If your business offers unfiltered access to the Internet, chances are there are minutes or hours in the day where non-work activity takes place. Some employers have a work environment where this unchecked and unfiltered state is actually part of a morale of trust and confidence that the staff will get the work done even efficiently and keep a high level of productivity.

Two weeks ago we offered a free trial of a Unified Threat Management appliance to this client of ours at an insurance brokerage of about 15 staff. They had operated without any filters for many years and wanted to at least know what was happening. So we followed these simple steps to allow for a smooth transition and to keep everyone aware of upcoming changes.

Step 1 – Have an Acceptable Use Policy written and signed off

An Acceptable Use Policy – AUP – serves the purpose of making sure all staff know what is acceptable at the workplace, and what isn’t.

Step 2 – Implement a Unified Threat Management Appliance in Monitoring mode

An appliance can be installed at your office premises without disrupting any exiting access, and simply give the employers insight into how the Internet is being used throughout the premises.

Step 3 – Apply appropriate filters

This final step should be in complete accordance to the Acceptable Use Policy.

Special case considerations

• Social Media use is often restricted as it is seen as personal and has no role during working hours. However, most businesses now have a legitimate reason and role to play on twitter and facebook to maintain their own business presence.
• Time of Day access. The complete filtering of all social media access may have a negative effect on morale, and some companies choose time-of-day rules to allow social media access during lunch hour, for example.
• Logs may be misleading. If it’s your first time implementing a UTM, you will likely notice log entries of websites being visited, and when confronting said employee/computer, you will encounter denial. This can be legitimate because millions of workplace computers are infected with malware that cause the computers to operate silently under the control of botnets. Protection from web-based viruses, malware and spyware is another strong reason to implement and keep a UTM at every office.

It’s also worth pointing out that 3G connectivity through mobile phones is ubiquitous in many areas of the world. So blocking facebook on the work computer may simply cause the employee to use their own mobile phone instead. This is why an acceptable use policy is important to have in place. Consistent use of a mobile phone also leaves an optic that is not hard to detect by fellow employees and supervisors.

Do you have any specific need you don’t see covered here? Chances are it can also be achieved with a UTM.

[this post is from Dennis Houseknecht, a Nerd in West Virginia, USA]

The Security Corner has been quite for some time. Lots of other things competing for time.

I want to change the focus a bit – to alerting you to the security news that crosses my desk pretty much every day.

For instance, here is one about how children are vulnerable to internet attacks that everyone should read.

Here is an article about “malware” (or “aggressive adware“, depending on who you want to believe) that is of interest to all Android users.

And here is one about personal data as the main commodity of cyber criminals.

Please share this post with your friends and family, as everyone can benefit with knowing about these issues.

[One of our company founders, David Redekop, found this online, and we feel it's important to share it with our readers.]

“A child can now be at greater risk sitting in a bedroom on a computer, than outside the school gates,” the Home Secretary has said.

Theresa May said cyber-crime was a serious problem which caused more losses than burglars stealing televisions and DVDs from homes.

The new National Crime Agency (NCA) would help tackle this and make people “feel safer”, she said.

In a key speech on police reform in central London, Mrs May outlined plans to give communities tougher protection from anti-social behaviour to put an end to the “horror stories” of victims being ignored despite making repeated complaints to the authorities about problem neighbours.

It comes after HM Inspectorate of Constabulary (HMIC) said last week that only a low number of crimes were recorded from anti-social behaviour cases and the identification of repeat, vulnerable and intimidated victims was “poor” at the first point of contact.

Mrs May said: “As well as growing, the threat from organised crime is also changing.

“Increasingly, the biggest criminal losses do not come from the burglar who breaks into houses to steal TVs or DVD players, but from the cyber criminal who raids bank accounts directly.

“A child can now be at greater risk sat in their bedroom on their computer than they are outside the school gates. And given the nature of the criminal threat, it is now no longer possible to keep communities safe through good local policing alone.

