Category: From the Help Desk

File-Count Audits are a necessity in modern computing and security. Any number of security and auditing tools will automate this process for you, and notify you of discrepencies, but even the smallest IT firms can easily perform this task by hand with a simple search application. First, let’s discuss why.

Recently, companies as large as LexisNexis had their networks compromised by files that could’ve been anything from remote access trojans to botnet zombies. One article on Slashdot mentions that a file named nbc.exe was placed on the servers and resided there for months. Months!? Really? Nobody caught that? The file name is obviously suspicious, but not once did it come up in an audit of new files? People fall for “system.exe” or “OS.exe” or “Windows.exe” all the time – but to have a corporate server with a file named nbc.exe and nobody to take a second glance at it is quite poor.

I get it, some companies have extremely large datasets. Auditing every little change might be practically impossible, or at the very least, excruciatingly expensive (both in terms of financial and system resources!). Still, even when the data you house changes, it isn’t typically going to be executable data. This is an easy thing to spot! Even free tools like the one shown above, WinDirStat, can be used to keep a running count and list of .exe files on your server. Your .exe filecount should practically never change, particularly without your knowledge. Some Windows Update installers / uninstallers might include new .exe files, but typically your server isn’t in a position to have the active number of executable files in flux.

Say you even have User directories on your Active Directory server, and a user uploads a .exe file into their directory. You still have no reason not to audit the contents of those directories, and perhaps enforce a security policy that executables cannot be stored on the server.

Performing a file-count audit once a month, even if it is just of critical filetypes such as .dll, .exe, and .bat; simple behaviors like this can protect you in the long run. Even if you don’t know every file name in every folder, just get a count of how many .EXE files there are, and if that number changes without you doing something, then you can pull the list of executables. Even with nothing to compare it to, I would hope a name like “nbc.exe” would jump out, particularly if it were in a nested folder where nobody would normally place a file. Use common sense and protect yourself, your company, and your customers.

I’m not prone to conspiracy theories, but some things are just a bit too much even for me. Cisco recently released an advisory about a new piece of DNS poisoning malware which can install a Tor client on a user’s machine. Their suggestion? “Enterprises should consider blocking Tor traffic on their networks.”

This, just days after a massive chunk of Tor sites were compromised under the guise of fighting child pornography. It seemed like a safe thing to do, after all; nobody wants to defend child porn. BUT, privacy advocates everywhere are literally and physically reeling from the crackdown on the Tor network, seen in recent weeks. “Tor” stands for “The Onion Router” and is a service that can anonymize traffic on the web, by allowing multiple shared entry and exit points. Your traffic goes in to “The Onion Router” network, through several layers and bouncing off of several other routers and peers in the network, then gets spit out on of a random exit point, along with all of the other traffic routed out the same exit. In the end, it is virtually impossible to trace back to any one user, without more identifiable markers on their machine (which is what the malware planted in Tor-based sites is doing). We have even seen sites like Silent Circle, and Lavabit shut down their services and Hushmail fold to the feds.

With a sudden attack on Tor and privacy and anonymity protection software is executed by the government, then a well known and major security and networking company advises that most enterprises should start blocking Tor based traffic on their networks… it just feels a bit too “coincidental.” In a time when the discussion has never been larger, the NSA and other federal agencies ordering these crackdowns have NEVER been so brazen. Where most private companies would be experiencing a panic and a PR nightmare, these organizations appear to be moving forward with the cavalier attitude of Don Quixote, oblivious (or unconcerned) to the rubber band-like reaction that lies ahead. I’m not a conspiracy theorist, I’m not even a privacy advocate, but someone out there has forgotten what it means to be subtle when trampling the little people.

I recently had a user call me and explain that they couldn’t save to their offline files and folders when offline. Little did I know the can of worms we were going to open.

The troubleshooting rabbit hole involved finding out that you could, in fact, copy and paste documents in to those folders, however we couldn’t save PDF files from Adobe Reader by using the File/Save command. No error message appeared, they looked like they saved, but when you looked in the folder, the file would be missing. It was specific to Adobe Reader. Once I knew that, I had to dig further.

In the end, the problem was that Adobe Reader wouldn’t allow the user to save files in the Offline folder because it was sandboxed (an enhanced security mode which doesn’t allow Adobe Reader to react with other applications, in an attempt to prevent virus infected PDF files from infecting your whole system). To resolve this, close any open PDF documents, but open Adobe Reader. Click Edit, then Preferences. On the left click Security (Enhanced), then UNCHECK Enable Enhanced Security at the top of the Window, and click OK. Exit Adobe reader, then try again. It should work without a problem now!