Tuesday, October 28, 2008

ID Theft through ATM Cards
..a group of individuals had apparently installed a device inside a gas station pump in the area. This device had access to all information entered through the payment point.
..The device included a wireless transmitter that broadcast 300-400 feet, allowing someone seated in a car located nearby to capture all the information generated at the pump. At the end of a hard day's work, the thief would use this information to print the data onto card "blanks."
Well, I've said it over and over. While the mainstream press tends to focus on "online predators, blah, blah, blah", the majority of ID theft or bank theft occurs by more traditional methods. Granted, this was making use of some relatively advanced technologies, but it goes to show you that you have to watch out from all angles.

It would be a good idea to read the article linked below.

References:

Happy Birthday…I’ve stolen $2500 from your account
http://blogs.zdnet.com/carroll/?p=1887&tag=nl.e539

Wednesday, October 22, 2008

Social Networking and Producing Income
For all of us, there comes a time on any given day, week, and month, every year and in different degrees over our lifetimes, when we choose to act in some way that is oriented toward fulfilling our social and psychological needs, not our market-exchangeable needs. It is that part of our lives and our motivational structure that social production taps, and on which it thrives. There is nothing mysterious about this. It is evident to any of us who rush home to our family or to a restaurant or bar with friends at the end of a workday, rather than staying on for another hour of overtime or to increase our billable hours; or at least regret it when we cannot. -- Benkler, Wealth of Networks
The question then becomes: How do you tap into those times and produce income?

It is not an easy one to answer. An obvious choice would be advertising and many of the social networks are taking advantage of that - some in conservative ways such as Digg.com or Facebook.com - but how does an individual or small business tap into this social need? I think the answer again lies in advertising, only in a more subtle and soft-sell manner.

As an example, I created a MySpace.com page some time back. As all my friends and clients know, I'm not a fan of MySpace at all, but there is a compelling social aspect to the site. In my case, though, I put up a page to learn how their template works. Sure, I've had some old friends find me there, but even more importantly I've had a couple of clients pay me to create them a MySpace template - one without all the eye-popping glitzy bedazzled looking garbage.

Here is another example. On any message boards that I frequent, whenever I post I always put a URL to one of my websites in my signature line. Do I get much business from that? No, but I have gained a few clients and it only cost me my time.

Facebook has become very popular in the last 18 months. I definitely like it much better than MySpace, and I finally created a profile there. Am I looking to generate business there as well? Maybe. It doesn't hurt to network out. Think of it like going to a dinner party or conference only it lasts 24/7. If I gain some new business great - at the worst I've found some old and new friends.

The vast majority of my business has been through word-of-mouth. Social networking parallels that very closely. It costs virtually nothing except time and effort. Why not tap into it?

Links:
http://www.amazon.com/Wealth-Networks-Production-Transforms-Markets/dp/0300110561

Sunday, October 12, 2008

Network Data and Security
Recently, I've been consulting with a client on network improvements. Following is an email correspondence sent to them in preface to some upgrades - such as migrating to a Novell SUSE Linux network.

============
From Email
============

As a reminder, security is relative. You have to weigh the cost vs usability vs convenience. If security practices are too complicated, end users will attempt to circumvent them at every turn. However, if the security measures only present a small burden to the end users, then most users will embrace them.

There are no 1-stop security solutions. Period. Anyone that tries to embrace that philosophy is selling snake-oil and will lull you into a false sense of security. Always avoid single-vendor lock-in to proprietary solutions as much as possible. I always favor free and/or open-source solutions where possible.

##############
User Training
##############


Most companies fail at training their users in basic technical skills and safe practices. In the short term, weak training expenditures may result in faster employee turn-around; however, in the long term it costs more.

Not only should users (employees) be educated on the basic skills for their jobs, they should also be educated on basic security best practices and company policy. As technology changes, users should be further educated as necessary for their particular job. In today's fast-paced world of data exchange, this is a necessity, not an option.

##############
Data Security
##############


First, you need to consider that, like most things, your data is only as safe as the weakest link in the chain. No matter what types of technology you employ, all it takes is one rogue employee with access to the data. This is where your company policies and NDAs come into play heavily. Employees must know that there are severe consequences for breaching policies.

Data must not be permitted to leave the company network unless a user has specific permission to remove the data. This includes USB drives, company and non-company laptops, cell phones, PDAs, etc. Even hand-written notes concerning company information must be carefully considered.

Any data that is allowed to leave the company network and confines must be encrypted (see mobile security). It does no good to have the company information locked down, only to transport it in the free and clear.

##############
Email Security
##############

All company email must be controlled tightly through a service such as Google Apps Premier Edition powered by Postini. This allows for superior email security, archiving, and control.

"By 2005, 24% of companies had email subpoenaed and 15% had gone to court over lawsuits triggered by just employee email. According to the same survey, 10% of email at work contained sexual, romantic, or pornographic content." - http://www.amanet.org/press/amanews/2006/blogs_2006.htm

Plan Now for Managing Electronic Data Avoid Tomorrow’s Legal Risks
www.google.com/a/help/intl/en/security/pdf/WP44-BMGuide.pdf

The Impact of the New FRCP Amendments on Your Business
www.google.com/a/help/intl/en/security/pdf/WP42-FRCP_0107.pdf

The use of private consumer accounts must be heavily discouraged. This is one of the easiest attack vectors as a simple copy/paste or upload of a file is all it takes for data leakage. As evidenced by the recent Sarah Palin Yahoo account compromise, most individual users do not employ any sort of security with regard to challenge/response systems, etc.

http://www.google.com/apps/intl/en/business/editions.html

$50/year/user

Emailed information is not secure unless you use end-to-end encryption techniques such as OpenPGP. This is a non-proprietary protocol for email encryption using public key cryptography.

SSL connections provide security from the sender's application to the email server, but the security stops there if the receiver's email provider does not support SSL.

I would even go so far as discouraging the use of MS Outlook and recommending the use of web-based email only via Firefox and Google with the Better Gmail extension for persistent SSL. For those requiring a desktop application - Mozilla Thunderbird combined with Sunbird and the Lightning extension for Google Calendar integration provides a near-complete replacement for Outlook.

##############
Network Security
##############

Users should be able to access exactly the resources they need to do their job and do it well. By extension users should have no access to resources that are not needed.

This security should be enforced by secure and robust authentication measures such as those provided by Novell and SUSE. Also, there should be sufficient measures for firewalls and security gateways to enforce policies. This also extends to Internet access.

http://www.astaro.com/our_products/astaro_security_gateway

http://www.opendns.com
*See attached screenshot - 24 hr period attempts to access MySpace

WiFi security should be a subset of the network security. Encryption should be provided by WPA-PSK or RADIUS with a sufficiently strong key (at least 20 characters) to prevent brute-force attack possibilities. 10 non-random characters are not enough. WEP should never be used. Once users are able to access the network, the network authentication should then enforce resource access.

##############
Desktop Security
##############

If your desktop computers are compromised, then the other security practices become a moot point. Not only must you have strong network security to provide authentication for your users' desktops, you must also have a strong policy of "not leaving your desktop while logged in", etc. Passwords written on sticky notes on the monitor are simply unacceptable.

You must also strongly enforce the use of safe software practices such as using Firefox as the primary browser and IE only for specific trusted sites. Each desktop computer should be configured with an appropriate anti-virus license (such as AVG). Your users should be strongly discouraged from downloading and installing non-approved 3rd party software.

External device connections (USB drives, etc) should be discouraged without approval. These are easy vectors for data leakage.

##############
Mobile Security
##############

Anytime devices are taken off-site, the security risks increase by a factor of 1000. Company network access should be provided by VPN only. Company email should be provided by SSL only.

ALL LAPTOPS should have full-drive encryption or at the least encrypted containers for all company data.

www.truecrypt.org


A strong policy of data privacy should be enforced with all mobile users.

##############
Backup Security
##############

A solid backup plan involves primary local backups and secondary off-site backups. All backup data should be encrypted. It does zero good to have security on your network, devices, etc., if your backup files are in the free and clear.

www.jungledisk.com

Tuesday, October 7, 2008

Google Calendar Sync
I have a client (and friend) who purchased a mobile phone running Windows Mobile. His problem was keeping his phone synced to his Google Calendar, which he runs through Google AFYD. Fortunately, Google released a sync tool called Google Calendar Sync.
Running Google Calendar Sync allows Glenn to keep his phone, pc, and online Calendar together.
I also did the mobile setup for his Google Calendar - so he can add appointments any way that he chooses.

After running for over a week with no issues, he recently had an error with the calendar sync. Here is a copy of the emailed notes.

============
From Email
============

Here are my notes on fixing the Google Calendar Sync:
  • Google Calendar Sync giving error message 2006
  • Tried to launch Outlook - gave error message "unable to open your default folders"
  • Checked Task Manager - Outlook running in background - killed process
  • Launched Outlook 2003 - worked fine, closed it
  • Ran Google Calendar Sync - worked fine
  • CMD -> net statistics workstation - uptime since 9/29/08
  • Advised Glenn that he must restart workstation at least every other day


Basically, you have to restart XP (or any version of Windows) at least every other day. In your case, Outlook was "hung" running in the background which would not allow Google Calendar Sync to run properly. I had to kill the process and it worked fine.

You need to restart that computer.
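The checks from the notes above (workstation uptime, Outlook hung in the background) can be scripted so they are run before the sync instead of after a support call. This is an added example, not part of the original email; it assumes PowerShell 3.0 or later (for Get-CimInstance) on the affected Windows workstation, and the function name Test-SyncWorkstation and its parameters are hypothetical.

```powershell
# Added example (not from the original post). Reproduces the manual checks from the notes:
# uptime (what "net statistics workstation" reports) and an Outlook process stuck in the background.
# Assumes PowerShell 3.0+; Test-SyncWorkstation and its parameters are hypothetical names.
function Test-SyncWorkstation {
    param(
        [int]$MaxUptimeDays = 2,     # "restart at least every other day" rule from the notes
        [switch]$KillHungOutlook     # terminate a hung Outlook only when explicitly requested
    )

    # Time since last boot, the same figure "net statistics workstation" shows
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime
    $needsRestart = $uptime.TotalDays -ge $MaxUptimeDays

    # Outlook instances that are running but have no window or are not responding
    $outlook = @(Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue)
    $hung    = @($outlook | Where-Object { -not $_.Responding -or $_.MainWindowHandle -eq 0 })

    if ($KillHungOutlook -and $hung.Count -gt 0) {
        # Same action taken in the notes: kill the process so Google Calendar Sync can run
        $hung | Stop-Process -Force
    }

    if ($needsRestart) {
        $advice = "Restart the workstation (uptime exceeds $MaxUptimeDays days)"
    } elseif ($hung.Count -gt 0) {
        $advice = "Outlook is hung in the background; close it before running Google Calendar Sync"
    } else {
        $advice = "OK"
    }

    [pscustomobject]@{
        LastBoot        = $os.LastBootUpTime
        UptimeDays      = [math]::Round($uptime.TotalDays, 2)
        NeedsRestart    = $needsRestart
        OutlookRunning  = ($outlook.Count -gt 0)
        HungOutlookPids = ($hung | ForEach-Object { $_.Id })
        Advice          = $advice
    }
}

# Report only; add -KillHungOutlook to also terminate a stuck Outlook as in the notes
Test-SyncWorkstation
```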

Monday, October 6, 2008

Is this worth having?
==============
From email
==============
from XOXO
to Rex Moncrief
date Mon, Oct 6, 2008 at 7:25 AM
subject Is this worth having?
mailed-by gmail.com
signed-by gmail.com

Is this worth having?
http://www.komando.com/downloads/category.aspx?id=5536

===========
My Response
===========

Mark Russinovich arguably knows more about the Windows OS than Microsoft does. He has produced some great apps, which is one of the reasons MS finally bought his company.

There are only a small handful of them that I recommend an "above average" computer user should have - and these are ones that I run on a regular basis.

Process Explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
*Runs at startup on all my Windows pcs.

Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

AutoRuns
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

RootKit Revealer
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

Sysinternals applications can be very powerful, which is why I don't suggest them to typical computer users. That is why I also don't recommend downloading them all at once. People tend to get curious and then get off in an area where they don't belong. Of course, that is good for my business, but I try to be honest about technology.

Feel free to give some of them a try, but always remember: "You are only as good as your last successful backup - from which you can recover."

*No - Windows System Restore is NOT a backup solution.
