Facebook Security

A colleague recently wrote on her blog about her own father’s experience getting hacked on Facebook – and it serves as yet another useful reminder of why and how we can take measures to keep our online identities secure.

It appears in this situation that the hacker found his victim’s profile on Facebook, submitted a lost password request, and then answered the security questions with information that was easily found on Google. After taking over his Facebook account, the hacker repeated the process to gain access to the victim’s Gmail account and started emailing all of his contacts asking for money.Facebook Logo

If this sounds vaguely reminiscent of something that was in the news a few years ago, it’s because a very similar technique was used by a college student to access Sarah Palin’s Yahoo account. One password reset request later, and Sarah Palin’s emails were all over the Internet.

The take-home here is simple: make sure that your security questions don’t ask about details that are available with a little digging (mother’s maiden name, city of birth, high school mascot). Go for more obscure ones like your first pet’s name or the name of the best man at your wedding (as long as you didn’t blog about your wedding!).  Also, take a good look at the privacy settings on all of your social networking profiles and don’t divulge more information than you have to. That will minimize the amount of damage a hacker can do if they do gain access to your profile.

Don’t assume that a social networking company is as worried about your privacy as you are. The Google Buzz debacle — in which Google effectively used people’s personal email accounts as a platform for public social networking – illustrates that, for many social marketers, they’re more concerned about building a large and open network than they are about protecting the personal information of individuals. That means it’s up to you to stay on top of things and adjust the necessary settings when, for example, Facebook revises its privacy policy.

And remember that the more you share about yourself online, the more ammunition you’re giving potential identity thieves. That doesn’t mean you should shut down all your social networking profiles because someday somebody might hack into your Facebook account. It does mean that you should be careful about what details you share, where you share them, and with whom.

Find out more rules for responsible social networking at our free Webinar, “Social Networking: Uncovering the Hype.” It will be held on Thursday, April 29 at 12pm Central Daylight Time.  Click here to register.


How Will New Airport Security Procedures Affect Business Travelers?

After the attempted bombing of an airliner headed from the Netherlands to Detroit on Christmas Day, many travelers were left wondering how (or if) heightened security measures would affect future flights. This question is particularly urgent for business travelers, who tend to travel farther and more frequently than anybody else.

Transportation Security Administration logoAccording to the TSA, increased checkpoint security may make lines longer for flights headed into the US from other countries. If hold a passport issued by, or are traveling from or through what the TSA describes as “nations that are state sponsors of terrorism or other countries of interest,” you may have to go through “enhanced screening.” However, the rules around what you can and can’t pack in your carry-on haven’t changed.

If you’re traveling domestically, you really won’t notice much of a difference. One new-ish development could signal easier traveling in the future: the TSA says that you do not have to take your laptop out of its case if it offers a clear and unobstructed view of your computer when it runs through the scanner. Some laptop-only sleeves can do this if they’re packed correctly, but most laptop bags don’t yet meet the standard. However, the TSA has encouraged laptop bag manufacturers to develop “checkpoint friendly” designs. You can read more about the TSA’s “checkpoint friendly” laptop bag procedures here.

Until the day arrives when you can just toss your briefcase onto the scanner and be done with it, here are a few tips for traveling with expensive, easy-to-lose electronics:

1. Make sure you’ve run a full backup before you leave. You might consider keeping all your important documents on your corporate file server instead of on your hard drive, in case your laptop gets lost. If you do opt to keep your files on your hard drive, make sure it’s password-protected and all your files are encrypted.

2. Invest in a biometric USB flash drive that requires an authenticated fingerprint to access files.

3. Remember that an ounce of prevention is worth a pound of cure. The best way to ensure that you don’t lose your laptop at the airport is to give yourself plenty of time at the airport and keep an eye on your computer at all times — a recent study showed that people most frequently lose their laptops at security checkpoints and at departure gates.

For more laptop travel tips, click here.

More Password Warnings: RockYou is Latest Victim

“Update your passwords.  Don’t use words.  Throw in numbers and punctuation.

You’ve heard it thousands of times, but I just had a discussion with someone yesterday where we BOTH admittedPassword Icon neglecting updating our passwords frequently or making them complicated enough to keep hackers at bay.

Here’s the latest news of a HUGE user account data theft.  RockYou is just the latest reminder that we’re not paying enough attention to our passwords.  Can you imagine what you could lose if someone had the password to your e-mail account?  Or your business financial records?  Or the information of all your clients?

What Does Brittany Murphy Have To Do With Your Computer’s Security?

