Category Archives: Internet Self-Defense

Tech Tuesday Special: Windows XP End Of Support

It’s time for Tech Tuesday, where we answer reader questions!

TechTuesdays from Charland Technology

We’ve been asked a lot lately…What does the “End of Windows XP” mean?

The End Is Near with Grumpy Cat

As Microsoft announced some time ago, support for Windows XP stops on April 8, 2014. By all means hit the link for the official Microsoft countdown clock.

What’s the official Microsoft stance?

Simply, that Microsoft will not be working on any more Windows XP security updates after April 8. And if Microsoft isn’t fixing XP problems, no one else will be either.

But what does that mean?

For some people, it’s not a big deal. The sun will rise, the computer will start, and the world will go on.

If you use your computer in business it’s not so simple.

A major part of any security standard includes running a supported, up-to-date operating system.

PCI-DSS, HIPAA, Sarbanes-Oxley, and Mass 201 CMR 17.00 all mandate that your computer systems must be running supported operating systems with reasonably current security updates.

If you can’t update the operating system you can’t be in compliance.

The safest advice at this time:

  • If your business stores health care or patient information on your computers;
  • If your business processes credit cards using computers;
  • If your business is a publicly-traded entity that’s subject to SEC or other government oversight;
  • If you process or store account information concerning Massachusetts residents;

Then you are obligated to be compliant.

It’s early March…a bit late to get into a large-scale shift, but there’s still time for most smaller businesses to act. And starting to do something, even if you miss the “deadline” by a few weeks, is better than doing nothing.

What to do?

There are several approaches:

  • You can buy new computers that run a supported system like Windows 7 or Windows 8.
  • If your computers are relatively new (2010 or later) they may be able to upgrade to Windows 7 (or 8).
  • If you have a large number of older computers, we can install a Windows MultiPoint Server or Windows Terminal Server, and reload your desktop computers as “thin clients” that only are able to initiate a connection to your server.
  • You may be able to devise policies that restrict credit card entry, etc to certain computers.

It’s time to think about this, and act soon.

 

Windows XP sunset


Tech Basics: Backup Speak

Continuing from my recent post on backup basics, there are some things to know before we get too deep into the details.

Backwards analog clock with caption

Because not everyone can afford a DeLorean.

The overall premise of data backup is to protect your stuff. Simple enough until you start looking at the range of solutions. You could argue that everything from an old beat-up flash drive to a completely redundant data center is “backup.”

How to compare? Fortunately there are some industry-standard buzzwords:

RPO: Recovery Point Objective. How old is the stuff you recover?

RTO: Recovery Time Objective. How long does it take to get your stuff back?

Retention. How long your stuff is saved and when old copies are written over or destroyed.

File backup. Your stuff is saved file-by-file.

Image backup. Your stuff is saved as hard drive blocks.

Scheduled Backup. Your stuff is saved at regular intervals.

Continuous Data Protection. Your stuff is saved as changes are made.

Full Backup. Saves a full copy of your stuff.

Differential backup. Saves stuff that’s changed since the last full backup.

Incremental backup. Saves only stuff that’s changed since the last backup of any kind.

Shadow Copy. A copy of your stuff that some systems will make when a new copy is saved.

Delta. The parts of your stuff that have changed since we last checked it.

Archive. Keeping your stuff for a set period of time, usually for legal reasons. Like tax returns in a storage box.

Disaster Recovery. Getting your stuff back (and running) after something bad happens.

BDR/BDR Device. A self-contained computer with lots of hard drive space, programmed to save image backups of your computers. Can usually run copies of those computers in case of major failure.

Bare-Metal Recovery. The ability to re-load your stuff onto a computer without installing Windows first.

Hardware-Independent Restore. The ability to re-load a backup onto a computer that’s not an exact match.

Failover. An extra whatever that will start working in case the first whatever stops working.

Deduplication. Looks for matching stuff and keeps only a single copy of it. Say you have two copies of Moby Dick, de-dupe saves one and puts a link where the other one would go.

<Whatever>-Aware. A backup that can work with a specific program, usually a mail server or database, to back it up properly. Most file backups don’t handle databases well unless they’re “aware.”
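To make the full, differential and incremental definitions above concrete, here is an added example (not from the original post) that works out which backup sets a restore needs and how much work is lost when one set turns out to be unreadable. The weekly schedules, day numbers and function names are constructed for illustration, and it assumes one backup per day.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int   # day the backup was taken (constructed timeline)
    kind: str  # "full", "differential" or "incremental"


def restore_chain(backups, failure_day, damaged=frozenset()):
    """Return the backups to restore, in order, for the newest recoverable state.

    damaged holds the day numbers of backups that fail verification.
    An empty list means nothing taken before failure_day can be restored.
    """
    history = sorted((b for b in backups if b.day < failure_day),
                     key=lambda b: b.day)
    chains = {}       # index in history -> list of backups needed to restore it
    last_full = None  # index of the most recent full backup seen so far
    for i, b in enumerate(history):
        if b.kind == "full":
            base = []                     # a full backup stands on its own
            last_full = i
        elif b.kind == "differential":
            # Changed since the last full: needs only that full underneath it.
            base = chains.get(last_full) if last_full is not None else None
        elif b.kind == "incremental":
            # Changed since the last backup of any kind: needs the one before it.
            base = chains.get(i - 1)
        else:
            raise ValueError(f"unknown backup kind: {b.kind!r}")
        if b.day not in damaged and base is not None:
            chains[i] = base + [b]
    return chains[max(chains)] if chains else []


def days_lost(chain, failure_day):
    """Age of the recovered data (what RPO measures), or None if unrecoverable."""
    return failure_day - chain[-1].day if chain else None


# Constructed schedules: full backup on day 0, then one backup a day for 5 days.
INCREMENTAL_WEEK = [Backup(0, "full")] + [Backup(d, "incremental") for d in range(1, 6)]
DIFFERENTIAL_WEEK = [Backup(0, "full")] + [Backup(d, "differential") for d in range(1, 6)]

if __name__ == "__main__":
    for name, week in (("incremental", INCREMENTAL_WEEK),
                       ("differential", DIFFERENTIAL_WEEK)):
        for bad in (frozenset(), frozenset({3})):
            chain = restore_chain(week, failure_day=6, damaged=bad)
            print(f"{name:12} damaged={sorted(bad)} "
                  f"restore days {[b.day for b in chain]} "
                  f"lost {days_lost(chain, 6)} day(s)")
```

The incremental schedule writes less each night but needs every set since the full, so one bad set on day 3 costs everything after it; the differential schedule needs only two sets and loses nothing extra.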

Did I miss any? Let me know in the comments, or on our Facebook page.

Tech Basics: The importance of backups

Quick question:

What is the most important thing you can do to protect your information?

It’s not antivirus.

Logos of several popular antivirus programs

It’s not a firewall. It’s not network protection, monitoring, or remote access monitoring.

 

Really expensive firewall

As much as I appreciate the value of good hardware, that’s not the most important thing.

Burned server equipment

These things are important. No one wants to deal with viruses, data getting out, replacing hardware, dealing with insurance companies, etc…

But backup is the part of this that can literally save your business:

  • Got the nasty CryptoLocker ransomware? Clean everything then recover from a recent backup.
  • Server hard disk failed, controller corrupted your data? Fix it, rebuild the server, recover from a recent backup.
  • Fire burned down your facility? Choose your future systems, get a temporary setup, and recover from a recent backup.
  • Cloud provider went out of business? Re-load data from a recent backup.
  • Ex-employee erased a bunch of folders on her way out the door? You guessed it, recover from a recent backup.

Which brings us to the key here. Information backup can have different forms, speeds, and capacities. There are many places and technologies that we can use to save your stuff.

Our role is to look at your organization and choose protection against the risks you face.

However it’s done, backup is the first and last word in protecting your business.

backup safe

Questions about your backup and data protection plans? We’re here to help!

 

 

Tech Tuesday: #13: What Plants vs Zombies Can Teach You About Small-business Security

It’s time for Tech Tuesday, where we answer reader questions!


We’re going to take a break from the questions this time, and talk about Internet Security for your small business.

Most everyone has played (or at least heard of) Plants vs. Zombies. It’s a fun game from PopCap Software. Go check it out if you haven’t yet. We’ll still be here when you’re done.

You’re welcome.

So, PvZ is a defense game. You place plants with different abilities on a game field and zombies come. If all goes well your plants will stop the zombies before they get to your home.

What does this have to do with business security? Plenty. Think about the game for a moment, in the screenshot above.

As soon as a zombie appears he gets pelted with peas.
If a zombie survives the peas he’ll run into a chomper.
Then he continues to get hit with peas.
If he survives that he’ll end up dealing with another Chomper.
If that Chomper is full and he gets to the end, there’s a lawnmower that’ll spring to life and run him over.

That’s how network security works in an ideal world. We’ve seen failures every step along the way.

To put it in another perspective,

If a bad guy wants to break into your office he’ll see the alarm company sticker and your security lights.
Then there’s the doorknob lock.
And the deadbolt.
If he gets through that then either door, motion, or glass-break sensors start the alarm.
After several minutes of sound and fury the police are contacted.
Meanwhile, the really valuable stuff is kept in locked cabinets.

And if all else fails you’ve got theft insurance on the really valuable stuff.


So it’s a layered approach. Like an onion


or a parfait.

Of course we’ve got antivirus. Massachusetts law says we need this.
And we’ve got a Unified Threat Management device, a business-grade firewall that can detect threats in all types of traffic.
And we have automatic operating system updates.
And our users work with limited accounts wherever possible.
And we have monitoring and intrusion detection on the firewalls and servers.
And we have users who know what their systems should look like and who to call when something looks suspicious.
And encryption and limited access on the really confidential stuff.

And we recommend cyberfraud insurance for our clients. Just in case all of these measures fail….because they can.

Got questions? Send them to CharlandTech via Facebook, post as a comment on this article, Tweet ‘em to @gregc00 or @CharlandTech, or find another creative way to get them to us.

(And FYI, you can make the gorgeous-looking parfait yourself at LowFat Vegan Cooking…)

New laptop pregame: 2013 edition

I stumbled across an article by Dawn Altnam the other day, Laptop pregame: What to do to your company laptops before you give them to employees. Complete with stock photo of snarky guy holding a laptop.

“Pregame” calls to mind a football metaphor…but after reading the article I got the sense that it could have been written in 2003. Remove all references to “spyware” and “cloud” and it could have appeared in Inc or Forbes magazine in 1993.

In football terms that’s going back to the days of the “flying wedge” and no helmets.

Is this how you’d equip your team in 2013 and beyond?

Of course not.

So what can we do better today for notebook prep?

Security: Virus protection needs to be a closed loop. Most small business owners don’t know the difference between benign reports like toolbars/plugins and the nasty stuff like rootkits, much less how to properly assess and respond to a detection alert.

What does your sales manager do when she sees this?

99% of ’em click “allow” or “allow always.” Which could possibly load the trojan which starts to scan their e-mails and files for account numbers. Most tech service providers offer ongoing services to handle these alerts consistently and affordably.

And today, we have web filtering to limit users’ exposure (and company liability) to non-business stuff like porn, pirated software, hate speech, etc.

Firewall: The Windows 7 firewall is generally regarded as business-grade and up to the task of protecting a typical computer, even in a coffee shop or other shared connection.

In the Physical Protection section the author drops the ball. At the very least every corporate computer, external disk, etc should have an asset tag. These start at about 50 cents per label.

Beyond that every business should consider a system like Absolute Computrace or Awareness Technologies’ LaptopCop. These solutions allow us to locate and track a lost or stolen computer. And recover the latest versions of files from the hard drive, then securely erase the disk.

Every business should have a “lost device response plan” in place before handing out a single laptop. It may be as simple as “Call Charland Tech and advise them of the lost device.” (Which means that WE need a response plan for each client with remote devices. If you’re our client you should ask to see it. If you’re not our client you may still ask to see it.)

And don’t forget Compliance and Data Loss Protection…software designed to prevent problems like

  • Copying your customer list to a notebook or flash drive
  • e-mailing social security or account numbers
  • flagging messages containing certain words for management review before sending

And another thought: Businesses also need to develop a plan regarding remote access to company resources. Most offices have a collection of “stuff” inside the office, with other stuff in cloud services. Do they have a desktop in-house to remote into through GotoMyPC or Logmein? Is there a Small Business Server to provide Remote Web Access?

Answer these questions before running out to Best Buy and buying shiny things.

Ms. Altnam’s post ultimately points out why professional technology service providers continue to exist in today’s era of iPads and self-service cloud apps. Because anybody can do it but not everyone does things right.

Tech Tuesday #12? What’s up with Java?

It’s time for Tech Tuesday, where we answer reader questions!


Chris from Devens asks….

I saw a report on the news about disabling Java before hackers steal all my info. What’s up with that?

Thanks, Chris

There’s a lot of panic about Java right now. Headlines abound that the US Department of Homeland Security is recommending that all computer users disable Java until this cyber-storm blows over. The media has naturally jumped on this. Is it because “Department of Homeland Security” sounds more impressive than “Computer Emergency Readiness Team at Carnegie-Mellon University?”

Partly, I’m sure. And partly because we love to panic about our computers. Let’s start with the basics…but first this important message.

I don’t think any of these posts explain clearly WHAT Java is. So…What is Java?

Java is a web programming language. It allows websites to run programs on your computer. Similar to Adobe Flash and Microsoft ActiveX.

Allowing websites to run “stuff” on your computer sounds scary..and there are scary elements to it, but it’s also a powerful thing:

  • Want to use web-based remote control like GotoMyPC or Logmein? You need to run a Java, Flash, or ActiveX program on your computer.
  • Want to play Angry Birds, Texas Hold’Em or Bejeweled? The game runs a program on your computer.
  • Want to use web-based e-mail? You need several of these web-based programs to do that.
  • On a site like Facebook…the ticker, chat, and scrolling page updates are all implemented in these programming languages.

There are a number of flaws, recently revealed, that make it easy for someone to trick you into visiting a page that launches code that can take over your computer.

This can be “weaponized” by sending you e-mail that claims to be from the IRS, Quickbooks, the lottery, or your bank. Click on the link in the e-mail…and your computer is compromised.

This also can be brought to bear by compromising other websites and forcing them to host the bad code. This can be a problem for smaller websites without full-time monitoring and support staff.

It’s important to remember…any time you visit a website or load a program on your computer you are trusting the author of that program and the keeper of that website.

For example, if you want to play the online game Pirate Galaxy, you’re exposed to whatever code the developer (Splitscreen games seems pretty trustworthy) has decided to put in the game. You’re also exposed to whatever the host of the game publishes (Kongregate is also legit).

If the chain of trust ended there we’d be in decent shape. However, that’s not the case.

The ads in most pages are not necessarily vetted on a regular basis. It’s entirely possible for a rogue ad to link to a compromised site that looks like the game you want to play.

So for now I think it makes sense to disable Java unless you find an important site that absolutely will not work without it. Don’t like those instructions? Try these.

Another way to go is to disable Java, Flash, etc in your primary browser…and use another one ONLY for trusted websites that require running code.

Of course, Java 7 Release 11 fixes the most glaring and commonly-exploited security issues, and adds a major new concept…that the user needs to actively click to let a Java program (called an “applet”) run.

We’ll discuss best practices for business Internet safety later this week.


Tech Tuesday #11: Are We Business-Grade?

Another Tech Tuesday, where we answer reader questions!


Cathie from Rindge asks….

My new technology company says I need to replace my router…or firewall…not sure which. The sales guy said my D-Link is not made for business. Is he just trying to sell me a more expensive one?

Thanks, Cathie…most small businesses have a single device that acts as both a router (moves traffic between networks) and a firewall (inspects each packet of traffic and allows/blocks based on a set of rules). Many small-business techies use the words interchangeably now, but you’ve almost certainly got a single device that does both.

Here’s a nifty older picture (despite the mid-90’s iMacs the theory still works)

But the bigger question is….

GMC Professional Grade Logo

Is it “professional grade?”

The simple answer? It depends. Many businesses can get by with less-expensive, consumer-grade networking gear. It’s 2013 and nearly any firewall/router you can buy will give a few years of trouble-free connection to the internet.

Take this one, for instance. It’s a TrendNet N150 Router. This is a typical $40 consumer-grade router.
TrendNet N150 Home Router

A basic Internet and Wireless connection! Who could ask for anything more?

Well… Looking at the specifications…this is a router that does not claim to have a Stateful Packet Inspection Firewall.

It might be nice to set up a second wireless network for guest access.

And with more than a few connections set up at the same time, the lil TrendNet will start to lag….

And what happens if something doesn’t work? Send an e-mail to TrendNet support and hope for the best?

Level up!

So we can consider an entry-level business firewall…like the Netgear FVS300.
Netgear FVS318

These cost around $200. For the extra money we get:

  • Better network speed
  • Real SPI firewall
  • Phone or chat support
  • VPN connections (limited)

What could be better?

Well…

“I want to block job hunting/porn/shopping websites, except on my computer… or at break time.”

“We use voice over IP phones, how do we make sure that gets priority?”

“We need a reliable connection between our two buildings…”

“Our regulations say we need to monitor for unauthorized access…”

“Can I get a report of what websites employees are going to?”

“Can this system collect evidence in case of an attack?”

This is a job for a Sonicwall! (Or Cisco ASA, or WatchGuard, or Meraki, or Fortinet)
Sonicwall TZ-series wireless Threat Management System

Here’s where we leave the “router/firewall” and enter the “Unified Threat Management” systems. These devices have:

  • Comprehensive router/firewall systems designed for setup by a professional technician
  • Additional services like Intrusion Detection, Web filtering, Remote administration, and incident logging
  • Secure wireless systems that offer segmented guest access
  • Reliable, highly-secure VPNs for remote and site-to-site connections
  • 3G/4G wireless backup connections

What are YOU using for a firewall? Drop a post in the comments!


How did THAT get on my computer: Part 2, Trojans and Adware

In the first installment of this series I discussed “opt out loaders,” where a legit piece of software automatically installs a toolbar, search helper, or other crap unless you take action by un-checking a box or clicking a button. These are annoying but usually benign.

Answer #2: You found it, downloaded it, and installed it. But it’s not what you thought it was.

Adware is software that installs, with your permission, and shows advertisements as pop-up windows or embedded in the program. Many of these are fine, like PrimoPDF and Weatherbug, but the developers of these programs are notorious for collecting extraneous information, not clearly disclosing how they’re using your search habits and possibly personal information, and “accidentally” leaking or disclosing your info. There is a fine line between “legit” adware and adware that doesn’t really do anything but show ads. Most of these are hard to remove the standard way through Add/Remove Programs. Is it lazy programming or malice? Hard to tell.

Note the multiple nice big happy ad spaces in the Weatherbug screen capture:

Many common adware programs just show ads without doing anything else of use.

Trojans, on the other hand, are programs that LOOK enticing but really contain crap you don’t want. Like when you go searching for “awesome free photo editing software” and get a program that doesn’t do much…that you can see. Another common ruse is to send an e-mail with instructions to install a Microsoft Update or other software. These programs start to do the nasty work that we’ll discuss in a later installment.

Here’s an example of a Microsoft Update trojan. The aim is to entice the user to run whatever the program is:

The key point about Trojans and Adware is that they’re both programs that the person USING the computer looks at, evaluates, and decides are worth the download.

How can we protect against these in a business environment?

  1. Make sure your employees have the software they need. From a legit source. A system rebuild costs more than a copy of Adobe Acrobat Pro or Foxit PhantomPDF.
  2. Set forth policies about not installing unauthorized software on a work computer. Most IT providers will vet programs for you if you ask, often at no (or minimal) extra charge.
  3. Use cool tech like UTMs (Unified Threat Management device, the new buzzword for fancy firewalls with active threat monitoring), cloud-based protection, etc in addition to good ol’ Antivirus software. Consider blocking a wider range of non-work-related sites.

Next time we’ll get into the less-avoidable (and increasingly more common) ways THAT gets on your computer.

Wake up, Mac users…

Seriously, folks. Mac OS makes many of the same security/ease of use compromises as Windows.

I’ve been reading with interest the recent reports of malware activity involving Mac OS computers. A couple “must read” pages include the Mac Virus blog, the ESET Threat blog, and Kaspersky’s SecureList blog. Some of these pages get into deep technical content. You’ll either get or cure insomnia depending upon how much of your life and information is online.

The basics:
Within the past two weeks several drive-by-download attacks have been spread against Mac OS computers.

What’s a drive-by-download?
A drive-by-download attack is a way to spread an unwanted program by “breaking into” a website and posting specially-crafted code there. This code takes advantage of security flaws commonly found in Adobe Flash, Java, and Windows/Mac OS, and can activate even without being clicked on or purposely “run.”

What does this bad stuff do?
It depends. These recent Mac-focused attacks haven’t done major damage, but the idea that an unauthorized person can take control of your computer and run whatever they want obviously isn’t a good thing. These attacks are usually extended to report usernames and passwords and possibly credit card numbers, send spam e-mail, and try to infect other computers and web sites.

But….I thought Macs were safer!
Macintosh computers have had viruses since the early 1990’s. OS X, the new operating system introduced in 2000, has also had several minor outbreaks of viruses.
Apple touts OS X’s BSD-Unix heritage as a security strength, but there are several ways in which the system trades off security for ease of use. To be fair many of these are similar to concessions in Windows systems. Things like reducing the number of times a user needs to type a password…the ability for programs to maintain a “run as Administrator” state…and the ability for automatic-starting programs.

Kind of like building a house of bricks with a screen door.

What are Flash and Java?
Java and Adobe Flash are programming languages that allow web developers to run programs on your computer.
Now wait…that’s usually a good thing. The US Official Time page uses Java to show its animated time clock. The Dan-Ball Dust Java game uses Java to waste hours of our time. And Flash is used by many, many sites, including YouTube:

So there are certainly some good reasons for using Flash and Java.

Why Macs? Why now?
There are people around the world who are constantly looking for new flaws in these programming languages. As these flaws are reported the programmers at Microsoft, Oracle (makers of Java), Adobe (makers of Flash), and Apple work to fix the problems in their own systems. That’s why you’ll see Windows or OS updates….and Flash updates….and Java updates.

When you see them, run them.

The flaws targeted by the recent attacks were fixed by Microsoft and Oracle fairly quickly, but Apple has tended to lag behind in fixing these.

So someone customized code to target Macs. And compromised 600,000 of them.

Yet Another Data Breach: Credit Card Processor Warns of Compromise

Over the weekend multiple sources announced a compromise of Global Payments Inc that led to the unauthorized release of at least 1.5 million credit card records.

According to the reports the hacked data includes credit card Track 1 and Track 2 swipe details, which is everything needed to make a counterfeit card.

What to do?

This might be a good time to re-evaluate use of debit vs credit cards, particularly for business use (credit cards have much stronger protections, and you’re directly using the bank’s money)

Watch your credit and debit card activity online for suspicious charges and report them to your card issuer immediately.