443-992-7394

Opening Attachments

You’re sitting at your computer checking your email, when you notice that you’ve got one from DHL. You open the message and read an official-looking message saying that they tried to deliver a package to you, but no one was available. Please open the attached file which contains a form they need to redeliver. Now maybe you’re waiting on a package and don’t remember whether it was DHL, UPS or FedEx; maybe you’re not waiting on a package and can’t figure out what they would be trying to deliver to you.

Or…

You get an email from your brother’s email address that says, “Check this out – it’s really funny!” It’s got an attachment. Well, your brother wouldn’t send you anything bad would he? (No seriously – would he? I probably don’t know your brother.)

In any case, you open up the attached .zip file, run the executable it contains and then… WHAM! You’re infected!! Suddenly you’ve got hundreds of porn pop-ups appearing on your machine. And you’ve got something that says it’s an anti-malware program that you don’t remember installing, coming up to tell you that it’s discovered 385 infections, and you need to run it to get rid of them.

Why did this happen?

In most cases, the reason this happened was because of a technique called Social Engineering. Social engineering is the act of manipulating people into performing actions or divulging confidential information – sometimes both.

Social Engineering relies, primarily, on two things: the basic trusting nature of most people, and fear.

In the first example, there was a little bit of both. You trusted that the email was actually from the company it said it was, and you were afraid something bad would happen (i.e. they wouldn’t deliver your package) if you didn’t do what they said.

In the second example, it was basically just trust. Why would you think that your brother would send you a virus? In fact, your next phone call or email is probably to your brother telling him that what he just sent you was infected. And when he tells you he didn’t send you anything, you don’t know what to make of it.

Windows Pre-Vista

The previous examples are most prevalent on PCs running Windows XP or earlier. Why? Because they’re the most susceptible. Here’s why:

Microsoft and most security experts agree that the best way to run your computer is as a “Limited User”. In other words, a user account that doesn’t really have the privileges to install software, or do other things that could impact the entire machine.

But most users don’t want to run their machines as a Limited User, because… well, frankly, it’s a pain. This, of course, is only even relevant for folks using Windows NT, 2000 or XP. Anything earlier than that didn’t even have the option to run as a Limited User anyway. (If you’re using anything earlier than Windows XP, we should talk anyway.)

But if you run as an Administrative User, then anything you run is run as an Administrator, and Administrators are presumed to know better.

Windows Vista/7 and the UAC

Enter Windows Vista (and now Windows 7) and UAC (User Account Control). This allows the best of both. When you log into your PC, you’re using a Limted User account, and you run everything in that limited mode. When you want to install something, or try to do anything requiring upgraded permissions, everything freezes and goes a bit dark, and a window pops up asking whether you want to allow it. If you say yes, it temporarily places you in Administrative mode to affect the change. Then you go back to your Limited User account, and continue your work.

There are two problems:

  1. People get so used to seeing that “annoying box” that they click Allow without even really looking at it, or thinking about it.
  2. Some people get so sick of the box they actually turn off UAC. Also, some vertical-market applications tell you to disable it (which is usually a sign of bad programming, but be that as it may…)

Either of these behaviors will allow malicious code to run unimpeded on your machine, even with a more-secure operating system. Turning off UAC is actually worse, because you no longer even know there’s anything trying to get in. It makes it, effectively, Windows XP in Administrative mode.

Tips

Here are some rules of thumb that I use when dealing with email attachments:

  • Don’t open them unless you have some reason to believe they are safe.
  • Just because the “sender” is someone you know and trust, doesn’t mean it’s safe. They could have gotten infected themselves, and the virus could be sending itself to all their contacts. Some malware is even smart enough to scan the user’s contact list, choose two names and then send messages “from” one to another. So some third party may have been infected, and you get an email “from” someone you may know in common.
  • In general, you can open attachments you’re expecting. If you’re waiting for me to send you a Service Contract proposal, and you get one from me, it’s probably okay.
  • Even if you weren’t expecting it, per se, if you have contextual reasons to believe it’s really from the person it says it’s from, it may be okay. In other words, if the message part says, “Open this. It’s funny.” – that’s not okay. But if it says, “Hey Dave – This is that article you asked me to write for your blog. Tell me what you think.” – that’s probably fine.
  • If you’re not sure, ask. Send an email back to the sender asking whether they really intended to send that file to you.

Remote Access

It’s February 2010; a couple of days after what President Obama referred to as Snowmageddon. At least if your office is in this region, right now, you’ve probably been thinking about Remote Access to your computer systems. If you have it, you’ve been very glad of it. If you don’t, you may have been wishing you did. And you wouldn’t be alone: According to a CNNMoney article, LogMeIn’s remote access service usage surged nearly 40% during the recent storms.

