Monthly Archives: January 2010

You are browsing the site archives by month.

I Have Anti-Virus Installed - Why Am I Still Getting Infected?

More and more frequently, we’re hearing the question: “I’ve got anti-virus software installed - why am I [or, alternately, why are my users] still getting infected?”

To understand the answer, we have to understand how the threat landscape has been changing over the last few years. The fact is that malware delivered as an email attachment is no longer the primary threat vector we have to worry about. The MooseGuardTM spam/virus filter for this author’s personal email account blocks anywhere from 300 to 800 spam messages per week. I can’t remember the last time one of them actually contained a virus payload. Instead, the primary threat vector these days is malware delivered over the Web - usually malware that we unwittingly install ourselves.

One of the realities of corporate computing is that it is very difficult to get permission to truly lock down the corporate PC desktop. Sometimes this is because there are legitimate applications that require the user to have some level of local administrative rights in order to function properly. But even when that is not the case, the pushback from users (often users in the executive suite) who want to be able to install their own MP3 player software, their own desktop wallpaper, their own fill-in-the-blank applications, can be extreme. So we end up backing down and giving users local admin rights to their PCs.

The problem is that if you have the necessary rights to install iTunes® on your PC, you also have the rights to install malware. So the game is all about tricking you into approving the installation without realizing what you’re doing. This is generally called “social engineering,” and it’s based on the concept that it’s easier to get people to give up information voluntarily than it is to take it by force.

Here are just a couple of examples that my spam filter caught this week. (Click on the image to view full-size.) First, a bogus credit card alert:

This is obviously designed to scare me into thinking that someone is trying to use one of my credit card accounts. Of course, the first giveway to me is the fact that the email address to which this was sent does not exist at But if this had arrived in someone’s personal email account with their correct email address, I can envision some number of people immediately shifting into “Oh, my God!” mode, and clicking on the link to see what happened.

What is not obvious from the image above is that the link is disguised. What appears on the surface to be a link to is in reality a link to I was not able to track down the owner of “” - in fact, it appears that the domain may have already been de-activated - but I was able to determine that “.vc” is the domain suffix for St. Vincent and the Grenadines. Not a likely place for Visa to be hosting important Web sites. No doubt the “VISA Card Holder Form” would have asked me to provide things like my account number, name on the card, expiration date, in short everything that a criminal would need to start using my card.

The next example plays on simple greed:

IRS Phishing Attempt

It’s telling me that I have a “503.15$” tax refund coming, and I need to submit the “Tax Refund Request Form” to claim it. One again, there are a couple of obvious (to me, anyway) tip-offs. First, “” doesn’t file tax returns. Second, in this country it is customary to place the dollar sign before the amount rather than after it. And, once again, the link is disguised: The “Tax Refund Request Form” is apparently being hosted on a domain called “” - not a domain I would expect to be associated with the IRS. This form would, no doubt, have asked me for my name, address, and social security number.

Unfortunately, there are attack vectors out there that are much more sophisticated than these two examples:

  • “Malvertising” - sometimes the bad guys purchase banner ads on legitimate Web sites and load them with, for example, an Adobe Flash exploit. If the Web site simply accepts the banner ad without somehow checking it for a malicious script, you have a recipe for infection.
  • “Clickjacking” - You may see a page that says something like, “Do you agree with Obama’s Health Care proposal?” with big “Yes” and “No” buttons. What you don’t see is the invisible layer of code in front of those buttons, so that when you click on what you think is a button, you’re actually clicking on a link that you can’t even see.
  • Social Networking exploits - One of the recent classic scams involved compromised Facebook accounts that were used to send direct messages to other Facebook users that said something like, “LOL. You’ve been catched on hidden cam, yo.” If you succumb to curiosity and click through the link, you’ll be taken to a page with what looks like an embedded video, but when you click on it, you will be prompted to download and install a “plugin” so you can view the video. Guess what? It’s not a plugin - it’s malware.
  • CSRF, a.k.a. “Cross Site Request Forgery” - This one should scare the heck out of you. Let’s say you’ve logged into your banking site. The site is probably set to log you out automatically after some period of inactivity, but in the meantime, you can probably even go to a different site and come back and still be logged in. Why? Because the site has set a “cookie” in your browser that identifies your banking session. Now let’s say you’re using a modern browser that allows you to have multiple tabs open to different sites. You have one tab open looking at your banking site, but you’re multi-tasking, and you have another tab open interacting with some forum somewhere. It is possible for malicious code in the forum site to send requests to your banking site without your knowledge - and because you’re legitimately logged into your banking site, the requests will be executed. So don’t multi-task when you’re browsing a site that’s important to you.

