Law Firm IT

Hack3rCon in Today's Charleston Daily Mail

2010-08-30T05:48:00.006-04:00

There is a nice story about Hack3rCon in today's Charleston Daily Mail with info about the conference and interviews with me and Rob Dixon. Being a former journalist it is ofter uncomfortable to be the subject of an interview, but Paul Fallon does a pretty good job of not misquoting me.

For more information about Hack3rCon visit http://hack3rcon.org/. A portion of the proceeds will benefit Hackers for Charity.

Welcome to Hack3rCon 2010 from The 304 Geeks on Vimeo.

Hack3rCon

2010-08-21T16:09:00.001-04:00

The 304Geeks will be hosting "Hack3rCon", the first of its kind Information Security Conference in this State!

http://www.hack3rcon.org

Register Now!

Events:
Ethical Hacking Workshops with the guys that created, teach and develop Backtrack, the most widely distributed open source penetration testing toolkit.

We have a full day of special gust discussion on everything from advanced password cracking in 2010 to detecting and stopping intruders to hands on hacking lads.

That is right, we will be holding a hacking village all weekend. Get hands on experience on our private network. Experience mentor will be on hand to guide you through the exercises. Prizes***

We will also be hold a Hacker's Capture the Flag event! Go against other ethical hackers in an attempt to get all the flags first!!!

*****WINNER GETS A NETBOOK PREINSTALLED WITH BACKTRACK!!!

Special Guests:

Dave Kennedy a.k.a. Rel1k Creator of SET
Adrian Crenshaw a.k.a. Irongeek - Security Researcher
Dennis Boas - **Classified**
Martin Bos a.k.a Purehate - Core Developer Backtrack-Linux
Lee Baird a.k.a. LeeRock - Security Consultant, Ciphent
Mark Baggett - SANS Instructor, Security Blogger - Pauldotcom

$10 Hack3rCon All Access Weekend Pass when you purchase a CharCon weekend pass. (requires pre-registration before the event)

Keep an eye out for technology driven events and contest that will be host by the 304geeks!!

The 304Geeks is a local technology group here in Charleston. It was founded in 2009 by Rob Dixon and myself.

More on Hack3rCon to come!!

Appalachian Institute of Digital Evidence First Annual Conference

2010-06-10T13:22:00.002-04:00

Appalachian Institute of Digital Evidence
First Annual Conference
July 27- 30, 2010
Marshall University Forensic Science Center

Seating is limited. To reserve a seat, email John Sammons at sammons17@marshall.edu with name, agency and contact information.

July 27 - 0800 to 1600 Cyber Security & Network Forensics

Schedule coming soon!

July 28 - 0800 to 1600 Law Enforcement

Today's Smoking Gun: An Introduction to Digital Evidence
John Sammons, Assistant Professor, Marshall University

Are you leaving evidence behind? Computers are everywhere and as such, they need to be considered as a vital source of potential evidence. Valuable digital evidence may be discovered in nearly any case, not just child pornography and identity theft. Homicide, robbery, drug violations are just a few of the cases that could be solved with digital evidence.

In this course learn the fundamentals of digital evidence, how it's different, how it's collected and how it could benefit your investigations.

Internet Investigations
Josh Brunty
Marshall University Forensic Science Center

Investigating a cybercrime and/or cybercriminal can be one of the most complex tasks facing the law enforcement professional today and requires a multidisciplinary approach supported by technical expertise that was once not needed with traditional crime. This session will focus on investigations and operations centered on the use of the internet and its many communities that are being exploited for criminal activity.

This session will teach investigators how to retrieve and/or extract such evidence using a variety of tools and techniques.

These two classes have already been submitted and approved for LET credit (4 hrs per).

July 29 0800 – 1600 – Digital Forensics

Windows 7 Forensics and USB Device Tracking

This technically intensive class is designed for the experienced digital forensic investigator. This class will provide an introduction to the Windows 7 operating system from a forensic standpoint. It will also cover the techniques used to track USB devices. The course is taught by Dustin Hurlbut, an Instructor from AccessData. AccessData is the world's largest provider of digital forensic software.

NOTE: LET credit approval pending

July 30 0800 – 1600 – Electronic Discovery

“Zubulake Revisited” - 2010 Guidance on Preservation Obligations and Spoliation
Douglas Crouse
(50 min.)

Tips For Developing an E-Discovery Response Action Plan
Matthew A. Kelly
(50 min.)

“Cull,” “Image,” “Early Case Assessment,” and Other Key Vocabulary
Jill McIntyre
(25 min.)

How to Assess Reasonable Accessibility
Jill McIntyre
(25 min.)

eDiscovery Collection
Dustin Hurlbut
(50 min.)

eDiscovery Analysis
Dustin Hurlbut
(50 min.)

Reforms of Civil Pretrial Discovery on the Horizon
Jill McIntyre
(50 min.)

Data as Evidence: Issues Governing the Admissibility of Electronically
Stored Information at Trial and in Summary Judgment Practice
Douglas Crouse
(50 min.)

Controlling E-Discovery Costs in Litigation
Jill McIntyre
(50 min.)

A Chilling Article About Law Firms Becoming Targets of Cyber Criminals

2010-03-20T10:03:00.003-04:00

I have long said that law firms are lucrative targets for hackers. Today a story appears on page DC - 1 of the San Francisco Chronicle called "Law firms are lucrative targets of cyberscams".

Last spring, a Long Beach law firm received an e-mail from a Hong Kong businessman seeking help collecting debts from American customers. An attorney with the firm saw it as a great opportunity to reel in more business during the economic downturn and agreed to help.

After a month of signing paperwork and exchanging telephone calls with his client, the attorney received word from one debtor who sent a $200,000 cashier's check to pay off his balance. The attorney deposited it in his firm's account, subtracted his $10,000 fee and wired the remaining amount to his Hong Kong client.

An hour-and-a-half later, the attorney's bank called and told him the check bounced. Fortunately, the bank was able to prevent the wire transfer from reaching its destination. He almost had been duped out of $190,000.

"They send me a nice, big, worthless check," said the attorney, who asked to remain anonymous. "Needless to say that was not a fun day. They were the hardest 24 hours of my life.

The threat has been very real for a long time. Scammers have moved from just scamming "rich americans" and have moved on to targeting "rich american lawyers". The best defense against these sorts of scams are a good spam filter and user education.

If you don't have a user education program at your firm, start one. Your IT staff should be trained in security as well. Something like the CompTIA Security+ certification is a good start. Even the MCSE has track has security some great security components to it. You should also probably have a CEH or a CISSP on staff as well, or at least a security professional you can bring in to consult on a contract basis.

...Alex Stamos, a founding partner at iSEC Partners, a San Francisco security consulting firm that recently published research identifying about 100 organizations hit by the attack, said that law firms are on the list of organizations most at risk of being targets in the future.

"Most law firms are going to be in trouble if this is the level of adversary they're going to deal with," he said. "It's impossible even for the largest law firms to have a dedicated security team that can hold their own against these people."

This threat isn't going away anytime soon. Be alert and be careful. The threat is no long the 14 year old in the basement. It's organized crime.

How Cybercriminals Steal Money

2010-02-26T00:10:00.000-05:00

Two Great Novels

2010-02-25T23:55:00.007-05:00

Daemon and its sequel, FreedomTM may be the best novels I have ever read. Below is a video of the author, Daniel Suarez, speaks on "Bot-Mediated Reality".

Bots, or hardware and software robots, are already a large part of human life. Including botnets used to send spam or generally threaten the Internet.

The Internet is Evil John Strand Louisville Infosec Conference Video

2009-10-30T18:59:00.005-04:00

I had to miss Louisville InfoSec, but Irongeek comes to the recuse with videos from the conference.

Below is a talk by Law Firm IT favorite John Strand. John is a SANS instructor and a member of the PaulDotCom crew, called "The Internet is Evil". Thanks to Irongeek for taking the time to record, post and host these on his site.

Zeus, King of the Underground Crimeware Toolkits

2009-08-27T07:39:00.006-04:00

This blog post and video explains how Zeus, currently the world's largest botnet, works.

OWA+Weak Passwords=Big Trouble

2009-08-25T04:28:00.003-04:00

Now's the time to make sure your users are using strong passwords. As pointed out in this post from the RedSpin Security Blog, Outlook Web Access makes getting email on the go very easy for users, but it opens up yet another attack surface that is pretty easy to attack using commonly used tools.

This an another example of why law firm IT folks needs to encourage the use of strong passwords.

What's so interesting about the TJX Hacker Charged With Heartland, Hannaford Breaches

2009-08-23T05:42:00.006-04:00

Here's a few details I find interesting in this story:

* The hackers allegedly stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined.
* Gonzalez and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies.
* The attack vector was SQL-injection
* The hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.
* The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well.
* Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.”
* Another hacker linked to the crime committed suicide in 2008.
* Gonzalez goes to trial in New York on September 14th for the Dave & Buster’s hack.
* Next year, Gonzalez faces trial in Massachusetts on the TJX hack and may eventually face trial in New Jersey on new charges levied against him this week for allegedly hacking into five other companies, including Heartland Payment Systems and 7-11, and stealing more than 130 million credit and debit card numbers — the largest data breach prosecuted in the United States to date.

Some are wondering if Gonzalez was hired to do these jobs for the Russian mob. I can find no coverage of such a link.

Two of my debt cards were involved in these breaches. One was replaced. My bank give me one year of free fraud monitoring on the other.

While we as law firm IT don't usually process credit card transactions, most of us have SQL databases, many of them Internet facing or running our websites.

As defenders what can we learn from the breach? Secure your web applications. SQL-injection is a common thread in many recent breaches. It's a quick and easy way to get behind your firewall.

