New Microsoft Patch Strategy

Starting yesterday (October 11), Microsoft began rolling out a new way to patch Win7, Win 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 systems. Instead of releasing a bunch of individual updates, they will be pushing out monthly rollups, which will include all fixes from previous monthly rollups. Microsoft apparently feels that too many systems are vulnerable because people choose not to install specific patches, so, for consumers in particular, you will no longer be able to consume updates granularly.

Here’s the scoop on how this will work, taken from the Technet blog:

  • A security-only “quality update” will be released each month on the second Tuesday of the month (commonly known as “Patch Tuesday,” or, in Microsoft-speak, as “B week”). This will be a single update that contains all the new security fixes for that month. It will be pushed only to Windows Server Update Services (WSUS), where it can be consumed by other tools such as System Center Configuration Manager. It will show up in WSUS with the “Security Updates” classification, with the severity set to the severity of the highest-level component of the update.
  • A security monthly “quality rollup” will also be released on Patch Tuesday, which will contain all of the security fixes in the security-only update as well as the fixes from all previous monthly rollups. It will be pushed to WSUS, to the Windows Update Catalog, and to Windows Update, where all consumer PCs will pick it up for installation. Again, it will show up in WSUS with the “Security Updates” classification, with the severity set to the severity of the highest-level component of the update. If you’re using WSUS to distribute updates to your users, you can enable “express installation files,” which will ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed. If you’re picking up the rollup with Configuration Manager and pushing it on out that way, you don’t currently have that option – they’ll get the full rollup.
  • On the third Tuesday of the month (“C week”), Microsoft will release a rollup consisting of a preview of the new non-security fixes that will be included in the next monthly rollup, as well as everything from all previous monthly rollups. This will be published to WSUS as an optional update, as well as being made available via Windows Update and on the Windows Update catalog. This is so you can get a head start on testing the rollup before it’s released for real on the next Patch Tuesday – something that many enterprise shops will do, but probably next to zero consumers will do. Beginning early next year, and “continuing for several months,” Microsoft will start adding older fixes to the preview update. Eventually it will become “fully cumulative,” so that installing the latest monthly rollup will ensure that your PC is completely up to date.

The bottom line is that if you’re an enterprise organization that uses WSUS and/or Configuration Manager to distribute updates to your users, you still have some control over how things get rolled out. You can choose to deploy the security-only update, but you’ll get the whole thing – you won’t get to pick and choose between the fixes included in the update. If you later discover that you need a non-security fix, you’ll have to install the monthly rollup that includes that fix – again, you don’t get just the fix you want, you get the entire monthly rollup, whether you want it or not. Or, you can do what Microsoft recommends, and install the monthly rollup each month as it is released.

But, you ask, what if an update causes a problem? Well, first of all, Microsoft recommends that you use a “ringed” approach to deploying updates, where you deploy first within the IT organization (which presumably is better able to cope with machines that are no longer working properly), and then expand to one or two pilot groups before rolling the updates out to everyone. Of course, the longer you wait, the more vulnerable your users are to whatever exploits the security fixes are designed to patch, so, like so many other things in IT, designing a rollout strategy is as much an art as it is a science. Microsoft also has a Security Update Validation Program, which allows an organization to get even earlier access to the updates and help Microsoft test them. More information on this is available at

If you’re a consumer, good luck. You’re going to get the monthly rollup, and there’s not a whole lot you can do about it. The good news is that Windows will typically create a restore point before the installation of an update begins, so you probably have the ability to roll your system back to that restore point.

What’s Wrong with SMS Authentication?

Back at the end of July, quite a bit of media buzz was generated by reports that the NIST was recommending, in the draft of their new publication addressing digital authentication methods, that using SMS text messages as a second authentication factor was being “deprecated.” So…what exactly does that mean, and why shouldn’t it be used?

First of all, if you want to actually read what the draft says, you can find it in section here:

If you don’t want to plow through the actual verbiage of the draft standard, you can read Paul Grassi’s explanation on the NIST blog site instead. But the main takeaway is that “deprecated” does not equal “don’t ever use this under any circumstances.” A two-factor authentication approach using SMS is still way more secure than most single-factor authentication methods. It just may not be the best approach. Here’s why…

  • Some VoIP services (e.g., Skype or Google Voice) can deliver text messages without the need for possession of a physical device. In such a scenario, the classical definition of multi-factor – something you know (typically a password) + something you have (typically some kind of authentication token or smartcard) or something you are (some kind of biometric authenticator) – becomes just two different things you know (your primary password and the password you use to access the VoIP service). So right away you’re stretching the definition of multi-factor.
  • The next concern is that it is easier to intercept these kinds of communications than it is to track you down and physically steal your smartphone. So the draft standard states that if you’re going to use text messages, you must verify that the phone number you’re sending to actually corresponds to a physical telephone and not a VoIP line or other software-based device.
  • Some smartphones display a portion of an incoming SMS message without requiring you to unlock the phone. I personally have SMS authentication enabled on my Google account. But the SMS message is short enough that if I’m watching my phone when it comes in, I can pick up the passcode from the message preview without the need to unlock my phone. So if you did steal my phone, you wouldn’t have to bother cracking my unlock password. Still better than single-factor, but you see the problem.
  • As mobile devices proliferate, and more and more of us use them to access sensitive information like our bank accounts, more and more malware is being written that targets mobile devices. Given that trend, it’s questionable whether it’s a good idea to send a one-time authentication code to the same device that you’re using to access the site that’s sending you the one-time authentication code…because if your device has been compromised, then whoever compromised it may well be able to access your messaging app as well.

Again, all of that said, an SMS authentication approach is still better than single-factor, password-only authentication. Even better would be an authentication app on your smartphone that cannot be accessed without unlocking the smartphone and that uses an encrypted channel to communicate with the authentication service…such as ESET’s Secure Authentication app.

If you need help selecting or installing multi-factor authentication to protect your business assets, give us a call. Your security is important to us.

eFolder’s Anchor Can Also Help Fight Ransomware

We’ve written a lot about security in general and ransomware in particular, because our customers’ security is a major concern to us – and we hope your own organization’s security is a major concern to you as well – and because ransomware has proven to be a very difficult thing to guard against. We’ve written about tools such as CryptoPrevent and WinPatrol. We’ve talked about innovative approaches such as OpenDNS to try to block the "phone home" communication between malware and command & control servers. But once you’ve been infected and your files have been encrypted, you really have only one of two choices: either pay the ransom, or restore from a backup. The latter, of course, assumes that you have a recent backup, and that it’s in a location where the ransomware can’t encrypt it as well.

In the good old days, we could perhaps rely on "My Documents" redirection, and try to force all our users to store stuff on file server shares that could be administratively backed up. But we now live in a cloud-first, mobile-first world. We no longer have file servers in our office, and neither do many of our customers – all our corporate data is in the cloud. My business laptop is no longer joined to a domain – there is no server to which my "My Documents" folder can be redirected. And many of your mobile users, although they may still have domain-joined laptops, may also be mobile enough that they frequently create important documents that have to live on their mobile computing devices for several days before they reconnect with the network so you can copy those files to a file server. So how can you protect that data from a ransomware infection? Here’s how to protect it with the Anchor enterprise file sync & share tool.

There are three primary ways to use Anchor:

  1. File Sync & Share – Like most other products in this category, you can create a folder on your PC that is synchronized with your personal Anchor folder. You can also leverage this function to send large files by using the Anchor plugin for Outlook to simply send a recipient a link to download a large file instead of attaching the large file to a mail message.
  2. Team Shares – You can create Team Share folders, and control which individuals have rights to those folders. Optionally, you can use the "File Server Enablement" feature to populate a Team Share folder from a folder on an on-prem file server, and keep them synchronized with each other.
  3. User Backups – Users who have personal Anchor folders can also use the Anchor agent to back up specific folders on their PCs…not just the special Anchor sync folder. I use this function myself – there are two folders on my laptop that I use for storing all of my business-related documents. They are both backed up to the Anchor cloud. The last time I got a new laptop, all I needed to do was install the Anchor agent, restore those two folders, and I was back in business.

In all three of these cases, Anchor maintains a revision history of files as they are changed. By default, past revisions are retained until they are either manually deleted or automatically deleted by organization policy, e.g., you can set a limit for the number of days prior revisions will be retained.

Let’s assume that I am unlucky enough to get nailed with a ransomware infection that not only encrypts my local hard drive, it also ends up corrupting my Anchor files, because the encrypted versions of all my files will be faithfully replicated up to the Anchor repository. But – Anchor still has the prior revisions of those files from before they were encrypted. So, worst case, I reformat my PC, reinstall Windows, go to my Anchor Web interface, and roll back my files to the revision just before the ransomware infection. I can restore that to my PC, and I’m once again back in business.

In the newly-released v2.5.2 version of Anchor, an administrator can also manually create a snapshot of a user’s files or of a Team Share – either for safekeeping, or for restoration purposes. It can be a full snapshot, or it can be a snapshot of everything prior to a specified point in time. So, once again, if a Team Share has become corrupted, the administrator can create a new Team Share that is a snapshot of the old one just prior to the point at which the corruption occurred.

So you can protect those mobile users – as well as those users who just can’t seem to remember to save things on the "H:" drive (or whatever your network home drive is) – by setting up Anchor synchronization and sleep better at night, assured that the data is being backed up to the Anchor cloud whenever they’re attached to the Internet. Automatically – no additional user intervention required.

ESET Adds Data Leakage Protection

ESET recently announced the addition of Safetica Data Loss Prevention (“DLP”) products to its Technology Partner Alliance. These are tools that are designed to prevent the accidental – or intentional – transmission or leakage of sensitive data outside the enterprise network. If you’re concerned about protecting your organization’s sensitive data, you’re not alone – Gartner predicts that almost $800 million will be spent on DLP technology in 2016, and that demand will grow by roughly 10% per year over the next three years.

DLP can be a difficult matter to address, because data leakage can happen in many different ways. Some security vendors attempt to address it at the network boundary – either at the firewall, or in a separate appliance alongside the firewall – by looking for keywords or data patterns in email or file attachments that are being sent to external destinations. E.g., a string of numbers in the format xxx-xx-xxxx is likely to be a Social Security number, a string of numbers in the format xxxx-xxxx-xxxx-xxxx is likely to be a credit card number, etc. But that doesn’t block all leakage vectors, particularly if an employee is determined to steal company data.
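As an added illustration (not code from the original post or from any vendor named here) of the pattern matching a boundary filter performs, the following scans a message for the two formats just mentioned, then uses a Luhn check and the SSA's structural rules to discard look-alike reference numbers before redacting what remains. The sample message and every number in it are constructed.

```python
import re
from typing import List, Tuple

# The two formats from the post: xxx-xx-xxxx (SSN-like) and xxxx-xxxx-xxxx-xxxx (card-like).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(\d{4})-(\d{4})-(\d{4})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area never 000, 666 or 9xx; group never 00; serial never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_for_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) findings a boundary DLP filter would flag."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok("".join(m.groups())):
            findings.append(("card", m.group(0)))
    return findings


def redact(text: str) -> str:
    """Mask flagged values (keeping the last four digits) so the message can still be delivered."""
    out = text
    for _kind, value in scan_for_sensitive(text):
        out = out.replace(value, "*" * (len(value) - 4) + value[-4:])
    return out


# Constructed sample message; all numbers are made up for the demo.
SAMPLE = (
    "Please process payroll for SSN 219-09-9999 and bill card 4111-1111-1111-1111. "
    "Ticket 000-12-3456 and order 1234-5678-9012-3456 are internal reference numbers."
)

if __name__ == "__main__":
    for kind, value in scan_for_sensitive(SAMPLE):
        print(kind, value)
    print(redact(SAMPLE))
```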

Most of the news stories these days are about data loss from malicious actors outside of an organization who have somehow gained access to sensitive data. But studies have indicated that almost 80% of businesses have had some kind of internal data leak. 60% of employees do not consider downloading an employer’s sensitive data to be an issue. 50% of employees take away internal data when leaving an organization, and 40% plan to offer this data to their new employer. So how do you protect against that?

You can create policies that prevent users from writing data to USB devices, but then you’re impacting the many legitimate uses for USB devices. You can also create policies that disable the Windows built-in CD/DVD burning functionality…but that won’t prevent users from using third-party software to burn them, unless you lock the workstations down so that third-party software can’t be installed. And again, as you probably know from experience, the more restrictions you put on user functionality, the more push-back you get from users who complain that the restrictions are hurting their productivity.

And there’s always the danger posed by a lost or stolen laptop or USB drive.

Safetica addresses these issues at the endpoint, where the action happens. This endpoint agent, managed from a central console, covers all major data leak channels: you can restrict clipboard copy, email attachments, file sharing services, USB device copy, CD/DVD copy, and printing – including printing to virtual devices such as printing to a PDF file. You can track exactly who accessed what information when. You can restrict access to non-business-related Web sites. You can ensure that drives on portable computers are encrypted. You can get real-time alerts of suspicious activities. And you can generate management reports that give you granular visibility of what your employees are actually doing.

Here’s a four-minute video overview of how Safetica can help protect your company’s data:

Change the Danged Passwords!

Have you heard about Shodan? It’s the search engine for the “Internet of Things,” and it is simultaneously fascinating and terrifying. It was spotlighted in an article on Ars Technica a few months back which focused specifically on the number of unsecured Webcams the search engine has found – the latest count of Webcams in the U.S. from which Shodan has captured a screenshot is 101.

But that’s not all. You can search for industrial control systems, and drill down within the results to see the specific devices that run a particular manufacturer’s communication protocol. You can search for printers, refrigerators, TVs, wind farms, Minecraft servers, and wireless access points. You can search for devices that are running the VNC remote access protocol with authentication disabled. You can search for Roku video streaming devices that are directly on the Internet (2,113 in the United States at last count, and they don’t have any authentication on their API). You can discover that there are currently 8,760 LaserJet printers in the U.S. that are directly exposed to the Internet, and you can see their IP addresses and often a rough idea of where they’re located. In short, Shodan is a search engine that crawls the Web looking for devices that are directly connected to the Internet, not for information contained in Web pages.

So what’s the big deal? The big deal is that many of these devices either don’t require any authentication, or their default admin credentials have never been changed…and it isn’t difficult to discover default admin credentials – just about every manufacturer has user documentation online that will tell you what they are. Now, having someone remotely reboot your Roku device while you’re in the middle of your favorite Netflix series may be annoying, but not particularly damaging. It’s a little scarier to think of someone being able to access a Webcam in your child’s bedroom or perhaps an external security camera at your home or business. But the stakes are even higher for other kinds of devices.

Universities are notorious for having printers that are directly exposed to the Internet. They account for a large percentage of those 8,760 LaserJets in the U.S. referenced above. Many universities have IP addresses to burn – they were assigned large blocks of addresses many years ago – so they assign them to printers and just NAT the traffic through their firewalls so faculty members can send print jobs to them when they’re working from home. Unfortunately, if there’s no security, anyone else can send print jobs to them as well. Earlier this year, a white supremacist sent anti-Semitic fliers to networked printers at several universities in California, Illinois, Massachusetts, Maryland, and New Jersey, including Princeton, DePaul, and Berkeley. Apparently the lesson wasn’t learned, because just last month there was another report of offensive flyers showing up on printers at UC Santa Cruz.

In July of 2015, a pair of hackers demonstrated to Wired Magazine that they could not only remotely mess with the air conditioning, radio, and windshield wipers of a 2014 Jeep Cherokee, they could completely disable it while it was driving down the freeway. Now, a year later, they’ve announced that they’ve found ways to disable the steering, and even digitally turn the wheel themselves. To their credit, Chrysler has moved to tighten up security, and has launched a “bug bounty” program that offers as much as $2,500 to hackers who inform the company about vulnerabilities in their vehicles. But as more and more functions in more and more cars are being computerized, there’s a lot at stake here. The thought of a bad actor taking over a self-driving vehicle is the stuff of nightmares.

And we’ll leave it to you to imagine the havoc that could be caused by a breach in a critical industrial control system.

As more and more devices get connected to the Internet of Things – smart TVs, refrigerators, thermostats, lighting systems, home security systems, etc. – the security risks will increase substantially if we’re not very, very careful about how systems are implemented. Some issues rest squarely on the manufacturers themselves – to write secure code and patch security flaws as they’re discovered, and to ensure that there is a reasonable level of authentication required for administrative access. But one of the most important things we can do is also one of the easiest: change the danged default passwords on your Internet-connected devices. And then help your family and friends do the same thing.

Beware of .DOCM File Attachments

In a blog post dated August 17, FireEye is reporting a huge increase in “Locky” ransomware distribution via maliciously-crafted .DOCM email file attachments (macro-enabled Word files). The health care industry seems to be the hardest-hit in this campaign, and the U.S. and Japan top the list of affected countries.

The takeaway here is to be extra careful about opening email attachments. And, if you still have the “hide extensions for known file types” option enabled on your Windows systems, for heaven’s sake, disable it! Then, if someone sends you a .DOCM file attachment, at least you’ll recognize it!
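Since the extension is the only visible difference between a .DOCX and a macro-enabled .DOCM, a mail filter should look inside the attachment rather than trust its name. This added example (not code from the original post or from FireEye) opens an OOXML Word attachment and reports whether it carries the VBA part or the macro-enabled content type; the sample packages it builds are constructed stand-ins, not real documents.

```python
import io
import zipfile
from typing import Dict

MACRO_PART = "word/vbaProject.bin"   # where Word stores VBA inside an OOXML package
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_word_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Look inside an OOXML Word attachment and report whether it carries VBA macros,
    independent of whatever extension the sender gave it."""
    result = {"filename": filename, "is_ooxml": False, "has_vba": False,
              "macro_enabled_type": False, "extension_mismatch": False}
    if not data.startswith(b"PK\x03\x04"):      # OOXML is a ZIP container
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["has_vba"] = MACRO_PART in names
            if result["is_ooxml"]:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_enabled_type"] = MACRO_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return result
    ext = filename.lower().rsplit(".", 1)[-1]
    # Macros inside a file named .docx is exactly what "hide extensions" lets slip past a glance.
    result["extension_mismatch"] = bool(result["has_vba"] and ext != "docm")
    return result


def should_quarantine(report: Dict[str, object]) -> bool:
    """Hold anything that carries VBA or declares itself macro-enabled for review."""
    return bool(report["has_vba"] or report["macro_enabled_type"])


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like package for the demo (not a real Word document)."""
    buf = io.BytesIO()
    main_type = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(MACRO_PART, b"placeholder VBA project blob")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_word_attachment("invoice.docx", build_sample(True))
    print(report, "-> quarantine" if should_quarantine(report) else "-> deliver")
```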

Finally, consider the OpenDNS service we wrote about in our recent blog post entitled "Beating Malware by Disrupting Command & Control."

ESET Introduces Hardware-Encrypted USB Drive


It seems that data security is a never-ending battle, and it has become obvious that we need multiple layers of protection to deal with the proliferation and constant evolution of security threats. Today’s security topic is the ubiquitous USB “thumb drive.”

USB drives are a really convenient way to transport and share data. Unfortunately, they also represent a really easy way to lose sensitive data, and can act as an infection vector to spread malware from one computer to another. Now, ESET® and Kingston® have teamed up to address this security hole.

Introducing the Kingston DataTraveler® Vault Privacy 3.0 with DriveSecurity™ anti-virus powered by ESET. It’s a USB 3.0 drive with built-in 256-bit AES hardware-based encryption to safeguard your data, plus a pre-paid 5-year subscription to ESET’s DriveSecurity anti-virus protection, which is pre-installed and pre-activated to ensure that malware doesn’t infect the drive. It’s available in capacities of 4 GB, 8 GB, 16 GB, 32 GB, and 64 GB, with prices as low as $39.99 for a single 4 GB drive.

The drives are customizable to meet specific corporate requirements, such as minimum password length and the number of incorrect password attempts allowed before the drive locks down and reformats itself. They can also be co-branded and serialized for businesses who purchase multiple drives.

Contact us today for more information.

Beating Malware by Disrupting Command and Control


One of the key strategies in modern warfare is disrupting the enemy’s command & control infrastructure. It can also be an effective strategy in the ongoing war against malware. One of the first things that usually happens when a PC is infected with malware is that the malware “phones home” to a command & control server to check in and get further instructions – which may be to take some specific action such as downloading additional malware or encrypting all the files on your computer, or to simply go to sleep until further notice. If we can prevent that communication from taking place, we have a shot at stopping the infection in its tracks. But how can we do that?

Nearly every communication transaction that takes place across the Internet involves, at some point, a DNS query. For the non-technical in the audience, DNS, which stands for “Domain Name System,” is the naming system that matches names, like “,” to IP addresses, like, which the routers in the Internet need to know in order to properly route the traffic. Part of the network configuration of your computer, and every other computer that’s connected to the Internet, is a setting that tells the computer where it should send its DNS queries. Corporate networks will generally have one or more DNS servers as part of the network. Individual home users, in most cases, simply use a DNS server provided by their Internet Service Provider. When you, dear reader, typed “” into your browser, or clicked on some other link that brought you here, your computer sent a DNS query to a DNS server. If that DNS server didn’t know what IP address corresponded to this Web site, it forwarded the request on to another server in the hierarchy of DNS servers, until ultimately, several fractions of a second later, the answer came back that if you want to talk to, you need to send your data packets to

The communication between a piece of malware and a command & control server also, nearly always, involves a DNS query. Moreover, if one of your employees clicks on a link in a “phishing” email message that leads to a malicious destination, it will nearly always generate a DNS query. And if someone is tricked into clicking on a “malvertising” link (which have now, believe it or not, surpassed porn sites as a malware infection vector), it will nearly always generate a DNS query.

You’re probably way ahead of me by now, and thinking, “Wait a minute, if we can block those DNS queries, we can prevent the infections from taking place, or, if the initial infection has already taken place, we have a chance of stopping it in its tracks.” And that’s exactly what the OpenDNS service is all about.

OpenDNS, which is now a part of Cisco, maintains a global network of DNS servers that process over 80 billion DNS queries every day. Using a variety of innovative techniques, they maintain a database of malicious destinations. By simply directing DNS queries to OpenDNS, we can block as much as 70% – 80% of the attempts to contact malicious destinations. And while we’re at it, we can create policies that will also block traffic to sites with objectionable content (e.g., porn, violence, racism, etc.), and give businesses a dashboard that will reveal exactly where their users are going (or attempting to go) on the Internet. There is also a roaming client for Windows, Mac OS X devices, and iOS mobile devices that will protect them when they’re not attached to the corporate network.
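To show the mechanism a DNS-based blocking service relies on, here is an added example (not code from the original post or from OpenDNS/Cisco) of a resolver-side check: it parses an incoming query, matches the name and its parent domains against a blocklist, and answers blocked names locally with a sinkhole address so the client never learns the real IP. The blocklist domains and the client query are constructed for the demo.

```python
import struct
from typing import Optional, Tuple

# Constructed blocklist standing in for a resolver's threat database.
BLOCKED_DOMAINS = {"c2.example.net", "malvertising-cdn.example.org"}
SINKHOLE_IP = "0.0.0.0"


def parse_qname(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode the label sequence of the question name; returns (name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet: bytes) -> Tuple[int, int, str, int, int, int]:
    """Return (id, flags, qname, qtype, qclass, question_end) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return qid, flags, qname.lower(), qtype, qclass, off + 4


def is_blocked(qname: str) -> bool:
    """Match the name itself or any parent domain against the blocklist."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


def build_sinkhole_response(packet: bytes) -> Optional[bytes]:
    """If the query names a blocked domain, answer it locally (A/IN gets the sinkhole
    address, anything else an empty answer); otherwise return None so the caller
    forwards the query upstream as a normal resolver would."""
    qid, flags, qname, qtype, qclass, qend = parse_query(packet)
    if not is_blocked(qname):
        return None
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080   # QR=1, copy RD, RA=1, RCODE=0
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", qid, resp_flags, 1, 0, 0, 0) + packet[12:qend]
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, 1, 0, 0)
    answer = (b"\xc0\x0c"                              # pointer back to the question name
              + struct.pack("!HHIH", 1, 1, 60, 4)      # TYPE A, CLASS IN, TTL 60, RDLENGTH 4
              + bytes(int(o) for o in SINKHOLE_IP.split(".")))
    return header + packet[12:qend] + answer


def build_query(qname: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed client query (RD set) used for the demo."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for host in ("beacon.c2.example.net", "www.example.com"):
        reply = build_sinkhole_response(build_query(host))
        print(host, "-> sinkholed" if reply else "-> forward upstream")
```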

The OpenDNS subscription service is surprisingly affordable – particularly when you compare it to the cost of recovering from a malware attack. Contact VirtualQube for more information on putting this tool to work as part of your security strategy.


Are you safe and secure in the cloud?

Six Ways Cloud Can Increase Your Risk

Every day, more businesses are looking to the cloud because it delivers cost-effective productivity, collaboration, efficiency and more. But, even as its popularity continues to grow, the Cloud Security Alliance warns that businesses that embrace the cloud without fully understanding the environment and its associated risks are more likely to encounter a myriad of commercial, financial, technical, legal and compliance risks.



Do You Have Peace of Mind That Your IT is Safe & Sound?

Imagine a world where your technology didn’t cause headaches, required updates didn’t interrupt your business, and downtime was a word you’ve never heard of, let alone experienced. This may sound like a fantasy but a reliable managed service provider can make it a reality.
