Your Mac will not boot after an update.

Most updates to the Mac operating system are trouble-free. However, a number of clients have recently contacted us about a “blank screen and cursor” problem after installing an update to macOS Sierra. On rebooting, their iMac or MacBook shows nothing but a cursor on a blank screen. Not a sight you want to see when you just want to get some work done. The problem appears to be caused by a login window preference file (a “plist”) and an Apple upgrade marker file becoming corrupt. Apple has not yet released a fix for this issue, nor documented it in its knowledge base, but the workaround below is quick to apply.

1) Start your MacBook or iMac while holding the “Command” and “S” keys simultaneously.
2) After a minute or two you will be presented with a command line terminal screen. (This is a black screen where you can input commands)
3) Type the following commands in sequence, pressing Enter after each one. The first command checks and repairs the startup volume (if it reports that the file system was modified, run it again until it reports that the volume appears to be OK); the second remounts the volume read-write so that the two files can be removed.

/sbin/fsck -fy
/sbin/mount -uw /
rm -f /Library/Preferences/com.apple.loginwindow.plist
rm -f /var/db/.AppleUpgrade
reboot

After the last command your MacBook or iMac should reboot normally and you should be back in business! The removed plist only holds login window settings and is recreated automatically, so none of your own data is affected.

RealClear @ 44Con London and Advanced Persistent Threats

Last month RealClear IT Support attended the 44Con IT security conference in London. There were lots of interesting talks given, including those on threat intelligence, network security, application security, operating system attacks and hardware hacks.

But one of the consistent themes of the conference, and one of the things keeping CIOs awake at night, is the Advanced Persistent Threat. APTs are targeted, persistent, multi-phased and sophisticated attacks that operate stealthily inside a modern network. Their ultimate goal is to exfiltrate data from a business or organisation back to the attackers’ “command and control” servers. This might sound like something from The X-Files, but APTs are a reality in today’s threat landscape, and with only traditional security defences in place they can go unnoticed in your network for years.

One of the first high-profile APT campaigns was discovered in 1998, when a computer technician at an American company, ATI Corp, identified a remote access connection from their network to a US Air Force base. The RAT (remote access Trojan) was activated every morning at 3am. The technician reported his findings to law enforcement, and a specialised team of military and information security specialists from the US government was mustered. After months of investigation, “Operation Moonlight Maze” found that several businesses and universities were being used extensively as proxies for the attacks: RAT connections relayed through local businesses and universities look far less suspicious than connections arriving directly from Russia or China. The attackers used Telnet and FTP to exfiltrate thousands of classified documents from US military sources.

Since then, several other high-profile APTs have been discovered, including those that hit RSA (ironically, a computer security company) and the New York Times. In 2011 RSA, a leading provider of two-factor authentication tokens to banks, finance and healthcare organisations, was compromised by an APT. As with Moonlight Maze, FTP was used to exfiltrate files relating to its SecurID system.

The New York Times was attacked by an APT in 2012, when its journalists began investigating the relatives of Wen Jiabao, the then Chinese premier. The intrusion went unnoticed for months. The corporate passwords of every journalist were stolen and at least 45 pieces of custom malware were installed. The Symantec endpoint security software the company used to protect its PCs identified only one of them (which it quarantined).

Vectors of attack

One worrying aspect of APTs is the simplicity of their initial attack vector. The RSA breach, for example, was traced back to a single phishing email sent to a member of staff. It carried an Excel spreadsheet that was completely blank except for an “X” in one cell. Out of curiosity the employee clicked on it, and nothing appeared to happen. Unbeknownst to them, or to the firm’s security team, the spreadsheet embedded a Flash object that exploited a then-unpatched (zero-day) Flash Player vulnerability and installed the “Poison Ivy” remote access Trojan, which connected to the attackers’ command-and-control server and surreptitiously downloaded further payloads. This seemingly innocuous click gave the attackers the keys to the kingdom: the compromised PC became the launch pad for attacks across RSA’s own network.

There are several other examples of APTs entering through a seemingly small vulnerability. The “Duqu” malware, discovered in September 2011, used a TrueType font parsing vulnerability triggered by a Microsoft Word document as its initial attack vector. The installed malware connects to the attackers’ command and control servers over TCP ports 80 and 443 using a custom protocol; for port 80 traffic, Duqu hides data steganographically by appending it to JPEG files, and it protects the data captured by its keylogger with simple XOR encryption.

“Flame”, discovered in 2012, is another piece of malware used in APT attacks. It spreads via USB devices and by impersonating the Windows Update service (a strategy the NSA has also been reported to use). Despite weighing in at around 20MB, enormous for malware, it evaded detection for a long time. It can take screenshots, intercept email and switch on a PC’s microphone, and it communicates with its command and control servers over HTTP, HTTPS and SSH. Using such prosaic protocols makes it easy to slip under the radar of even sophisticated firewalls.

Or consider “Red October”, which also steals information from mobile devices, including iPhones, and from network equipment, where it brute-forces SNMP credentials. Once installed it collects data through plugins for Microsoft Office and Adobe Reader, and it evades detection by obfuscating its main executable with XOR encryption. Its initial infection relies on booby-trapped Word and Excel documents delivered by phishing.

Implications for your business

Most of these attacks did not use highly sophisticated techniques to get in. They relied on what could be described as “everyday software” coupled with social engineering (phishing). In your business environment there are some simple steps you can take to counter such threats.

Office and Adobe PDF documents should be opened with extreme prudence. Users should be trained to spot anomalous emails and attachments and to know how to handle them securely.

You should be using a recent version of Microsoft Office for maximum protection. Office 2010 and later include “Protected View”, which opens documents from untrusted sources in a read-only sandbox so that embedded content cannot run until you explicitly enable editing. Alternatively, you could use the free LibreOffice suite, although it does not suit every business environment.

Antivirus products alone cannot be relied upon: most still depend on signature-based scanning, which cannot detect malware that has never been seen before, including exploits for zero-day vulnerabilities. In the New York Times case, 44 of the 45 pieces of malware went undetected by the company’s Symantec endpoint security software. Ancillary software such as Java and Flash Player should always be kept up to date, or removed altogether where it is not needed.

All your operating systems should be fully patched and up to date. This includes Mac users (many of whom still believe that “only Windows users get viruses”). Be suspicious of update prompts that appear out of the blue, especially in a web browser; genuine updates arrive through the operating system’s own update mechanism. You can update manually or, to automate it a little, use software such as Personal Software Inspector from Flexera Software (Windows), which also checks third-party applications for missing patches.

A stateful application-layer firewall should be used. Because it parses the protocols it allows, it can detect connections to unfamiliar servers and drop traffic that merely borrows a well-known port: Duqu’s custom protocol on port 80 is not HTTP and would fail such a check. One caveat: encrypted traffic that the firewall cannot decode (HTTPS, SSH) is opaque to it, so it should either be restricted to approved destinations or decrypted for inspection via a proxy, and the firewall should at least verify that what claims to be TLS on port 443 really is TLS.
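The protocol-conformance check described above is simple to express. What follows is an added example, not part of the original post and not the logic of any named firewall product: it looks at the first client payload of a flow and asks whether it has the shape the destination port implies (an HTTP request line on port 80, a TLS ClientHello on port 443). The sample flows are constructed; the binary blob stands in for the kind of non-HTTP traffic Duqu sent to port 80.

```python
"""Flag traffic on a well-known port that does not speak that port's protocol.

Added example, not part of the original post and not the logic of any named
firewall product. The sample flows are constructed; the "custom protocol" blob
stands in for non-HTTP traffic sent to port 80.
"""
import re

# Request-line shape from RFC 7230: METHOD SP request-target SP HTTP/1.x CRLF
_HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")


def looks_like_http_request(payload: bytes) -> bool:
    """True if the payload starts with a syntactically valid HTTP/1.x request line."""
    return _HTTP_REQUEST_LINE.match(payload[:512]) is not None


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x01..0x03, then handshake type 0x01."""
    if len(payload) < 6:
        return False
    record_type, ver_major, ver_minor, handshake_type = payload[0], payload[1], payload[2], payload[5]
    return (record_type == 0x16 and ver_major == 0x03
            and ver_minor in (0x01, 0x02, 0x03) and handshake_type == 0x01)


# Which check applies to which destination port; extend as policy requires.
EXPECTED = {80: looks_like_http_request, 443: looks_like_tls_client_hello}


def classify_first_packet(dst_port: int, payload: bytes) -> str:
    """Return 'conformant', 'mismatch' or 'unknown-port' for the first client payload of a flow."""
    check = EXPECTED.get(dst_port)
    if check is None:
        return "unknown-port"
    return "conformant" if check(payload) else "mismatch"


# Constructed flows: (dst_port, first client payload, description)
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "normal web request"),
    (443, bytes.fromhex("160301003a010000360303") + b"\x00" * 50, "TLS 1.2 ClientHello header"),
    (80, bytes.fromhex("0a7f3c01deadbeef00000010") + b"\x81" * 20, "custom binary protocol on port 80"),
    (80, b"\x16\x03\x01\x00\x05\x01", "TLS handshake on port 80"),
]


def find_mismatches(flows=SAMPLE_FLOWS) -> list:
    """Descriptions of the flows whose first payload does not match the port's protocol."""
    return [desc for port, payload, desc in flows if classify_first_packet(port, payload) == "mismatch"]


if __name__ == "__main__":
    for port, payload, desc in SAMPLE_FLOWS:
        print(f"{port:>4} {classify_first_packet(port, payload):<12} {desc}")
```

The check only sees the opening bytes, which is exactly the limitation noted in the paragraph: once a flow is genuinely TLS, nothing further inside it can be judged without decrypting it, so the conformance test should be paired with a destination allow-list or a decrypting proxy.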

A host-based intrusion detection system (HIDS) will be much more effective than anti-virus at detecting the more sinister threats. A HIDS can perform log analysis, Windows registry monitoring and rootkit detection, and it is far more likely to notice a malicious process being spawned or injected from an Office document.

There is no magic bullet for IT security, but having a layered approach greatly enhances your security and reduces the risk of your systems being compromised.

Concerned about IT security? You can contact RealClear IT support in Dublin on 01 – 685 4833. Fast remote IT support nationwide. On-site IT support for the Dublin area. Practical and no-nonsense advice.

10 essential things to remember about data backup


It has been said ad infinitum on this blog that data backup is one of the most important IT tasks you will ever perform in your business. Servers, desktops, laptops and tablets are all replaceable. Your data is not. But we keep seeing the same fundamental backup mistakes again and again. These leave your business wide open to data loss.

So, let’s get down to the brass tacks and look at some mindsets, assumptions and scenarios which lead to data loss.

1. The “I don’t have time to back up” mindset held by some SME owners is short-sighted. If you think backing up takes too much time, wait until you see how long it takes to recover from a catastrophic disk failure or a ransomware attack. A properly configured backup system should take up none of your time: it runs automatically in the background with minimal human intervention.

2. “We’re using mostly new computers here, we don’t need to back up.” Having the newest and shiniest IT equipment does not exempt you from backing up. Hard drive failure follows what is known as the “bathtub curve”: the probability of failure is elevated in the first 12 months of a disk’s life, falls, and then rises again as the disk ages. Moreover, cryptographic ransomware does not care how new your equipment is.

3. “Our IT support guy said all the data was being backed up to that box over there.” We have been hearing this old chestnut for years. When you check the timestamps of the backups on “that box over there” (normally a server, NAS or external hard drive) you sometimes find the most recent backup is months old. The only thing the box was amassing was cobwebs.

4. The same phenomenon happens with Cloud backup. Some SME owners say “our data is being backed up to the Cloud” as if some divine intervention were spiriting their data safely into the clouds. Your backups need to be verified, no matter how reputable you think your Cloud backup service is. And on the subject of Cloud backup, it is good practice on some idle Friday afternoon to perform a mock restoration: restore a sample of the data to a scratch location and compare it, file by file, with the originals. We have heard several horror stories of SMEs restoring from Cloud backup services only to find all their data corrupted.

5. Some SME owners in Dublin are still performing only local (i.e. not off-site) backups. Dublin might not get tornadoes or severe lightning strikes, but the risk of fire, burst pipes, flooding, sabotage, theft and ransomware is ever present, and every one of those can take the local backup along with the originals.

6. With the multiplicity of devices that hold data (smartphones, tablets, desktops, laptops, external drives and USB memory keys) data sprawl sets in, and many offices end up with a hodge-podge of different data sets. This is why your data needs to be categorised, prioritised and centralised.

7. Once your data is categorised, your backup plan should back everything up from a central file server (hosted or local). Some SME owners (and some IT admins, alas) make the mistake of backing up each system to its own direct-attached storage device (such as a USB external drive), and those devices are then used to back up other systems as well. The result is a messy data sprawl that makes reliable off-site backup harder and restoration slower.

8. Some backup software vendors make a virtue of how comprehensive their products are; the software might offer a hundred different ways to back up. Complexity does not make backup software better or more reliable, it just raises the risk of human error. Complex backup software is anathema to good backup practice simply because users hate software that is designed like a tax form. Simple, easy-to-use backup software trumps complex software any day, and Apple’s Time Machine is a classic example. When software becomes too complex to use, some users stop using it and fall back on drag-and-drop “backups” to a USB memory stick… argh.

9. Encryption-based ransomware has been a real game-changer for backup system design. Some recent variants propagate extremely quickly across a network from a single infected Mac or Windows system, and they will happily encrypt any backup drive or share they can reach. Good backup systems are designed with this in mind: they keep multiple versions of each file, so you can roll back to the copy from before the infection, and they isolate the backup set from the machines being backed up (offline media, or storage the clients cannot write to directly), so that an infected PC cannot destroy its own backups.

10. Finally, it is important to remember that every IT set-up is constantly changing. Employees leave and new employees arrive. Hardware gets changed. Software gets changed. A good backup system should be flexible enough to be easily re-configured to allow for such changes.
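Points 4 and 9 both come down to the same discipline: prove the restore works before you need it. Here is an added example of the mock-restoration check, not part of the original post and not tied to any backup product. It hashes every file in the live data set into a manifest, and after restoring into a scratch directory compares the restored tree against that manifest, reporting files that are missing, changed or unexpected. The sample data and the “corrupted restore” are constructed inside the demo function.

```python
"""Verify a restored backup against a SHA-256 manifest of the originals.

Added example, not part of the original post and not tied to any backup
product. The manifest should be written at backup time and kept somewhere the
backed-up machines cannot modify; otherwise ransomware that encrypts the data
can encrypt (or replace) the manifest too.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest.

    Returns {"missing": [...], "changed": [...], "extra": [...]}; all three
    empty means every original file came back byte-for-byte identical.
    """
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "changed": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def restore_is_good(result: dict) -> bool:
    return not any(result.values())


def write_manifest(manifest: dict, path) -> None:
    """Store the manifest in sha256sum-compatible form ("<digest>  <path>") for checking elsewhere."""
    with open(path, "w", encoding="utf-8") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")


def mock_restore_demo() -> dict:
    """Constructed scenario: one restored file is corrupted and a stray file is present."""
    files = {
        "accounts/2016-q1.csv": "invoice,amount\n1001,250.00\n",
        "letters/client-a.txt": "Dear client A,\n",
    }
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as restored:
        live, restored = Path(live), Path(restored)
        for rel, text in files.items():
            for root in (live, restored):          # "restore" starts out as a perfect copy
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(text, encoding="utf-8")
        manifest = build_manifest(live)           # taken from the live data at backup time
        (restored / "letters/client-a.txt").write_text("Dear client A, (truncated restore)\n", encoding="utf-8")
        (restored / "thumbs.db").write_bytes(b"\x00")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    outcome = mock_restore_demo()
    print("restore OK" if restore_is_good(outcome) else f"restore FAILED: {outcome}")
```

Run the manifest step against the live data on the day of the backup and the verify step against the scratch restore; the point is that “the job said it succeeded” is replaced by a list of files that are provably identical, and the check is cheap enough to repeat monthly.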

Don’t have nightmares about data backup. RealClear IT Support is based in Dublin, Ireland. Our (local and hosted) backup systems are easy-to-use, reliable and secure. We also support Apple and Windows systems via our remote and on-site service. Call us on 01 685 4833 for some professional, experienced and practical advice.

How to access your Mac or Windows PC remotely from your iPad


The iPad has been a great boon for mobile computing, but unfortunately, it might not have all the files or applications needed to run your business. While it might do everything from web browsing to email, it will not run your Sage accountancy package or your AutoCAD design suite. This can be an inconvenience.

Picture the scene. You are away from the office and, for the sake of travelling light, have brought only your iPad. On-site with a client you discover that an important file needed for a presentation or meeting is sitting back in the office on your iMac (or MacBook, or Windows PC). That means an SOS call to a colleague or family member to email you the file or, in the worst case, postponing the meeting. Neither solution is ideal.

Thankfully, Splashtop Business lets you quickly and securely log in to your MacBook, iMac, Mac mini or Windows system from your iPad. The process is straightforward: install Splashtop on each computer you want to reach remotely (and on the iPad itself), and when you need to log in, a few taps put you virtually in front of your office computer. You can open applications, make changes, transfer files and even stream video. Data in transit is protected with TLS and 256-bit AES encryption, and Splashtop states that the product is HIPAA compliant. As with any remote-access tool, it is also a door into your office machine, so protect the Splashtop account with a strong password and enable its two-step verification.

A very neat app which can save you time and potentially a lot of hassle.

What Irish small businesses can learn from the Mossack Fonseca (Panama Papers) data leak.


A couple of weeks ago, on 3rd April, the world became aware of an alleged cyber-attack on the Panamanian law firm Mossack Fonseca. A couple of days later it emerged that the attacker had leaked over 2.6TB of data into the public domain, including over 4.8 million emails, 2.1 million PDF files, 1.1 million images and 320,166 text files. The files contained confidential financial information belonging to prominent politicians, actors, lawyers and business people. It was interesting to read the media coverage of this case. Many general media commentators cited the firm’s failure to update its WordPress and Drupal content management systems. While this probably made the hacker(s)’ job easier, the roots of this breach lie a lot deeper.

Firstly, the data Mossack Fonseca was holding was not encrypted. Given its confidentiality and headline-worthiness, this was an egregious mistake. Storing confidential personally identifiable information in plain text is far from best practice. The servers should at a bare minimum have used AES whole-disk encryption, and documents this sensitive should have been protected by file-level encryption with keys kept away from the servers that serve them. One caveat is worth stating plainly: whole-disk encryption protects against a stolen or discarded disk, but does nothing against an attacker who has compromised a running server, because the disk is already unlocked for them. Only file-level encryption with separate keys, or keeping the documents off internet-facing systems altogether, limits what such an attacker can read.

The next mistake was having a public-facing mail server doubling as a document server. A hacker who had compromised their website could, with a little more work, get into the emails and then the documents. Easy peasy. The mail server should have sat in a DMZ between an external and an internal firewall, and the document server on a tightly restricted internal segment with stringent logging (monitored by experienced IT professionals who can spot anomalies quickly) and an APT detection system.

Once the network structure was secure, they could then have worried about the technicalities at the presentation and application layers: why their email was not using TLS, why WordPress (with its one-click update function) and Drupal were not updated, why their WordPress plugins were not updated, and so on. (In other words, the things Sky News talks about after a cyber-attack.)

Lastly, for a business handling such confidential information about such prominent people, there appeared (from media reports at least) to be a very low level of cyber-risk awareness among both senior and junior staff. It might have taken just one employee watching outbound traffic to notice that 2.6TB of data was leaving the network.

As a result of failing to have a secure IT infrastructure and a cyber risk-aware culture in place, Mossack Fonseca got worldwide negative publicity and severe reputational damage to their business.

When Time Machine Won’t Backup


Reliable Time Machine functionality is essential in any Apple environment. In most cases, Time Machine is a reliable backup application but can occasionally develop glitches. It is important not to ignore Time Machine errors or put them on the “long finger” because Murphy’s Law dictates it will be the very time your hard drive will crash and you might risk losing important data. The following is a brief (non-exhaustive) checklist on what to do when Time Machine will not backup.

Make sure your Time Machine disk uses the GUID partition map and is formatted as Mac OS Extended (Journaled), i.e. HFS+. Most external hard drives come pre-formatted with NTFS or exFAT for Windows. Disk Utility can reformat the drive (erase it, choosing “Mac OS Extended (Journaled)” and “GUID Partition Map”), but this destroys any data already on it.

Time Machine might not be backing up because your Time Machine or Time Capsule disk is running out of space. This is a common issue for users who use a single backup disk for Time Machine backups from several machines. That is not best practice, especially with USB external drives, because it often leads to confusion when a disk has to be restored in an emergency. To delete old backups, open the Time Machine browser by clicking the Time Machine icon in the Dock, locate the backup you want to delete in the timeline, control-click it and select “Delete Backup”.

Sometimes you might see a message that the “backup volume is read only”. This can often be solved simply by disconnecting and reconnecting the drive from your computer or network. If that does not resolve it, repair the backup volume with Disk Utility’s First Aid (or with fsck from the Terminal). For network backups, it is strongly advisable to copy the .sparsebundle to a local Mac and run the repair there rather than over your LAN or WLAN.

When backing up to a network drive you might sometimes encounter a “backup disk image could not be created” error. This can be caused by your Mac having no local host name (“LocalHostName”). To set one, go to System Preferences > Sharing and enter a name in the “Computer Name” box at the top of the panel.

Sometimes anti-virus products (Bitdefender for Mac, for example) interfere with the Time Machine backup process and slow it to a crawl. Exclude the Time Machine backup volume (and, if the product allows it, the backupd process) from on-access scanning, or use an alternative AV product such as Sophos for Mac. Also beware of third-party disk utilities such as WD SmartWare, which can interfere with Time Machine’s access to network drives.

Encrypting a Windows 10 Pro Laptop


If your Windows 10 laptop is ever lost or stolen, you are potentially putting your data, or that of your clients, at risk. The Windows login password is not enough, as it can often be bypassed within minutes by booting from another medium. Only whole-disk encryption such as BitLocker keeps the data confidential.

To enable Bitlocker on Windows 10

  • Click Start > File Explorer > This PC. Right-click the system drive (the one Windows 10 is installed on) and click Turn on BitLocker.
  • Choose how the drive is unlocked at start-up. On a laptop with a TPM, BitLocker can unlock the drive automatically; adding a PIN or password is stronger, because a thief then cannot get the disk decrypted simply by powering the machine on.
  • Decide how to back up your recovery key: to your Microsoft account if you have one, to a USB thumb drive, to a file somewhere other than the encrypted drive, or as a printout. The recovery key is the only way back in if the password is forgotten or the TPM detects a change, so store it where a thief cannot find it (not in the laptop bag).
  • You will be asked how much of the drive to encrypt. For a brand-new laptop “Encrypt used disk space only” is enough; for a laptop that has already been used select “Encrypt entire drive”, so that deleted but still recoverable data is covered as well. (Keep the laptop connected to mains power for the whole process.)
  • Choose which encryption mode to use. Select “New encryption mode”, which uses XTS-AES; “Compatible mode” is only needed for removable drives that must be readable on older versions of Windows.
  • The encryption process will now begin and may take some time.
  • When it has finished, confirm that the drive shows as fully encrypted: right-click it in This PC and choose Manage BitLocker, or run manage-bde -status from an administrator command prompt.

Encryption does not protect your data from a failing hard disk or from accidental deletion. Moreover, in rare instances the encryption metadata on a drive can become corrupt, rendering the data inaccessible. It is therefore imperative that you perform frequent backups.

7 Tips to keep your Wireless Network Secure


Driving out of an industrial estate in south Dublin recently at around 7pm, something caught my eye: a dark-coloured Honda Civic with three large antennas on its roof, parked in a lay-by, with three occupants each tapping away furiously on a laptop. They could have been a harmless group of guys who just needed to check the special offers on the Halfords website, or they could have been “wardriving”: driving around actively searching for insecure wireless networks and trying to get into the ones they find. People think this only happens in Hollywood films, but wardriving does occur, even in a grey Dublin industrial estate.

Here are a few tips to protect your wireless network from unwanted snoopers.

  • Change the default login credentials of your wireless router. Every router ships with a default username and password (such as admin/admin) that attackers know. Changing them makes an attacker’s life a little more complicated, but record the new credentials somewhere safe.
  • Make sure the remote management functionality of your wireless router or access point is disabled, so that its admin interface cannot be reached from the internet. Disabling HTTP and Telnet management in favour of HTTPS or SSH on the LAN side is also worthwhile, as is switching off WPS, whose PIN mechanism can be brute-forced in a matter of hours.
  • Keep your router’s firmware up to date. Reputable manufacturers continually release new firmware for their devices, and some releases fix security flaws.
  • Always apply the most secure wireless security protocol available. WEP and the original WPA are no longer secure; WPA2 with AES (CCMP) is considered “secure enough” for most SMEs, provided the passphrase is long and random, because a WPA2 passphrase can be cracked offline from a captured handshake if it is guessable. For example, “blackthornroad2016” (a street name and a year) is not secure, whereas “$KwiOl-qnCZng%2Z4S%p6ed&Z” is.
  • Change the default SSID to something that does not readily identify your company. Calling your network “Blackthorn Finance Secure Network” could be a red rag to a bull for some attackers; an anodyne name like “network 57” is much less alluring.
  • Create an isolated guest network. Visitors or contractors may need wireless access, so set up a separate “guest network” and isolate it from your business network using a VLAN.
  • Some wireless routers and access points have a scheduling feature that switches the radio off between certain hours, e.g. 7pm to 7am. This reduces the window of opportunity for potential attackers.

Addendum: A lot of SME owners ask us “why can’t you just make my wireless network invisible?”. That usually means configuring the router or AP so that it does not broadcast its SSID. It sounds good, but it adds little: the wireless sniffing software attackers use detects hidden SSIDs easily, because the network name is still sent in the clear whenever one of your own devices connects, and devices configured for a hidden network go on probing for it by name wherever they are taken, which leaks more than it hides.

The benefits of a streamlined email service – Dublin accountancy firm case study


Some say that email is dying and being supplanted by applications such as Slack. That may be true within close-knit teams and for internal messages, but email is still the most widely used communication tool for SMEs’ external communication.

Recently, we helped a Dublin accountancy firm with a rather precarious email setup. The firm’s owner had amassed four different email accounts, and each of his two staff was using two. Almost every week an inbound email from a client would go missing, which meant a lot of wasted time hunting for lost emails or contacting the client to ask for a resend. They asked RealClear IT Support to devise a more reliable and streamlined email system. We set them up with a new hosted email solution, added forwarding rules on their old accounts so that new mail was automatically forwarded to the new platform, and configured it to sync with their Outlook and Apple Mail clients. The new system also has a quick and easy search facility.

Other benefits of their new email platform include:

Ample Online Storage Space – Over 20GB of storage space for emails. This was a lot more than the 5GB which they had been allocated by their previous email platform.

On-the-go Email – All their email accounts could now be accessed on their mobile devices such as iPads and iPhones.

Security – Their new email platform uses TLS-encrypted connections (still commonly called SSL) for webmail and mail-client access, and supports two-factor authentication for enhanced security.

Powerful Anti-Spam – Previously, they had to trawl through approximately 100 spam emails a week. Since they migrated to the new platform, this has been whittled down by 90 per cent. The stray spam emails that they receive now go direct to their spam folders.

On follow-up ten days later, they were delighted. The stress of lost emails had been eliminated from their workflow, and they could now concentrate on offering their clients an even better accountancy service. And yes, the rumours of email’s demise have been much exaggerated…

Mystery of slow and unreliable WiFi solved for Dublin accountancy firm


We recently assisted a Dublin accountancy firm with a slow and unreliable WiFi issue which was driving their staff to frustration. The WiFi network in their 8-seat office (where most users were connecting wirelessly) was performing sluggishly and the connection was intermittently dropping. In a busy accountancy practice, this was resulting in significant downtime, frustration and missed deadlines.
We went on-site to investigate. We asked the office manager about the background to the problem. They had first noticed the problem two weeks previously and the wireless network quality seemed to be deteriorating ever since. The building was divided into 5 different offices on three different floors. Our wireless site-survey revealed that the signal coverage in 4 of the offices was quite good. In the remaining basement office the signal was poor.

Diagnostics of wired network and access points

Firstly, we checked their Eir Huawei F2000 modem-router in their comms room and connected it directly to our laptops. It was getting fairly average upload and download speeds – 2.43Mbps and 17.83 Mbps respectively. A 24-port Cisco switch was connected to the modem-router and appeared to be working with no issues. They had 3 Netgear ProSafe access points which were located around their building. We logged into each one of these APs to check the data rates, channel settings and transmit power settings. They all had the latest firmware installed and appeared to be perfectly configured. The problem resided elsewhere.

Diagnostics with packet sniffer and problem diagnosis

Using the packet analyser Wireshark, which captures and decodes traffic on both wired LANs and wireless LANs, we analysed the packets crossing their network. Within 15 minutes we started to see a second DHCP server responding on the network. A DHCP server is the device that automatically assigns IP addresses; in a SoHo (Small Office Home Office) network there should be exactly one, and that role normally belongs to the router. To confirm our suspicion, we logged into their Huawei modem-router again and disabled its DHCP function. As expected, Wireshark still showed DHCP offers on the network. In short, a second router (or some other rogue DHCP server) was handing out addresses, and any client that accepted an address from it was given the wrong gateway and DNS settings, which explains the intermittent drops. We had to find it. Their friendly office manager recalled that two weeks previously one of the staff in the basement office had brought in a device from home to improve the WiFi. That sounded like the culprit. Back to the basement office, and on top of a cabinet we found the source of the problem: a TP-Link router still connected to a network point.
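The Wireshark finding above amounts to grouping DHCP server-to-client messages by the server that sent them. As an added example, not part of the original case study, the following parses raw DHCP payloads (the UDP data Wireshark decodes for you) and lists every server identifier seen in OFFER, ACK or NAK messages, so that anything other than the expected router stands out. The two sample packets are constructed to mirror the situation described: the Eir router answers, and so does a second box on a different subnet.

```python
"""Spot a rogue DHCP server from captured DHCP traffic.

Added example, not part of the original case study. It parses raw DHCP
payloads (RFC 2131 BOOTP header + options) and groups server-to-client
messages by the Server Identifier option. The sample packets are constructed.
"""
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236            # op .. file fields, before the magic cookie
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a DHCP payload, or {} if it is not DHCP."""
    if len(payload) < BOOTP_FIXED_LEN + 4 or payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        return {}
    options, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            break                        # truncated option header
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def dhcp_servers(packets) -> dict:
    """Map each DHCP server (by Server Identifier, else source IP) to the message types it sent.

    `packets` is an iterable of (src_ip, udp_payload) pairs captured on UDP ports 67/68.
    """
    servers = defaultdict(set)
    for src_ip, payload in packets:
        opts = parse_dhcp_options(payload)
        mt = opts.get(OPT_MESSAGE_TYPE, b"")
        mtype = MESSAGE_TYPES.get(mt[0]) if mt else None
        if mtype not in SERVER_MESSAGES:
            continue                     # client messages tell us nothing about servers
        server_id = opts.get(OPT_SERVER_ID)
        ip = ".".join(str(b) for b in server_id) if server_id and len(server_id) == 4 else src_ip
        servers[ip].add(mtype)
    return dict(servers)


def rogue_servers(packets, expected_server: str) -> list:
    """Every DHCP server seen that is not the one expected on this network, sorted."""
    return sorted(ip for ip in dhcp_servers(packets) if ip != expected_server)


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_offer(xid: int, yiaddr: str, server_ip: str) -> bytes:
    """Constructed DHCP OFFER for the sample capture (not a real packet from the case)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, _ip_bytes(yiaddr), _ip_bytes(server_ip), b"\0" * 4)
    header += b"\0" * 16 + b"\0" * 64 + b"\0" * 128          # chaddr, sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, 2, OPT_SERVER_ID, 4]) + _ip_bytes(server_ip) + bytes([OPT_END])
    return header + MAGIC_COOKIE + options


# Constructed capture: the Eir router answers a DISCOVER, and so does a second router in the basement.
SAMPLE_PACKETS = [
    ("192.168.1.254", build_offer(0x1234, "192.168.1.50", "192.168.1.254")),
    ("192.168.0.1", build_offer(0x1234, "192.168.0.100", "192.168.0.1")),
    ("192.168.1.254", build_offer(0x1235, "192.168.1.51", "192.168.1.254")),
]

if __name__ == "__main__":
    print("DHCP servers seen:", dhcp_servers(SAMPLE_PACKETS))
    print("unexpected:", rogue_servers(SAMPLE_PACKETS, expected_server="192.168.1.254"))
```

Two OFFERs for the same transaction ID from different server identifiers is the tell-tale sign; clients simply take whichever arrives first, which is why the symptom comes and goes. In Wireshark the equivalent is to filter on DHCP and compare the Server Identifier option across the OFFER and ACK messages.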

Our solution to slow and unreliable WiFi issue

The TP-Link router had been added to the network by a well-intentioned staff member who thought it might improve the wireless signal strength, and was plugged into an unused network point. But in SoHo network design you should never have more than one router (DHCP server) on a network, because they conflict with one another. The fix was simple. We logged into the TP-Link router and changed it from “router mode” to “access point” mode, which turns off its DHCP service and its NAT (avoiding a double-NAT problem). We then gave the device a static IP address in the same subnet as the Eir modem-router but outside its DHCP pool, to avoid address conflicts. Finally, we secured the TP-Link device’s wireless with WPA2 and AES (CCMP) encryption and a strong passphrase. If their Cisco switch is a managed model, enabling DHCP snooping on it would stop any device on an untrusted port from answering DHCP requests in future.

Solution Follow-up

On follow-up a week later, we were pleased to hear that their WiFi network was working reliably and smoothly. The basement office team member finally had a dependable connection, the whole team could enjoy fast, reliable and secure WiFi and file tax returns on time, and the office manager no longer had to listen to complaints about slow or unreliable WiFi from frustrated staff.