Bad weather is but one of the reasons many businesses need some form of remote access, or even remote office solution. It can be a critical component of your overall Disaster Preparedness Plan. If your computers don’t shut down because of some environmental disaster, why does your business have to?

Remote access to your systems can also enable you and your staff to be a bit more time-flexible, or provide for remote technical support. (Yes, I use it all the time.) It can enable sales staff to access critical data while on the road, even from a SmartPhone.

Sounds great! What do we need to do? Well, slow down a moment. Like most things, you do need to put in a little bit of forethought and planning for this. So here are some things to think about:

  • How many people are going to need to use it? Concurrently?
  • Do we need application access, or just data access?
  • How important is remote printing?
  • Do we need remote access even during the workday, without affecting others’ work?
  • How concerned are we about security?

These, and other factors can determine which is the most appropriate / cost-effective way of providing remote access services. These are some of the major categories used:

Remote Control
This type of solution has been around for a very long time. Typical examples of this type of solution include GoToMyPC and LogMeIn. A small client application is installed on the user’s PC(s), which connects out to the provider’s Internet servers. On the remote side, the user logs into the provider’s website, and makes a connection to the provider’s website. To make the actual remote-access connection, these two separate sessions are connected through the provider’s site. Both connections typically use strong encryption, making this type of remote access pretty secure.

As the name describes, this type of connection literally has the remote user taking over control of the host PC. This means that, typically, someone at the office could actually be watching whatever the remote user does, and the remote user will have no way of knowing it. If the user is accessing confidential data, this could be a concern.

Also, because the user is actually taking over the entire computer, the computer cannot be used by anyone else at the same time. If the access is needed during the regular business day, it has to be on a computer that no one else uses.

Terminal Services
This type of solution has many of the same benefits as the Remote Control solutions. The user gets a virtual desktop and runs applications at the remote site. When using a Terminal Server, you can have multiple users on the same machine simultaneously, each with their own virtual desktop. Since users are not actually taking over the remote machine, passersby at the office cannot watch a session taking place. And since a Terminal Server is generally a dedicated machine, it doesn’t affect other users ability to work.

There are some things to be aware of, though. For example, remote printing can be tricky – especially if you’re trying to print to a printer on a remote network. Also, security can be a concern. The encryption used by RDP (Remote Desktop Protocol) is not as strong as some other solutions – at least not by default. And, of course, there is the cost of the Terminal Server itself. A Terminal Server is a Server, requiring a Microsoft Server operating system, and typically, server hardware.

Virtual Private Networks (VPN)
VPN is a term I’ve often heard misused to mean all sorts of remote access services. So let me explain what it is: A VPN uses encryption to form a “tunnel” through an untrusted network (i.e. the Internet). So if you have two offices, you can use a VPN to connect them through the Internet, enabling machines to communicate securely between the two sites. You can also create a VPN from a computer to the network, allowing that computer to communicate as if it were directly connected to the network.

Typically, the encryption used is strong. But people often complain that performance is slower than they expected. The issues are usually due to applications that are not particularly well-suited for this type of connection.

The important thing is that you know your options, and understand both the costs and the benefits each can provide for your business.

Security Paradigm Shift

Yes, I really did use the term, “Paradigm Shift.” This actually is going to be my newsletter topic this month. But not in the buzzword-y sense.

Let’s start with some definitions:

Paradigm: An example serving as a model or pattern (from a Greek word I can’t even hope to pronounce, meaning to show side-by-side)

Shift:
To put something aside and replace it with another

Paradigm Shift:
A change from one model or pattern of thought (or action) to another.

We all live in many different paradigms, and we switch between them all the time. For example:

  • In my home paradigm, I dispense fatherly advice and bad jokes, to my kids. I (usually) help around the house. I fix (and sometimes break) things.
  • In my work paradigm, I call and/or take calls from customers, and help them with their computer problems. I deal with the finances. I work on Sales and Marketing.
  • In my religious paradigm, I go to synagogue, pray and generally do my best to keep the laws and traditions of my belief-system.

When we need to quickly figure out how to respond to something, we look to the paradigm we’re using at the time. If a client has a problem, and needs my help, my response shouldn’t be to pray or dispense fatherly advice. Knowing which paradigm I’m in, at a given moment, gives me the context to understand how to respond, pretty much intuitively.

Which Paradigm?