Malware these days is all about money. Sometimes the people who gather your information aren’t out to use it themselves. Rather than run the risk of being caught and arrested for being directly involved in fraudulent activity, they compile and sell the information to others. There’s a robust marketplace on the Internet for stolen data. According to Symantec, it’s possible to buy:

  • Bank accounts for $10 - $1,000 each
  • Credit cards for $0.40 - $20 each
  • Full identities for $1 - $15 each
  • Email passwords for $4 - $30 each
  • “Malware-as-a-Service” - some folks will host your malware for between $2.50 and $50 per week.

According to MessageLabs, you can get paid for infecting other people’s computers. In the US, you can get as much as $50 per 1,000 downloads.

Check out the video below. It’s a 10 minute excerpt (because 10 minutes is the maximum limit for a YouTube video) of a talk given last year by Lenny Zeltser. Zeltser is an incident handler at the SANS Internet Storm Center. He’s also a SANS faculty member, a member of their Board of Directors, and he leads a security consulting team at Savvis - so he knows what he’s talking about:

If this caught your interest, I would strongly recommend that you invest an hour and watch his complete presentation. You can find it on the Wolf’s Lair blog site. (Note: We have no affiliation whatsoever with the author of this blog, but we’d like to thank him for making these videos available!)

So…what can you do to protect yourself?

First of all, recognize that humans and their behavior are still the weakest links in the security chain, and the most sophisticated anti-malware software in the world can’t protect you against people doing dumb things. It is critical to educate your users. (Hint: Ask them to read this blog post.)

Second, if you’re still running Windows XP, you should be planning to migrate to Windows 7 as soon as you possibly can. Microsoft’s “User Account Control” really can help protect you against “zero-day” exploits and careless surfing. Yes, the implementation in Vista was annoyingly intrusive and heavy-handed. The implementation in Windows 7 is customizable at a more granular level. The point is that having a window pop up and ask, “Are you sure you really want to do this?” can be the difference between being compromised and not being compromised.

Third, find ways to lock down your users’ desktops. Yes, this will in some cases be politically difficult. But you really need to do it. In some cases, moving to thin clients on the desktop can help. You may also want to take a good look at XenDesktop 4, since a desktop OS that’s being provisioned from a common, read-only image is not as vulnerable as a traditional, locally-installed desktop.

Finally, understand the need for a layered approach to security. The threats to your organization are many and varied, and one point solution (like anti-virus software on the desktop) simply cannot protect you from all of them.

The Internet is a dangerous place, and we will, for the foreseeable future, be locked in an arms race between the people who write malware and the people who come up with defenses against it. Most of all, you need to stay informed about security issues. We’ll do our best to help you do that.

Edit 2/4/10: Just saw an article on that talks about this very subject. It’s worth a read.

Quick Tip For Your WatchGuard Service Renewal

As all IT professionals are aware, most hardware and software companies offer some type of support/maintenance renewal, WatchGuard Technologies is no different.

They offer a variety of subscription services with their WatchGuard XTM or Firebox X appliances. These services are either sold separately or as a bundle of services for one, two, or three year terms. Services available include:

  • SpamBlocker - with virus outbreak detection
  • WebBlocker - with HTTP and HTTPS inspection
  • Gateway AntiVirus - for signature-based protection from known threats
  • Intrusion Prevention Service - with comprehensive attack and spyware protection
  • LiveSecurity® Service - hardware replacement warranty, free software updates, 24/7 telephone support

For more information about what each service is please contact us here at

The main objective of this post is not about the services themselves but rather about the renewal process. Each WatchGuard system we sell comes bundled with LiveSecurity Service for the first year. Since customers who own multiple WatchGuard systems have often bought them at different times, and since it is possible to renew LiveSecurity for multiple years, it is often the case that a customer can have different WatchGuard units whose coverage expires at different times of the year. Some companies prefer to keep these renewals separate to spread out their renewal costs over the year while others prefer to have a single renewal date for all of their WatchGuard units.

