Archive › March, 2010

Free Website Transfers

Have you ever switched hosting providers and discovered just how grueling a process this is? Nerds On Site offers a unique service to all our future clients – we’ll move you to our service completely free of charge! Allow our team to handle all the technical details of such a move. Our team will also test your website to ensure that it has survived the move with no issues.

Contact our team today to ask for more details!


Virtual Machine (In)Security (Part One)

Are virtual machines more or less secure than their physical counterparts? The answer, of course, is YES. Several Nerds have asked for my perspective on recent research from Gartner indicating that 60% of virtual servers are less secure than the physical servers they replace. This research has gotten a lot of press and raised some serious concerns, as it should.

The most important point to be taken from this research is that the decrease in security is NOT due to the fact that these servers are being run as virtual machines. Rather, the problems arise from the failure of administrators to recognize the additional risks which virtual environments present. The same tools that make it easy to quickly create, modify, and reproduce virtual servers can provide new opportunities for attackers. Most of the rules for securely managing physical servers still apply, but virtual environments present a new set of risks to be managed. If you are planning a virtualization project for a client, these risks MUST be taken into account. The GOOD NEWS is that we have virtualization and security experts that can help. Leverage the POWER OF THE TEAM!!

First, access to virtual machine images MUST be strictly controlled. It is certainly possible for someone to remove a physical server from the rack and walk out the door with it, but this risk is easily managed. A virtual machine can be placed on a “thumb drive” or copied across the network – a risk that is not so easily managed. Good administrators carefully protect server backup images and data backup files by controlling access to them and / or encrypting them. Virtual machine disk files are not always treated with the same care. Multiple testing and development versions may exist and when they are discarded, the deletion process may not be secure.
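One way to check for the loosely protected and stray disk files described above, as an added example (not part of the original post). The extension list, the "approved datastore" idea and all function names are assumptions made for illustration, and the sample tree is constructed:

```python
import os
import stat
import tempfile

# Common VM disk, appliance and memory-state extensions (assumed list, extend as needed).
VM_EXTENSIONS = {".vmdk", ".vhd", ".vhdx", ".vdi", ".qcow2", ".ova", ".vmem", ".vmsn"}


def audit_vm_images(root, approved_dirs):
    """Return sorted (path, issues) pairs for VM image files under root.

    approved_dirs lists the only directories where images are expected to live.
    """
    approved = [os.path.realpath(d) for d in approved_dirs]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in VM_EXTENSIONS:
                continue
            path = os.path.realpath(os.path.join(dirpath, name))
            mode = os.stat(path).st_mode
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if not any(os.path.commonpath([path, a]) == a for a in approved):
                issues.append("outside approved datastore")
            if issues:
                findings.append((path, issues))
    return sorted(findings)


def demo():
    """Audit a constructed directory tree (sample files, not real disk images)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        store = os.path.join(root, "datastore")
        scratch = os.path.join(root, "home", "dev")
        os.makedirs(store)
        os.makedirs(scratch)
        samples = {
            os.path.join(store, "web01.vmdk"): 0o600,         # locked down
            os.path.join(store, "db01.qcow2"): 0o644,         # readable by any local user
            os.path.join(scratch, "web01-test.vmdk"): 0o600,  # forgotten test copy
        }
        for path, mode in samples.items():
            with open(path, "wb") as fh:
                fh.write(b"constructed sample")
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), issues)
                for p, issues in audit_vm_images(root, [store])]


if __name__ == "__main__":
    for path, issues in demo():
        print(f"{path}: {', '.join(issues)}")
```

The check uses POSIX permission bits; on a Windows host the equivalent review is of the file ACLs.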

Because it is so easy to spin up a new or saved VM with a few mouse clicks, extra caution is required to ensure that it is the RIGHT VM, and the RIGHT VERSION. Have all the right access controls been applied? Are all the patches current? Has it been hardened? Is it on the right network or VLAN? With physical servers, there is only one version of that server. With virtual machines, there could be many, each with different levels of access control, patching, and hardening.

Virtual machines run on top of a host operating system or a hypervisor, which is simply a specialized and very “thin” host operating system. The host operating system or hypervisor has access to all the guest virtual machines, so it has to be protected and managed even more carefully than the guest operating system. This includes patching, updating, and tight access control.

Virtual networking creates management challenges similar to those of virtual machines. The network connections between virtual machines running in the same physical server have to be controlled, on the basis of security policy, the same as connections on a physical network. Communications between guest servers on the same host are largely invisible to network monitoring and access control devices.

Virtual servers require the same maintenance as physical servers – they have to be audited, patched, and secured in the same ways and on the same cycles. The real security issue with virtual machines is that they are TOO easy to manage. They can be cloned or moved to a different network with a few mouse clicks. However, a configuration that was secure in one environment may be very insecure in another. Snapshots can revert a virtual machine to a previous state with incredible ease, but this can undo security patches or access controls with the same ease. Spiderman creator Stan Lee said it well – “With great power there must also come–great responsibility.”

This discussion would not be complete without mention of some of the security BENEFITS that virtual machines provide. “One service per server” is the mantra of security professionals and network administrators alike. It makes for better security and easier management. In the world of physical servers, this principle is rarely followed, especially in smaller networks. The reasons are obvious – running a separate server for each network service is too expensive and consumes too much space and power. Virtual servers make adherence to this policy much more possible. Backup and disaster recovery are also huge security concerns, both of which are made much easier with virtual machines. If a security breach does occur, recovery is much easier, assuming proper backups have been maintained.

The benefits of virtualization are undeniable and there is no question that the trend toward virtualization will continue to grow and will become the standard for deploying and managing servers. At least within the corporate environment, desktop virtualization will not be far behind, for many of the same reasons. Virtual servers and desktops CAN be MORE secure than their physical counterparts, but virtual security, like physical security, has to be built on the three P’s – Policies, Processes, and Procedures. These three P’s must be documented, tested, audited, and enforced. This is not rocket science. In fact, it’s Security 101 – inventory the assets, identify the threats, mitigate the vulnerabilities, and manage the risks.

 

Dennis

Dennis H in West Virginia, US

March 29, 2010

(Need help planning or securing a virtualization project? Contact me and I will connect you with the right folks)


More News for You’s

I sat down to write an article on Virtual Machine security / insecurity (coming soon), but there was just too much interesting news to pass up.

Charlie Miller – hacking genius, good guy, or bad guy? Charlie Miller, perhaps the best-known white-hat hacker, took the $10,000 prize for the fastest compromise of OS X 10.6 for the third year in a row. Charlie says he is fed up with the poor security practices from Apple, Microsoft, and Adobe. He is declining to reveal the flaws he has uncovered, but will tell the vendors how to find the vulnerabilities. He thinks they will benefit more from this than they would if he simply told them what the flaws are.

Charlie found most of these flaws by using a “dumb fuzzer” that he wrote. Vendors use fuzzers as well, but apparently Charlie’s is better.

We are always telling clients to update their applications, as well as their operating systems. The bad news is that there is now malware that overwrites software updaters. This is doubly bad news – people will be infected by doing the “right thing” and updating. Worse, they will be afraid to update in the future because of the experience. Let’s hope that software vendors find a way to solve this problem quickly.

Mozilla Plugin Check is a place where you can go to check Firefox for the latest versions of plugins. Mozilla is going to take this service one step further and check other browsers as well.

Spam pays. Why? Because even savvy users can’t resist the temptation to CLICK THOSE LINKS, OPEN THOSE ATTACHMENTS, AND FORWARD THAT MESSAGE ON TO INFECT OTHERS! People just won’t learn.

Another threat to warn clients about: Rogue toolbars. Sheesh!

What are the biggest scams on the internet? Fake anti-virus popups are one of them, but I was shocked to see that “hitman” “pay me or I will kill you” scams are also on the list. Double sheesh!

If you want to read the sick stats on SPAM, here is an article for you. What is the probability that a .rar email attachment is infected with malware? Almost 97%. Go figure. It is not one of the most common malware-laced attachments, though. Those would be .xls, .doc, .zip, .pdf, .exe, .jpg, and .ppt.

I am looking for GOOD NEWS in the security world to match the title of the post, but not seeing much. I guess the Good News is that YOU are there to HELP your clients be the ones who STAY SAFE. Come to think of it, that really is Good News.

 

Dennis

Dennis H in West Virginia, US

March 29, 2010


Does Your Host Provide FTP?

I am somewhat shocked that I’m writing this article. Who would have thought that in 2010 there are major hosting companies that still do not provide FTP services to their clients? Does yours?

First, what is FTP? FTP stands for File Transfer Protocol, the standard way to move website files to and from a hosting provider, and has been in use since 1971. There are many free FTP programs, such as FileZilla, as well as many commercial products, like WS FTP Pro. In addition, most WYSIWYG (What You See Is What You Get) editors, like DreamWeaver, use FTP to move the finished files to the hosting provider.

Now, if FTP is the standard, is free, and virtually all development software requires it, why wouldn’t some hosts provide this access to their clients? The answer is somewhat disheartening – by disabling FTP access, the host has made it extremely difficult for you to ever consider moving to another hosting provider. In other words, you’re locked in.

Just today our team completed moving a client away from a major ISP in Ontario that did not provide FTP access to their clients. The move was still possible, but it just took much longer as our team had to move each file manually away from the old provider and onto our hosting platform. Would you consider moving providers any time soon? I would like to recommend to you that if your current host doesn’t provide FTP, it’s a sign that you should move today. However, the fact is that there are many circumstances in which you would like to move in the future, such as consolidating your IT needs with one provider.

Ask your hosting provider – do you provide me with FTP access? If not, why not?


Hosting NerdCare Assurance: Series Roundup

Over the past 7 days, we’ve tried to explain some of the features of our NerdCare Assurance packages. We’ve talked about our monitoring, backup, disaster recovery, hack detection, preventative maintenance and content updates, and these are just the major points in our Assurance packages.

Our packages are designed to increase your Productivity, Pleasureability and Profitability, and in addition to our pre-packaged Bronze and Silver solutions we offer customized packages for your unique needs. All of our packages include guaranteed response times and flat rates to allow your business to budget easily. Since downtime and recovery due to hacking can cost thousands of dollars per incident, our Assurance packages give you peace of mind with flat rate costs.

If the information we’ve shared over the past few days hasn’t already clearly shown the lengths we are willing to go for our clients, consider this. All clients covered by our Silver package will be contacted by a member of our team at least once a month to ensure that we are doing all we can for your website and your business. Imagine your current hosting provider initiating contact once a month to make sure that all your needs are being met!

This level of support translates into real protection of your image and brand, as well as assuring the quickest possible response times and smallest amount of downtime. At the end of the day, Hosting NerdCare Assurance will have a direct effect on your bottom line, by ensuring that your website is up all the time!


Hosting NerdCare Assurance: Content Updates

In our continuing series on Hosting NerdCare Assurance, we want to mention an incredible feature of our Silver package. Monthly content updates allow your business to simply shift the responsibility and burden of updating your website to our team, freeing up you and your staff to work on other aspects of the business.

A regularly updated website receives a higher ranking with the search engines, and naturally attracts more traffic. Clients will only visit websites that present them with fresh information on a regular basis. While the responsibility for creating that content remains yours, our NerdCare package will mean that you no longer have to perform the work required to upload it to your website.

Our team can take your new information, such as new products, photos, contact details, team members, blog entries and much more, and upload it to your website on your behalf. Having a team perform this service for you results in you having more time to devote to the other aspects of your business. Now, when you create a new newspaper advertisement, you just have to provide it to our team, and it will be copied on your website as well.

This level of support translates into real protection of your image and brand, as well as assuring the quickest possible response times and smallest amount of downtime. At the end of the day, Hosting NerdCare Assurance will have a direct effect on your bottom line, by ensuring that your website is up all the time!


Security News
Stuff to Make You Say “Really?”

Your grandmother could run a botnet. Really? You probably thought hacking skills and technical know-how were needed to be botmaster. Nope – just $2500 US, an email address, and a desire to do some evil. Don’t worry – Nana’s (probably) not herding bots, but it’s not because she lacks the necessary skills.

This may explain why cyber crime losses almost doubled last year. The number of web-based botnets doubled in the second half of 2009 and web-based botnets now outnumber the “old school” IRC-based botnets. Really? Yeah, really.

You might want to hold off on Firefox 3.6 for a while. Really? There is a known vulnerability that will not be patched until March 30.

100% guaranteed malware detection? Really? That is the claim that Dr. Markus Jakobsson makes for his new technique. He is being taken seriously by some major companies, too. This is a nerdy read, but an interesting one.

Humans are still the weak link in security. Really? That’s not exactly big news, but it is worth repeating.

Lock down the security on that……copier? Really? Think about it – high end all-in-one office machines are copiers, scanners, and printers. They often have hard drives containing TONS of sensitive data and they are generally not on the radar screen when it comes to security. Permissions are often wide open. The next time you visit your SME clients, CHECK THE COPIER! If it has a hard drive, there is probably a lot of stuff on there that your client would like to keep private.

Takin’ names and kickin’ a** – Really? Publicizing the names of ISPs that allow their clients to do mischief is one way to get them to stop taking money from the bad guys – at least in places where people care about that sort of thing.

One more time – be careful where you put that payment card. Really? Here is another case of credit card fraud involving fake PIN pads that were planted in a chain of stores in the UK. Actually, the fake pads were visually identical to real ones, so no amount of care would have saved you. Some are now arguing that credit cards are safer than debit cards, since the crooks cannot empty your bank account and credit card companies provide more protections against credit fraud than against debit fraud, especially if a PIN number was entered. This article explains further.

 

Dennis

Dennis H in West Virginia, US

March 23, 2010


Things to Come

The Nerds On Site Development team has a few things on the go right now that we are pretty excited to release in the upcoming weeks. One of these is our streamlined approach to getting small businesses and even individual business owners web-ready at an affordable price. Imagine the simplicity of being able to search hundreds of web page layouts and pick the one that best suits your needs. Once that is done, you simply provide us with your logo and the content for your site and we do the rest. We also give you the knowledge and power through basic training to then control the site and complete real-time updates without the hassle of waiting on someone else. Believe us when we say we will make you the master of your domain!

Whether you are just making yourself visible to the world, or you are looking at having more complex requests, we can get you set up in a timely and cost-effective manner.


Hosting NerdCare Assurance: Proactive Maintenance

In our continuing series on Nerds On Site’s Hosting NerdCare Assurance, I would like to talk about our preventative maintenance provisions in our Silver NerdCare package. As a Pembrokeshire proverb says, “Eat an apple on going to bed, And you’ll keep the doctor from earning his bread.”

CMS-based websites, such as those built on Joomla, Drupal and WordPress, have become very popular. Due to their popularity, however, they have become a prime target for hackers. Generally speaking, if a hacker can determine a vulnerability in one of these technologies, they can write a worm that automatically searches for and hacks all other websites built on the same CMS.

The developers behind all the popular Content Management Systems work hard at releasing updates to their product to combat this hacking activity. However, this becomes an extreme inconvenience to many clients, both because you just want to focus on running your business, and also because some of these patches can take advanced technical knowledge to deploy. Our Silver NerdCare package covers all these updates, and our team will patch your website as they are released. This procedure allows us to close all known vulnerabilities in your website before hackers can take advantage of them.

This level of support translates into real protection of your image and brand, as well as assuring the quickest possible response times and smallest amount of downtime. At the end of the day, Hosting NerdCare Assurance will have a direct effect on your bottom line, by ensuring that your website is up all the time!


Hosting NerdCare Assurance: Hack Detection

While all the pieces and tools in our Hosting NerdCare package work together and are equally vital to your peace of mind, our hack detection system does stand out in the industry for its uniqueness. At the time of this blog, we are not aware of another company offering a product even close to ours, and the benefit to you over your competition is really quite amazing.

Clients protected by our Hosting NerdCare Assurance will have their website scanned every hour of every day. In a nutshell, our system will take cryptographic signatures of every single file in your website, and compare them on an hourly basis. If a hacker manages to change even one bit in one of your files, our team will be immediately notified of the change, and we can swing into action. The vast majority of business owners only find out that their site was compromised once Google or Badaware.org block their site, and once that happens, it can literally take weeks to reverse the damage and have the site back up and running.

Nerds On Site’s Assurance packages allow our team to know the moment a breach is made, and equally as important, we are notified as to which exact file was compromised. This level of detail allows us to repair the damage before anyone knows about it, ensuring that your site isn’t blacklisted.

This level of support translates into real protection of your image and brand, as well as assuring the quickest possible response times and smallest amount of downtime. At the end of the day, Hosting NerdCare Assurance will have a direct effect on your bottom line, by ensuring that your website is up all the time!