But it’s not always so easy to determine which paradigm you should be in. Sometimes, we can make mistakes. Consider this scenario:

You’re walking to the door of your office building. It’s a secure key-card access door. Someone else is walking up behind you. Do you hold the door for him? On the one hand, there is clearly concern about security here. On the other hand, closing the door in the guy’s face might be rude.

The problem here is that no one’s clarified the appropriate paradigm. If Security was an underlying rule of thumb, it would be obvious, and closing the door in his face wouldn’t be considered rude at all – in fact it would be expected. If you don’t believe it, ask anyone who’s ever worked on a military base, or in a secure government facility. (I’ve worked in both.)

Every business owner I’ve spoken to, says that they want their business to be “secure”. Then, many of them insist that everyone in the office use the same user name and password, or no password at all, for network access. In fact, according to a recent InfoWorld article, a similarly recent Symantec survey says that small businesses tend to “shun” basic security measures. Once again, the problem is usually an unclear paradigm.

Security Policy

This is where a Security Policy can be really useful, even for a small business. It communicates the organization’s security foundations; what’s important to the company, from a security perspective. Basically, it’s the documented security paradigm for the company. And it doesn’t need to be really complicated either. In fact, simpler is better. Should you enforce stronger password policies? Well, if the policy says, “Everyone should be able to get to anything they want, without restriction,” then the answer is immediately clear. It’s also clear if the policy says, “Users should be able to reach only the information required for them to do their job.” These statements also answer questions, like, “Should everyone have Administrative privileges?” and “Should we lock the doors at night?” and “Should the janitor be able to get into QuickBooks?” – Alright, so they probably need a little work… but perhaps not too much. Remember, the intent here is to have a guide, not a detailed manual covering every possible situation.

Why not be more detailed? Because that’s often why businesses don’t write policies. It’s why we never even get started: The task becomes too huge to contemplate. So don’t let it. Just try covering some topics like:

  • Passwords
  • Access privileges
  • Internet access
  • Anti-virus
  • File-sharing networks (i.e. BitTorrent and Gnutella)
  • Software piracy

You can always add to it later.

There’s more to be said, and I may even say some more of it in another letter, or on our blog. In the meantime, think about your company’s security position, and whether it fits your vision for the company.

Where DOES that link really go?

One of the things I always caution my customers about is clicking links in email messages. Just because a link says it’s going to http://www.foxnews.com, doesn’t really mean that it is. (Yes, it’s safe to click on the link – would I send you somewhere bad?)

One of the easy ways to check where a link is actually going, is usually in your browser or mailer window. If you read your email in a browser window, there’s usually a link identifier somewhere in the window (in IE and Firefox, it’s down at the bottom-left of your browser window) which will tell you where the link is actually going. In your mailer, there’s usually a similar function. In Outlook, for example, you need to hover over the link for a second or so, and the actual link address will pop up over it. If it isn’t a site that looks right, you probably don’t want to click on it.

Why does it matter?

Why? Because the link could redirect you wherever they want to. It could be a malware site (see this link for a demonstration of how that might work), that actually does something to your computer, like install a trojan. Or it could be a phishing site, trying to fool you into revealing something about yourself, or your web accounts. These are typically sites that look like the real site, and convince you to enter your username and password, which they can then use to access your accounts later.

How can you tell?

How do you tell if a site looks right? Well, that can actually be tough, because the bad guys… well, they don’t want you to know. So it might look something like this: , which just looks like it has so much random junk in it, that you may not be able to tell where it’s from. Or it might say something like , or , all of which could look very serious when looked at casually.

But a closer look reveals an important clue, if you know what you’re looking for: The most important parts of the website address, most of the time, are the last two dotted sections. Let’s look at the URLs. The ends of the dotted sections are:

  • sezkmvob.cn
  • ur.pl
  • prevention.br

Now I don’t know what the first one is purporting to be (I pulled it off a spam message I got, and modified it so it doesn’t really go anywhere I know of), but I do know that the server location is CN – China. The other two are intentionally fraudulent. They’re using the name of a bank somewhere in their URL, in order to make you believe that they’re from that bank. But looking at the domains from which they actually come, show us that one is from a domain in PL – Poland, and the other is from a domain in BR – Brazil. It’s pretty unlikely that either of these are from the banks!

So a little bit of care in watching what you click, before you click on it, can save you from a world of hurt.

That said, there is an additional wrinkle involved, which I’ll save for another post. In the meantime, be safe!

Tagged.com – The Non-Virus Virus

This morning, I received an email message from a service called Tagged.com. In fact, I received about 8 email messages from them, telling me that there were pictures they wanted to share, and that I’d been “tagged”.

