and it was current with plenty of time left before expiring. I cleared the cache and went through all the normal troubleshooting steps to no avail, so I had to dig deeper. I remembered that some antivirus programs scan HTTPS traffic by putting their own certificate in place of the actual certificate from the site. I looked inside ESET Antivirus and found the culprit. Under Internet Protection > Web Access Protection I turned off the HTTPS Scanner. I restarted the browser and was able to surf to the site without issues.
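As an added diagnostic (not from the original post), this PowerShell function shows the certificate the browser is actually being handed, which is how to tell whether an HTTPS scanner has substituted its own: the Issuer will name the security product's CA rather than a public CA, and the expiry shown is the substitute's, not the site's. The host name is a placeholder, and the product-name check is an assumed heuristic to extend for other scanners.

```powershell
function Get-ObservedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever certificate is presented: this is a read-only diagnostic that sends
        # no data, and the point is to see the certificate even when validation would fail.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            Protocol    = $ssl.SslProtocol
            # Heuristic (assumed): an HTTPS scanner re-signs the certificate with its own CA,
            # so the issuer names the security product instead of a public CA.
            Intercepted = ($cert.Issuer -match 'ESET')
        }
        $ssl.Dispose()
    }
    finally {
        $client.Close()
    }
}

# Placeholder host: compare the Issuer with what an unaffected machine shows for the same site
Get-ObservedCertificate -HostName 'www.example.com' | Format-List
```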
Hidden Messages Stuck in Outlook Outbox:
The client then mentioned that some messages weren’t sending, so I looked into it and found a couple of messages that were 2MB+, which I told them were too large to send. We got rid of those, but messages were still stuck and were now hidden from view. I used the typical fix for hidden read receipts using the MFCMAPI tool, but found nothing there. I tried removing the account and re-adding it to Outlook. After the client’s 8,000+ emails downloaded via IMAP, the same problem began occurring again. Remembering the issues with ESET Antivirus web filtering, I decided to take a look at that again. Under Internet Protection > Email client protection I turned off all the Email Clients, Email Protocols, and Antispam Protection. I restarted Outlook, but the problem persisted, so I had to remove the account and re-add it to Outlook. After the client’s 8,000+ emails downloaded via IMAP, the problem was fixed.
All that being said, these kinds of problems are another reason that I recommend Webroot to my clients for their antivirus protection. I prefer to have the Website filtering happen at the DNS level via a company like DNSFilter.com and the SPAM / Email filtering to happen via the email provider or an email protection service like Mailprotector.com.
If your company is interested in using a real layered approach to security not just putting a software band-aid on it, then contact us for assistance.
Thought that I would share a recently received new phishing email variant that could easily be overlooked and possibly cause damage to your network. The email appears to have come from Dropbox as a user sharing a folder with me, but a closer look shows many obvious signs that the email is a fake.
Starting from the Top
Look closely at the From portion of the email:
The lettering is actually from another language, where the font makes it look like English lettering. There is also the fact that the email is from someone that I don’t do business with. Always fight the urge to look at things that are not yours.
Stick to the Subject
Now to take a look at the Subject line of the email:
This has different lettering, but it is again a different language used to look like English lettering.
And now the rest…
The final thing that caught my eye was the “button” in the middle of the email:
It actually looked fuzzy. It turns out the entire body of the email is a single image that is a link to their malicious site. Clicking anywhere in the body of the email would send you on your way to infection or account compromise. Hope this little tutorial helps you detect other phishing attempts in the future.
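An added PowerShell check (not from the original post) for the lettering trick described above: it lists every letter in a From or Subject value that comes from a non-Latin script, which is how look-alike Cyrillic or Greek letters give themselves away even when the font hides them. The sample header values are constructed.

```powershell
function Get-LetterScript {
    # Maps a UTF-16 code unit to a rough script name; only Latin counts as English lettering
    param([int]$Code)
    switch ($Code) {
        { $_ -le 0x024F }                     { return 'Latin' }     # Basic Latin through Latin Extended-B
        { $_ -ge 0x0370 -and $_ -le 0x03FF }  { return 'Greek' }
        { $_ -ge 0x0400 -and $_ -le 0x04FF }  { return 'Cyrillic' }
        { $_ -ge 0x0530 -and $_ -le 0x058F }  { return 'Armenian' }
        default                               { return 'Other' }
    }
}

function Find-LookAlikeLetters {
    # Returns one record per letter that is not Latin script, with its code point and script
    param([Parameter(Mandatory)][string]$Text, [string]$Field = 'text')
    foreach ($ch in $Text.ToCharArray()) {
        if (-not [char]::IsLetter($ch)) { continue }
        $code   = [int]$ch
        $script = Get-LetterScript -Code $code
        if ($script -ne 'Latin') {
            [pscustomobject]@{
                Field     = $Field
                Char      = $ch
                CodePoint = 'U+{0:X4}' -f $code
                Script    = $script
            }
        }
    }
}

# Constructed sample headers: the "o" in the display name and the "a" in the subject are
# Cyrillic (U+043E and U+0430), which render like the Latin letters in most fonts.
$From    = 'Dr' + [char]0x043E + 'pbox <share@example.com>'
$Subject = 'A folder w' + [char]0x0430 + 's shared with you'

$findings = @(Find-LookAlikeLetters -Text $From -Field 'From') +
            @(Find-LookAlikeLetters -Text $Subject -Field 'Subject')
if ($findings.Count -gt 0) {
    Write-Output 'Mixed-script lettering found; treat the message as phishing:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No non-Latin letters in From or Subject.'
}
```

The same function can be pointed at link text or a sender's domain, where the same substitution is used to imitate a known brand.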
If your company is having trouble with SPAM or phishing, then contact us for assistance.
I had a client that repeatedly had trouble with network drives disconnecting randomly. I did explain that this would happen normally if they kept their workstations logged into the server, but they did not want to change their habits. I performed the usual registry fixes on the workstations and the server, but these did not seem to work. Finally I got to look at the error and figured out the Group Policy Object that was causing the problem.
Usual Registry Fix:
The default method for this is to edit the registry as follows on both the workstations and the server, and to run a command on the server, which lengthens the disconnect time on the workstations and disables disconnect on the server.
Workstations:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following key in the registry:
In the right pane, click the autodisconnect value, and then on the Edit menu, click Modify. If the autodisconnect value does not exist, follow these steps:
On the Edit menu, point to New, and then click REG_DWORD.
Type autodisconnect, and then press ENTER.
On the Edit menu, click Modify.
Click Decimal.
In the Value data box, type 0, and then click OK.
Finally the following command should also be run:
net config server /autodisconnect:-1
Group Policy Object Fix:
Even though I changed the systems as above, it still disconnected regularly. The clients were getting this message when disconnected: “The system has detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.” Some research found that Windows Small Business Server created a Group Policy Object that by default times out authentication to the server after 10 hours. Here is how I changed it:
Open Group Policy Management
Look for Default Domain Policy
Click on the Settings tab and then Show All
Under Account Policies/Kerberos Policy look for Maximum lifetime for user ticket which by default was 10 hours.
Right click on the policy and choose Edit
Dig down to Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
Change the Maximum lifetime for user ticket to 100 hours (>4 days)
Change the Maximum lifetime for user ticket renewal to 4 days
This combination will keep the ticket lifetime timeout longer than the time for renewal which will cause the renewal to happen before the timeout. Problem solved.
If your company is having issues with Network Drive Disconnect, then contact us for assistance.
Ransomware has become a serious epidemic affecting businesses of all sizes, and protecting your company is more essential than ever before as the number of ransomware attacks continues to rise. A recent U.S. Government inter-agency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 — a 300-percent increase over the 1,000 daily ransomware attacks reported in 2015.
As ransomware spreads, it continues to evolve and get more sophisticated — and more lucrative. In fact, according to Internet Crime Complaint Center, ransomware victims paid more than $24 million to regain access to their data in 2015 alone.
What does all this mean for small to medium-sized businesses?
I just finished cleaning up after a security breach (aka hacking) of one of my clients’ accounting workstations. They had an older method of remote access, Microsoft Remote Desktop, that has known vulnerabilities without additional security measures in place. The hacker did not touch their QuickBooks data (super surprising), but installed software to send SPAM, mine Bitcoin crypto-currency, and run fraudulent credit card transactions. Since there was no compromise of Primary Account Numbers (PAN) or customer data, there was no need to notify customers, but the FBI Cyber Crime division was still notified to share with them the intelligence from the breach. This then led to me reading through the PCI DSS regulations again and making the requisite recommendations to mitigate the current issues with the client’s network and protect against future attempts. Here is a list of applicable PCI Compliance Regulations:
Requirement 1.1.2 – Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Requirement 1.2 – Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
Requirement 1.3 – Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Requirement 4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
• Only trusted keys and certificates are accepted
• The protocol in use only supports secure versions or configurations
• The encryption strength is appropriate for the encryption methodology in use
Requirement 5.1 – Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Requirement 5.2 – Ensure that all anti-virus mechanisms are maintained as follows:
• Are kept current
• Perform periodic scans
• Generate audit logs
Requirement 5.3 – Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Requirement 6.2 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Requirement 8.2.3 – Passwords/passphrases must meet the following:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.
Requirement 8.2.4 – Change user passwords/passphrases at least once every 90 days.
If your company has PCI Compliance Regulations that you need consulting for, then contact us for assistance.
Entrepreneurs face the same cybersecurity challenges and threats that larger businesses face but with limited resources, capacity, and personnel. Cybersecurity is especially important for entrepreneurs because they have the unique opportunity to integrate cybersecurity practices at the onset of their investments and business development.
DID YOU KNOW?
Approximately 77 percent of small firms believe their company is safe from a cyber attack, even though 83 percent of those firms do not have a written security policy in place.
Unlike larger firms that can absorb the cost of a cyber attack, the consequences can be catastrophic for smaller ventures and entrepreneurs.
SIMPLE TIPS
Use and regularly update anti-virus software and anti-spyware on all computers. Automate patch deployments to protect against vulnerabilities. (Our monthly maintenance takes care of this.)
Secure your Internet connection by using a firewall, password protecting your Wi-Fi network, and changing default passwords for your wireless network and router. (Most businesses who buy a router from a local office supply store don’t take the time to change the default password and don’t know these devices are rarely updated by vendors.)
Establish security policies and practices (e.g., using encryption technology) to protect sensitive data, including customer information and intellectual property.
Use strong passwords and change them regularly. (Minimum recommended password length is 10 characters with upper and lower letters, numbers and symbols. Changing passwords should be monthly or quarterly if possible.)
Protect all pages on your public-facing websites, not just the sign-up and checkout pages.
Invest in data loss prevention software and use encryption technology to protect data that is transmitted over the Internet.
If your company is concerned about cybersecurity and wants to take the needed steps to protect yourselves, then contact us for assistance.