Archive for the ‘Tips’ Category

More Good Stuff to Know
(and a cool tool I found)

Tuesday, February 16th, 2010

Let's start with this cool device I found: Imagine this scenario - you copy your client's precious data for a wipe and reload, reformat their drive, and when you begin to restore the data, your backup drive dies. Sound unlikely? It is - but this actually happened to me. I vowed to never format a client drive again unless I had at least TWO known good backups. That may be a good policy, but backing up twice would take twice as long - unless you had one of these adapters that creates a USB RAID 1 configuration. It will copy that precious data to two SATA drives at once.

Now for news:

This one just makes you shake your head - a rogue anti-malware vendor that actually provides live (fake) technical support. Of course, many people assume that this support indicates that the vendor is legitimate, which is, of course, why the ploy works.

The so-called "chip and pin" method of credit card authentication is used widely in Europe, and has been considered for use in the US (I am not sure about Canada). The method is considered to be a strong, two factor authentication method and banks often refuse to refund questionable charges when it is used. There have been several articles about the compromise of this system in the past couple of days, but this one from Bruce Schneier is the most informative.

It is worth noting that Adobe has some important patches available (don't delay on these), and that one of the patches issued by Microsoft on Tuesday resulted in a number of BSOD problems. The problem was not with the patch, but an interaction with a piece of malware that was already present on some XP computers.

I am not sure this is even news, and it surely is not good news, but ID fraud hit a new high in 2009.

We used to feel that two-factor authentication made for reasonably safe banking, but even two-factor authentication and one-time passwords do not ensure safety. Attacks against banks are becoming increasingly sophisticated. The problem is that everything is done in the browser. If the browser has been compromised, there is no guarantee of safety. How can you ensure that the browser has not been compromised? The best way is to boot from a live Linux distribution on a CD. The browser cannot be compromised when the files are read-only.

Who pays when bank accounts are compromised? That is often a question for the courts. Here is a case with more than a half-million dollars at stake. Both the bank and the bank's client would have benefitted from some good security consulting and education. Both parties broke common-sense security rules. The courts will have to decide who pays for their errors.

Dennis

Dennis H in West Virginia, US

February 16, 2010

Security News
More Stuff Worth Knowing

Tuesday, February 9th, 2010

Tomorrow is Patch Tuesday (again). This is going to be another big one - 13 patches, 5 of which are critical.

Here is another reason that access to commercial bank accounts should be limited to computers that are used for nothing else. Online bank accounts should NOT be accessed by computers used for general-purpose web surfing! Having a dedicated computer may seem like an extreme measure, but not to the City of Poughkeepsie, NY (at least not now)!! Instead of retiring that old desktop or laptop, install a hardened and restricted version of Linux and make it the only computer that has access to bank accounts.

We all love those Firefox add-ons, but watch out for the ones in the "experimental" section - user beware.

Made in China? That may be a reason to think twice when it comes to hardware.

Think banks and retailers are the biggest target for hackers? Think again - think hotels and the hospitality industry. For those of you who have hotel clients, this is worth bringing to their attention.

Why should employers invest in the technology and your services to make SURE P2P and social networking are not part of the workplace? Show them this and this.

Think the dangers of public wifi are limited to the time you are connected to them? Then you MUST read this.

This has NOTHING to do with security, and I by no means want to encourage anything you consider a bad habit, but some of you will consider this good news - beer is good for your bones (but too much of it may lead to breaking them).

Dennis

Dennis H in West Virginia, US

February 09, 2010

Security News Clips
Stuff You Should Know

Wednesday, January 27th, 2010

ATM fraud continues to grow. Take a close look at that ATM machine before you feed it your card. This bank in Texas lost $200,000 to this scam.

Here is a social-networking risk you may not have considered. Hackers may attack your friends if you have access to sensitive data and visit social networking sites.

If you are a Chrome user, make sure you are up to date.

Have I mentioned the importance of keeping browser add-ons up to date? Here is an article about the exploit packs that can be purchased and installed on compromised websites. These exploit packs send a barrage of attempted exploits at your browser. If one does not work, the next one may. It is effective - many of these vulnerabilities have long since been fixed, but there will always be some folks who are not up to date.

100% accurate spam filtering? Well, for the time being, anyway - turning the spammers' dirty tricks against them.

Who pays when a bank account is compromised? There are a number of pending cases in which the account holder has filed suit against the bank for not maintaining adequate security, but this Texas bank has preemptively sued the account holder.

Dennis

Dennis H in West Virginia, US

January 27, 2010

Important Updates from both MS and Apple

Thursday, January 21st, 2010

First, a couple from Microsoft:

This one dates back no less than 17 years and is related to a virtualization technology that allows 16-bit applications to run on 32-bit Windows platforms (virtualization is NOT a new technology). 64-bit versions of Windows are only minimally affected, but 32-bit versions that have 16-bit execution enabled are vulnerable.

This vulnerability in IE is serious enough to prompt Microsoft to issue an emergency patch today. Yes - that means it is serious.

If you are a Mac user feeling smug about those MS security woes, you should know that Apple has also issued a security update that addresses a dozen serious security issues as well.

More "stuff you should know" coming soon.....

 

Dennis

 

 

Dennis H in West Virginia, US

January 21, 2010

Security News – Stuff U Should Know About

Monday, January 18th, 2010


You may have noticed that the focus and the format of the Security Corner has changed a bit. I will be posting current news items and short tips twice per week, mostly in the form of links. Two or three times per month, I will post longer articles as well.

The MiFi - cool tool, but, it has a GPS, so your provider has a record of where you are and where you have been. As it turns out, they may not be the only ones that know.

Be careful where you get your Quicktime movies. There is a buffer overflow vulnerability in older versions of QT. A malformed .mov file can be used to execute code. The current version has not been shown to be vulnerable to remote code execution, but may crash. If it can be crashed, remote code execution is usually around the corner.

Not all threats come from the outside. "Trusted" employees can represent even greater threats because they have privileged access.

ATM fraud - more common than you think. Check out this skimmer - complete with a camera to record PIN entries. Pay attention when visiting that ATM!

The "Google attack" had broad implications. The Chinese attack on Google is one of the biggest security stories in recent months. I have had little to say about it, because it has been so well covered by the media. The broader implication is that even a company like Google (not to mention Adobe and many others) is vulnerable to zero-day attacks. Never ASSUME your clients are safe - check for signs of unusual activity and NEVER, NEVER stop raising their level of awareness.

 

Dennis

 

Dennis H in West Virginia, US

January 18, 2010

Adobe critical patches

Thursday, January 14th, 2010

Microsoft's "patch Tuesday" was pretty low-key this month (unless you are still running Windows 2000), but Adobe has released some critical patches. Keeping applications, especially those used for internet access, patched is now as important as keeping the operating system patched.

Clients often ask why their anti-virus program failed to catch a piece of malware that infected their computer. Here is one of the tools that malware-writers can use to test their wares to see which AV programs are able to detect them as malware. This company does not hide the fact that this service is for malware writers and the results are NOT reported to the AV vendors. This makes it much easier for the "bad guys" to test their code and stay ahead of the AV vendors.

Depending upon your point of view, these "security researchers" are forcing software vendors to address security flaws quickly, helping the "bad guys" wreak havoc on internet users, or are just plain acting irresponsibly. These folks are releasing one "zero-day exploit" per day for 30 days - without giving the vendors any advance warning. They say that vendors do not respond unless the exploits are released publicly. The next month could be a busy one.

Want to test a site before you visit it? Here are four sites where you can paste URLs before you visit them to get a report.

 

 

Dennis

 

Dennis H in West Virginia, US

January 14, 2010

Every Business Should Have an Information Management Plan (Part 2):

Thursday, November 26th, 2009

What is "Sensitive Information"?

This is the second part of a multi-part series on creating an information management plan for business clients.

Basically, any information that your client would not want posted on the bulletin board is potentially sensitive information. Many clients will say that they do not have that much sensitive data on their systems. This may be true, but there are some questions we have to ask them.

Do you have sensitive information?

- Do you process any "keyed" credit card transactions or take any credit card information over the telephone? If so, is the credit card information ever written on a piece of paper? What happens to that paper after the transaction is processed? (The PCI DSS requires that the paper be shredded immediately in a crosscut shredder.) What controls (written policies, supervision, etc.) are in place to ensure that this happens?

- Is any credit card information kept on file, either on paper or in an electronic form? The PCI DSS requires that access to such records be controlled. The PCI DSS also clearly states that the 3-digit security code on the back of the card MUST NOT be recorded or stored - it should not be written down in a paper file or stored electronically, even in an encrypted form.

- Do you process payroll or keep any employee files (practically every employer does maintain employee information, even if they contract payroll to a third-party)?

- Do you maintain customer or client lists that you do not share with everyone in the business and/or the public?

- Do you maintain financial records for clients or business partners?

- Do you maintain client or patient records that you are required by law to protect (examples would be PIPEDA in Canada, HIPAA for health information in the US, GLBA for financial records in the US - every country has laws requiring protection for certain types of records. You need to research laws in your country)?

- Do you maintain records about ongoing projects, bids, company process, or other information that you have developed, "company secrets", ways that you do things, etc. that you would not want to be made public?

- Do you have internal or external correspondences or documents (emails, internal memos, etc.) that you would not want to share with everyone in your organization?

Most business clients will answer "yes" to one or more of these questions. If there are no controls in place to protect sensitive data, it should be assumed that ANYONE who wants to could access that data. All businesses have SOME controls in place - our job is to determine what controls ARE in place and what controls SHOULD be in place, based on the answers to the questions above.

Next:
Data Classification

Dennis


Dennis H in West Virginia, US

November 26, 2009

5 tips on making your computer run faster

Saturday, October 31st, 2009

WOW! That's the typical response when people's computer boots up in half the time it did just 10 minutes ago. Chances are quite good you can have this experience. Assuming your Windows computer is spyware, adware and virus-free, there are 5 simple steps you can easily do yourself or have your favourite IT person (we hope he/she is a Nerd On Site, of course) take care of for you:

  1. MSCONFIG - ever since Windows 95, Microsoft has made it fairly easy to manage all the programs that automatically start with your computer. Here's what mine looks like on one of my Windows computers: [screenshot: MSConfig sample]
    If you are not sure which ones you need or don't need, it is safe to uncheck most or all of them (and restart computer) and then selectively re-enable one at a time (and restart) to enable what you really need. Often there are programs in here for multi-function printers and other devices you may have connected. In some computers, the large majority of programs that load here and take all of YOUR precious time away by taking forever to boot are completely unnecessary.
  2. 15% or more free disk space
    I know most of us are guilty of being pack-rats, right? I mean why throw anything away since it doesn't actually take up any physical space, right? As it turns out, once you've reached 85% of your hard drive's capacity, the computer will take a turn for the worse in terms of performance, so keep lots of disk space free. If you're past that usage now, here are a few tips to get you below that usage:

    • Obtain an external USB drive and copy archives to that drive. Copying, and then deleting the source is always a safer bet, by the way (as opposed to Moving a file).
    • Replace your hard drive with a larger one. This has always been my choice because it seems to be the easiest route since I don't have to think as hard about which selection of videos or photos or large files I need to move to external drives.

    It used to be the case that defragmenting the drive increased the performance, but nowadays the improvement is hardly noticeable because most drives are so fast anyway. Modern operating systems and filesystems are also better at managing fragmentation. Still not perfect, but good enough that running such a process separately will not usually make any noticeable difference.

  3. Keep a clean desktop - if your desktop looks like this, you may want to simply create a new folder on the desktop and move everything into it - something like "Desktop Stuff".

    You will be amazed at how much faster your computer starts up once you have no desktop clutter. The icons on the desktop actually take time to be retrieved and displayed, and that has to happen before you are able to run any other program.

  4. Upgrade RAM
    If you're still chugging away at 512MB or 1GB of RAM, adding more RAM is cheaper than ever and can dramatically improve not only the startup time of your computer but the speed at which all of your programs operate. In our experience, a WOW! reaction is also very common after a RAM upgrade.
    RAM upgrades you can typically obtain directly from the manufacturer, although that's the priciest way to purchase. Of course one of our own team members would be happy to quote you as well on a memory upgrade on any type of computer. If you're brave and wish to do this yourself, just make sure that whatever memory purchase you make is guaranteed to be compatible with your computer and you are able to return it if it doesn't work. Some considerations to make when adding RAM:

    • Will you be able to add it to the existing memory or will it be replacing existing chip(s)?
    • Does it require pairs of chips to be installed?
    • What is the maximum your computer will take?
    • Are you running a 32-bit or 64-bit Operating System? 3 or 4GB is the maximum that 32-bit Operating Systems will recognize and/or be able to use.

    In extreme cases where some specialists operate intensive database programs such as simulations in health care research, maximizing on RAM and utilizing a 64-bit version of your Operating System may allow you to run your databases in RAM instead of the hard drive. If you spend a lot of time in front of your computer waiting, it may be worth consulting with an expert how extra RAM can result in dramatic productivity increase for you.

  5. Clean install of Windows
    This one is not for the faint of heart. We call it a "wipe and reload" and it's like having a shower! Only it's a little harder and takes much longer!

    Provided there are no technical problems with the computer, this guarantees that the computer will run at least as fast as it did when it was new. The benefit of this "clean shower" is that your computer will feel just so very refreshed. An additional side benefit is that if you ever had any doubt about some software still lurking in there somewhere, you will now have the Peace of Mind that nothing is lingering behind. The essential process for a clean install of Windows is as follows:

    • Make a complete backup of the entire computer
    • Ensure the backup is working and accessible
    • Re-install Windows from scratch
    • Restore your programs and data

    Depending on the amount of programs and data you have, this could be anywhere from a 1-4 hour process, and in extreme cases, perhaps even longer. Most nerds apply this process every 6-12 months at the most just to make sure the computer runs optimally.
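The "ensure the backup is working" step above, and the rule from the February 16th post of never formatting without two known good backups, can be checked by hashing rather than by eye. The following is an added example, not part of the original posts; the function names, directory names and sample files are hypothetical and constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def tree_digests(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def verify_backup(source, backup):
    """Return sorted (problem, path) pairs for source files the backup lacks or alters."""
    src, bak = tree_digests(source), tree_digests(backup)
    problems = []
    for rel, digest in src.items():
        if rel not in bak:
            problems.append(("missing", rel))
        elif bak[rel] != digest:
            problems.append(("mismatch", rel))
    return sorted(problems)

def safe_to_format(source, backups, minimum=2):
    """True only when at least `minimum` backups reproduce every source file."""
    good = [b for b in backups if not verify_backup(source, b)]
    return len(good) >= minimum

def demo():
    """Constructed sample data: one source tree, one good copy, one damaged copy."""
    files = {"docs/invoice.txt": b"invoice 1001\n", "photos/a.bin": bytes(range(256)) * 64}
    with tempfile.TemporaryDirectory() as base:
        src, a, b = (os.path.join(base, t) for t in ("source", "backup_a", "backup_b"))
        for tree in (src, a, b):
            for rel, data in files.items():
                path = os.path.join(tree, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        before = safe_to_format(src, [a, b])
        # Simulate a failing backup drive: one file truncated, one file lost.
        with open(os.path.join(b, "photos", "a.bin"), "wb") as fh:
            fh.write(b"\x00" * 16)
        os.remove(os.path.join(b, "docs", "invoice.txt"))
        return before, verify_backup(src, b), safe_to_format(src, [a, b])

if __name__ == "__main__":
    print(demo())
```

An empty or unreadable source tree verifies trivially, so compare the file count against what you expect before trusting a clean result.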

The above list is by no means exhaustive, and the tips assume that you have administrative access to your computers, but if you pick out one, two or three of these you can apply with the least amount of effort, you may find it very worthwhile. Whether you do or don't, we'd love to hear from you in our comments section below.