Archive › January, 2010

Security News Clips
Stuff You Should Know

ATM fraud continues to grow. Take a close look at that ATM machine before you feed it your card. This bank in Texas lost $200,000 to this scam.

Here is a social-networking risk you may not have considered. Hackers may attack your friends if you have access to sensitive data and visit social networking sites.

If you are a Chrome user, make sure you are up to date.

Have I mentioned the importance of keeping browser add-ons up to date? Here is an article about the exploit packs that can be purchased and installed on compromised websites. These exploit packs send a barrage of attempted exploits at your browser. If one does not work, the next one may. It is effective – many of these vulnerabilities have long since been fixed, but there will always be some folks who are not up to date.

100% accurate spam filtering? Well, for the time being, anyway – turning the spammers’ dirty tricks against them.

Who pays when a bank account is compromised? There are a number of pending cases in which the account holder has filed suit against the bank for not maintaining adequate security, but this Texas bank has preemptively sued the account holder.

Dennis

Dennis H in West Virginia, US

January 27, 2010

Comments ( 0 )

Does Your Hosting Company Offer On Site Service?

When’s the last time your hosting company came on site to your business to help you with your email issues? When it comes to support, there are really only 2 levels of support in the hosting industry – email support and phone support. Both can be extremely frustrating, but with Nerds On Site there is actually a third way – on site support. Our Nerds can and will come directly to your place of work, set up your email, and offer support for hosting issues.

The next time you are on hold with your hosting company for ½ hour, think of calling Nerds On Site, and have someone come directly to your business and help you!

Comments ( 0 )

Is there a Difference between Uptime and Availability?

In an attempt to describe how good or reliable their product is, hosting companies use two terms: uptime and availability. Today many people (both in and out of the business) think that these two terms mean the same thing and are completely interchangeable. When studying the reliability of a hosting company, it is important to understand that these terms are not synonymous, and this is a vital point to discuss with your hosting company.

First, what does ‘uptime’ signify? Uptime is the most common term used, and it tries to convey the impression that this is the time your website will be up and available to your clients. In reality, however, uptime generally signifies the time that the actual server is up and powered on and available to the system administrators. Having a server up and powered on does nothing for your company if the actual services that your site requires are not up. Take, for example, the scenario in which the web server your site is currently on is up and running, but the Apache web service is stopped. This counts as uptime for the server and the hosting company, but your website is still down, causing you to lose business, while the hosting company gets to pad their statistics.

Instead, ‘availability’ is the term that you should be looking for. According to Dictionary.com, ‘availability’ means the servers are ‘present and ready for use’, ‘willing to serve or assist’, or in other words – the server is up and ALL services with it. Nerds On Site measures its services’ availability, not the uptime of our servers. Thus, our trust site (trust.nerdsisp.com) measures the amount of time ALL our SERVICES are up and running for you and your businesses.

In the past week, I had the opportunity to observe a major company publish a live 100% uptime statistic, while in fact one of their most crucial services was down. They were correct in publishing the 100% uptime statistic, since the server in question was indeed running, but since the services on that server weren’t running, no one could access it. Thus uptime was 100%, but availability for that period was 0%.

It is true that some hosting companies use the term ‘uptime’ but mean and measure ‘availability’, but the general misuse of terms means that the discerning client would be misled by these statistics. I encourage every business IT Manager to immediately contact their hosting company and ask them to justify their use of the two terms, and to back up their statistics.

Comments ( 0 )

Important Updates from both MS and Apple

First, a couple from Microsoft:

This one dates back no less than 17 years and is related to a virtualization technology that allows 16-bit applications to run on 32-bit Windows platforms (virtualization is NOT a new technology). 64-bit versions of Windows are only minimally affected, but 32-bit versions that have 16-bit execution enabled are vulnerable.

This vulnerability in IE is serious enough to prompt Microsoft to issue an emergency patch today. Yes – that means it is serious.

 

If you are a Mac user feeling smug about those MS security woes, you should know that Apple has also issued a security update that addresses a dozen serious security issues as well.

More “stuff you should know” coming soon…..