What a OS X exploit looks like

2009-06-28T13:54:00.003-04:00

This video helped to convince me that I needed an antivirus program for my Mac. I didn't purchase Sophos since it requires a Windows server to manage the client installation on a Mac. I downloaded and installed ClamXAV. It's free.

Video: Simple Tips to Pick a Strong Password

2009-06-27T10:55:00.002-04:00

Facebook Spear Phishing, New 419 Scam

2009-05-25T09:48:00.008-04:00

I received the follow email via Facebook last night that is a new variation on the old 419 scam:

Wilson sent you a message.

--------------------
Subject: Attn: Bill Gardner

Alexander JLO - Solicitors
11 Lanark Square
Glengall Bridge
London E14 9RE
United Kingdom.
TEL:+44 794 4145 981
Fax:+44 794 4416 262

Good day: Bill ,

This is a personal E-mail directed to you and I request that
it be treated as such.

I am Barrister Wilson Baker, a solicitor at law. I am the personal attorney/sole executor to the late Engr Gerald Gardner herein after referred to as'my client' who worked as an independent oil magnate in my country and who died in a plane crash with his immediate family in December 2003.

Since the death of my client, I have written several letters to the embassy with an intent to locate any of his extended relatives whom shall be
claimants/beneficiaries of his abandoned personal estate and all such efforts have been to no avail.

More-so, I have received official letters in the last few weeks suggesting a likely proceeding for confiscation of his abandoned personal assets in line with existing laws by the bank in which my client deposited a notably high amount of money.

On this note i decided to search for a credible person and finding that you bear a similar last name, I was urged to contact you, that I may with your consent, present you to the "trustee" bank as my late client's surviving family member so as to enable you put up a claim to the bank in that capacity as a next of kin of my client.

I find this possible for the fuller reasons that you bear a similar last name with my client making it a lot easier for you to put up a claim in that
capacity.

I propose that 35% of the net sum will accrue to you at the conclusion of this deal in so far as I do not incure further expenses.

Therefore, to facilitate the immediate transfer of this funds, you need, first to contact me via my private email:(wilsonbaker3@yahoo.co.uk) for better confidentiality, signifying your interest and as soon as I obtain your confidence I will immediately appraise you with the complete details as well as fax you the documents, with which you are to proceed and i shall direct you on how to put up an application to the bank.

However, you will have to accent to an express agreement which I will forward to you in order to bind us in this transaction.

Upon the receipt of your reply,I will send you by fax or E-mail the next step to take.I will not fail to bring to your notice that this proposal is hitch-free and that you should not entertain any fears as the required arrangements have been made for the completion of this transfer.

Like I said, I require only a solemn confidentiality on this.

Best regards,
Wilson Baker Esq
--------------------

I have to admit this version of the scam is compelling enough to make me actually read the email. This version of the scam actually lists an address and telephone number, but why would a lawyer use a Yahoo email address? This is just another example of how far people will go to attempt to get between you and your money.

Lessons learned from the WV State Bar breach

2009-05-15T07:15:00.011-04:00

According to the FAQ released by the WV State Bar yesterday, the data breach reported a couple of weeks ago was the result of a unpatched Linux sever being compromised. The Bar further says it has "an unsupported FoxPro database containing member information" some where on its network that was also compromised.

It's unclear from the FAQ how the hacker or hackers took control of the Bar's webserver and started serving malware. The bar does say, "The State Bar will no longer host its own website internally, it will be hosted off-site at a secure location with a company that specializes in website development and internet security. The State Bar website will be completely re-written in a more secure manner."

Netcraft shows the Bar site was running on Windows 2000 on Apache/2.0.54 Win32 PHP/5.0.4 on 22-Mar-2006. Previously the site ran Windows 2000, Microsoft-IIS/5.07 as of Nov-2004 according to Netcraft.

As far as secruity, they say they had a firewall, "The State Bar's computer system was equipped with a firewall, which previously was believed to be secure. However, the State Bar's forensic computer experts have advised that no firewall would have prevented the sophisticated hack of the website and database. The State Bar is taking extraordinary measures, as set forth in response to question number 1 above, to prevent a security breach from occurring again in the future."

The Bar has pulled the unpatched Linus box off its network, has stopped hosting it's website internally, and has removed social security number from it's databases. Also it says it's website is being rewritten in a more secure manner.

So what can we learn from the breach. First, don't run unpatched servers, Linux, Windows, or any other OS on your network.

Second, attacks on webservers are very much in style by hackers. Since most of us have deployed firewalls, antivirus, patch management, vulnerability scanners, and intrusion detection systems, the webserver is often the weekest link in some networks. As a result, web application security has becoming very important. Secure you web apps and use web application firewalls. Also don't host websites in-house or on the same network as your production network.

Third, know what applicatons, operating systems, and servers are on your network and where they are, and document eveything. The Bar says, "Further complicating matters, there existed no documentation regarding the State Bar network layout, hardware, software and/or legacy applications. As such, the upgrade process has been a cycle of discovery and repair which has taken longer than anyone could have expected or foreseen."

As far as the breach itself, the Bar say, "The State Bar had social security numbers for approximately 4,000 members. Members whose social security numbers are believed to have been contained on the State Bar's database should have received a second and third email notifying them of that fact. Some members do not have an email address on file with the State Bar. For those members, a separate letter was mailed to them through the United States Postal Service."

The Bar has turned hard drives over to the FBI and says it will keep it's member up-to-date on the investigation.

The West Virginia State Bar Has Posted An FAQ on Its Recent Data Breach

2009-05-14T14:43:00.003-04:00

The West Virginia State Bar has posted an FAQ on its recent data breach.

COMPUTER SECURITY BREACH FAQ

By now, most members of The West Virginia State Bar have received either one or two emails regarding the security breach at the State Bar website. If you received only one email, as far as the State Bar is aware, your social security number was not in the State Bar's database. Approximately 4,000 of the 7,000 State Bar members received a second email advising that we had your social security number was in the State Bar's database. As of this date, the State Bar has no knowledge that the hackers have looked at any personal information in the State Bar database and the State Bar has received no reports that any of its members have suffered any identity theft. Nonetheless, and out of an abundance of caution, the State Bar provided an alert to each of its members regarding this security breach. This alert has led to numerous questions which the State Bar has attempted to answer below so that all of its members will continue to be informed about this situation.

1. Does the Bar have any idea of how this could happen?

In late 2006 or early 2007, the State Bar determined that it needed to upgrade its computers, its network, its member database, and its website. All of these were hosted by the State Bar onsite. Since 2007, the State Bar has been working with computer consultants to upgrade the computers, network and security at the State Bar. The upgrade process has been hampered by the existence of an outdated Linux server, and an unsupported FoxPro database containing member information. Further complicating matters, there existed no documentation regarding the State Bar network layout, hardware, software and/or legacy applications. As such, the upgrade process has been a cycle of discovery and repair which has taken longer than anyone could have expected or foreseen.

In working with the computer consultants, it was learned very recently that outside computer hackers were able to enter the State Bar computer system through the Linux server and State Bar website. From there they create access to the remainder of the State Bar network, including the member database. It is not possible for the computer consultants to determine whether the hackers did or did not look at the member database, they can only advise that the hackers had the opportunity to look at any and all computer data on the State Bar's network.

2. What will the State Bar do to make sure this does not happen again?

The State Bar has now shut down its Linux server and its website. The Linux server will be eliminated. All hard drives in the State Bar network and individual work stations were replaced. The hard drives are being turned over to the Federal Bureau of Investigation. The State Bar will no longer host its own website internally, it will be hosted off-site at a secure location with a company that specializes in website development and internet security. The State Bar website will be completely re-written in a more secure manner. These steps combined should prevent similar security breaches in the future.
The State Bar has worked with its computer consultants to delete all social security numbers from the FoxPro database and no records will be kept in the future regarding social security numbers.

3. Why did the State Bar have my social security number and when did it get it?

At various points in time prior to 2007, the State Bar collected social security numbers. Many people provided this information at the time they were admitted to the State Bar. In addition, some social security numbers were collected by the State Bar when the West Virginia Supreme Court of Appeals first considered the possibility of e-filing. More recently, members provided social security numbers at the time they applied for a photo identification card. Beginning immediately, all communications regarding the applications for new photo identification cards will be via U.S. Mail and in paper form. No electronic records will be kept by the State Bar.

4. Did the State Bar have my social security number or not?

The State Bar had social security numbers for approximately 4,000 members. Members whose social security numbers are believed to have been contained on the State Bar's database should have received a second and third email notifying them of that fact. Some members do not have an email address on file with the State Bar. For those members, a separate letter was mailed to them through the United States Postal Service.

5. Why did the State Bar wait so long to notify me of the breach?

The State Bar acted very quickly after the computer consultants advised The Bar of the potential for a security breach. The State Bar Linux server and website were immediately brought down. The Linux server housed the State Bar's listserv which was its prior method of communicating with all members.
The State Bar's Board of Governors was advised of the security breach and it authorized the dissemination of a press release. The Supreme Court of Appeals of West Virginia was contacted and provided technical assistance in sending out a press release advising of the compromise of the State Bar's network. During this time, the State Bar did not have any ability to mail or email its members as its membership database was inaccessible. The State Bar has now created a new email system to communicate with all members of the State Bar that have their emails on file. The State Bar sent an email to its members within a few hours of its membership database and email listserv being reinstated.

6. What information did the hackers get in the security breach?

It is not possible for the computer consultants to advise the State Bar that any information was reviewed during the security breach. The computer consultants can only advise that the outside hackers had access to the member database and all other data on the State Bar network. The computer consultants reviewed the data in the member database. They have advised that it is not infected with any virus.

