Let's Review Some Basic Tablet Security Tips

Here's a quick checklist of security tips for your tablet:

Don’t jailbreak ** your tablet – this might expose the device to greater security risks.   What's Jailbreaking?  See Below **

Be wary of any apps you download – Always check the author.  Don’t download any paid-for apps which are suddenly are available for free, and be wary of any changes in any permission changes it may seek for accessing data. 

Always use a strong password in case your tablet is stolen, and download the Find my iPhone app (also works for iPads) – or download some similar security software for Android – which will locate the device in the event it's lost or stolen.  Remember, 1 in 10 portable computers are stolen!

Be wary of public Wi-Fi !  You may be "snooped on" so avoid logging into web accounts unless you use SSL encryption. Never try to do anything on public Wi-Fi that you’re not comfortable with a bunch of strangers seeing.

Don't trust the "native" security features of your tablet no matter how secure you think they are.  Download a third party mobile security software which will block malicious apps, scan for malware, prevent data loss and locate, lock or wipe a missing device. Recent security reports show that many native O/S across all platforms stop less than 50% of known malware.

** The act of 'jailbreaking' is changing the technical settings of a device so that users can download applications that are not approved by the tablet or smartphone maker.  It is illegal to tamper with the settings of a tablet but, ironically, it's not illegal to jailbreak a smartphone.  Go Figure!

Thanks to Tony Larks, Vice President, Global Consumer Marketing, Trend Micro for sharing these tips.

Read More

Paying the Price for BYOD and Social Media

We always return to work after a holiday with a little trepidation because over the years we have grown accustomed to expecting anguished calls for help as soon as we walk in the door from clients who have just discovered some major problem that jumped up to bite them when no one was looking.  This Thanksgiving was no exception.   Two network clients discovered a brand new malware variant that appeared to be erasing their network data right before their eyes.  Calls like that get the blood flowing even before the morning coffee has a chance to kick in.

This new malware also appeared to propagate itself across networks and infect multiple drives and users which was something new and different from typical infections that tend to stay localized.

To make matters worse, the anti-virus/malware industry was way behind in developing a solution to neutralize and/or remove this culprit.  It took 4 days before it was released to the public by any of the major A/V players.

The malware propagated itself across workstations and network drives through a tiny autorun module that would cross infect other devices and drives whenever a network user accessed a local or network drive.  In this manner it spread rapidly across the networks.

What made the battle even worse was the wide spread use of flash drives and portables at one client so even when we shut down the entire network and cleaned every infected PC, some user would bring an infected device from home and the process of infection would start anew.  Because there was no effective solution to keep the unit clean once the technicians finished re-infection was a constant battle.

Luckily for our clients, our Lead Engineer discovered the malware in this instance was not really erasing their data, it was hiding it using the ATTRIB command on files and folders which just gave the appearance of deletion.  As a little extra bonus, the malware also created new replacement files with sex related names that further spooked one client which was a private elementary school.  At the start, as fast as we'd clean one computer another user would log in and totally re-infect those drives and folders on the network that we had just cleaned.

I'm very fortunate to have a really talented tech team that was able to diagnose and clean the networks of both clients quickly and efficiently without much assistance from the Anti-virus industry for the first 4 days of the outbreak.  Now the other companies are caught up and the malware won't be able to re-infect but it was really hairy for awhile there!

If you're wondering about the original source of the infections,  Facebook was the source for one client and the flash drive of a staff member was the source for the other.  How many computers did we have to inspect?  About 120 PCs, 8 servers and 30 flash drives.  The number of infected computers?  About 85 PC's, 3 servers and 2 flash drives across both clients.  How much time was involved?  About 65 unanticipated work-hours.

Forgive us if we tend to cringe when people ask us how we plan to spend our holidays!

Happy Holidays Everyone!  Oh, and leave that @#$% flash drive at home!

*  BYOD stands for Bring Your Own Device and represents a growing trend of employees introducing personal devices into company networks and there is a growing concern about the vulnerability of company information assets to risks brought to work by employees on poorly protected devices like smart phones, tablets, notebooks and flash drives.  This combined with unregulated access to at-risk social media sites like Facebook and others greatly increase the risk of loss to organizations like those discussed in this post.

