[G13net]

Being in the Healthcare industry; my company has a need to be able to send confidential information over email.  To do this, obviously, we must encrypt the data.  Since we used PGP for our whole disk encryption, we went with their Gateway Email solution to handle our secure email.

Installing PGP Gateway Email was simple.  We fired up another VM and installed PGP Universal Server 3.0.  I created a policy to allow only certain users to send encrypted email(licensing issues).  I also specified in the policy to allow outside users to only access the secure email via a web portal.

PGP Gateway Email had everything we wanted.  Our employees simply put a certain phrase into the subject line of an email and it will be encrypted by our server.  So far everything has worked well and our staff has welcomed the ability to email the information instead of fax!

G13 Cryptography, Security

The company I work for has an office in shared space in a county building.  Previously they have been using VPN client software to connect back to our main office to access our main application.  They shared this internet with the rest of the building and was very slow.  We were able to convince the IT Dept to allow us to bring in our own internet access and our own equipment.

The goal was to provide a secure connection back to our main site instead of have several VPN connections.  We purchased a Sonicwall TZ210, a Dell Switch, and a server for the location.

Since it is a shared office space, we needed to be sure that only our equipment would have access the network we set up.  I found several documents on 802.1x configuration for wired networks and decided that this would be our best bet.

I configured the Windows XP SP3 clients with Wired Authentication.  These clients, when connected to the switch, ask to be authenticated.  The switch takes the requests, using RADIUS, and passes them to the server.  If the machine or user part of our AD domain, they will be granted access on our network.

I installed Windows Server 2008 R2 Standard to act as the RADIUS server.  I had to install Certificate Services, Active Directory Services, and Network Policy and Access Services in order for this to work.

I created a Connection Request Policy to accept RADIUS requests from the switch.  The server was also configured to accept PEAP and EAP-MSCHAPv2 requests for network access.  The Network Access Policy I created allowed any Domain User or Domain Computer to be granted access.

For PEAP to work, there needs to be a RAS Certificate issued by a Certificate Authority.  This was throwing me for a loop for awhile until I got this to work.  Since we didnt have a Certificate Authority, I installed the Role as a stand-alone server.

The switch was very easy to configure.  Under management I had to specify our RADIUS server and under Port Based Authentication I specified to use RADIUS to authenticate.  I then set the node ports to Auto, which sets the state of either Authorized or Denied based on the RADIUS response from the server.

On the switch I also had to set the ports to be Multi-Host.  We had a few weird issues on a couple PCs and that fixed the problem.

The nodes were even easier to configure.  The Wired Autoconfig service needed to be started and set to automatic.  Then in the network properties for the LAN adapter, had set PEAP to not validate the server certificate.  This was because we used self-signed certificates.

After this all was done everything worked quite well.  The staff were also very pleased with the improvements we had made!

G13 Security

Well it looks like Symantec bought PGP and Guardian Edge; two very popular encryption suites.  As a user of PGP’s products, I am very worried about what will happen to the functionality of the product, but also to the brand as well.

PGP has a long history of turmoil.  I fear that symantec will treat PGP like they did Backup Exec; make it huge and bloated.

While many say that they plan on taking Guardian Edge’s products and putting them under PGP’s management structure; I will wait to see what comes of this.

I’m sure licensing costs are about to go up as well.

G13 Cryptography, Security

Recently McAfee released an update that crippled many Windows XP machines running SP3.  The update caused svchost.exe to be flagged as a virus.  I am just in shock that such a large company didn’t do thorough enough testing to stop this from happening.

I’m glad I stayed away from McAfee’s products.

http://www.betanews.com/article/One-very-false-positive-McAfee-in-full-damage-control-mode/1272040662

G13 Malware, Security, Windows

It seems that my site has popped up on the radar for Russian spam bots.  I have been getting several “comments” posted on my site for a variety of different sexual enhancement pills and other pharmaceuticals.

The spam is coming from many different IPs but one email address is used most often: kuchkonaru@gmail.com.

Damn Russians.

G13 Security

*This post will detail an account I had with a customer while working at the ISP*

We were alerted that a certain IP of ours was spitting out spam and malware traffic like crazy.  When we pulled the connection history, all of their outbound traffic was port 25(SMTP) leaving the country.  We located the client and attempted to contact them.