7. Why wasn't the site secure?

The State Bar's computer system was equipped with a firewall, which previously was believed to be secure. However, the State Bar's forensic computer experts have advised that no firewall would have prevented the sophisticated hack of the website and database. The State Bar is taking extraordinary measures, as set forth in response to question number 1 above, to prevent a security breach from occurring again in the future.

8. Did the State Bar report this to the credit reporting agencies?

The State Bar has notified the credit reporting agencies of this security breach. The State Bar has also provided the contact information for all three major credit reporting agencies to our members and it has encouraged each member to separately contact those agencies.

9. Is the State Bar going to pay for my credit monitoring costs?

Some State Bar members have requested the State Bar to pay for credit monitoring. Unfortunately, the State Bar has no unallocated funds to pay for any credit monitoring services. To put such a program in place could require an assessment of the members as a whole. Given the lack of any reported identity theft affecting any of its members, the State Bar believes that a special dues assessment to pay for this credit monitoring is an unnecessary expense for its members at this time.

10. Has this been reported to a law enforcement agency so I can file a 7 year report?

Yes, this matter has been turned over to the Federal Bureau of Investigation. They are conducting a formal investigation of the security breach. Within the next few days, it is anticipated that the FBI will begin its forensic analysis of the removed hard drives. The FBI has assured the State Bar that it will pursue location and prosecution of the individual or individuals who breached the State Bar's system.

11. Will we be advised of any information the State Bar receives from the FBI?

Yes, the State Bar will keep its members up to date regarding any public results of the FBI investigation.

Since 2007, the State Bar has been working to correct the flaws in the old computer system and to insure that a completely safe and fully operational system is up and running as soon as possible. The State Bar regrets any inconvenience to its members.

The West Virginia Record Malware Problem Fixed

2009-05-08T07:57:00.005-04:00

The problem with ads serving malware at the West Virginia Record was corrected quickly after they learned of the problem, Chris Dickerson, Editor of the Record told me yesterday. He said the issue was with a compromised ad server that was a part of a ad network serving 100s of newspapers.

Attorneys Receiving Individual Notification of Social Security Number Compromise in Recent WV State Bar Data Breach

2009-05-05T15:44:00.006-04:00

Individual attorneys began receiving notices this afternoon that their social security numbers we involved in the resent breach of the WV State Bar website and other computer system.

Important Notice to Members Regarding Social Security Information

From:
The West Virginia State Bar
2006 Kanawha Boulevard, East
Charleston, WV 25311-2204

The West Virginia State Bar has learned that there are two sets of persons whose Social Security numbers were contained on its computer system, which was recently hacked.　The first group of persons are those who recently completed applications to receive the new West Virginia State Bar photo ID card.　 Those persons included their Social Security numbers on the application forms, which were sent to Cheryl Wright at The State Bar, scanned into The State Bar's computer system, and e-mailed or faxed back to the requesting members.

　　
The other group of persons whose Social Security numbers were contained on The State Bar's computer system are those who provided their Social Security numbers to The State Bar at some point in time during their membership tenure.　These Social Security numbers existed on The State Bar's membership database along with the members' names, addresses, telephone numbers, email addresses, and dates of admittance.　It was not until late in the day on May 4, 2009, that The State Bar's retained experts were able to retrieve this information.　

Unfortunately, you are receiving this email because you are among one or both of these groups of people.　Although, as has been explained in the two prior notices, The State Bar has received no evidence or reports of any identity theft, fraud or other unauthorized use of any member's personal information, because your Social Security number was contained on The State Bar's computer system, there is a possibility that it may have been viewed by the hackers.　

The West Virginia State Bar has notified the three major credit reporting agencies of this potential security breach and is working with the FBI to identify the person(s) or entity(s) responsible.　 If you have any evidence that your personal information has been compromised, please contact The West Virginia State Bar immediately.　 In addition, you also may wish to contact the major credit reporting agencies to ask that a fraud alert be placed in your file to notify potential creditors and others that you may be a victim of identity theft.　The contact information for the credit reporting agencies is as follows:

Equifax Information Services
PO Box 740256
Atlanta, GA 30374
1-877-576-5734
www.fraudalerts.equifax.com

　
Experian
NCAC
PO Box 9556
Allen, TX 750131-888-397-3742
www.experian.com/fraud

　
TransUnion
Customer Disclosure Center
TransUnion Consumer Relations
PO Box 2000
Chester, PA 19022-2000
1-800-680-7289
www.transunion.com

The West Virginia State Bar deeply regrets any concern or stress that this has caused you.　If you have any additional questions, please send them to Anita Casey, Executive Director of The West Virginia State Bar.　Ms. Casey will work with The State Bar's Ad Hoc Technology Committee to respond to your questions as quickly as possible.

WV State Bar Sends Member Notice of Data Breach

2009-05-05T08:27:00.005-04:00

The West Virginia State bar sent notice of the breach of it's site and internal servers by hackers yesterday. The notice, posted below, shreds no new light on what happen or if person data was compromised, but it does disclose the FBI is now involved.

Important Notice to Our Members

From:
The West Virginia State Bar
2006 Kanawha Boulevard, East
Charleston, WV 25311

Using a sophisticated computer hack, an unknown person or entity gained unauthorized access to The West Virginia State Bar website and internal computer network, potentially compromising certain personal information The State Bar maintains about its current and former members.

The security breach was discovered recently during an upgrade of The State Bar's website. The website was taken offline on Friday, April 17, 2009. The State Bar has retained forensic computer experts to help investigate the suspected security breach. The State Bar is also working with the FBI to investigate the breach and attempt to locate the responsible party(s).

The West Virginia State Bar's Ad Hoc Technology Committee met with its retained forensic computer experts and learned that the security breach extended beyond the web server to the Bar's internal computer network. Given the sophistication of this security breach, and out of an abundance of caution, the Committee is considering all personal information on The State Bar's network as potentially compromised.

The State Bar provided notice to all of its members regarding this security breach through a press release issued on April 28, 2009, with the assistance of the West Virginia Supreme Court of Appeals as The West Virginia State Bar did not have computer access to its member lists until May 4, 2009. This second notice is being sent to all members at this time because the State Bar's listserv capability was reinstated late this afternoon.

Members of the Ad Hoc Technology Committee, representatives of the company which has been working with The State Bar's computer system for the past several years, and the forensic computer experts worked all last week and over the weekend to remediate the problem.

While the website itself contained no personal data, the website was connected to The State Bar's internal database server which houses the membership data. Membership data includes names, mailing addresses, email addresses, birth dates, lawyer identification numbers, and some members' and former members' social security numbers. The State Bar Ad Hoc Technology Committee also has just obtained a list of the names of its members whose social security numbers were on the system. Those members will receive a separate e-mail communication from The State Bar.

Importantly, the Ad Hoc Technology Committee has confirmed that information provided by clients to their attorneys has never been maintained on The State Bar's computer systems and, therefore, such information is unaffected by this recently discovered security breach.

The Ad Hoc Technology Committee has been advised by its forensic computer experts that it is impossible to determine exactly when the security breach occurred. The State Bar has no evidence and has received no reports of any identity theft, fraud or other unauthorized use of its members' personal information at this time. If any members of The West Virginia State Bar have any evidence that their personal information has been compromised, they should contact The West Virginia State Bar immediately. Members may also contact the major credit reporting agencies to ask that a fraud alert be placed in their files to notify potential creditors and others that they may be victims of identity theft.

Equifax Information Services
PO Box 740256
Atlanta, GA 30374
1-877-576-5734
www.fraudalerts.equifax.com

Experian
NCAC
PO Box 9556
Allen, TX 75013
1-888-397-3742
www.experian.com/fraud

TransUnion
Customer Disclosure Center
TransUnion Consumer Relations
PO Box 2000
Chester, PA 19022-2000
1-800-680-7289
www.transunion.com

All questions should be directed to:

The West Virginia State Bar
2006 Kanawha Blvd., East
Charleston, WV 25311
c/o Anita Casey, Executive Director

Problems with the State Bar website go back to September 2009, and I've posted previously about problems with the Bar's website hosting malware.

Another West Virginia Law Related Website Compromised

2009-05-04T11:08:00.003-04:00

The WV Record, a local newspaper that covers state legal matters, is server ads containing malware. It doesn't appears the site itself, www.wvrecord.com, is compromised this morning. The site is serving compromised ads. Until they get this problem cleared up, I wouldn't go there.

This is the second WV law related site to be compromised recently. The WV State Bar reported last week that its webserver and a number of internal servers were compromised.

FDA Rule on Appying Windows Patches on Medical Devices Could Put Human Life at Risk

2009-05-03T06:20:00.006-04:00

One of the scariest uses of Windows OS is that it is installed on medical devices. As a result, every piece of malware coming down the pike can infect this medical devices, putting human life at risk. SANS announced last week that it had discovered Conficker worm infections on medical devices, including MRI machines.

A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker," said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute.

Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the Internet to get instructions — presumably from the programmers who created Conficker.

The researchers dug deeper and discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet — and yet they were. And because the machines were running an unpatched version of Microsoft's operating system used in embedded devices they were vulnerable.

Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required that a 90-day notice be given before the machines could be patched.

Yes you read that correctly. Windows patches for medical devices must be approved by the FDA, and the FDA must receive a 90-day notice to apply patches. The result is epic fail that could put human life at risk. This FDA rule needs to be revisited.

WV State Bar Data Breach

2009-04-29T08:09:00.004-04:00

The WV State Bar reported yesterday that the Bar's website and servers on its internal network have been compromised. The compromised data might include members' names, mail and email addresses, lawyer identification numbers, and the Social Security numbers of some members and former members.

The Bar says there is no evidence that the information listed above has been used for identity theft or fraud, but that members who have concerns should check their credit reports.