“Highly visible neighbourhood policing is vital, but it won’t deal with cyber crime. Arresting drug dealers is important, but it won’t stop the flow of drugs from overseas.”

She went on: “That’s why we need a powerful new crime-fighting force that works across different police forces and agencies, defending our borders, co-ordinating action on economic crime, protecting children and vulnerable people, and active in cyber space. That body will be the National Crime Agency.”

[this post is from Dennis Houseknecht, a Nerd in West Virginia)

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals.  Criminals and security researchers are constantly prodding and testing the code, looking for flaws that can allow a “computer hacker” to take control of a computer or steal valuable data.

When a flaw is discovered, the software vendor issues an “update” or a “patch” to fix the problem.  It is like a recall to replace a defective part for a car.  Failure to apply these updates leaves the system vulnerable to attack or to be compromised, as these cybercriminals use these same updates to reverse engineer ways to take advantage of these vulnerabilities.

Your organization may think “Why would they want to attack us?” We argue – why give them the opportunity, and put your organization at risk?

On rare occasions, an update will cause an unanticipated compatibility issue with a specific application, and the application vendor normally addresses the issue promptly.  The solution is NOT to stop updating the system indefinitely. This WILL leave the system vulnerable, making the entire network vulnerable if infected or attacked.  As a last resort, if  postponing updates is required, it should only be for as short of a time as possible, and the ideal approach would be to ensure that the system that is not updated is not used for other purposes (taken off the network) and not exposed to threats to which is may be vulnerable.

No application is permanently tied to an older version of JAVA, or any other application.  If a JAVA update does cause a problem, it is NOT wise to revert to an older and vulnerable version of JAVA. On very rare occasions, we have seen a situation where a JAVA update causes an application (typically one that is poorly written) to “break”.  In all such cases, the vendor responded by quickly updating THEIR software to be compatible with the new version of JAVA.

We do recognize that applying updates to systems that have not been properly maintained and updated properly may cause some frustrations, inconvenience, and perhaps even consternation, to users who were faced with changes in the “look and feel”, or a change in settings.  However, any problems beyond this are less related to the updates themselves, and more to the lack of proper maintenance or updates to the systems as a whole.

About two years ago, Nerds On Site implemented a strong password policy for all our email users.  Because of todays technology it’s become trivial to “crack” weak passwords, it’s too easy for malicious software and people to take control of email accounts – this means someone could send emails from your account without your knowledge. By strengthening your password, you’re reducing the risk.

It’s easy to reset your password – go to https://mail.nerdsisp.com and enter your email address and current password.  Once you’re logged in, the system will prompt you for a new, stronger password – the system will let you know if it’s a good password or not. Try to chose something that will be easy to remember, or maybe write it down in a safe place (Hint: don’t leave it taped to the side of your screen.)

If you use Outlook, or Mac Mail, or another email client on your computer, you will need to update it to use the new password you’ve just chosen.

To help you with this, here’s a step-by-step video to guide you.

Click here to view the embedded video.

For fun, do you wonder just how weak your current password is? Check out security guru, Steve Gibson’s password tester: https://www.grc.com/haystack.htm.

Remember, strong passwords don’t guarantee that your email won’t get hacked, but it is a big step towards better protection.

Here’s an amusing article about just how weak (and common) some password are: http://www.zdnet.com/blog/service-oriented/security-101-users-still-using-extremely-weak-passwords/8003.

According to a survey conducted by 8e6 Technologies (www.8e6.com), employees are using company computers and resources to conduct non-work related activities.  Some of these activities simply wasting time, but others are malicious, or threaten company security or data.

Here are some of the more extreme cases:

• One employee was caught running a gambling website and acting as a bookie for his co-workers.
• To bypass the company’s web filter, one employee was caught using his desktop computer as an FTP server for the other employees. He had downloaded and saved over 300G of material.
• One employee was busted for giving away confidential information such as price lists, contracts, and software code for application development.
• Another employee was busted for having a side business stealing and selling company inventory on eBay.
• One woman was caught running an online outcall service from her desk.
• One employee was caught renting the corporate IP address to hacker friends to generate DOS attacks.

