Feb 16, 2016

Two Easy Things You Can Do To Protect Yourself From CryptoLocker

It finally happened, I saw my first case of a CryptoLocker variant on one of my users laptops. If you are not familiar with it, Wikipedia describes it as:
...a ransomware trojan which targeted computers running Microsoft Windows, believed to have first been posted to the Internet on 5 September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin.

Although CryptoLocker itself is readily removed, files remained encrypted in a way which researchers considered infeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.

The attacker's goal here is to have you pay a ransom to get your files back. It is estimated that 41% of people first hit by it paid the money to get their files back. That is ridiculous! The only thing you really need is a decent backup to get your files back.

Sure, you can use something like CrashPlan to backup your files to the cloud, but if you don't want to pay money for backups, and have a local NAS device or a USB drive you can use the built in File History tool to create backups of your files.  To turn it on:
  • Click Start, Click Search and search for File History


  • Click the button to turn it on.
What if you don't have a local storage device or network share to store your file changes to? No problem, just download and install Shadow Explorer! From their page:
ShadowExplorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 Volume Shadow Copy Service. It's especially [made] for users of the home editions, who don't have access to the shadow copies by default, but it's also useful for users of the other editions.
This is my preferred method as it acts just like the old Shadow Copy feature in previous version of windows and saves changes to files periodically so you can restore to previous versions. Plus it doesn't take up a lot of disk space. Not to mention that if you have laptop users that travel a lot, their local files can still be recovered.

With these two methods, you can recover files that were encrypted by RansomWare, and you won't have to pay those criminals one red cent!

Feb 15, 2016

Check your antivirus reports for false positives

The other night my email blew up because we use ClamWin on all of our servers. We do this because it has a decent detection rate, it can email out alerts, and it doesn't bog down the system with on-access scanning. We schedule it to scan once a week during off-peak hours.

Well the latest scans produced an epic ton of false positives. Pretty much any exe, or dll on the system was flagged as having been infected with Win.Trojan.Bancos-2115. I wasn't the only one that felt the impact of this. Apparently people who use Barracuda's felt it too because ClamAV is what Barracuda uses for virus detection engine.

Here's how my report log looked:


Well in my research over this false positive, I learned of a tool one can use to verify if the file is really infected or not. It's called VirusTotal!

From their page:
VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners. 

I selected a handful of the files reported and scanned them with VirusTotal and they all came out clean. Here is a report of another user from 2/11/2016 that apparently got hit with the Win.Trojan.Bancos-2115 false positive too. ClamWin was the only one that detected it. All other scanners reported that the file was clean:


I'm going to be using this tool quite a bit going forward I think!

Have you ever used VirusTotal? What do you like about it? Let us know in the comments!

Feb 9, 2016

Designing Smart Sites for Smartphone Users

Last May, U.S. mobile search queries passed desktop queries for the first time, confirming a long-anticipated trend, according to Google. Smartphone usage grew 394 percent between December 2010 and December 2014, while tablet usage increased 1,721 percent, with the two devices combining to account for 60 percent of time spent on social media, according to comScore.

As the growth of mobile changes the dynamics of Internet access, web design is changing accordingly. Here are some of the design trends that are transforming websites into smart sites for smartphones.

Defining Smart Sites

A smart site is a website midway between a traditional multi-page website and a one-page landing page. A traditional site has multiple pages of content that are accessible by clicking. In contrast, a sales-oriented landing page using a "squeeze page" format employs a single page that is designed to boost sales conversion rates by minimizing options for clicking away from the page. This means the only on-page option is clicking a buy button.

A smart site combines the one-page nature of a landing page with the content-oriented characteristics of a traditional website. The structure of a smart site steers users through a narrative that is digested by scrolling down the page rather than clicking off the page. The story is told visually and emotionally, with the plot guiding the readers toward some desired action at the conclusion. A smart site is also designed to be intuitive. Traditional analytics provide raw numbers from multiple pages that must be analyzed in context to translate results into meaningful performance metrics. In contrast, smart site analytics measure whether or not the site's single-page design achieved its intended goal, using tools such as heat maps, that measure which part of the page drew the reader's activity. Finally, smart sites are designed to work on all devices. Smart sites use responsive designs that adapt to the user's device and screen size in order to provide optimal experience for all users.