Now, the email service that I use has some pretty decent spam filtering, so I was a bit intrigued as to how it got through, since it didn’t really seem on the up-and-up. So I loaded up Firefox in a Sandboxie sandbox (and if you don’t know what that is, let me know – you should!), and checked out the site.

Tagged.com promotes itself as a social networking service, with all the usual blah-blah. It then explained that I needed to sign up in order to see the content it had promised. I clicked on the sign up link, and looked at the form. I was looking for the Terms of Service checkbox that almost everything has, and lo and behold, it was there on the bottom of the page.

I make it my practice to at least skim through the TOS on just about everything I sign up for these days. It’s fascinating what you discover, and frankly, it’s something more people should be doing. Here’s what I found interesting in Tagged.com’s TOS:

E) Notice Regarding Commercial Email

MEMBERS CONSENT TO RECEIVE COMMERCIAL E-MAIL MESSAGES FROM TAGGED, AND ACKNOWLEDGE AND AGREE THAT THEIR EMAIL ADDRESSES AND OTHER PERSONAL INFORMATION MAY BE USED BY TAGGED FOR THE PURPOSE OF INITIATING COMMERCIAL E-MAIL MESSAGES.

I read this as meaning, “You’re giving us permission to use your email address to spam other people.” And my guess is that’s exactly what happened. I don’t think that the person who sent me the email actually intended to “invite” me, per se. I think they just sent me out an email, from her personal address. Perhaps she used their handy “upload your contacts” feature, or something like that.

And all this from a site that promotes itself as being for teen use… giving out personal email addresses – sheesh…

In any case, this means that this spam wasn’t due so much to infection, as it was part of the service she signed up for. And since I did turn out to know her, she sailed through my spam filters.

I’m not a lawyer. I don’t even play one on TV. But the bad guys will continue to use laws against the generally law-abiding. Know what you are agreeing to. You could regret it otherwise.

Keeping Patches Current

Patches? We don’t need no steenking patches!

This seems to be the attitude of many business people, regarding their computer systems. But keeping your machines updated is a critical part of their regular maintenance. Kind of like dusting them out, or washing the keyboards in the dishwasher. (Don’t actually try that one, although I do know of people who have done it!)

Why don’t they keep their computers current? For some, it’s the fear that something will suddenly go wrong with their computers, and their business software will just stop working. For others, it’s just the bother of having to go around to all those computers, and do the updates, especially since things seem to be working as they are. Many people are convinced that their machines are set to automatically update, and therefore must be current… and by the way, what does that little yellow shield in the tray mean, anyway? And let’s face it… some of us are just lazy, especially when it comes to dealing with things we really don’t understand anyway.

But small business owners can’t afford to be lazy, when it comes to our security. For most of us, our entire businesses are on our computers. When they’re down, we’re down; we’re not making money, or we’re severely hampered in our ability to do so.


How important are they?
Remember the Conficker worm that caused everyone to panic, back in March and April? It spreads, mostly, through a security flaw that Microsoft patched in an update made available back in October 2008! Well, according to industry pros, including Symantec, there are still some 50,000 new machines infected every day! Many, if not most, still don’t have the patch installed that would have prevented it.

What should we know?
Well, for one thing, that little yellow shield often means that your machine is not up-to-date, no matter what the auto-update settings are. Many people have their machines set to download, but not install updates automatically. And there are many updates and patches that want user-interaction, and just won’t do the automatic update without it. Often, these are required in order for other updates to be installed – if you don’t install them, you don’t even know about the others.


Security vulnerabilities cost money
In fact, they cost a lot of money. A Computer Economics article, from 2007, showed damages of more than $13 billion almost every year since 1999, and that data’s already aging. Malware costs companies in equipment, in professional services – like the computer technician who has to come in to fix the problem, or the attorney who has to defend you and your company from claims that you did not make adequate efforts to protect customer data – and in time… lots and lots of time. Time that the computers are out of service; time that the users may be sitting around idly.

Keeping your machines updated can prevent many outbreaks, by locking down the vulnerabilities before malware is commonly available to exploit them. Keeping them updated can save you money!

What about the concern that some of your business software will develop problems, after an update? Well, if you’re running old software, this actually could be an issue. In some cases, it’s actually necessary to roll back a security update on a particular machine, until another solution becomes available. Perhaps there’s a patch provided by the software manufacturer to address the problem. Maybe you need to consider an upgrade or even a replacement to your current software. A consultation with your technology advisors can help you to make the appropriate business decision.

