Category Archives: Internet Self-Defense

Tech Tuesday: #13: What Plants vs Zombies Can Teach You About Small-business Security

It’s time for Tech Tuesday, where we answer reader questions!

TechTuesdays from Charland Technology

We’re going to take a break from the questions this time, and talk about Internet Security for your small business.

Most everyone has played (or at least heard of) Plants vs. Zombies. It’s a fun game from PopCap Software. Go check it out if you haven’t yet. We’ll still be here when you’re done.

You’re welcome.

So, PvZ is a defense game. You place plants with different abilities on a game field and zombies come. If all goes well your plants will stop the zombies before they get to your home.

What does this have to do with business security? Plenty. Think about the game for a moment, in the screenshot above.

As soon as a zombie appears he gets pelted with peas.
If a zombie survives the peas he’ll run into a chomper.
Then he continues to get hit with peas.
If he survives that he’ll end up dealing with another Chomper.
If that Chomper is full and he gets to the end, there’s a lawnmower that’ll spring to life and run him over.

That’s how network security works in an ideal world. We’ve seen failures every step along the way.

To put it in another perspective,

If a bad guy wants to break into your office he’ll see the alarm company sticker and your security lights.
Then there’s the doorknob lock.
And the deadbolt.
If he gets through that then either door, motion, or glass-break sensors start the alarm.
After several minutes of sound and fury the police are contacted.
Meanwhile, the really valuable stuff is kept in locked cabinets.

And if all else fails you’ve got theft insurance on the really valuable stuff.


So it’s a layered approach. Like an onion


or a parfait.

Of course we’ve got antivirus. Massachusetts law says we need this.
And we’ve got a Unified Threat Management device, a business-grade firewall that can detect threats in all types of traffic.
And we have automatic operating system updates.
And our users work with limited accounts wherever possible.
And we have monitoring and intrusion detection on the firewalls and servers.
And we have users who know what their systems should look like and who to call when something looks suspicious.
And encryption and limited access on the really confidential stuff.

And we recommend cyberfraud insurance for our clients. Just in case all of these measures fail….because they can.

Got questions? Send them to CharlandTech via Facebook, post as a comment on this article, Tweet ‘em to @gregc00 or @CharlandTech, or find another creative way to get them to us.

(And FYI, you can make the gorgeous-looking parfait yourself at LowFat Vegan Cooking…)

New laptop pregame: 2013 edition

I stumbled across an article by Dawn Altnam the other day, Laptop pregame: What to do to your company laptops before you give them to employees. Complete with stock photo of snarky guy holding a laptop.

“Pregame” calls to mind a football metaphor…but after reading the article I got the sense that it could have been written in 2003. Remove all references to “spyware” and “cloud” and it could have appeared in Inc or Forbes magazine in 1993.

In football terms that’s going back to the days of the “flying wedge” and no helmets.

Is this how you’d equip your team in 2013 and beyond?

Of course not.

So what can we do better today for notebook prep?

Security: Virus protection needs to be a closed loop. Most small business owners don’t know the difference between benign reports like toolbars/plugins and the nasty stuff like rootkits, much less how to properly assess and respond to a detection alert.

What does your sales manager do when she sees this?

99% of ‘em click “allow” or “allow always.” Which could possibly load the trojan which starts to scan their e-mails and files for account numbers. Most tech service providers offer ongoing services to handle these alerts consistently and affordably.

And today, we have web filtering to limit users’ exposure (and company liability) to non-business stuff like porn, pirated software, hate speech, etc.

Firewall: The Windows 7 firewall is generally regarded as business-grade and up to the task of protecting a typical computer, even in a coffee shop or other shared connection.

In the Physical Protection section the author drops the ball. At the very least every corporate computer, external disk, etc should have an asset tag. These start at about 50 cents per label.

Beyond that every business should consider a system like Absolute Computrace or Awareness Technologies’ LaptopCop. These solutions allow us to locate and track a lost or stolen computer. And recover the latest versions of files from the hard drive, then securely erase the disk.