The first few calls were unsuccessful.  After you leave a few messages and the staff says “the owner is not here right now, but I will leave this message” it smells of a small shop.  I called later in the day and was finally able to reach the manager.  I explained to him the traffic we were seeing and that he should contact his tech support.

I asked him about his setup and he said he had only one PC connected to our network with no router in between. All of our connections were bridged so that PC was full blown on the internet.  He said it was an old windows 98 machine; to make matters worse!  He then told me that this is his only POS(Point of Sale) machine and it handles all of his credit card transactions.  What he told me next made my jaw drop; his IT support told him not to worry about the virus!

So we have a machine, spitting out tons of spam and stealing who knows how many credit cards and the guy he PAYS for support told him not to worry!  His IT support told him not to worry about it because there is nothing he can do and even if he does fix it a problem will just show up again; viruses are everywhere!

I couldn’t believe what he told him.  It took a lot of convincing to get the owner to even understand why this was such an issue.  At the end of the day I still couldn’t get him to take it seriously and deal with the issue.  We ended up turning off his internet connection to save his customers.

Always keep in mind when dealing with smaller merchants; they usually don’t have the money or training to even care about security for their credit card transactions.  They are using software that *may* be secure and who knows if their computers are maintained.

If you see something fishy or if the staff is having a hard time with their computer; just pay cash!

G13 ISP Stories, Security

I recently came across this post at the Iowa Technology Blog about security in small businesses.  I wanted to add a few stories of mine to demonstrate the importance.

For a short while, I worked at an ISP in their Internet Abuse Dept.  We were responsible for responding to alerts and notifications of spam and other malware coming from our network.  All of our clients were on Static IPs, so we were able to identify our clients and give them details about the kinds of traffic we were seeing.

Our main offenders were always small businesses.  These were companies that had less then 10 computers, no full time IT staff, and had no idea about computer and network security.  These were often the most difficult clients to deal with as when I called no one in the office had an idea as to what I was calling about.

In the next few posts I will detail a few cases that I dealt with while working at that ISP.

G13 Security

I was tasked with coming up with a solution to allow people to securely access our network.  We did not want to have a client, so IPSEC VPNs were out.  We currently use Cisco’s SSL VPN but were unhappy on how it operated.  It is not very user friendly.

I was torn between using Sonicwall or Barracuda’s SSL VPN appliance for this task.  Either would allow us to have a public web page which users would have to enter their credentials and have access to the network.  We went with the Sonicwall due to price and features.

After some initial configuration headaches, I am really coming to enjoy working with this appliance.  I wish that making bookmarks for services can be done at the server end; this would help when configuring new users.

G13 Security

We are in the process of migrating to a new domain.  We are first migrating our field staff.  Each field staff needs their own “home” folder to store documents.  To keep this secure; we need to have read permission for everyone on the root folder and then only allow the user to view their individual issue.  I had to accomplish the following:

• Create the folders by username
• Remove inheritance from the parent folder
• Remove “Domain Users” permission from each folder
• Add the user with change permissions on the folder

I had to do this for about 190 users; doing it manually would have been a pain.

To create the folders, I had a list of all the usernames by login.  I put the names into a text file and used the following commands in a batch file to create the folders:

@echo off

for /f %%i in (file.txt) do mkdir %%i

Once the folders were created, the next step was to work with the permissions.  I found a utility called SetACL.  I replaced the “mkdir %%i” in the batch file with the following commands to complete the rest of the tasks:

• setacl -on %%i -ot file -actn setprot -op “dacl:p_c”    (Remove inheritance)
• SetACL -on %%i -ot file -actn trustee -trst “n1:domain users;s1:n;ta:remtrst;w:dacl”  (Remove Domain Users)
• setacl -on %%i -ot file -actn ace -ace n:%%i;p:change   (Add the user with change permissions to their folder

G13 Windows

I am increasingly seeing cases of infection from Rogue AV software.  My company is currently working on phasing out our old Symantec 10 and replacing it with Kaspersky, but in the mean time we keep getting these infections.

Luckily the infections have not been very destructive.  They are only in one user profile and are usually just an EXE in either Application Data or Local Settings/Application data.

Kaspersky’s viruslist.com has a good article talking about why these are so prevalent and how they are getting past some AV products.  The article can be found here.

G13 Malware, Security, Windows