When renewing a WatchGuard subscription, Moose Logic will place an order with WatchGuard and typically within 48 hours an email is sent to us as well as to the customer contact who was in charge of the renewal. That email will contain a license key for each renewal. The customer is responsible for logging in to their WatchGuard account and entering those license keys. This will result in the display of a feature key. At this point the customer needs to copy and paste that feature key into the actual WatchGuard unit, only then is the renewal complete - and the services the company has paid for will become available.

(Note that if you don’t have the time or skills to perform these tasks when you renew, Moose Logic will be happy to do it for you. Yes, we will bill you for our time - although if you are a MooseGuardTM Gold or Platinum customer, that work effort would be covered by your plan.)

Now there is a twist to this. If we change the date of the renewal (e.g., in order to synchronize renewal dates for multiple units) that change is implemented directly by WatchGuard, and NO LICENSE KEY WILL BE SENT TO YOU. Since no new license key is made available to the end user, no email is sent to remind you that you need to log into the WatchGuard online portal and retrieve the feature key to be copied and pasted on the physical unit.

So the important lessons of the day are:

  1. If you chose to synchronize your WatchGuard renewal dates it will take a little longer to get the renewal done (usually 4-5 business days) since someone at WatchGuard has to manually update your renewal dates, and
  2. It is important to mark your calendar so that you log in to your account after 4-5 days and see if the feature key is available.

If we’re handling the process for you (either because you’re a MooseGuard customer or because you’ve asked us to) it’s not an issue, because we know what the process is. But if you’re handling the renewal yourself…don’t just sit back and think that you’re done just because you’ve placed the renewal order. If the new feature key doesn’t get entered in your unit, the features you’re subscribing to are going to stop working - and that would be what we call, in technical terms, a “bad thing.”

Licensing Office in a Remote Desktop Environment

Judging from the questions we continue to be asked, lots of people are confused about how to license the Microsoft Office Suite if you are accessing it via Microsoft’s Remote Desktop Services (a.k.a. Terminal Services) and/or Citrix XenApp. Hopefully, this will clear up the confusion.

First of all, it is important to keep in mind that desktop applications such as the Office Suite are licensed per device, not per user. The following comes directly from the Microsoft “Product Use Rights” document dated January, 2010: “You must acquire a license for each device on or from which you access or use the software (locally or remotely over a network)…You may access copies of the software installed on a network device only from a device that has a license for the software.”

In other words, if you can walk up to a device and use it to interact with an Office application, you must have an Office license for that device. It doesn’t matter whether that device is a PC or laptop that has the Office bits installed on its local hard drive, or whether it is a thin client device that allows you to connect to a XenApp server, you need to have “assigned” a license to that device.

That begs the question of what “assigned” means, and the answer - particularly for devices like thin clients, where you couldn’t install the application locally if you wanted to - is that you are on the honor system. You decide, in the privacy of your own conscience, which licenses you are assigning to which devices - with the caveat that, if you’re ever audited, you’d better be able to produce a license for every device people are using to run Office apps. You can reassign a license from one device to another, but not more often than every 90 days.

But that’s not all. Quoting again from the Product Use Rights document: “The device you use to remotely access software must be licensed for the same or higher edition, but not a lesser edition.” That means that if you have Office Professional Plus installed on your XenApp server, you are not entitled to access it from a device that only has an Office Standard license assigned to it (because it’s a “lesser” edition); but you are entitled to access it from a device that has an Office Enterprise license assigned to it (because it’s a “higher” edition). Likewise, if you have Office 2007 installed on your XenApp server, you are not entitled to access it from a device that is only licensed for Office 2003 (or any other earlier edition).

You do not, never have had, and probably never will have the right to access Office on a XenApp server from a device that has an OEM Office license installed on it. If your PC or laptop came from the manufacturer with Office pre-installed on it, then you have an OEM license, and you do not have “network storage and use” rights. There is an excellent blog post over on the Microsoft SMB Community Blog that explains this in detail. Yes, it’s an old post (from July, 2005). No, the policy hasn’t changed.

Basically, it comes down to this: Why do people tend to purchase Office bundled with their new PC? Because it’s less expensive. Why is it less expensive? Because the license you’re buying contains fewer usage rights than more expensive licenses. You do not have the right to transfer that license to a different PC - it dies when the PC you bought it with dies. You typically do not have the right to downgrade it to an earlier version. And you don’t have the right to access the application over a network.

