At this time there is still no fix from Microsoft, but they have released a workaround as well as a quick-fix tool which will implement it for you; however, this solution disables or limits .lnk parsing, so most will find this fix to be a huge nuisance;  It will turn most of your icons into ambiguous white squares.

So, with the IT Security world in minor panic, Sophos comes to our rescue with the following tool, which specifically promises to intercept malicious code if a malicious .lnk comes our way:  http://www.sophos.com/pressoffice/news/articles/2010/07/shortcut.html

See here for microsoft’s temporary workaround solution (plus pics of what your icons will look like) : http://support.microsoft.com/kb/2286198

I’ll be installing the Sophos tool on my main machine shortly. Msg me or leave some comments if you’re curious about how it goes.

- Paul

If you do not use Bitlocker (which is probably always), you can safely remove the System Reserved Partition by following the instructions in step #4 of the following post:

http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/5f9e147e-32de-4a69-80eb-86f1b10f1c4c

You can also avoid Windows setup from creating the parition to begin with by following Method 3 in the following post:

http://www.mydigitallife.info/2009/08/20/hack-to-remove-100-mb-system-reserved-partition-when-installing-windows-7/

However, since most new machines will ship with the partition already created (and deleting it seems a bit “hackerish”), I would leave it alone.  Just make sure to back it up once and set it aside.

Because we configured 6 x 2tb drives in a RAID 10 configuration, we now have a 6TB drive that can only be used as a 2tb drive.   The remaining 4tb un-partitioned space cannot be used in Windows.  I suspect more of you will discover this as you create more ginormous arrays for a few hundred bucks!

1. To break the 2tb barrier, you must convert the drive as a GPT drive.
2. However, you cannot boot from a GPT partition.
3. Also, you can only convert drives that are empty.

 Therefore, you can pretty much forget about installing Windows on a partition larger than 2tb.  That shouldn’t be a problem since your boot partition doesn’t need to be much larger than 80gb anyway.  Just make sure when configuring RAID array larger than 2tb, split it in to two volumes (or virtual drives in Dell Perc lingo).

1. 80gb MBR – Boot disk
2. 2tb > GTP – Data partition (Maximum 256 TB)

Here are some references.

http://carltonbale.com/how-to-break-the-2tb-2-terabyte-file-system-limit

http://www.microsoft.com/whdc/device/storage/gpt-on-x64.mspx

They may be a victim of email address spoofing, a technique spammers use to hide their identity.  Basically, a spammer sends out junk email using your email address as the From: address, and when the receipients reject the message, the true owner of the address ends up with the rejection notice. 

Most domains send outbound mail through a relatively small number of servers. Domains should describe that set of servers in an SPF record in their DNS. Internet email receivers can then reject forged messages which don’t come from an envelope sender domain’s approved servers.If the receipient’s spam filtering solution is configured to check SPF before receiving messages, it will reject any spoofed messages not originating from the designated servers. 

SPF record syntax is a bit cryptic and I”m not exactly sure how it works, but there is a tool that helps you generate the correct formatting.  You should also be able to contact your email service provider to help with the correct mail server adddresses to enter into the SPF record. 

http://old.openspf.org/wizard.html 

For example, GFI MailProtection uses the following servers for outbound servers. 

92.51.176.0/24
92.51.177.0/24
174.36.154.0/24
207.154.50.0/24
208.43.37.0/24
208.70.88.0/24
208.70.89.0/24
208.70.90.0/24
208.70.91.0/24 

By running the wizard and selecting no to the first three options and entering in the above list of IP addresses in the “ip4:” field, the following record is generated (note: select YES to the ~all field): 

“v=spf1 ip4:92.51.176.0/24 ip4:92.51.177.0/24 ip4:174.36.154.0/24 ip4:207.154.50.0/24 ip4:208.43.37.0/24 ip4:208.70.88.0/24 ip4:208.70.89.0/24 ip4:208.70.90.0/24 ip4:208.70.91.0/24 ~all” 

Now log into your DNS host and create a TXT record using the above syntax.  

