SCADA Security

SCADA devices are systems that control manufacturing or infrastructure devices.  We are always calling for the need to protect these devices with appropriate security measures.  Here’s a look at how easily they can be found and seen by anyone on the internet.

Steps to protect SCADA (Supervisory Control and Data Acquisition) networks

Microsoft SQL slow after updates

While disabling LLMNR can speed up your SQL connection sometimes, ironically you may be slowed down by MS14-066 (KB2992611).

See this article -
“Microsoft does it again, botches KB 2992611 SChannel patch” - Infoworld

What do you do?  The article above gives some advice and more advice comes from the link at the bottom of this blog posting.
Here’s a couple of fixes if you installed KB2992611 and your SQL server came to a crawl

Possible fixes if you’re already affected:

Open gpedit.msc

Go to computer configuration > administrative templates > Network > SSL Configuration Settings > SSL Cipher Suite Order

Set it to enabled

Reboot, or run gpupdate /force at an elevated command prompt

The policy populates the Windows registry with the legacy cipher suites less the 4 new cipher suites added by MS14-066 /2992611.
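
One way to confirm the policy actually took effect after the reboot or gpupdate. This is an added example, not code from this post or from the credited source. The registry path and the four cipher suite names are assumptions drawn from Microsoft's documentation of the policy and of MS14-066; they do not appear on this page.

```powershell
# Added example: check the SSL Cipher Suite Order policy after applying the fix.
# Assumption: the policy writes a comma-separated "Functions" value under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Assumption: these are the four suites MS14-066 added (not listed in the post).
$newSuites = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# Is the update present on this machine at all?
$patch = Get-HotFix -Id 'KB2992611' -ErrorAction SilentlyContinue
if ($patch) {
    Write-Output "KB2992611 is installed (InstalledOn: $($patch.InstalledOn))."
} else {
    Write-Output 'KB2992611 was not found by Get-HotFix.'
}

# Read the order the policy pushed into the registry, if any.
$policy = Get-ItemProperty -Path $policyKey -Name 'Functions' -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Output 'No cipher suite order policy is set; Windows is using its default order.'
} else {
    # Normalise to a clean array of suite names.
    $configured = @((@($policy.Functions) -join ',') -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $stillListed = @($configured | Where-Object { $newSuites -contains $_ })

    Write-Output "Policy lists $($configured.Count) cipher suites."
    if ($stillListed.Count -gt 0) {
        Write-Output "MS14-066 suites still in the policy order: $($stillListed -join ', ')"
    } else {
        Write-Output 'None of the four MS14-066 suites are in the policy order.'
    }
}
```

Run it from an elevated PowerShell prompt on the SQL server, before and after the change, and keep both outputs with your change record.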

Source/Credit : http://blogs.msmvps.com/spywaresucks/2014/11/16/hold-off-installing-ms14-066-kb-2992611/

Note: ALWAYS back up your data before you try reversing a patch or modifying policies or the registry.

Microsoft should fix this soon…

Here’s how to improve performance – LLMNR -

http://ttcshelbyville.wordpress.com/2009/11/30/slow-sql-connection-to-windows-7/

A love for computers and music

One of the most talented people I know is Jared Ledlow.  A former student, Jared was remarkable at diagnosing computers, learning new technology and absolutely loved playing and writing music.   His personality is contagious and his unselfishness in learning and teaching others is above reproach.


After graduation, Jared started as a government contractor resolving help desk tickets.

He went on to become a Technical Assistance Associate in one of the largest data centers.

Jared now monitors the critical infrastructure behind the day to day operations in his company’s data center.

Some of his responsibilities include monitoring UPSs, CRAC units and a ton more.

In IT you need motivation, initiative, work ethic, a desire to learn and more.  Jared Ledlow has these qualities and more.

Cannot switch users in Windows 8/8.1

If you cannot change accounts in Windows 8, 8.1 or Windows 8.1 Update there are several things you can try -

First try editing the registry

In the search box, type regedit
Navigate to the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Modify the registry value of HideFastUserSwitching from 1 to 0

Log off and restart the machine

Did it work?  If not, try editing the group policy

In the search box, type gpedit.msc
Navigate to -
Local Computer Policy/Computer Configuration/Administrative Templates/System/Logon
Double click Hide Entry Points for Fast User Switching to bring up a dialog box to change Fast User Switching policy setting.
Choose Enabled
Close the group policy editor
Open a command prompt and type gpupdate /force

If the above did not work, try a refresh pc

Go to a “Command Prompt” as an Administrator
Next enter
shutdown.exe /r /o /f /t 00
The computer will restart
Select Troubleshoot
Select Refresh PC

Only one user showing during logon of Windows 8/8.1 Pro

After some updates, you may notice that you cannot see all of the users when logging in.

Open GPEdit.msc (Group Policy Editor)

Navigate to Windows Settings, Security Settings, Local Policies, Interactive logon: Do not display last username and double click.  Select enable and reboot your computer or use gpupdate /force.


No, you are not a Microsoft employee, no I don’t have a virus and by the way, you are definitely talking to the wrong people

Ironically I’ve seen warnings from other techs like Dawn, Mickey and more of my IT peers about fake Microsoft calls. Today, I got the pleasure of speaking with one.

When these people call you, they will identify themselves as a Microsoft employee or some other prominent company.   Microsoft will not call you to tell you that your computer is running slow or that it is infected with malware/virus.

Within one minute of talking with this individual, he wanted to take control of my computer.  Knowing what was taking place, we have virtual computers in controlled labs that would be perfect for this caller.  With the help of Pat and Nathan, we fired up a virtual computer and kept talking to the individual.

Note:  The virtual computer was in a controlled environment.   The computer had Windows 10 Technical Preview installed and had no viruses or malware.  The virtual machine had 2 gigabytes of RAM, 2 processors and the virtual hard drive was only 30 gigabytes .

Giving the individual a name (he got it wrong twice) and a 555-5554-555532 phone number, I was asked to go to a website that allowed remote control of my computer. I in turn asked for his name again and he gave me another name that was not the original one from the start of the call. I also asked for his Microsoft badge number and he said bb65tr9 (fake of course).

Prior to going to the website, I started the problem step recorder so I could record him navigating through Windows.

Navigating to the website, I downloaded a software that allowed remote control.  The individual kept insisting that my computer had viruses and that he would have to get an engineer to fix them if he couldn’t.

Once he gave me the whole spiel on how bad my computer was, he opened up the services tab and insisted that ALL of the services should be running.  He then showed me CSRSS.exe in the running processes and insisted it was a virus that was stopping the services from running.

Knowing that CSRSS.exe (What is CSRSS?) is a Microsoft  program, I asked the students to be at the ready to pull the plug when needed.


After showing me the “virus”, the individual entered a link that led directly to a software setup that would install another program on the computer (above).  I asked what it was and he said it would scan my computer for performance.  Instantly hundreds of errors appeared along with other visually terrifying effects.   Microsoft’s Gold Partner was on the software (fake) and another company which I am sure is also fake.

I had one of the students unplug the RJ45 cable and pretended to lose the connection.  The individual said that would not be a problem, he could always log into my computer with the remote program I had downloaded at any time.  He also stated that they would have to charge me for removal of the virus.

After more than 25 minutes online of listening to this person tell me how bad my computer was, I hung up.   I had what I needed: a great lesson for the students, files to analyze and information about the location of this individual.

Knowing that this was a fraudulent call, it gave the students a firsthand view of what is going on in the world of computers and security.

Never give remote control to anyone you don’t know.  

Below is the program that has been somewhat obscured so that people won’t search for it online.  Note that he said I had hundreds of registry problems yet the screenshot shows a green check that the registry is ok.


We saved the PSR file and the programs on a secure flash drive and deleted the virtual computer.  We will analyze the files later and will be analyzing the firewall to see the IP address and location of the individual.

List of rogue software.  (This list is changing often)

http://en.wikipedia.org/wiki/List_of_rogue_security_software

PC cleaning apps scams

http://www.howtogeek.com/162683/pc-cleaning-apps-are-a-scam-heres-why-and-how-to-speed-up-your-pc/