Read More

New Malware That Hides Your Data

For the last day or so we've been fighting battles for multiple client locations that are infected with a malware that McAfee calls a variant of W32/autorun.worm.aaeb-h.  The malware seems to travel on portable flash drives as well as possibly coming in as an email attachment.  It changes the attributes of files and entire folders of data so that they seem to disappear and the replaces them with similarly named .EXE files.  When a user accesses an infected flash drive or an infected folder on a network share, other folders to which they are connected will disappear from view right before their eyes.  (Talk about freaking out users!)  It also appears to infect in such a way that other users that access an infected folder will see it propagate itself to even more folders.  You will have to use Command line DOS prompts to change the attributes of the now hidden files to restore them and then delete the replacement executables that all have identical creation dates and file sizes.

McAfee sent out their alarm fully 7 days after we first encountered it in the wild which underlines just how overwhelmed many A/V vendors are trying to keep up with the flood of new malware and their variants.  As recently as 2007, A/V companies reported a few thousand viruses and malwares per year.  Now we're seeing several thousand new items PER DAY!  This one is a new variant of a well-known malware but it's tweaked enough that it avoided the original counter-measures.

This guy is a real stinker to remove on even a mid-sized network because of it's use of autorun to spread itself around a network.  If you disable AUTORUN on your network via Group Policy you can slow down it's spread but get ready to spend some time going from PC to PC searching for the original infection point.  The McAfee countermeasure/removal tool is called Striker.

Read More

What? Apple leads in vulnerabilities? AND What the heck is Moodle?

I was as surprised as everyone else when Trend Micro released their Malicious Top Ten for Q3 2012 and found Apple at the top of the list of vendors with the most vulnerabilities.

Rank	Vendor	Number of Reported Vulnerabilities 3Q 2012	Vendor	Number of Reported Vulnerabilities 2Q 2012
1	Apple	163	Oracle	97
2	Moodle	93	Linux	76
3	Google	72	Google	74
4	Oracle	71	Microsoft	55
5	Mozilla	57	Mozilla	48
6	Cisco	55	Cisco	45
7	IBM	53	IBM	37
8	Ffmpeg	53	Adobe	27
9	Adobe	42	Apple	26
10	Microsoft	35	HP	24

Maybe this will shut up some of those Apple snobs that sneer at PC products and brag about how secure Apple products are?  Nah, probably not!

In case you're wondering what the heck Moodle is and why it's number 2 on the list, you're not alone.  I had to look it up too.  It's an open source authoring language for teachers who want to write their own teaching applications.  Good luck with that one Rocky!  I even found a YouTube intro for it.  Based upon the quality of the presentation, I won't be trying it out any time soon.

http://www.youtube.com/watch?v=mXBdNdPUwKA

Open Source:  For those too cheap to buy programs from companies that have quality control departments.

"QC?  QC?  We don't got no stinking QC!"

Read More

Microsoft Windows 8 - Introducing Chaos In The Workplace?

A couple of days ago, I sat down with fellow Microsoft partners for a Boot Camp of sorts for the new Microsoft products roll-out.  More than a few of us left scratching our heads with the same thought in our heads - "What were these guys thinking?"  Oh don't get me wrong, much of what the gang at Microsoft has rolled out is pretty cool technologically.  What they seem to have forgotten AGAIN is that sometimes average users aren't alwasy ready for "cool".  Their first priority is to get their job done and introducing major changes intimidate them.  I think businesses that migrate to Windows 8 are biting off on a big chunk of confusion and the need for big-time staff re-training.

Let me give you a couple of examples.  Microsoft is currently marketing the daylights out of Windows 8 and their new Microsoft Surface tablet simultaneously.  At first glance, they look the same BUT THEY"RE NOT!  Surface runs Windows RT while PC's will run Windows 8.  They're not compatible!  Windows RT will not run Windows based programs although they did build in a variation of a couple of office programs.  Don't expect to run Windows-based programs on RT!  The Surface won't join a network domain either which is the backbone of any company network.  It's a consumer product but they've blurred the marketing of the two products so that the average business decision maker may not understand the differences.  Those of you thinking about having your staff using Surface in your office, you'd better think twice.

Windows 8 was supposedly designed to blur the distinction between portable devices and the desktop to create a more "unified approach" to computing.  When Beta testers yelled "Hey, where's the Start menu and Task Bar?" in Windows 8, the "rumor" was circulated that there would be an ability to convert the new desktop back to the more traditional desktop used in businesses that favors keyboard use.  Now that it's out, there's no ability to go back to the tradtional desktop view.  Microsoft seems to have taken the stance "It is what it is, deal with it!".  Anybody getting any Vista vibes?  The Windows 8 desktop is designed with a touch screen in mind not  a keyboard.  Someone at Microsoft seems to have forgotten that in the business world the computer is more production device than consumption device.  Employees in the real world are expected to enter data for the business not just read it. 