This isn’t a foolproof method since not all spam filtering solutions support SPF records, but it should reduce the number of some spoofing attempts.  Also, some DNS servers may not support SPF records (i.e. doesn’t allow you to create txt records), in which case you may want to consider switching your DNS host to one that does.

http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

excerpt:

 ”It’s a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem. To my chagrin, NewSID has never really done anything useful and there’s no reason to miss it now that it’s retired. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep”

I called Sonicwall tech support to confirm that this is a known issue. They suggested that:

1. Purchase a new generation of Sonicwall, (e.g. TZ100, 200, and 210)

or

2. Block the domains by IP address by performing nslookup.

I tried option 2, and blocked every IP address for Facebook.  It did not work. I’m not sure exactly how many web servers Facebook has, but doing the nslookup doesn’t seem to necessarily find all of them. (I got two different results for the IP address at different times.)

So if you have an older model (e.g. TZ170, 180, and 190), the HTTPS trick will override forbidden domains…if the domain supports HTTPS that is (which is rare).

With regards to file transfers, there are four relavent sections in HIPAA 

1. Standard § 164.312(a)(2)(iv) –  Encryption and decryption 

 “Implement a mechanism to encrypt and decrypt electronic protected health information.”  

2. Standard § 164.312(e)(1) – Transmission Security 

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” 

These two sections require the transfer of the file to be encrypted and the storage to be encrypted as well. 

Dropbox website lists the followig security features: 

http://www.dropbox.com/features 

Security & Privacy 

Dropbox takes the security and privacy of your files very seriously. 

• Shared folders are viewable only by people you invite.
• All transmission of file data and metadata occurs over an encrypted channel (SSL).
• All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.
• Dropbox website and client software have been hardened against attacks from hackers.
• Dropbox employees are not able to view any user’s files.
• Online access to your files requires your username and password.
• Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable.

 So Dropbox meets the transmission requirement with SSL and storage encryption requirement with AES-256. 

3. Standard § 164.312(b) – Audit Controls  

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” 

This section requires that you need to be able to audit who accessed the information. 

Here is a screenshot from my Dropbox account.  As you can see, there is a clear audit of the recent activities. 

Also make sure to use strong passwords and don’t tell anyone what your password is.   If someone else can log in as you, then their actions cannot be audited.

4. Standard § 164.308(a)(3)(i) – WORKFORCE SECURITY
“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.” 

To meet this standard,  DO NOT put any files in the Public folder!  This allows non-authorized uses to access those files.  Create separate folders and grant user access to only those who are authorized to view them. 

In Conclusion

Following these guidelines, Dropbox can be HIPAA complaint!  There is no such thing as HIPAA certification, and these requirements do not have specific implementation standards.  As long as you demonstrate that you thought it through and documented (with emphasis on DOCUMENTED) your reasons for why you believe that your solution meets these requirements, you are “compliant” at that point. 

So feel free to refer to this blog post, but please document your findings.

“The cause of this delay appears to be a deferral by Yahoo.  As part of their anti-spam tactics, Yahoo will defer messages when connections from a single IP or range of IPs exceeds their limits.  In this case, the message in question was deferred for delivery at a later time by Yahoo.

 McAfee continues to work with Yahoo to make sure they do not put temporarily blocks on our sending IP addresses.  Yahoo states that these rejections are not blacklists and are four hour “temporary deferrals”.  We do apologize for this inconvenience but request that you simply resend mail rejected by their servers.”

Translation: Someone at Yahoo needs to get fired!

Anyway, since the problem seems to be on Yahoo’s end, a simple workaround is in order.

In order for MX Logic outbound to work, you have previously set a smarthost forwarding all outbound messages through MX Logic.  Add a second connector and make it specific to the Yahoo.com domain.  Set the connector to use DNS to resolve recipient address.  Set the cost as 1, and set the cost on the MX Logic smarthost cost to a greater number, e.g. 10.  This will ensure that emails sent to Yahoo.com emails gets processed first, and bypass MX Logic.

On Exchange 2007, the setting can be found under Organization Configuration -> Hub Transport -> Send Connectors