Every business should have a “lost device response plan” in place before handing out a single laptop. It may be as simple as “Call Charland Tech and advise them of the lost device.” (Which means that WE need a response plan for each client with remote devices. If you’re our client you should ask to see it. If you’re not our client you may still ask to see it.)

And don’t forget Compliance and Data Loss Protection…software designed to prevent problems like

  • Copying your customer list to a notebook or flash drive
  • e-mailing social security or account numbers
  • flagging messages containing certain words for management review before sending

And another thought: Businesses also need to develop a plan regarding remote access to company resources. Most offices have a collection of “stuff” inside the office, with other stuff in cloud services. Do they have a desktop in-house to remote into through GotoMyPC or Logmein? Is there a Small Business Server to provide Remote Web Access?

Answer these questions before running out to Best Buy and buying shiny things.

Ms. Altnam’s post ultimately points out why professional technology service providers continue to exist in today’s era of iPads and self-service cloud apps. Because anybody can do it but not everyone does things right.

Tech Tuesday #12? What’s up with Java?

It’s time for Tech Tuesday, where we answer reader questions!


Chris from Devens asks….

I saw a report on the news about disabling Java before hackers steal all my info. What’s up with that?

Thanks, Chris

There’s a lot of panic about Java right now. Headlines abound that the US Department of Homeland Security is recommending that all computer users disable Java until this cyber-storm blows over. The media has naturally jumped on this. Is it because “Department of Homeland Security” sounds more impressive than “Computer Emergency Readiness Team at Carnegie-Mellon University?”

Partly, I’m sure. And partly because we love to panic about our computers. Let’s start with the basics…but first this important message.

I don’t think any of these posts explain clearly WHAT Java is. So…What is Java?

Java is a web programming language. It allows websites to run programs on your computer. Similar to Adobe Flash and Microsoft ActiveX.

Allowing websites to run “stuff” on your computer sounds scary..and there are scary elements to it, but it’s also a powerful thing:

  • Want to use web-based remote control like GotoMyPC or Logmein? You need to run a Java, Flash, or ActiveX program on your computer.
  • Want to play Angry Birds, Texas Hold’Em or Bejeweled? The game runs a program on your computer.
  • Want to use web-based e-mail? You need several of these web-based programs to do that.
  • On a site like Facebook…the ticker, chat, and scrolling page updates are all implemented in these programming languages.

There are a number of flaws, recently revealed, that make it easy for someone to trick you into visiting a page that launches code that can take over your computer.

This can be “weaponized” by sending you e-mail that claims to be from the IRS, Quickbooks, the lottery, or your bank. Click on the link in the e-mail…and your computer is compromised.

This also can be brought to bear by compromising other websites and forcing them to host the bad code. This can be a problem for smaller websites without full-time monitoring and support staff.

It’s important to remember…any time you visit a website or load a program on your computer you are trusting the author of that program and the keeper of that website.

For example, if you want to play the online game Pirate Galaxy, you’re exposed to whatever code the developer (Splitscreen games seems pretty trustworthy) has decided to put in the game. You’re also exposed to whatever the host of the game publishes (Kongregate is also legit).

If the chain of trust ended there we’d be in decent shape. However, that’s not the case.

The ads in most pages are not necessarily vetted on a regular basis. It’s entirely possible for a rogue ad to link to a compromised site that looks like the game you want to play.

So for now I think it makes sense to disable Java unless you find an important site that absolutely will not work without it. Don’t like those instructions? Try these.

Another way to go is to disable Java, Flash, etc in your primary browser…and use another one ONLY for trusted websites that require running code.

Of course, Java 7 Release 11 fixes the most glaring and commonly-exploited security issues, and adds a major new concept…that the user needs to actively click to let a Java program (called an “applet”) run.

We’ll discuss best practices for business Internet safety later this week.


Tech Tuesday #11: Are We Business-Grade?

Another Tech Tuesday, where we answer reader questions!


Cathie from Rindge asks….

My new technology company says I need to replace my router…or firewall…not sure which. The sales guy said my D-Link is not made for business. Is he just trying to sell me a more expensive one?

Thanks, Cathie…most small businesses have a single device that acts as both a router (moves traffic between networks) and a firewall (inspects each packet of traffic and allows/blocks based on a set of rules). Many small-business techies use the words interchangeably now, but you’ve almost certainly got a single device that does both.