I think we're going to find a slow acceptance curve in the business world.  I hope that I'm wrong but from what I'm reading on other Blogs, that belief seems pretty prevalent.  The tech that demonstrated the login/ authentication process in Windows 8 seemed pretty impressed when he showed us that signing into the new system consisted of swipes and circles and such and no keyboard use.  For more years that I'm willing to admit to, I've been coaching computerphobic business users on how to navigate their computers that has been pretty static for a long time and now Microsoft have re-arranged the entire environment!

We're looking at a LOT OF RE-TRAINING to do when we start rolling out Windows 8 platforms in the office.  Microsoft seems intent on catering to the BYOD philosophy for portable devices.  All I keep thinking about is that poor office clerk who has to enter invoices and type e-mails working on an operating system and desktop that has pretty much ignored the use of the keyboard.

To be fair, the demonstrator did point out that several third parties have already jumped in with add-ons that you can buy to "adjust" Windows 8 to put back the Start Menu and Task Bar but should that really be necessary?

For you Windows XP hold-outs that have been downgrading your new PC acquisitions back to XP to keep a standardized look and feel on your comporate desktops, the game is over.  Microsoft was quick to point out that their downgrade feature only applies to 2 previous generations and XP is no longer in that category.  You can't legally downgrade your computers to XP because with the introduction of Windows 8, Windows Vista is as far back as you can downgrade and they won't allow you to re-use previously registered Windows XP licenses on new PC's.  Sorry!

Tune in later and I'll tell you how they screwed up the Windows Server 2012 product roll-out by making it incompatible with legacy companion applications.

Read More

Addressing Data Ownership In The Cloud

I was discussing the use of cloud applications with a friend and client of mine who is an attorney the other day when he struck upon the essence of what should always be the chief concern of anyone considering using cloud applications for their business – who owns the data?  In other words, if you’re going to entrust your data to someone else, what is the status of YOUR data on that provider’s servers?  Taken a step further, who is responsible for that data if it is compromised and who could be liable for that loss? He went on to say “As an attorney, I see businesses come and go with great regularity.  How can I be sure that, if they go bankrupt or suddenly shut their doors that my client information won’t just disappear or wind up in the hands of someone outside of my control?”  That is the very heart of the issue of using cloud providers.

I’m surprised everyday by business people I meet that don’t do their due diligence on data ownership in the cloud before turning over custody of their critical business information to someone they've never met in person.

There are several key questions that every organization should ask any cloud vendor before moving their data to that provider:

1.      Where is my data housed? (state and national laws and jurisdictions vary drastically)

2.      Is the vendor hosting the data themselves or contracting with a 3^rd party facility (The answer might surprise you.)

3.      What level of security is in place there?

4.      Is my data encrypted on that server?  What level of encryption? (If their facility is compromised and your data isn’t encrypted YOU could be liable for loss of client information)

5.      How do you download backup copies of your live data? (if they close their doors, you could lose it all)

6.      What is the SLA (Service Level Agreement) for up-time and data availability?  (what’s their service availability and how will they compensate you if they don’t live up to that agreement?)

7.      Do they have a fail-over system in place in case their primary server fails?  (If they go off line, what provisions do they have to get your data back up and running?)

Of course, there are other operational business questions that should also be asked that may be unique to your organizations business needs but these are the core questions that should be asked to assure your data remains secure, available and is still yours if something ever goes wrong.

Read More

Malware on Mobile devices like Smartphones and Tablets

There's been a recent explosion of malware targeting portable computing devices like Smartphones and tablets.  There's a really nice PDF article on this from Trend Micro.  Here's a link to check it out.

Trend Micro article on Mobile Malware

Read More

Helping a Client With e-Discovery

How many of you are familiar with e-discovery or FOIA?  Not many I'll bet.  We're in the middle of assisting a client deal with an e-discovery request.  Even with our automated systems it can be very time consuming.  They've been hit with a request to provide copies of all communcations either incoming or outgoing from any employee with any of about a dozen organizations for a very long period of time.