Every year hackers get smarter and sneakier about how to infiltrate people’s computers, steal vital personal information, and spread mischief. A few years ago, all you had to worry about was malware spread by e-mail attachments. These days, you have to worry about mysterious links showing up in your instant messages, weird messages from Facebook friends you’ve never heard of, and malicious web sites downloading who knows what to your computer as soon as you visit them.

So what’s a safe Web surfer to do, short of unplugging the computer and conducting all correspondence by carrier pigeon?

1. Stay vigilant, no matter what application you’re using. Hackers are hip to new media and won’t hesitate to use Twitter, Facebook, MySpace, or instant messaging to get to you. If you wouldn’t click on a strange link in email, don’t click on it in Facebook.

2. Expect spam and phishing to spike around holidays or major events. If a celebrity just died (here’s the Brittany Murphy connection)  and you get an email containing an attachment purporting to be video of that celebrity’s death – don’t open it.

3. Read your email with a VERY skeptical eye. One of our clients was recently contacted by a service that said it was investigating another company’s registration of a domain under our client’s company name. They were pretty obviously just phishing for information about our client. That email went straight in the trash, no response.

4. Know how to spot a zombie. If your computer sounds like it’s running all the time but processing has slowed to a crawl, or if you find returned messages in your inbox responding to emails you’ve never sent – your computer might very well be part of a bot net.

5. Be wary of warnings. Right around this time last year, a nasty spyware application — the AntiSpyware XP 2009 Virus – spread by throwing up bogus popups warning people that they could be infected by hundreds of viruses if they didn’t install an update. People who clicked “OK” to install the update instead installed the spyware.

So as the holiday season rolls around, remember – you’ll probably get a few Christmas-related spam messages, an invitation to view a stranger’s holiday photos on Facebook, a suspicious inquiry from an overseas firm, and a maybe even a popup or two asking you if you want to install the latest and greatest in antispyware protection. The best thing you can do is ignore all of this, run another backup of your files, do a full system scan, and update your antivirus/antispyware protection with the latest definitions.

CMIT’s Marathon service automatically runs system scans and security updates, so you never have to worry about being up to date. To learn more about CMIT Marathon visit our website.

Not sure if an email’s for real? Wondering what to do about a persistent virus warning? Call CMIT Solutions at (800) 399-2648. We’ll give you our professional opinion.

10 mistakes new Windows Administrators make

Maybe you’re a brand new network admin. You’ve taken some courses, you’ve passed some certification exams, perhaps you even have a Windows domain set up at home. But you’ll soon find that being responsible for a company network brings challenges you hadn’t anticipated.

Or maybe you’re an experienced corporate IT person, but up until now, you’ve worked in a UNIX environment. Now — either due to a job change or a new deployment in your current workplace — you find yourself in the less familiar world of Windows.

This article is aimed at helping you avoid some of the most common mistakes made by new Windows administrators.

#1: Trying to change everything all at once

When you come into a new job, or start working with a new technology, you may have all sorts of bright ideas. If you’re new to the workplace, you immediately hone in on those things that your predecessors were (or seem to have been) doing wrong. You’re full of all the best practices and tips and tricks that you learned in school. If you’re an experienced administrator coming from a different environment, you may be set in your ways and want to do things the way you did them before, rather than taking advantage of features of the new OS.

Either way, you’re likely to cause yourself a great deal of grief. The best bet for someone new to Windows networking (or to any other job, for that matter) is give yourself time to adapt, observe and learn, and proceed slowly. You’ll make your own job easier in the long run and make more friends (or at least fewer enemies) that way.

#2: Overestimating the technical expertise of end users

Many new administrators expect users to have a better understanding of the technology than they do. Don’t assume that end users realize the importance of security, or that they will be able to accurately describe the errors they’re getting, or that they know what you mean when you tell them to perform a simple (to you) task such as going to Device Manager and checking the status of the sound card.

Many people in the business world use computers every day but know very little about them beyond how to operate a few specific applications. If you get frustrated with them, or make them feel stupid, most of them will try to avoid calling you when there’s a problem. Instead they’ll ignore it (if they can) or worse, try to fix it themselves. That means the problem may be far worse when you finally do become aware of it.

#3: Underestimating the technical expertise of end users

Although the above applies to many of your users, most companies will have at least a few who are advanced computer hobbyists and know a lot about technology. They’re the ones who will come up with inventive workarounds to circumvent the restrictions you put in place if those restrictions inconvenience them. Most of these users aren’t malicious; they just resent having someone else in control of their computer use — especially if you treat them as if they don’t know anything.

The best tactic with these users is to show them that you respect their skills, seek out their input, and let them know the reasons for the rules and restrictions. Point out that even a topnotch racecar driver who has demonstrated the ability to safely handle a vehicle at high speed must abide by the speed limits on the public roads, and it’s not because you doubt his/her technology skills that you must insist on everyone following the rules.