Although these are extreme cases, many companies have fired employees for violating company policies. It’s much more common than people realize.

As an employer, if you have an Acceptable Use Policy, which is strongly recommended, it must be enforced. Simply having it may not deter employees from finding ways around it in hopes of not getting caught.

There are excellent solutions that ensure that your Acceptable Use Policy is not violated, intentionally or otherwise. these solutions offer web filtering (gaming sites, gambling, or downloading viruses), email filtering (keywords or inappropriate jokes, etc), and many other must-have features.

Give us a call and let’s talk about your network security and Acceptable Use Policy, and find ways to make sure your company’s resources aren’t being wasted by your employees.

Phishing is alive and well. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

I wrote this article to help you help others. As it turns out, only a small number of people encountering phishing attempts report them. Here I will show you step by step how easy it is to report phishing attempts to minimize a thief’s ability to steal your friends’ and associates’ money and identities.

I received a phishing attempt this morning as you can see here:
It reads as follows:

Dear Customer,

BMO Bank of Montreal detected irregular activity on your Account on 23 January 2012. For your protection, you must verify this activity before you can continue using your BMO Bank of Montreal Account.

Click on the link below to access and verify your statement.

https://www1.bmo.com/cgi-bin/netbnx/NBmain?product=1 This instruction has been sent to all bank customers and is obligatory to follow.

Thank you
Customers Support Service
BMO Bank of Montreal.

The phishing technique is hidden, as usual. The URL shown above in the email is actually the correct URL. However, when clicked in the email itself, the link is to a phishing site at this URL:

http://chiron.mn/wp-content/plugins/akismet/NBmain.html

Usually this URL is shown if you rest your mouse on a URL (as in the screenshot above when I rested my mouse over it). Naturally I checked to see if this wasn’t already reported on StopBadware.org by using Google’s SafeBrowsing tool. The URL I used is:

http://www.google.com/safebrowsing/diagnostic?site=chiron.mn

You can use the URL above yourself and just replace chiron.mn with the site you are checking. If you see a long URL, the only portion that matters is what’s AFTER the http:// and BEFORE the next slash:

http://someurl.com/something/somethinglonger

You can try my posted URL above for yourself and I expect very shortly it should find and show the malware on this specific site I’m reporting here. However, on my first visit, this is what I found:

This means that StopBadware is not yet blocking this site for unsuspecting users, but the good news is anyone can help resolve that quickly. Here’s what I did immediately: I browsed to:

http://www.google.com/safebrowsing/report_phish/

And here’s how I completed the form (and ask you to do the same for any new phishing URLs you may encounter hidden in emails):

When you’ve completed the submission, you will see a confirmation, but note that the listing isn’t immediate. It takes some time for the phishing site to be verified by others.

Please note that like many phishing attempts they target people everywhere and with different banks. It so happened that I deal with this bank so I am a perfect target. The next one may be to you and your bank.

The best advice I’ve heard is from Brian Krebs:

Never install software you don’t seek out.

By extension the same goes for clicking links. If you are concerned about an email like this having some validity, then close your email program, launch your browser and go to your banking site by typing the URL, using your Bookmark/Favorites or whatever method you normally use. Avoid clicking on links in email.

Please help spread the word and educate everyone you know on the concept of Phishing.

P.S. Please note that all URLs in this article that are ‘clickable’ are safe. I have purposefully remove the click-ability on the bad ones.

As a follow-up to Kevin’s previous article on Wi-Fi Protected Setup (WPS) Vulnerability, I wanted to quickly provide an update as to how you can protect yourself and, if you just want someone to take care of it for you, that’s what our business is all about, and we’re here for you, of course (you may call us or request a call/service on-line).