However, there is a way for you to obtain those rights if you buy an OEM license. Microsoft allows you to purchase Software Assurance for your OEM license within a 90-day window of acquiring the license. (It’s one of only two cases where you can purchase Software Assurance as a stand-alone purchase - the other case is when you’re renewing it.) Software Assurance will do a number of things for you:

  • It removes pretty much all of the OEM license limitations, e.g., you now have the right to transfer the license to a different PC, the license will survive the demise of the hardware, and you gain network use rights.
  • You get upgrade protection for the term of the Software Assurance coverage (two years if purchased on an Open Business agreement, three years if purchased on an Open Value agreement).
  • You gain “Home Use Rights.” For each Office license covered by Software Assurance, you have the right to designate one employee who can install Office on his/her home PC. (Which, by the way, would then give them the right to access Office on your XenApp server when they’re working from home.) These Home Use Rights evaporate if you allow your Software Assurance coverage to lapse. Also, the employee loses his/her right to run the software if they leave your employ.
  • You probably qualify for some e-learning benefits as well.

Bottom line: Volume Licensing is your friend. If you’re planning to deploy Office via Remote Desktop Services (with or without XenApp), the right thing to do is buy your Office licenses through a Microsoft Volume License agreement. In fact, last time I checked, you couldn’t even install Office on a Remote Desktop Server unless you were installing from Volume License media. If, for convenience, you want to buy OEM licenses with your new hardware, you should also budget for adding Software Assurance to those licenses, or you’re probably not going to be happy with the limited license rights.

One final item: The license terms for Volume License editions of Office include something called “Portable Use” rights. Quoting again from Microsoft: “You may install a copy on a portable device for use by the single primary user of the licensed device.” In other words, if you have purchased an Office license for Joe’s or Mary’s desktop PC, and Joe (or Mary) also has a laptop, you are entitled to install Office on that laptop (the “portable device”) without having to purchase an additional license. By extension, since that laptop is now legally licensed, it could then be used to remotely access the Office apps via XenApp from wherever Joe or Mary may happen to be.

Disclaimer: I do not work for Microsoft, nor do I define their license terms, which are subject to change, particularly when new product versions are released. I have, however, worked with them for a very long time, and had lots of discussions about what is, or is not, legal under the terms of various license models. The foregoing is my own interpretation of information that is publicly available on the Microsoft Web site - and I have helpfully provided you with links to that information. I highly recommend that, if you have any questions, you download the Product Use Rights document and read it for yourself.

XenDesktop Trade-Up Extended to XenApp Advanced

Citrix has announced that, effective immediately, the XenDesktop 4 trade-up offer has been extended to customers who have XenApp Advanced Edition. This is great news for those customers, because, under the terms of the original trade-up offer, XenApp Advanced customers would have had to first upgrade their XenApp licenses to XenApp Enterprise, and then do the trade-up.

The table below shows the pricing grid for the trade-up program, depending on which version of XenApp you currently own, which version of XenDesktop you want to trade up to, whether you’re trading up all of your XenApp licenses, and whether or not your Subscription Advantage is current (click on the graphic to view full-size):

XenDesktop 4 Trade-Up Pricing

Because the part numbers for the trade-up from XenApp Advanced have not yet been released, customers who want to take advantage of it will need to request a special quote. Two other points to remember:

  • If you trade-up 100% of your XenApp licenses, you get two XenDesktop licenses per XenApp license. Otherwise it’s one-for-one.
  • The trade-up offer runs through June 30, 2010. And as much as I hate to say this, that date will be here before you know it, so please don’t wait until the last minute!

The on-line trade-up calculator has been updated to include information for XenApp advanced.

Why You Need Good Backups

A few days ago, in the post entitled “Seven things you need to do to keep your data safe,” we were talking primarily about some simple things that individuals can do to protect their data, even if (or especially if) they’re not IT professionals. In this post, we’re talking to you, Mr. Small Business Owner.

You might think that it’s intuitively obvious why you would need good backups, but according to an HP White Paper I recently discovered (which you should definitely download and read), as many as 40% of Small and Medium Sized Businesses don’t back up their data at all.