Here’s a nifty older picture (despite the mid-90s iMacs the theory still works)

But the bigger question is….


Is it “professional grade?”

The simple answer? It depends. Many businesses can get by with less-expensive, consumer-grade networking gear. It’s 2013 and nearly any firewall/router you can buy will give a few years of trouble-free connection to the internet.

Take this one, for instance. It’s a TrendNet N150 Router. This is a typical $40 consumer-grade router.
TrendNet N150 Home Router

A basic Internet and Wireless connection! Who could ask for anything more?

Well… Looking at the specifications…this is a router that does not claim to have a Stateful Packet Inspection Firewall.

It might be nice to set up a second wireless network for guest access.

And with more than a few connections at the same time, the lil TrendNet will start to lag….

And what happens if something doesn’t work? Send an e-mail to Trendnet support and hope for the best?

Level up!

So we can consider an entry-level business firewall…like the Netgear FVS300.
Netgear FVS318

These cost around $200. For the extra money we get:

  • Better network speed
  • Real SPI firewall
  • Phone or chat support
  • VPN connections (limited)

What could be better?

Well…

“I want to block job hunting/porn/shopping websites, except on my computer… or at break time.”

“We use voice over IP phones, how do we make sure that gets priority?”

“We need a reliable connection between our two buildings…”

“Our regulations say we need to monitor for unauthorized access…”

“Can I get a report of what websites employees are going to?”

“Can this system collect evidence in case of an attack?”

This is a job for a Sonicwall! (Or Cisco ASA, or WatchGuard, or Meraki, or Fortinet)
Sonicwall TZ-series wireless Threat Management System

Here’s where we leave the “router/firewall” and enter the “Unified Threat Management” systems. These devices have:

  • Comprehensive router/firewall systems designed for setup by a professional technician
  • Additional services like Intrusion Detection, Web filtering, Remote administration, and incident logging
  • Secure wireless systems that offer segmented guest access
  • Reliable, highly-secure VPNs for remote and site-to-site connections
  • 3G/4G wireless backup connections

What are YOU using for a firewall? Drop a post in the comments!


How did THAT get on my computer: Part 2, Trojans and Adware

In the first installment of this series I discussed “opt out loaders,” where a legit piece of software automatically installs a toolbar, search helper, or other crap unless you take action by un-checking a box or clicking a button. These are annoying but usually benign.

Answer #2: You found it, downloaded it, and installed it. But it’s not what you thought it was.

Adware is software that installs, with your permission, and shows advertisements as pop-up windows or embedded in the program. Many of these are fine, like PrimoPDF and Weatherbug, but the developers of these programs are notorious for collecting extraneous information, not clearly disclosing how they’re using your search habits and possibly personal information, and “accidentally” leaking or disclosing your info. There gets to be a fine line between “legit” adware and that which doesn’t really do anything but show ads. Most of these are hard to remove the standard way through Add/Remove Programs. Is it lazy programming or malice? Hard to tell.

Note the multiple nice big happy ad spaces in the Weatherbug screen capture:

Many common adware programs just show ads without doing anything else of use.

Trojans, on the other hand, are programs that LOOK enticing but really contain crap you don’t want. Like when you go searching for “awesome free photo editing software” and get a program that doesn’t do much…that you can see. Another common ruse is to send an e-mail with instructions to install a Microsoft Update or other software. These programs start to do the nasty work that we’ll discuss in a later installment.

Here’s an example of a Microsoft Update trojan. The aim is to entice the user to run whatever the program is:

The key point about Trojans and Adware is that they’re both programs that the person USING the computer looks at, evaluates, and decides are worth the download.

How can we protect against these in a business environment?

  1. Make sure your employees have the software they need. From a legit source. A system rebuild costs more than a copy of Adobe Acrobat Pro or Foxit PhantomPDF.
  2. Set forth policies about not installing unauthorized software on a work computer. Most IT providers will vet programs for you if you ask, often at no (or minimal) extra charge.
  3. Use cool tech like UTMs (Unified Threat Management device, the new buzzword for fancy firewalls with active threat monitoring), cloud-based protection, etc in addition to good ol’ Antivirus software. Consider blocking a wider range of non-work-related sites.

Next time we’ll get into the less-avoidable (and increasingly more common) ways THAT gets on your computer.

Wake up, Mac users…

Seriously, folks. Mac OS makes many of the same security/ease of use compromises as Windows.

I’ve been reading with interest the recent reports of malware activity involving Mac OS computers. A couple “must read” pages include the Mac Virus blog, the ESET Threat blog, and Kaspersky’s SecureList blog. Some of these pages get into deep technical content. You’ll either get or cure insomnia depending upon how much of your life and information is online.

The basics:
Within the past two weeks several drive-by-download attacks have been spread against Mac OS computers.

What’s a drive-by-download?
A drive-by-download attack is a way to spread an unwanted program by “breaking into” a website and posting specially-crafted code there. This code takes advantage of security flaws commonly found in Adobe Flash, Java, and Windows/Mac OS, and can activate even without being clicked on or purposely “run.”

What does this bad stuff do?
It depends. These recent Mac-focused attacks haven’t done major damage, but the idea that an unauthorized person can take control of your computer and run whatever they want obviously isn’t a good thing. These attacks are usually extended to report usernames and passwords, possibly credit card numbers, send SPAM e-mail, and try to infect other computers and web sites.

But….I thought Macs were safer!
Macintosh computers have had viruses since the early 1990s. OS X, the new operating system introduced in 2000, has also had several minor outbreaks of viruses.
Apple touts OS X’s BSD-Unix heritage as a security strength, but there are several ways in which the system trades off security for ease of use. To be fair many of these are similar to concessions in Windows systems. Things like reducing the number of times a user needs to type a password…the ability for programs to maintain a “run as Administrator” state…and the ability for automatic-starting programs.

Kind of like building a house of bricks with a screen door.

What are Flash and Java?
Java and Adobe Flash are programming languages that allow web developers to run programs on your computer.
Now wait…that’s usually a good thing. The US Official Time page uses Java to show its animated time clock. The Dan-Ball Dust Java game uses Java to waste hours of our time. And Flash is used by many, many sites, including YouTube:

So there are certainly some good reasons for using Flash and Java.

Why Macs? Why now?
There are people around the world who are constantly looking for new flaws in these programming languages. As these flaws are reported the programmers at Microsoft, Oracle (makers of Java), Adobe (makers of Flash), and Apple work to fix the problems in their own systems. That’s why you’ll see Windows or OS updates….and Flash updates….and Java updates.

When you see them, run them.

The flaws targeted by the recent attacks were fixed by Microsoft and Oracle fairly quickly, but Apple has tended to lag behind in fixing these.

So someone customized code to target Macs. And compromised 600,000 of them.

Yet Another Data Breach: Credit Card Processor Warns of Compromise

Over the weekend multiple sources announced a compromise of Global Payments Inc that led to the unauthorized release of at least 1.5 million credit card records.

According to the reports the hacked data includes credit card Track 1 and Track 2 swipe details, which is everything needed to make a counterfeit card.

What to do?

This might be a good time to re-evaluate use of debit vs credit cards, particularly for business use (credit cards have much stronger protections, and you’re directly using the bank’s money).

Watch your credit and debit card activity online for suspicious charges and report them to your card issuer immediately.

How did THAT get on my computer? (Part 1)

We hear variations of this all day:

“I don’t even know what that program is.” “I’ve never seen that before.” “No, I don’t get daily deals.” “Is that megawickedspywarecleaner any good?”

And finally, “I only go to work-related sites. I run antivirus. How does this crap get on my computer?”

Answer #1. You “asked” for it.

The Java updater will install a toolbar unless you opt-out.

Not to be left out, Adobe Flash Player installer will also stuff the completely-unrelated “McAfee Security Scan Plus” into your computer unless you opt-out.

And CNET’s download.com, which used to be one of my favorite sites for finding free and trial software, changed….the site doesn’t allow you to download files directly any more, you must use their “secure” installer that, naturally, offers up crap with your software.

