Archive › February, 2010

So MUCH Security News!

Green is good, but not for security. Here is an example of why turning off computers at night can save a few dollars in power costs, but at a much higher cost. Turning off computers can prevent updates from installing correctly.

Watch out for Chuck (Norris, that is). This malware targets routers, rather than computers. Make sure that default passwords are not used and that remote administration is turned off (duh). The good news is that a reboot will send Chuck packing.

Did you know that Windows 7 has a new feature that allows it to act as a wi-fi client and as a wi-fi access point at the same time? The result is a bridged network. Think about the security implications of that.

There is a new zero-day exploit in Firefox 3.6.

There is also an issue with Adobe Download Manager that you should know about.

The Kneber botnet is a major new threat that is reported to have infected more than 74,000 computers. It is a Zeus variant and may work cooperatively with Zeus.

On the other hand, this new Russian botnet tries to kill the rival botnet Zeus.

Finally, I have written about ATM fraud several times, but check out the numbers in this article. ATM fraud is a serious problem costing banks millions. Take a close look before you put in that card!

 

Dennis

 

 

Dennis H in West Virginia, US

February 23, 2010

Comments ( 0 )

Detouring your website lookups – ISP DNS Proxy


We apologize in advance that some aspects of this article contain NerdSpeak but we hope that the gist of the article is of value to you.

What is this DNS proxy all about?
DNS is fundamental to the Internet, similar to your address book or phone book. We don’t want to know all the IP addresses behind websites, so DNS does the lookup for us. Internet Service Providers have always provided this lookup service as part of their service offering, but many people and companies prefer to use alternate lookup servers such as OpenDNS or Google. Some ISPs are now intercepting their customers’ lookups when those customers use an alternate lookup server, answering the lookups themselves (through a proxy) rather than allowing the alternate provider to answer.

How do I know if my ISP detours or proxies my DNS?
OpenDNS has an article that describes this for you, and this was our result when we suspected the ISP had turned on DNS Proxy services and this verified it:


Why is this bad?
Proxying these DNS lookups is bad for us for the following reasons:

  1. It prevents customer choice
  2. It breaks DNS filtering features that are extremely useful for a number of reasons including customer-controlled filtering and botnet protection
  3. It is a bit like a dictatorship on the Internet

Why might ISPs do this?
ISPs actually do have some legitimate reasons why they would want to do this:

  1. Minimize technical support costs. Your computer’s DNS servers may be set up with one set of servers at work and they may not work at home, or vice-versa. This is when the ISP incurs technical support costs that they would rather avoid. If they proxy your DNS, then your non-compliant settings magically work, and a technical support call and downtime frustration are avoided. However, this is just a band-aid and doesn’t solve the root problem.
  2. Protect their customers from botnets. Although the intention is good here, having an ISP responsible for your Internet security forces them to apply a one-size-fits-all policy which has ill side effects. It’s like our government dictating what kind of grass we can grow in our yard.

What should they do instead?
Opt Out. Considering that ISPs have reasonably good reasons for doing this, just offer customers an Opt-Out option. This way, all of us that have enjoyed the features of OpenDNS and Google DNS servers can continue to enjoy them and everyone is happy. :)

Are there any workarounds if the ISP does not offer an Opt-Out feature?
Yes, there certainly are ways to work around this.

  1. TCP vs UDP – some ISPs only proxy UDP-based DNS requests but not TCP. To find out, check this article: http://www.opendns.com/support/article/208. Note, however, that switching your services to use TCP only will affect your performance, and each DNS lookup will take longer.
  2. VPN – A VPN connection makes your type of traffic invisible to your ISP, so they cannot proxy DNS. If you have an internal DNS server that you want to use OpenDNS or Google recursively, make the VPN connection only from that server and not from your desktop. That way everyone on that network gets the benefit of the one VPN connection. Alternatively, if you make your own VPN connection, choose to NOT make it your default route (an option in VPN software) but do use the VPN’s DNS servers.
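
One way to check the TCP vs UDP point above is to send the same lookup over both transports and compare the answers. The sketch below is an added example, not code from the original article or from OpenDNS; the name test.example, the documentation-range addresses and the helper make_response are constructed for illustration.

```python
import socket
import struct

def build_query(name, qid=0x4E53):
    """Wire-format DNS query for an A record, recursion desired."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def frame_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + n

def parse_a_records(msg):
    """Sorted IPv4 addresses from the answer section of a response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)

def query_udp(server, name, timeout=3.0):
    """Send the query to server:53 over UDP and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_tcp(server, name, timeout=3.0):
    """Send the same query over TCP, handling the length prefix both ways."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)

def compare(udp_msg, tcp_msg):
    """Differing answer sets suggest only one transport reaches the real resolver."""
    udp, tcp = parse_a_records(udp_msg), parse_a_records(tcp_msg)
    return {"udp": udp, "tcp": tcp, "differ": udp != tcp}

def make_response(query, addrs):
    """Constructed sample data: a response to `query` carrying the given A records."""
    qid = struct.unpack("!H", query[:2])[0]
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in addrs)
    return struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0) + query[12:] + rrs

if __name__ == "__main__":
    q = build_query("test.example")                   # constructed name
    direct = make_response(q, ["192.0.2.10"])         # answer from the chosen resolver
    proxied = make_response(q, ["198.51.100.7"])      # answer from an intercepting proxy
    print(compare(proxied, direct))
```

For a live check, pass the results of query_udp(server, name) and query_tcp(server, name) to compare, using a name whose answer is stable and distinctive for the resolver you chose; round-robin or geo-balanced names can differ legitimately.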

What obviously motivated this article is that we’re huge OpenDNS fans – check out how you can take advantage of what OpenDNS has to offer both in free and commercial flavours… If you have any comments, please feel free to share. Thanks to Arthur Wiebe for his input on this article.

 

 

David R in Ontario, Canada

February 22, 2010

Comments ( 4 )

More Good Stuff to Know
(and a cool tool I found)

Let’s start with this cool device I found: Imagine this scenario – you copy your client’s precious data for a wipe and reload, reformat their drive, and when you begin to restore the data, your backup drive dies. Sound unlikely? It is – but this actually happened to me. I vowed to never format a client drive again unless I had at least TWO known good backups. That may be a good policy, but backing up twice would take twice as long – unless you had one of these adapters that creates a USB RAID 1 configuration. It will copy that precious data to two SATA drives at once.

Now for news:

This one just makes you shake your head – a rogue anti-malware vendor that actually provides live (fake) technical support. Of course, many people assume that this support indicates that the vendor is legitimate, which is, of course, why the ploy works.

The so-called “chip and pin” method of credit card authentication is used widely in Europe, and has been considered for use in the US (I am not sure about Canada). The method is considered to be a strong, two factor authentication method and banks often refuse to refund questionable charges when it is used. There have been several articles about the compromise of this system in the past couple of days, but this one from Bruce Schneier is the most informative.

It is worth noting that Adobe has some important patches available (don’t delay on these), and that one of the patches issued by Microsoft on Tuesday resulted in a number of BSOD problems. The problem was not with the patch, but an interaction with a piece of malware that was already present on some XP computers.

I am not sure this is even news, and it surely is not good news, but ID fraud hit a new high in 2009.

We used to feel that two-factor authentication made for reasonably safe banking, but even two-factor authentication and one-time passwords do not ensure safety. Attacks against banks are becoming increasingly sophisticated. The problem is that everything is done in the browser. If the browser has been compromised, there is no guarantee of safety. How can you ensure that the browser has not been compromised? The best way is to boot from a live Linux distribution on a CD. The browser cannot be compromised when the files are read-only.

Who pays when bank accounts are compromised? That is often a question for the courts. Here is a case with more than a half-million dollars at stake. Both the bank and the bank’s client would have benefitted from some good security consulting and education. Both parties broke common-sense security rules. The courts will have to decide who pays for their errors.

 

Dennis

 

 

Dennis H in West Virginia, US

February 16, 2010

Comments ( 0 )

Hack Detection and Prevention

Yesterday I posted a video exploring the possibility that a website could or would be hacked, and in it we presented some alarming statistics. At the end of the day, the general consensus is that nearly every website is at risk for getting hacked, and that it really is only a matter of time until your website is hacked. In fact, it is a vital part of your business strategy to assume that your site WILL get hacked, and to plan for that eventuality.

Of course, your first step is to have your website scanned for vulnerabilities, and to have as many of these eliminated as possible. Your greatest asset here is an experienced team of developers, which you can find in Nerds On Site, with our development team spread out between 9 countries, and containing experts in security and every type of web technology available. (Contact them for a free chat on your needs, development@nerdsonsite.com.)

However, Nerds On Site goes way beyond what any other team or hosting company would dream of doing. We offer pro-active hacking detection. In protecting your physical inventory, you don’t wait until after your warehouse is robbed to secure it, but you post guards and install security systems. Nerds On Site takes the same approach by scanning every single one of our clients for defacement activity every single business day. Imagine – a hosting company that will actively check your website’s homepage for you every day, and then will contact you with solutions if there is an issue.

The best news is that Nerds On Site offers even more thorough packages, with two levels of Nerd Care Assurance for our hosting clients. One of our features is a deep-level, file by file scan of your website every single hour of every single day, with cryptographic signatures of every file, so that our team will be immediately notified of even the tiniest change anywhere in your website.

In today’s business reality, where a competent website is vital to your business success, and the hacking of that same website is almost expected, isn’t it time you considered protecting your investment with Nerds On Site’s hack detection and prevention tools? Even more inviting may be the fact that our base defacement detection is absolutely free and included with every hosting account we sell!

Comments ( 0 )

How One eNerd Ended 2009 with a Bang!

Kevin O’Reilly, an eNerd with Nerds On Site in Brampton, Ontario, Canada, was preparing to go meet a client at 9 a.m. on the freezing –17˚C morning of the 29th of December 2009. Thinking “it sure would be nice to be sitting next to a warm fire on a day like today,” he went outside to start his diesel Volkswagen Beetle Nerdmobile, or as an eNerd may say, “give it a COLD boot,” but it would not start. So back inside Kevin went and gave his client a call to say he would be a little delayed, as he had to call for a boost.

Between 5-10 minutes later, Kevin heard a loud BANG! He went back outside and looked down the street to find out what the noise was, and saw nothing. Then all of a sudden, he could not believe his eyes… his Nerdmobile was engulfed in a cloud of black smoke and flames. Not exactly the warm fire to sit beside he had in mind!

Immediately he called 911. Then being the quick thinking eNerd he is, Kevin used his iPhone and took the action pictures you can see below, along with the “after” shots. Needless to say, the Nerdmobile was a write-off.

According to the firemen and Kevin’s mechanic, what happened is not a common occurrence for diesel vehicles, yet is known to happen, though not typically in diesel cars.

Even though Kevin had removed the key from the ignition, there seems to have been a short still supplying power to the glow plugs (diesels don’t have spark plugs). When the diesel got hot enough to vaporize, it ignited, setting the Nerdmobile aflame. The brunt of the damage was near the battery, or what was left of it! Talk about “firewire”!

Interestingly enough, the documents Kevin had on his front dashboard inside the Nerdmobile at the time of the incident remained intact and not even singed from the flames. Who knew even Nerdmobiles have such great “firewalls” to protect important documents!

After all the drama, Kevin called back his 9 a.m. client to let them know what happened, and that he would be further delayed, as he was waiting for the wreck to be towed, and a rental car delivered. At noon the rental car arrived and Kevin called his client once more to let them know he was on his way. When he finally made it to the client and showed them the pics, they asked him why he still came out to see them!

This goes to show how dedicated our Nerds On Site are and what a terrific example of an eNerd Kevin is. Just like that old saying, “Neither snow, nor rain, nor Nerdmobiles aflame, stays these Nerds On Site from the swift completion of their appointed rounds”!

Kevin is fortunate not to have been injured in this event, his house did not catch fire, and everyone at Nerds On Site is VERY grateful for his safety. Kevin is also thankful to the members of his team who were very supportive during this emergency.

Kevin commented during the worldwide Team Meeting what a GREAT Team we have. “You know you work with a great group of people when they are there to help, know you are safe,

…then the ‘much needed humour’ began, even from the CEO and Founders, Kevin’s story was such a HOT topic!

Some of their comments were:

“Hey Kevin… you know there are better and less expensive ways to shovel your driveway, right?”

“I don’t think that is the recommended method of defrosting your windows.”

“We are very happy no one was hurt, but the question is… Where are the pictures of the firemen???”

“Kevin, you’re one HOT nerd all FIRED up for 2010 apparently! :)”

“AHHHhhhhhh…. well – just like u bud – ONE IN A MILLION!! de-branded – now THAT’s a goodun!!!”

Whether you’re another eNerd driving a diesel Volkswagen Beetle Nerdmobile, or anyone else for that matter who drives a diesel vehicle, keep this story in the back of your mind for when it gets really cold out.

Never in the past six years with Nerds on Site did Kevin have any serious problems with his 2000 or 2006 Volkswagen Beetle, and both cars had always been properly serviced by VW Canada. Kevin is now actively looking for another Volkswagen Beetle Nerdmobile, and diesel is still preferred.

Day by day, Nerds On Site is working to make itself a more enjoyable and effective partner of choice for traditional and emerging technology for You! We’re in constant and passionate pursuit of more pleasurable, productive and profitable ways to fully leverage computers and all that’s tied to ‘em! We’re driven to become your PowerBrand of choice… and have FUN doing it! … even if our Nerdmobiles spontaneously combust!!!

Comments ( 0 )

Jail and Bail – Interview with David Everitt

Comments ( 0 )

Security News
More Stuff Worth Knowing

Tomorrow is Patch Tuesday (again). This is going to be another big one – 13 patches, 5 of which are critical.

Here is another reason that access to commercial bank accounts should be limited to computers that are used for nothing else. Online bank accounts should NOT be accessed by computers used for general-purpose web surfing! Having a dedicated computer may seem like an extreme measure, but not to the City of Poughkeepsie, NY (at least not now)!! Instead of retiring that old desktop or laptop, install a hardened and restricted version of Linux and make it the only computer that has access to bank accounts.

We all love those Firefox add-ons, but watch out for the ones in the “experimental” section – user beware.

Made in China? That may be a reason to think twice when it comes to hardware.

Think banks and retailers are the biggest target for hackers? Think again – think hotels and the hospitality industry. For those of you who have hotel clients, this is worth bringing to their attention.

Why should employers invest in the technology and your services to make SURE P2P and social networking are not part of the workplace? Show them this and this.

Think the dangers of public wifi are limited to the time you are connected to them? Then you MUST read this.

This has NOTHING to do with security, and I by no means want to encourage anything you consider a bad habit, but some of you will consider this good news – beer is good for your bones (but too much of it may lead to breaking them).

 

Dennis

 

 

Dennis H in West Virginia, US

February 09, 2010

Comments ( 0 )

Unlimited Disk Space

Does your hosting provider offer unlimited disk space? If not, you should strongly consider moving to a provider that offers this feature. In today’s online world, with video and photos becoming the main way we communicate, you may suddenly find yourself outstripping your provider’s space limitations. Running out of disk space will cause your site to become unavailable to your clients, or will cause your business to incur overage charges. Either way, you lose.

If your provider does offer unlimited disk space, probe carefully to determine if it’s truly unlimited, or if they have an artificial cap in the fine print somewhere. However, keep in mind that unlimited never truly means unlimited, since a physical hard drive can only hold so much data. However, the truly good providers will allow you to use as much space as the server will allow, and the bad providers will limit you to some arbitrary number that will cause you to limit your site in some way.

Comments ( 0 )

What to Look for in a Hosting Provider

In a previous article, I explained a few of the problems caused by the never-ending struggle by many hosting providers to lower pricing. Today I would like to explain a few of the qualifications that you should be looking for when searching for a new hosting provider for your business activities.

Availability
The easiest way to eliminate a hosting company from your list is if they fail to publish their availability or uptime statistics. Any company that refuses to be transparent on this issue is hiding something from you, and the uptime and availability of your business website is absolutely crucial to your bottom line. If the prospective provider does publish their statistics, ask these three questions: do your statistics cover ALL your servers (many will only show their best server, or a sampling), do your statistics reflect availability as opposed to uptime, and are your statistics gathered and guaranteed by a third-party?

Team
When any public entity or large corporation submits requests for proposals, they always want to know the size of the team that will be supporting them. It is crucial that you determine if the new hosting company is a one-man show, or a large, distributed team. No matter how qualified, experienced and personable the one-man operation is, when he or she goes on vacation, your business will be left in the cold.

Reseller
Closely following the team question is the task of determining whether the provider is actually just a reseller for another company. While resellers in and of themselves shouldn’t be discarded just on this merit, it is important to determine whether you are really just dealing with the middle man or with the actual hosting company.

Service
The next question is this – what kind of support can I expect when something goes wrong? Some of the better hosting providers will provide excellent 24×7 phone support, but does this really go far enough for your business? Will a phone support technician really be able to adequately help you diagnose that email client issue you are having, or help you set up your new employee’s address over the phone? Look for a company that can provide on-site support in the form of a qualified individual that can truly understand your needs. After all, no matter how good phone support is, your business cannot afford you spending time on the phone troubleshooting with a faceless individual, especially the time waiting on hold.

Services
Next, what services and flexibility does your provider offer? While the basics are now (generally) offered by any company you’ll look at, here are some crucial aspects that you may not get, and should look for: hack detection, unlimited bandwidth, unlimited disk space, SEO services and on-site service. On-site service clearly falls under two categories, but it is a crucial aspect for any business that wants a truly symbiotic relationship with their hosting provider. If your hosting provider offers unlimited bandwidth or unlimited disk space, inquire as to whether there is a catch – many will actually have a limit in the fine print.

Complexity
Just how complicated will it be to host with the new company? If your new hosting provider will not take care of ALL aspects of your hosting (domain names, registrars, DNS, email, web, anti-spam, anti-virus, etc.) then you will have a much more complex and un-productive life trying to marry all the different providers you have. To maximize your productivity, profitability and pleasurability, you will need to find a provider that will take care of all aspects of your hosting and website for one price.

Price
While price is the last thing I recommend checking, it is important to ensure that you are not being gouged, and that the price can be justified. Remember, the better the quality, the higher the price. It is then important to determine the perfect balance in this equation for your business.

Comments ( 0 )

Hosting Price vs. Quality

There is an alarming trend in the hosting industry, one that has been building for quite some time but is now starting to accelerate and permeate all areas of the trade. Almost every industry rag you pick up today will cheer on the ‘commoditization’ of hosting, talking about how the cost of hosting is dropping steadily, almost to the point of being free. Unfortunately, no one is asking at what expense this trend is happening, and as competitors lower their prices, other hosting companies feel obligated to find areas where they too can shave some costs.

I remember a conference I attended in Washington, DC two years ago, and I happened to have a chat with two representatives from a major US hosting provider. These ambassadors for their company were all too eager to brag to me about the many thousands of clients they were able to stuff on one machine, keeping their costs as low as possible. This virtual approach to cheek-by-jowl living hurts both the clients and the hosting companies in the long run, as thousands of clients are forced to share the meager resources of the cheapest servers the hosting provider could slide into a rack.

Another way companies try to save money is with cheap ‘white-label’ servers, which are not built with quality name-brand parts, carry no warranty, and break down far more frequently than their more expensive, name-brand counterparts. Google is famous for using such machines, but their setup is significantly different, as every machine is redundant to every other machine, and thus the failure of one server does not affect anyone.

Business clients looking for a place to host their website need to remember that price should be far down the list of things they look for. Compare hosting to the hiring of an employee. When searching for that new employee, you will first weed through a stack of submitted resumes, looking for a short list of suitable, qualified, professional looking candidates. This is much like the process of reading hosting providers’ websites for information on their services. Next, you will interview this short list, probing the candidate to see if he or she will be the best possible fit for your business. As you select an employee based first on her qualifications, so should you select a hosting provider based on their qualifications.

If a hosting provider is one of the cheapest providers in the industry, remember to ask what corners had to be cut to achieve that price level. It is somewhat disingenuous for a hosting provider to tell you that volume is what led to their price reductions, as volume generally means the company was able to stuff more clients per server than anyone else out there. In a future article I will tell you a few qualifications that you should look out for when choosing a new hosting provider for your business.

Comments ( 0 )