Microsoft Safety Scanner – Remove Spyware, Malware, Viruses Free

I had some funky display show up when I went to finance.yahoo.com so I ran an antispyware check using http://www.superantispyware.com/index.html. Since this program takes a long time I ran the Microsoft Safety Scanner, too. Microsoft did not find anything and SUPERAntiSpyware found a false positive on a file included in QuickBooks SDK 10, tiny.exe.

Do you think your PC has a virus?

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.


Disabling Weak Ciphers

This week I disabled weak ciphers on our production web server. This finding was escalated again this last week. It is raised when your server allows clients to negotiate SSL version 2. Less than six months ago it was identified and classified as a low risk. SSLv2 is obsolete and is turned off or not available in newer browsers; current browsers negotiate TLS 1.0 or SSL 3.0 by default, and my best guess is that no customer is using SSLv2. A quick survey showed that most of the major e-commerce sites do not allow SSLv2. Despite the survey my boss was reluctant to turn SSLv2 off. That was settled when the PCI folks mandated that SSLv2 not be allowed. This may sound cruel, but if a customer is using a really old browser that only supports SSLv2, they must update to a newer browser if they want to buy things on the Internet. That's just the way it is.

Here is a good resource describing the problem and how to harden a variety of web servers, "WebApp Sec: RE: SSL Ciphers". Since I was primarily interested in IIS I used "How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll" and created a registry file to apply the changes. Here is the registry file I used. Setting Enabled to 0 under a cipher or protocol key turns that item off (the keys listed without values just create the parent keys), and Schannel reads these settings at startup, so the change takes effect after a reboot. It works with all of the browsers I test with, and both Foundstone SSL Digger and our PCI scan folks like the results.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

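To check a file like this before importing it, the following added example (not from the original post) parses a REGEDIT4 file and reports which Schannel ciphers and protocols it explicitly disables, and which of the weak ones it leaves at their default. The sample registry text embedded in it is a constructed excerpt of the file above plus one TLS 1.0\Server entry set to 0xffffffff to show the "enabled" value; the REQUIRED_OFF list is this post's own set of weak settings, not a published PCI list.

```python
"""Audit a Schannel hardening .reg file: which protocols and ciphers does it turn off?"""
import re
from typing import Dict, List

SCHANNEL = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
            r"\SecurityProviders\SCHANNEL")

# Constructed sample: an excerpt of the registry file in the post, plus one extra
# key (TLS 1.0\Server = 0xffffffff) added here to show the 'enabled' value.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"""

# The settings this post's hardening pass is meant to switch off (not a PCI list).
REQUIRED_OFF = [
    r"Protocols\SSL 2.0\Server", r"Protocols\PCT 1.0\Server",
    r"Ciphers\NULL", r"Ciphers\DES 56/56",
    r"Ciphers\RC2 40/128", r"Ciphers\RC2 56/128", r"Ciphers\RC2 128/128",
    r"Ciphers\RC4 40/128", r"Ciphers\RC4 56/128",
]

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: int}} for the DWORD values in a REGEDIT4 file.
    Keys listed without values still appear, with an empty dict."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def schannel_state(keys: Dict[str, Dict[str, int]]) -> Dict[str, str]:
    """Map each SCHANNEL Ciphers\\X or Protocols\\X\\Side key that sets 'Enabled'
    to 'disabled' (0) or 'enabled' (0xffffffff, the value the KB article uses).
    A key that is absent leaves Schannel's built-in default, which is on."""
    prefix = SCHANNEL + "\\"
    state: Dict[str, str] = {}
    for path, values in keys.items():
        if not path.startswith(prefix) or "Enabled" not in values:
            continue
        v = values["Enabled"]
        if v == 0:
            state[path[len(prefix):]] = "disabled"
        elif v == 0xFFFFFFFF:
            state[path[len(prefix):]] = "enabled"
        else:
            state[path[len(prefix):]] = f"unknown(0x{v:08x})"
    return state


def still_on(state: Dict[str, str], required_off: List[str]) -> List[str]:
    """Entries from required_off that the file does not explicitly disable."""
    return [k for k in required_off if state.get(k) != "disabled"]


if __name__ == "__main__":
    st = schannel_state(parse_reg(SAMPLE_REG))
    for key, value in sorted(st.items()):
        print(f"{value:8} {key}")
    print("not disabled by this file:", still_on(st, REQUIRED_OFF))
```

Run it as a script, or pass the text of your own exported .reg file to parse_reg. The check is deliberately about what the file says rather than what the server does: a cipher that is merely missing from the file falls back to Schannel's default and is reported as still on, which is the gap a scanner like SSL Digger will find.
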
Quick Picks and Pans on my del.icio.us favorites for last week

  1. The Histogram Generator for SQL Server looks interesting but I think I will work on making pivot tables easier to use first.
  2. I tried JkDefrag last week. I like the look and feel of the Auslogics defrag tool. JkDefragGUI makes JkDefrag a little easier to use and adds a few features. Both tools are nice upgrades to the standard defrag tool.
  3. VirusTotal is a nice way to generate hashes for downloadable files.
  4. I need to check Ratproxy out. Ultimately I would like to compare this to WebScarab. I need to read this Google document again and play with it to figure out why Google re-invented the wheel.
  5. Microsoft's contribution to the fight against SQL Injection would have been more appreciated if it worked for me. It did not generate a report for me. The program was more than willing to tell me that I did not have it configured properly. When I finally had it configured properly, the result is no report?!
  6. PCI 6.6 is a mess. I am skeptical that the firewall option will ever be a cost effective solution for retail web servers. My first run at automated code analysis was inconclusive. I believe that low cost automated and manual code analysis are probably the best cost to benefit options.

wehuberconsultingllc’s favorites on del.icio.us

Picks and Pans for pfSense packages

Recently I installed the pfSense firewall and now I have started to check out some of the packages that make pfSense such an interesting firewall platform. Without going into too much detail, here are my impressions of several packages.

  • NMAP – It kind of worked for me when I accessed it via the web server. It locked up the pfSense web server a couple of times. It worked fine for me via the command line and the Command page.
  • NTOP – I had not heard of this package before but I was impressed. It had lots of information about my network. Some of the information was actually useful. I am keeping tabs on my son’s Internet usage. With all of this info I kept expecting the computer utilization of pfSense to go through the roof. It did not. Whew!
  • SNORT - I did not get this package to work. It installs but the service does not start and it had problems downloading rules. I am guessing the rules issue might be related to the fact that the package was version 2.7 and the current rules are 2.8. I saw in a forum where several people were having problems running the package on pfSense. I manually uploaded a rule to see if I could start the package. It still did not start. Since I did not see any log messages, I decided it was not worth proceeding. It is hard to debug problems when you have logging turned off.
  • EXEC.php - This goes under the name of Command. It gives you the equivalent of a command prompt and it is for those of us who do not want to crank up SSH for every little thing. It is not a “package” and its disclaimer says it is not supported. However, it worked better for me than the supported packages. Go figure! I used it to verify that NMAP was working. It was a helpful tool to work with SNORT, too.
  • Internet Explorer - You need a SVG viewer plugin to view the traffic graph. I used Adobe’s version. The drop down navigation menu is quirky with IE. It opens and closes before you select an item. In IE the navigation menu is blocked by the traffic graph. I might try and fix this.

More Thoughts on numbers used once (i.e. nonces)

Although I still believe what I wrote earlier, that the use of wp_nonce in the last steps of the WordPress Automatic Upgrade plugin is an unnecessary precaution, I am puzzled why it did not work. According to Mark's post on nonces, it sounds like in theory this "number used once" should still be valid if you are forced to log in again. Here is what he wrote.

They are unique to the WordPress install, to the WordPress user, to the action, to the object of the action, and to the time of the action (24 hour window). That means that if any of these things changes, the nonce is invalid.

I guess that if we work through the logic, the only thing I can see that has changed is that the user has logged in again. I must conclude that it is identifying the user by something other than the username. Hmm… This is a puzzle.
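As an added illustration of the properties Mark lists (this is a Python model written for this page, not WordPress's own code), the following builds a nonce as a keyed hash over the time tick, the action and the user id, and verifies it over a two-tick window. The secret key, the use of HMAC-MD5 and the ten-character truncation are assumptions of the model; the object of the action is folded into the action string. Nothing about the login session is an input, which is why, in this model, a fresh login by the same user inside the window leaves the nonce valid.

```python
"""Model of a WordPress-style nonce: keyed hash over (time tick, action, user id).
Illustrates the properties quoted above; not WordPress's own code."""
import hashlib
import hmac
import math

# Assumptions of the model (not taken from the post): a per-install secret and a
# 24-hour lifetime that is split into two 12-hour ticks.
SITE_SECRET = b"constructed-per-install-secret"
NONCE_LIFE = 24 * 60 * 60


def nonce_tick(now: float) -> int:
    """Current 12-hour tick. A nonce from the previous tick is also accepted,
    which is how a fixed tick boundary still gives a 24-hour window."""
    return math.ceil(now / (NONCE_LIFE / 2))


def make_nonce(action: str, uid: int, now: float, tick_offset: int = 0) -> str:
    """Ten hex characters bound to install (secret), user (uid), action and time.
    The action string carries the object too, e.g. 'delete-post-123'."""
    tick = nonce_tick(now) + tick_offset
    msg = f"{tick}{action}{uid}".encode()
    digest = hmac.new(SITE_SECRET, msg, hashlib.md5).hexdigest()
    return digest[-12:-2]


def verify_nonce(nonce: str, action: str, uid: int, now: float) -> int:
    """1 = created in the current tick, 2 = created in the previous tick, 0 = invalid."""
    if hmac.compare_digest(nonce, make_nonce(action, uid, now)):
        return 1
    if hmac.compare_digest(nonce, make_nonce(action, uid, now, tick_offset=-1)):
        return 2
    return 0


if __name__ == "__main__":
    issued_at = 1_000_000_000.0          # constructed timestamp
    n = make_nonce("upgrade", 7, issued_at)
    print("nonce:", n)
    print("same user, an hour later (e.g. after logging in again):",
          verify_nonce(n, "upgrade", 7, issued_at + 3600))
    print("same user, 13 hours later:", verify_nonce(n, "upgrade", 7, issued_at + 13 * 3600))
    print("same user, 25 hours later:", verify_nonce(n, "upgrade", 7, issued_at + 25 * 3600))
    print("different user:", verify_nonce(n, "upgrade", 8, issued_at))
    print("different action:", verify_nonce(n, "delete-post-123", 7, issued_at))
```

Because only the user id, the action and the tick go into the hash, anything that changes one of those (a different account, a different post, or crossing the second tick boundary) produces a different value, and nothing else does.
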

WordPress 2.5 Secret_Key Vulnerability

Wow, I did not know about this security feature in 2.5.  I did not have the ‘SECRET_KEY’ defined since my WordPress sites were upgrades. Since I prefer to follow the Secure WordPress recommendations and missed that section in the paper, I added a random key to all of my sites. The key does not cause any ill effects. Read the original post, WordPress 2.5 Secret_Key Vulnerability, for more details.

ISS X-Force Database: icmp-timestamp(322): ICMP timestamp requests

A PCI audit point I saw recently recommended that servers not respond to ICMP timestamp requests. For externally hosted web servers this probably means asking your hosting provider to add a router rule that blocks ICMP type 13 (timestamp request) and type 14 (timestamp reply), code 0. I haven't tried this, but such a rule leaves normal maintenance traffic such as ping (echo request and reply, types 8 and 0) alone while preventing the server's clock from being read through timestamp requests.

Description:

The target computer responded to an ICMP timestamp request. By accurately determining the target’s clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.

Platforms Affected:

  • Apple, Mac OS
  • Cisco, IOS
  • Data General, DG/UX
  • HP, HP-UX
  • HP, Tru64 UNIX
  • IBM, AIX
  • IBM, OS/2
  • Linux, Linux
  • Microsoft, Windows 98 Second Edition
  • Microsoft, Windows 2000
  • Microsoft, Windows 2003
  • Microsoft, Windows 95
  • Microsoft, Windows 98
  • Microsoft, Windows Me
  • Microsoft, Windows NT
  • Microsoft, Windows XP
  • Novell, Novell NetWare
  • SCO, SCO Unix
  • SGI, IRIX
  • Sun, Solaris
  • Wind River, BSD

Remedy:

Configure your firewall or filtering router to block outgoing ICMP packets. Block ICMP packets of type 13 or 14 and/or code 0.

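The exchange the X-Force entry describes and the filter rule from the remedy, as an added example that is not part of the original post: it builds an ICMP timestamp request, the reply a responding host would send, decodes what that reply gives away (the target's clock, in milliseconds since midnight UT) and applies the drop-13/14 rule while letting echo request and reply through. All packet values are constructed; nothing is sent on the wire.

```python
"""ICMP timestamp request/reply (RFC 792 types 13 and 14): the exchange a scanner
performs, what the reply discloses, and the filter rule from the remedy above."""
import struct
from datetime import datetime, timezone

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
# type, code, checksum, identifier, sequence, originate, receive, transmit
_HDR = "!BBHHHIII"
_HDR_LEN = struct.calcsize(_HDR)  # 20 bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ms_since_midnight_utc(dt: datetime) -> int:
    """ICMP timestamps are milliseconds since midnight UT."""
    delta = dt - dt.replace(hour=0, minute=0, second=0, microsecond=0)
    return delta.seconds * 1000 + delta.microseconds // 1000


def _message(icmp_type: int, ident: int, seq: int, orig: int, recv: int, xmit: int) -> bytes:
    unsummed = struct.pack(_HDR, icmp_type, 0, 0, ident, seq, orig, recv, xmit)
    return struct.pack(_HDR, icmp_type, 0, icmp_checksum(unsummed), ident, seq, orig, recv, xmit)


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Scanner side: receive and transmit are zero in a request."""
    return _message(ICMP_TIMESTAMP_REQUEST, ident, seq, originate_ms, 0, 0)


def build_timestamp_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """Target side: echo id, seq and originate, fill in its own clock."""
    _, _, _, ident, seq, orig, _, _ = struct.unpack(_HDR, request[:_HDR_LEN])
    return _message(ICMP_TIMESTAMP_REPLY, ident, seq, orig, receive_ms, transmit_ms)


def parse_timestamp_reply(pkt: bytes) -> dict:
    """Validate a reply and decode it; receive/transmit are the target's clock."""
    if len(pkt) < _HDR_LEN:
        raise ValueError("short ICMP message")
    if icmp_checksum(pkt[:_HDR_LEN]) != 0:
        raise ValueError("bad ICMP checksum")
    t, code, _, ident, seq, orig, recv, xmit = struct.unpack(_HDR, pkt[:_HDR_LEN])
    if t != ICMP_TIMESTAMP_REPLY or code != 0:
        raise ValueError(f"not a timestamp reply: type {t} code {code}")
    return {"id": ident, "seq": seq, "originate_ms": orig,
            "receive_ms": recv, "transmit_ms": xmit}


def reply_is_valid(pkt: bytes) -> bool:
    try:
        parse_timestamp_reply(pkt)
        return True
    except ValueError:
        return False


def filter_verdict(icmp_type: int, icmp_code: int) -> str:
    """The remedy's rule: drop timestamp request/reply (types 13 and 14, code 0);
    everything else, echo request/reply included, passes."""
    if icmp_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) and icmp_code == 0:
        return "drop"
    return "allow"


def demo_exchange() -> dict:
    """Constructed exchange: scanner clock 12:34:56.789 UTC, target clock 01:02:03.004 UTC."""
    scanner_now = datetime(2008, 3, 26, 12, 34, 56, 789000, tzinfo=timezone.utc)
    target_now = datetime(2008, 3, 26, 1, 2, 3, 4000, tzinfo=timezone.utc)
    req = build_timestamp_request(0x1234, 1, ms_since_midnight_utc(scanner_now))
    target_ms = ms_since_midnight_utc(target_now)
    rep = build_timestamp_reply(req, target_ms, target_ms + 1)
    info = parse_timestamp_reply(rep)
    info["offset_ms"] = info["receive_ms"] - info["originate_ms"]
    info["request_verdict"] = filter_verdict(req[0], req[1])
    return info


if __name__ == "__main__":
    info = demo_exchange()
    print("target clock (ms since midnight UT):", info["transmit_ms"])
    print("offset from scanner clock (ms):", info["offset_ms"])
    print("timestamp request at the filter:", info["request_verdict"])
    print("ping at the filter:", filter_verdict(ICMP_ECHO_REQUEST, 0))
```

The receive and transmit fields are what the X-Force description means by "the target's clock state": with its own originate stamp the scanner gets the offset between the two clocks to the millisecond. The filter function encodes the remedy's rule as a decision on type and code only, so it can be read straight across to a router access list.
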

BlogSecurity » Blog Archive » WPIDS v0.1.2 officially released

Recently while upgrading my WordPress blogs I installed WPIDS 0.1.2. WPIDS is an Intrusion Protection System, which is based upon the Intrusion Detection System PHPIDS. It is a nice plugin for those curious about WordPress security. In theory this should improve the security of my blogs.

For the last couple of days I have been monitoring its log. So far I have not found any false positives. It looks like it is blocking some comment spam. Most of my comment spam is caught by Akismet.

I am kind of fascinated with this plugin.  If the developers are looking for ideas, it would be nice if:

  1. It would tell me if there is a new filter available. I am not sure how often the filter is updated, but with a little modification the plugin could update the file directly. WordPress would like updated plugins to be posted on their web site; an updated revision number for the plugin would then appear in the plugin panel. In a perfect world the user could then update the plugin automatically.
  2. The search stats button overlaid the standard report onto the admin page for the plugin. It is not very useful in this format.
  3. It would be nice if the report said why the bad request was blocked. I have several blocked requests showing something called “__utmz” in the tag field.
  4. It would be nice to download the report as a csv file.
  5. It would be nice to have a summary report by type of blocked request.

Automated WordPress Hacking Tool Cached by Google

I just finished checking my WordPress sites with both a dork and an FTP session. Google says that there are 29,000 infected sites. I guess that I was left out of the party since my WordPress sites are at the most recent stable release.

Cyberinsecure recently posted details of an automated WordPress hacking tool that is doing the rounds. This malicious worm or program appears to create the directory, "wp-content/1/" as well as spam comments:

The blogs are most likely attacked by some kind of automated tool, since the amount of spam is too large to have created all those spam pages manually. It seems there are spam comments in posts as well. The spam comments point to internal infected blog pages in folder "1" to get them spidered and to get people to visit them.

Smackdown also has a nice blog entry about this issue.

Automated WordPress Hacking Tool Cached by Google
DK
Wed, 26 Mar 2008 23:52:40 GMT

Getting a L2TP VPN connection to work through the Comodo firewall

I have been using the Comodo™ Firewall for over a year now. My experience with it leads me to believe that it is more secure than others on the market. I really liked its flexibility and monitoring capability. When the beta for version 3 came out I enthusiastically installed it. I was surprised and disappointed that I was no longer able to use my VPN network connections. So I went back to version 2.4. Since I switched back to the old version I struggled to get back to the configuration that worked before I undertook the leap of faith with the beta. The PPTP VPN connection worked but the L2TP VPN connection did not work for me locally.

Let me digress for a bit and describe my local network and the VPN connections I have set up. When I am out of the office and accessing my server via the Internet, I use a VPN connection that uses the DNS name in its configuration. The DNS name points to the static IP address of my hardware firewall. The hardware firewall forwards the VPN traffic to my SBS server where the software firewall, ISA, completes the VPN connection. When I am at my office my laptop connects to the same network that connects the SBS server to the firewall, and the VPN connection I use to access the server remotely does not work. To get around this minor problem I use a different VPN connection with the local IP address of the server in the configuration. This connection goes directly to the server and does not go through the firewall. Yesterday I figured out why the L2TP connection was not working.

The ports they say you need to open up on your hardware firewall to allow L2TP access from the Internet are 500, 1701, and 4500. When I look at the ISA log I can see the laptop using ports 500 and 1701. When I looked at the Comodo activity log I found that it blocked an outbound access to protocol 50. This sounded vaguely familiar. It was hard to find but Microsoft talks about protocols 50 and 51 in this article, Interoperation with Other Services. Why was Comodo blocking outbound access? I was befuddled but I decided to go ahead and add an IP IN/OUT allow rule for protocol 50 to my local server IP. My L2TP VPN is now working. It is interesting that you will not find protocol 50 showing up in the ISA log but according to the Comodo log it is talking to the server with this protocol.

Installing Live Writer behind a ISA firewall

I like Live Writer a lot but it is very hard to install when you are behind Microsoft’s ISA firewall. I spent a couple of hours trying to figure out what ports I needed to open in the firewall so that the Live Writer install program would install. All of my attempts ended with the “Try Later” message. I finally gave up and added the computer temporarily to my Linux firewall rule to complete the install.

Then I set about writing this post. When I opened the post properties to add some keywords, the keywords field was not there. Hmm.. The Live Writer version on my laptop has the keywords field, so I was befuddled. After a little searching I found this post, Add Tags To WordPress 2.3 Posts From Windows Live Writer 2008. I am running the latest version of WordPress so I was not surprised to see that I already had the code changes. I was missing the wlwmanifest.xml file. After downloading the zip file, uploading it to the "wp-includes" directory, and then updating my weblog style, I was back in business.

When Microsoft’s recommendations do not fix your userdata persistence error(0x800A0046)

About once a month I go to the Windows Update and let it check my computer. If Windows Update is working properly, the Windows Update cupboard will be bare. Sometime in December Windows Update stopped working for me and it started giving me a userdata persistence error. The help system said that all of my problems would disappear if I would just enable userdata persistence in my browser. So what do you do when your browser already has userdata persistence enabled? While I pondered that problem I ran Microsoft Baseline Security Analyzer to get my updates.

Today I found my solution. While I was investigating another problem, I found KB943144 – Updates are not installed successfully from Windows Update…. In this article it tells you how to manually re-install Windows Update. This was just what the doctor ordered!

Report to California Sec. of State Details Security Flaws in eVoting Systems (July 27, 28, & 30 2007)

A review of electronic voting systems commissioned by California Secretary of State Debra Bowen has been released, and the results are “not encouraging…….

Report to California Sec. of State Details Security Flaws in eVoting Systems (July 27, 28, & 30 2007)

This link will take you to the article on SANS site. If you want to read the actual report, click on the link below.

http://www.sos.ca.gov/elections/elections_vsr.htm

MSKDetct.exe – Application Error – Software – Virus/Spyware – Dell Community Forum

Please follow the instructions below to run the SpamKiller removal tool. This will completely remove SpamKiller from your computer.
Download and save the MSKCleanupTool.exe to your desktop.
Locate MSKCleanupTool.exe on your desktop and double-click to launch.
To download MSKCleanupTool.exe, type the link in your URL address bar:
http://download.mcafee.com/products/licensed/cust_support_patches/MSKCleanupTool.exe


The Comodo firewall reminded me that the standard uninstall of McAfee does not completely remove everything. MSKDetct tried to call home. I dread uninstalling virus checking programs because sometimes they don’t work. You can create a real mess with a “bad” uninstall. I downloaded the cleanup program to remove the leftovers. The log file confirmed that most of the product was already gone. There were only a few leftover programs. So far so good!

HIPAA audit: The 42 questions HHS might ask

A document obtained by Computerworld from a reliable source indicates that Piedmont was presented with a list of 42 items that HHS officials wanted information on within 10 days. Specifically, Piedmont was asked to provide policies and procedures for:

  1. Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
  2. Emergency access to electronic information systems.
  3. Inactive computer sessions (periods of inactivity).
  4. Recording and examining activity in information systems that contain or use ePHI.
  5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
  6. Employee violations (sanctions).
  7. Electronically transmitting ePHI.
  8. Preventing, detecting, containing and correcting security violations (incident reports).
  9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
  10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
  11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
  12. Physical access to electronic information systems and the facility in which they are housed.
  13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?).
  14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
  15. Internet usage.
  16. Wireless security (transmission and usage).
  17. Firewalls, routers and switches.
  18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
  19. Terminating an electronic session and encrypting and decrypting ePHI.
  20. Transmitting ePHI.
  21. Password and server configurations.
  22. Anti-virus software.
  23. Network remote access.
  24. Computer patch management.

HHS also had a slew of other requests:

  1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
  2. Please provide a list of terminated employees.
  3. Please provide a list of all new hires.
  4. Please provide a list of encryption mechanisms used for ePHI.
  5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
  6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
  7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
  8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
  9. Please provide entity wide security program plans (e.g System Security Plan).
  10. Please provide a list of all users with access to ePHI data. Please identify each user’s access rights and privileges.
  11. Please provide a list of systems administrators, backup operators and users.
  12. Please include a list of antivirus servers, installed, including their versions.
  13. Please provide a list of software used to manage and control access to the Internet.
  14. Please provide the antivirus software used for desktop and other devices, including their versions.
  15. Please provide a list of users with remote access capabilities.
  16. Please provide a list of database security requirements and settings.
  17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
  18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.

Source: HIPAA audit: The 42 questions HHS might ask

Jeff of the HIPAA Blog talks more about the questions here and that the questions are pertinent to all firms with information security requirements.

Installing the Messaging Security Agent from the Security Dashboard

This week I upgraded the Trend Micro SMB installation on my "dog food" server to version 3.6. It kind of worked. The virus checking stuff upgraded nicely but the Messaging Security portion did not. I got this message, "Error 1923. Service Trend Micro Messaging Security Agent Remote Configuration Server (ScanMail_RemoteConfig) could not be installed".

I researched the problem and it said I should check my privileges. After researching what privileges it was complaining about, I figured out that the privileges for the Administrator userid were just fine. So I rebooted and tried to install the Messaging Security portion again. I was unsuccessful but this time it told me to install it from the Security Dashboard. I don't remember seeing that message before but I was game. After a little research I found these instructions on how to do this.

Installing the Messaging Security Agent from the Security Dashboard

These instructions were a little too short for me since the installation process asked me a few more questions than were included in the instructions. The installation process asked me which directory to install Messaging Security in and the “shared” directory. I was not sure what they wanted for the shared directory since this field was prefilled with C$. C$ looks like a “share” to me and I was clueless about a shared directory. If Trend Micro has a shared directory they want me to use, they hid it well. Since I was installing these files on my “H” drive, I assumed they wanted the “share” for the drive, H$. Anyway that is what I gave it. When I pressed the enter key, a screen showing the installation status popped up. The status screen updated several times over the next ten minutes before it finally completed. Now when I check the “Live Status” and “Security Settings” screens they show me that the Anti-spam is working. Since Microsoft’s Intelligent Messaging Filter catches most of the spam for my “dog food” server I got through this unscathed.

Free Firewall Software – Comodo™ Firewall

Comodo Free Firewall, Version 2.4

It’s Free. Forever. No Catch. No Kidding

Comodo Firewall Pro

The Award-Winning Comodo Firewall Pro
  • PC Magazine Online’s Editor’s Choice
  • Secures against internal and external attacks
  • Blocks internet access to malicious Trojan programs
  • Safeguards your Personal data against theft
  • Delivers total end-point security for Personal Computers and Networks

Install now for out-of-the-box protection against identity theft hackers, Trojans, scripts and other unknown threats


Yesterday I decided to upgrade my Trend Micro SMB software to version 3.6. While I was at it I decided to give their firewall another tryout. I was using Microsoft’s firewall so there must be something better. Within a few minutes I remembered why I was not using Trend’s firewall. Microsoft’s firewall is much easier to configure. If you have a bunch of exceptions to the rule, Trend Micro’s firewall is best forgotten.

Since I knew that there had to be a better firewall out there, I started looking around. ZoneAlarm is the traditional favorite. Comodo has a nice firewall that received some nice reviews recently and it is free, so I decided to give it a try. Since the online threats have morphed over the years I wanted a firewall that was easy and flexible to configure, had some built-in monitoring, and incorporated some application level filtering. The old port blocking firewalls are not very adept at catching the new online threats, which take advantage of ports that are normally open (e.g. HTTP on port 80). It takes some application level filtering to catch the new threats. Comodo's application level functionality reminded me of Microsoft's ISA firewall. Microsoft's ISA is a more robust product but Comodo's application filtering looks pretty good.

Downloading and installing the program was easy. Configuring the program took me a lot longer since my laptop has an Apache web server, an FTP server, a MySQL server, a Subversion server, and a VMware server on it and I wanted to restrict the access to these servers. The firewall will prompt you to add rules for specific programs. You can use the rules that the firewall creates but they were too general for me. So I changed them to be more specific. I restricted the ports and destinations available in each rule. My servers are for testing and development so there is no need to expose them to the world. Along the way I found out that I have a lot of chatty programs I have been ignoring, and Google Desktop is the biggest culprit. It is amazing how many programs have to call home.

So far I have been impressed with the firewall. It's got great flexibility and monitoring capability. This is a nice addition to a layered approach to security.

Need to archive?

From Susan Bradley’s blog(aka SBS Diva) comes…

I have rec’d an email from one of my clients saying that he needs to recover email from 2005 in regards to a lawsuit. There is barely a backup plan in place. It holds backups of everything for a few days only, written only to an external hard drive. I don’t think our users have any idea what pst files are. Is there anything inherent to SBS2003 that would help? Is there any products you recommend for the future?

There was never any requirement for archiving purposes in the past so no company policy was forwarded to me. So I don’t think there is anyway that I am liable.

First off you are not. Secondly, you are only required to make your best efforts to recover that email. In a typical SBS network here are the forensic places that email will land.

First off, when email comes into the server (assuming you've set it up so that the SBS holds the email and grabs it), it is dumped into the Exchange store. When your end users read their email and hit the delete key in their personal mailboxes, it doesn't really "delete" the email but rather merely moves it to the deleted email folder. Unless you set a rule to delete that email, chances are that email from 2005 might still be there. If someone has deleted the email, then it sits on the server in the mail store for 30 days before it truly and utterly gets deleted.

If your clients use the default SBS mailbox setup, they don't have pst's but rather ost's that the SBS box sets up automagically as part of its Cached mode setup. Outlook has a rule set up (I've forgotten when it kicks in) of prompting you every now and then "do you want to archive your email". Once again, it won't truly delete the email, but will move it to an archive folder.

You might find it easier to get onto their ‘exact’ profile to see the Outlook folder structures they have on the local system as well as the files on the server.

But last but not least, you are only required to make a reasonable effort to recover this. If your policy is to NOT store emails, then you can't be liable if you can't find them. Where you get into issues (as in Enron/Arthur Andersen) is when you have a policy regarding email (or any correspondence for that matter) and don't follow it. If you say you are going to delete after 30 days and don't, or retain all email regarding X client and don't, that's when it's an issue.

Remember that the new Federal Rules of Evidence kick in when you get a lawsuit in Federal Court. At THAT time you need to ensure that all electronic documentation is maintained.

But have a long-term need to archive? Check out Message Journaling (native), and check out GFI (third party) http://www.gfi.com/mailarchiver/

Computers do add some nuances to rules of evidence and you can see in these articles – http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1253827,00.html and http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm

Link to Susan Bradley’s “Need to archive” article

Don’t Panic, But New Discovery Of Electronically Stored Information In Litigation Rules Now Apply :: WRAL.com

Link to Don’t Panic, But New Discovery Of Electronically Stored Information In Litigation Rules Now Apply :: WRAL.com

Today I read a post over on Susan Bradley's blog about the need to archive and I remembered this article. This article is a couple of months old and was written by lawyers practicing in the ESI area. It provides a nice overview of the discovery rules and the problems the lawyers are facing. Once you have a grasp of the discovery rules, it is much easier to recommend the policies and tools that will help you and your clients create an ESI plan/policy that will reduce the impact of discovery requests in the future. The final step is for your clients to run the ESI plan by their lawyer.

Safeguards For RIAA Hard Drive Inspection

NewYorkCountryLawyer writes

“In SONY v. Arellanes, an RIAA case in Sherman, Texas, the Court entered a protective order (PDF) that spells out the following procedure for the RIAA’s examination of the defendant’s hard drive:

(1) RIAA imaging specialist makes mirror image of hard drive;

(2) mutually acceptable computer forensics expert makes two verified bit images, and creates an MD5 or equivalent hash code;

(3) one mirror image is held in escrow by the expert, the other given to defendant’s lawyer for a ‘privilege review’;

(4) defendant’s lawyer provides plaintiffs’ lawyer with a ‘privilege log’ (list of privileged files);

(5) after privilege questions are resolved, the escrowed image — with privileged files deleted — will be turned over to RIAA lawyers, to be held for ‘lawyers’ eyes only.’ The order differs from the earlier order (PDF) entered in the case, in that it (a) permits the RIAA’s own imaging person to make the initial mirror image and (b) spells out the details of the method for safeguarding privilege and privacy.”

Link to Safeguards For RIAA Hard Drive Inspection

This fascinating description highlights a procedure being used on discovery requests to reduce privacy concerns of the defendant.