The White Paper is entitled Impact on U.S. Small Business of Natural and Man-Made Disasters. What kinds of disasters are we talking about? The White Paper cites statistics from a presentation to the 2007 National Hurricane Conference in New Orleans by Robert P. Hartwig of the Insurance Information Institute. According to Hartwig, over the 20-year period of 1986 through 2005, catastrophic losses broke down like this:

  • Hurricanes and tropical storms - 47.5%
  • Tornado losses - 24.5%
  • Winter storms - 7.8%
  • Terrorism - 7.7%
  • Earthquakes and other geologic events - 6.7%
  • Wind/hail/flood - 2.8%
  • Fire - 2.3%
  • Civil disorders, water damage, and utility services disruption - less than 1%

If you’re in Moose Logic’s back yard here in the great State of Washington, you probably went down that list and told yourself, with a sigh of relief, that you didn’t have to worry about almost three-quarters of the disasters, because we typically don’t have to deal with hurricanes and tornadoes. But you might be surprised, as I was, to learn that we are nevertheless in the top twenty states in terms of the number of major disasters, with 40 disasters declared in the period of 1955 - 2007. We’re tied with West Virginia for 15th place.

Sometimes, disasters come at you from completely unexpected directions. Witness the “Great Chicago Flood” of 1992. Quoting from the White Paper:

In 1899 the city of Chicago started work on a series of interconnecting tunnels located approximately forty feet beneath street level. This series of tunnels ran below the Chicago River and underneath the Chicago business district, known as The Loop. The tunnels housed a series of railroad tracks that were used to haul coal and to remove ashes from the many office buildings in the downtown area. The underground system fell into disuse in the 1940’s and was officially abandoned in 1959 and the tunnels were largely forgotten until April 13th, 1992.

Rehabilitation work on the Kinzie Street bridge crossing the Chicago River required new pilings and a work crew apparently drove one of those pilings through the roof of one of those long abandoned tunnels. The water flooded the basements of Loop office buildings and retail stores and an underground shopping district. More than 250 million gallons of water quickly began flooding the basements and electrical controls of over 300 buildings throughout the downtown area. At its height, some buildings had 40 feet of water in their lower levels. Recovery efforts lasted for over four weeks and, according to the City of Chicago cost businesses and residents, an estimated $1.95 billion. Some buildings remained closed for weeks. In those buildings were hundreds of small and medium businesses suddenly cut off from their data and records and all that it took to conduct business. The underground flood of Chicago proved to be one of the worst business disasters ever.

Or how about the disaster that hit Tessco Technologies, outside of Baltimore, in October of 2002? A faulty fire hydrant outside its Hunt Valley data center failed, and “several hundred thousand gallons of water blasted through a concrete wall leaving the company’s primary data center under several feet of water and left some 1400 hard drives and 400 SAN disks soaking wet and caked with mud and debris.”

How could you have possibly seen those coming?

And as if these disasters aren’t bad enough, other studies show that as much as 50% of data loss is caused by user error - and we all have users!

One problem, of course, as we’ve observed before, is that it’s difficult to build an ROI justification around the bad thing that didn’t happen. Unforeseen disasters are, well, unforeseen. There’s no guarantee that the big investment you make in backup and disaster recovery planning is going to give you any return in the next 12 - 24 months. It’s only going to pay off if, God forbid, you actually have a disaster to recover from. So it’s no surprise that, when a business owner is faced with the choice between making that investment and making some other kind of business investment that will have a higher likelihood of a short-term payback (or perhaps taking that dream vacation that the spouse has been bugging you about for the last five years), the backup / disaster recovery expenditure drops, once again, to the bottom of the priority list.

One solution is to shift your perspective, and view the expense as insurance. Heck, if it helps you can even take out a lease to cover the cost - then you can pretend the lease payment is an insurance premium! You wouldn’t run your business without business liability insurance - because without it you could literally lose everything. You shouldn’t run your business without a solid backup and disaster-recovery plan, either, and for precisely the same reason.

Please. Download the HP White Paper, read it, then work through the following exercise:

  • List all of the things that you can imagine that would possibly have an impact on your business. I mean everything - from the obvious things like flood, fire, and earthquake, to less obvious things, like a police action that restricts access to the building your office is in, or the pandemic that everyone keeps telling us is just around the corner.
  • For each item on your list, make your best judgment call, on a scale of 1 to 3, of
    • How likely it is to happen, and
    • How severely it would affect your business if it did happen.

You now have the beginnings of a priority list. The items that you rated “3″ in both columns (meaning not likely to happen, and not likely to have a severe effect on your business even if they did) you can push to the bottom of the priority list. The items that you rated “1″ in both columns need to be addressed yesterday. The others fall somewhere in between, and you’re going to have to use your best judgment in how to prioritize them - but at least you now have some rationale behind your decisions.

The one thing you can’t afford to do is to keep putting it off. Hope is not a strategy, nor is it a DR plan.