
Cyber Security and Internet Safety

With all of the information that both individuals and companies keep online, cyber security is increasing in importance every day. Protecting your information from identity theft and fraud is getting more difficult as hackers become more skilled. Stay ahead of the hackers and online criminals with the following cyber security tips for internet safety!

  • Passwords – Your passwords for all of your secure information should be varied and uncommon. The best thing to do is to make sure you use variations of numbers, symbols, and letters. It is also good to make sure you are not using the same password for every website you have. If by chance someone does figure out your password and all of them are the same, they now have access to all of your information on various sites.
  • Social Media – Always limit the amount of personal information you give out. It will help keep you safe and your information secure. Be sure to use the privacy settings provided to you, so that you’re only sharing information with the people you want to be sharing it with. With email, do not automatically download attachments, but always scan them for viruses and make sure they come from credible sources.
  • System – Make sure your computer is always up to date. This includes anti-virus software, browser, operating system, and any other important facet of your computer and network. Keep your network and Internet secured. Make sure nobody has access to it that shouldn’t. Remember to tell anyone who uses your Internet source to keep the password to themselves and limit what other information they share.
  • Teach and Inform – Teach your children the importance of cyber security at home. This should be part of any safety information you give them. It is just as important to observe internet safety as it is to observe public safety. Keep an eye on Internet history and make sure you know where your children are visiting online. Most companies also give you the ability to censor what your children can see and do online. For a small business, it is also best to censor what employees can see and what information they are able to give out.

Don’t let hackers get your important personal or business information. Keep your company and home safe by taking these cyber security tips and reading up on some more. You can never be too safe online.

If you have any questions about Cyber Security Tips, please contact Working Nets by calling (443) 992-7394 or visit WorkingNets.com today!

Welcome to Working Nets – your virtual IT Department!

At Working Nets, we support your business by providing top-notch Information Technology (I.T.) services to companies like yours: Companies that don’t need full-time I.T. services, but do need someone to turn to, when they are having a problem. We provide services like Network Design, Monitoring and Maintenance. We troubleshoot technical issues when they arise, and give you options for solving them. We help you use your technology investment to achieve your business goals.

At Working Nets, our focus is on your needs!

You can also follow us on Facebook, Twitter, LinkedIn, and Google+.


Hurricane Sandy Relief Efforts and Working Nets

Several weeks ago, Hurricane Sandy devastated the East Coast, from Maryland to New York and everywhere in between. And residents of these areas, specifically New York and New Jersey, are still reeling from the damage. One community in particular, Sea Gate, a Jewish community adjacent to Coney Island, is struggling to recover.

The gated community, which consists of about 800 homes, sustained considerable damage. As a result, 90% of residents are still displaced from their homes.

“We have been completely devastated,” said Esther Zicherman, a lifelong resident of Sea Gate. “An entire community has been displaced. The government forgot about us. We are the lost community.”

Luckily, volunteers are coming from far and wide to assist, volunteers who include Working Nets’ own David Spigelman. He was among several hundred volunteers who spent the day in Sea Gate last Sunday.

“We all grouped into groups of five men, and were given assignments,” wrote David in an email to The Jewish Week. “We went to the houses and did what they needed us to do. Someone had previously gone around and offered assistance to all the residents, asking that if they wanted volunteer help, to sign up on the list.”

Please help the Sea Gate Jewish Community!

If you would like to help, there are several ways in which you can make an impact, including:

  1. Monetary Donations: The Sea Gate Jewish community has set up a mailing address for donations to the CYS (Seagate) Hurricane Relief Fund at 3832 Lyme Ave., Sea Gate, NY 11224. Phone pledges may be made at (718) 705-9666. Or you can donate online at sgsandy.com.
  2. Volunteering: Sea Gate is in desperate need of volunteers, able and strong, to help families carry out loads of water-soaked possessions, including furniture and heavy appliances. If you can volunteer, please call us at 718-705-9666.
  3. Food and Equipment: There are many volunteers and victims at Sea Gate that need food. Residents are also in need of generators, gasoline, cleaning supplies, and so much more!


Intuit Failures

At some time, on November 14, 2011, Intuit performed system maintenance across their online-service systems. And then something went horribly wrong. The systems didn’t work as they were supposed to. Online invoicing stopped working, as did their merchant-services payment processing system. Intuit quickly responded via Twitter and their Facebook page, telling everyone that they were aware of the problem, and that they were working on it. At some time between 8:00 & 9:00 PM (EST) that night, they updated their pages as follows:

“QuickBooks Online is back up and running. We apologize for today’s service disruptions and for letting you down. Improving service reliability is a top company priority right now.”

But this morning, things were still not working properly. As of this writing, it’s still not working. At about 11:00 AM (EST), they posted this follow up message:

As part of our efforts to improve service and increase uptime, we did maintenance work over the weekend which caused issues with several of our systems on Monday, November 14. We are experiencing the same issues today and in order to fix it have decided to take QuickBooks Online, QuickBooks Online Payroll, QuickBooks Connected Services, QuickBooks payments processing, GoPayment and all other payment processing services offline until at least 12:00 p.m. PST. No data has been lost. More info: http://bit.ly/tx620f

We’ll have to wait and see.

Now, for me, this is largely an inconvenience. It’s not hugely disruptive of my business efforts. But there are folks out there who use these services for their day-to-day operations. People who have stores that take credit cards are the ones who have been hit hardest. Imagine having to explain to your customers that you can’t take their payment right now. There’s talk of a class-action suit, which I could easily see happening. The natives are not just getting restless, they’re getting mutinous.

Businesses often have to perform maintenance or updates on mission-critical systems. These are typically scheduled during off-hours, so as to minimize impact on their customers. And Intuit did that. But for a mission-critical system, you typically try to have backups; possibly even backups to the backups, so that in the event that something goes horribly wrong, you can get something back into place, quickly, in order to minimize the impact on the users. This, it would seem, Intuit did not do – at least not very well.

This leads me to one of two conclusions:

  1. They didn’t do their jobs properly.
  2. They don’t consider these online systems as “mission-critical.”

If it’s the latter, that’s a major problem. Their customers are small businesses, and these systems, while perhaps not entirely mission-critical to Intuit, are definitely so for their customers! Under normal circumstances, my reaction would be something along the lines of, “If they aren’t that concerned for our business, maybe they shouldn’t have it.”

The problem, in this case, is one of monopoly. Intuit enjoys a fairly monopolistic hold on the small business financial software market. There is simply no other product out there that does the job QuickBooks does, with as much flexibility and power, and for as low a cost. There are many competitive products out there, mind you, but QuickBooks is the standard to which they are all measured, and there aren’t many that measure up very well, especially for the price. In the U.S., some 95%+ of small businesses use QuickBooks. So they’ve got us small business people essentially over a barrel.

Products like FreshBooks are great for some simple needs, but not nearly as powerful. And products like Peach Tree have a lot of power, but you really need to understand the underlying accounting principles to use it. And most small-business accountants out there love the ability to just take a copy (or Accountant’s Copy) of the file, and work with it on their own, without messing up anything live. Where are you going to find that sort of functionality and presence?

So we’re pretty much stuck. Any thoughts?

Security as a Forethought

An article I read today on HuffingtonPost.com talked about security researcher Jay Radcliffe’s recent experimentation on his own insulin pump and blood-sugar monitor. He discussed his findings in his Black Hat conference briefing. Basically, he found that these devices, and presumably others, could be compromised by their wireless capabilities. It could be possible to cause a monitor to display incorrect readings, or a pump to distribute insulin inappropriately.

“Everybody’s pushing the technology to do more and more and more, and like any technology that’s pushed like that, security is an afterthought,” Radcliffe said.

And that’s the problem: Increasing technological capabilities, with Security as an afterthought.

We’ve been doing this technology thing for a while now. We know there are risks. We know there are people who want to circumvent or break systems, for a variety of reasons. Anything with any kind of connectivity must have Security as part of the original design plans; not something you try to patch later.

Can Macs get viruses too?

This week we heard of two virus-attacks against Macs, out in the wild. But wait… Is that really possible? I thought Macs were immune to viruses!

Sorry folks, they’re not. Never were. The problem is that a lot of people don’t seem to really understand what viruses are, and what makes a computer vulnerable to them.

Basically, a virus is a program written by a person (they don’t just grow by themselves), for the purpose of attacking specific types of machines. Remember the Stuxnet virus that made the news in July 2010? That was designed to attack a specific Siemens industrial process control system, which was being used by Iran in their efforts to create nuclear weapons. That’s how specific viruses can be.

So why haven’t we seen them very often on Macs? My thought is that there are two primary reasons:

  1. Thus far, the Mac platform has simply not been considered worth attacking because of Apple’s relative marketshare to Windows. Although recently, Apple has had tremendous increases in marketshare, there are still many more Windows machines than Macs out there. If you were going to write a virus to, say, steal credit card numbers from consumers, would you rather spend your efforts on systems with more users, or with relatively fewer users? More PCs (and frankly, more less-educated users) means more targets, and that means more compromised machines. (There are even fewer viruses out there that attack Linux systems, for the same reason.)
  2. Windows XP and earlier had a lot of security vulnerabilities. A lot more than Vista and Windows 7. So the operating systems were easier to exploit. And the vast majority of Windows machines still out there (at least as of this article) run Windows XP.

Given those two reasons: More opportunity, and easier to break – it makes sense that most viruses were written to attack Windows systems. But as Apple systems gain more market traction, they become much more attractive to malware writers. The fact that Mac users are not used to using anti-virus software can potentially make it worse. And the fact that Mac users have never had to worry about dirty social-engineering tricks that Windows users have had for years – like the ones used by the most recent attacks – can potentially cause this to become very bad, very quickly.

So Mac users – don’t be so confident that you don’t need antivirus software, and start being vigilant about where you go, and what you allow to install on your machines. This is only going to increase.

More on Malware Sites

Since my last post about the Windows UAC function, and how it can give you early warnings about possible malware infections, I’ve had a number of people ask me for more information about how the infections work. How do they get past your AV software?

AV Can Only Do So Much

The first thing to realize is that traditional anti-virus software has limitations. It can only find malware once it’s on your machine. And by then, much of the time, it’s too late.

What is User Account Control (aka UAC)?

The much-maligned UAC is an important Windows security feature that first made its debut in Windows Vista, and has continued into Windows 7 and Windows Server 2008. It’s a really important feature that we should all be embracing. But most people don’t really understand what it does; they find it annoying and largely ignore it. Worse, some folks actually turn it off, which removes a lot of the protections afforded by Vista and 7 over Windows XP.

In brief, UAC is the security feature that makes your screen go dark, and brings up a window asking you to Allow something to do something (i.e. install software) to your computer.

It is interesting that Macs have something very much like it, as do most current versions of Linux. But their users don’t seem to complain about it too much. I think this is due largely to the way Microsoft chose to go about it, particularly in Vista. Windows 7 has done it a lot better, but I still think we have a way to go.

So what, exactly, is UAC? What does it do? Why do you want it?

In order to understand that, we have to go back a little bit…

Why XP is so vulnerable

There’s a concept in Security referred to as “Least Privilege.” The idea is that you give someone the least access you can, while still allowing them to do their job. It makes sense, if you think about it. You give all of your staff access to the email system and the Internet, but the Accounting Dept. also gets access to the financials, and HR has access to the personnel files. There’s no reason for HR to be rooting around in the accounting system, or for Accounting to be looking at whether Bill was reprimanded for that incident in the Break Room… The Janitorial folks, who come in when everyone else has gone for the day, have access to everyone’s offices, but not the network. That’s Least Privilege: Everyone has what they need, but not more.

Well, most people don’t really need administrative privileges on their local computers either. Certainly not most of the time. It doesn’t take an admin to write a Word document, or work on a spreadsheet. But those Microsoft Updates need to be installed, and there’s that new version of Firefox, and they really wanted to try that new utility everyone’s been talking about… In larger companies, those things are regulated by the central I.T. Dept. and that’s that. But at home or in smaller companies, it’s just easier to let people do those kinds of things on their own. So it’s typical, on Windows XP computers, to just give the local user administrative-privileges on their own computers.

The problem is that now you use that administrative-user account to go to some perfectly legitimate website on a server that’s been infected, and wham – things start popping up all over your machine. Nasty, vile things that you don’t want to see; that you certainly wouldn’t want your kids, or your boss, to see. Then you get a window that tells you that you’ve got 3 bazillion viruses on your machine, and that you’ve been barred from the Internet, but that for a mere $80.00, they’ll unlock their “malware removal tool,” which will immediately fix all the problems, and all will be right in the world again.

And then, you call me…

UAC

Now imagine that you didn’t have to worry about some of those things. Imagine that your computer automatically stopped the bad stuff from infecting your computer. Imagine that, instead, your computer told you that something was trying to install itself, and then asked you if you were sure you wanted it to install. Then you could say something like, “Hey – I wasn’t trying to install anything on my computer. I was just surfing on a website. Why is it trying to install stuff on my machine? That might be malware. I’m going to say No!”

Alright, stop imagining. That’s what Vista and Windows 7 are doing. In keeping with the concept of Least Privilege, your “Normal” account is now secretly a “Limited” account. And for most of your day, that’s fine. When something comes up that requires Admin-level privileges, instead of just telling you that you can’t install it with a Limited account, it asks you if you’d like to temporarily upgrade your privileges, in order to do that particular function.

That gives you the best of all worlds: You’re using Least Privilege at all times, without even knowing it. The bad guys can’t install things surreptitiously on your computer, because they don’t have the permissions required to do it. The only way they can get those permissions is by asking you! Sure, they’ll use Social Engineering techniques to try to trick you into saying Yes, but that’s more difficult. You can say No.

But Microsoft doesn’t explain that part so clearly. Instead, in typical Microsoft-ese, they tell you that “A program needs your permission to continue…” They don’t tell you what, or why. And you get frustrated because you’ve seen it before, like when you were legitimately trying to install Flash Player, and they freaked you out with that pop-up window, (because you thought it meant you had a virus). But it turned out to be okay. Now, you see that window so often that you just Allow everything without even thinking about it. Or maybe you’ve disabled it entirely, to prevent it from ever bothering you again.

Software Companies and UAC

Also frustrating is that many software manufacturers actually recommend that UAC be turned off, in order to get their software to run properly. They do it because their software isn’t really written to the Vista/7 specifications, but they wanted to get their applications to run on those OSes, without having to recode them a whole lot. This is most common with “Vertical Market Applications,” which are applications written for specific industries: Beauty Salon Management software; Medical Office software; Auto Shop software; things like that.

The companies that make these types of software are usually smaller companies, with very limited budgets. They don’t want to rewrite their software if they don’t have to. And they often don’t have to because there’s no push-back from their target markets. They don’t have customers threatening to switch to a competitor because of it. But they should! Essentially, they are saying that they don’t care about their customers’ security. They’d rather put your computers and your data at risk, than rewrite their out-of-date code to conform with new security standards. And since you don’t know better, you don’t complain about it.

Well, now you know better!

What else can I do?

So if you shouldn’t turn off UAC, what do you do when some applications just won’t run properly with it turned on? What do you do when the software vendor’s Support Team tell you that it’s not compatible with their software?

I’d like to say that you tell them that you’re going to switch to another application unless they fix the problem, but that’s not always realistic. I’d also like to say that Microsoft has provided a way to address it, but unfortunately, they haven’t really.

Microsoft did improve the UAC configuration set significantly in Windows 7. In Vista, there were two settings: On and Off. And the On setting was very annoying, giving rise to things like this commercial, from Apple. Windows 7 now has an additional option in between those two poles. Alright, they give you two, but they’re really identical, except for the question of whether the screen goes dark or not. This additional option(s) says that it will ask you about some things, but not about others. It’s much less intrusive. But even this isn’t good enough, in my opinion.
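The settings described above are stored as registry policy values, so you can check what a machine is really set to, along with whether the current session holds full administrator rights (the Least Privilege point made earlier). The PowerShell below is an added example, not part of the original post; the function name `Get-UacLevel` and the label wording are assumptions chosen for illustration, and the sample rows at the end are constructed, not read from a real machine.

```powershell
# Added example (not from the original post). Read-only: it changes no settings.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Map the three UAC policy values to the setting they correspond to.
# Get-UacLevel is a name chosen for this example.
function Get-UacLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    if ($EnableLUA -eq 0) {
        return 'OFF - UAC is disabled; everything an administrator runs is elevated'
    }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'OFF - administrators are elevated silently, with no prompt' }
        2 { return 'Always notify' }
        5 {
            if ($PromptOnSecureDesktop -eq 1) {
                return 'Default - prompt when programs make changes (screen dims)'
            }
            return 'Prompt when programs make changes (screen does not dim)'
        }
        default {
            return "Custom policy (ConsentPromptBehaviorAdmin = $ConsentPromptBehaviorAdmin)"
        }
    }
}

# 1. What is this machine set to? Treat missing values as unknown, not as "off".
$names   = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'
$policy  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$missing = @($names | Where-Object { $null -eq $policy.$_ })

if ($missing.Count -gt 0) {
    $level = "Unknown - value(s) not found: $($missing -join ', ')"
} else {
    $level = Get-UacLevel -EnableLUA $policy.EnableLUA `
        -ConsentPromptBehaviorAdmin $policy.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $policy.PromptOnSecureDesktop
}

# 2. Is this session running with full administrator rights right now?
#    With UAC on, an administrator's normal session reports False here,
#    because it runs with a limited token until you click Allow.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"UAC setting      : $level"
"Session elevated : $elevated"
if ($level -like 'OFF*') {
    Write-Warning 'UAC is not protecting this machine; software can install without asking.'
}

# 3. Constructed sample values (not from a real machine), one per setting,
#    to show how each combination is classified.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) {
    Get-UacLevel @s
}
```

Run it from a normal (non-elevated) PowerShell window; reading these values does not require administrator rights.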

There’s much talk from users about the possibility of a UAC “Whitelist”, which would allow you to specify certain applications as being automatically Allowed by UAC. I think that would be a great idea! It would enable you to avoid UAC problems for known applications, while still protecting your computer from the things you don’t want installed. Yes, it could lead to some compromises. You could expressly Allow malware to run, defeating the purpose of it. But let’s face it: you just can’t protect everyone from everything. And it would be better than having people turn UAC off on their machines entirely. But for now, that’s not an option. Hopefully, they’ll put something like that in soon.

If you’re a Vista user, there is a Norton tool that’s still officially in “beta,” which apparently does exactly what I was suggesting: It allows you to save a UAC setting for a given application, so if you Allowed it once, it will always allow it. The tool looks like it does a great job, but it doesn’t work for Windows 7 – I tried it.

Otherwise, in those situations, you may just have to turn it off. But you should be asking your software companies why UAC isn’t supported, and when they’ll have a version that works properly available. And you should be aware of the risks.

Microsoft Patch – MS10-046 – Critical

Microsoft released a Critical patch today for pretty much all versions of Windows, from XP on up. (This doesn’t mean it doesn’t also apply to earlier versions; just that earlier versions are no longer supported.)

The issue behind this patch is that when you create a shortcut for something, Windows actually reads part of the underlying file to pick up things like the icon to use for the shortcut. Well, they’ve found a problem in the way that this works: that very process of displaying the icon can be exploited, enabling code of the attacker’s choosing to run with the privileges of the locally logged-on user.

In other words, you don’t even have to run the program, in order to be attacked. All they have to do is make an icon appear on your desktop, and when Windows reads the file to display the icon for it, it will run the malicious code with your permissions. Since many people use Windows XP with Administrator permissions, this means they own your system. And since many people with Vista or Windows 7 routinely ignore (or even turn off) the UAC warnings, they’re going to own them too.

If your system is set for automatic updates, you’ll have already applied this patch this morning. If not, do! It’s a Critical level security patch, and it will likely require a system reboot – it did for me.

Facebook Privacy – Again

It’s true… Once again, those security gurus at FaceBook have decided that your privacy isn’t all that important. At least, not important enough to do something novel like… ask your permission before divulging your personal information!

This time, it’s your phone numbers. Recent changes now have the defaults set to show your phone numbers to your Friends only. I guess I can hear the logic on it: If they’re my friends, then maybe it’s okay for them to have my phone numbers. Unfortunately, that’s not in line with the way most people actually use FaceBook. They have business acquaintances, the guy they met at that last trade show, people they knew back in kindergarten who may have grown up to be axe murderers (you never know…), etc. Come on people – we’ve all done that. And we’re generally okay with them seeing our bizarre thoughts, but do we really want them all calling us?! I think not!

Nonetheless, they are out there, available. If you want to get an idea as to the scope of this, try this:

  • Log into your FaceBook account.
  • On the top right of the screen, click Account, and then Edit Friends.
  • On the left side of the screen, click Phonebook.

Take a look at all your friends, and their phone numbers!

Now if you don’t want your numbers to be displayed like that, here’s what you gotta do:

  • Click Account, and then Privacy Settings
  • Select Custom, and then click Customize Settings link, on the lower left of the chart.
  • Scroll down to the Contact Information section, and then set the appropriate items to Only Me.


Man Infects Self With Computer Virus

In England, this past week, Rory Cellan-Jones, reporter with the BBC, reported about a “scientist”, Dr. Mark Gasson, who implanted himself with a computer virus. Apparently, this was supposed to be an “ooh, aah” sort of thing. Revolutionary and whatnot. It wasn’t, but more on that later.

The response to the article was apparently (and I believe correctly) largely derisive, to the point where yesterday, Mr. Cellan-Jones published a follow-up article. In it, he admits that he “should have adopted a more sceptical tone” in his original piece, but then attempts to justify it anyway. He also contacted Dr. Gasson for a reply to some of the criticism. Dr. Gasson responded that he wanted to bring attention to the need to consider security in medical technology devices.

Now, I agree that security absolutely must be considered as we begin to move towards electronic devices being used as body parts. It would be terrible if, for example, unsecured wireless technology was used to connect the brain to an artificial arm, and someone hacked it and made it beat its owner to death. But Dr. Gasson’s experiment isn’t anything like that.

What Dr. Gasson did was take some “virus code”, put it on an RFID chip, and implant it under his skin. The code was designed to redirect a web browser to a malware site. Dr. Gasson is not a web browser, at least not in the technical sense. And the chip doesn’t have the mechanics necessary to make him do anything. It was no more impressive than if he stuck it in his pocket. This “experiment” is sort of analogous to sticking dirt up your nose to see if it will give you a dirty mind. At best, this was more a political point than a science experiment. At worst, it was simple publicity seeking.