Blog - BizTek Connection, Inc.


POODLE Bug (AKA POODLEbleed)

Another bug has recently been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol which could be exploited to intercept data that’s supposed to be encrypted between computers and servers. This was discovered by three Google security researchers who went on to offer detailed info about how it could be exploited. That info is readily available but far too technical for this medium.

It is important to note that this is NOT a flaw in SSL certificates, their private keys, or their design but in the old SSLv3 protocol.  SSL Certificates themselves are not affected and customers with certificates on servers supporting SSL 3.0 do not need to replace them.

Public Wi-Fi hotspots make this attack a real problem. It falls into the “man-in-the-middle” category: an attacker who controls the network between the computer and the server can interfere with the handshake used to agree on which cryptography protocol the two sides will use. By blocking handshakes at the newer protocol versions, the attacker triggers the browser’s retry behaviour, what is referred to as a “protocol downgrade dance”, until the connection falls back to the older SSL 3.0 protocol to protect the data being sent. Attackers can then exploit the bug by carrying out a man-in-the-middle (MITM) attack to decrypt secure HTTP cookies, which in turn could let them steal information or take control of the victim’s online accounts. Remediation by webmasters around the world has already begun, but there still remains a lot of work to be done.

What End-Users Need to Do

For end-users accessing websites, Symantec recommends:

  1. Check to see if SSL 3.0 is disabled on your browser (for example, in Internet Explorer it is under Internet Options, Advanced Settings).
  2. Avoid MITM attacks by making sure “HTTPS” is always on the websites you visit.
  3. Monitor any notices from the vendors you use regarding recommendations to update software or passwords.
  4. Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.
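The downgrade dance, and why step 1 (disabling SSL 3.0 in the browser) defeats it, can be seen in a small simulation. This is an added example, not code from the original post: it models the handshake as data rather than speaking real TLS, and the TLS_FALLBACK_SCSV signal (RFC 7507) it includes is the countermeasure browsers and servers adopted, not something described above.

```python
"""Model of the SSL 3.0 'protocol downgrade dance'.

Constructed simulation, not real TLS: a client that retries with the next
older protocol whenever a handshake fails, a server with a configurable set
of protocol versions, and an on-path attacker that drops every handshake
offering anything newer than SSL 3.0.
"""
from dataclasses import dataclass

# Strongest first; the client walks this list downwards on failure.
VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"]


def _rank(version: str) -> int:
    return VERSIONS.index(version)


@dataclass
class Server:
    supported: frozenset          # versions this server will negotiate
    honours_fallback_scsv: bool   # rejects downgraded retries it knows are unnecessary

    def best_version(self) -> str:
        return min(self.supported, key=_rank)

    def handshake(self, offered: str, fallback_signalled: bool) -> str:
        """Return the negotiated version, 'refused' or 'inappropriate_fallback'."""
        if offered not in self.supported:
            return "refused"
        if (fallback_signalled and self.honours_fallback_scsv
                and _rank(offered) > _rank(self.best_version())):
            # The client says it is retrying lower, but we support something
            # newer, so this retry was caused by interference: abort.
            return "inappropriate_fallback"
        return offered


@dataclass
class OnPathAttacker:
    """Drops every handshake that offers a version stronger than `force_to`."""
    force_to: str

    def lets_through(self, offered: str) -> bool:
        return _rank(offered) >= _rank(self.force_to)


def connect(client_versions, server, attacker=None, send_fallback_scsv=False):
    """Browser-style fallback: try each enabled version, strongest first.

    Returns the version finally used, or 'failed' if no connection was made.
    """
    for attempt, version in enumerate(client_versions):
        if attacker is not None and not attacker.lets_through(version):
            continue  # handshake never completed; client falls back
        outcome = server.handshake(version, fallback_signalled=send_fallback_scsv and attempt > 0)
        if outcome == "inappropriate_fallback":
            return "failed"
        if outcome != "refused":
            return outcome
    return "failed"


# Constructed scenarios (a 2014-era server that still accepts SSL 3.0).
LEGACY_SERVER = Server(frozenset(VERSIONS), honours_fallback_scsv=False)
PATCHED_SERVER = Server(frozenset(VERSIONS), honours_fallback_scsv=True)
NO_SSL3_SERVER = Server(frozenset(VERSIONS[:-1]), honours_fallback_scsv=False)
MITM = OnPathAttacker(force_to="SSLv3")

SSL3_ENABLED_CLIENT = VERSIONS         # browser default before the fix
SSL3_DISABLED_CLIENT = VERSIONS[:-1]   # end-user step 1 above


def scenarios() -> dict:
    return {
        "no_attack": connect(SSL3_ENABLED_CLIENT, LEGACY_SERVER),
        "downgraded": connect(SSL3_ENABLED_CLIENT, LEGACY_SERVER, MITM),
        "client_ssl3_off": connect(SSL3_DISABLED_CLIENT, LEGACY_SERVER, MITM),
        "server_ssl3_off": connect(SSL3_ENABLED_CLIENT, NO_SSL3_SERVER, MITM),
        "fallback_scsv": connect(SSL3_ENABLED_CLIENT, PATCHED_SERVER, MITM,
                                 send_fallback_scsv=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16s} -> {result}")
```

With SSL 3.0 disabled on either side the attacker can only break the connection, not downgrade it; the page's advice removes the weak version rather than trying to detect the interference.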

And, as always, if you have any questions or concerns, or need help, give us a call.

Posted in: Security


Here Data, There Data, Everywhere…

Without a doubt, you work hard to protect your corporate data.  It is the lifeblood of your company.  Whether competitive information about your products and services, or personnel and payroll data, a breach can cost your business everything.  And so far you’ve done an effective job of protecting your data.


But nothing stays the same.  We’re continuously forced into paradigm shifts by external factors.  One of today’s biggest challenges is the growth of mobile devices in the workplace.  Add to that your (hopefully) secure corporate Wi-Fi network, and the result is often that your highly protected corporate data begins walking out the door inside employees’ smartphones and tablets.

Even if you exclude the possibility of employee-initiated data theft, your corporate data is moving around everywhere.  A lost or stolen device can easily result in a hacker accessing that data.  If configured for mobile network access, that thief may also have access to your network.


Then, just when things seem complicated enough, in steps BYOD (Bring Your Own Device).  Many businesses are beginning to encourage (or require) their employees to work from their own desktop, laptop or mobile devices.  While a popular way to reduce the cost of business, particularly among sales departments, this practice further complicates the process of protecting your corporate data.

So what is a company to do?  Fortunately, these issues have already been addressed by other companies around the world.  One benefit of being a small-to-medium sized business is being able to learn from larger companies’ investments.  And as those solutions are replicated on a massive scale, the cost of implementation drops dramatically.


BizTek would like to assist you in addressing these potential nightmares.  One of our IT Consultants can meet with you to determine your best course of action.  There are numerous ways to protect your corporate lifeblood and we can help you navigate to the right decisions.  Give us a call today!


Making your technology seem invisible…

Posted in: Security, Tech Tips for Business Owners, Tips and Tricks


Managing Your Firm’s Password Security

If your organization hasn’t taken a good look at password security lately, you should.  Your corporate data is only as secure as the weakest password.  Anyone who works at a Fortune 1000 company can tell you that the strength of their passwords is managed, along with the frequency of changing them.  This article is designed to provide you with an overview of best practices.

Password Enforcement

Most password policies can be enforced automatically by a domain controller.  Once established, your policies will be enforced without any human intervention.  BizTek is happy to assist you in this process.

Password Strength

Policies should require a minimum password length (eight characters is typical but may not be appropriate).


Policies should have requirements on what type of password a user can choose, such as:

  • The use of both upper- and lower-case letters (case sensitivity)
  • Inclusion of one or more numerical digits
  • Inclusion of special characters, e.g. @, #, $
  • Prohibition of words found in a dictionary or the user’s personal information
  • Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
  • Prohibition of use of the organization name or an abbreviation


Password Duration

Policies can require users to change passwords periodically, e.g. every 90 or 180 days.  Systems that implement such policies should prevent users from picking a password too close to a previous selection.


Unlike computers, humans cannot easily delete one memory and replace it with another.  Consequently, changing a memorized password is very difficult, and most users resort to choosing a password that is easy to guess.

If choosing between the two, requiring a very strong password and not requiring that it be changed regularly is often better. However, this approach does have a major drawback: if an unauthorized person acquires a password and uses it without being detected, that person may have unauthorized access to your network for an indefinite period of time.


Common Password Practice

Password policies often include advice on proper password management such as:

  • Never share a computer account
  • Never use the same password for more than one account
  • Never tell a password to anyone, including people who claim to be from customer service or security
  • Never write down a password
  • Never communicate a password by telephone, e-mail, text or instant messaging
  • Always log off before leaving a computer unattended
  • Change passwords whenever there is suspicion that they may have been compromised
  • Operating system and application passwords should be different
  • Passwords should be alpha-numeric and include a symbol


Password Generation

Strategies can be used to create passwords that are easy to remember while still meeting the strength requirements.  Symbols and numbers can be substituted for letters in memorable words, e.g. Gun$m0ke, An!ma1Hou$3.  Or phrases can be used, e.g. “A penny saved is a penny earned” = Apsiape.  And combinations of both, e.g. Ap$!ap3.
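The strength rules, the prohibited formats, the organization-name rule and the “too close to a previous password” rule above can be turned into one automated check. This is an added example, not code from the original post or any product; the word list, the user details, the regular expressions for date/phone/plate formats and the “too close” threshold are constructed for illustration.

```python
"""Password-policy checker for the rules listed in the post above."""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8
HISTORY_MIN_DISTANCE = 3   # edit distance below this counts as 'too close'
# Constructed mini word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "winter", "spaceship",
              "animal", "house", "penny", "letmein"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Formats the policy prohibits: calendar dates, telephone numbers, plates.
DATE_RE = re.compile(r"\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}"      # 12/25/1999, 1-2-99
                     r"|\d{4}[-/.]\d{2}[-/.]\d{2}"           # 1999-12-25
                     r"|(?<!\d)(\d{6}|\d{8})(?!\d)")         # 122599, 12251999
PHONE_RE = re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}"      # (501) 555-0100
                      r"|(?<!\d)(\d{7}|\d{10})(?!\d)")       # 5550100, 5015550100
PLATE_RE = re.compile(r"(?<![A-Za-z])[A-Za-z]{3}[- ]?\d{3,4}(?!\d)")  # ABC-1234


@dataclass
class UserContext:
    username: str
    full_name: str
    org_name: str
    org_abbrev: str
    previous_passwords: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the password-history closeness test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, user: UserContext) -> list:
    """Return the sorted list of policy violations (empty means acceptable)."""
    problems = set()
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.add("too_short")
    if not any(c.isupper() for c in candidate):
        problems.add("no_upper")
    if not any(c.islower() for c in candidate):
        problems.add("no_lower")
    if not any(c.isdigit() for c in candidate):
        problems.add("no_digit")
    if not any(c in SPECIALS for c in candidate):
        problems.add("no_special")
    # Dictionary words and personal details are checked as plain substrings.
    if any(word in lowered for word in DICTIONARY if len(word) >= 4):
        problems.add("dictionary_word")
    personal = [user.username] + user.full_name.split()
    if any(p.lower() in lowered for p in personal if len(p) >= 3):
        problems.add("personal_info")
    if DATE_RE.search(candidate):
        problems.add("date_like")
    if PHONE_RE.search(candidate):
        problems.add("phone_like")
    if PLATE_RE.search(candidate):
        problems.add("plate_like")
    org_tokens = [user.org_name] + user.org_name.split() + [user.org_abbrev]
    if any(t.lower() in lowered for t in org_tokens if len(t) >= 3):
        problems.add("org_name")
    if any(edit_distance(lowered, old.lower()) < HISTORY_MIN_DISTANCE
           for old in user.previous_passwords):
        problems.add("too_close_to_previous")
    return sorted(problems)


if __name__ == "__main__":
    # Constructed user; the candidates are the post's own examples plus bad ones.
    ctx = UserContext("jsmith", "John Smith", "BizTek Connection", "BTC", ["Ap$!ap3"])
    for pw in ["Gun$m0ke", "An!ma1Hou$3", "Ap$!ap3", "Smith2024", "btc-12/25/1999"]:
        print(f"{pw:16s} {check_password(pw, ctx) or 'OK'}")
```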

Posted in: Security, Tech Tips for Business Owners, Tips and Tricks


Managing Personal Passwords

Password Management Tools

Today there is a growing number of password management tools that can manage the myriad passwords you have to keep up with.  Many are free, some with premium versions available, and their feature sets are converging.  Frequently you can even import passwords from one tool to another.  Having been around for years, they are proving themselves to be secure and easy to use.

Some of the most popular password managers:

  • LastPass
  • Dashlane
  • RoboForm
  • PasswordBox


Typical features

Password Generation – Based on your settings, the password manager will randomly create and retain a strong password for new sites; options may include number of characters, symbols, numbers, upper and lower case.

Password Vaulting – Your passwords are stored securely and automatically available (and entered) when you return to the site.  Your access to the vault is protected by one single master password.  Obviously, this master password must be one that you can remember, and one that is difficult to crack.

Biometric Access – Some password managers will allow, or (optionally) require, fingerprint based authentication.

Browser Agnostic – Most password managers can be used with almost any browser.  So you can switch from Internet Explorer to Google Chrome to Firefox.  Some even support Opera and Safari.

Form Filling – Rather than constantly inputting your name, address, company name, email address, your password manager can insert this information for you.  You can even set up your credit card information and checking accounts to eliminate the hassle of ordering online.

Portability – Some password managers will sync your information between multiple devices, all requiring the same master password.  This is helpful when going from desktop to tablet PC to smartphone.

Password Strength Monitoring – Many of the password managers will automatically inform you when you have passwords that are too weak.


If you are not currently using a password manager, you probably resort to writing down each of your passwords, or using the same password over and over.  Obviously, either of these methods is what the hackers are looking for.  Crack one password and they can take over your digital life.

Posted in: Security, Tech Tips for Business Owners, Tips and Tricks


Still Using Windows XP?

Some of our clients continue to use the Windows XP operating system, in spite of the fact that Microsoft ceased supporting this OS last April.  That means no more updates and security patches.  It is hard to believe that this OS has been around for 13 years… a venerable dinosaur by technology standards.  Still, 24% of all PC users are refusing to give up XP (“from these cold, dead hands…”).  Some have even asked Microsoft to develop an XP2, but they have no reason to go backwards.  They are busy rolling out Windows 9 in early October, which is the third OS delivered since XP.

So what’s so wrong about sticking with XP?
First, there are the security concerns.  Traditionally, hackers have taken advantage of operating systems reaching “end of life” support.  They recognize that if they identify any weaknesses in XP’s armor, they can plunder at will without fear of Microsoft coming to the rescue.  And given their target market is currently 24% of all PC users, there’s much to be gained.

Second, XP’s initial replacement has been around since October 2009.  So any XP machines currently running are a minimum of 5 years old, and up to 13 years old.  Most IT professionals recommend businesses refresh their PCs every 3 to 4 years.  This not only maintains current technology, but avoids the expense and frustration of PCs bogging down from bloated hard drives and aging parts.  If you are running any XP machines, you have certainly gotten your money’s worth.

Finally, as mentioned earlier, Microsoft is not going to return to the XP operating system.  The good news is that Windows 9 will bring back the beloved Start menu.  They will continue to add features that enable a user to switch seamlessly between their desktop and mobile devices.  They will be introducing Cortana to the desktop (Microsoft’s version of Siri).  All this is to say that, like it or not, your choices going forward are to leave behind XP, in favor of the newer Windows, Apple or Android operating systems.  It is just a matter of how long you hold out, and the longer you do, the more difficult it will be to make that conversion.

As someone that recently converted from Windows 7 to 8, I can tell you that while it takes some getting used to, the change wasn’t traumatic at all.  But moving from XP to Windows 9 would most likely be.

Posted in: Security, Tech Tips for Business Owners, Tips and Tricks, Windows 7, Windows 8


WordPress MailPoet Plugin (wysija-newsletters) Has BIG Bug

It seems that every time we turn around, someone has found a new way to exploit a weakness in the programs on our computers, our operating systems, and even the websites and servers we use to promote our businesses.  Today is no exception.  There is another serious security vulnerability in the MailPoet WordPress plugin: outdated versions of MailPoet allow an attacker to upload any file remotely to the vulnerable website without any username or password being required.

File uploads of this type are used to add code to your site that can turn it into a spam sender, or make it sell products that you know nothing about and earn nothing from.  Basically, they can open your site to just about anyone to do just about anything they want.  Any way you slice it, this is a serious issue. The MailPoet plugin (wysija-newsletters) is a very popular WordPress plugin with over 1,700,000 downloads so far. This vulnerability has been patched!  So, if you run the WordPress MailPoet plugin, please upgrade ASAP!

Are you affected?

If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges or accounts on the target site. This is a major threat; it means every single website using the plugin is vulnerable.

The only safe version is 2.6.7, which was released just a few hours ago (July 1, 2014).

Why is it so dangerous?

This vulnerability gives a potential intruder the power to do anything they want on a victim’s website. It allows any PHP file to be uploaded, which lets an attacker use your website for phishing lures, send spam, host malware, infect other customers (on a shared server), and so on!

Technical Details

Because of the nature of the vulnerability, specifically its severity, I won’t go into the technical details. The basic cause, however, is something all plugin developers should be mindful of: the developers assumed that WordPress’s “admin_init” hook only fires when an administrator user visits a page inside /wp-admin/.

It is an easy mistake to make, and they used that hook (admin_init) to verify that a specific user was allowed to upload files.

However, any call to /wp-admin/admin-post.php also executes this hook, without requiring the user to be authenticated, which made their theme upload functionality available to everybody. The lesson is that an authorization check belongs on the upload action itself (WordPress provides current_user_can() for exactly this), not on the assumption that a particular hook only runs for administrators.

How should you protect yourself?

Again, update the plugin as soon as possible! Keeping WordPress and all plugins updated is the first step to keeping your sites secure. If you don’t know how to do this, or are not even sure whether your site is using this plugin, give us a call at 501.542.4241. We’ll help mitigate any risks.

Posted in: Malware, Security


TimThumb WebShot Zero Day Exploit

I have no idea whether you are, or aren’t, still using TimThumb WebShot after a serious vulnerability was discovered last year, but if you are, you may want to rethink it now.

A zero-day exploit is one where there is no time delay between a particular vulnerability being discovered and an exploit being released into the “wild”.  And there’s a new zero-day that was just disclosed in TimThumb’s “WebShot” feature.  Simply put, this exploit allows certain commands to be executed on the vulnerable website remotely without any authentication (username/password) being required. With a simple command, an attacker can create, remove and modify any files on your server.

I could bore you with examples but, simply put, someone could remove and/or create files using nothing more than a crafted URL typed into a browser’s address bar.  Those two simple things are not the only possibilities; many other commands can be executed remotely (remote code execution).

Are you vulnerable?

The good news is that TimThumb comes with the WebShot option disabled by default, so only a few TimThumb installations are vulnerable. However, you should check that your timthumb file does not have this option enabled. Open your timthumb file (inside your theme or plugin), search for “WEBSHOT_ENABLED” and make sure it is set to false, just like this one:

define ('WEBSHOT_ENABLED', false);

If it is enabled, you have to disable it asap.
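A site with several themes and plugins may carry more than one copy of TimThumb, sometimes under a different file name, so here is a small audit script for the setting above. This is an added example, not code from the original post or from TimThumb itself; the sample file contents it scans are constructed stand-ins, and its comment stripping is a simple heuristic that ignores block comments.

```python
"""Audit a WordPress themes/plugins tree for TimThumb copies and report the
WEBSHOT_ENABLED setting of each one. The sample files written by demo_scan()
are constructed stand-ins, not real TimThumb source.
"""
import os
import re
import tempfile

# define('WEBSHOT_ENABLED', true);  in any quoting/spacing/case variant
WEBSHOT_RE = re.compile(
    r"define\s*\(\s*['\"]WEBSHOT_ENABLED['\"]\s*,\s*(true|false)\s*\)", re.I)
# A file is treated as a TimThumb copy if its name or its contents say so.
TIMTHUMB_MARKERS = ("timthumb", "webshot_enabled")


def webshot_status(php_source: str) -> str:
    """Return 'enabled', 'disabled' or 'undefined' (option absent; default is off)."""
    # Heuristic: drop whole-line // and # comments so a commented-out define
    # neither hides nor fakes the live setting. Block comments are not handled.
    live = "\n".join(line for line in php_source.splitlines()
                     if not line.lstrip().startswith(("//", "#")))
    found = WEBSHOT_RE.findall(live)
    if not found:
        return "undefined"
    # PHP keeps the first define() of a constant; later duplicates are ignored.
    return "enabled" if found[0].lower() == "true" else "disabled"


def scan_for_webshot(root: str) -> dict:
    """Map every PHP file under root that looks like TimThumb to its status."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            haystack = name.lower() + "\n" + source.lower()
            if any(marker in haystack for marker in TIMTHUMB_MARKERS):
                findings[path] = webshot_status(source)
    return findings


# Constructed sample tree: one safe copy, one exposed renamed copy, one old
# build without the option, and an unrelated file that must be ignored.
SAMPLE_FILES = {
    "theme-a/timthumb.php": "<?php\n// define('WEBSHOT_ENABLED', true);\n"
                            "define ('WEBSHOT_ENABLED', false);\n",
    "plugin-b/thumb.php": "<?php\n/* TimThumb copy */\nDEFINE(\"WEBSHOT_ENABLED\", TRUE);\n",
    "theme-c/timthumb.php": "<?php\n// old build without the webshot option\n",
    "theme-c/functions.php": "<?php\n// unrelated theme code\n",
}


def demo_scan() -> dict:
    """Write the sample tree to a temp dir, scan it, return {relative path: status}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.relpath(path, root).replace(os.sep, "/"): status
                for path, status in scan_for_webshot(root).items()}


if __name__ == "__main__":
    for path, status in sorted(demo_scan().items()):
        flag = "  <-- disable this!" if status == "enabled" else ""
        print(f"{status:9s} {path}{flag}")
```

Point scan_for_webshot() at wp-content/ on a real site to get the same report for every copy it finds.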

We can help you both check for this vulnerability and mitigate any you find, if you need our help.  Another piece of good news is that we offer a website firewall that will automatically protect against this vulnerability, and many others.

Posted in: Malware


Another Zero Day Exploit Affects Almost ALL Versions of IE

A zero-day attack is an attack that exploits a new vulnerability that developers have not had time to address and patch.  Simply put, the name comes from the idea that there were zero days between the time the vulnerability was discovered (made public) and the first attack.  In this case, Microsoft has confirmed a vulnerability in Internet Explorer that could allow remote code execution.

As you might expect, Microsoft is scrambling to fix a security flaw in its browser (Internet Explorer) that could allow a hacker to remotely execute malicious code if a user visits an infected website.  It’s important to know that there is no way for an attacker to force you to the infected site, so this is normally accomplished by convincing the user to visit it, typically by getting them to click a link in an email or instant message.

Enhanced Protected Mode, which is enabled by default on IE 10 and IE 11, will help protect against this risk. You can also use Google Chrome or Firefox, since this particular exploit doesn’t appear to involve those browsers.  But, even more importantly, you can simply avoid clicking on suspicious links!  You may ask: what is a suspicious link?  In my opinion, any link in a message sent to me from any external source.  I know that may be a bit “over the top”, but I see the repercussions from people clicking those links almost every day.

Not to sound like a broken record, but clicking links in messages sent to you, even from people you know and trust, is a risky venture.  It is extremely common for attackers to mimic the email address of someone you know to get you to click that link.  It’s always a best practice to contact the sender of a message to confirm that they sent it and that there is a valid reason to visit the site by clicking the link embedded in the message.  As a general rule of thumb, whenever I receive a message with a link, even if it’s from a trusted source and they have confirmed the message to be valid, I type the entire URL into the address bar rather than clicking the link.

Exploits are, and will always be, around.  I’ve frequently said that whatever one person is bright enough to create, another is bright enough to break (or exploit, in this case).  So, do everything you can to mitigate the risks, including exploring a different browser AND being extremely skeptical about clicking links in messages.

Posted in: Malware


Microsoft OneDrive/SkyDrive Changes: 10 Things to Expect

It’s official. Microsoft’s SkyDrive has officially become OneDrive. I’ve heard a lot of questions related to “Why?” The rebranding wasn’t one of choice, but follows a bitter legal battle with the United Kingdom’s British Sky Broadcasting, or BSkyB. It was a simple matter of making the change rather than wasting time and money trying to win what looked like a losing battle.  Whatever the reason, SkyDrive is dead, and OneDrive appears to be here to stay. Overall, OneDrive is an awful lot like SkyDrive, including its design layout and feature set. Still, the platform is notable in that it’s Microsoft’s best effort yet to compete with cloud-storage services from Google and other players in the market. It’s also arguably one of the most important online services the company will offer in the coming years as the cloud continues to evolve into an integral component of the average person’s life. I’ll give you some basic bullet points to outline both new and old features, and key factors for your consideration.  Here is what to expect from OneDrive.

  • The overall look and feel will be similar since Microsoft was forced to make the transition from SkyDrive to OneDrive somewhat quickly. Those who had been using SkyDrive will find that getting around the service is simple, and completing many of the same tasks won’t require any breaking in, which is a good thing.
  • Microsoft is offering Free Storage.  In a continued effort to entice new users to sign up for OneDrive, they are giving free storage. Microsoft says that every new person who signs up for the cloud solution will get 7GB of free storage. Beyond that, there are some nominal fees that will be accrued annually.
  • There is a “Refer-a-Friend” to bring on new members to OneDrive. The company said in a blog post Feb. 19 that customers who refer others to OneDrive will receive 500MB free, up to a maximum of 5GB free. Microsoft is even giving customers 3GB free when they use its camera backup feature.
  • Pick a Device, Any Device! One of the nice things about Microsoft’s OneDrive is that it’s available on just about every device imaginable. The service works with Android handsets, can connect to Windows PCs and works on Macs. The service also works exceptionally well on the Xbox One, and allows users to back up files from iOS. Ubiquity might be a key reason OneDrive could eventually enjoy success.
  • Automatic Android Photo Backup is one new feature of OneDrive.  This feature allows users to set their Android handsets so that as soon as an image is taken, it’s automatically backed up to their OneDrive. The feature is similar to the automatic backup available with OneDrive on iOS and Windows Phone 8.
  • Sharing Videos Just Got Easier!  One of the issues SkyDrive users were having was the general inability to quickly and easily share and watch videos. In many cases, they were forced to wait an inordinate amount of time to access the content. That has been solved with OneDrive. Microsoft says that the issues users were previously experiencing are now gone, which should allow for a more entertaining time watching videos.
  • Office Web Apps? Still There! Office Web Apps are still accessible from OneDrive. Users can access and view Office files, as well as edit Word, Excel, PowerPoint and OneNote documents. OneDrive also includes the ability to integrate those files with the desktop versions of Office.
  • Microsoft Added Real-Time Document Collaboration, which is, in many people’s opinion, one of the biggest improvements to OneDrive!  With that feature, users in a corporate environment (or friends on the consumer side) can work on the same document in real time without fear of OneDrive losing the latest version. It’s something that Google Drive users have had for a while, and it’s nice to see Microsoft offering a similar solution.
  • Microsoft’s “Smart Integration”  works with Third-Party Apps!  Microsoft realizes that, in order to be successful, its offering must be capable of playing nice with any and all third-party services. We’ve already mentioned support for Macs, iOS and Android, but Microsoft also allows users to seamlessly share photos or videos to Facebook or email. After recording game play from the Xbox One, the content can be uploaded to OneDrive and shared with others. Microsoft is platform-agnostic with OneDrive and should be commended for that.
  • There’s an Act-Fast Opportunity… This one might have a short shelf life, but Microsoft announced that it will be giving away 100GB of free storage for one year to 100,000 people. Microsoft hasn’t said exactly how it will determine who gets the free storage, but it has urged users to follow its Twitter page “for clues.” It’s a nice offer, and speaks to just how serious Microsoft appears to be about getting users onto OneDrive.

All in all, I’m a big fan of OneDrive and its offerings.  There are other players in the market, but this one is designed to work and play well with all platforms and is tightly integrated into the Microsoft platforms and applications.  Like them or not, they are a major player that most of us use regularly.  That’s just one person’s opinion; feel free to add your two cents’ worth.

Posted in: Cloud Computing, Technology and How it's Used


6 Password Tips to Protect Against Business and Identity Theft

Ah, those pesky passwords. If you work in the corporate world or in an office, you have one for your PC/Network and, unless there is a password synchronization application that combines them, you probably have more than one for other applications. Add those to the ones that you have for your home Internet, your banking and other websites that require passwords, and before you know it you have a nightmare on your hands in trying to manage them. How easy a target are you for business and identity theft?

Part of the frustration has to do with the different requirements for password formatting. Some systems only require four characters, some require eight. Some need a combination of alpha and numeric characters and others do the same with the addition of a few capital letters thrown in for extra security. It can be positively maddening.

The worst thing you can do with your passwords is to place them in a text document on your computer’s hard drive. Your files are vulnerable to business and identity theft, even if you think they are not. If someone is intent on finding them, they can. Even if you place them in a password-protected document, that can be cracked too.

Writing them down has its own vulnerabilities, too, and there are varying opinions on this practice. If you do write them down on a piece of paper, put the document in a locked location whether it is in your home or at work.

Here are 6 tips on how to handle your passwords to protect against business and identity theft:

1. Make them complex. People who use easy to remember or short passwords are inviting disaster. Use a little imagination and pick a password that is very difficult to attach to your life. Stay away from birth dates, phone numbers, house numbers, or any other number that is associated with your life.

2. Keep passwords unique. When you change your passwords, make them different from each other. Do not use the same password on all of your sites. If you do, then every site you have a password for becomes vulnerable to a hacker who can log on and steal your identity or money, or destroy your reputation.

3. Be obscure. Use a combination of letters, numbers, capital letters and special characters if possible. The more you do this, the more secure your passwords will become. Create an alphanumeric version of a term you can remember. Using this technique the word “Spaceship” becomes “Sp@ce5h!p”.

4. Change regularly. This is the singular tip that can save you if you do not heed any of the other tips. How often should you change your password? How secure do you want to be? The frequency with which you change your password will determine how secure you are from becoming a victim. The more often you change it, the better you are. The longer you leave it the same, the more vulnerable you become. Three months is a good cycle for a password, but certainly if you fear for the security of your identity, then a monthly change is not out of the question.

5. Password-protect your PC. Be sure to give your PC a password on power-up. This will help protect your files from anyone with unrestricted access to your PC.

6. Password-protect your wireless home network. If you have a wireless home network, be sure to password protect it as well. Use the same principles above in order to secure your wireless network. This will prevent others from accessing your connection and using it maliciously to hack the personal or business PCs and laptops you and your family use at home.

Finally, there are password programs that can help with this important task, but the best advice is to start with the tips above right away. Password software can be useful as an organizational tool, but it is no match for using sound methods to manage and make your passwords difficult to crack.

Learn how BizTek Connection, Inc. can help protect you against business and identity theft with our Network Security Services for your business in Little Rock, AR and surrounding cities.

Posted in: Tech Tips for Business Owners