The WV State Bar site remains offline this morning. The Bar has called in data forensics experts to try to determine the extent of the breach. They are in the process of rebuilding the site from scratch.

The Bar's website first showed signs of problems back in September when it was blocked by Google's Safe Browsing feature for serving malware. And I' ve posted about the Bar's website hosting malware earlier this month.

Elite User Conference 2009 coming up Jun 9-11

2009-04-23T08:16:00.004-04:00

Just saw a thread on the FWMI ProLaw Yahoo Group about the Elite User Conference 2009 coming up Jun 9-11 at the Hilton San Diego Bayfront in San Diego, CA. As in past years, Thomson is rolling Prolaw into the Elite Conference.

Thomson is offering Individual and Multiple Registration discounts:

Receive a $100 discount off the $1,495 Standard Registration Fee when you register before May 8th. That means you attend for just $1,395.

Multiple Registrations: Register multiple employees before May 8th and receive even more discounts. The second person you register pays only $1,095 and the third person pays just $795!

It would be nice to see Prolaw have its own user conference again. I'm not sure how useful the Elite Conference is to Prolaw users.

WV State Bar Site Remains Offline After Last Malware Infection

2009-04-23T05:54:00.007-04:00

The WV State Bar site remains offline today. The site was taken offline last Friday, four days after it was discovered the site was hosting malware yet again.

In an email, the Bar published information the site would be offline for maintenance:

“SPECIAL EDITION BAR BLAST”

* wvbar.org is currently offline for maintenance
* For Casemaker access, click here - https://demo.lawriter.net - login and password are westva (lowercase)
* For registration & other inquiries regarding the 2009 Annual Meeting, please contact Cheryl L. Wright at
cheryl@wvbar.org or 304.558.0828
*For Information regarding pro hac vice admissions, please contact Cheryl L. Wright at cheryl@wvbar.org or
304.558.0828

This is the same information currently on the website at http://www.wvbar.org/. It appears the site has been taken down to fix whatever problem was causing the site to be compromised on an almost monthly basis.

While my firm has not reported any infections that can be traced to the Bar's website, it remains to be seen if others firms have been so lucky.

Microsoft April 2009 Security Bulletin Webcast Video

2009-04-18T05:39:00.003-04:00

In case you missed it, here it is. I signed up for it, but had to miss it.

Video: Gozi trojan

2009-04-18T04:30:00.003-04:00

A member of my team forwarded this video to me last week. (I'm sorry I can't embed the video. Embedding disabled by request) The video shows the Russian Business Network (RBN) partners HangUP Team and 76service subscription-based data mining service for stolen data gathered by the Gozi trojan.

It's another fascinating look a tool build for hacker by hackers for profit rather than fun. For another fascinating look at a current hacking tool, take a look at the GhostNet video I previously posted.

Microsoft Releases Patch Tuesday Advisory

2009-04-14T15:07:00.002-04:00

There are eight patches on tap for tonight. Five are listed as Critical. Two are listed as Important. One is listed as moderate. They all may require restarts.

WV State Bar Site Infected with Malware

2009-04-13T12:18:00.002-04:00

Google Safe Browsing is blocking access to www.wvbar.org this morning. The diagnostics pages lists 9 scripting exploit, 8 trojan.

Malicious software is hosted on 3 domain, including v3i9.cn/, nvi3.cn/, said7.com/.

One domain appear to be functioning as intermediaries for distributing malware to visitors of this site, including tejary.net/.

This site was hosted on 1 network(s) including AS7795 (NTELOSINC).

This is not the first time the WV State Bar site has been infected with malware. It happened the first time back in September of 2008.

Update: This issue got resolved overnight. The site isn't hosting malware now.

Twitter "StalkDaily Worm" (Updated)

2009-04-11T21:39:00.009-04:00

Twitter is buzzing tonight with news of a fast spreading worm.

Here is a Postmortem of what's being called the “StalkDaily Worm” by Damon Cortesi: "What’s happening here is that it looks like somebody realized they could save url encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the mis-leading link, and update your profile with the same malicious JavaScript thereby infecting anybody that then visits your profile on twitter.com."

The Twitter security team has deployed a patch to stop the worm.

Update: F-Secure has a great update including screenshots.
Another Update: Mikeyy Mooney, the 17-year-old creator of StalkDaily.com claims responsibility for the worm. (Yes he spells his name with two y's).
Yet Another Update: Twitter Mikeyy Hack - How to fix & avoid

Understanding IPSEC

2009-04-11T13:14:00.000-04:00

A piece of hacker history?

2009-04-08T22:22:00.005-04:00

If this video is what it claims to be, it is truly a piece of his history. The poster of the video writes: "Steals a copy of SATAN, Dan's remote network security probing tool.

In the course of tracking the attacker(kevin), a great deal of network traffic was captured by a specially modified version of tcpdump (here's information on the legality of the acquisition of this evidence), and then a program written by Tsutomu was used to produce playable logs."

Kevin is Kevin Mitnick the famous hacker. Dan is Dan Farmer, one of the developers of SATAN (Security Administrator Tool for Analyzing Networks) and Tsutomu is Tsutomu Shimomura, the security researcher credited with tracking down Kevin Mitnick in 1995. Shimomura and New York Times reporter John Markoff wrote a book about Shimomura's pursuit and assistance in the arrest of Mitnick. The book is called Takedown and is a pretty good read, although most Mitnick supporters say the book is mostly a work of fiction and that Shimomura broke into his own computer in order to have an excuse to go after Mitnick.

This footage appears to be from Feb. 1995 while Tsutomu Shimomura was monitoring Mitnick and shows Mitnick actually breaking into Farmer's computer to steal a copy of SATAN.

It should be noted that Kevin says he simply copied software and that he never used any software he copied for any financial gain.

Symantec Video: Using Backdoor.Ghostnet Toolkit for Attacks

2009-04-05T08:01:00.010-04:00

Once the exe is built using Backdoor.Ghostnet and installed on the victim computer, it can be controlled using the toolkit built into Backdoor.Ghostnet. One of the tricks being used by attackers is to view the webcams of the victim computers and view the users actually sitting in front of their keyboards. Rather creepy. It doesn't appear there is anything keeping the attacker from turning on the victim computers built-in microphones as well.

Tonight on 60 Minutes: Conficker and cyber-crime

2009-03-29T14:49:00.001-04:00

In this video, Lesley Stahl previews her report on computer viruses and cyber crime which airs tonight.

Watch CBS Videos Online

XPAntiVirus2009 Morphs Into FileFix Professional 2009

2009-03-26T17:50:00.004-04:00

I've had a couple of incidents involving Vundo over the past six months. Vundo once posed as antivirus software. A new version of Vundo has a new trick up its sleeve. It now extracts money from the infected user by encrypting the user files and asking $40.00 for the tools to decrypt their data.

There is some good new. There's a free service called the FileFix File Decrypter will decrypt the data for free. Score: Bad Guys 1/Good Guys 1.

Video: Basic Nessus

2009-03-22T03:54:00.002-04:00

Another great video by John Strand. I use Nessus on my home network to find and fix vulnerabilities.

Basic Nessus from John Strand on Vimeo.

Efforts to combat Conficker worm an arms race

2009-03-21T06:35:00.003-04:00

Combating malware continues to be an arms race. The bad guys are always one step ahead. The majority of malware writers are often well educated, well funded and supported by large criminal organizations like the Russian Business Network . The days of teenagers writting malware in their parent's basement are far gone.

Yesterday came word that Conflicker has evolved again, and continues to find ways to confound and frustrate security researchers. A new analysis of Conficker by SRI International reports: "In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis."

Related Story: Conficker/Downadup Evolves

Basic Wireshark Video

2009-03-20T23:23:00.001-04:00

Here's another good video from John Strand

Basic Wireshark. from John Strand on Vimeo.

New Fake AntiVirus warning screen

2009-03-18T07:50:00.003-04:00

With looking at this screen closely you might not recognize this is a web page rendered in Firefox. Once gain the bad guys have upped the ante in the high stakes poker game of malware. This particular trick attempts to make the end user believe they are looking at a Windows Explorer screen with warning messages of a large number of trojans and virus infections. It next presents a popup box to entice the user to download the fake antivirus, probably our old friend Antivirus2009.

Click on the picture of a better view.

This is another example of how malware writers continue to excelerate the arms race in the battle of keeping users from clicking on things.

If you see a screen like this kill it from the process viewer. There has been reports clicking anywhere on this screen will cause infection. In this case the user was looking for NCAA brackets using a Google search. Thankfully he called to report the incident before taking any other action.

Related Story: NCAA March Madness Malicious Blog Links

Another video on wireless security

2009-03-15T14:12:00.004-04:00

How easy it really is to crack WEP 128bit encryption?

DojoSec Monthly Briefings - February 2009 - Jesse Varsalone from Marcus Carey on Vimeo.

Basic Nmap Video

2009-03-15T09:01:00.003-04:00

Here's a basic video on how to install and run nmap from SANS instructor and PaulDotCom Security Weekly co-host John Strand.

Basic Nmap part 2 from John Strand on Vimeo.

British Law Firms Increase Employee Surveillance

2009-03-13T06:11:00.002-04:00

Some British law firms have increased employee surveillance in light of economic presures. Many IT managers fear data loss as they fear some employees might be temped to steal data to sell to competitors, Legal Technology Journal reports.

IT heads at the top 20 firms admit that they are particularly wary of confidential material being downloaded into a transportable form now that the credit crunch has begun to bite and is costing jobs both internally and among their top financial institution clients.