For those of you that haven't yet had the task of dealing with either an e-discovery request or an FOIA (Freedom Of Information Act) request, here's the CliffsNotes version of what's involved.  E-discovery is the electronic version of the legal systems "discovery" system where parties in a law suit can demand any and all documents or other material (including e-mails and instant messages) related to a given person or issue for any period of time.  FOIA is similar but is confined to governmental organizations but requests can come from just about anyone.

We're assisting our client sift through about a million e-mails trying to find communications between any of about a dozen organizations by any employee in their organization over the last 5 years.  Fortunately, we automated their e-mail archival process several years ago so the process should only take a fraction of the time it would take an organization not so well prepared.  Still, this isn't a huge organization and the realization that there would be so much information to sift through is kind of staggering now that we're going back through the archives!   This project would have taken hundreds of hours to complete without the archival system.

More and more organizations are required by law to retain copies of documents and communications for longer and longer periods of time.  Whether you're a HIPAA regulated agency, a governmental agency or school subject to FOIA (Freedom of Information Act) requests or just a regular business, you should recognize that you need to be able reach back in time to pull togther communications and documents of all kinds at a moments notice.

There are systems out there that can cost hundreds of thousands of dollars to buy and even more to install but we've got a very affordable alternative that won't break your budget.  If you'd like a demonstration, please give me a call at (847) 639-7000.

Read More

Portable Device Security On Your Network

I'm frequently stunned by the lack of attention being given to the security risks of portable computing devices on business networks by SMB management.  Especially with more and more applications being used in the cloud, security for personal device is more important than ever.

The current term is BYOD as in Bring Your Own Device and businesses have to recognize that employees CAN be more productive using these devices but without proper planning for security the risks to business can be dramatic.

Especially if you're in a regulated industry like health care, the risk of exposure of confidential personal information is enormous as are the financial penalties associated with those exposures. 

A 2010 study by Ponemon Institute, found that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected.  As portable computing devices proliferate in the workplace that number is probably going to go up exponentially.

Administrators must look to protect all layers of the mobile computing environment – both the endpoint devices and the communication channels that connect the device to the network. Some strategies that are effective include:

• Network access controls to ensure outsiders cannot hack into the wireless network and infiltrate devices
• Education to help users be smarter about how they use and protect their mobile devices
• Improved authentication to control device access.
• Many organizations use role-based policies to control who has access to what applications, when and on what devices access is permitted.

There are a wealth of portable device management solutions once you determine that you're going to allow employees to use their own devices for business purposes.  There's no one-size-fits-all solution for everybody so if you need help in developing a policy for portable device use on or off campus or need help picking the most appropriate solution based upon your unique circumstances, don't hesitate to give me a call @ 847-639-7000.

For those of you that would like to see a short 6 minute video by Symantec on the possible ways to secure portable devices, here is a link to a video by them: http://bcove.me/wy22iac5

Have a good weekend!

Read More

Conventions in the Cloud? Where will it all end?

Debbie and I have been in the computer industry a long time and one of the fun events we used to like to attend was Comdex in Las Vegas every year.  For those of you outside of the industry, it was the largest IT industry trade show attracting over 250,000 geeks and vendors from around the world every year.  It got us out of the office for a few days and we could see what everyone else in the industry was developing and where trends were taking us.  It used to take up 4-6 event centers in Vegas and we'd walk the aisles all day and rest our feet in the lounges or at the blackjack tables at night. 

Sadly, the show became too big and unweildy, and the major vendors started to pull out because it was almost impossible to carry on real conversations in the press of humanity.  That plus the delivery methods for introducing products via the Internet grew so efficient that the bother and expense of reserving exhibit space and shipping staff out of the office for over a week eventually caused it's demise a number of years ago.

Now it's back?  SORTA!

We just got this years invitation to Virtual Comdex 2012.  Now we can walk the "virtual aisles" of the New and Improved Comdex without leaving our desk and even "linger" in the lobby to make virtual friends.  We can chat with sales reps, watch product demos, attend lectures and pick up literature (always a chore getting it all to fit into our luggage on the way home from the show in the "Live" days). 

Technology has come so far that they have almost completely replicated the experience of the huge conventions of the past.  No more sore feet from walking literally miles of exhibit aisles.  No more expensive air fares and hotel rooms.  No more shoulder to shoulder crowds peering at small booth exhibits.  (Although Debbie once stood shoulder to shoulder with Bill Gates outside the WordPerfect booth before he needed body guards.)

