Archive › March, 2009

4 steps for Conficker peace

If you’re confused about all the Conficker chatter everywhere, as an SME (Small & Medium Enterprise) owner or home user there are some simple steps you can take to be safe. Rest assured, if these instructions sound too complicated, we’re happy to help with these issues either on-site or remotely through the magic of the telephone and screen-sharing technology.

These four steps are important to take no matter what your situation is! Think of them like taking your immunizations before you travel to a developing nation. The Internet IS a developing nation!

  1. Back up your data. There are all sorts of backup options available, including ours, www.NerdsBackup.com, where you can easily sign up and have your important data backed up.
  2. Keep Windows Update up-to-date. This often overlooked step is actually quite simple, most of the time. On most computers, you can simply click the Start Menu, and you will see “Windows Update”. Choose that option, and then follow the on-screen instructions.
  3. Have a reputable anti-virus program. Our team has the most confidence in NOD32, which you can purchase through Nerds On Site, of course.
  4. Implement OpenDNS. DNS is the “phone book” of the Internet. The key to Conficker is its ability to “phone home” for new instructions. Of course it uses the Internet’s phone book, so even if you were to be infected, using OpenDNS can thwart its ability to expand. We can help with this, too.
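
One way to confirm that step 4 is really in effect on a Windows PC (an added example, not part of the original post): parse `ipconfig /all` output and classify each network adapter by the DNS servers it lists. The OpenDNS resolver addresses are the service's published ones and do not appear in the post; the sample output and adapter names are constructed.

```python
import ipaddress
import re
# OpenDNS's published resolver addresses (not listed in the original post).
OPENDNS = {"208.67.222.222", "208.67.220.220"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, trimmed sample of `ipconfig /all` output.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220

Wireless LAN adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Office VPN:
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       203.0.113.53
"""

def dns_by_adapter(text):
    """Map each adapter heading to the DNS servers listed beneath it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        field = re.match(r"\s+(\S.*?)[ .]+: ?(.*)$", line)
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False
        elif field:  # labelled field; only "DNS Servers" opens a server list
            in_dns = current is not None and field.group(1).lower() == "dns servers"
            if in_dns and field.group(2).strip():
                adapters.setdefault(current, []).append(field.group(2).strip())
        elif in_dns and line.strip():  # unlabelled continuation = another server
            adapters.setdefault(current, []).append(line.strip())
        else:
            in_dns = False
    return adapters

def audit(text):
    """Classify each adapter as opendns, check-router or bypass."""
    report = {}
    for name, servers in dns_by_adapter(text).items():
        other = [ipaddress.ip_address(s) for s in servers if s not in OPENDNS]
        on_lan = all(any(a in n for n in RFC1918) for a in other)
        # LAN-only extras mean a router forwards DNS; check its upstream setting.
        report[name] = "opendns" if not other else "check-router" if on_lan else "bypass"
    return report
```

An adapter reported as `check-router` points at a device on the local network, so whether OpenDNS is in use has to be confirmed in that router's own DNS settings.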

If you have an internal IT department, they may have already implemented these steps or should be able to follow them quite successfully.

If you wish to check to see if you are infected, you can simply download Microsoft’s Removal Tool here:

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

If you would like an on-site visit or a telephone call with remote support, simply dial the toll-free number in your country or request support online at:

www.nerdsonsite.com

Update: Thanks for the mention of this blog by Mike Stubbs at AM1290 CJBK on the air today.


Google-bombing Conficker

Careful what you search for and click on — at least if you’re using Google you benefit from its association with Badware.org.

Of course, as I searched for “Conficker nmap” just now, the first hit is:

[Screenshot: googlesearch-confickernmap]

As I click on it, here’s the warning:

[Screenshot: googlesearch-confickernmap-badware]

If you click on “Why was this site blocked”, you will get the following advisory (only a portion of it in the screenshot):

[Screenshot: googlesearch-confickernmap-advisory]

Lesson to be learned: when a search term becomes really popular, apply extra caution in:

  • the search engine you use
  • the links you click on
  • the browser you use (Firefox with NoScript extension recommended)

Conficker Virus Could Be Trouble On April 1st!

The Conficker virus is set to activate on April 1st, 2009. This could be very bad, but it is unknown to what extent it will damage PCs. To learn more, including how to remove the infection, see here:

Conficker information and removal links


The PCI DSS and What It Means to Small Businesses

Overview of the PCI DSS (Payment Card Industry Data Security Standard)
- The PCI DSS is a standard set of controls established by the major issuers of credit cards, including Visa, Mastercard, Amex, Discover, and others.
- The standard applies to any business that accepts credit card payments.
- The current version is 1.2, effective October, 2008.
- The standard is broken down into 12 requirements, grouped into 6 areas.
- The standard was created and is maintained by the PCI Security Standards Council. This body does not enforce the standard and does not impose any consequences for non-compliance. This function is performed by the card brands.
- There are 4 levels of compliance criteria. Merchants at levels 1-3 are required to have quarterly vulnerability scans. These scans are performed by an Authorized Scanning Vendor.
- Most small businesses will be Level 4 merchants (merchants that process fewer than 20,000 transactions per year). Level 4 merchants are not required by the PCI DSS to have quarterly scans, but scans may be recommended or required by processing providers.
- The compliance of Level 4 merchants is determined by using a self-assessment questionnaire. There are four questionnaires. The questionnaire which applies is determined by the methods that the merchant uses to process payments. Merchants that store credit card data on their systems are subject to a much larger number of requirements.
- There are 4 types of questionnaires – A, B, C, and D.
- The Type A and B questionnaires are for merchants that do not store any cardholder data on their systems, use only dial-in processing terminals which are not connected to the internet or any other network, or use only manual imprint machines. Most small businesses will use these self-assessment questionnaires. Even these small merchants are subject to some of the PCI DSS requirements:
  – Requirement 3 - Protect cardholder data: Certain card information should never be stored in any form. This includes the full magnetic track data, the three or four-digit card validation (also called CVV) codes, and PIN data. The full card number should also not be displayed on receipts or in any place where it can be viewed by anyone who does not have a legitimate business need to view it.
  – Requirement 4 - Encrypt the transmission of cardholder data across open, public networks: POLICIES, practices, and procedures must be in place to preclude the sending of unencrypted credit card numbers through EMAIL.
  – Requirement 7 - Restrict access to cardholder data by business need-to-know.
  – Requirement 9 - Restrict physical access to cardholder data: Access to data must be strictly controlled, cardholder data must be marked as confidential, and data must be destroyed when it is no longer needed for business purposes (paper copies must be crosscut shredded, incinerated, or pulped).
  – Requirement 12 - Maintain a policy that addresses information security for employees and contractors: This means WRITTEN policies, security awareness training, incident reporting procedures, and contractual agreements with service providers.

Note that this is one more reason that EVERY business needs to have some sort of WRITTEN security policies in place.

At this point there is no PCI compliance police force that visits every merchant that processes credit card payments. Compliance enforcement is the responsibility of the card brands, and this responsibility gets passed down the chain through the payment processors. Eventually, merchants will be expected to comply and compliance will be enforced.

In the meantime, the PCI DSS provides a standard for data security. ANY merchant, no matter how small, has a responsibility to protect cardholder data and can be held liable if they fail to do so. In the past, we have discussed DUE DILIGENCE and its importance in limiting liability. ANY small business that does not take the steps to comply with the PCI DSS standard is subjecting itself to greater levels of risk and liability.

If you want more information about the PCI DSS, here are a few websites to get you started:

http://www.itgovernance.co.uk/pci_dss.aspx
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1293836,00.html
https://www.pcisecuritystandards.org/saq/instructions.shtml
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Dennis H in West Virginia, US


TinyURL and Bit.ly Security Issues WYSINWYG (What You See Is NOT What You Get)

We have all seen URLs like this one:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9129269&taxonomyId=17&pageNumber=1

It is, well, a bit long. Sites like TinyURL.com and

For the security conscious among us, this represents a troubling security issue. Normally, hovering the mouse cursor over a link will show the actual URL, regardless of the text used in the link. This is a very important security tool. The following link is a little deceptive:

Click here to apply for jobs at IBM

By default, the links generated by TinyURL or Bit.ly obfuscate the true URL of the link – nothing shows up when you hover the cursor over them. This is like getting on an unmarked bus because someone told you it is going Downtown. Maybe it is, and maybe it isn’t.

TinyURL.com does offer an opt-in preview feature that can be activated on their website, and Bit.ly has created an experimental plug-in for Firefox, so there is some hope. Support on smart phones is only partial for both products. We can only hope that these options mature and previews eventually become the default behavio(u)r. We do our best to educate users to avoid clicking on active links, or at least verify them. From a security and anti-phishing perspective, eliminating the verification option is just a bad idea.

Dennis H in West Virginia, US

March 13, 2009
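
The hover check described in the post above, automated for a batch of links, as an added example that is not part of the original post: it flags links whose visible text names one host while the `href` points to another, and links that go through the two shorteners the post names. The sample HTML and every host in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"tinyurl.com", "bit.ly"}  # the two services the post names

# Constructed sample message body; every host and path is a placeholder.
SAMPLE_HTML = """
<a href="http://www.example.com/careers">Apply at www.example.com</a>
<a href="http://login.example.net/jobs">http://www.example.com/jobs</a>
<a href="http://tinyurl.com/abc123">Click here to apply for jobs</a>
<a href="http://bit.ly/xyz789">www.example.com</a>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname without a leading "www."."""
    name = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return name[4:] if name.startswith("www.") else name

def audit_links(html):
    """Return (text, href, reason) for links a reader cannot verify by reading."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        # A hostname or URL written in the visible link text, if any.
        shown = re.search(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+\S*", text)
        if host(href) in SHORTENERS:
            findings.append((text, href, "shortened: destination hidden"))
        elif shown and host(shown.group(0).rstrip(".,;)")) != host(href):
            findings.append((text, href, "text names a different host"))
    return findings
```

A link flagged as shortened still needs its destination checked before it is trusted, for example with the preview feature the post mentions.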


Nerds On [the] Air in Kingston, Ontario, Canada

http://tech989.nerdsonsite.com/

Check it out: one of our very own, Andy Larin, with just the perfect radio voice, in our opinion. But you be the judge, and please feel free to comment!


Help Educate Your Clients About Security Risks

Phishing sites usually do not run on “known” bad URLs. According to this study, 76% of the phishing sites on the internet are being run from compromised servers. IE7, OpenDNS, and most UTMs maintain anti-phishing blacklists, but if phishing sites are free to move around on compromised servers that also house legitimate sites, anti-phishing blacklists are of limited value. AGAIN, AWARENESS AND EDUCATION ARE THE FIRST LINE OF DEFENSE. We also cannot depend upon AV software to protect the unwary. This book excerpt shows a phishing attack from August, 2008 that slipped a trojan past 34 of 37 popular AV software packages (including NOD32). AV is part of the arsenal against attacks, but it is far from bulletproof. If your doctor prescribes Lipitor for your high cholesterol, you should take it – but that does not guarantee that you will never have a heart attack (credit for that analogy goes to Scott Ledyard).

Dennis H in West Virginia, US

March 4, 2009
