The SMB security gap in network security

A new study from Symantec finds that while small and midsize businesses are acutely aware of today’s security risks, a large number have yet to take even the basic steps needed to protect themselves. Further, the study shows that simple protection measures could have prevented many of the security breaches reported by these companies.
According to the study, based on surveys of 1,425 SMBs worldwide (defined as companies with 10 to 500 employees) in the first quarter of 2009, the lack of a dedicated IT staff and tight budgets were the main reasons for the lack of action. Respondents also cited a lack of employee skills as a top barrier to security.
The study finds that SMBs have no illusions about today’s risks. Asked how concerned they were about a wide range of security issues, from spam to data breaches to insider attacks, respondents consistently described themselves as “extremely” or “somewhat” concerned.
So what does it mean to say that SMBs have yet to take the basic steps to protect themselves? According to the study:

  • 59% of respondents said they have no endpoint protection (i.e., software that combines antivirus with advanced threat protection technologies such as desktop firewall and intrusion prevention for laptops, desktops, and servers).
  • 47% do not back up their desktop PCs, leaving their important information at risk.
  • 33% lack even basic antivirus protection.
What were the leading causes of the security breaches that these SMBs experienced? The reasons most frequently cited were:

  • system failure
  • a lost or stolen laptop, smartphone, or PDA
  • human error
  • the loss or theft of backup tapes or devices containing sensitive data
  • the use of improper or out-of-date security solutions.
Looking ahead, half of the respondents said they plan to increase their IT security and storage spending in the next 12 months even in these tough economic times, while 41% said their budgets would remain the same.
What we find with a good number of our clients is the unwillingness to do anything different. They have the same level of network security they had 10 years ago because they haven’t made any changes in the way they think about network security.
They don’t want to remember a password other than the one they have used for 10 years. Sometimes, they don’t want to type in a password at all. I am often asked “Can you just make it so that I don’t have a password?”
They don’t want to force everyone to store their data on the server. They don’t want to limit access to social media websites. They don’t want to stop music and picture downloads. They don’t have a problem with iPods being synced to desktops, etc.
I have never seen employees with so many liberties with their employers’ computer systems and network.
The other half of the equation is always budget. Unfortunately, it costs a little to be safe and secure. Actually, it costs something every month to be safe and secure. Network security is not a one-time purchase, because the enemy is constantly evolving and improving their tactics.
We invest in locks, safety deposit boxes, alarm systems, and surveillance systems, but we have trouble investing in network security. We send our employees to safety training classes to keep them safe, but we will not invest in keeping our employees’ and customers’ data safe.
So why the aversion to network security? It is actually very cheap (compared to a security recovery attempt).
Network security is not as expensive as it may sound. Sure, there are high-end, military-grade security measures, but you don’t have the budget for that. We understand; as an SMB ourselves, we don’t have the budget for that either.
Our goal is to get our clients on a plan to be more secure, each yearly budget at a time. We don’t expect a network security budget of $500 a month, just a modest $150 or so to acquire a few new tools and new technology to help keep the network safe.
What can you possibly do for $150 a month?
Glad you asked. For $150 a month you can get a gateway security appliance that scans for viruses, spyware, spam, intrusions, and other nasties. This level of protection is now a necessity for any business network. It is no longer sufficient to protect each computer individually. We need entire network protection as well.
The gateway security appliance sits right between your modem and your router. It scans all incoming and outgoing traffic and blocks the bad stuff (not to get too technical). It also produces reports about web traffic for each user or workstation on the network. We can see who is working and who is playing on Facebook. We can see who downloads the most music and who wastes time on non-work websites. We can even do fancy things like give each user a splash page reminding them of the company’s network policy each day or each week. We can even force them to “agree” before they can get online.
Want your company’s network to be safe? Then you have to invest in the tools to be safe. The investment in network security is much less than the cost of disaster recovery.
We still pick up new clients without a basic firewall/router from time to time. Sometimes nobody ever told them how exposed they were, but most of the time they know how exposed they are and think “It won’t happen to me.”

Data protection the original way

The goal of an identity thief is to get whatever information about you they can. This includes finding old paperwork in the trash, web searches for your name, and social media research.

Your trash could be a gold mine for identity thieves. Your trash can easily contain:

  • Bills with account numbers
  • Credit card statements with account numbers
  • Water bills with account numbers
  • School forms with student IDs
  • Mortgage information
  • Banking information
  • Investment information
  • DMV information
  • Charity information

One way to eliminate the treasure trove in your trash is to shred anything with any personal information on it. A good old-fashioned shredder will do the trick just fine.

There are two main types of shredders: strip-cut and cross-cut. Make sure you get the cross-cut type. I don’t know why they even sell the strip-cut type anymore.

You could easily reconstruct things shredded with a strip-cut shredder. It takes a little time and patience, but it isn’t very hard for anyone who enjoys puzzles. A cross-cut shredder cuts things down into confetti-style clippings, which are infinitely harder to piece back together.

What should you shred? Anything with your name on it. Unfortunately, this is just about every piece of mail you get. It does seem over the top to shred every piece of mail, so use your best judgement. At a minimum, shred all bills and account statements, whoever they come from.

You can get a decent cross cut shredder for less than $100.

Get it, use it, be safe!

New phishing scams

Anyone not know what a phishing email is?

“Phishing” (also known as “carding” or “spoofing”) refers to email that attempts to fraudulently acquire personal information from you, such as your account password or credit card information. On the surface, the email may appear to be from a legitimate company or individual, but it’s not.

As a general rule, never send credit card information, account passwords, or extensive personal information in an email unless you verify that the recipient is who they claim to be. Many companies have policies that state they will never solicit such information from customers by email.

That being said, the phishing emails are getting better at looking legit.

People usually ask me where the term “phishing” comes from. It comes from “fishing”: setting out your bait and waiting to see what bites. In today’s world, the bait is financial gain or information, and they are hoping “you” bite.

For tips on how to avoid being the victim of a phishing scam, take a look at these tips from Microsoft.

I received a great-looking phishing email last week. It looked very legit, until the very bottom. Then I noticed some non-English characters. That was my second clue. My first clue was that I don’t have an iTunes account and they don’t have my credit card.

The phishing email claimed that iTunes had just charged me $600. If this was an error, I should click this link to dispute the charges (or something to that effect). The link is where the trouble would begin. On close inspection I noticed the link didn’t go to iTunes or Apple, but instead to a domain registered in Russia.

I sent a copy to Apple so they could investigate and deleted it. Here is a look at what the email looked like.

Two days later a customer came in the store who had clicked on the link. His PC was infected and he now needed a repair. He received the exact same email as I did.

Be careful. A single click can cause a world of pain. Be vigilant, and don’t click on anything you don’t need to.
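The two clues from the iTunes email above, checked mechanically. This is an added example, not code from the original post: it pulls every link out of an HTML email body, compares the domain each link really points to with the domain a genuine message would use and with any URL shown as the link text, and lists the non-ASCII characters. The sample email and the expected domains are constructed assumptions.

```python
"""Flag mismatched links and non-ASCII text in an HTML email (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a real iTunes billing message would link to.
EXPECTED_DOMAINS = {"apple.com", "itunes.com"}

# Constructed sample in the style of the email the post describes (not the real one).
SAMPLE_EMAIL = """
<p>Your iTunes account was charged $600.00.</p>
<p>If this was an error, <a href="http://dispute-itunes.example.ru/claim">
click here to dispute the charge</a> or visit
<a href="http://apple.com.example.ru/">https://www.apple.com/support</a>.</p>
<p>Copyright \u00a9 Apple Inc. \u0421\u043f\u0430\u0441\u0438\u0431\u043e.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible words) for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).split()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; adequate for the .com/.ru hosts used here."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def suspicious_links(html):
    """Return (href, visible text, reasons) for links that fail either domain check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, words in parser.links:
        target = registrable_domain(urlparse(href).hostname)
        reasons = []
        if target not in EXPECTED_DOMAINS:
            reasons.append(f"target domain {target!r} not expected")
        # A URL shown as the link text that differs from the real target is the classic tell.
        for word in words:
            if word.startswith(("http://", "https://")):
                shown = registrable_domain(urlparse(word).hostname)
                if shown != target:
                    reasons.append(f"text shows {shown!r} but link goes to {target!r}")
        if reasons:
            findings.append((href, " ".join(words), reasons))
    return findings


def non_ascii_characters(html):
    """Distinct characters outside ASCII, the post's second clue."""
    return sorted({c for c in html if ord(c) > 127})
```

Running `suspicious_links(SAMPLE_EMAIL)` flags both links as going to example.ru, and `non_ascii_characters` returns the copyright sign and the Cyrillic letters from the footer.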

UPS to stop giving drop off receipts

Being in the computer business, we deal with shipments quite frequently. Whether we are receiving broken laptops shipped to us from customers, receiving stock for inventory, shipping parts to customers, or returning parts to vendors, we are often dealing with boxes, labels, and tracking numbers.

Insurance and shipping

When you ship something of value, you are often asked for a “declared” value. This tells the shipping company how much your box is worth. They use that number to calculate the cost of the insurance for the shipment. If I am not mistaken, anything under $50 is covered with no additional charges (or it used to be). If your package is worth more than $50, you usually have to pay for additional insurance. This provides protection against loss, damage, breakage, etc. It is almost a necessity when shipping anything of value.

Insurance claims

If your item is lost or damaged in shipping, usually the first question is “Was it packaged correctly?” If you didn’t provide adequate protection on each side and inside the box, your claim may be denied.

I found this out first hand 8 years ago. We shipped a new computer and when the customer received it they said it had tire marks on it. It had been run over by a truck or car at some point after we gave it to UPS. They sent pictures of the box and pictures of the smashed (I do mean smashed) computer. I couldn’t believe my eyes.

UPS refused to honor the insurance, citing “it wasn’t packaged correctly.” I told them the packaging wouldn’t have mattered if a car ran over the box. In any event, they refused my claim and I am still leery to ship with UPS even to this day.

If you ever need to file a claim for a package lost in shipment, there are a few pieces of paper you need. You need to know your tracking number, you need to have proof of payment, and you need some documentation showing chain of custody.

Change to chain of custody

Previously, this chain of custody was easy to produce. You would need a copy of your tracking number and you needed a copy of the drop off receipt. That little piece of paper showing that you dropped your package off at the counter.

This drop off receipt was a small but informative piece of paper. It had everything you needed on it. Tracking number, drop off location, store clerk, store address, store ID, time, date, etc. Everything you needed to prove that you did mail a box.

Without that drop off receipt, there would be no way for UPS to verify you actually took a box to the counter for shipment. Sure you had your tracking number, but until the box is scanned into the system, the only person who knows that box actually exists is you. If I were UPS, I wouldn’t pay out insurance claims on boxes that were “supposedly” lost in shipment that we never received. How crazy would that be?

If you never gave it to us, then it isn’t lost. (That is what I would say if I were UPS.)

What the change does

Imagine that conversation two ways:

(Them) We don’t have a record of your shipment sir.

(You) I have proof, I have my drop off receipt. It says right here: scanned at 11:30am on Feb 13, 2012 at location #1234.

(Them) Can you send us a copy of that receipt?

(You) I sure can.

(Them) We received your drop off receipt and will start processing your claim. Sorry for the inconvenience... yada-yada-yada.

(You) Thank you very much.

-or-

(Them) We don’t have a record of your shipment sir.

(You) I dropped it off 2 days ago at your store on 123 Anywhere Street.

(Them) We don’t see your shipment in the system sir.

(You) I don’t know what happened, but I dropped it off 2 days ago at your store on 123 Anywhere Street.

(Them) Do you have any documentation of this?

(You) No. They told me they stopped giving out drop off receipts. I asked and they wouldn’t give me one.

(Them) I am very sorry, there is nothing I can do for you sir, we don’t have any record of your shipment.

(You) %3$%SH!

(Them) We don’t see your shipment in the system sir.

This probably goes round and round until someone hangs up on someone.

Small change big impact

I’m sure this small change saves a few bucks for UPS (probably millions in paper costs, actually). The change has the potential to screw the shippers big time. If you can no longer get proof of your drop offs, they can deny, deny, deny they ever received it.

Find some cost savings somewhere else please. I will bring my own paper for a drop off receipt if that helps.

Computer hard drive warranties slashed

Western Digital is dumping a lump of coal in customers’ stockings this holiday season.

Some warranties cut by 60%

Western Digital sent out a letter to its channel partners informing them that Caviar Blue, Caviar Green, and Scorpio Blue drives will have their warranties slashed from three years to two years beginning January 2, 2012. Caviar Black and Scorpio Black drives will still carry their existing five-year warranties.

Not to be left having the longest warranty in the business, Seagate announced that they are also cutting their hard drive warranties.

Here are some of the “details”:

  • Constellation 2 and ES.2 drives: 5 years reduced to 3 years
  • Barracuda and Barracuda Green drives: 5 years reduced to 1 year
  • Barracuda XT: 5 years reduced to 3 years
  • Momentus 2.5-inch (5400 and 7200 rpm): 5 years reduced to 1 year
  • Momentus XT: 5 years reduced to 3 years

How does this affect me?

Most low-end desktops ship with Barracuda Green drives. If you go into one of the box stores and buy the el cheapo drives they stock, it is probably a Barracuda Green.

Hard drive failure rates are much higher than they should be already. At least with the longer warranty, you could get a replacement.

Either they have no confidence in their products, or, due to lack of competition, they feel they can do whatever they want.

Lack of competition

There are only three main hard drive manufacturers left. We have Western Digital, Toshiba, and Seagate. Here is a nice little diagram I found to illustrate:

As you can see, we went from 12 down to three. This makes it much easier for them to set pricing and warranty terms. This doesn’t sound good for any of us. Not sure if there is anything we can do but stop buying the drives with the lower warranties.

 

Security flaw in WPS setup on most wireless routers

Have you ever pushed that little (WPS) button to connect to your wireless router? You know, the one where you don’t need a password to use it? Researchers have just discovered a dangerous flaw that would let someone crack that in less than a few hours. This person wouldn’t have to be in your home or office, they could attempt this from anywhere within range of your wireless signal. For more modern routers, that can be as far as 400 feet away.

What is WPS

WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN. When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3, which is 11,000 attempts in total.

It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.
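Where the 11,000 figure above comes from, and why the missing lockout matters, worked as an added example (not code from the original post or from any vendor). It implements the PIN checksum defined in the WiFi Protected Setup specification, counts the PINs that have to be considered under each weakness the text lists, and estimates how long exhausting them takes with and without a lockout; the per-attempt time and the lockout values are assumptions for illustration only.

```python
"""WPS PIN search space and the effect of a lockout policy (added example)."""


def wps_checksum(first7):
    """Checksum digit for a 7-digit PIN prefix: 3x odd positions + 1x even positions, mod 10."""
    acc = 0
    for i, ch in enumerate(first7):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10


def is_valid_pin(pin):
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def count_valid_pins(limit):
    """Count valid PINs among the first `limit` 8-digit values; 1 in 10 passes, so 10^8 -> 10^7."""
    return sum(1 for n in range(limit) if is_valid_pin(f"{n:08d}"))


def worst_case_attempts(checksum_known=True, halves_confirmed_separately=True):
    """Size of the search given the two weaknesses the text describes.

    With neither weakness every 8-digit PIN is a candidate (10^8). The EAP-NACK
    leak lets the first four digits be confirmed on their own (10^4), and the
    checksum fixes the last digit, leaving 10^3 candidates for the second half.
    """
    if halves_confirmed_separately:
        return 10**4 + (10**3 if checksum_known else 10**4)
    return 10**7 if checksum_known else 10**8


def time_to_exhaust(attempts, seconds_per_attempt=2.0, lockout_after=0, lockout_seconds=60):
    """Seconds to try `attempts` PINs; lockout_after=0 models the routers with no lockout.

    Assumed values: 2 s per attempt, and a 60 s lockout after every 3 failures
    when a lockout is modelled.
    """
    total = attempts * seconds_per_attempt
    if lockout_after:
        total += (attempts // lockout_after) * lockout_seconds
    return total


if __name__ == "__main__":
    print("valid PINs in first 100,000:", count_valid_pins(10**5))
    print("attempts with both weaknesses:", worst_case_attempts())
    print("hours, no lockout:", time_to_exhaust(11000) / 3600)
    print("hours, 60 s lockout after 3 failures:",
          time_to_exhaust(11000, lockout_after=3) / 3600)
```

With the assumed timings the 11,000 attempts take about six hours with no lockout and about 67 hours once a short lockout is enforced, which is why the lockout policy (or simply disabling WPS) is the defender's lever here.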

Impact

An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

What can I do?

DHS has suggested that people disable the WPS service until there is a fix.

Custom PC Suggestions

I never did trust WPS. It didn’t require any sort of password; all you did was push a button and you could get connected. I always wondered what happened if someone tried to connect to your router at the same time you did. Could they get connected? It seemed too much of a chance for me, so we have had WPS disabled on all our company routers.

It does make it easy for the average person to get connected so I’m sure they will come out with a fix at some point. For now, disable the feature.

Ways Online Poker Players Should Customize Their PC Setup

Just a decade ago, about the only way to make money playing video games was to go into game design or testing. However, that began to change once online poker and online gambling sites started taking real money bets online. Now, there are many people around the world that make money playing poker online. However, it takes more than sound poker knowledge to make money. It also takes a solid PC setup.

If any person is planning on being a serious online poker player, they will need to learn how to multi-table at their home poker room. Once a player becomes proficient at multi-tabling, some can play as many as 20 to 30 games at a time. As such, a player is going to need some type of multi-monitor setup if they want to make multi-tabling easier. A top-of-the-line video card is helpful, but nowhere near necessary since many online poker sites do not have highly intense graphics.

Next, consider going the ergonomic route in your gaming setup. This means look into both an ergonomic keyboard and mouse, and even consider investing in an ergonomic gaming chair. Online poker is the epitome of repetitious movement and you want to do what you can to prevent wear and tear on your wrists and prevent carpal tunnel.

Finally, make sure you have enough RAM. While many can get away with a standard 2 to 4 GB of RAM, you might want to think about going up to at least 8 GB of RAM. This will guarantee that you have enough RAM to handle the load for your apps, internet, and online gaming programs.

Many players that start playing poker tournaments using Mac or Windows think that it is as simple as installing the poker software. However, if you don’t have the right setup, you may experience decreased performance and other problems that could cause you to not play as efficiently, or may even cost you if your PC locks up during a key hand. Having the right setup will help those wanting to play online poker for a living to be more successful.

Create better passwords

We all know we should have a good password. We also know we should change it often. The problem is, there are too many passwords, and I don’t want to keep up with all of them!

Some of us are worse at this than others. Here is a list of the 10 most common passwords:

  • 123456
  • 12345
  • 123456789
  • Password
  • iloveyou
  • princess
  • rockyou
  • 1234567
  • 12345678
  • abc123

If you have any of these passwords, you should change it fast.

Last year Sony’s online music and movie systems were hacked and 37K user accounts were revealed. Looking at just the passwords from those 37K accounts, the most common ones were:

  • seinfeld
  • password
  • 123456
  • princess
  • peanut
  • shadow
  • ginger
  • michael
  • sunshine
  • tigger
  • bailey

Any password that uses a word found in a dictionary is easily cracked with a simple “dictionary attack”: they just try your username with every word in the dictionary. This works for over 50% of passwords.

There is an easier way to create secure passwords, and not rack your brain with remembering them all.
Start with a base password that is not a real word.

Lupischeluck

Then add some numbers on the front for non-financial websites (blogs, Pandora, Netflix, warranty registration, etc.).

So for those accounts you may have 8727Lupischeluck

Then add a few numbers and symbols to the end for financial websites (banking, credit cards, loans, investments, etc.). Now you have 8727Lupischeluck%#)

Here is the real secret. Vary the numbers in the front and the back using a technique unique to you. You can have as many numbers as there are vowels in the name of the company, or as many symbols as there are occurrences of the letter a. Whatever personal rule you use, make it hard to guess and keep it private.

Now you have secure passwords everywhere, and all of them are unique.
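The scheme above as code, checked against the post's own common-password lists. This is an added example, not code from the original post: the base word, the digits 8727 and the symbols %#) are the post's examples, and the vowel-count and letter-a rules follow the post; cycling through 8727 and %#) to reach the required counts is an assumption made here, and the collision check is a caveat a practitioner would want about any count-based rule.

```python
"""The post's password derivation rule plus a dictionary check (added example)."""

# Both lists from the post, lower-cased and de-duplicated.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "seinfeld", "peanut",
    "shadow", "ginger", "michael", "sunshine", "tigger", "bailey",
}
BASE = "Lupischeluck"   # the post's base: not a dictionary word
DIGITS = "8727"         # the post's example prefix digits
SYMBOLS = "%#)"         # the post's example suffix symbols


def cycle_to(pool, n):
    """Repeat the characters of pool until n characters are produced (assumed rule)."""
    return (pool * (n // len(pool) + 1))[:n]


def vowel_count(name):
    return sum(1 for c in name.lower() if c in "aeiou")


def derive(site, financial):
    """Vowel count -> number of prefix digits; financial sites also get count of 'a' -> suffix symbols."""
    password = cycle_to(DIGITS, vowel_count(site)) + BASE
    if financial:
        password += cycle_to(SYMBOLS, site.lower().count("a"))
    return password


def in_dictionary(password):
    """True if the password, or its alphabetic core, is a common word a dictionary attack would try."""
    low = password.lower()
    core = "".join(c for c in low if c.isalpha())
    return low in COMMON_PASSWORDS or (bool(core) and core in COMMON_PASSWORDS)


def collisions(sites, financial=False):
    """Sites that end up with the same derived password: two names with the same vowel count collide."""
    by_password = {}
    for site in sites:
        by_password.setdefault(derive(site, financial), []).append(site)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    for site, fin in [("Netflix", False), ("Pandora", False), ("Bank of America", True)]:
        pw = derive(site, fin)
        print(f"{site:16} {pw:24} dictionary word: {in_dictionary(pw)}")
    print("shared passwords:", collisions(["Netflix", "Hulu", "Pandora"]))
```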

Is it 4G or not?

There is a dirty little secret about the 4G you see advertised on TV these days. It isn’t really 4G. If you are paying more for it, I’m sorry, you are not getting your money’s worth. Truth be told, very few carriers in the world actually have 3G, but we won’t open that can of worms today.

T-Mobile says they have the biggest 4G network, Sprint says their 4G is the best, Verizon says their 4G is the fastest, and AT&T even has a 4G network now. Not one of them has a 4G network.

Why not?

Because to have 4G you have to hit a certain download speed. Calling today’s networks 4G is like calling dial-up “broadband,” or like calling a car with leather seats a luxury car.

Let’s start with what the “G” means on these 3G and 4G phones and plans. The G only means generation. I guess the original phones were 0G, then the new phones were 2G, and then we graduated to 3G. Nobody really marketed the G until we made it to 3. They wanted you to know that the new 3G phones were faster than the 0G phones of yesteryear.

There is an organization out there that decided what 3G was, what 4G is, and probably what 5G will be. They are called the ITU (International Telecommunication Union). Most of you have never heard of them unless you are in the electronics or telecommunications industry. Long ago they set out data and speed specifications for 3G and 4G, and we simply haven’t achieved those speeds yet with wireless phones.

True 4G was supposed to be close to 1000 Mbps. Even the new LTE 4G networks are only delivering real-world speeds of 3 Mbps to 12 Mbps. 4G was supposed to be a major step ahead in terms of speed and reliability. Does your 4G phone go 1 Gbit? Nope, not even close.

So why do they all say you have 4G? They needed to sell some phones! They needed to sell some plans. They needed to have a reason to get you to pay an additional $10-20 a month.

Is today’s 4G faster than your old 3G? Probably. Will you notice it? Maybe. Is it worth the additional cost? Probably not.

Just know that you don’t have 4G, even if you are paying for it. Not yet, at least.

CNET download.com software bundled with adware

Recently, while looking for a software program called Offline Update, I found myself on CNET’s website. It was previously a website I trusted for downloading software, so I didn’t think anything of it when the download was named cnet-offlineupdate.msi. Strange, but OK.

After it finished, I proceeded to install the software and bam, I’m hit with questions about installing crapware. Wait, this came from CNET? Yup, sure did.

I went back to CNET just to make sure I didn’t click on the wrong thing, and I most certainly did not. Then I did a few searches for software I already have, and everything I downloaded included cnet-crapware.

So fellow downloaders beware, CNET is no longer crapware/adware free. I hope the money they are making makes up for the loss of users, especially myself.