 

Dennis

 

 

Dennis H in West Virginia, US

January 21, 2010

Comments ( 0 )

Security News – Stuff U Should Know About


You may have noticed that the focus and the format of the Security Corner has changed a bit. I will be posting current news items and short tips twice per week, mostly in the form of links. Two or three times per month, I will post longer articles as well.

The MiFi – cool tool, but, it has a GPS, so your provider has a record of where you are and where you have been. As it turns out, they may not be the only ones that know.

Be careful where you get your QuickTime movies. There is a buffer overflow vulnerability in older versions of QT. A malformed .mov file can be used to execute code. The current version has not been shown to be vulnerable to remote code execution, but may crash. If it can be crashed, remote code execution is usually around the corner.

Not all threats come from the outside. “Trusted” employees can represent even greater threats because they have privileged access.

ATM fraud – more common than you think. Check out this skimmer – complete with a camera to record PIN number entries. Pay attention when visiting that ATM!

The “Google attack” had broad implications. The Chinese attack on Google is one of the biggest security stories in recent months. I have had little to say about it, because it has been so well covered by the media. The broader implication is that even a company like Google (not to mention Adobe and many others) is vulnerable to zero-day attacks. Never ASSUME your clients are safe – check for signs of unusual activity and NEVER, NEVER stop raising their level of awareness.

 

Dennis

 

Dennis H in West Virginia, US

January 18, 2010

Comments ( 1 )

Adobe critical patches

Microsoft’s “patch Tuesday” was pretty low-key this month (unless you are still running Windows 2000), but Adobe has released some critical patches. Keeping applications, especially those used for internet access, patched is now as important as keeping the operating system patched.

Clients often ask why their anti-virus program failed to catch a piece of malware that infected their computer. Here is one of the tools that malware-writers can use to test their wares to see which AV programs are able to detect them as malware. This company does not hide the fact that this service is for malware writers and the results are NOT reported to the AV vendors. This makes it much easier for the “bad guys” to test their code and stay ahead of the AV vendors.

Depending upon your point of view, these “security researchers” are forcing software vendors to address security flaws quickly, helping the “bad guys” wreak havoc on internet users, or are just plain acting irresponsibly. These folks are releasing one “zero-day exploit” per day for 30 days – without giving the vendors any advance warning. They say that vendors do not respond unless the exploits are released publicly. The next month could be a busy one.

Want to test a site before you visit it? Here are four sites where you can paste URLs before you visit them to get a report.

 

 

Dennis

 

Dennis H in West Virginia, US

January 14, 2010

Comments ( 1 )

Gmail Finally Set HTTPS as Default

Google announced yesterday (http://nosurl.com/9s) that they were finally making HTTPS access for webmail the default setting, which encrypts all email as it travels between the client’s computer and the Gmail mail servers. We applaud this move, but it’s another example of how extremely large companies are slow to implement changes, even necessary changes. Nerds On Site has provided only HTTPS webmail access for over a year now, and while Gmail is finally catching up on this critical security need, most major hosting providers still haven’t taken care of this issue. In addition, Gmail still allows non-secured webmail access (through HTTP), which allows uninformed clients to inadvertently expose themselves to privacy concerns.

Comments ( 0 )

Domain-based Reputations

One of the latest techniques in fighting spam is domain-based reputation systems, something that Nerds On Site integrated into our systems over 2 years ago. However, the buzz around domain-based reputation has increased significantly, with major ISPs such as Yahoo, Gmail and AOL adding such protection to their spam filters. In brief, domain-based reputation differs from other anti-spam techniques for two reasons.

First, domain reputation is inherently a positive approach to anti-spam. It is, in a way, much like getting a signed letter of recommendation when visiting a stranger, something that positively proves that you are who you say you are. The technique for this is something called ‘DomainKeys Identified Mail’ (DKIM). Essentially, your hosting company sets up your domain to automatically digitally sign every single email you send as being certifiably from the real you. Thus, when your email arrives at a mail server that supports domain-based reputation in their anti-spam systems, your email will have the greatest chance of passing the filters, since it has been cryptographically authenticated as having come from the real you, and not a spoofer.