#4: Not turning on auditing

Windows Server operating systems have built-in security auditing, but it’s not enabled by default. It’s also not one of the best documented features, so some administrators fail to take advantage of it. And that’s a shame, because with the auditing features, you can keep track of logon attempts, access to files and other objects, and directory service access.

Active Directory Domain Services (AD DS) auditing has been enhanced in Windows Server 2008 and can be done more granularly now. Without either the built-in auditing or third-party auditing software running, it can be almost impossible to pinpoint and analyze what happened in a security breach.

#5: Not keeping systems updated

This one ought to be a no-brainer: Keeping your servers and client machines patched with the latest security updates can go a long way toward preventing downtime, data loss, and other consequences of malware and attacks. Yet many administrators fall behind, and their networks are running systems that aren’t properly patched.

This happens for several reasons. Understaffed and overworked IT departments just may not get around to applying patches as soon as they’re released. After all, it’s not always a matter of “just doing it” — everyone knows that some updates can break things, bringing your whole network to a stop. Thus it’s prudent to check out new patches in a testbed environment that simulates the applications and configurations of your production network. However, that takes time — time you may not have.

Automating the processes as much as possible can help you keep those updates flowing. Have your test network ready each month, for instance, before Microsoft releases its regular patches. Use

Windows Server Update Services (WSUS) or other tools to simplify and automate the process once you’ve decided that a patch is safe to apply. And don’t forget that applications — not just the operating system — need to be kept updated, too.

#6: Getting sloppy about security

Many administrators enforce best security practices for their users but get sloppy when it comes to their own workstations. For example, IT pros who would never allow users to run XP every day logged on with administrative accounts think nothing about running as administrators themselves while doing routine work that doesn’t require that level of privileges. Some administrators seem to think they’re immune to malware and attacks because they “know better.” But this over confidence can lead to disaster, as it does in the case of police officers who have a high occurrence of firearms accidents because they’re around guns all the time and become complacent about the dangers.

#7: Not documenting changes and fixes

Documentation is one of the most important things that you, as a network admin, can do to make your own job easier and to make it easier for someone else to step in and take care of the network in your absence. Yet it’s also one of the most neglected of all administrative tasks.

You may think you’ll remember what patch you applied or what configuration change you made that fixed an exasperating problem, but a year later, you probably won’t. If you document your actions, you don’t have to waste precious time reinventing the wheel (or the fix) all over again.

Some admins don’t want to document what they do because they think that if they keep it all in their heads, they’ll be indispensible. In truth, no one is ever irreplaceable — and by making it difficult for anyone else to learn your job, you make it less likely that you’ll ever get promoted out of the job.

Besides, what if you got hit by a truck crossing the street? Do you really want the company to come to a standstill because nobody knows the passwords to the administrative accounts or has a clue about how you have things set up and what daily duties you have to perform to keep the network running smoothly?

#8: Failing to test backups

One of the things that home users end up regretting the most is forgetting to back up their important data — and thus losing it all when a hard drive fails. Most IT pros understand the importance of backing up and do it on a regular schedule. What some busy admins don’t remember to do regularly is test those backups to make sure that the data really is there and that it can be restored.

Remember that making the backup is only the first step. You need to ensure that those backups will work if and when you need them.

#9: Overpromising and underdelivering

When your boss is pressuring you for answers to questions like “When can you have all the desktop systems upgraded to the new version of the software?” or “How much will it cost to get the new database server up and running?”, your natural tendency may be to give a response that makes you look good. But if you make promises you can’t keep and come in late or over budget, you do yourself more damage than good.

A good rule of thumb in any business is to underpromise and overdeliver instead of doing the opposite. If you think it will take two weeks to deploy a new system, give yourself some wiggle room and promise it in three weeks. If you’re pretty sure you’ll be able to buy the hardware you need for $10,000, ask for $12,000 just in case. Your boss will be impressed when you get the project done days ahead of time or spend less money than expected.

#10: Being afraid to ask for help

Ego is a funny thing, and many IT administrators have a lot invested in theirs. When it comes to technology, you may be reluctant to admit that you don’t know it all, and thus afraid — or embarrassed — to ask for help. I’ve know MCSEs and MVPs who couldn’t bear to seek help from colleagues because they felt they were supposed to be the “experts” and that their reputations would be hurt if they admitted otherwise. But plunging ahead with a project when you don’t know what you’re doing can get you in hot water, cost the company money, and even cost you your job.