Pageless Design

Single-page smart sites use an approach to web design known as pageless design or scroll-oriented design. Pageless design arranges the elements of the site to be read vertically down and across the page in a story sequence that resembles the acts of a play or the chapters of a book. For instance, Driving-Tests.org places its most essential features on a page where the top of the page is dominated by a banner graphic with an image and word balloon arranged in cartoon-style configuration, which is meant to be read from left to right and down. As the reader's eye travels from left to right to follow the word balloon, his or her gaze is guided toward a call-to-action button that invites visitors to take a DMV practice test.

For readers who do not immediately click on the practice test button, the story continues in a second row that reinforces the call to action. All the essential elements of the story are contained on a single page. The site also includes supplementary pages that perform functions such as answering FAQs, illustrating that a pageless design does not have to be literally one page in order to incorporate scrolling-oriented principles. The key feature is that the page design is guided by a scroll-through narrative structure rather than a click-oriented menu structure.

Bounce Rates

Traditionally, analytics tools such as Google Analytics have measured bounce rate in terms of what percentage of visitors left a site after visiting only one page, with a high bounce rate indicating lack of user engagement. But with a one-page site, a user can be engaged even if they only read one page. To factor this in, Around Analytics recommends that one-page sites should define a timeout range, which represents how long a user has to stay on a page in order to be considered engaged. Use Javascript to set up a timeout counter that starts when the page code finishes loading, and execute a Google Analytics event when the timeout expires to let Google know the visitor is not a bounce.

Feb 8, 2016

Get notified via email when your VPN connection drops in Windows

Last Friday I mentioned a tool that lets me kill my Bittorrent client if my private VPN connection drops so the fuzz can't catch me in the act of *gasp* downloading my favorite TV shows. Today I will tell you how you can get notified via email if that connection drops so you know when to check on your media server.

This method is similar to my method for notifying you when someone in Active Directory gets locked out. It uses a PowerShell script and a scheduled task that looks for a specific event in the event log, and when that event happens the script is ran and an email is sent off. You can look at my Active Directory script post to see how to setup the scheduled task. For VPN being dropped, the event you want to use as your trigger is:
Log: System
Source: Rasman
EventID: 20268
You can use the following code and tailor it for your environment:



Save the code as vpnfail.ps1 and you should be good to go.

Obviously the above code is for secure email servers that use TLS encryption over port 587 (Like Gmail does). If you're SMTP server doesn't require it you can remove the SSL options.

You can easily test the script first by running it manually via PowerShell, and then again with your scheduled task by disconnecting from VPN.

Feb 5, 2016

Automatically kill your torrent client when your VPN drops in Windows

Well, it happened again. I received another warning letter from my ISP for downloading one of my favorite TV shows. The really sucky part is that I've been using a VPN service to hide my torrent activities for a while so I shouldn't have been detected.

The problem is that occasionally the VPN connection will drop for some unknown reason. Maybe the issue is with the VPN company, maybe the issue is with my home router, maybe the issue is with my ISP. Who really knows, But the VPN connection will drop. When it drops, I'm exposed!

For a while I tried using the SOCKS5 proxy service my VPN company offers, but for some reason RSS feeds don't work right with that so I had to turn it off in order to get my latest show downloads. When that is off, and the VPN goes down the torrent client keeps running and my real IP address is, once again, exposed!

I decided I needed a kill switch to stop my torrent client from working if the VPN fails for some reason. There are a couple of clients that have that built in. Vuze for example lets you bind to your VPN network interface, and if that connection goes down it stops working. My client of choice, qBittorrent, has this feature too, but in Windows it won't detect my PPP interface for my VPN, so it won't work for me. I don't want to use Vuze because I don't like how it handles RSS feeds.

Well, I found a solution. It's called VPNWatcher!

From TorrentFreak:
VPNWatcher is pretty straightforward. It monitors whether a VPN connection is active, and when it’s not it shuts down uTorrent or any other application it is configured to kill.
When users first start the application they can pick the network interface that matches the VPN (it appears when the VPN connects) and list the applications it has to shut down. The settings can then be saved and the user has the option to run VPNWatcher minimized.
By default the applications VPNWatcher is looking for are uTorrent and Firefox. You can change these applications in the VPNWatcher.exe.config file. I have mine set to look for qbittorrent and it works like a charm.


If for some reason my VPN gets disconnected, qbittorrent is immediately closed down! Boom! No more notices from my ISP!

What do you do to ensure your privacy when your VPN fails? Let us know in the comments!



Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam