Reporting Spam?
21/02/11 05:38 Filed in: Security

Just a quick link for those of you that find chronic SPAM as frustrating as I do. It is a lot simpler to report SPAM to the FTC than it used to be. Just forward it to spam@uce.gov and you are done. Reported SPAM is collected into a BIG database for analysis and forwarded onto a case worker.
Security? Security You Say? Hah!
11/02/11 19:20 Filed in: Security

by: Tom Williams, Editor and Chief
OK, folks, let’s get real. If you put it on a computer and that computer is connected to a network, it’s not secure. It may be difficult to get to, but it’s just plain not secure. I know, I know—I will surely get blowback explaining things that the responders are not “at liberty” to fully explain, telling me that things really can be made secure. But I’m not buying it. We’ve seen too much.
The recent WikiLeaks imbroglio is but the latest example. When some Pfc can walk into his workplace with a Lady Gaga CD and walk out with all kinds of military and State Department cables, the word “security” becomes a laughing stock. Yes, I know there are higher levels of security and more “secure” networks, but all these things are really just a means of making difficulty of access appear greater than the value of that access to the intruder. They do not make the systems “secure.” In the case of the WikiLeaks breach, that relation was insufficient.
The word “secure” comes from the Latin word “securus” meaning carefree, without care. It can also mean reckless or careless. It is the combination of se (without) plus curus (care). People working on computer security are definitely not carefree types. They are better off as paranoids. Securus is what we are not.
At the time of this writing, the WikiLeaks upset is still in full swing. Recently there have been—in addition to the attempts of several governments to take down WikiLeaks—attacks by anonymous WikiLeaks hacker support groups against organizations they perceive as opposed to their champion. They have at least temporarily taken down sites for Master Card, Visa and a Swiss bank to mention a few. What we have been seeing is the outbreak of the world’s first infowar. Most of these have been denial of service attacks but things could easily turn more ominous and may give us a picture of what might happen if the PhD-studded cybertroops of nation states started going after each other. The recent rather successful attack on Iranian nuclear sites with the now infamous Stuxnet worm is an example.
There is an irony in all this. The more our advanced technologies like power generation, transportation and communication depend on embedded computer intelligence, the more vulnerable they become to attacks using the same technology they are based upon. For example, the Smart Grid is, in most informed opinions, essential to a more efficient, reliable and expandable system for energy distribution. Still, it depends heavily on embedded intelligence and networking—all of which can be compromised if hackers can breach the perimeter. It is being designed to prevent the uncontrolled spread of accidental outages but could as easily leverage the spread of intentional malicious access.
We constantly hear hype about “evaluation assurance levels,” e.g., “EAL-5,” as if these meant anything about actual security. They are assurance levels that the claims made about the security of a software product have been evaluated to that level of assurance. To know anything about the actual security of the product, you also have to carefully examine those claims. And some of the documents filed that describe the strength of the security that is supposedly provided can have some pretty slippery language.
But hype doesn’t make us secure. Besides, that which technology can supposedly reliably protect can also be breached by people by means of carelessness (there’s that word again), subterfuge or sex. How do we know there was only one Pfc with a Lady Gaga disc? How do we know there aren’t more of them and more sophisticated breachers going after even higher-level networks? The fact is that we don’t. The fact is that we never will for certain. The fact is that if you put it onto a computer that is connected to a network, it is not secure. It is at the very best simply more difficult to access than some bad guy feels is worth the trouble.
In the end, of course, that is actually worth something. We have to try. We have to do better. But we cannot operate on illusions. We have to at some point be prepared for a catastrophic breakthrough. And we have to have the means of recovery at hand. What that might entail has been little studied, or at least little discussed. Could the same Smart Grid that is being designed to limit the scope of an outage also be designed to automatically detect and limit the damage caused by an intentional break-in? Could such techniques be applied to other systems? Maybe if we admit that the walls will never be perfect, we can develop more in-depth resistance to damage to go along with increased efforts to achieve the unachievable—complete security.
Bob's Note: Normally I don't pass on Internet articles, but this person is spot on. Short, to the point and correct in his findings.
Speed Up My PC - SCAM-
31/01/11 16:25 Filed in: Security