Kevin’s article pointed out that disabling WPS is essential. However, it appears that in most cases that either there is no ability to turn it off, or the switch has no effect (in Linksys, for example). So if you want to secure yourself, here is a guideline of what you may be able to do to mitigate the problem:

• Locate the make and model of your wireless access point or router (whichever device provides your wireless services) and jot it down.
• Locate your router or wireless access point in this list of devices and review the status of vulnerability and vendor patch
• If you find yourself vulnerable and are able to successfully turn it off, that’s the best-case scenario.
• If you find yourself not having an option to turn off WPS, but you want to protect your network from potential intruder access, you have two options:
1. Turn off your router or access point (and therefore have no wireless usage at all)
2. Replace your router with a non-vulnerable unit

Apple Airport not vulnerable

Although Apple is so far been strangely silent on this, our own testing and that of others shows that WPS pin-based is only on if the light is Blue, which in turn is turned on using the Airport Utility. This is good security by design and is the reason why our recommendation for home and SOHO routers/access points should be replaced with Apple Airport devices. This recommendation is limited to areas that are typically served by one or two access points and do not require enterprise management functions.

Meraki not vulnerable

Nerds On Site has been a proud partner of Meraki, wireless network equipment provider of choice for SME and Corporate clients that require a little more than a SOHO wireless infrastructure. Fortunately Meraki products do not have WPS functions at all and therefore are not vulnerable to this WPS concern.

Why do I care if someone intrudes on my network?

I actually personally met a successful business person this week (let’s call him Bill) who admittedly didn’t care if his network was breached, until I pointed out the dangers (and I’m sure there are more):

• His network and Internet access could be used by a criminal to carry out criminal activities while Bill will carry responsibility as his Internet connection was used
• Casual sniffing of his activities online can be captured and in a short while enough data can be gathered to steal his identity or anyone’s identity using his network
• Any equipment that hosts data of any sort is much more vulnerable to attacks “from the inside” when your network is widely accessible

How have you secured your wireless network? Any other comments/questions?

Most routers released in recent years are at risk, due to a vulnerability discovered in the WPS (Wireless Protected Setup) feature. WPS makes it easy for people to connect their computers to their router without having to get very technical about it, but – it turns out – security was sacrificed for simplicity, as an attacker can gain full access to the network by using a brute force attack.

Millions of devices are potentially affected, and it could take a long time to fix them all. That said, the solution is simple: disable WPS.

You can disable WPS by logging into your router over the network and changing the setting.

There are many tools that are freely available to eavesdrop on network traffic, and can take advantage of this fault in WPS, and if a brute force attack is successful, intruders can connect to devices on a network, or monitor the internet traffic in hopes of learning passwords or other information.

This serious vulnerability was discussed in full detail on the latest Security Now podcast, hosted on the TWiT.tv podcast network. As soon as show notes are made available, we will link to them in this post.

WPS is often activated by pressing a button on the router, allowing Windows to quickly and easily connect to the wireless network and automatically figure out the relevant settings, requiring only a PIN and the wireless password.

If you’re unsure of how to disable WPS, refer to your router manual, or ask a tech-savvy friend or professional (such as a Nerd) to help you turn it off.

Hopefully vendor will quickly provide software upgrades to rectify the problem, and the newer products will have rectified and correct this flaw in WPS, making it safe to use again.

DynDNS no longer offers a free service. Most nerds and many of our clients over the years have used the great free (as well as pro) services of DynDNS. Many of our clients only need the single hostname service to a single location for access to webcams at home, for example.

While there are free services like no-ip.com and zoneedit.com, the reason why DynDNS is preferred is that many devices offer only DynDNS-specific support.

So, if you’re looking for that single hostname solution to access your webcams at your office or home broadband Internet connection, hop on over to:

https://www.dlinkddns.com/

D-Link Dynamic DNS is actually powered by DynDNS and still allows for a single hostname to be registered to a unique account and email address.

This makes sense because D-Link makes a decent set of webcams and it’s an essential part of what their clients need.

So thank you to D-Link and DynDNS for this remaining free alternative!