At magic circle giant Allen & Overy (A&O), which last month announced jobs cuts affecting 9% of its workforce, IT director Jason Haines said: “Most law firm employees are bound by a professional conduct code but we would be careless if we weren’t being a bit more vigilant.”

The pressure is arising not only out of concerns that disgruntled employees may download firm precedents and other closely guarded intellectual property, but out of the need to meet a higher security bar imposed by many clients in relation to confidential material.

Addleshaw Goddard’s head of IT Graham van Terhayden said: “Clients want to do extra audits and are asking more questions about our capability and redoubling their questions.

“The more clients ask the question, the more we will focus on it.”

While many of the top firms have long banned access to social networking sites such as Facebook, the majority allow lawyers to use mobile media such as USB keys.

But where some firms are still monitoring activity on an ad hoc basis, others have rolled out constant surveillance of all employees.

Malware is big money

2009-03-13T05:05:00.005-04:00

My users often ask why people write malware. The simple answer is money. There are huge illegal businesses behind this type of cyber-crime and criminal organizations are making a huge profit from identity and data theft. Many of these organizations are based in Russia and China. The days of teenagers writing viruses in their parent's basement to impress their online buddies are over. Malware is big money now.

Conficker/Downadup Evolves

2009-03-13T04:09:00.002-04:00

Researchers at at Symantec reported last week that they have found a completely new variant of Conficker, AKA Downadup, last week. The new variant has the ability to disable antimalware tools, switch domains more frequently.

Dark Reading further reports:

The new variant, which Symantec calls W32.Downadup.C, appears to have defensive capabilities that weren't present in earlier versions. While it spreads in the same manner, "Conficker.C" can disable some of the tools used to detect and eradicate it, including antivirus and other antimalware detection tools.
W32.Downadup C also can switch domains at a much greater rate, Symantec said. "The Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm," the researchers reported. "The new domain generation algorithm also uses one of a possible 116 domain suffixes."
A report from CA about Conficker.C confirms Symantec's findings, although the CA researchers said the jump from 500 to 50,000 domains will not occur until April 1.
The ability to quickly switch domains will make it difficult for Internet security organizations, such as ICANN and OpenDNS, to block the domains used by the worm, industry experts note.
The new variant emerges just as some vendors have come out with tools they say will eradicate the worm. today issued a new, free toolz that it says will remove Conficker.A and Conficker.B from infected machines. A spokesman says the company has begun work on the new variant. And BitDefender also is offering a free tool it says will remove all variants of the worm.
Perhaps the most disconcerting aspect of the worm is that although it has reportedly infected hundreds of thousands of machines, it does not, as yet, seem to have a purpose. Although it has been contacting domains and spreading itself through various means, security experts say it has yet to be given a task -- such as distributing spam or launching a DDoS attack -- and researchers are still uncertain as to what it might be used for.
And some experts say there may be other exploits that behave like Conficker/Downadup. "BitDefender Labs has been seeing an increase in worms, like Downadup, that have a built-in mathematical algorithm, generating strings based on the current date," says Vlad Valceanu, BitDefender's senior malware analyst. "The worms then produce a fixed number of domain names on a daily basis and check them for updates. This makes it easy for malware writers and cybercriminals to upgrade a worm or give it a new payload, as they only have to register one of the domains and then upload the files."

The AV vs virus writer arms race continues. The bad guys always seem to be one step ahead, but with a worm as big as Conficker/Downadup AV researchers are watching this situation closely.

ARP spoofing attacks on web sites

2009-03-11T07:30:00.002-04:00

SANS reports attackers are using ARP spoofing to inject malicious JavaScript into content served off other web sites. Using ARP to inject packets is common in cracking wifi keys. In this attack ARP is used to send packets containing fake data to the target.

This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).

The ARP spoofing malware they used was relatively common, but still AV detection was miserable with major AV programs missing it (both compromised machines had up to date AV programs installed).

This is another example of how we cannot depend on antivirus programs to protect against all threats.

Scary video: Cracking your WPA/WPA2 catchphrase no clients.

2009-03-08T16:36:00.004-04:00

This is only for whitebox testing. Cracking WEP or WPA key is illegal.

No patch coming on Tuesday for Excel zero-day

2009-03-05T21:21:00.002-05:00

Microsoft has released the Security Bulletin Advance Notification for March 2009, but a patch for the recently discovered Excel zero-day is not included. The security4all blog has complete coverage.

All my Virut/Virux links in one place

2009-03-05T21:19:00.001-05:00

All my Virut/Virux links can be found here.

WORM_KOOBFACE.AZ worm spreading via Facebook and other social networking sites

2009-03-03T10:41:00.002-05:00

Beware of messages from friends on social networking sites saying “Take a look of this picture of you” or “Check out this video I found of you.” The links lead to a malicious website that looks like YouTube. You will then bee asked to install a viewer or a new version of flash which is actually the WORM_KOOBFACE.AZ worm. The worm will then use your contact list or friends list to send the same fake message to all your friends. The message will look legitimate to them because it will say it’s from you.

The TrendLabs Malware Blog has a very good description of what these fake messages look like and how this thing spreads.

Mass mailing worm delivers Trojan.Vundo payload

2009-03-02T20:33:00.004-05:00

Symantec Security Response reports that W32.Ackantta.B@mm and Trojan.Vundo infections are on the rise. They also report that Symantec has released more aggressive heuristics that detect and block hundreds of Trojan.Vundo variants as a response to the threat.

They have a nice graph of how the attack vector works.

Update on compromised adservers serving malware (eWeek/other Ziff Davis Enterprise sites)

2009-02-27T04:58:00.004-05:00

Websense reports the recent eWeek PDF attack via adservers took no user interaction.

eWeek.com is the online version of the popular business computing magazine.

When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp://[removed]inside.com/

Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server.

With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The host file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads.

The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/ which has been setup to collect payment details.

Security4all says this isn't the recent 0-day Adobe Reader PDF exploit also served by compromised adservers, but a previous one reported last November. This attack hit eWeek and other Ziff Davis Enterprise site ad servers this week. The goal of this attack is to install fake antivirus software.

Microsoft released a patch to correct the "disable autorun registry key" enforcement.

2009-02-26T12:03:00.000-05:00

The details can be found at this link: http://support.microsoft.com/kb/967715

This patch is in response to the Jan. 20 US Cert advisory that Microsoft Windows does not disable AutoRun properly.

The Conficker worm spreads via autorun and many other pieces of malware spread via autorun. Disabling autorun is a first line of defense against these sorts of attacks.

Google, DoubleClick and Akamai hosting malware

2009-02-26T07:14:00.004-05:00

I received word yesterday via various sources that Google and DoubleClick are serving malware via ads.

Here's the Google diagnostic page for DoubleClick.net:

Of the 230717 pages we tested on the site over the past 90 days, 24 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-02-25, and the last time suspicious content was found on this site was on 2009-02-24.

Malicious software includes 25 scripting exploit(s), 13 trojan(s), 8 adware(s). Successful infection resulted in an average of 9 new processes on the target machine.

Malicious software is hosted on 7 domain(s), including auctlva.com/, advancedantivirusproscan.com/, liteantivirusproscan.com/.

3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including fitnessfactory.com/, me9x.cn/, www-union.com/.

This site was hosted on 22 network(s) including AS15169 (GOOGLE), AS6432 (DOUBLELCICK), AS20940 (AKAMAI).

Maybe it's time to block all ads in our environments.

OS X , iPhone, and malformed JBIG2 streams

2009-02-25T08:32:00.005-05:00

SANS Internet Storm Center has an interesting look at the recent Adobe 0-day and platforms most of us assume are safe: OS X, iPhone, and Linux.

The current version of the pos t shows some concerning results when viewing PDFs with a malformed JBIG2 streams with OS X and iPhone PDF viewers.

SANS promise Linux results soon.

Attackers using unpatched Acrobat flaw for spearphishing

2009-02-24T09:49:00.005-05:00

Security Focus reported yesterday that attackers are using an unpatched Acrobat flaw to target high-ranking people including CEO's. The exploit reported last week is still a 0-day since Adobe is yet to release a patch.

The best defense is not to open PDFs from unknown sources.

Symantec and ZDNet report a new Excel 0-day

2009-02-24T06:29:00.005-05:00

ZDNet reported yesterday that Symantec has discovered a remote code-execution vulnerability in Excel 2007 and Excel 2007 SP1. It looks like it is being actively exploited in the wild by a variant of the Mdropper trojan. Attackers can exploit this issue by tricking victims into opening a maliciously crafted Excel file.

The only defense at this point is not to open Excel files unless you trust the source.

CA says the souce of Virut for some infections might have been MySpace

2009-02-23T08:46:00.013-05:00

The CA Security Advisor Research Blog says a new infectious version of Virut might have come from MySpace. This blog post is the best technical analysis of Virut, also called Virux by Trend Micro, I've seen. I've posted a number of other bookmarks for information on Virut/Virux on delicious.

There really should be a common naming scheme for viruses and worms. Virux has a number of different names depending on the antivirus vendor: Symantec call it W32.Virut.CF, McAfee calls it W32/Virut.n, Sophos calls it W32/Scribble-A, Microsoft calls it Virus:Win32/Virut.BM, and Trend Mirco calls it Virux. Could this be any more confusing for IT folks and IT security professionals, not to mention non-technical managers?

By the way, it should be noted that Virux is also a Linux distro.

Adobe Zero-Day, Symantec says they've got it covered

2009-02-23T03:52:00.007-05:00

SANS Internet Storm Center and Shadowserver report Adobe Arobat 0-day in the wild. Our friends over at Symantec say they've got our back. Estimated time for Adobe to patch is a couple of weeks.

