
How to Increase Employee Productivity

If your business offers unfiltered access to the Internet, chances are there are minutes or hours in the day where non-work activity takes place. Some employers have a work environment where this unchecked and unfiltered state is actually part of a culture of trust and confidence that the staff will get the work done efficiently and keep a high level of productivity.

Two weeks ago we offered a free trial of a Unified Threat Management appliance to a client of ours, an insurance brokerage of about 15 staff. They had operated without any filters for many years and wanted to at least know what was happening. So we followed these simple steps to allow for a smooth transition and to keep everyone aware of upcoming changes.

Step 1 – Have an Acceptable Use Policy written and signed off

An Acceptable Use Policy – AUP – serves the purpose of making sure all staff know what is acceptable at the workplace, and what isn’t.

Step 2 – Implement a Unified Threat Management Appliance in Monitoring mode

An appliance can be installed at your office premises without disrupting any existing access, and simply give the employers insight into how the Internet is being used throughout the premises.

Step 3 – Apply appropriate filters

This final step should be in complete accordance with the Acceptable Use Policy.

Special case considerations

  • Social media use is often restricted as it is seen as personal and has no role during working hours. However, most businesses now have a legitimate reason and role to play on Twitter and Facebook to maintain their own business presence.
  • Time-of-day access. The complete filtering of all social media access may have a negative effect on morale, and some companies choose time-of-day rules to allow social media access during lunch hour, for example.
  • Logs may be misleading. If it’s your first time implementing a UTM, you will likely notice log entries of websites being visited, and when confronting the employee whose computer is named in the log, you will encounter denial. The denial can be legitimate, because millions of workplace computers are infected with malware that causes them to operate silently under the control of botnets. Protection from web-based viruses, malware and spyware is another strong reason to implement and keep a UTM at every office.

It’s also worth pointing out that 3G connectivity through mobile phones is ubiquitous in many areas of the world. So blocking Facebook on the work computer may simply cause the employee to use their own mobile phone instead. This is why an acceptable use policy is important to have in place. Consistent use of a mobile phone also leaves an optic that is not hard to detect by fellow employees and supervisors.

Do you have any specific need you don’t see covered here? Chances are it can also be achieved with a UTM.


Dennis’s Security Corner Returns – Cybercrime, Android Malware, and How Children Are Vulnerable Online

[this post is from Dennis Houseknecht, a Nerd in West Virginia, USA]

The Security Corner has been quiet for some time. Lots of other things competing for time.

I want to change the focus a bit – to alerting you to the security news that crosses my desk pretty much every day.

For instance, here is one about how children are vulnerable to internet attacks that everyone should read.

Here is an article about “malware” (or “aggressive adware”, depending on who you want to believe) that is of interest to all Android users.

And here is one about personal data as the main commodity of cyber criminals.

Please share this post with your friends and family, as everyone can benefit from knowing about these issues.


Children ‘At Risk From Cyber-crime’

[One of our company founders, David Redekop, found this online, and we feel it's important to share it with our readers.]

“A child can now be at greater risk sitting in a bedroom on a computer, than outside the school gates,” the Home Secretary has said.

Theresa May said cyber-crime was a serious problem which caused more losses than burglars stealing televisions and DVDs from homes.

The new National Crime Agency (NCA) would help tackle this and make people “feel safer”, she said.

In a key speech on police reform in central London, Mrs May outlined plans to give communities tougher protection from anti-social behaviour to put an end to the “horror stories” of victims being ignored despite making repeated complaints to the authorities about problem neighbours.

It comes after HM Inspectorate of Constabulary (HMIC) said last week that only a low number of crimes were recorded from anti-social behaviour cases and the identification of repeat, vulnerable and intimidated victims was “poor” at the first point of contact.

Mrs May said: “As well as growing, the threat from organised crime is also changing.

“Increasingly, the biggest criminal losses do not come from the burglar who breaks into houses to steal TVs or DVD players, but from the cyber criminal who raids bank accounts directly.

“A child can now be at greater risk sat in their bedroom on their computer than they are outside the school gates. And given the nature of the criminal threat, it is now no longer possible to keep communities safe through good local policing alone.

“Highly visible neighbourhood policing is vital, but it won’t deal with cyber crime. Arresting drug dealers is important, but it won’t stop the flow of drugs from overseas.”

She went on: “That’s why we need a powerful new crime-fighting force that works across different police forces and agencies, defending our borders, co-ordinating action on economic crime, protecting children and vulnerable people, and active in cyber space. That body will be the National Crime Agency.”


Acceptable Use Policies are Not Enough if They are Not Enforced

According to a survey conducted by 8e6 Technologies (www.8e6.com), employees are using company computers and resources to conduct non-work related activities. Some of these activities simply waste time, but others are malicious, or threaten company security or data.

Here are some of the more extreme cases:

  • One employee was caught running a gambling website and acting as a bookie for his co-workers.
  • To bypass the company’s web filter, one employee was caught using his desktop computer as an FTP server for the other employees. He had downloaded and saved over 300G of material.
  • One employee was busted for giving away confidential information such as price lists, contracts, and software code for application development.
  • Another employee was busted for having a side business stealing and selling company inventory on eBay.
  • One woman was caught running an online outcall service from her desk.
  • One employee was caught renting the corporate IP address to hacker friends to generate DoS attacks.

Although these are extreme cases, many companies have fired employees for violating company policies. It’s much more common than people realize.

As an employer, if you have an Acceptable Use Policy, which is strongly recommended, it must be enforced. Simply having it may not deter employees from finding ways around it in hopes of not getting caught.

There are excellent solutions that ensure that your Acceptable Use Policy is not violated, intentionally or otherwise. These solutions offer web filtering (gaming sites, gambling, or downloading viruses), email filtering (keywords or inappropriate jokes, etc.), and many other must-have features.

Give us a call and let’s talk about your network security and Acceptable Use Policy, and find ways to make sure your company’s resources aren’t being wasted by your employees.


Notification of Irregular Account Activity – another Phish

Phishing is alive and well. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

I wrote this article to help you help others. As it turns out, only a small number of people encountering phishing attempts report them. Here I will show you step by step how easy it is to report phishing attempts to minimize a thief’s ability to steal your friends’ and associates’ money and identities.

I received a phishing attempt this morning as you can see here:
It reads as follows:

Dear Customer,

BMO Bank of Montreal detected irregular activity on your Account on 23 January 2012. For your protection, you must verify this activity before you can continue using your BMO Bank of Montreal Account.

Click on the link below to access and verify your statement.

https://www1.bmo.com/cgi-bin/netbnx/NBmain?product=1

This instruction has been sent to all bank customers and is obligatory to follow.

Thank you
Customers Support Service
BMO Bank of Montreal.

The phishing technique is hidden, as usual. The URL shown above in the email is actually the correct URL. However, when clicked in the email itself, the link is to a phishing site at this URL:

http://chiron.mn/wp-content/plugins/akismet/NBmain.html

Usually this URL is shown if you rest your mouse on a URL (as in the screenshot above when I rested my mouse over it). Naturally I checked to see if this wasn’t already reported on StopBadware.org by using Google’s SafeBrowsing tool. The URL I used is:

http://www.google.com/safebrowsing/diagnostic?site=chiron.mn

You can use the URL above yourself and just replace chiron.mn with the site you are checking. If you see a long URL, the only portion that matters is what’s AFTER the http:// and BEFORE the next slash:

http://someurl.com/something/somethinglonger
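The check described above, comparing the address a link displays with the address it actually points to and reducing a long URL to its host, can be written as a small script. This is an added example, not part of the original post: the HTML fragment is constructed from the two URLs quoted in this article (the email's real markup is not shown here), and the function names are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches a URL written out in the visible text of a link.
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Return only the host of a URL: no scheme, credentials, port or path."""
    host = urlsplit(url.strip()).hostname
    return host.lower().rstrip(".") if host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html_body):
    """Report links whose visible text shows one host while the href goes to another."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown = URL_IN_TEXT.search(text)
        if not shown:
            continue  # the link text is not a URL, so there is nothing to compare
        shown_host, real_host = host_of(shown.group(0)), host_of(href)
        if shown_host and real_host and shown_host != real_host:
            findings.append(
                {"shown_host": shown_host, "real_host": real_host, "href": href}
            )
    return findings


# Constructed sample: the displayed URL and the real target are the two quoted
# in this article; the surrounding HTML is an assumption for illustration.
SAMPLE_HTML = """<p>Click on the link below to access and verify your statement.</p>
<p><a href="http://chiron.mn/wp-content/plugins/akismet/NBmain.html">https://www1.bmo.com/cgi-bin/netbnx/NBmain?product=1</a></p>
<p><a href="https://www1.bmo.com/">BMO home</a></p>"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_HTML):
        print("Link shows {shown_host} but opens {real_host}".format(**finding))
        print("Host to look up or report:", finding["real_host"])
```

The `real_host` value is the part to put after `site=` in the diagnostic URL above.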

You can try my posted URL above for yourself and I expect very shortly it should find and show the malware on this specific site I’m reporting here. However, on my first visit, this is what I found:


This means that StopBadware is not yet blocking this site for unsuspecting users, but the good news is anyone can help resolve that quickly. Here’s what I did immediately: I browsed to:

http://www.google.com/safebrowsing/report_phish/

And here’s how I completed the form (and ask you to do the same for any new phishing URLs you may encounter hidden in emails):


When you’ve completed the submission, you will see a confirmation, but note that the listing isn’t immediate. It takes some time for the phishing site to be verified by others.

Please note that, like many phishing attempts, this one targets people everywhere and at different banks. It so happened that I deal with this bank so I am a perfect target. The next one may be to you and your bank.

The best advice I’ve heard is from Brian Krebs:

Never install software you don’t seek out.

By extension the same goes for clicking links. If you are concerned about an email like this having some validity, then close your email program, launch your browser and go to your banking site by typing the URL, using your Bookmark/Favorites or whatever method you normally use. Avoid clicking on links in email.

Please help spread the word and educate everyone you know on the concept of Phishing.

P.S. Please note that all URLs in this article that are ‘clickable’ are safe. I have purposefully removed the click-ability on the bad ones.


How You Can Secure Your WiFi Network (WPS Fix)

As a follow-up to Kevin’s previous article on Wi-Fi Protected Setup (WPS) Vulnerability, I wanted to quickly provide an update as to how you can protect yourself. If you just want someone to take care of it for you, that’s what our business is all about, and we’re here for you, of course (you may call us or request a call/service on-line).

Kevin’s article pointed out that disabling WPS is essential. However, it appears that in most cases either there is no ability to turn it off, or the switch has no effect (in Linksys, for example). So if you want to secure yourself, here is a guideline of what you may be able to do to mitigate the problem:

  • Locate the make and model of your wireless access point or router (whichever device provides your wireless services) and jot it down.
  • Locate your router or wireless access point in this list of devices and review the status of vulnerability and vendor patch.
  • If you find yourself vulnerable and are able to successfully turn it off, that’s the best-case scenario.
  • If you find yourself not having an option to turn off WPS, but you want to protect your network from potential intruder access, you have two options:
    1. Turn off your router or access point (and therefore have no wireless usage at all)
    2. Replace your router with a non-vulnerable unit

Apple Airport not vulnerable

Although Apple has so far been strangely silent on this, our own testing and that of others shows that PIN-based WPS is only on if the light is blue, which in turn is turned on using the Airport Utility. This is good security by design and is the reason for our recommendation that home and SOHO routers/access points be replaced with Apple Airport devices. This recommendation is limited to areas that are typically served by one or two access points and do not require enterprise management functions.

Meraki not vulnerable

Nerds On Site has been a proud partner of Meraki, the wireless network equipment provider of choice for SME and corporate clients that require a little more than a SOHO wireless infrastructure. Fortunately, Meraki products do not have WPS functions at all and therefore are not vulnerable to this WPS concern.

Why do I care if someone intrudes on my network?

I actually personally met a successful business person this week (let’s call him Bill) who admittedly didn’t care if his network was breached, until I pointed out the dangers (and I’m sure there are more):

  • His network and Internet access could be used by a criminal to carry out criminal activities, while Bill would carry responsibility because his Internet connection was used.
  • His online activities can be captured by casual sniffing, and in a short while enough data can be gathered to steal his identity or the identity of anyone using his network.
  • Any equipment that hosts data of any sort is much more vulnerable to attacks “from the inside” when your network is widely accessible.

How have you secured your wireless network? Any other comments/questions?


Wi-Fi Protected Setup (WPS) Vulnerability and How to Protect Your Network

Most routers released in recent years are at risk, due to a vulnerability discovered in the WPS (Wi-Fi Protected Setup) feature. WPS makes it easy for people to connect their computers to their router without having to get very technical about it, but – it turns out – security was sacrificed for simplicity, as an attacker can gain full access to the network by using a brute force attack.

Millions of devices are potentially affected, and it could take a long time to fix them all. That said, the solution is simple: disable WPS.

You can disable WPS by logging into your router over the network and changing the setting.

There are many tools that are freely available to eavesdrop on network traffic, and can take advantage of this fault in WPS, and if a brute force attack is successful, intruders can connect to devices on a network, or monitor the internet traffic in hopes of learning passwords or other information.

This serious vulnerability was discussed in full detail on the latest Security Now podcast, hosted on the TWiT.tv podcast network. As soon as show notes are made available, we will link to them in this post.

WPS is often activated by pressing a button on the router, allowing Windows to quickly and easily connect to the wireless network and automatically figure out the relevant settings, requiring only a PIN and the wireless password.

If you’re unsure of how to disable WPS, refer to your router manual, or ask a tech-savvy friend or professional (such as a Nerd) to help you turn it off.

Hopefully vendors will quickly provide software upgrades to rectify the problem, and newer products will have corrected this flaw in WPS, making it safe to use again.


DynDNS free service alternative

DynDNS no longer offers a free service. Most nerds and many of our clients over the years have used the great free (as well as pro) services of DynDNS. Many of our clients only need the single hostname service to a single location for access to webcams at home, for example.


While there are free services like no-ip.com and zoneedit.com, the reason why DynDNS is preferred is that many devices offer only DynDNS-specific support.

So, if you’re looking for that single hostname solution to access your webcams at your office or home broadband Internet connection, hop on over to:

https://www.dlinkddns.com/


D-Link Dynamic DNS is actually powered by DynDNS and still allows for a single hostname to be registered to a unique account and email address.

This makes sense because D-Link makes a decent set of webcams and it’s an essential part of what their clients need.

So thank you to D-Link and DynDNS for this remaining free alternative!


Smartphone Tips for International Travel

An estimated 75% of Canadians live within 100 miles of the border with our friends to the south, the United States of America. This is why we often travel there for various reasons, from business ventures to vacations or shopping and dining. Our Australian and South African clients are also frequent international travellers.

One painful inconvenience of international travel is the high cost of mobile phone operation – both voice and data. Here’s a text message I received as soon as I recently crossed into the USA:

Quick math tells me that 100 minutes of talk time will cost me $145 – wow! My main smart phone in Canada is with Rogers, and they do offer Travel Paks (www.rogers.com/roaming/). With one of those purchased in advance, you can get as low as $0.50/minute if purchasing a bundle of 100 minutes. Still very limiting and costly if you plan on staying for several days or weeks.

Value of Unlocked phones

The value of unlocked phones becomes obvious when you realize you can purchase a pre-paid or monthly plan from a number of carriers for about the same price as 100 discounted roaming minutes with Rogers. If you purchased a smartphone at a discount with a contract extension, your phone is likely carrier-locked. It means that using a SIM card from another carrier will not work. In Canada/US, iPhone 4 and 4S models are unlocked only when purchased from Apple directly or from an authorized retailer (not mobile phone stores). SIM locks vary from country to country, but generally speaking, unlocked phones do not qualify for purchase subsidy, and therefore cost more.

If you are an international traveller and plan on purchasing a new phone, make sure it is not carrier-locked, but rather a completely unlocked phone in which other carriers’ SIM cards will function.

The next step is to simply purchase a pay-as-you-go SIM or MicroSIM card for your phone when you reach your destination. In my specific example as a Canadian travelling in the USA, the best option was to purchase a $60/mo T-Mobile plan with unlimited talk, text, web up to 2GB of data.

For the frequent international traveller

These guidelines apply if you travel internationally frequently and don’t find it practical to give a large group of people a temporary foreign contact number at which to reach you while away. You want international travel to be possible without disruption, so that your important circle of associates, friends and family can still reach you.

  1. Establish your main contact number to be PBX-driven, not your mobile phone. Having your main number be a virtual number is important for you to establish customized call routing rules. In the US, a popular service is Google Voice, and in Canada a similar set of features (except SMS) is available via RingCentral. If you have an established network of people who only know your mobile number, many countries offer number portability. In Canada, see http://www.wirelessnumberportability.ca/.
  2. Use Find-me, Follow-me features on your PBX (or virtual PBX service) to forward your main phone number to the country and mobile number you’re currently at.
  3. Avoid SMS messaging from your mobile phone directly as it starts to fragment your phone number identity. Many countries now have services of virtual SMS numbers that integrate with email. It means that SMS messages you receive are translated via email, and you can use email or web interfaces (or apps) to respond. Google Voice does this well (available only in the US).

The difficulty in seamless international travel is that phone systems have their roots in a geographically-zoned world, but the modern virtual and international entrepreneurs don’t know such borders, so it’s a major problem still to be solved. :)

Have I missed anything valuable in international travel that you want to contribute in the comments?


Your Phone May Be Watching You – Carrier IQ

There has been no shortage of coverage on the discovery of Carrier IQ’s software being present in 140 million+ handsets. Engadget has a great article that’s been kept up-to-date with developments, but we thought it was worthwhile to summarize our thoughts and comments driven by what our clients want and need to know.

    1. Context. It always helps having context to a “discovery” such as this one, so let’s go back in history for a bit. Since the earliest mobile phones and technology devices in general, diagnostics logging has been an integral part. Technology by its very nature is evolving constantly and rapidly. The best way for engineers to improve a technology product is to know as much about its performance as possible. Furthermore, within mobile phone technology, most carriers have been open about collecting diagnostics-related information and included it as part of the license agreement. 15 years ago it didn’t bother us. Our response tended to be “I don’t have anything confidential on my phone. I call people and businesses, and the carrier has to know that anyway in order to provide the service.” That no longer applies today. Let’s fast-forward to today.
    2. Smartphones have become personal and private. The more personal they are, the more likely they contain confidential information, whether private texts or online banking transactions. Even though the discovery by security researcher Trevor Eckhart showed the logging of every single keystroke, Carrier IQ’s statements and follow-up interviews assert that contents of text messages are not transmitted off the handset.

  • Action you may want to take: If you are on an iOS device (iPhone, iPod, iPad), update to the latest iOS version using iTunes. Then with a few taps disable the logging with Settings -> General -> About -> Diagnostics and Usage -> Don’t Send (see screenshot here). If you are on an Android handset, you may be able to install detector software from the Android Market and, if you believe you have it installed, call your carrier and convince them to change it. Only the carrier can make the changes on carrier-locked handsets. If you’re on a BlackBerry, RIM has denied use of Carrier IQ software in BlackBerries.


Hopefully this is helpful, but please leave comments if I’ve left out anything important you would like included.
