Category Archives: Security

Beware of ‘Sneakware’

Have you opened up your internet browser recently only to find that there are two or three new toolbars installed?  Or perhaps there are new icons on your desktop and you have no idea where they came from?  This is Sneakware.

Companies are being paid to sneak their software on to our computers.  These are not small firms just trying to make a few extra bucks when you download a trial version of their game.  Now there are big firms doing the same thing, companies like Java, Adobe, and Yahoo.

Each time you update Java now it will try to load Google Chrome and the Google toolbar.  Installing the Yahoo toolbar brings with it four or five other programs that will interfere with your browser.

To prevent this we must all break a long held habit.  While you are installing software or updates, you have to pay attention to and read the license agreements.  Not every line and detail but enough to make sure you are agreeing to install only the software you want.  Read the text next to any radio buttons or check boxes.  Gone are the days when you could just click past all of these screens to get what you want.

This phenomenon will only get worse.  These companies are being paid for each program they can install on your system.  I am sure it pays well because we are seeing it more and more.  Paying close attention when you are installing a product will save you a lot of frustration in the long run.  Beware of Sneakware!

P@$$w0rd$ — Make Them Strong

Over the past year we have all heard stories about the giant security breach at Target.  Thousands of credit card numbers and debit card numbers with their PINs were stolen from the retailer’s system.  This was big news, especially during the Holiday season.  What you may not have heard about is the pizza restaurant in Delaware County, Ohio that had the same thing happen to them.  The thieves were smart in this case and waited nearly six months to begin using the stolen numbers.  The thieves don’t care about the size of your business; all businesses are potential targets (no pun intended).

It is not just credit card information thieves are after.  How easy would it be to become an identity thief if I could access your personnel files?  Do you think your competitors might be interested in your client files?  We all keep sensitive business information on our systems that could cripple us if a data breach became public knowledge.

As a reminder to you all, SplashData, a California security software firm, publishes a list of the twenty-five worst passwords each year.  This year’s list:

Rank  Password     Change from 2012
1     123456       Up 1
2     password     Down 1
3     12345678     Unchanged
4     qwerty       Up 1
5     abc123       Down 1
6     123456789    New
7     111111       Up 2
8     1234567      Up 5
9     iloveyou     Up 2
10    adobe123     New
11    123123       Up 5
12    admin        New
13    1234567890   New
14    letmein      Down 7
15    photoshop    New
16    1234         New
17    monkey       Down 11
18    shadow       Unchanged
19    sunshine     Down 5
20    12345        New
21    password1    Up 4
22    princess     New
23    azerty       New
24    trustno1     Down 12
25    000000       New


SplashData’s top 25 list was compiled from files containing millions of stolen passwords posted online during the previous year. The company advises consumers or businesses using any of the passwords on the list to change them immediately.


Make your password STRONG

A good password is one that is difficult to guess. There are ways to make your password hard for even the best ‘hacking’ tools to figure out. Making your password STRONG (hard to guess) is a matter of being just a little creative.

  • Use CAPS – Most password algorithms recognize the difference between a capital letter and a lower case letter. A capital letter or a number thrown into a password is a good way to mix it up a bit. Even using a capital letter with your name (not the first letter!) adds a small degree of difficulty for the hacker – miKe is different than mIke and Mike!
  • Add a number – just putting a number in the password makes it harder to guess. Even if you use your name, a 6 at the beginning, end or in the middle will make it a bit more difficult.
  • Consider a symbol – Adding a symbol (Ex. – @#$!%^&*) can make it really hard on the human hacker and will slow down the hacking program. Watch out for substituting symbols that resemble the letters like the one I used in the title – P@$$w0rd. Hackers have caught on to that little trick…
  • Add one more character – with 26 letters, 10 numbers and 15 or so symbols, adding one more character to your password makes it exponentially harder to break.
  • Try a ‘pass phrase’ – using a phrase versus a word is one of the best ways to create a strong password that is easy to remember. ‘Ilivenear1234AnywhereDr’ has enough letters and characters in it to keep a hacker (human or machine) busy for a long time.

The bottom line is – security is up to you. Use passwords. Make ‘em strong. Change them regularly.

Protect Your Network From Smart Phones

We subscribe to a news service called Weave.  It searches the web for tech related news stories.  Most of these are nothing more than advertisements for new products being released.  But there was a headline recently that grabbed my attention:

“Hackers can control almost all Android phones.”

The article, by Claire Porter of news.com.au, goes on to point out that researchers have discovered a flaw in the code that is used to make Android apps work.  Hackers have been able to exploit this flaw to infect your apps with Trojan viruses.  These can steal any password or financial information on your phone, or spread to any network you connect to.  This flaw affects over 900 million devices.

So, a smart hacker is not really after your phone or your apps at all.  They are going after the big game, your employer.  They may be able to get a few hundred or a few thousand dollars from you, but they can potentially get much more from your company.  And don’t think you are immune.  There was a story on our local news a few months back about a pizza restaurant that had been hacked.  The hackers gathered the customers’ credit card numbers and waited more than six months before using them.  60 Minutes did a piece on some former drug dealers in Florida.  They switched to hacking credit card numbers because it is safer and there is less chance of being caught.  One of them admitted to making more in an afternoon of hacking than they could make in a month of dealing, and there was almost no chance of being shot.

So how do you protect your company from attack when every one of your employees has a cell phone?  You need to develop a strategy on how to allow the employees wireless access, but keep them off your network.  The IT industry calls this a BYOD (bring your own device) policy.

The simplest way to protect yourself is to create a separate network called a guest network.  This will give the employees access to wireless Internet without allowing them to connect with the systems, servers, and information you are trying to protect.  They will have a completely distinct and detached network.  Most routers have the ability to do this easily.

Things get more complicated if you need some of those employees to use the resources of the primary network.  You are going to have to develop a set of standards regarding antivirus and antimalware programs that you will require.   There must be restrictions on both the software loaded on the phone or tablet, and strict enforcement of where the resulting files are stored.

We have seen cases in which the employee must agree to open their devices to a remote wipe if the device is lost or stolen, or if the employee leaves the company.  A disgruntled employee can devastate a business if they are allowed to leave with a tablet, or laptop filled with your client information, and your company secrets.

Before you just arbitrarily start enforcing a new policy, we recommend getting a group of your employees together and talk with them.  Get their input.  Make them understand the threats and make them partially responsible for your protection.  If they know they are potentially part of the problem, they should be happy to be part of the solution.

Internet Explorer 10 broke my favorite website!!

Nobody likes IE10.

Bank websites don’t work on it. News websites don’t work on it. Porn sites don’t work on it.

GOOD! We’re getting what we’ve been asking for from Microsoft forever. IE10 is the most secure browser ever released by Microsoft and is far more effective than its nearest competitor, Google Chrome. Firefox, Opera and Safari fall waaayyy back from there.

NSS Labs, one of the world’s leading information security research and advisory companies, recently released a study showing that IE10 blocked 99.96% of malicious software from downloading. That means that only 4 of every 1000 malicious downloads got past IE10 vs 170 of every 1000 for Chrome. Safari and Firefox blocked around 10% and Opera a frightening 1.9%!

If your favorite/most needed website doesn’t work, why blame Microsoft? The IE10 development platform was released in April 2011. Companies have had over two years to work out any bugs. If they are committed to keeping your data secure, why haven’t they made their website compatible with the most secure browser on the market?

So, while sometimes the only choice you have to use your favorite website is to download Google Chrome, remember that you are instantly more vulnerable to malicious downloads. It’s not our choice.

BYOD – Let the party begin!!

BYOD? Don’t you mean BYOB? What the heck is BYOD?

BYOD is short for Bring Your Own Device. BYOD refers to the practice of employees or clients bringing their own computing devices – such as smartphones, laptops and tablets – to the workplace for use and connectivity on the corporate network.

OH! No big deal right?

Let’s put it this way…it doesn’t have to be a big deal. But, if you don’t adopt a BYOD policy for your employees and guests, it could be! Tablets and smartphones are capable of carrying and transmitting viruses and enabling unauthorized access to your network and data, just like any PC or laptop.

BYOD Security

BYOD security starts with the company establishing (and enforcing) a BYOD security policy that clearly states the company’s position so that they can better manage these devices and ensure network security is not compromised by employees using their own devices at work.

Setting up a ‘guest’ network can allow your employees and guests to access the Internet while keeping your corporate network secure. But, if you want to allow your employees to access corporate resources via their personal devices, your BYOD security policy must spell out detailed security requirements for each type of personal device that is used in the workplace and connected to the corporate network. You should require devices to be configured with passwords, prohibit specific types of applications from being installed on the device, or require all data on the device to be encrypted. Limiting which programs or apps are permissible, or requiring that an approved anti-virus be installed, are also recommended.

For an interesting look at how BYOD is affecting the business world, check out this infographic – http://www.biztechmagazine.com/article/2013/04/byod-growing-needs-more-support-it-infographic

We say – Join the party. It’s BYOD!
Just make sure you hold the keys.

P@$$w0rd$ – Make ’em STRONG

Security starts with your password

Keeping your data secure can be a big job these days. The first thing (and one of the easiest) to do is to use passwords, change them regularly, and make them strong.

Your PC and, especially, your laptop should have a logon password. When you walk away from your PC, you should always ‘lock’ it. Press ‘Windows key + L’ and your PC or laptop will be locked immediately. You can also use the familiar ‘Ctrl+Alt+Del’ and then choose ‘Lock this computer’. Doing this will require that your password be entered to regain access to your PC or laptop and your data.

Don’t make it easy on the bad guys

A recent article in Time Magazine referenced the 25 worst passwords of 2012. The vast majority of the passwords on this list were passwords that anybody would guess: a successive string of numbers (123456 or 987654) or a string of letters (abcdefg or qwerty).

Other bad passwords include your name, your email address or your phone number. That information can be easily gathered from your business card or a listing on your website. Your birthday, pet names or home address may be harder to guess, but are still less than optimal.

Make your password STRONG

A good password is one that is difficult to guess. There are ways to make your password hard for even the best ‘hacking’ tools to figure out. Making your password STRONG (hard to guess) is a matter of being just a little creative.

  • Use CAPS – Most password algorithms recognize the difference between a capital letter and a lower case letter. A capital letter or a number thrown into a password is a good way to mix it up a bit. Even using a capital letter with your name (not the first letter!) adds a small degree of difficulty for the hacker – miKe is different than mIke and Mike!
  • Add a number – just putting a number in the password makes it harder to guess. Even if you use your name, a 6 at the beginning, end or in the middle will make it a bit more difficult.
  • Consider a symbol – Adding a symbol (Ex. – @#$!%^&*) can make it really hard on the human hacker and will slow down the hacking program. Watch out for substituting symbols that resemble the letters like the one I used in the title – P@$$w0rd. Hackers have caught on to that little trick…
  • Add one more character – with 26 letters, 10 numbers and 15 or so symbols, adding one more character to your password makes it exponentially harder to break.
  • Try a ‘pass phrase’ – using a phrase versus a word is one of the best ways to create a strong password that is easy to remember. ‘Ilivenear1234AnywhereDr’ has enough letters and characters in it to keep a hacker (human or machine) busy for a long time.

The bottom line is – security is up to you. Use passwords. Make ’em strong. Change them regularly.
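As an added example (not code from either P@$$w0rd$ post above), here is a small Python checker that applies the advice from both posts: it rejects anything on the SplashData worst-25 list quoted earlier, catches the P@$$w0rd symbol-substitution trick the post says hackers have caught on to, and shows how much each extra character and each extra character class enlarges the search space. The character-set sizes are the post's own counts (26 + 26 + 10 + "15 or so" symbols) and the guessing rate of 1e10 per second is an assumption for illustration.

```python
import math

# Sample data constructed from the SplashData 2013 "worst 25" list quoted in the post.
WORST_25 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1", "000000",
}

# Symbol-for-letter swaps that guessing tools try first, so "P@$$w0rd" is
# scored as the word "password" rather than as a stronger string.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

def alphabet_size(pw: str) -> int:
    """Size of the character set an attacker must cover, using the post's own
    counts: 26 lower, 26 upper, 10 digits and about 15 symbols."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 15
    return size

def search_bits(pw: str) -> float:
    """log2 of the brute-force space. Each extra character adds log2(alphabet)
    bits, which is the post's 'exponentially harder' claim made concrete."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0

def seconds_to_exhaust(pw: str, guesses_per_sec: float = 1e10) -> float:
    """Time to try the whole space at an assumed offline rate (1e10/s is an
    illustrative assumption, not a figure from the post)."""
    return 2 ** search_bits(pw) / guesses_per_sec

def check(pw: str):
    """Apply the post's advice: reject anything on the worst-25 list, including
    symbol-substituted spellings of it; otherwise report the search space."""
    low = pw.lower()
    if low in WORST_25:
        return False, "on the worst-25 list: change it now"
    if low.translate(LEET) in WORST_25:
        return False, "a symbol-substituted worst-25 password (hackers know this trick)"
    return True, f"{search_bits(pw):.1f} bits of search space"

if __name__ == "__main__":
    for pw in ["123456", "P@$$w0rd", "L3tm31n", "miKe", "miKe6", "Ilivenear1234AnywhereDr"]:
        print(f"{pw!r:28} {check(pw)}  ~{seconds_to_exhaust(pw):.3g} s to exhaust")
```

Note that miKe6 is not just one character longer than miKe; adding the digit also grows the alphabet from 52 to 62, so the space grows by more than one character's worth.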