Larry Pesce over at PaulDotCom has an interesting post on how to use metadata as a tool for secuity for auditing this zero-day exploit. He also points out that this problem affects not only Adobe Reader, but also Adobe Standard, Abode Pro, and Adobe Pro Extended releases of versions 7, 8, and 9.

New WV State Police site infested with malware

2009-01-10T16:09:00.007-05:00

The Charleston Gazette-Mail reported this morning that the WV State Police is in the process of launching a new site to report crime.

CHARLESTON, W.Va. -- It won't replace calls to 911, but the West Virginia State Police soon will launch a Web site that it hopes will make reporting crimes easier.

The Web site, www.wvcrime.com, will allow the members of the public to submit an anonymous tip or a full-blown crime report, said State Police Sgt. Christopher Casto.

The site will be ready "in the next few weeks," he said. "It's in the finals stages of testing and setting up."

The site will cut down on phone calls to the State Police and will allow people to make complaints without talking directly to a trooper, Casto said.

"We're hoping that people will be more comfortable reporting crimes if they can do it anonymously through their computer," he said.

Readers report when they visit the site that get a message, "Your computer might be infected and to click OK to install Antivirus2009." Hackers have inserted javascript that links to the site that holds the actual malware.

Antivirus2009 is a very bad piece of malware that affects computers running Windows.

I was able to load the site in OS X and Linux earlier this afternoon, but now Google is on the case. When I visit the site now I get a Google Safe Browsing warring that the site is infected with malware.

Back in September the WV State Bar site was blacklisted for containing malware.

Update: The malicious java script redirected to a blank page for about a day. It's now redirecting to the malware again. Thanks to my buddy, and former law firm IT director, Paul McNeely who has kept his eye on this and has provided updates.

Secure your social networking passwords

2009-01-10T13:04:00.000-05:00

It amazes me that an 18-year-old hacker can break into a Twitter admin account and start changing the passwords of famous users with a dictionary attack script. Creating complex passwords is Security 101. Some, including Michael Arrington of TechCrunch, say this breach is proof that Twitter isn't ready for prime time. I disagree. It's not a Twitter problem. It's a problem of not having a strong password policy and users not picking strong passwords.

In general strong passwords:

should be at least seven characters long
should not contain your user name, real name, or company name
should not contain a word you can find in the dictionary
should contain a combination of uppercase and lowercase letters, as well as numeral and symbols

Also when changing a password, the new password should be significantly different from the pervious password. Passwords that increment (Password1, Password2, Password3...) are not strong. And passphrases are more secure than passwords. A passphrase is a sequence of words rather than just one password.

If strong passwords aren't required by the service in question, weak passwords are a user problem and are probably just as much of a problem on other social media sites. One way to address this is to require users to use secure passwords. LiveJournal is an example of a service that now requires strong passwords. In fact, LiveJournal has a stronger password policy than my bank.

Facebook, on the other hand, doesn't appear to have any sort of strong password policy at all.

The other way to address this problem is education. The press that the Twitter data breach have generated will hopefully let the general public know that weak passwords dangerous.

The Mac turns 25

2009-01-03T14:36:00.003-05:00

As Dave Winer points out, we are nearing the 25th anniversary of the introduction of the Macintosh. In 1984 I was a undergraduate at Marshall University and I spent hours typing papers on electric typewriters and going through gallons of Liquid Paper Correction Fluid. When I first got to use a Mac when I entered graduate school in 1990 it was truly a life changing event.

At the time we were using the Mac Plus to write and edit our college newspaper. If I remember correctly there where 13 of them in the newsroom, including the one at the news editor's desk. When I became managing editor I got to inherit the powerful Mac SE 30 which also had an external hard drive. The Mac Plus booted from a floppy and all your work had to be saved to yet another floppy.

My first law firm IT job in 1999 was working at a firm who used only Macs. The machines where mainly iMacs and PowerBooks. This was in the days before OS X. OS 9 was a simple system to administer, but not without it's faults.

Below is a young Steve Jobs introducing the Macintosh on January 24th 1984.

Disgruntled ex-employee takes JournalSpace offline for good

2009-01-03T10:33:00.009-05:00

There are posts from TechCrunch and Slashdot this morning about the blogging service JournalSpace being completely taken offline as a result of a malicious act from a disgruntled ex-employee. According to the JournalSpace blog the employee in question decided to depend on RAID as the only backup of the SQL database of users posts. As pointed out the the Slashdot headline, Mirroring is Not a Backup Solution, and any IT employee worth their salt should know this.

The Slashdot story says:

The site had been in business since 2002 and had an Alexa page rank of 106,881. Quantcast said they had 14,000 monthly visitors recently. No word on how many thousands of bloggers' entire output has evaporated.

According to the JournalSpace blog and also reported by TechCrunch:

It was the guy handling the IT (and, yes, the same guy who I caught stealing from the company, and who did a slash-and-burn on some servers on his way out) who made the choice to rely on RAID as the only backup mechanism for the SQL server. He had set up automated backups for the HTTP server which contains the PHP code, but, inscrutibly, had no backup system in place for the SQL data. The ironic thing here is that one of his hobbies was telling everybody how smart he was.

This story should be a reminder that every organization should have a backup, disaster recovery and business continuity plan. It is also important to have a plan to deal with insiders threats and not let one person make all the decisions about backup, disaster recovery, and business continuity.

Snap: iPhone app that will scan your wireless network for hosts

2008-12-10T00:42:00.004-05:00

Ever wondered if someone has cracked your WEP key and is using your wireless network? Ever wondered if who else is using the free wireless at the local coffee shop? Snap is an iPhone app that will scan a wireless network and tell you who else is using the wireless access point, which can be very useful for network administrators.

Below are some screenshots of my home wireless network.

Scanning Wireless Area Network

Host List/Scan Results

Host Information

Host Services

Snap is $1.99 for the iTunes App Store

December Black Tuesday Overview

2008-12-09T19:39:00.003-05:00

SANS has issued its December Black Tuesday Overview. Microsoft is will be hosting a webcast to address customer questions on these bulletins on December 10, 2008, at 11:00 AM Pacific Time. Click here to register for the December Security Bulletin Webcast

West Virginia e-Discovery Conference

2008-10-07T22:31:00.001-04:00

The West Virginia e-Discovery Conference is on the campus of the Marshall University Forensics Science Center in Huntington, WV on Oct. 28 from 8:30 a.m. to 4:30 p.m. Second Creek Technologies LLC and Marshall University are offering a full day of training focusing on electronic discovery and forensics topics.

John Sammons, CEO of Second Creek, says, "This is the first of an annual event that we plan to put on every year. We plan to bring in experts and practitioners from around the state to help keep the legal community -- and their clients -- up to speed on the growing field of electronic discovery and computer forensics. We also view this as an opportunity for academia as well. Students and professors can also benefit.

"This event will provide a bridge for the students and faculty to the front lines of electronic discovery and computer forensics. They will get to hear, first hand, from practitioners in the field about the current challenges they face and how they are conquering them."

The cost of the event is $180 per person. Lunch and a ticket to the Thundering Herd's football game against Houston later that day are also included.

Topics include:

* E-Discovery Response Teams - Brian M. Peterson Esq., Bowles, Rice, McDavid, Graff & Love LLP

* An Introduction to Internet Evidence - Sammons and David Irvin, COO, Second Creek Technologies LLC

* E-Discovery Costs - Mathew Nelson, Esq., Jackson Kelly PLLC

* Ethical Duties of Attorneys in e-Discovery - Jill McIntyre, Esq., and Erin Stankewicz, Esq., Jackson Kelly PLLC

* E-Discovery Case Law Update - Ray Shepard, Esq., Corporate Counsel, Second Creek Technologies LLC

* Digital Evidence Collection, Transport and Storage: Getting It Right - Dr. Terry Fenger, Director, Marshall University Forensic Science Center

* Getting the e-Stuff: Using the Rules in e-Discovery - David Duffield, Esq., Duffield & Lovejoy PLLC

The West Virginia CLE credit is pending for this training.

For more information or to register for this conference, call (304) 736-5454 or (877) 523-3253 or go to www.2ndcreek.net/discovery/ediscoveryconf.html

Help Wanted -Application Support Specialist

2008-10-02T09:47:00.000-04:00

Flaherty, Sensabaugh & Bonasso, PLLC, a law firm with offices in West Virginia is seeking a service-oriented individual to fill the position of Application Support Specialist in our Charleston, WV office.

The position will provide software training and support to lawyers and staff, and will work closely with other IT positions to troubleshoot and resolve problems. The successful candidate will be a friendly self-starter who enjoys supporting users of various skill levels in a busy work environment.

A high level of proficiency with the MS Office Suite and Windows XP, and the ability to quickly learn and support other legal applications, including document management, case management and litigation support software is required for this position.

Please respond by submitting a cover letter, resume and salary history to Human Resources, P.O. Box 3843, Charleston, WV 25338 or via email to rdayfield@fsblaw.com.

General Policy - Virtualization of Elite Products

2008-08-14T15:31:00.003-04:00

Thomson Elite has released an official policy regarding - Virtualization of Elite Products including Prolaw.

1.1 General Policy
Thomson Elite generally recommends against using virtualization environments (e.g., Virtual Machines from VMware or Microsoft Virtual Server) for primary production servers hosting Thomson Elite products.

Thomson Elite makes no performance warranties in relation to Thomson Elite applications hosted on Virtual Machines.

The use of Virtual Machines for test and disaster recovery (DR) environments may be appropriate, provided customers understand and accept sole responsibility for any performance issues related to virtualization.

1.2 Behind the Policy
While use of Virtual Machines can be an excellent way to consolidate server functions onto fewer boxes and reduce the time hardware is idle, the effectiveness of such consolidation relies, in part, on the functions consolidated either not requiring full CPU utilization or requiring it at different times. Since many Thomson Elite applications tend to share the same peak load times (e.g., month-end accounting), it is difficult to capitalize on the strengths of Virtual Machines without at least as much hardware as is recommend by Thomson Elite.

