Archive for April, 2010

Have your clients think of their computers as employees

Friday, April 30th, 2010

Sometimes it helps to be old enough to remember how things were done in "pre-historic" times BEFORE there were computers on every desktop. To get a little perspective on the value of technology, ask clients how many more employees they would need if they had NO computers in the office. Even in a small office, most businesses would need at LEAST one additional employee. In a larger office, that number would be much higher. The work done would also be more costly in terms of paper, travel time, etc., not to mention more error-prone. Much of what computers do could simply NEVER be done by humans at a reasonable cost.

Now ask your client what those employees would cost, in terms of salaries, benefits, and, well, the other "costs" of having additional employees. The cost of the computer and a NerdCare plan to keep it running smoothly starts to look incredibly affordable in this context. In addition, the headaches that occasionally arise with computers don't seem quite so bad when you compare them to the headaches and complexities that come with their, er....human counterparts.

So ask the question: What would you have to pay humans to do all the things these computers do every day? $4,000, $6,000, $10,000 per month? Makes that NerdCare plan to keep those "digital employees" well fed and happy seem like a pretty good bargain.

 

Dennis

Dennis H in West Virginia, US

April 30, 2010


Tidbits From the World of Infosec

Wednesday, April 28th, 2010

Companies, System Administrators, (and your Clients) could all learn a lesson from the "Click-It or Ticket" campaign - launched a few years ago in the US to encourage the use of seat belts in automobiles to save lives. This article by Bruce Schneier discusses the fact that states with the strongest enforcement had the greatest success. The amount of money spent on media advertising was a less important predictor of success. Of course, with security awareness, or with any other attempt to change behavior, it's not an either / or proposition. The important point is that enforcement is a key component. Without it, rules have little benefit.

Of course, the popularity of the iPad has brought about a new attack vector for the purveyors of malware. The attack does not actually affect the iPad, but is another way to trick Windows users into downloading malware. I suppose there is a touch of irony in using the iPad to attack Windows.

This story is a bit US-centric, but I suspect it's only a matter of time until the same issue pops up in Canada and in other countries. The state of Massachusetts in the US has passed a law requiring ANYONE storing or transmitting Personally Identifiable Information about its residents to encrypt and protect that information. The fines for failing to do so are substantial. This is interesting because this law seeks to reach beyond the borders of the state. It will be interesting to see how this plays out in the courts over time. In any case, the growing problem of identity theft is likely to spawn similar laws around the world.

If you have clients who redact data from PDF documents before sending them, they should know that the "redacted" data may still be visible.

In another round of the ever-escalating "armor vs. ordnance" malware battle, some malicious websites are now able to detect search engine "bots" and hide the malware from them. Detecting malware on websites is a priority for Google and Firefox, who use APIs to blacklist malicious sites.

On another front of that same battle, fake malware vendors are gaining ground and the legitimate AV products are having more difficulty detecting the "rogues".

Breaches are going to happen. Here is an example of what a responsible dissemination of information looks like. Sadly, you rarely see this sort of transparency.

 

Dennis

Dennis H in West Virginia, US

April 28, 2010


Bits and Bytes – News from the World of Security (and elsewhere)

Wednesday, April 21st, 2010

Zeus + PDF = another security challenge. PDF files have become one of the leading attack vectors on the internet, and everyone needs to know to be careful. Zeus, one of the nastiest banking trojans, is now being spread this way.

"No updates for you!" Microsoft is a bit gun-shy after recent blue-screen problems that were actually the result of underlying malware infections. Some new updates will not install if "certain abnormal conditions" exist in the kernel (a likely indication of a malware infection). Running "mrt" from the "Run" box on XP or from the search bar on Vista / W7 will remove most of these infections.

Here is a good summary of the security features of W7 that we should all be familiar with.

Not many Nerds are big fans of Norton Internet Security, but it's good to see what they are up to. The 2011 version has some interesting new features, which are likely to consume even more resources than previous versions. The additional complexity will probably confuse users as well.

Fix a problem - create a bigger one. Microsoft has incorporated cross-site scripting (XSS) protection into IE8, but researchers have found a way to turn this "fix" into an even bigger problem. Security is not easy.

In case you were wondering - yes, there are "security / spyware (depending on your perspective)" apps for the BlackBerry.

Here are 3 reasons employees break security rules: They don't know about them, the rules are not enforced, and the rules hinder productivity.

Public networks + smart phones = business risk. Everyone likes to be mobile, and what we used to call a "cell phone" is now a portable computer. The problem is, security on smart phones is often less robust and / or mis-configured.

Finally, here is a link to part two (so you can link back to part one) of a two-part series on protecting children online. It is a good summary and should be passed on to your clients who have young children.

 

Dennis

Dennis H in West Virginia, US

April 20, 2010


Beware the PDF

Wednesday, April 7th, 2010

PDF files have become the de facto standard for sending documents. We think of them as being relatively innocuous because they are generally not editable. The specs for these documents are very powerful, though. Contained within these specifications is the power to run code within the document. If that sounds a little scary - it should.

PDF documents have become one of the most widely used attack vectors for malicious code writers. This has been mostly related to security holes in the programs used to interpret .pdf files, specifically Adobe Acrobat Reader and (to a lesser degree) Foxit Reader. Most of these attacks can be thwarted by disabling the JavaScript execution features of these readers.

The native code-execution features of PDF files are supposed to be sandboxed. We have seen, though, that a "sandbox" is not the digital equivalent of a maximum-security prison. There have been several instances where Java code has managed to "escape" from the sandbox.

Recently, Didier Stevens showed that it is possible to embed malicious code within .pdf files without relying on JavaScript. Jeremy Conway has also shown that it is possible to create PDF worms that can overwrite and infect other PDF files.

The bottom line - advise all clients to be very cautious about opening PDF files, especially those that are unexpected or from untrusted sources. Attacks have been surfacing in the wild and we may reach the point where even PDF files from trusted sources are a threat.

Both Adobe and Foxit are scrambling to address this issue. In most cases, Adobe (and now Foxit, with the latest patch) will warn before executing code, but the attacker can manipulate the text in the warning dialogue, so there will be efforts to trick users into allowing the code to execute. Warn clients about this!!!
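An added example, not part of the original post: a Python triage check that could run on PDF attachments before they reach a reader. It counts the PDF name tokens that can trigger code, including /Launch (the action type behind Stevens' script-free demonstration), and undoes #xx name obfuscation first. The function names, verdict labels and sample bytes are constructed for illustration.

```python
import re

# PDF name tokens worth flagging. /JS and /JavaScript mark script actions;
# /Launch starts an external program with no script involved.
RISKY_NAMES = ("JS", "JavaScript", "Launch", "OpenAction", "AA", "EmbeddedFile")

# A PDF name is "/" followed by regular characters; "#xx" is a hex escape.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample fragments (inert: the action has no target).
SAMPLE_LAUNCH = (b"%PDF-1.4\n1 0 obj\n"
                 b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
                 b"3 0 obj\n<< /Type /Action /S /L#61unch >>\nendobj\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is read as /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes.

    Limitation: names inside compressed streams are not seen, so a clean
    result is not proof that the file is safe.
    """
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:  # a risky name that was hex-escaped is suspicious
                obfuscated.add(name)
    counts["obfuscated"] = sorted(obfuscated)
    return counts


def verdict(counts: dict) -> str:
    """Hypothetical policy: hold anything that can execute or hides a name."""
    executes = counts["JS"] + counts["JavaScript"] + counts["Launch"]
    return "quarantine" if executes or counts["obfuscated"] else "pass"


if __name__ == "__main__":
    for label, blob in (("launch", SAMPLE_LAUNCH), ("clean", SAMPLE_CLEAN)):
        print(label, verdict(triage_pdf(blob)), triage_pdf(blob))
```

A "pass" here only means no risky name was found in the uncompressed parts of the file; it complements, and does not replace, disabling JavaScript in the reader and keeping the reader patched.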

 

Dennis

Dennis H in West Virginia, US

April 07, 2010