Note: If you use a Mac or a Linux-based computer, disregard this. You don't need any manual tuning.
1) Use Microsoft update and be sure to choose the "Custom" option. Select all the updates (except MS Live) and update your system. http://www.update.microsoft.com/
2) Remove ALL unnecessary programs. If you don't use it, delete it! Be careful and use the uninstaller that came with your program. If you get too aggressive, you can break things!
3) Update all of your programs, not just the Operating System. Often vendors will release fixes for problems, patch security holes and maybe even add new features.
4) FREE AV Program! Yes, it is FREE from Microsoft. http://www.microsoft.com/security_essentials/
5) Piriform is your friend. Get and use their CCleaner and Defraggler products. Again... FREE. Note: Don't schedule Defraggler; it will wear out your drives by doing a lot of unnecessary maintenance. Also be sure to use the Registry Check feature in CCleaner. http://www.piriform.com/
That's it! You have safely tuned your PC without inviting questionable entities into your computer. Did I mention that it was FREE?
IT Turnover
25/01/11 15:30 Filed in: Security

Workforce turnover in any form is a pain. There are some specific issues related to IT turnover that need to be addressed when the time comes. This guideline is focused on permanent, temporary, vendor and non-binding contract situations.
Before Notice is Given:
1) Define what assets are in play. Make sure all persons involved are notified of the impending change. Note issues that need to be addressed in the turnover process. Realistic time to deal with any issues is about 8 hours before notifying HR.
2) Notify HR and deal with any paperwork they have. Have everything you need (including last payment) for the termination session. If a contract worker or vendor is leaving, be sure to pay their last invoice promptly.
3) Notify IT. Make sure all access to systems is changed according to company policy. If the person leaving has access to any system administration logins, ALL passwords will need to be reset system-wide (not just the Admin).
Note: Changing of all passwords applies to inter-company transfers as well. If the person is no longer in a sysadmin role or a position needing "root" access to the systems, ALL passwords will need to be changed.
4) Go to the work area and box the person's personal effects. Ask co-workers if there is anything in the common areas that needs to be removed as well.
As Soon as Notice is Given:
1) Have someone in the termination room to act as escort. It may be best to have security or someone from another department to be the escort. The less chit-chat the better.
For security reasons it is not advised to give any notice (by either person or company) of termination intent. It may sound rude, but it is a MAJOR security issue to have a "short timer" with access to IT assets.
2) Collect any keys or company material in the person's possession. Be sure to account for any additional material that cannot be readily collected.
3) Once notice is given and paperwork is signed, give the person their personal effects and escort them out of the building. No stops along the way.
After Notice is Given:
1) Send email to all employees notifying them of the personnel change. Scuttlebutt can do a lot of damage. Be professional and give people closure. List the person involved, the person temporarily taking over duties, and where to forward questions.
2) Notify vendors and clients of changeover. Let them know the new contacts they will be using. It is unnerving trying to contact a vendor to be told my account is being serviced elsewhere or by someone else.
3) Be sure to send amended contracts to parties that need them, even if on a temporary basis.
Bringing in New Talent:
1) Brief the new person as best you can (without violating any ethics) on what happened to the previous person.
2) Introduce the new person to co-workers, vendors and clients.
3) Make sure the work area has been properly prepared for new occupancy.
4) Amend any contracts that may be in place. This is also a good tool to get the new person familiar with commitments that need to be kept while occupying the position.
This entry is a work in progress. Check back often as I will be adding to it as more information comes to light. There are no specific IT termination processes readily available, so lots of changes will be made.
Company Reputation
24/01/11 13:29 Filed in: Work

I just had a reminder how important corporate image is on the net. (My bad spelling and grammar aside.) Quest sent me an email asking me to verify my "Free Listing". Of course they butchered the company name, had old phone numbers and we were even miscategorized as Plumbers!
We spend a lot of money in advertising and take great pains to ensure our company's reputation remains intact. All it takes is one person with a grudge to cause irreparable damage to an on-line reputation as well as overall loss of revenue.
The real pain in the butt is that there are so many social media outlets, review and rating sites, that it is almost impossible to keep track of what people are saying about you and your company. Time for Google Alerts.
Google Alerts is easy to set up. Just log into your Google account (or create one) and enter up to 5 search terms. Be careful in choosing your terms. If they are too general, you will get lots of useless information. Too specific and you will not get anything. Fortunately "Datajockeys" and "HeliosNyx" are rare terms so we get great results. Terms are easily changed to fine-tune your results.
I strongly suggest to all of my clients that they take advantage of this free service. Besides Quest's mucking up our company information, there were users using our corporate identity to establish user accounts on various forums. Most professional system administrators are quick to resolve copyright and corp identity issues. Just contact them (politely) and let them know your concerns. If you don't get the results you want, please contact us.