1.3 Production Use Against Recommendation
Customers running virtual environments for primary production use, against Thomson Elite’s recommendations, and who require support for performance issues related to using Virtual Machines, will be charged at standard support rates.

Thomson Elite will not be responsible for the performance of products running on Virtual Machines, since they fail to meet the requirements established by Thomson Elite.

1.4 Virtualization Performance Concerns

1.4.1 Processor Performance
In addition to the hardware that Thomson Elite recommends for an appropriate level of performance, software which allows the use of Virtual Machines imposes an additional overhead which can reduce performance by 15-20 percent or more in some cases.

1.4.2 Disk I/O Performance
In addition to processor cycles that may be consumed as overhead by the use of Virtual Machines, Disk I/O performance is also impacted by the added layer of virtualization. As a point of reference, using Microsoft’s SQLIO tool, limited testing on directly attached storage consisting of a six (6) spindle RAID 10 array, revealed the following:

* VMware ESX Server 2.5.2 imposed approximately a 15% sequential read performance penalty using a virtual SCSI disk.
* VMware GSX Server 3.2 imposed approximately a 20% sequential read performance penalty using a direct connection to the physical array.
* Microsoft Virtual Server 2005 imposed over a 30% sequential read performance penalty using a virtual SCSI disk.
* Microsoft Virtual Server 2005 imposed nearly a 70% read performance penalty using a virtual IDE disk.

1.5 Virtualization Products
While Thomson Elite recommends against Virtual Machines in primary production use, those customers who choose to proceed with virtual environments where “Not Recommended,, may find the following virtualization products more suitable than desktop versions, such as VMware Workstation or Microsoft Virtual PC: VMware GSX Server 3.2 (or VMware Server, the free successor to GSX Server expected in Q2 2006)

* VMware ESX Server 2.5
* Virtual Server 2005 Standard Edition
* Virtual Server 2005 Enterprise Edition

1.6 Future of Virtualization
Thomson Elite is aware of the growing popularity of virtualized solutions and will continue to evaluate it as the market, technology, supporting hardware and underlying platforms mature.

I've been told by other users that if you go ahead and run Prolaw on a virtual platform and have any sort of performance problem, the first thing Prolaw support will do is tell you to move the server from the virtual platform back to a physical server.

Does anyone have any experience running Prolaw in a virtualized environment?

System Administrator Appreciation Day

2008-07-25T12:15:00.000-04:00

Happy System Administrator Appreciation Day to all you law firm IT and other IT folks out there.

Check you DNS server

2008-07-24T08:31:00.001-04:00

Is the DNS server you use safe?

Recently, a significant threat to DNS, the system that translates names you can remember (such as www.doxpara.com) to numbers the Internet can route (66.240.226.139) was discovered, that would allow malicious people to impersonate almost any website on the Internet. Software companies across the industry have quietly collaborated to simultaneously release fixes for all affected name servers.

You can run a check at on this page.

ISP operator need to patch their recursive DNS servers now

2008-07-22T15:24:00.000-04:00

SANS reports information about the DNS bug discovered by security researcher Dan Kaminsky is now public knowledge and recursive DNS server should be patched immediately.

Internal Threats: the Disgruntled Employee

2008-07-15T11:53:00.005-04:00

The strong passwords and other security measure will not keep out the most danger threat to network security will not keep out the most dangerous threat: disgruntled employees.

SFGate, the web home of the San Francisco Chronicle has the scary story of how a disgruntled city computer consultant has taking over San Francisco's new multimillion-dollar computer network by changing the admin passwords and refusing to had over the new passwords.

(07-14) 19:23 PDT SAN FRANCISCO -- A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.

Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city's new FiberWAN (Wide Area Network), where records such as officials' e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings are stored.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.

He was taken into custody Sunday. City officials said late Monday that they had made some headway into cracking his pass codes and regaining access to the system.

~~I though it was interesting that the guy actually lives in Pittsburgh. I'm sure that make this incident, as bad as it already is, a federal crime as well.~~ Oops wrong Pittsburg, as pointed out in the comments, "Pittsburg (no "h") is a town about 40 miles east-northeast of San Francisco."

Legal IT vs. Corporate IT

2008-07-09T15:58:00.002-04:00

Here's a very interesting post from Prism Legal that explores the difference between Legal IT versus Corporate IT. The content is the result of a panel discussion at the Strategic Technology Forum in Lisbon, hosted by LegalWeek last month.

Here's the panelist list of differences:

* In legal it’s about words; in corporate it’s about numbers. This makes a big difference in how CIOs present business cases to management.
* Lawyers resist change, industry embraces it.
* Corporate management asks “what’s the business case?” Law firm management asks “what are other firms doing?”
* Legal market software suppliers are few; corporate many. A corollary: legal software vendors are less innovative.
* Corporations do zero-based budgeting, meaning CIOs have to justify items each year. In law firms, budgeting is a continuous and incremental process without the need to justify each year.
* “There is no PowerPoint in law firms.”

The panelists were David Coates, IT Director of Bond Pearce and formerly of UBS; Jason Haines, Director of IT, Allen & Overy LLP and formerly of PricewaterhouseCoopers (PWC); and Malcolm Simms, IT Director, Eversheds LLP and formerly of Disney/ABC Television Group.

I think they did a great job of pointing out the differences, but I didn't understand "There is no PowerPoint in law firms."

The Prism Legal, Ron, goes on to say:

All of these resonated with me. One comment on “no PPT in law firms.” I think this difference has a deeper meaning than many may think. Presentations are not just about content; they are about guiding or controlling a conversation. When I started as a manager in a large law firm, I met frequently with the management committee to discuss tech projects. Discussions wandered and were, as a consequence, often unproductive. So I decided to use a presentation as a way to help guide the discussion. The resistance to my doing so was palpable. I wish I had had a chance to pose this hypothesis to the panelists for confirmation or rejection.

Testing Sazell

2008-07-07T11:29:00.001-04:00

For more information see this TechCrunch story.

Social Media in Law Firms

2008-07-03T13:47:00.001-04:00

Why are there no large law firms listed on this list? Are large law firm's engaged in social medial beyond blogging?

Jeremiah Owyang of Forrester writes:

Understanding how companies staff, organize, and prepare for social media/computing is one of my top interests personally and professionally. Having been a former Online Community Manager at Hitachi Data Systems, I want to make sure companies do it right. I’m often asked which companies have one of the two emerging roles, (companies love to benchmark against their peers) so I’ve decided to start a list.

The first role is the Social Computing Strategist, the second is the Community Manager, although the titles vary, and sometimes it’s a part-time function, there’s clearly a trend as corporations staff.

It’s important to note, that in the end, these skills (the ability to communicate online) will disperse and grow to many employees. Generation Y comes to us with these abilities built it as a “digital natives”– yet the need to organize will still occur, it’s a knee jerk reaction to every corporation.

Is there room for social media in law firms, both large and small?

Microsoft Remote Desktop Connection 2 is now out of beta

2008-07-01T20:37:00.001-04:00

The Unofficial Apple Weblog reports Microsoft Remote Desktop Connection 2 is now out of beta.

This is news that is certain to make Mac based Windows Admins (of which I am one) very happy: Microsoft Remote Desktop Connection 2 is finally out of beta. The final release includes all the new features that Microsoft added, some of the highlights include:

* The ability to open multiple instances of Remote Desktop without resorting to a hack (though I do believe that each connection spawns a new instance of the app itself).
* Redesigned UI
* Support for Network Level Authentication (which makes connections more secure)

You can get more info about this release from the MacBU blog post.

Practice Management goes Web 2.0

2008-06-26T13:13:00.003-04:00

Practice Management moves into the cloud with a product called clio. The service is currently in private beta. Depending on the level of service you sign up for, clio offers client and file management, timesheet and activity tracking time reporting and exporting, performance analysis and reporting, calendaring and reminders, multi-user access, SSL encryption and secured data storage, client billing and invoice generation, and document management.

LEXBLOG soft launches LexMonitor

2008-06-22T18:00:00.001-04:00

LEXBLOG has soft launched LexMonitor, a US blawg portal, according LEXBLOG chief Kevin O'Keefe on Real Lawyers Have Blogs.

Pulling from nearly 2,000 sources and 5,000 authors, LexMonitor will hopefully shine a light on the ongoing conversation among thought leaders in the law for the benefit of the legal profession and the public at large.

SolarWinds Free Exchange Monitor

2008-06-13T23:51:00.001-04:00

I've downloaded and installed SolarWinds Exchange Monitor yesterday. It works great. Is anyone else using any of the SolarWind products?

iPhone 3G: What we didn't get

2008-06-10T21:28:00.001-04:00

This piece is more about the consumer end of things that the enterprise. I still would like copy and paste. I'm sure we would all find it useful. The lack of MMS really doesn't bother me. I think developers might be able to fill some of these gaps.

Apple iPhone Enterprise Integration

2008-06-09T22:53:00.001-04:00

Apple has posted a page that details enterprise integration. Included is a pdf that details step by step directions on how to implement Exchange ActiveSync Setup. ActiveSync for the iPhone is supported on Exchange 2003 and 2007. We will all have to wait for the iPhone 2.0 software to be released before we can begin testing.

Yes there is a $200 iPhone but...

2008-06-09T18:02:00.001-04:00

TechCrunch reports, "Unlimited data plans for iPhone 3G customers will be $30/month while business users will have to pony up $45/month."

This is in line with the current Blackberry data plans. It is also unclear if you need the new iPhone 3G to use the business plan, or if you can use it on edge what the cost will be.