If you’re in over your head, be willing to admit it and seek help from someone more knowledgeable about the subject. You can save days, weeks, or even months of grief by doing so.

Microsoft kicks fake security software off 400,000 PCs

In the second month of a campaign against fake security software, Microsoft has booted the rogue application “Antivirus 2009” from almost 400,000 PCs, the company recently claimed.

December’s version of the Malicious Software Removal Tool (MSRT), a free utility that Microsoft pushes to Windows users as part of Patch Tuesday, targeted one of the most popular phony security app, Antivirus 2009. According to Microsoft, the MSRT erased the fake from over 394,000 PCs in the first nine days after it released this month’s edition on Dec. 9.

Last month, Microsoft trumpeted a similar cleaning operation against another family of bogus security software that it said had purged nearly a million machines of programs like “Advanced Antivirus,” “Ultimate Antivirus 2008” and “XPert Antivirus.”

December’s campaign targeted a different family — dubbed “W32/FakeXPA” by Microsoft — that includes fake security software going by names such as “Antivirus XP,” “AntivirusXP 2008” and “Antivirus 2009.”

Windows users increasingly have been plagued with worthless security software as criminals bundle the money makers with other malware or seed significant users with waves of spam touting the programs. According to one researcher, cybercrooks can pull in as much as $5 million a year by installing the rogue programs on PCs, then dunning users with infection claims and constant pop-ups until the victims pay $40 or $50 to purchase the useless applications.

Microsoft also aimed the December version of MSRT at an affiliated piece of malware, called “W32/Yektel,” that works alongside W32FakeXPA and is often bundled with the phony security software.

Classified by Microsoft as a Trojan horse, Yektel takes advantage of users’ worries about browser security by inserting false warnings into Internet Explorer. Those warnings, explained Microsoft researcher Hamish O’Dea in a post to the company’s malware protection center blog two weeks ago, appear at random and mimic IE’s own legitimate drop-down alerts.

Newer variations of the Yektel Trojan go a step further, and insert phony warnings into Google search results, said O’Dea. Whenever these even-sneakier versions detect IE rendering a URL that includes “google,” it inserts a fake message that reads “Google has detected unregistered Antivirus 2009 copy on your computer. Google recommends you activate Antivirus 2009 to protect your PC from malicious intrusions from the Internet.”
The links from Yektel’s IE and Google warnings, of course, take users to a Web site where users are urged to pay $50 to register Antivirus 2009.

Windows users can download the MSRT manually from Microsoft’s Web site or via the Windows Update service.

Most Profitable (Recession-Proof) Products

Since I was on maternity leave in Aug/Sept, I’m behind on some of my readings.  I found a great article from Channel Insider dated 9/23/08.  We are in a good space to be servicing technology as the economic slow down (or crisis if you want to see it that way) will not drastically affect the services we provide.  This article looks at the top 10 technologies that remain high in demand and produce healthy profits.

10. Point of Sales/Commerce Applications – Go Quickbooks – The CMIT family has many certified QB POS technicians so reach out and keep the business in the family.

9.  Network Infrastructure – as Sun Microsystems said “The network is the computer.”  Small Business owners need network connectivity more than ever and we will continue to deliver.

8.  Application Development – SharePoint anyone???  My expectation is that SharePoint development will take off this year and really help the small business.

7.  Enterprise Application – SMBs are realizing that the cheap open source products they started using don’t cut it.  They are now looking to pay for feature-rich and dynamic applications that help optimize business performance.

6.  Storage Solutions – I believe storage virtualization will grow in 2009 and beyond.  For now, leverage CMIT’s great prices with Dell or a managed hosted server through our partnership at Rackspace.

5.  Business Intelligence Software – There is an opportunity for software sales but most importantly, professional services opportunities which means longer engagements and higher margins!

4.  Mobility Solutions – Small Business owners will begin to make the entire office mobile so solutions for security and management will be on the rise.

3.  Managed Services – Channel Insider describes it as “white hot”.  CMIT was one of the first solution providers to start selling managed services in Q4 of 2006.  Less than 2 short years we have realized what a game changer it is for our industry.  Dell and other big players will help educate the market that proactive management is a MUST.  CMIT Marathon will continue to be a hot seller!

2.  Software as a Service (SaaS) – The ease of management and upgrades will keep this on the top of the list.  CMIT will continue to provide solutions like CMIT Anti-spam that make SaaS a key part of our services.

1.  Security – We were right about launching CMIT Guardian as our next product line.  This solution keeps the small business protected with an onsite and offsite backup strategy.  With a 2008 profitability rating of 31%, there is no better time than to promote CMIT Guardian.

What a good article!  Click here to view it for yourself.