Second, domain reputation is independent from IP addresses. In the shared hosting world, many hundreds or even thousands of domains can share one IP address. That means that just one of the clients on the same mail server as you needs to send out spam to ruin the IP reputation of the entire mail server, and thus of all the domains on the mail server. A domain-based reputation eliminates this problem, making the spam filtering more granular and specific.

According to WatchGuard’s Reputation Authority, the domain-based reputation score for Nerds On Site is perfect, which is a rating that we strive to maintain. This does not mean that all our clients automatically attain the same status, but it proves to our clients the diligence we take in maintaining and securing our mail servers, something that will immediately lend itself to your own domain reputation if you host with us.

Comments ( 0 )

2010 – The Rise of Email

In his annual email predictions blog entry for 2010 (http://nosurl.com/9c), Matt Blumberg has predicted a sharp increase in the amount of email traffic that will flow across the Internet in the upcoming year. Every year more and more pundits declare the death of email, but they couldn’t be more wrong. According to email-marketing-reports.com, 247 billion emails are sent every single day. Many people will point to the incredible rise and growth of social media, but fail to realize that these services generally rely on email for notifications and alerts. Thus, as social media continues to grow and integrate into an increasing array of business activities, it falls to email to continue to hold it all together and provide a single point of contact. The marketing companies certainly believe this trend, and that is why marketing experts are predicting a strong growth in email marketing.

What this all means for the average business person is a sharp increase in email being sent to their inbox, and a steadily growing percentage of it will be spam. That is why it is increasingly important to ensure your email is being handled by a hosting company that provides for three things:

  • Unlimited email traffic
  • Unlimited email storage
  • Adaptive spam protection

Our clients can look to Nerds On Site for exactly this and more, with over 6 layers of spam filtering and protection and hosted Exchange services for even the most demanding of office environments.

Comments ( 0 )

Creating an Information Management Plan – Part 6
Controls – What Kind of Armor Do We Need?

News:

W3C Standard for a Database Engine Within the Browser – Cool, but Will it Create More Security Holes?

The Fix for the SSL Renegotiation Flaw Has Been Finalized

Encryption Keys Will Continue to Get Bigger (Note that This Refers to RSA Asymmetric Keys – 128-bit Symmetric Keys are Still Strong)

Google Chrome Takes the Lead in Browser Sandboxing

Google Localized Search – Do You Want Google to Know Where You Are (and Have Been)?

 

Controls – What Kind of Armor Do We Need?

Up to this point, we have classified the types of sensitive data under our care, determined where that data lives, and documented the various channels over which it is transmitted. Now that we have found it, how do we keep it safe? The mechanisms used to protect data are controls. Controls fall into three categories:

Administrative Controls: These are policies and procedures that are designed to let everyone who comes into contact with data know what access and what actions are permissible. These have to be backed up by physical and technical controls.

Physical Controls: These are tangible protection mechanisms, such as locks, video cameras, etc. Physical security is often overlooked by IT professionals.

Technical Controls: In terms of data protection, these generally fall into two categories – access controls and encryption controls.

Access Controls are used to prevent data from being viewed, transmitted, or printed.

Encryption Controls are used where we cannot control access, or as an additional control in case our access controls are not effective. If data is properly encrypted, it does not matter whether it is viewed, copied, or printed. There are two aspects to maintaining proper encryption controls – encryption strength and key management. These have been discussed in depth in other Security Corner articles.

The types of controls available will vary, depending upon the environment. The cost of controls varies greatly. Cost is sometimes measured in terms of dollars (or Rand, etc.), but more importantly, the cost of a control must be measured in terms of the effort required to implement it and the amount of inconvenience it imposes on those who use the system.

The details of these controls are beyond the scope of this article. They have been the focus of past articles and will certainly be the focus of future articles. The important point in terms of our Information Management Plan is to determine what controls are available and which ones have acceptable costs.

In Part 7 of this series, we will take the three types of information we have gathered – data classifications, data locations and transmission channels, and controls, and use them to generate a matrix. From that matrix, we will generate information protection policies.

Dennis

 

 

Dennis H in West Virginia, US

January 11, 2010

Comments ( 0 )