Pacific Computer Wizards - Repository ....

An information repository of … thoughts, data, sharing, and ideas, posted.
Use the information in these posts at your own risk. The ideas, thoughts, and expressions posted here are for my own use.

-President & Chief Wizard


DHS Binding Operational Directive 18-01 (BOD 18-01)

posted Jun 7, 2019, 2:50 PM by Andrew Chadick   [ updated Jun 12, 2019, 11:53 AM ]


If you are seeing a lot of attempts coming in where phishing emails look exactly like internal emails and are getting through your spam filters, there are some things you can do to mitigate your risks. 

I have seen such emails come through recently which I could barely tell weren't from our own domain, with no evidence of spoofing except minor character changes in the source; which has prompted me to increase the mail server's SPF, DKIM, and DMARC record settings to make it as close to impossible to impersonate a user on the server as is possible without someone literally hacking one of our accounts.
If you are interested, this tool will check your email settings for you and tell you what you need to do to increase security: http://www.appmaildev.com. You run the DKIM test tool and send an email to the randomized address it gives you. After you click send, wait until the server receives the email; it will then diagnose your settings and tell you what's what. It will even run a spam check.

After you have done that, you can check all your changes with this site: https://domain-checker.valimail.com to verify compliance with the current standards. It's basically a dashboard view of your settings.

If you need assistance creating a DMARC record, this tool works great: https://dmarcguide.globalcyberalliance.org/#/
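The checks the tools above run on your SPF and DMARC records can be reasoned through offline. The following is an added example, not code from the original post or from any of the linked tools; the record strings are constructed samples, and the p=reject target is the DMARC policy level BOD 18-01 requires of federal domains.

```python
"""Added example (not from the original post or any of the tools it links):
offline checks of the SPF and DMARC TXT records a domain publishes, the
settings the post tightens. Record strings are constructed samples."""
import re

# Constructed samples; for a real domain these come from DNS TXT lookups of
# example.org (SPF) and _dmarc.example.org (DMARC).
SAMPLE_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"

LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|redirect=|exists:)")


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Findings for an SPF record; an empty list means nothing to fix."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record (must start with v=spf1)"]
    findings = []
    # The qualifier on 'all' decides what happens to senders not listed.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any sender passes SPF, so the record blocks nothing")
        elif qualifier in "~?":
            findings.append(f"{qualifier}all: unlisted senders only softfail/neutral; use -all")
    # include/a/mx/redirect/exists each cost one of the 10 DNS lookups allowed.
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Findings for a DMARC record measured against p=reject, the policy
    level BOD 18-01 requires for federal domains."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam; p=reject blocks it")
    elif policy != "reject":
        findings.append("missing or unknown p= tag")
    # pct below 100 applies the policy to only a sample of failing mail.
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who spoofs you")
    # Subdomains inherit p= unless sp= overrides it; sp=none reopens them.
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


if __name__ == "__main__":
    for name, record, check in (("SPF", SAMPLE_SPF, assess_spf),
                                ("DMARC", SAMPLE_DMARC, assess_dmarc)):
        print(name, record)
        for finding in check(record) or ["no findings"]:
            print("  -", finding)
```

The sample records above produce exactly the two findings a typical first-pass setup has: a soft-fail `~all` and a monitor-only `p=none`.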


Salesforce DKIM Security on Emails - CNAME

posted Jun 5, 2019, 1:19 PM by Andrew Chadick   [ updated Jun 5, 2019, 3:37 PM ]

If you find that your Salesforce emails are going to spam when they were working fine before, it's because of tightening security measures on the backend. To rectify the situation, you will need to create a new DKIM key in Salesforce. Go to the Setup area in Salesforce and search for DKIM; it will pop up straight away.

One thing that is very confusing when creating the key is that what you are given is NOT a DKIM key; instead, you are given a pair of CNAMEs.

It took quite a bit of time to figure out what was needed, as there is really no explanation given, but the bottom line is that you need to go into your domain registrar and create two CNAME records with the data you are given. What Salesforce has done is create secure records on their backend, which they don't share with you; you are simply setting up a CNAME that points to that location, and their servers handle the rest.

Example of what you are given when creating the keys:
CNAME Record specialkey1._domainkey.mydomainname.org IN CNAME specialkey1.rrge1q.custdkim.salesforce.com.
Alternate CNAME Record specialkey2._domainkey.mydomainname.org IN CNAME specialkey2.9971sp.custdkim.salesforce.com.

The way this looks in your registrar might be different, but for me, it looks like this:

Alias                     TTL    Refers to Host Name    Other Host
------------------------  -----  ---------------------  ---------------------------------------------
specialkey1._domainkey    3600                          specialkey1.rrge1q.custdkim.salesforce.com.
specialkey2._domainkey    3600                          specialkey2.9971sp.custdkim.salesforce.com.

The important thing here is to make sure that your "Alias" does not have your domain name added to it, even though Salesforce appends it in the detail view of the supposed DKIM record results that they give you. You have to copy and paste the right parts over to the CNAME record fields in the registrar.

Once you have saved the CNAMEs to your registrar, it takes about 30 minutes for the changes to take effect. Once you have waited the 30 minutes, go back to the location where you created the DKIM key in Salesforce and click the button that says "Activate".

Once activated, the check box next to your key will be ticked, and your emails will be fixed and flowing back to your inbox instead of spam. You can test this by running the Test Deliverability (Emails from Salesforce or Email Relay Only) option in the control panel: type your email in, and a series of 16 emails will go out, which should arrive in your inbox instead of spam. If they don't immediately go to the inbox, just wait another 30 minutes. It will work.

Note to Salesforce: these links aren't helpful; you need to spell out what is happening.
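What is happening is that a receiving mail server reads the s= and d= tags from the DKIM-Signature header, queries selector._domainkey.domain for a TXT record, and follows your CNAME to the key Salesforce hosts. The following is an added example, not Salesforce's code or the original post's: it derives the registrar "Alias" values from the two lines above and walks that lookup over a constructed zone (the TXT value is a placeholder, not a real key).

```python
"""Added example (not Salesforce's code or the original post's): why two
CNAMEs act as a DKIM key, and how to derive the registrar 'Alias' field.
A verifier builds <s>._domainkey.<d> from the DKIM-Signature header, asks
DNS for a TXT record there, and follows the CNAME to the key Salesforce
hosts. FAKE_ZONE is a constructed stand-in for real DNS."""
import re

# The two lines Salesforce shows when the key is created (from the post).
SALESFORCE_CNAMES = [
    "specialkey1._domainkey.mydomainname.org IN CNAME specialkey1.rrge1q.custdkim.salesforce.com.",
    "specialkey2._domainkey.mydomainname.org IN CNAME specialkey2.9971sp.custdkim.salesforce.com.",
]

# Constructed DNS data; the TXT value is a placeholder, not a real key.
FAKE_ZONE = {
    "specialkey1._domainkey.mydomainname.org":
        ("CNAME", "specialkey1.rrge1q.custdkim.salesforce.com"),
    "specialkey1.rrge1q.custdkim.salesforce.com":
        ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"),
}


def registrar_entries(cname_lines, domain):
    """Turn 'host IN CNAME target.' lines into (alias, target) pairs, with the
    alias relative to the zone, which is what most registrar forms expect."""
    entries = []
    for line in cname_lines:
        m = re.match(r"^(\S+)\s+IN\s+CNAME\s+(\S+)$", line.strip())
        if not m:
            raise ValueError(f"not a CNAME record: {line}")
        host, target = m.groups()
        suffix = "." + domain
        if not host.endswith(suffix):
            raise ValueError(f"{host} is not under {domain}")
        entries.append((host[: -len(suffix)], target.rstrip(".")))
    return entries


def dkim_query_name(dkim_signature_value):
    """Build the DNS name a verifier looks up from a DKIM-Signature value."""
    tags = dict(t.strip().split("=", 1)
                for t in dkim_signature_value.split(";") if "=" in t)
    return f"{tags['s']}._domainkey.{tags['d']}"


def resolve_txt(name, zone, max_hops=5):
    """Follow CNAMEs in the zone until a TXT record turns up. Returns the
    chain of names visited and the TXT value, or None if no key is published
    (the case before the CNAMEs propagate, when DKIM verification fails)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "TXT":
            return chain, value
        if rtype != "CNAME":
            return chain, None
        name = value
        chain.append(name)
    return chain, None


if __name__ == "__main__":
    for alias, target in registrar_entries(SALESFORCE_CNAMES, "mydomainname.org"):
        print(f"Alias: {alias:24} -> {target}")
    # Constructed header value; bh= and b= are not real digests.
    header = "v=1; a=rsa-sha256; d=mydomainname.org; s=specialkey1; h=from:to; bh=CONSTRUCTED; b=CONSTRUCTED"
    chain, key = resolve_txt(dkim_query_name(header), FAKE_ZONE)
    print(" -> ".join(chain), "=>", key)
```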

SSH Server CBC Mode Ciphers - SSH Weak Algorithms

posted Jun 3, 2019, 8:32 AM by Andrew Chadick   [ updated Jun 3, 2019, 10:03 AM ]

You may have had a security scan of your web server report a weak algorithm in your SSH "Cipher Block Chaining" (CBC) mode ciphers (see Wikipedia for details), with findings such as:

  1. SSH Server CBC Mode Ciphers Enabled
  2. SSH Weak MAC Algorithms Enabled

The default /etc/ssh/sshd_config file may contain lines similar to the ones below:

  # default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
  # aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
  # aes256-cbc,arcfour
  # default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

To disable CBC mode ciphers and weak MAC algorithms, add the following lines to /etc/ssh/sshd_config (for example with nano /etc/ssh/sshd_config):

  Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
  MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Restart the SSH daemon after you have made these changes.
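To confirm the fix took, and to catch the same findings on other hosts, the sshd_config can be audited for the two scanner items above. This is an added example, not from the original post; the configuration text is a constructed sample, and note that it also reports the arcfour entries kept in the Ciphers line above, since RC4 has since been dropped from OpenSSH's defaults.

```python
"""Added example (not from the original post): audit an sshd_config for the
two scanner findings above, CBC-mode ciphers and weak MACs. The config
text is a constructed sample; run audit_sshd_config() on the contents of
/etc/ssh/sshd_config, or better on the output of `sshd -T`, which lists
the effective values including compiled-in defaults."""
import re

SAMPLE_CONFIG = """\
# constructed sample, not a real host's file
Port 22
# Ciphers aes128-cbc,3des-cbc   (commented out, so ignored)
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,hmac-sha1-96,umac-64@openssh.com
"""

# (pattern tested against the algorithm name, reason it is reported)
WEAK_CIPHER_RULES = [
    (r"-cbc$", "CBC mode (finding 1)"),
    (r"^arcfour", "RC4 stream cipher, no longer enabled by default in OpenSSH"),
]
WEAK_MAC_RULES = [
    (r"md5", "MD5-based MAC (finding 2)"),
    (r"-96$", "truncated 96-bit tag (finding 2)"),
]


def parse_algorithms(config_text):
    """Return the algorithm lists given by the Ciphers and MACs keywords.
    Comment lines are skipped; as in sshd, the first occurrence wins."""
    found = {"ciphers": None, "macs": None}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(ciphers|macs)\s+(\S+)$", line, re.IGNORECASE)
        if m and found[m.group(1).lower()] is None:
            found[m.group(1).lower()] = m.group(2).lower().split(",")
    return found


def audit_sshd_config(config_text):
    """Return (keyword, algorithm, reason) tuples for every weak entry. A
    keyword that is not set means the compiled-in defaults apply, which on
    the older releases this post targets include CBC ciphers and MD5 MACs."""
    algs = parse_algorithms(config_text)
    findings = []
    for keyword, rules in (("ciphers", WEAK_CIPHER_RULES), ("macs", WEAK_MAC_RULES)):
        if algs[keyword] is None:
            findings.append((keyword, "<default>", "keyword not set; defaults apply"))
            continue
        for alg in algs[keyword]:
            for pattern, reason in rules:
                if re.search(pattern, alg):
                    findings.append((keyword, alg, reason))
                    break
    return findings


if __name__ == "__main__":
    for keyword, alg, reason in audit_sshd_config(SAMPLE_CONFIG):
        print(f"{keyword:8} {alg:24} {reason}")
```

Run sshd -t to syntax-check the edited file before restarting the daemon, so a typo in the Ciphers line does not lock you out.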



Talking about Securing your PC and Cyber Security

posted May 15, 2019, 2:22 PM by Andrew Chadick

Talking about computer and cyber security, so you can be safe online and offline:

You go to your favorite electronics store, buy a PC, and take it home. You boot the new machine up, it asks you your name, a user-name, you create a password, and then the Operating System puts you on a desktop and you are off and running right?

No, you should stop right here. This is a bad setup. You do not want to run your computer as an administrator. Your first step is to go into the Control Panel and create a new user account, make it an administrator, set it up with a long and complex password, then log in to that new administrator profile. While in that login, change your first login (the one with your name) to a "user" profile type, removing its administrator-level permissions.

Why? You simply do not need administrator rights on your computer in order to use it day to day. When you have a machine setup with the primary login having an administrator level privilege, that is where the problems will start. You want to make sure that your daily use profile is something that doesn't have the ability to modify the basic operation of the computer. You reserve that functionality for the admin account. This is true for home and business users.

Reasoning: If an application is executed while you have 'user' configured as the security profile, the application just runs and you use the tool as intended. If, however, you try to install an application with 'user' as the security profile, you will be prompted to enter an administrator password, and the install won't happen without it. This is the behavior you should want, as it is the best way to have your system configured.

The best practice is a user profile for daily use and a separate administrator profile that you use only to install intended applications.

Don't use the administrator profile for any daily activities; it's just there to install or uninstall applications. You want your day to day profile to be one that doesn't have the privilege of installing a program. I can't emphasize this point enough.

The biggest reason? What if you accidentally go to a server online that tries to run a virus or malware against your machine? If you are running as admin, it can just install, without you doing anything further than accidentally running it. If, however, you are running as a user account and it tries to install, a prompt will appear, and at this point you will KNOW that something is trying to install, and you can click Cancel. You want this behavior from your computer. You want the machine to question every install. You do not want a program to just install without you being aware.

Again, this is true whether you have a network of employees or a single computer with just one person using it: a home machine, work machine, laptop, etc. The separate user and administrator setup is the ideal and the best practice. This form of configuration is known as "least privilege".

If you don't give an application permission to install, and you have made sure that everything within your power is up to date (software, drivers, firmware) and there are no known holes in your security, you have the best chance of keeping your machine secure.

Least privilege is your friend.

Passwords? That's not really a question; they are still needed. Not only needed, but they need to be both good and memorable, while at the same time being something that cannot be guessed or surmised by looking at breach data, and your past passwords - it's a balance.


You must have a complex (letters, numbers, symbols) and lengthy set of words that make up your 'password'. It should be at least 16 characters long, but ideally somewhere near 30.

-- You know, telling people this part has never been the highlight of any IT admin's day.

No user wants to hear about having a complex and very long password to remember, or yet alone typing it in every day, multiple times a day.

It's frankly a pain: you type it, you miss a key or mistype it, it comes back wrong, and you have to do it all over again. To compound matters, you have to have a DIFFERENT long, complex password for every computer, every profile, and every website. But it's necessary, not optional; you just have to do it. There is a technique known as a pass-phrase: using several words to make up a single password. It's a very good technique, but I will take that idea a step further: think of creating an email address, but using random words combined with numbers, with capitals and lowercase, to create the address.

Something like "General 4 Good @ Internet [dot] com". This password/phrase is pretty easy to remember, it's 25 characters, and it is complex. If you made passwords like this, a simple brute-force script would take a very long time to complete.
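How long "a very long time" is depends on how many words the pass-phrase is drawn from, so the scheme is worth putting numbers on. The following is an added example, not from the original post: it generates the email-address-shaped pass-phrase described above with a cryptographically secure random source and estimates its search space on the conservative assumption that the attacker knows the scheme, the word list, the number range and the separators; the word list is a constructed stand-in.

```python
"""Added example (not from the original post): generate the post's
'email address made of random words' style pass-phrase with a CSPRNG and
estimate its search space, assuming the attacker knows the scheme and the
word list. The word list here is a constructed stand-in; use a large
published one (thousands of words) in practice."""
import math
import secrets

# Constructed word list; the search space grows with its size.
WORDS = ["general", "good", "internet", "harbor", "maple", "quartz",
         "violet", "anchor", "beacon", "cobalt", "desert", "ember",
         "falcon", "garnet", "meadow", "orbit", "pepper", "ridge",
         "summit", "timber", "velvet", "willow", "yonder", "zephyr"]
SEPARATORS = ["@", ".", "_", "-"]
NUMBER_RANGE = 1000   # a 0-999 number goes between the first two words


def make_passphrase(words=WORDS, rng=secrets.SystemRandom()):
    """Shape: Word<number>Word@Word<sep>com, e.g. General4Good@Internet.com.
    secrets.SystemRandom is used rather than random, whose output is
    predictable and unsuitable for secrets."""
    w1, w2, w3 = (rng.choice(words).capitalize() for _ in range(3))
    number = rng.randrange(NUMBER_RANGE)
    sep = rng.choice(SEPARATORS)
    return f"{w1}{number}{w2}@{w3}{sep}com"


def search_space_bits(n_words=len(WORDS), n_numbers=NUMBER_RANGE,
                      n_seps=len(SEPARATORS)):
    """log2 of the number of distinct pass-phrases the scheme can produce
    when the word list, number range and separators are all known."""
    return math.log2(n_words ** 3 * n_numbers * n_seps)


def expected_crack_years(bits, guesses_per_second):
    """Average time to hit the pass-phrase at a given guess rate (half the
    space on average). Pick the rate for the threat you care about: a
    rate-limited login is far slower than guessing against a leaked hash."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(make_passphrase())
    for size in (len(WORDS), 7776):       # 7776 = size of a diceware list
        bits = search_space_bits(size)
        print(f"{size:5d} words: {bits:4.1f} bits, "
              f"{expected_crack_years(bits, 100):.1e} years at 100 guesses/s")
```

With the 24-word stand-in list the scheme yields under 26 bits, with a 7776-word list about 51 bits; the length of the result matters less than the size of the pool it was drawn from.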

Passwords protect your devices on the front end. And while using techniques like a pass-phrase are really good, you should take password security a step further with your devices, with your websites, with everything you do if it's an option... Enable "2 factor" or Multi Factor protection. You will still enter a user-name and password, but you will also enter a third piece of data, generally a piece of data that comes from your phone.

This kind of password protection is ideal under the current best practices.

The next thing for you to keep in mind, is making sure your devices are updated.

Patch all of them. Every time you see a notification that there is a patch, plan to apply it that night before you go to bed; tell the machine to update.

It doesn't have to take up your day, just get it done when you aren't using it actively.

This is true for your phones as well. Make sure to update them and patch the installed applications too. Remember that any tool you use that is classified as a computer has the ability to be hacked. You want to create a situation for yourself where you have the least opportunity to be attacked by someone that wants to do you harm. Remember that the people out there who hack others generally aren't doing it because they know you or care about you; they just want your data. Don't make it easy for them to get it.

This brings me to looking closely at what is installed on your machine, and what is receiving updates, or as the case may be, not receiving them. Take a look at what is installed on your machine. Do you need all the applications that are installed? Pay especial attention to Java and Flash Player. Do you need those? My suggestion is to remove them both and see if you can live without them. Both of them are historically the most exploited applications you can have installed on your machine. If you use the Chrome web browser, you don't need either of them; Chrome will give you a simulation of both services without having them installed. As for the rest of the applications, do you see any bloat-ware? Do you need it there? If not, remove it. Anything on your computer that isn't of use to you has the potential to become a future exploit, either because it has a security hole now or one will be discovered in the future, especially if it's an application that doesn't receive any (or many) updates. Remove what you don't use or need. It's just a good rule of thumb.

Zero Days and hacking: Your computer is a machine that has a few functions, and those include doing a few local tasks, but most likely its biggest role is to connect you to the Internet. Aside from anything else it does for you locally, like saving photos or doing a few Word docs or spreadsheets, most people tend to spend the bulk of their time online. Because it connects to the Internet, your devices are vulnerable while connected. You can minimize your vulnerability by updating your operating system, updating and patching your applications, and reducing the number of unused or unneeded applications on it. So what else can you do? You can protect it with tools that scan your drives, ports, and applications. Block unwanted connections through a software-configured firewall. That protection can also come from rudimentary protection programs like anti-virus and anti-malware. However, I would add something to that list of tools, something that goes a step beyond and scans not only your applications, what is downloaded and what runs actively in memory, but a program that also looks at your Internet traffic, does advanced heuristics on it, and watches where domains are pointed. Something that blocks domains with a negative history, or that are known for being parked, or that have an untrusted status. You want something that looks at the current configuration of your machine, watches for changes, and can revert them if there is a problem or an unexpected change.

Look to such additional protection systems that scan your DNS, look at packet filtration, and do active monitoring of network traffic. Although all of these functions do slow the operation of your machine down a little, the added protections to a machine you care whether or not it gets hacked are worth it. Make sure that whatever tools you implement have decent reporting, and a way to notify you of what it does, and what it is doing or has logged.

Next up: Zero Days. To define: zero days are simply an exploit or program that has been written and has not been used in such a way as to have been documented. It means that if it's used against your machine, your machine will likely succumb to whatever it is written to do. As mentioned elsewhere, 'least privilege' and other protections can help mitigate this, but you will still need to be watchful: be aware of what traffic is going in and out of your machine, review those reports, and look at your log files. If you don't know how to do so, look it up; Google, Bing, DuckDuckGo and others are your friends. And what if you go somewhere and think you have gone too far, that your machine has possibly been exposed and is running a virus? What do you do? RESTORE from BACKUP. Just do it. Don't take chances. Don't just reboot and hope it will go away.

What else can you do to protect your machine? What about protecting it while it's turned off? Did you know that your machine can be compromised while it's off? Actually, yes it can: someone with a little bit of expertise, some time, and your computer can make what's called an 'image of the drive'. In essence, they take an external hard drive, plug it into your computer, and boot from either a thumb drive or a CD/DVD into an operating system designed to copy your hard drive. The process quite literally copies every piece of data from your current drive to the portable drive they brought with them. This kit can be as compact as two thumb drives, or SIM-card-sized memory chips, depending on the type of storage being used. Taking an image means the hacker can take their time getting in, and work on it at their leisure.

When your machine is turned off and you come back to turn it on again, you will have no way of knowing whether your computer has been touched, as no log files will have changed. Your OS will not have run. Your drive and its data will simply have been copied.

So, what can you do in this 'imaged drive' scenario? You prepare for it in advance. You encrypt your hard drive. Disk encryption is something that has been around for quite a while; I would say going back to the early 1990s on the desktop, but getting traction before 2010. Many programs have been written to encrypt drives, or to create special containers that take up a portion of your hard drive space as an encrypted file. Using both of these methods together is the ideal way of protecting yourself and any data you hold as very important, as reversing two sets of encryption is a daunting task for any thief. This is true for your smart-phone as well. If disk encryption is available, use it, and create a strong password that protects it.

Lastly, the final thing you can do to protect your privacy and yourself on-line is to be as anonymous as you can possibly be while connected to the Internet.

You can do this in a number of ways, and it does take a little time, has varying levels of anonymity, it can take diligence to make sure it’s still protecting you, and includes just simply being careful and observant. One of the best and most easily used ways is to engage with a Virtual Private Network (VPN) service.

If you go this route, I recommend that you use a paid one; that way you have an expectation of getting what you pay for out of the service, and you get certain guarantees. You can use search engines like DuckDuckGo so your searches aren't tracked. You can make sure that you don't sign in to any websites while you surf the Internet. Remember to clear your cache, cookies, and temp files every time, or set your browser to automatically clear them for you.

VPN tunnels, to a point, protect your Internet connection's packets from being sniffed, a technique many hackers use to monitor network traffic and obtain your user-names and passwords as they are transmitted online. Some hackers can even do man-in-the-middle attacks, which are a way of intercepting your Internet traffic and running it through their computer so that they can get your data. This works even on SSL traffic to different websites, providing that you go directly to the site once connected. The VPN tunnel creates an encrypted pathway from your connection to outside the network you are in, and effectively places your computer into a network on the other side of the world, limiting your exposure to certain forms of hacking. It's definitely a means to protect your machine online when you are traveling, or on a network that you don't trust.

For those that are always on untrustworthy networks, you can even go a step further and boot from a thumb drive or DVD into an alternate OS, which automatically uses a VPN and destroys itself when you turn off your computer. This form of privacy protection is the ultimate way of protecting yourself online. Why would you go this far when a VPN tunnel to a service provider offers pretty good protection? Because a temporary operating system offers you the protection of nothing being stored on your hard drive. Nothing can be physically taken from you. You don't have to worry about imaging, or even browser exploits that steal stored passwords. Every time you boot, you have a fresh operating system. It's an option for those that want it.

As with all information and advice, you should take it in, research the topics given, and make your own informed decisions. Don't just take our word for it.

Storage Sense - Windows 10

posted Apr 23, 2019, 1:04 PM by Andrew Chadick

Love this! - This should be on by default -Storage Sense.

Pi

posted Mar 14, 2019, 12:08 PM by Andrew Chadick   [ updated Mar 14, 2019, 1:32 PM ]

A very close fraction for the value of Pi: 355/113


Other approximate fractions include 22/7, 333/106, 355/113, and 52163/16604.

Broken Install / Uninstall

posted Mar 8, 2019, 9:28 AM by Andrew Chadick

Having trouble uninstalling something? Try the Microsoft tool for it. This tool goes in, finds the problem with the installation, and removes it from the OS. It's very straightforward in its use.

Time Services

posted Feb 21, 2019, 9:28 AM by Andrew Chadick   [ updated Feb 21, 2019, 9:29 AM ]


  • net stop w32time
  • w32tm /unregister
  • w32tm /register
  • Net start w32time
  • w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 pool.ntp.org,0x8" /syncfromflags:MANUAL
  • w32tm /config /update
  • net stop w32time && net start w32time
  • w32tm /resync /rediscover

Sign up your non-Gmail email address to access Google Shared Resources

posted Jan 24, 2019, 1:49 PM by Andrew Chadick

This step-by-step walkthrough will show you exactly how to use your company email address (the marketing@yourcompany.com email we recommended you set up before or another domain of your choosing) to create a Google Account.

1. Open Google.com and click the blue Sign in button at the top right of your screen. If you are already signed in, log out first and then click the Sign in button.


2. Next click the Create account link below the sign in box for a new Google Account sign up form.


3. Fill in your First and Last Name in the appropriate fields.

4. Under the “Choose your username” box is a link that says “I prefer to use my current email address” which, when clicked, will allow you to use your alternate email address. Click that link.


5. Then you can enter your current (non-Gmail) email address in the box.


6. You can then continue filling out the rest of the form, which is pretty standard and doesn’t require any special steps:

  • Create and confirm a password
  • Enter your birthdate
  • Select your gender
  • Add your mobile phone number (for security)
  • Choose your geographic locations

Once you’ve filled out all the fields you can click the Next step button. You’ll then be asked to confirm that you agree with Google’s Privacy and Terms. Once you’ve done that you’ll just need to confirm your account by following the instructions sent to your email address that you gave.

And that’s it! You’ve officially set up a company Google account with your own domain name.



Credit:
https://www.steadydemand.com/how-to-setup-a-google-plus-account-with-you-company-domain-name/

Fonts - adding users for Active Directory

posted Jan 18, 2019, 12:49 PM by Andrew Chadick   [ updated Jun 5, 2019, 2:36 PM ]

Open CMD as administrator and run:

attrib -r -s %systemroot%\fonts

takeown /f "%systemroot%\fonts" /r /d n

After taking ownership, you can go into Explorer and add those that need to have access.