Cnet's Download.com malware wrapper

And Skype (now part of Microsoft) installed something called EasyBits.

Most of these products, while annoying, can be removed through Add/Remove Programs.

What about the other stuff? I’ll explain that next time.

Quick Review: Object File Zip

During a recent server migration, a big, .ZIP’d backup file wouldn’t open in Windows Explorer. After some searching I found Object File Zip, a freeware program from Essential Data Tools, that claims to recover damaged zip files.

I downloaded it, malware tested it, and everything looked clean.

I installed it on one of my test systems, copied the 5GB corrupt ZIP file, and ran a repair/extract. The program gives the option to copy to a new .ZIP file or just extract the contents.

All went well, and the program was able to extract the files from my corrupted ZIP file.

As always your results may vary and I always recommend you do your own testing and scanning of any new tools, but Object File Zip worked as advertised for my application.

The home page is http://www.essentialdatatools.com/products/objectfixzip/ which has a direct download… and it is also available from Download.com (which I no longer recommend).

Read this BEFORE your five year old network dies!

We had a situation recently that really drove home a key point in technology planning for small businesses. This is especially relevant to “paperless” professional offices, like doctors, dentists, veterinarians, and other businesses that don’t routinely keep paper backup…and rely on their computers to run business day-to-day.

First off, let’s make this clear: Data backup is the single most important protection for any business. Or person. Period. If you don’t have a tested data backup that is the first thing you need to do. Call or e-mail us today to make it happen. We won’t laugh, yell, or judge you, but we will act with all possible haste to make sure you’re protected.

So once you have your files safely backed up once a day you’re done, right? Indeed, for many small businesses a file-based backup is all they need. Sometimes, though, there is more to the story.

Another type of loss

A new client had a problem: Their server “died” unexpectedly overnight. The office manager arrived in the morning and found that she couldn’t access the system. They had a reliable data backup in place, so there was no initial panic, but after a few moments she realized she

  • could not view the day’s schedule
  • could not access patient phone numbers to ask the day’s patients to reschedule
  • was not able to access patients’ records
  • was not able to confirm tomorrow’s patients
  • could not record procedures and calculate charges
  • could not accept checks or run credit cards for payment

In short, this busy professional office was brought to a standstill.

A $300 per hour professional business owner and her $75 per hour technicians were unable to perform most of their core job functions. The office staff was unable to contact clients, compute bills, or collect payments. This collateral damage will set the operation back by thousands of dollars in addition to our emergency response labor charges.

Ouch. Of course we have a better way.

The Alternate Reality

One of our other clients had an event that started in a similar way: Their server “died” unexpectedly overnight. They knew they had a tested file-based backup system in place and didn’t panic. After a few seconds, the impact of a server-less day started to hit the office manager. She called us.

We connected into their network and accessed an on-site backup device….signed on…selected the server name, set a few options, and clicked a link called, “Virtualize this server.” Within ten minutes we saw a message saying “Server started” and were able to connect into a complete copy of their server taken at the end of the previous day.

Within 30 minutes the office manager was viewing the day’s schedule. A full day’s work was done (and billed for!) We fixed the server in our lab during daytime hours at our normal labor rates, returned the system a couple days later, and performed a “bare metal” restore to re-install the server with then-current data.

This incident left the operation down for one hour. About a day’s labor at normal rates. Total cost is reduced by more than 70%.

Advanced recovery from major problems

We can also add off-site virtualization, so that in the event of a fire, flood, theft, or other major disaster we can start a copy of the server “in the cloud,” so that the practice owner and office manager can get into a working copy of their database to get the most critical information (next day’s schedule, financials, client contact info) and begin provisions to work from a temporary location…or at least notify the next day’s patients of schedule changes.

These systems are surprisingly affordable for businesses where they are needed. We generally use a combined approach with a file-based backup that maintains multiple revisions of key files, combined with a backup device to keep important systems available for use.

It’s almost certain that an investment of a few hundred dollars per month will save your business from several thousand dollars of loss during its life. Even if your server is relatively new we can show you how it works and determine if an advanced business continuity solution makes sense for your operations.

Call, e-mail, message, or connect with us to get the details!

-Greg