Somehow, it just won't be the same.  Sure, it's more efficient and less expensive but I think the excitement will be lacking and so will some of the fun.  It was fun to watch the groups from Japan and China in their matching caps scurrying along behind their immaculately uniformed tour guide with a bicycle flag stuck to their back.  Or the hopelessly geeky Comdex attendees trying to blend in with the regular Vegas clientele and failing miserably.  I once opined that the entire pocket protector industry could be wiped out if something happened in Vegas that week.  Ok, I know I just dated myself because pocket protectors are obsolete but you get the idea.

There's something to be said about the value of in-person interaction that I don't think can be replaced in the virtual world.  Maybe I'm too old-school, but I still like to look someone in the eyes face to face to "get a feel" for whether or not they're for real or just blowing smoke (or is that now virtual smoke?).

Read More

Old Password Practices Must Change For The Cloud

A new fitness center opened up across the parking lot from our offices and apparently the owner is into "old school" fitness activities because he brings his clients into the parking lot frequently to push weighted metal blocking sleds across the parking lot, pound on tractor tires with sledge hammers and loudly grunt while lifting free weights.  Aside from the loud grunting outside my office window when I'm trying to talk on the phone, I don't really have a problem with some old school techniques. 

I am reminded, however, that other "old school" practices, particularly in todays information society, aren't necessarily a good thing.  I'm speaking specifically of the ways that some businesses keep a very casual attitude on security and passwords as they move to the Cloud.  In the "good old days" when PC's, workstations and servers were all maintained within a closed environment inside of a single building, businesses tended to be casual about things like passwords and physical security because of the sense of security they had when everything was under one roof. Like it or not, those days are disappearing rapidly.

Today's business are dealing with more mobile employees and their ever evolving mobile devices.  Access to company information is much more widely distributed and more easily accessible that ever before.  Yet, many employers haven't kept up with security Best Practices and cling to the old ways of enforcing security.  For whatever reason, security practices still lag way behind as employees now access company confidential information now located in the Cloud that once was behind a locked door.

When was the last time you sat down and reviewed your security procedures and audited your password protection practices?   Have you just exchanged the old employee practices of taping their passwords to their monitors or under they keyboard for the equivalent on their new portable devices that can be picked up by any stranger?  Is "1234" or "password" still their favorite password?  How often are they forced to change their password for that data in the cloud?

Remember, your server down the hall behind the locked door isn't there anymore.  It's out there in the Cloud and anybody with enough time and energy can steal your data if your don't keep your security practices up to date.

If you've been meaning to get around to thinking about security "one of these days" but can't seem to find the time.  Don't wait too long!  ACT has a free offer until the end of 2012 for a free security audit of your business IT so give us a call at (847) 639-7000.

Read More

New Webinar - Business Data Protection Basics

We just finished our first business guidance webinar for small and mid-size businesses.  It's on YouTube if you'd like to check it out. 

http://youtu.be/oZbHOsAq0CQ

Its creation was a prolonged and agonizing process because each time that I thought we had covered everything that a company might need, a memory would pop up of a client we had seen that had suffered a devastating loss because of some unusual circumstance that they hadn't planned on.  Over 24 years, we've seen so many different ways that companies have been brought down.  Each time they never imagined it could possibly happen to them.  Each memory would trigger an urge to add "just one more thing" to the broadcast and the presentation just kept growing and growing with examples until finally we decided to just pull all of the horror stories and just stay with the "principals" of data disaster protection and save the stories for a book.

We also put out a white paper not too long ago about a relatively recent data disaster that we had to help a client through.  The client thought they had an effective protection strategy for their servers provided by their "home office" until their mail server died.  Only then did they find out that one of the key principles of our webinar hadn't been followed - TEST IT FREQUENTLY TO INSURE THAT IT WORK.  Nope!  It wasn't. 

At that moment, the job of recovery switched to "salvage mode" and they spent many thousands of dollars to recover what data could be salvaged from almost completely useless hard drives.  Fortunately, after a near Herculean effort, we were able to recover about 90% of their lost data and four days later we were able to bring what was left of their data back on-line.  The last 10% (mostly corrupted spreadsheets attached to emails) had to be re-constructed from scratch by their staff requiring countless hours of additional work.

If you'd like to read that White Paper, it's called "Anatomy of a Data Disaster" and can be found on the welcome page of our corporate website: www.act4networks.com.

Read More