You need to work from home; Just enable Microsoft Remote Desktop on your PC at the office, if you DARE.
When using computer systems on the internet there are inherent risks that the operator of the computer cannot see. Many operating systems such as Microsoft Windows have built-in firewalls and even a virus/malware scanner. With Microsoft bundling a security package, one might believe there is nothing really to worry about. Your biggest liability is in what you download or upload, either in the form of files or the web content itself. When you venture onto the internet and enter personal information such as social security numbers and credit card numbers, you could be hanging in the wind, ripe for evildoers to take you for all you have.
That sounds glum, doesn’t it? Well, as technical service providers, it is our job to look at glum and either eradicate it or mitigate it as much as possible. Our business model is built around desktop support. In order to do that, we have to be good at disaster prevention, remediation and restoration. We use technology such as antivirus scanners, malware scanners, ransomware prevention strategies, Unified Threat Management, and backup solutions. We can never guarantee complete internet safety. Unfortunately, small businesses cannot pay to protect themselves from unseen bad guys.
One of our clients, who could not buy a firewall and just has some old routers in place, called with a virus alert from Windows Defender. (He uses Windows Remote Desktop to access his PCs at the office. He was sure that Windows and his ISP would keep bad things from happening.) We were not terribly worried about the alert; he gets them from time to time, and usually they are false positives. We immediately used our remote technology to gain access to the office PC the alert came from, and got the details.
We have two virus scanners on the office PCs; one threw an alert and the other did not. We notified the company whose scanner did not throw the alert and sent them the PC logs. It turned out we had a real, bona fide virus. The virus was in a directory called bitcoin. Knowing our client the way we do, we were 90 percent sure he did not place bitcoin on his computer. There were a couple of other directories on there as well with recent dates.
Next stop was the security logs. We found a user logging on who is not among our users: a security account left behind from a Symantec antivirus trial, which Symantec did not remove when the uninstall was done. The logon times correspond to the times the directories we found were created. Next we checked the user manager on his servers and on the workstation that was compromised. The user name the attacker was using did not show up there. We found the Symantec remnant user via PowerShell, where we issued a net user command. We did this on the server as well, and the user did not show up there. Best we can tell from the logs, this user set himself up a ghost user account by using the Symantec account, then granted himself admin rights to at least the workstation. If you have Symantec endpoint virus protection, this user being in your system is typically not a red flag in and of itself, but if you’re not using an account, kill it. We traced the IP of the attacker’s location to the Russian Federation. We combined the user name with that IP and the login times of the file creations, and rested assured that this was a proven, bona fide security breach.
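The checks described above (list local accounts, compare them with the accounts you actually use, see which of them hold admin rights, and line up RDP logon times with directory creation times) can be scripted so they are repeatable on the next workstation. The following is an added example written for this page, not the firm's own tooling, and assumes an elevated PowerShell 5.1 or later session on the affected Windows workstation; `$ExpectedUsers` and `$WatchPath` are placeholders you replace with your own account list and the folder where the suspicious directories appeared.

```powershell
# Added example (not from the original post): a defender's local audit that
# reproduces the checks in the story on one Windows workstation.
# Assumptions: elevated PowerShell 5.1+; the two values below are placeholders.

$ExpectedUsers = @('Administrator', 'DefaultAccount', 'Guest', 'WDAGUtilityAccount', 'jsmith')  # placeholder: accounts you know
$WatchPath     = 'C:\Users\Public'   # placeholder: folder tree where the odd directories showed up
$LookbackDays  = 30

# 1. Local accounts not on the expected list. Get-LocalUser is the PowerShell
#    equivalent of "net user"; a leftover vendor or trial account lands here.
$unexpected = Get-LocalUser | Where-Object { $ExpectedUsers -notcontains $_.Name }
Write-Host "Unexpected local accounts:"
$unexpected | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

# 2. Which of those accounts hold local admin rights.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
foreach ($u in $unexpected) {
    if ($admins -contains "$env:COMPUTERNAME\$($u.Name)") {
        Write-Warning "Unexpected account '$($u.Name)' is a member of Administrators"
    }
}

# 3. Remote Desktop logons in the lookback window. Security event 4624 with
#    LogonType 10 is an interactive RDP session; the caller's address is in the XML.
$since = (Get-Date).AddDays(-$LookbackDays)
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; SourceIp = $d['IpAddress'] }
        }
    }
Write-Host "RDP logons since $since :"
$rdpLogons | Sort-Object Time | Format-Table -AutoSize

# 4. Correlate: directories created within 30 minutes after an RDP logon by an
#    account that is not on the expected list.
$newDirs = Get-ChildItem -Path $WatchPath -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since }
foreach ($logon in ($rdpLogons | Where-Object { $ExpectedUsers -notcontains $_.User })) {
    $hits = $newDirs | Where-Object {
        $_.CreationTime -ge $logon.Time -and $_.CreationTime -le $logon.Time.AddMinutes(30)
    }
    foreach ($dir in $hits) {
        Write-Warning ("{0} logged on over RDP from {1} at {2}; directory {3} created at {4}" -f
            $logon.User, $logon.SourceIp, $logon.Time, $dir.FullName, $dir.CreationTime)
    }
}
```

Run it on the workstation first, then on each server with the same `$ExpectedUsers` list; an account that appears on one machine and not the others, as in the story, is exactly what step 1 surfaces. The 30-minute window in step 4 is a constructed choice for the correlation; widen it if the Security log shows long sessions.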
How could this happen? A typical router’s firewall does not look for odd behavior. The router’s firewall is just a gate, and this router is no exception. It has a few ports open for business applications. One such port is 3389, the Remote Desktop (RDP) port. By opening 3389 to the entire world rather than to a single IP address, all traffic destined for his office that is tagged with 3389 as its destination is sent to the workstation at that address. The attacker then checks to see what services are turned on at the workstation. There are always a few, but one really easy service to compromise is RDP. So the attacker launches software that finds all the holes in the workstation that are available for him to make use of. Even with the Windows firewall locked down tight and the virus scanners working hard, there are ways to get around the workstation’s security. Microsoft can’t keep up with the people who love to exploit their services. Don’t worry, Mac and Linux are not foolproof either; we have dealt with them being exploited as well.
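Closing the 3389 forward on the router is the fix the post describes; the workstation itself can also be made to answer RDP only from the office LAN and the VPN pool, so a future router mistake does not re-expose it to the whole internet. The following is an added example for this page, not the firm's own procedure, and assumes an elevated PowerShell session on a Windows workstation with the built-in "Remote Desktop" firewall rule group (the English display name; it differs on localized Windows). `$AllowedSources` is a placeholder for your own subnets or a single admin address.

```powershell
# Added example (not from the original post): host-side scoping of Remote Desktop
# on a Windows workstation, as a complement to closing the 3389 forward on the router.
# Assumptions: elevated PowerShell; English "Remote Desktop" rule group; the
# subnets below are placeholders for your office LAN and VPN address pool.

$AllowedSources = @('192.168.10.0/24', '10.8.0.0/24')   # placeholder: office LAN and VPN pool

# Before: the built-in rules ship with RemoteAddress = Any, which is what lets a
# router port forward hand the service to the entire internet. Show the current scope.
Write-Host "Current Remote Desktop rule scope:"
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object @{ n = 'Rule'; e = { $_.InstanceID } }, RemoteAddress |
    Format-Table -AutoSize

# After: restrict every rule in the group to the allowed sources only.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedSources

# Require Network Level Authentication so a client must authenticate before a
# full desktop session is created (UserAuthentication = 1 under the RDP-Tcp key).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# Verify: warn if any rule in the group still accepts connections from anywhere.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    ForEach-Object {
        if ($_.RemoteAddress -contains 'Any') {
            Write-Warning "Rule $($_.InstanceID) still allows RemoteAddress = Any"
        } else {
            Write-Host "Rule $($_.InstanceID) scoped to: $($_.RemoteAddress -join ', ')"
        }
    }
```

Scoping the firewall rule is not a substitute for removing the port forward; it is the second gate behind it. If remote workers come in over the VPN described later in the post, the VPN address pool is the only outside range that belongs in `$AllowedSources`.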
If you have been in the position of this client, don’t feel badly. It is human nature to only throw money at technology you can see and use right now. It’s easy to think “I will get to this later”, but later never comes. Please know that, as assuredly as day turns to night, this will happen to you if you’re not prepared. This customer is not in a position right now to install a good security system.
He agreed to allow us to close the RDP hole on his router and set his remote workers up to use a free VPN package from the University of Japan. RDP over VPN works, but the video resolution bugs him: it maxes out at 1400×900 and his work PC has to be set to that. We wish he would buy our Unified Threat Management (UTM) solution. Using our UTM product he could work at home, or anywhere for that matter, using his laptop, with no remote desktop software, and it would be just like he was in his office. The adage “You get what you pay for” rings true. He pays nothing and is frustrated by the poor performance of his technology and the myriad of consultants he has hired and fired. He pays us to mess with his monitor all the time. He could buy the right security solution, or complain to us about our shortcomings while paying our hourly rate. We make more money listening to him complain and tweaking his display. Penny wise, pound foolish? You can decide that for yourself, but for now that’s his world.
Back to the virus
Once we had determined his office computer was the only thing compromised, it was time to back up the data, wipe the hard drive, reinstall the OS, then his apps, then the virus scanners, then the data. The time to do this cost him about $1,200. The free VPN software cost him $400 in time for us to install and optimize, and he has about $600 in display tweaks. His problem will continue to haunt him, and make us money. We would much rather he used the money that he threw our way to move his business forward rather than rearranging icons and screen sizes. We are looking for businesses that want to get the job done right the first time. In future ventures, we will not take on clients such as this. Our reputation only suffers, as we can’t deliver in such circumstances, but if we were not RDP experts before, we are now.
For about $2,500 for a company his size (less than 10 users) we could replace his router firewall with a WatchGuard Unified Threat Management system and add IPsec VPN to the WatchGuard and to every device that needs access to the office. This allows remote workers to do all their work on their laptops securely from anywhere in the world, just as though they were in the office.
There are times where cutting corners may make business more affordable. Security and remote workers are two areas you can’t go cheap and expect to survive. Let us help you fix the problem areas in your technology that are preventing you from growing your business.
Contact Athena Pantekoek 503-798-0422