Author: Making IT Right PTY LTD

WannaCry Ransomware: what is this?

Some of you may have heard of this malware.  The WannaCry outbreak began on 12 May 2017 and within days had infected around a quarter of a million computers in some 150 countries.  WannaCry is a worm as well as ransomware: it spreads on its own by exploiting a flaw in the SMBv1 file-sharing protocol built into Windows (the “EternalBlue” exploit), so one infected machine will infect every unpatched machine it can reach on the network without anyone opening an attachment.

Windows XP and Windows Server 2003 were out of support and had no fix available when the outbreak started, but since few computers still run those operating systems, most of the machines hit were running Windows 7.  Microsoft had already fixed the flaw for supported versions of Windows in March 2017 (security bulletin MS17-010), two months earlier; computers that had installed that update were not affected.  Within days of the outbreak Microsoft also released an emergency patch for XP and Server 2003, and a researcher registered a “kill switch” domain found in the malware’s code, which together slowed further infections down dramatically.

An infected computer displays a message stating that its files have been encrypted.

A demand is made for a payment in Bitcoin to the value of US$300, doubling to US$600 if not paid within 3 days, with a threat to delete the files after 7 days.  By the end of May 2017 a little under US$130,000 had been transferred to the Bitcoin addresses hard-coded into the malware.  Paying was no guarantee of anything: WannaCry had no reliable way to tie a payment to a particular victim, so even those who paid were not assured of getting their files back.

What can you do to protect yourself?

  1. Patch.  The flaw WannaCry used was fixed by Microsoft in March 2017 (security bulletin MS17-010), two months before the outbreak, so any Windows 7 machine with that update installed was safe.  Keep Windows Update turned on.  If you do not need the old SMBv1 file-sharing protocol, disable it, and never expose file sharing (TCP port 445) to the internet.
  2. Backup your data.
  3. Backup your backup (keep multiple backups).  A single backup that simply mirrors the live data will faithfully copy the encrypted files over the good ones.
  4. Keep an “air gap” between your computer and your backup, i.e. disconnect the backup drive once the copy is complete.  Ransomware encrypts every drive it can see, including USB drives and mapped network shares.
  5. Test that your backups can actually be restored.
  6. Decryption tools.  The major antivirus companies publish free decryptors for some ransomware families, but these only work where the family’s encryption is flawed or its keys have leaked; some need an original, unencrypted copy of one of the encrypted files to compare against.  For WannaCry itself, a tool released shortly after the outbreak could sometimes recover the key from the memory of an infected machine, provided it had not been rebooted since infection.  None of this is guaranteed, but it is worth trying before giving up on the data.
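The patching and SMBv1 advice above, as a script you can run on a Windows PC.  This is an added example and not part of the original post: it reports whether the March 2017 MS17-010 updates are present, whether the SMBv1 server is still enabled, and which inbound firewall rules mention port 445, and with `-Fix` it disables SMBv1 and blocks inbound TCP 445.  The KB numbers (KB4012212 and KB4012215) are the Windows 7 SP1 / Server 2008 R2 ones only; the firewall rule name and the script file name are this example’s own choices.

```powershell
# Added example, not from the original post: check a Windows PC for the two
# conditions WannaCry needed (SMBv1 on, MS17-010 missing) and optionally close
# them off.  Run from an elevated (Administrator) PowerShell prompt.
# ASSUMPTIONS: Windows 7 SP1 / Server 2008 R2 or later; the KB numbers below are
# the March 2017 updates for Windows 7 / 2008 R2 only (other versions have their
# own KB numbers).  The firewall rule name is this example's own choice.
# Usage:  .\Check-WannaCryExposure.ps1          # report only
#         .\Check-WannaCryExposure.ps1 -Fix     # also disable SMBv1, block TCP 445 in
param([switch]$Fix)

# 1. MS17-010 by KB number.  KB4012212 = security-only update, KB4012215 = monthly
#    rollup.  Every later monthly rollup also contains the fix, so "not found" means
#    "check Windows Update history", not "vulnerable".
$ms17010 = @('KB4012212', 'KB4012215')
$found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) { "MS17-010: found $($found.HotFixID -join ', ')" }
else        { "MS17-010: March 2017 KBs not found; confirm a later rollup is installed" }

# 2. SMBv1 server side.  The LanmanServer 'SMB1' value governs this on Windows 7
#    through Windows 10; when the value is absent the protocol is ON (the default then).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1   = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1On = ($null -eq $smb1) -or ($smb1 -ne 0)
if ($smb1On) { "SMBv1 server: ENABLED (exploitable if MS17-010 is missing)" }
else         { "SMBv1 server: disabled" }

# 3. Inbound firewall rules that mention port 445 (file sharing).
$rules445 = netsh advfirewall firewall show rule name=all dir=in | Select-String 'LocalPort:\s+445'
"Inbound firewall rules for port 445: $(@($rules445).Count)"

if ($Fix) {
    # Disable SMBv1 serving (the Microsoft KB2696547 registry method); takes effect after a reboot.
    Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord
    "SMBv1 server disabled in the registry; reboot to apply."

    # Block inbound SMB from everywhere.  If this PC must serve files to other PCs on
    # the LAN, do not add this rule: rely on the built-in File and Printer Sharing
    # rules (scoped to the local subnet) and block port 445 at the internet router.
    netsh advfirewall firewall add rule name="Block inbound SMB (WannaCry)" dir=in action=block protocol=TCP localport=445 | Out-Null
    "Inbound TCP 445 blocked by Windows Firewall."
}
```

On Windows 8.1, Windows 10 and Server 2012 R2 or later, `Get-SmbServerConfiguration` (property `EnableSMB1Protocol`) and `Set-SmbServerConfiguration -EnableSMB1Protocol $false` are the cleaner way to read and change the SMBv1 setting; the registry value used above works on Windows 7 as well, which is why the example uses it.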

Apple iOS 10.3.1 Update

Released only 7 days after the 10.3 update.

Make sure you back up your device before performing any update, “just in case” something goes wrong, so that you have a recovery point to go back to.

Apple has released the 10.3.1 update for iOS devices: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later.

From the Apple Support Website:

Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Description: A stack buffer overflow was addressed through improved input validation.

CVE-2017-6975: Gal Beniamini of Google Project Zero

Because the flaw is in the firmware of the Broadcom Wi-Fi chip itself, an attacker only needs to be within Wi-Fi range of the device; the owner does not have to open anything or click a link, which is why Apple pushed this fix out so soon after 10.3.  10.3.2 is already being tested by Apple.

Telstra Business- Digital Office Technology (DOT) Department – New Modem Request

Wow, what a drama this has been.  Last week, Tuesday the 17th of January 2017, I went to a customer who has a DOT ADSL service at his home.  I was delivering a new laptop for him.  I expected to be able to connect to his Telstra Netgear modem via WiFi.  Well, I saw the SSID (signal name) and knew the password and tried connecting.  NO LUCK.  I tried connecting to the modem using my iPhone; again no luck.

Rebooted modem a few times, still no luck.

All the setup work on the laptop pre-delivery was done in my office via WiFi, so I knew the laptop WiFi worked.  I could connect the laptop to my iPhone using my personal hotspot.

I removed all security from the modem WiFi to see if it would connect.  No connection permitted.  I simplified the security password.  Again no luck.

At this point I felt that the modem was the issue, so I called Telstra support on 132000 to get some advice on what to do.  They suggested everything that I had already tried.

Well, after 45 minutes to an hour, after speaking initially with tech support and then to billing to get a new modem ordered, they asked that I stay on the line to make sure that the modem order was correct and that it would go through.  $20/month for 24 months for the new 7610 modem, or a $480 one-off payment.

3-5 business days, I am told.  OK!!  I got sent a callback link/SMS to my phone from billing, should I need to contact them directly.  These links can only be used once.

I then arranged to return this week (today) to install the newly ordered modem.  Surely this would be enough time.

I received a call from my customer yesterday, 23-1-2017, to say that the modem had still not arrived, so I used my callback link to get in touch with Telstra again.  I spoke again to billing, who informed me that the order had been rejected by the warehouse because it was incomplete.  They bounced the request back to billing, who failed to respond to the return email.  So nothing was ordered.

“NOT HAPPY JAN”

I was then told last night that they were so sorry, and would put through an urgent request to get the modem out ASAP and look to compensate my client for their stuff-up.  I was told by the current billing contact to contact her directly using the link she would send me.  I got one of these SMS messages last week, so I foolishly thought I would receive it again.  My bad.  I hung up before receiving the SMS.  I got no message at all.

Today I called again, but this time I was forced to call the 132000 number again; no shortcuts via an SMS link.

After a lengthy wait I again got through to billing who, since I had not connected with them using an SMS link, needed to speak to my customer to get authorisation.  That was a drama to get again, as I was not onsite this time.

When they managed to get authorisation again from my client, they told me that the order had not been placed last night.  WHY NOT!!  I am spewing at this point.

Again they said they would place the order, and again it will take around 5 days to process and get shipped.  I was sent a one-time SMS link from billing, but was also asked, “do you want to stay on the line while we process the order or shall we call you back?”.  HMMM!!  Each time I get asked to stay and wait on the line for 2-3 minutes, the clock actually shows more like 20 minutes.

I said she could call me back rather than me wait for her call.  I have other work to do.

Well, it is 45 minutes now as I am writing this, and still no call back.  4:45pm now; I finished the call at around 4pm.

Where has customer service gone?  Overseas, I expect.

Ransomware Impact

A week or so ago, the office of a client of mine was attacked by a new variant of ransomware (Cerber).  It spread across multiple office computers and also to all USB drives connected to the infected computers.

Not all the computers had current antivirus protection.  (McAfee was running on one of the computers, while another had an expired antivirus subscription.)

There was no backup in place on any of the computers.

End result: most of the company’s important data was lost.  MYOB data could be recovered from a copy two months old held by the accountant.  I managed to recover around 10 GB of data from one infected computer, consisting of Excel files, Word documents, PDF documents and images.  Over 16,000 files were encrypted on one of the computers.

Even Dropbox started to sync the encrypted files to the cloud.  Sync services are not backups: they mirror whatever is on disk, encrypted or not.  Dropbox does keep earlier versions of files for a limited period, so rolling the files back through its version history is worth attempting in this situation.

Each encrypted file was renamed by adding a random 6-character suffix to the end of the file name.

A warning message was displayed on screen as a changed desktop wallpaper image.

Wherever files were encrypted, a text file explaining what had happened was saved together with an HTML file providing links to get your data decrypted, provided a ransom was paid in Bitcoin.

[Image: Cerber ransomware message]

I attempted to get the data decrypted using a number of online tools from the major antivirus companies.  None of them could fix the data.  Since each file had a different suffix added, it was next to impossible to match a decryptor to the files based on the extension name.

Cerber ransomware description

[Image: Cerber ransomware description]

BACKUP BACKUP BACKUP!!!

Contact me and I can put something in place to minimize the risk to you or your business.

0414405007  (Natan)

Sonos Wireless Sound System

[Image: Sonos logo]  Note the name allows the logo to be inverted and still read correctly.

A few months ago, I was contacted by a gentleman in his late 70s/early 80s.  He had an existing LG soundbar and woofer connected to his TV but was unable to get the sound quality he needed to be able to hear the dialogue from the TV.

I did some research on what options were available and finally suggested he try the Sonos sound system.

He went into the stores (Bing Lee/JB Hi-Fi/Harvey Norman) and tested out a few that I had mentioned (Bose/Samsung/Sonos/B&O etc.) and agreed that the best sound appeared to come from the Sonos system.

So he agreed to purchase the Playbar [Image: Sonos Playbar] and two Play:1 [Image: Sonos Play:1] speakers.

Well, the initial installation went OK and appeared to go without a hitch, with the Playbar connecting to the TV via an optical cable [Image: optical cable].

The two play 1 speakers were connected as a stereo pair and then grouped with the Playbar to get the TV sound playing out of all three speakers.

The Sonos app had to be installed on his iPad mini, which acted as a controller and allowed the volume of the Playbar and the Play:1 pair to be controlled together or separately.  It also allowed the existing TV remote to control the volume.

After having resolved a few issues with setup using Sonos support, I was called back by the customer a few hours later when the Play:1 speakers were no longer getting sound; only the Playbar had sound.

I chased this issue down with the Sonos rep, who was very helpful.  He told me about a previously unmentioned setting in Sonos which, if selected (the default), will ungroup the speakers when the TV is turned off.  Support had not mentioned this feature, nor was it in any manual.  Go figure!!

I changed this setting and the connection grouping was retained even when the TV was turned off.

The home where this system was installed was using an Asus WiFi ADSL2+ modem router.  This appears to be less stable than using a Sonos Bridge, as suggested by the Harvey Norman sales rep.

This was the cheapest component at under $100 [Image: Sonos Bridge].  Currently, all Sonos speakers communicate via the SonosNet peer-to-peer mesh network, which must be connected directly to a router via the Bridge device. The firmware update will work with all existing Sonos products, but there are a few limitations to the new “wire free” Sonos setup.

The Bridge connected to the modem via an Ethernet cable and the Sonos system then talked to the Bridge.  Things appeared to be stable for a few months, but now again the Play:1 speakers are having issues.  The sound appears to alternate between the left and right speakers.

According to the Sonos rep, this is probably caused by WiFi interference.  They have suggested calling their Melbourne support line and seeing what they can do or suggest.

WiFi interference can come from the modem itself, from a new WiFi network being turned on nearby (a neighbouring apartment) generating an interfering signal, or from a cordless phone that uses the same 2.4 GHz band.

Let me know if you need help with purchasing and implementing a SONOS system.

Swapping your conventional Hard Disk Drive (HDD) to a new Solid State Drive (SSD)

I recently received a call from one of my customers to say that one of the computers in their office was performing very slowly.  It was an older computer using a conventional hard drive with a capacity of 500 GB.

Option 1:  Replace the computer with a new one, which would come with an SSD installed.  The cost of such a machine could be between $1100 and $1600.  On top of this we would have to set the machine up to work in the office by adding networked printers, mapping network drives, configuring the standard antivirus software, installing Office 2013 again, etc.  All this will take a few hours and add to the overall cost.

Option 2:  Clone the contents of the existing drive onto a new SSD of the same size, then unplug the old drive and connect the new one.  Under the covers there is a change of drive, but nothing appears to have changed on the PC except for the boost in performance.  Cost here would be 1-2 hours of labour plus the cost of the drive.  Drives vary in cost depending on the brand, quality and capacity in gigabytes.  It is always recommended to clean up the drive and remove all unnecessary data to speed up the cloning process.  Note that the old drive still holds a complete copy of everything that was on the machine, so it should either be kept somewhere safe as a known-good fallback or securely erased before it is reused or disposed of.

SSDs come in the 2.5″ form factor normally used in laptops.  Capacities start as small as 120 GB and go up to 1 TB (1000 GB), and they cost from around $100 up to $500.

I finished cloning the drive and the computer performance was, as the customer put it and I quote, “computer booted-up ‘like lightning’…thanks”.

The drive rating using the Windows Experience Index went from 5.9 to 7.4 out of a possible 7.9.  A vast improvement.

UPS (Uninterruptible Power Supply) and Laser Printers

I found out an interesting bit of information today about UPS devices (UPS is short for Uninterruptible Power Supply).

I installed an 850 W Eaton unit at a client’s and connected an HP desktop all-in-one and a multi-function laser printer.  That’s all.  Well, after charging the unit for the prescribed 6 hours, I turned off the computer and then plugged it and the printer into the UPS.  I turned on the UPS and after a short while a loud continuous beep sounded and did not stop.  I checked the manual (a 2-page document) and the only mention was that the beep could be caused by a fault in the UPS.  I went back to my supplier, who said he would loan me another unit to test whether it was the UPS at fault.  It had the same issue.

After calling the Australian supplier of these units, I was asked if I was connecting a laser printer.  I told them that I was.  He said that I should try not connecting the printer, and connect only the PC.  I went back and did this, and the unit did not beep.  Very strange!  Well, I researched this a little further and found the following article: http://superuser.com/questions/466642/why-shouldnt-i-attach-laser-printers-or-scanners-to-a-ups/466645

In summary, it states that one should never connect a laser printer to a UPS.  I guess that should be in the manual in bold lettering!!

When turned on, Laser printers draw a high current to heat up their fuser roller.

A typical UPS cannot cope with such a spike.

Descriptions of the problem by UPS manufacturers do not go into details.

The problem may be one or other of

  • The initial inrush current at start-up, This can be seven or more times the average operating current of the printer.
  • Initial power-on, when the fuser is heated to the temperature needed to fuse toner. Subsequent re-heating of the fuser may be periodic, or may occur when the printer switches from an idle state to full power to satisfy a print request after a period of inactivity.

Fuser temperature is up to 200 °C (392 °F).

Odin Ransomware

On 3 October 2016 I received an urgent call from one of my customers.  They had started one of the computers in the office and this triggered what turned out to be the “ODIN” ransomware.  It quickly spread to their server, infecting files on both computers.  It appeared that a file called payment_receipt_contact_235142.zip contained a JavaScript file (.js) which carried the malware.  (“Odin” is the name given to the variant of the Locky ransomware that appends .odin to the files it encrypts; a zip attachment hiding a script file was Locky’s usual delivery method.)

Read this article from Sophos: ODIN ransomware article

[Image: payment_receipt_contact_235142.zip attachment]
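Double-clicking a .js file from a zip runs it under Windows Script Host with the user’s full rights, which is how the attachment above was able to do its damage.  One simple defence for an office PC is to make those file types open in Notepad instead.  The script below is an added example and not part of the original post: the ProgIDs and registry paths are the standard Windows ones, while the choice of notepad.exe as the replacement handler, the saved-value name `PreviousCommand` and the script file name are this example’s own assumptions.

```powershell
# Added example, not from the original post: make double-clicked script attachments
# (.js/.jse/.vbs/.vbe/.wsf/.wsh) open in Notepad instead of running under Windows
# Script Host.  The ProgIDs and registry paths are the standard Windows ones; choosing
# notepad.exe as the replacement handler and the 'PreviousCommand' value name are this
# example's assumptions.  Run from an elevated (Administrator) PowerShell prompt.
# Usage:  .\Disable-ScriptAttachments.ps1               # repoint handlers to Notepad
#         .\Disable-ScriptAttachments.ps1 -Restore      # put the saved handlers back
#         .\Disable-ScriptAttachments.ps1 -DisableWsh   # turn Windows Script Host off entirely
param([switch]$Restore, [switch]$DisableWsh)

$progIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
$classes = 'HKLM:\SOFTWARE\Classes'
$notepad = '"%SystemRoot%\system32\notepad.exe" "%1"'
$wscript = '"%SystemRoot%\System32\WScript.exe" "%1" %*'     # stock Windows handler

foreach ($id in $progIds) {
    $key = Join-Path $classes "$id\Shell\Open\Command"
    if (-not (Test-Path $key)) { continue }          # ProgID not present on this build
    if ($Restore) {
        # Prefer whatever was saved on the first run; fall back to the stock handler.
        $saved = (Get-ItemProperty -Path $key -Name PreviousCommand -ErrorAction SilentlyContinue).PreviousCommand
        $value = if ($saved) { $saved } else { $wscript }
        Set-ItemProperty -Path $key -Name '(default)' -Value $value -Type ExpandString
        "$id -> restored: $value"
    } else {
        # Save the current handler, then point the file type at Notepad.
        $current = (Get-ItemProperty -Path $key).'(default)'
        Set-ItemProperty -Path $key -Name PreviousCommand -Value $current
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad -Type ExpandString
        "$id -> $notepad"
    }
}

if ($DisableWsh) {
    # Belt and braces: WScript.exe and CScript.exe refuse to run any script at all
    # when this value is 0.  Logon scripts or admin tools that rely on WSH will break.
    $wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $wsh)) { New-Item -Path $wsh -Force | Out-Null }
    Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord
    "Windows Script Host disabled machine-wide."
}
```

Two caveats.  A per-user “open with” choice stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice overrides the machine-wide handler, so check that key on any account that has been used to open scripts before.  And this closes only the script-attachment route: Locky was also spread through Office documents with macros, which is a separate setting (macro security in Office’s Trust Center) and a separate conversation with staff.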

I immediately told them to disconnect the backup drive that was connected to the server, in the hope that it had not yet spread to this device.  Fortunately the drive was not infected.  Very lucky!!

I determined, once I was able to pick up the two infected computers, that the antivirus that was “running” on the first computer was a trial version which had expired and so was not updating itself.

[Image: expired Trend Micro trial]

Computer 1 had over 3,000 encrypted files and the server had over 9,000.  Encrypted files were renamed filename.odin, like the Viking god.

In addition when the computer started up, the following message was presented.

[Image: Locky/Odin ransom message]

So, what had to happen from here?

The two infected computers did not have recovery discs or any record of the Windows software licences.  I did determine that there was what is called a recovery partition on each computer’s hard drive.

[Image: recovery partition]

I triggered a rebuild of the computers using this recovery partition, which resulted in Windows being reloaded.  (No Windows 10 Pro product key required.)

All other software would now need to be reinstalled.  Office, Adobe, Chrome, Firefox etc.

I downloaded and installed a 30-day trial of Trend Micro Maximum Security 10, which could be activated within 30 days.  This protected the two newly rebuilt computers until activation.  The workstation (i3 CPU) took over 10 hours to perform the rebuild and the server (i5) closer to 4 hours.

I have recommended that multiple backups be implemented, with there always being a current backup which is not connected to the system/network.  This is what is called an “air gap”, and it prevents the backup from being encrypted along with everything else.

I have also recommended having a full image taken of each computer in the office and stored on a separate drive (ideally two drives), to cover a system crash or a drive failure where you would lose the recovery partition as well.  It is easier to recover from this image.
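The backup advice in this post, and the same advice in the WannaCry and Cerber posts earlier on the page (multiple copies, verified, disconnected afterwards), as a working script.  This is an added example and not the author’s own tool: it copies a data folder into a new dated folder on an external drive, verifies every file by SHA-256, compares the new copy against the previous one and refuses to rotate old copies if an unusually large fraction of files has changed, which is what ransomware looks like from a backup’s point of view.  The paths, the retention count of 7, the 30% threshold and the script name are assumptions for illustration; it needs PowerShell 4.0 or later for `Get-FileHash`.

```powershell
# Added example, not the author's script: a dated, versioned copy of a data folder
# to an external drive, verified by SHA-256, with a crude ransomware tripwire.
# ASSUMPTIONS: the paths, retention count and 30% threshold are illustrative;
# requires PowerShell 4.0+ (Get-FileHash).  Unplug the drive when it finishes.
# Usage:  .\Backup-Versioned.ps1 -Source 'C:\Data' -BackupRoot 'E:\Backups'
param(
    [string]$Source     = 'C:\Data',
    [string]$BackupRoot = 'E:\Backups',
    [int]$Keep          = 7,       # how many dated copies to retain
    [double]$AlarmRatio = 0.30     # fraction of changed files that triggers the alarm
)

function Get-HashTable([string]$Root) {
    # Relative path -> SHA-256 of every file under $Root
    $table = @{}
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

# Previous copy, if any: 'yyyyMMdd-HHmm' folder names sort chronologically as strings.
$previous = Get-ChildItem -Path $BackupRoot -Directory -ErrorAction SilentlyContinue |
    Sort-Object Name | Select-Object -Last 1

# 1. Copy into a NEW dated folder.  Never mirror (/MIR) onto the only copy: a mirror
#    would overwrite the good files with their encrypted versions.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
robocopy $Source $dest /E /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# 2. Verify: every source file must be present in the copy with the same hash.
$srcHashes = Get-HashTable $Source
$dstHashes = Get-HashTable $dest
$bad = $srcHashes.Keys | Where-Object { $dstHashes[$_] -ne $srcHashes[$_] }
if ($bad) { throw "Verification failed for $(@($bad).Count) file(s), e.g. $(@($bad)[0])" }
"Verified $($srcHashes.Count) files in $dest"

# 3. Tripwire: compare against the previous copy.  Ransomware rewrites almost every
#    file at once, so a large fraction of changed hashes is a red flag even when the
#    file names look unchanged.
if ($previous) {
    $prevHashes = Get-HashTable $previous.FullName
    $common  = @($srcHashes.Keys | Where-Object { $prevHashes.ContainsKey($_) })
    $changed = @($common | Where-Object { $prevHashes[$_] -ne $srcHashes[$_] })
    $ratio = if ($common.Count -gt 0) { $changed.Count / $common.Count } else { 0 }
    if ($ratio -ge $AlarmRatio) {
        $msg = '{0:P0} of files changed since {1}; possible ransomware. Old copies NOT rotated; check the data before running again.' -f $ratio, $previous.Name
        Write-Warning $msg
        return
    }
}

# 4. Rotate: keep only the newest $Keep copies (skipped if the tripwire fired).
Get-ChildItem -Path $BackupRoot -Directory | Sort-Object Name -Descending |
    Select-Object -Skip $Keep | Remove-Item -Recurse -Force
"Backup complete. Disconnect the drive now."
```

The tripwire is deliberately simple: it will also fire after a legitimate bulk change (say, a big folder reorganisation), in which case a person looks, confirms the files open, and runs it again.  That is the right failure mode; the wrong one is silently rotating the last good copy out of existence.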

It might be strange to say this, but it could have been so much worse:

  • No backup, or an infected backup.
  • A corrupted or missing recovery partition.
  • More computers could have been infected in the office had it not been detected as soon as it was.  Other machines were turned off, so were not impacted.

Windows 10 Updates

Microsoft recently released the Windows 10 Anniversary Update, version 1607.  The previous version was 1511.  What does this version offer?

Take a look at these articles for a detailed listing.

http://www.zdnet.com/article/what-to-expect-from-the-windows-10-anniversary-update/

http://www.howtogeek.com/248177/whats-new-in-windows-10s-anniversary-update/

  1. Cortana has become smarter.  This is Windows’ version of Siri.
  2. There are more apps.
  3. You can interact with Android and Windows phones.
  4. More themes.
  5. Microsoft Edge (the new Windows 10 browser) supports extensions.
  6. Fingerprint authentication with Windows Hello, and unlocking the PC with companion devices.
  7. Start menu redesigned.

There are many more features.

If you are running windows 10 and don’t know what version you are running then

Hold down the Windows key and press the R key, then in the Run box type winver and press Enter.  This will show you the Windows version you are running.

Windows 10 Start menu [Image: Windows 10 Start menu] and the Anniversary Update menu [Image: Windows 10 Anniversary Update Start menu]

The update itself is around 3.5 GB in size, so unless you have a fast internet connection this will take a while.

Telstra Bigpond email change

If you have a Bigpond email account, you might be impacted by a recent change that has been rolled out.  

If you stop getting emails suddenly (late July 2016), then you may be part of a group whose mailboxes with Telstra require a change to the mail server settings in the mail software you use to access your email (mobile device, Outlook or similar).  Take the new settings from Telstra’s own support site rather than from an email, since messages asking you to “update your mail settings” via a link are a common phishing lure.

Let me know if this has happened to you.