Archived from groups: rec.games.computer.ultima.dragons

Had to fire an employee Friday. He had lots of customer complaints for
his rudeness, however unintentional it was. He had been with us for 23
years. However what outraged me the most was the fact that he had been
using our computer at work to access disreputable sites. A couple of
months ago I activated Content Advisor to block him from doing so, but
of course it interfered with plenty of legitimate sites. After talking
with him to explain why I had done that, after a few weeks I turned it
off to see if I gave him enough rope to hang himself. During
maintenance last week I discovered Norton Antivirus Auto-Protect was
turned off, so I did a full scan, came up with one virus and two
trojans, stemming from his last visit. Fortunately, the firewall
blocked over 2700 inbound attempts to use the trojan. But man! We have
hundreds of Medicare kids' Social Security numbers on that puter, as
well as all our payroll software with OUR SS #s!
That was simply too much! I feel horrible, having trouble sleeping and
all, but I feel that I have done the right thing.
If anyone is interested, I'll post the infections later. Routine
backdoor trojans if I remember correctly.
--
Optician Dragon
-=UDIC=-
"There is no cause so right that one cannot find a fool following it."
Larry Niven

On Thu, 15 Sep 2005 11:12:52 GMT, Optician Dragon <dragonlensman1@verizon.net> wrote:

>Had to fire an employee Friday. He had lots of customer complaints for
>his rudeness, however unintentional it was. He had been with us for 23
>years. However what outraged me the most was the fact that he had been
>using our computer at work to access disreputable sites. A couple of
>months ago I activated Content Advisor to block him from doing so, but
>of course it interfered with plenty of legitimate sites. After talking
>with him to explain why I had done that, after a few weeks I turned it
>off to see if I gave him enough rope to hang himself. During
>maintenance last week I discovered Norton Antivirus Auto-Protect was
>turned off, so I did a full scan, came up with one virus and two
>trojans, stemming from his last visit. Fortunately, the firewall
>blocked over 2700 inbound attempts to use the trojan. But man! We have
>hundreds of Medicare kids' Social Security numbers on that puter, as
>well as all our payroll software with OUR SS #s!
>That was simply too much! I feel horrible, having trouble sleeping and
>all, but I feel that I have done the right thing.
>If anyone is interested, I'll post the infections later. Routine
>backdoor trojans if I remember correctly.

Shouldn't you keep the computer with sensitive content isolated from routine
Internet usage entirely? Remove the browsers and make sure any user accounts
cannot install any new software.

Even if you don't have Windows Server 2003, Microsoft has a highly regarded
guide useful in locking down and hardening Windows computers,
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
--
The Polychromic Dragon of the -=={UDIC}==-
http://home.comcast.net/~macecil/
http://home.comcast.net/~safehex/
RGCUD Photo Gallery: http://home.comcast.net/~rgcud/

On Thu, 15 Sep 2005 07:47:14 -0500, Polychromic <macecil@comcast.net>
wrote:

>On Thu, 15 Sep 2005 11:12:52 GMT, Optician Dragon <dragonlensman1@verizon.net> wrote:
>
>>Had to fire an employee Friday. He had lots of customer complaints for
>>his rudeness, however unintentional it was. He had been with us for 23
>>years. However what outraged me the most was the fact that he had been
>>using our computer at work to access disreputable sites. A couple of
>>months ago I activated Content Advisor to block him from doing so, but
>>of course it interfered with plenty of legitimate sites. After talking
>>with him to explain why I had done that, after a few weeks I turned it
>>off to see if I gave him enough rope to hang himself. During
>>maintenance last week I discovered Norton Antivirus Auto-Protect was
>>turned off, so I did a full scan, came up with one virus and two
>>trojans, stemming from his last visit. Fortunately, the firewall
>>blocked over 2700 inbound attempts to use the trojan. But man! We have
>>hundreds of Medicare kids' Social Security numbers on that puter, as
>>well as all our payroll software with OUR SS #s!
>>That was simply too much! I feel horrible, having trouble sleeping and
>>all, but I feel that I have done the right thing.
>>If anyone is interested, I'll post the infections later. Routine
>>backdoor trojans if I remember correctly.
>
>Shouldn't you keep the computer with sensitive content isolated from routine
>Internet usage entirely? Remove the browsers and make sure any user accounts
>cannot install any new software.
>
>Even if you don't have Windows Server 2003, Microsoft has a highly regarded
>guide useful in locking down and hardening Windows computers,
>http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
They are running XP Pro.
Problem with removing browsers, etc is that this computer also has to
access the net to verify customers' insurance coverage, we use it to
bill Medicaid electronically as now required, and I use it to order
lenses from the lab in Pittsburgh electronically. We usually log onto
a more restricted account and I may have stupidly left it logged in as
Administrator during maintenance, but I don't know how Norton allowed
itself to be turned off. The trojans found were Trojan.ByteVerify and
Trojan.Adclicker.
I did notice that he used a Guest account on the company's AOL to sign
on with. We removed his screen name a couple years ago after he got
AOL trojaned and sent out about 1kilospams before they cut off our
account. I must say now that AOL does a better job of spam filtering
and they check every attachment for viruses.
I still like t-bird.
--
Optician Dragon
-=UDIC=-
"There is no cause so right that one cannot find a fool following it."
Larry Niven

On Thu, 15 Sep 2005 21:42:37 GMT, Optician Dragon
<dragonlensman1@verizon.net> wrote:

>On Thu, 15 Sep 2005 07:47:14 -0500, Polychromic <macecil@comcast.net>
>wrote:
>
>>Shouldn't you keep the computer with sensitive content isolated from routine
>>Internet usage entirely? Remove the browsers and make sure any user accounts
>>cannot install any new software.
>>
>>Even if you don't have Windows Server 2003, Microsoft has a highly regarded
>>guide useful in locking down and hardening Windows computers,
>>http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
>They are running XP Pro.
>Problem with removing browsers, etc is that this computer also has to
>access the net to verify customers' insurance coverage, we use it to
>bill Medicaid electronically as now required, and I use it to order
>lenses from the lab in Pittsburgh electronically. We usually log onto

Well, I think I would still set up a machine isolated from the net which
stored the sensitive records. Then I'd set up the billing computer so it
could only visit those few approved sites you mention (you can do this in
the Content Advisor section of IE) and just access records on the isolated
machine as needed remotely.

>a more restricted account and I may have stupidly left it logged in as
>Administrator during maintenance, but I don't know how Norton allowed
>itself to be turned off. The trojans found were Trojan.ByteVerify and
>Trojan.Adclicker.

Well, they are trojans so they didn't load themselves - I guess your
recently fired employee was trying to load cracks or porn viewers. The
Adclicker one is pretty harmless - it just tries to drive up click counts
for pay per click type revenue. The BV is a RAT (remote access trojan).
Since you don't know how long it has been on there or if the computer has
been remotely accessed, I would take no chances. Format and reinstall is
the safest way to go especially since this computer currently does have
sensitive information. If you do a sfc /scannow, it will only check the
Windows files (and you'll have to reinstall any patches since your base
install) and it won't check other program files for integrity. If you
have an image file you can do a binary comparison of the machine's files
against, that would be one way to avoid a complete format and reinstall.
But it will probably be faster and more certain to just do that.

>I did notice that he used a Guest account on the company's AOL to sign
>on with. We removed his screen name a couple years ago after he got
>AOL trojaned and sent out about 1kilospams before they cut off our
>account. I must say now that AOL does a better job of spam filtering
>and they check every attachment for viruses.
>I still like t-bird.

Remember, if a person has physical access to the machine that even a good
admin password will not be safe. Mounting your computers in an
air-conditioned computer closet (or a rack perhaps) behind an unbumpable
lock would help make them more secure.
--
The Polychromic Dragon of the -=={UDIC}==-
http://home.comcast.net/~macecil/
http://home.comcast.net/~safehex/
RGCUD Photo Gallery: http://home.comcast.net/~rgcud/
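
The reply above suggests a binary comparison of the machine's files against a known-good image as the alternative to a format and reinstall. The following is an added example, not code from the thread: it builds a SHA-256 manifest of a clean tree (standing in for the Ghost image) and reports which files on the live tree are modified, missing or newly added. The directory layout, file names and contents in demo() are constructed for illustration; "svchost32.exe" is a made-up dropped file, not a real malware name.

```python
"""Compare a live directory tree against a hash manifest of a clean image."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of one file, read in chunks so large files don't fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as modified (hash differs), missing (gone from the live
    tree) or added (present on the live tree but absent from the image)."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean image tree and a live tree with one
    tampered system file, one deleted program and one dropped executable."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "image"
        live = Path(tmp) / "live"
        for root in (image, live):
            (root / "Windows" / "system32").mkdir(parents=True)
            (root / "Windows" / "system32" / "kernel32.dll").write_bytes(b"clean kernel32")
            (root / "Windows" / "notepad.exe").write_bytes(b"clean notepad")
        # Tamper with the live tree only (constructed, hypothetical file names).
        (live / "Windows" / "system32" / "kernel32.dll").write_bytes(b"patched kernel32")
        (live / "Windows" / "notepad.exe").unlink()
        (live / "Windows" / "system32" / "svchost32.exe").write_bytes(b"dropper")
        return compare(build_manifest(image), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats that follow from the thread's own point about a remote-access trojan: hash the live disk from boot media or with the drive attached to a clean machine, because an operating system that has been compromised can lie to a scanner running on it; and treat "added" entries as the interesting list, since a backdoor is far more likely to arrive as a new file than as a patched one. A clean result from this check is only as good as the age of the image it was compared against, which is exactly the problem the next post raises.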

On Thu, 15 Sep 2005 17:13:16 -0500, Polychromic <macecil@comcast.net>
wrote:

>On Thu, 15 Sep 2005 21:42:37 GMT, Optician Dragon
><dragonlensman1@verizon.net> wrote:
>
>>On Thu, 15 Sep 2005 07:47:14 -0500, Polychromic <macecil@comcast.net>
>>a more restricted account and I may have stupidly left it logged in as
>>Administrator during maintenance, but I don't know how Norton allowed
>>itself to be turned off. The trojans found were Trojan.ByteVerify and
>>Trojan.Adclicker.
>
>Well, they are trojans so they didn't load themselves - I guess your
>recently fired employee was trying to load cracks or porn viewers.
The latter I suspect.
"You must load this to view page content" or somesuch.
I did check the trojans out at Symantec's site.
>The
>Adclicker one is pretty harmless - it just tries to drive up click counts
>for pay per click type revenue. The BV is a RAT (remote access trojan).
>Since you don't know how long it has been on there
4 weeks today at 4:30 pm, a half hour after I left work. At least it's
only the once in the last 8 weeks.

>or if the computer has
>been remotely accessed,
Dunno - I had just updated Zone Alarm the week before and since its
install it's blocked over 2700 inbound attempts, all but a dozen or
so "high-rated". Scans with every vendor's online virus scans in Safe
Mode show nothing. All the data seems to be there. We tried recalling
some random ones from the Medicaid program (recently updated in Y2K,
being a DOS program), and the payroll software has its own additional
encryption; without my password it can't be accessed anyway. (Gee, do
you think he'll guess my password? 123456? That'll fool him, won't it?)

>I would take no chances. Format and reinstall is
>the safest way to go especially since this computer currently does have
>sensitive information. If you do a sfc /scannow, it will only check the
>Windows files (and you'll have to reinstall any patches since your base
>install) and it won't check other program files for integrity. If you
>have an image file you can do a binary comparison of the machine's files
>against, that would be one way to avoid a complete format and reinstall.
>But it will probably be faster and more certain to just do that.
Kicking myself for not Ghosting new images after the last F&I.
I do back up the data weekly, but only to a second PW-protected drive.
Maybe not secure enough. Maybe I should get a couple of removable
backup drives? Would Flash drives be considered reliable enough? The
actual data, not counting program amounts to only 250 Mb or so for
both. Heck I should just use CD's.
My guess is the stored image would still be good from the other drive,
but it is too old.

>>I did notice that he used a Guest account on the company's AOL to sign
>>on with. We removed his screen name a couple years ago after he got
>>AOL trojaned and sent out about 1kilospams before they cut off our
>>account. I must say now that AOL does a better job of spam filtering
>>and they check every attachment for viruses.
>>I still like t-bird.
>
>Remember, if a person has physical access to the machine that even a good
>admin password will not be safe. Mounting your computers in an
>air-conditioned computer closet (or a rack perhaps) behind an unbumpable
>lock would help make them more secure.
But my Taser guarded keyboard works flawlesslyyyyyyyyyyyyyyyyikes!!
--
Optician Dragon
-=UDIC=-
"There is no cause so right that one cannot find a fool following it."
Larry Niven

On Thu, 15 Sep 2005 23:36:12 GMT, Optician Dragon
<dragonlensman1@verizon.net> wrote:

>but I don't know how Norton allowed itself to be turned off.

Norton takes a couple minutes to activate when you reboot. If the fired
guy rebooted the computer and immediately went to a site with a malicious
exploit active, that would be all it takes. (This is one of the problems
with Norton's bloat.)

>Kicking myself for not Ghosting new images after the last F&I.
>I do back up the data weekly, but only to a second PW-protected drive.
>Maybe not secure enough. Maybe I should get a couple of removable
>backup drives? Would flash drives be considered reliable enough? The
>actual data, not counting programs, amounts to only 250 MB or so for
>both. Heck, I should just use CDs.
>My guess is the stored image would still be good from the other drive,
>but it is too old.

If you have another machine networked you could sync the data to it daily,
then do backups to a burner weekly or however often you wanted on that
machine. There's even a free program that can do that kind of syncing of
the data called SyncBack. Set up 7 target folders and 7 schedules so it
backs up the data every day to the appropriate folder. Pretty simple as
long as you remember to burn the data to discs on a routine schedule. Of
course, you only have to burn one of the days as long as its data is
intact.
--
The Polychromic Dragon of the -=={UDIC}==-
http://home.comcast.net/~macecil/
http://home.comcast.net/~safehex/
RGCUD Photo Gallery: http://home.comcast.net/~rgcud/
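
The seven-folder, seven-schedule rotation described above is simple enough to implement without SyncBack. The following is an added example, not code from the thread or from SyncBack: it mirrors a source folder into a weekday-named folder on the backup host, then verifies every copy byte-for-byte against the source so a silently bad copy is caught the day it is made rather than when the disc is burned. Source and destination paths, file names and contents in demo() are constructed; the dates match the thread's own (15 September 2005 was a Thursday).

```python
"""Day-of-week rotating backup with byte-for-byte copy verification."""
from __future__ import annotations

import datetime as dt
import filecmp
import shutil
import tempfile
from pathlib import Path

# One target folder per weekday, as the post suggests.
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def target_folder(dest_root: Path, day: dt.date) -> Path:
    """Monday -> dest_root/Mon ... Sunday -> dest_root/Sun."""
    return dest_root / WEEKDAYS[day.weekday()]


def backup(src: Path, dest_root: Path, day: dt.date) -> dict[str, int]:
    """Mirror src into that day's folder and return copied/verified counts.

    The weekday folder is cleared first so it holds exactly one snapshot;
    copy2 keeps timestamps; filecmp with shallow=False compares contents,
    not just size and mtime, so a truncated or corrupt copy is reported.
    """
    target = target_folder(dest_root, day)
    if target.exists():
        shutil.rmtree(target)
    copied = verified = 0
    for path in src.rglob("*"):
        if not path.is_file():
            continue
        out = target / path.relative_to(src)
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, out)
        copied += 1
        if filecmp.cmp(path, out, shallow=False):
            verified += 1
    return {"copied": copied, "verified": verified}


def demo() -> dict[str, object]:
    """Constructed run: back up a small data folder on Thursday, change a
    file, back up again on Friday, and confirm Thursday's copy is untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"          # assumed source, e.g. the billing PC's data dir
        dest = Path(tmp) / "backups"      # assumed share on the second networked PC
        (src / "payroll").mkdir(parents=True)
        (src / "payroll" / "2005-09.dat").write_bytes(b"payroll records")
        (src / "medicaid.dbf").write_bytes(b"claims")
        thu = backup(src, dest, dt.date(2005, 9, 15))
        (src / "medicaid.dbf").write_bytes(b"claims + new")   # data changes overnight
        fri = backup(src, dest, dt.date(2005, 9, 16))
        return {
            "thu": thu,
            "fri": fri,
            "thu_copy": (dest / "Thu" / "medicaid.dbf").read_bytes(),
            "fri_copy": (dest / "Fri" / "medicaid.dbf").read_bytes(),
            "folders": sorted(p.name for p in dest.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

Run it from a scheduled task on the backup host, pulling from the billing machine, rather than pushing from the billing machine to a share it can write to: a backdoor on the source machine can then read the backups at most, not overwrite or delete seven days of them. The write-once discs the post ends with close the same gap for the weekly copy, and the verified count tells you which day's folder is safe to burn.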

On Fri, 16 Sep 2005 02:25:21 -0500, Polychromic <macecil@comcast.net>
wrote:

>On Thu, 15 Sep 2005 23:36:12 GMT, Optician Dragon
><dragonlensman1@verizon.net> wrote:
>
>>but I don't know how Norton allowed itself to be turned off.
>
>Norton takes a couple minutes to activate when you reboot. If the fired
>guy rebooted the computer and immediately went to a site with a malicious
>exploit active, that would be all it takes. (This is one of the problems
>with Norton's bloat.)
I doubt he did anything that dumb; besides, I don't think you can
reboot, get the browser fired up and hit the site before Norton
activates, since it seems to have a higher priority, i.e. other progs
won't finish loading until it's going. But since it's a part of
SystemWorks, I agree with the bloat. Is their Corporate Antivirus
stand-alone any more efficient?
>
>>Kicking myself for not Ghosting new images after the last F&I.
>>I do back up the data weekly, but only to a second PW-protected drive.
>>Maybe not secure enough. Maybe I should get a couple of removable
>>backup drives? Would Flash drives be considered reliable enough? The
>>actual data, not counting program amounts to only 250 Mb or so for
>>both. Heck I should just use CD's.
>>My guess is the stored image would still be good from the other drive,
>>but it is too old.
>
>If you have another machine networked you could sync the data to it daily,
>then do backups to a burner weekly or however often you wanted on that
>machine. There's even a free program that can do that kind of syncing of
>the data called SyncBack. Set up 7 target folders and 7 schedules so it
>backs up the data every day to the appropriate folder. Pretty simple as
>long as you remember to burn the data to discs on a routine schedule. Of
>course, you only have to burn one of the days as long as its data is
>intact.
We have seven computers sharing an internet connection and three more
that are not online at all in the exam rooms, as our Doctor uses a
computerized eye exam program. I have all file sharing off. There are
only two puters that have any sensitive data at all, the others are
used for miscellaneous duties and the one in my office is for lens
research and Halo. :)
Both units with the sensitive data have CD-RW drives.
I have seen a program somewhere that will allow you to change the
order of loading of your programs, does that work?
--
Optician Dragon
-=UDIC=-
"There is no cause so right that one cannot find a fool following it."
Larry Niven

On Fri, 16 Sep 2005 11:30:00 GMT, Optician Dragon
<dragonlensman1@verizon.net> wrote:

>I doubt he did anything that dumb, besides I don't think you can
>reboot, get the browser fired up and hit the site before Norton
>activates, since it seems to have a higher priority, i.e. other progs
>won't finish loading until it's going. But since it's a part of
>SystemWorks, I agree with the bloat. Is their Corporate Antivirus
>stand-alone any more efficient?

Yes, it's quite nice but it really needs a client/server situation to work
correctly. I don't think it would work right in a peer to peer setup
unless you just installed the server version on each machine.

>We have seven computers sharing an internet connection and three more
>that are not online at all in the exam rooms, as our Doctor uses a
>computerized eye exam program. I have all file sharing off. There are
>only two puters that have any sensitive data at all, the others are
>used for miscellaneous duties and the one in my office is for lens
>research and Halo. :)
>Both units with the sensitive data have CD-RW drives.
>I have seen a program somewhere that will allow you to change the
>order of loading of your programs, does that work?

It will only affect the loading order of programs in the startup folder,
not those that load as services. I think. You can do the same thing
without a program by just naming the shortcuts there with numbers as the
first part of their names, IIRC. Maybe that was only W95.
--
The Polychromic Dragon of the -=={UDIC}==-
http://home.comcast.net/~macecil/
http://home.comcast.net/~safehex/
RGCUD Photo Gallery: http://home.comcast.net/~rgcud/