Deployment difficulties
Software update deployment can be a real pain, especially for a small business with a lot of computers. It can take hours to get around to each desktop, downloading and installing updates. Again, your technology advisors can be very helpful here. Updates, and even new software packages, can often be scheduled and deployed to hundreds of machines, automatically.

This can help the lazy among us too. You don’t have to remember to install updates and patches, because you’ve got someone else doing that for you, automatically.

You need to know
Like everything else in your business, information is key. How do you know if your computers are all up-to-date with their security patches? How do you make sure they get deployed without causing you a lot of time, trouble, and headache?

By contacting companies like Working Nets, of course! (Hey – it’s our blog. You can’t expect us to completely avoid the occasional shameless plug!) Give us a call to learn how our new Managed Services Program can help you make sure that your systems are up-to-date, and much more!

Adobe Acrobat Vulnerabilities

In the last couple of weeks, Adobe has acknowledged a number of vulnerabilities in their Acrobat products, including a “Zero Day Exploit” (which means exploit code was found “in the wild” before the vulnerability was even known by the Security Community), all involving their use of JavaScript. (See this link for more details.)

What is JavaScript? Well, it’s a scripting language… essentially a relatively light programming language. It’s used in many web sites, and web-based applications.

But Acrobat is supposed to be a “cross-platform” document format, meaning that the same document can be displayed, and printed, in the same way, regardless of what computer you’re using. Windows, Mac, Linux – it doesn’t matter.

So why do we need JavaScript in an Acrobat Document?

Frankly, I’m not really sure that we do. It certainly doesn’t enhance the ability to use the basic functionality for which it was designed: Creating and reading documents.

At this point, Adobe, and other Security professionals are recommending that you just turn it off. Here’s how to do it (at least on Windows systems, but other platforms should be similar):

  1. Open Adobe Acrobat or Acrobat Reader.
  2. Click the Edit menu item.
  3. Click the Preferences menu item.
  4. In the Categories box, along the left side, look for JavaScript, and select it.
  5. Uncheck the Enable Acrobat JavaScript checkbox.
  6. Click OK.

That’s it. You can now close Acrobat, or use it for reading documents. Whatever you want.

The Internet’s a bit like the Wild Wild West. There are great opportunities out there, but it can be a dangerous place. As Michael Conrad’s character used to say after his daily briefings, in the old Hill Street Blues series, “Let’s be careful out there…”

Disaster Preparedness

Disaster Recovery Planning has developed into an industry unto itself. There are firms that specialize in this, providing comprehensive planning systems, often costing tens or hundreds of thousands of dollars. If you’re a large enough enterprise, they’re worth every penny.

But there’s a lot that a small business can do to help prepare for a business disruption too. Obviously, insurance is an important component, but insurance isn’t going to prevent your customers from finding other vendors, while you’re trying to get things up and running again. No, I don’t sell insurance, but if you need some, I know a guy…

The point is, you want to get as much of your business back up, as quickly as possible – even if it means getting a couple of computers set up in your living room for a few weeks.

Redundancy is the key!

The more redundant your systems, the less you will suffer, within reason. That’s the idea behind data backups, but there are other things you will need “backed up,” besides your data itself.

Here is a short list of things you can do that will greatly decrease the time you’ll need to bring your computerized systems back quickly:

  • If you have applications that run your business – even if it’s just Microsoft Office – be sure to have copies of the CDs and, if possible, the documentation stored somewhere offsite.
  • Have a list of all your critical system passwords stored in at least two locations: one onsite, and one offsite. Restoring your data doesn’t help you, if you can’t log into the computer. This list doesn’t have to be computerized, by the way. It does, however, have to be a “living document,” in that, when you change the information, all copies get updated. And of course, you’ll want all copies to be secured.
  • Where possible, use automation to alert you when your critical systems go down. No one really wants a text message at 2:30am, but believe me – you’d rather know than not.
  • Document everything! This is an important one, so let me repeat it: DOCUMENT EVERYTHING!!! (How’s that for being redundant?) Pretend you had to bring in someone new to get your computers up and running again, and he knows nothing whatsoever about your business. He’ll need all the information we’ve mentioned above, as well as:
    • Your restore procedures, including how to get to the backup software and media, as well as any documentation he might need to operate it.
    • Vendor information, including account numbers and system credentials (username/password), as well as a list of the software you’re using.
  • Do periodic run-throughs of your recovery procedures. This will help identify anything you’ve left out of your plans, and keep everyone familiar with them.

A basic Disaster Recovery Planning worksheet is available at our website. Click here to get it.

We all hope never to suffer a business disaster, but it happens. As they say in the Boy Scouts, be prepared.