Apple said to release enterprise iPhone software on Monday

2008-06-07T16:17:00.001-04:00

It has been reported in various places that Apple will release the enterprise software that will let the iPhone work with Exchange in the same way that Blackberry BES does now. With that said IT departments should expect a flood of questions who currently own or plan to buy iPhones.

Windows XP SP3 breaks some routers

2008-06-07T16:08:00.001-04:00

Broadband modem/router maker Billion says XP SP3 causes it's BiPAC 5200-series of routers to constantly crash and reboot.

A graph of where spam, viruses and worms come from

2008-06-01T21:12:00.000-04:00

They come from these countries.

Live from D: Gates and Ballmer preview Windows 7

2008-05-27T21:57:00.001-04:00

Live from D: Gates and Ballmer debut Windows 7 - Engadget

I'm not sure if they will tell us anything, but it will be interesting to watch.

Leaked Screen Shots of Windows 7

2008-05-27T19:04:00.000-04:00

This leaked screen shots of Windows 7 concerns me. For those of us that skipped Vista in hopes that Microsoft would deliver a usable OS in Windows 7, there seems to be too much eye candy with superfluous processes, like a weather report, running in the task bar.

I still hold some hope that will deliver an OS close to the simple, usable design of Server 2008, which has been my favorite version of Windows Server so far, and not more crap like Vista.

More on the $199 iPhone

2008-05-01T20:16:00.002-04:00

$199 iPhone is cool, but possibly imaginary. MacWorld weighs in.

Hope for XP extension?

2008-05-01T07:27:00.000-04:00

Ballmer offers glimmer of hope for XP extension but, "Later on Thursday, however, a U.S.-based spokeswoman for the company said that Microsoft's plans remain 'unchanged.'"

I think there is a lot of wishful thinking going on from consumers. If MS does give an extension, they won't announce it until the last minute.

$199 iPhones?

2008-05-01T07:10:00.001-04:00

Fortune reports AT&T plans to reduce the cost by chipping in $200.00 on each iPhone sold.

When the 3G iPhone is introduced this summer, AT&T, the exclusive U.S. iPhone sales partner with Apple, will cut the price by as much as $200, according to a person familiar with the strategy.

AT&T is preparing to subsidize $200 of the cost of a new iPhone, bringing the price down to $199 for customers who sign two-year contracts, the source says. Apple is expected to have two versions of the new iPhone, an 8-gigabyte-memory and a 16-gigabyte-memory model with price tags widely expected to be $399 and $499.

AT&T and Apple declined to comment.

It would be nice, but AT&T is already losing money on the iPhone. I guess we will find out in June.

Your help desk career: Dead end or launching pad?

2008-05-01T06:33:00.000-04:00

Help Desk: Dead end or launching pad?

In my opinion every admin should have experience working with end users.

Because Tuesday is Black Tuesday

2008-03-10T22:22:00.001-04:00

Microsoft Security Bulletin Advance Notification for March 2008

US Daylight Savings Time starts this weekend

2008-03-08T03:19:00.004-05:00

Just a reminder this is the weekend that Daylight Savings Time starts in the US at 02:00 local time Sunday morning. This is the time change where we set our clocks one hour ahead, and we lose an hour.

On August 8, 2005, President George W. Bush signed the Energy Policy Act of 2005. This Act changed the time change dates for Daylight Saving Time in the U.S. Beginning in 2007, DST will begin on the second Sunday in March and end the first Sunday in November. Under the old system DST would have started this weekend. Next week we gain an additional week of DST under Energy Policy Act of 2005.

Microsoft and other software vendors recommend you pay close attention to your calendar doing this extending DST period. Problems with other nonrecurring events might still happen.

iPhone Enterprise Features Comming in June

2008-03-06T15:31:00.002-05:00

The new features include:

- Push email
- Push calendar
- Push contacts
- Global address list
- Certificates and Identities
- WPA2 / 802.1x
- Enforced security policies
- Device configuration
- Remote wipe
- Active Sync and Microsoft Exchange support

There is a beta program, but you must apply and meet the requirements.

“iPhone Software Roadmap” Event March 6th

2008-02-27T20:48:00.003-05:00

Date Apple has set March 6th for the “iPhone Software Roadmap” event. Along with a peek at the iPhone SDK, Apple promises “new enterprise features”.

I hope they announce full Microsoft Exchange support. Many attorneys I talk to say they would dump their Blackberrys for iPhones, if the iPhone has email push and would sync with their Exchange calendars and contacts.

Windows Server 2008

2008-02-27T20:37:00.002-05:00

Windows Server 2008 was officially launched today.

Whether IT admins follow along with Microsoft's reasoning is, of course, another matter. But Server 2008 certainly contains desirable features in its own right. Server Core is a new installation option that enables Windows Server 2008 to be deployed in a cut-down mode to serve one of eight specific server roles: file, print, DNS, DHCP, Active Directory, LDAP, virtualization, and web (IIS); there is also a ninth streaming media server role that is an optional download.

Server Core mode omits much of the GUI and interactive parts of the OS, as well as those services not essential to the chosen role. Management of Server Core systems will be remote, typically through MMC. In this first version of the functionality, some of those roles may be a little too cut-down; the web server mode lacks .NET (and hence ASP.NET), and since ASP.NET is one of IIS's major features, its omission may prove a little hard to stomach. The other options are more appealing, and they should be very welcome for administrators looking to streamline resource usage and cut down attack surface area.

Hyper-V, the new virtualization platform, isn't actually finished yet; it's still in beta, with a final release expected within 180 days. It's also an optional feature; you can save about $28 from the license fee by opting to eschew it, and it'll be available to purchase—for about $28—if you wish to add it to a non-Hyper-V version later on. Hyper-V uses the virtualization features on Intel and AMD processors (64-bit only) to, in principle, provide high-performance reliable virtualization.

The version of Windows 2008 server I played with looks very promising.

What's the deal RIM?

2008-02-12T08:21:00.000-05:00

While the Great Blackberry Outage of 2008^TM is over, most people are left to wonder what the problem is at RIM. Bloomberg reports:

"Research In Motion Ltd. said that a disruption in its Blackberry e-mail service in North America was ``fully and quickly'' restored and no messages were lost.

``It was pretty focused and isolated and we recovered well,'' Co-Chief Executive Officer James Balsillie said in an interview at the Mobile World Congress in Barcelona today. ``We apologize for any inconvenience.''

My first question is where are these emails that news outlet keep taking about. I've never gotten one, and my firm is a BES customer.

My second question is how much can we trust RIM to provide key services when we have seen outages time after time. I just glad that my iPhone can do IMAP to my firm's Exchange server.

Microsoft is set to push IE 7 out via WSUS on Tuesday

2008-02-09T20:31:00.000-05:00

From a technet update email

Volume 10, Issue 3: February 6, 2008

"On February 12, 2008 Microsoft will release the Windows Internet Explorer 7 Installation and Availability update to Windows Server Update Services (WSUS). Windows Internet Explorer 7 Installation and Availability Update is a complete installation package that will upgrade machines running Internet Explorer 6 to Windows Internet Explorer 7. Customers who have configured WSUS to "auto-approve" Update Rollup packages will automatically upgrade machines running Internet Explorer 6 to Windows Internet Explorer 7 after February 12, 2008 and consequently, may want to read Knowledge Base article 946202 to manage how and when this update is installed. For more on the Windows Internet Explorer 7 Installation and Availability Update, read Knowledge Base article 940767."

Microsoft Security Bulletin Advance Notification for February 2008

2008-02-08T10:22:00.000-05:00

Microsoft Security Bulletin Advance Notification for February 2008

Microsoft has listed seven critical updates, and five important updates that will be released next Tuesday.

Disable or turn off UAC in Windows Vista

2007-11-22T07:35:00.000-05:00

How to disable or turn off UAC in Windows Vista.

The feature was put in to place to prevent unwanted applications, such as viruses and spyware, from self-installing onto the operating system. That’s great, but does one really need to enter a password or click OK every time they want to open a Control Panel applet? That’s a bit annoying, especially if you like to customize and configure your computer the way you want.

However, disabling UAC altogether is not the best idea in the world. It’s amazing how many times spyware installs itself when you are browsing the Internet or when you insert a floppy disk or USB stick into your computer. So how does one not getting annoyed all the time, but still protect their computers?

TweakUAC is a freeware application that you can run on Windows Vista to control how User Account Control (UAC) works. You can set it to Turn Off UAC, Turn On UAC, or put UAC into Quiet mode.

You will need to disable UAC to run ProLaw in Vista.

Fun with Darknets

2007-07-09T11:45:00.000-04:00

Fun with Darknets is an interesting read from them team over that the SANS Internet Storm Center.

Google to acqure Postini

2007-07-09T11:41:00.000-04:00

Google announced today that they have greed to acquire Postini.

Too much information?

2007-03-21T20:19:00.001-04:00

Mike Mcbride asks How much is too much?:

One was this whole DST mess. If there was one constant in all the things we did it was this. Every communication we sent to users in the hope of limiting some help desk calls by supplying information ahead of time, only resulted in more help desk calls. Instead of people reading the email, following the directions and going about their lives without the need to involve tech support folks, they called to ask questions about the email. Even people who didn't actually need to do anything different from what they always have been, called to make sure they didn't need to do anything. It seemed like the more we tried to educate people about the issue, and what to expect, the more it just confused them. A handful of people literally just took to ignoring any emails that came from the IS department, figuring we'd fix whatever needed to be fixed later for them.

Here was a case where our attempts at sharing information backfired completely. It illustrates to me that when it comes to technical information, there is a saturation point where users simply tune you out.

Technorati Tags:
law firm IT