August 2014 - Top Speed Web Hosting

CyberVor May Have Stolen 2 Million Passwords

  • Published in Security

On the heels of the good news about CryptoLocker decryption keys being found, here's some bad news about another cyber crime group out of Russia, called CyberVor, that has stolen what is believed to be the largest number of online credentials to date.

The name CyberVor is not as strange as it seems, as vor is simply Russian for thief.  This is not a name they've given themselves, but rather the name given to them by the company that discovered their actions.

It is believed that CyberVor has successfully stolen 1.2 billion usernames and passwords, along with 542 million email addresses, from over 400,000 different websites.  That is a nearly unbelievable amount of data.

The information comes to us from Milwaukee company Hold Security, which used DefCon in Las Vegas to announce its discovery of the theft.  As a part of the announcement Hold Security is also promoting its identity monitoring services.

Hold Security has said, "Hackers did not just target US companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable."  The reason they are still vulnerable, per Hold Security, is that CyberVor used botnets to identify websites with SQL injection vulnerabilities and then used those flaws to acquire the data.  In layman's terms, they used a flaw in the way certain websites are programmed to gain access to the data.
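To make the "flaw in the way certain websites are programmed" concrete, here is an added example (not code from the article or from any of the sites involved) showing the vulnerable query pattern beside its parameterized fix, using Python's built-in sqlite3 module and a constructed two-row account table.

```python
import sqlite3


def build_db():
    # Constructed sample data: a tiny account table like the ones the
    # article says were harvested from small, poorly coded websites.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The flaw: user input is spliced into the SQL text, so the input can
    # change the structure of the query rather than act as a plain value.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The fix: the value is bound by the driver, separately from the SQL
    # text, so whatever the user typed is only ever compared as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with an ordinary name and with a constructed input
    that closes the quote and appends an always-true condition."""
    conn = build_db()
    ordinary = "alice"
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_ordinary": lookup_vulnerable(conn, ordinary),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "fixed_ordinary": lookup_parameterized(conn, ordinary),
        "fixed_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row for the hostile input, while the parameterized one returns nothing, which is exactly the difference between a site that leaks its whole user table and one that does not.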

One of the concerns with this discovery, as outlined in Graham Cluley's blog post "Security firm that revealed 'billion password' breach demands $120 before it will say if you're a victim", is that Hold Security is not offering up much detail on the discovery.  Hold Security has not said which sites it has determined were victims of the attack, and therefore which online users should be concerned, nor has it provided details about a timeline, other than that it was a 7 month investigation.

As an alternative to providing Hold Security $120 and your passwords, which no IT professional I've ever met would recommend, go to HaveIBeenPwned to find out if your account has been part of any large data breaches.  Below is an image of what information a breached account will receive.

[Image: Have I Been Pwned result for a breached account]

In the end I have to say we all at Top Speed agree with Graham Cluley: there is something not right about this kind of a major disclosure with so few real facts being provided, and the only way to find out if you're a victim costs you both money and submitting your passwords.

A couple of fake websites set up to look like Hold Security's password and email submission page, and people will just be victimized all over again...


Decryption Keys Now Available for CryptoLocker

  • Published in Security

This is some of the best news the world of anti-virus and anti-malware could have hoped for: FireEye, in conjunction with Fox-IT, has found and released a potential way to retrieve the private decryption key needed to decrypt files encrypted by CryptoLocker.

We have previously written several articles on CryptoLocker, the ransomware that began infecting computers in the 3rd quarter of 2013 and demanded payment of originally $300 and up to 10 Bitcoins (which hit a high of over $1200 per Bitcoin), or over $12,000 USD, to be sent the decryption key.  For more information on CryptoLocker see this article and this article.

Until now the only way to decrypt your files was to pay the ransom and be sent the decryption key; many companies without enterprise level backups found themselves doing exactly that.  Those who had an enterprise level backup in place had more options: restoring from backups and filling in any gaps with a relatively small amount of data entry.

Recently law enforcement, in association with other groups including FireEye and Fox-IT, made major breakthroughs against the perpetrators of CryptoLocker during Operation Tovar.  During the operation some of the decryption keys were discovered, and those are being made available.  It's not a surefire solution for those with encrypted files, but it's a chance they didn't have before.

To find out if the decryption key you need is available, go to the website that's been set up by FireEye and Fox-IT.  Once at the site you'll upload one of your encrypted files and submit it along with an email address for the decryption key to be emailed to.  They will attempt to decrypt your file with one of the discovered decryption keys, and if they're successful you'll receive an email with the key and instructions on how to decrypt the remainder of your encrypted files.


Still Running Microsoft Windows Server 2003?

With so many companies still tackling the upgrade or replacement of Microsoft XP computers and Microsoft Exchange 2003 servers, the last thing many want to hear is that another server operating system is also about to hit its End Of Life.

July 14, 2015 has been given by Microsoft as the end of life date for Windows Server 2003, meaning it will no longer be supported with security updates, other updates, or patches.  Wes Miller of Directions on Microsoft says, "There are a surprising number of them (Windows Server 2003 servers) out there, in SMBs, and we're still seeing it pretty regularly in the Enterprise space."

Many users have stayed with Windows Server 2003 for the same reasons they've stayed with XP for so long; it was a good operating system that has served them well, with few issues for many years.  Miller went on to say, "Windows Server 2008 and later editions did change the game quite a bit, but a lot of people were happy with Windows Server 2003 R2.  A lot of businesses are happy with it, so there's no motivation to change it."

An End Of Life such as this can be very frustrating for companies where the existing system is running well, or where the option to upgrade is financially prohibitive or could significantly disrupt business operations for a time.  The other side of all those concerns is that without security updates you'll be leaving your server, and likely your entire network, vulnerable to attack.

Consider Windows XP: industry experts have recently estimated that 20% of all users are still running XP, but over 30% of cyber attacks are aimed at those XP computers.  In the same way, Windows Server 2003 will be in the sights of future cyber attacks as soon as its security updates stop coming.

The good news is you're reading this article now and have almost a full year to plan and make the transition.  You have time to consider your options and to check with your software vendors to make sure their software will be compatible with the new operating system you decide to go with.

If you're ready to look at upgrading, or would just like to discuss upgrade options, get in touch with Top Speed Computer Services today!


The Cost Of Data Loss & How To Avoid It

  • Published in Backups

Recently more than 1,000 small to mid-sized businesses were surveyed by Spiceworks about their data backup and recovery budgets, technologies, and planning.  According to the survey results, 45% of the respondents said their business had experienced a data loss; of those data losses, 54% were due to a hardware failure and 28% were due to human error.  The average hard cost to recover the lost data was reported at $9,000, but that does not take into account the cost of lost time and productivity while the data was being recovered.

A recent Intel publication shows that the average number of days needed to re-enter 20Mb of lost data is 19, that the cost of recreating data from scratch is $8,000 per MB of lost data, and that 60% of small businesses that lose data go bankrupt within 6 months of the disaster.

Yet with all this data available, the Spiceworks survey showed that 42% of companies don't have a disaster recovery plan, and, even more concerning, only 67% of the companies surveyed were backing up their most important data.  Of those surveyed who do back up, the average annual cost for those backups was $5,700; backup methods included external hard drives, hosted backup solutions, tape backups, replication, and optical storage (CD / DVD).

What should you be doing now to make sure you're prepared if the day comes and you join the 45% who've experienced a data loss?

First, make sure you are backing up all of your critical data at the very least, and likely at least some of the data that you could recreate but that would be time consuming or burdensome to recreate.

Next, consider how you are backing up.  Are you backing up locally at your office (tape drive, external hard drive, etc.)?  What would you do in the case of a fire or other natural disaster?  Are you backing up to an online service?  Are you comfortable with the service, and is it set up to back up company databases, not simply home user files?  Are you backing up to CDs or DVDs?  Are they stored in a secure location?

Lastly, do you have a schedule where you check your backups to make sure they are doing their job?  Do you have issues with tapes filling up?  Is your online service backing up only your server, while you've discovered employees are saving mission critical data locally to their hard drives?  After doing a backup to a DVD, do you check to make sure all files copied properly and are accessible?
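The last step above, checking that every file actually made it into the backup and is readable, is easy to automate.  The following is an added example (not code from the article or from any backup product) that walks a source tree, hashes each file against its copy in the backup, and reports what is missing, changed, or unreadable; the directories and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(source_dir, backup_dir):
    """Walk source_dir and confirm each file has a byte-identical copy under
    backup_dir. Results are grouped by outcome so problems can be fixed now
    (re-run the job, fix permissions) rather than discovered during a restore."""
    report = {"ok": 0, "missing": [], "mismatched": [], "unreadable": []}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir).replace(os.sep, "/")
            dst = os.path.join(backup_dir, rel)
            if not os.path.isfile(dst):
                report["missing"].append(rel)
                continue
            try:
                same = sha256_of(src) == sha256_of(dst)
            except OSError:
                # A copy that exists but cannot be opened is as useless as a
                # missing one when you need it back.
                report["unreadable"].append(rel)
                continue
            if same:
                report["ok"] += 1
            else:
                report["mismatched"].append(rel)
    for key in ("missing", "mismatched", "unreadable"):
        report[key].sort()
    return report


def demo():
    """Constructed sample: a source tree and a backup copy with two defects."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        bak = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "db"))
        os.makedirs(os.path.join(bak, "db"))
        originals = {
            "db/ledger.sqlite": b"ledger contents, version 2",
            "notes.txt": b"meeting notes",
            "report.docx": b"quarterly report",
        }
        for rel, data in originals.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        # One good copy, one stale copy from an earlier run, and one file
        # the backup job never copied at all.
        with open(os.path.join(bak, "notes.txt"), "wb") as f:
            f.write(originals["notes.txt"])
        with open(os.path.join(bak, "db/ledger.sqlite"), "wb") as f:
            f.write(b"ledger contents, version 1")
        return verify_backup(src, bak)


if __name__ == "__main__":
    print(demo())
```

Pointing verify_backup at a real share and a real backup target (a mounted DVD, an external drive) and scheduling it alongside the backup job turns the "do you check?" question into a report you can read.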

Data is now central to all businesses; conversations about procedures for backups and disaster recovery should be had regularly to make sure you don't find your company in a crisis recovery situation!


Best Practices When Registering a Domain Name

So many times we've seen a website owner struggling to manage their domain name registration because best practices weren't used when it was originally registered.  In many cases it was simply not knowing what the best practice is, or having paid a web designer to both create the site and register the domain name.

There are 4 contacts of record, and an optional 5th, with any domain registration.  Whether you have paid for domain privacy or not will determine whether all of these contacts are visible.  Many companies pay for domain privacy simply to stop all of the fake invoices that come in the mail from other registrars trying to get you to pay them and thereby move your domain to that registrar, but that's another subject.

The first contact is the Registrar; this is the body that maintains your domain's registration information.  They are the company that shows your domain is registered to you and not available for anyone else to take.  The registrar also publishes the nameserver information so that people on the Internet can find out how to reach services using your domain, most commonly your website or email delivery.

The second contact is the optional one: the Reseller.  The reseller is who you pay (annually, every 5 years, etc.) for registration of your domain name; they in turn register your domain through the Registrar.  This is hidden when domain privacy is purchased.  If you purchased directly through a registrar, no Reseller will be listed.

The third contact is the Registrant.  It is wise to make sure this is you, as this contact's authority supersedes that of the Admin contact, but it is often listed as the ISP or web developer who initially registered the domain for you.

The 4th contact is the most important, and it should be YOU!  This is the Admin contact for the domain name; if you want to have control of the domain, this has to be your name and your company information.  If you have a falling out with your web developer and want to transfer your domain name to a new Registrar or change nameservers, you may be out of luck if they're the Admin contact, because it looks like they, not you, own that name.  More about this in a moment.

The 5th contact is the Tech contact, and this should be either the ISP you're hosting with or your web developer. This is the person who is often contacted when there are technical issues with the domain. This can include spam complaints, compromised web script reports, etc.

Back to what happens when you aren't the Admin contact.  See an example below.

[Image: whois record for a locked domain, with highlighting]

The domain in question doesn't matter; do a few whois searches and you're bound to find this kind of situation.  What matters is that this domain was registered by the ISP without using best practices, and now, as a result of a billing dispute (that has nothing to do with the domain itself), this domain is locked.  (Domain transfers can be denied by the current Registrar for "Non payment for previous registration periods...", making it clear that this is a very narrow reason for refusing a transfer.)  This company would like to transfer their domain away from Utility Webhosting Websites, but Utility Webhosting Websites has locked the domain against transfer.  Worse, by appearances, the company does not own the domain name, because they are not the Admin contact, nor are they the Registrant.

So what do they do now?  Typically this process would use a Form of Authorization (FOA) obtaining authorization from the Registrant or Admin contact to transfer the domain.  Well, that isn't going to help here; the Registrant/Admin are the ones who put the lock on the domain in the first place.  This is your domain, your company's website, and you've been paying for both for years, but you're stuck with what would seem to be a clerical error: the domain's record doesn't list you as the owner.  The owner as it's registered is Utility Webhosting Websites.  This is the heart of the problem!

From ICANN (Internet Corporation for Assigned Names and Numbers), the governing body who handles domain name disputes including transfer disputes and Intellectual Property disputes, "The Administrative Contact and the Registered Name Holder...are the only parties that have the authority to approve or deny a transfer request to the Gaining Registrar.  In the event of a dispute, the Registered Name Holder's authority supersedes that of the Administrative Contact."

Let's say a billing dispute had arisen that had nothing to do with the domain name, and the ISP had used that as an excuse to lock the domain, but the Registrant and Admin contacts were the company who registered the domain name.  This becomes a fairly easy filing with ICANN to get the domain name transferred.  Once an FOA has been completed and the complaint against the losing Registrar is filed, the Registry Operator who reviews the documents will issue the decision within 14 days, and as long as the t's are crossed and i's dotted the transfer will be forced to the new Registrar.  This process is fairly simple because ICANN is clear that, as far as issues of billing go, domain transfers can be denied by the current Registrar only for "No payment for previous registration periods (including credit card charge-backs) if the domain name is past its expiration date or for previous or current registration periods if the domain name has not yet expired."  ICANN goes on to say that "Nonpayment for a pending or future registration period" is not an acceptable reason for the change of Registrar to be denied.

However, without the proper contacts in the Registrant and Admin fields there is no FOA, and without an FOA the resolution is much more complicated and may in the end still be denied, as it requires finding a way to prove you are the legitimate registered owner of the domain name in question.  ICANN reiterates time and again: "If the Gaining Registrar is unable to provide a complete FOA with data matching that contained within the authoritative Whois database at the time of the transfer request..." the transfer shall be denied or reversed, depending on how events occurred.  This makes the next steps, in conjunction with appealing to ICANN, other court proceedings to prove your domain name is indeed your Intellectual Property and not the property of the existing Registrant / Admin.

Before you find yourself in a difficult situation needing to prove you are indeed the owner of your domain name(s), make sure your registration information is correct and you are listed as the Registrant and Admin contacts.  If you're not sure how it's currently listed, do a Whois on your domain name.  From there, if you need to make any corrections or updates, get it taken care of right away!  It's not a headache worth having when it's a simple fix right now!
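If you manage more than a handful of domains, the Whois check above is worth scripting.  This is an added example (not code from the article or from any registrar) that parses the "Key: value" lines of a whois response and flags exactly the two problems the article describes: a Registrant or Admin contact that is not your company, and a transfer lock.  The two whois records are constructed samples with placeholder names, not real registrations.

```python
import re

# Constructed sample whois output (not a real record), modelled on the
# situation the article describes: the hosting provider, not the business,
# is listed as Registrant and Admin, and a transfer lock is set.
LOCKED_WHOIS = """\
Domain Name: EXAMPLE-BUSINESS.COM
Registrar: Example Registrar, Inc.
Reseller: Example Hosting Provider
Domain Status: clientTransferProhibited
Registrant Name: Example Hosting Provider
Registrant Organization: Example Hosting Provider
Admin Name: Example Hosting Provider
Admin Organization: Example Hosting Provider
Tech Name: Example Hosting Provider
Tech Organization: Example Hosting Provider
Name Server: NS1.EXAMPLE-HOSTING.NET
"""

# The same domain as it should look: the business holds Registrant and
# Admin, the host remains only the Tech contact, and no lock is set.
CORRECT_WHOIS = (
    LOCKED_WHOIS
    .replace("Registrant Name: Example Hosting Provider", "Registrant Name: Jane Owner")
    .replace("Registrant Organization: Example Hosting Provider",
             "Registrant Organization: Example Business LLC")
    .replace("Admin Name: Example Hosting Provider", "Admin Name: Jane Owner")
    .replace("Admin Organization: Example Hosting Provider",
             "Admin Organization: Example Business LLC")
    .replace("Domain Status: clientTransferProhibited", "Domain Status: ok")
)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of key -> list of values
    (keys such as Domain Status and Name Server can legitimately repeat)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip(), []).append(m.group(2))
    return fields


def audit_contacts(fields, my_org):
    """Return a list of findings; an empty list means the record follows the
    article's advice. my_org is the business that should own the domain."""
    findings = []

    def listed_for(role):
        return fields.get(f"{role} Organization", []) + fields.get(f"{role} Name", [])

    for role in ("Registrant", "Admin"):
        listed = listed_for(role)
        if not any(my_org.lower() in v.lower() for v in listed):
            shown = listed[0] if listed else "<none>"
            findings.append(f"{role} contact is not {my_org} (listed: {shown})")
    # Any *TransferProhibited status blocks a move to another registrar.
    locks = [s for s in fields.get("Domain Status", []) if "TransferProhibited" in s]
    if locks:
        findings.append("Transfer lock is set: " + ", ".join(locks))
    return findings


if __name__ == "__main__":
    for label, text in (("locked", LOCKED_WHOIS), ("correct", CORRECT_WHOIS)):
        result = audit_contacts(parse_whois(text), "Example Business LLC")
        print(label, result or ["no findings"])
```

Feed it the output of your own whois lookup and your company name; anything it reports is something to fix with your registrar before a dispute ever starts.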


A Copycat Of CryptoLocker Has Appeared In The Wild

  • Published in Security

Another group has made a copycat of CryptoLocker, and they've gone so far as to even use the CryptoLocker name.  Recently, though, some users are seeing the infection identified as TorrentLocker; perhaps the original creators of CryptoLocker are feeling territorial about the use of their name.  Beyond stealing the name and being a ransomware infection, these two infections are not the same.

This new CryptoLocker encrypts all of your data and renames the files with a .encrypted file extension, although this version does not delete shadow volume copies, which in some cases can be used to recover files. You then receive a ransom note, so to speak, giving you a link to purchase the decryption key for your files.  The cost for the decryption key is 1.8 Bitcoins and, interestingly, is posted in AUD, Australian currency.  1.8 Bitcoins may seem like an odd amount, but at the time of this CryptoLocker's release it was equal to 1,000 AUD.

Upon clicking the link you're sent to a website that, at least in some screen shots, provides a Buy It Now price and a Buy It Later price as well as the total number of files encrypted.  Clearly wanting to make sure you are able to buy the decryption key, it also offers information on how to register a Bitcoin wallet and how to purchase Bitcoins.

[Image: TorrentLocker payment page]

This infection is using a static Bitcoin address, so anyone can go see the payment activity associated with those purchasing the decryption key.  As of this morning the total Bitcoins received stands at 77.52790304 BTC, or roughly $36,876 USD, since late August. The cyber criminals' haul is over $35k USD in just over 2 weeks.  Looking at booty like that, it should become clear to everyone why this kind of crime isn't going anywhere and why having a quality enterprise backup solution is a must have for any business. Call or email Top Speed today to learn what an Enterprise Backup Solution will do to protect your company's valuable data. 775-852-1811


UPS Store On Keystone Avenue Reportedly Breached By Malware

  • Published in Security

UPS Stores have reported that malware has been found on Point of Sale (PoS) systems in 51 stores around the country including one locally on Keystone Avenue.  Twenty-four states are reported to have stores affected by this malware.

This particular malware went undetected for quite some time, as it was not caught by anti-virus software.  The malware found is believed to have compromised credit and debit card information, as well as postal and email addresses.

The breach includes approximately 100,000 transactions between January 20, 2014 and August 11, 2014; dates vary by specific location.  UPS spokesman Chelsea Lee has said the company is not currently aware of any fraud related to the attack.

If you or anyone you know has shopped with a credit card at the Keystone Avenue location or any other UPS Store, make sure you take the necessary steps to protect yourself and pass the information on to others who may also be affected.  Currently the UPS Store's advisory says they do "not have sufficient customer information to contact potentially affected customers."  So it is now up to the communities and social media to spread this information so anyone who may have been affected can act before they experience any kind of credit / debit card fraud.

From Tim David, President of The UPS Store, "Please know we take our responsibility to protect customer information seriously and have committed extensive resources to addressing this incident. We understand this type of incident can be disruptive and apologize for any anxiety this may have caused."

If you shopped at The UPS Store and are concerned you're at risk, make sure you make use of the free credit monitoring being offered.  For a full list of affected stores, see below.  For the Data Security Incident Information or the All Clear ID protection being offered, click here.

This is another example of the kind of PoS malware previously seen in the Target breach.  It seems clear that PoS malware is becoming a larger and more serious threat to retail stores, and it is important that companies take steps toward securing their Point of Sale systems.

[Images: list of affected UPS Store locations]


The Trouble With PastaLeads

PastaLeads is one of the most annoying pieces of Adware out there.  This isn't the kind of infection that just slows down your computer; this nasty piece of Adware creates a Windows service that constantly runs in the background, and as if that weren't bad enough, it also configures your web browser to use a proxy server.

What does that mean for my computer?  PastaLeads generates leads, typically for outbound sales companies.  For instance, let's say you need auto insurance, so you do a search.  Suddenly a window pops up with a form where you enter your information, and then the program will send that "lead" to auto insurance sales people who will contact you.

Wait, you say, that seems helpful, not harmful.  As helpful as this program seems, the problems caused are two-fold.  First, you will be inundated with pop-up advertisements: all kinds of insurance, tech support (which are often scams that will try and get you to spend a fortune for a non-existent problem; see this article for more details), home cleaning services, lawn care, etc.  Second, any information you enter (consider what you enter whenever applying for any kind of insurance) is immediately shipped off to unknown 3rd parties to use for marketing or other more nefarious purposes.


How does your computer end up with PastaLeads or PastaQuotes installed?  This is one of those infections that piggybacks on top of free software you download and install off of the Internet.  Remember the old adage, "There's no such thing as a free lunch"; there's also no such thing as free software off the Internet.

It is very important you pay attention when installing any software onto your computer!  Sure, it looks easy to just click through and select the Recommended install when you get to the screen that has installation choices like "Standard (Recommended)" or "Custom" (sometimes also "Advanced"), but if you want to know what 3rd party crud is being installed along with your software you should typically choose Custom or Advanced, as that will often allow you to opt out.

Additionally, when you read the license agreement (yes, you should read it) or the installation screens and find them telling you that they will be installing a toolbar or other add-on along with the desired software, now would be the time to cancel the install and go find another option.

Or, more generally speaking, simply avoiding "free" software is the best way to go, because if that free software includes something you have to pay a computer company to remove, then it really wasn't free in the first place.
