Category Security Corner
 
In a recent project aimed at uncovering insecure internet devices to promote awareness, researchers have found nearly 21,000 routers, webcams and VoIP systems left wide open to attack. These devices can be accessed from anywhere on the internet and those who own them have not even changed the manufacturer's default password. Any wrong-doers that find these devices can use them to host their attacks; they can even alter the firmware of VoIP systems to record conversations.

 
Almost half of the 2,729 accessible Linksys routers still had their default passwords in place, while almost a third of the Polycom VoIP units still had theirs. Even though the Internet Providers have been notified of such insecurities, the manufacturers of these internet devices should be making their products secure by default and consumers should be provided with instructions regarding how to change the passwords themselves upon initial setup. The team conducting this test will continue their research for another couple months, notifying ISPs to contact their customers about internet security and hoping for the best. A repeat of the whole process will be scheduled to determine if the number of insecure devices goes down after public notification by the ISPs.

If you own any consumer routers or similar devices, have you changed the passwords? Double-check to ensure a complex password is used; because you rarely need to access the device management, write the password down and keep it at home. The best thing you can do for yourself and your business in this situation is keep your network and the information within secure. If your company is in need of computer support in Glendale, give us a call at 818-541-9195 and we can get you on the right track.

Posted by Keith Lancaster At 10:02 AM Location Reseda, CA | Permalink | Comments (0)

Category Security Corner
 
Do-it-yourself identity theft protection does not take as much money as you think. I don't have to tell you how important your personal information security is, so run through this list to ensure you are doing what you can to keep your identity safe:


1.   AnnualCreditReport.com offers legitimately free credit reports at one report per bureau, per year. You can even order them by phone at 877.322.8228.
2.   Get one of the three bureau reports every three months to ensure consistency in both your monitoring and their reporting. Through AnnualCreditReport.com, you can keep the quarterly cycle going indefinitely.
3.   Place a fraud alert on your credit report by calling any one of the bureaus. The contact info for all of them can be found at www.fightidentitytheft.com. Create a reminder in your calendar to renew your alert every 90 days.
4.   Tell bureaus to stop selling your information to credit services! Going to www.OptOutPrescreen.com or calling 888.567.8688 will reduce the number of credit card offers that come in the mail.
5.   Request free public records reports from ChoicePoint. Print the form and mail it in with some necessary information in order to receive a copy.
6.   Take your name off of other marketing lists by signing up for ProQuo.com's free service.
7.   Buy a mailbox that locks or use a PO Box to protect your physical mail.
8.   Buy a crosscut paper shredder and shred any junk mail with your information on it.
9.   Never follow a link from an email message in order to log into a financial website. If you need to log into your bank or investment portal, do so by going directly to their URL in your web browser.
10. If you think someone has compromised your personal information, contact the Identity Theft Resource center. Volunteers are there to help!

Posted by Patrick Moffitt At 11:13 AM Location Altadena, CA | Permalink | Comments (0)

Category Security Corner
 
With recent threats to our digital security like the Conficker worm, it is more important than ever to strengthen your network's defenses. There is a fantastic free service specifically designed to boost network security called OpenDNS; it is free and will protect you from many future attacks if you just take a moment to set it up. The OpenDNS website provides simple instructions for changing your DNS server on a single machine or router (so that the change affects ALL networked computers) and even includes a video tutorial. What does this accomplish? Making the change will cause your computer to go to an OpenDNS server to look up the domain names for the sites you visit instead of the DNS server provided by your ISP; the OpenDNS server has the ability to deny you access to known phishing and hacking sites. There is a content filter that will deny access to any type of questionable site you do not want your child visiting and the ability to report network traffic is built right in.


You may be asking yourself, "How is such a service free of charge?" Whenever you type in a domain name that doesn't exist (www.______.com), instead of a page error, you simply get a screen with some advertisements on it... not a bad trade-off to have a strengthened network if you ask me!

Posted by Keith Lancaster At 8:43 AM Location Reseda, CA | Permalink | Comments (0)

Category Security Corner
I'm sure nobody has to tell you this, but keeping your company's data secure is important. This is why I am taking a moment to outline a few ways you can keep things tightened up around the office without worrying too much about employee turnover or any other factor interrupting your business.
 

1. Use different passwords EVERYWHERE. If your e-deposit machine password is the same as the password for your time clock and exchange server, people will notice. It is easier to remember, which is both the good and the bad thing. It will be easier for anyone trying to get confidential information from your company to guess the password you have a habit of using. Combat this with a password vault of some kind. We recommend Password Safe, a free utility that requires you to remember a master password in order to gain access to its database of passwords for your online accounts, servers or anything else you wish to store. Take a look at the October 18th, 2008 article we posted in the Security Corner section of this blog for more info.
2. When an employee leaves, delete them! We are very strict about our procedures with our clients when it comes to terminating an employee. Not only is it smart to delete the user immediately, but add his / her login information to a "deny access" group if applicable. Regardless of whether the employee is leaving on good terms, it is better to be safe than sorry.
3. Stop ignoring your security logs. As your first line of defense, your security logs will point out bad password attempts, unknown username errors, and many other events that should raise alerts to someone trying to gain access to your data that should not have it. Randy Franklin Smith has published a website that clearly defines almost all Windows Security Log Events to help you decipher the activity on your server. Pass this info on if your system Admin is not already monitoring for you.
4. Patch and update your computer as often as you can. If you are a DCG St. Bernard customer, you do not have to worry about this one. We do this automatically for all of your covered machines and we only install the the updates that are "white-listed" (or pre-approved) for you hardware / software environment. For those who aren't as fortunate, Keeping your operating system up-to-date is the number one method of staying protected from exploits that aim to compromise your data. Using products like Microsoft Baseline Security Analyzer or heading over to Secunia are the best ways to stay current.
    
   Visit our website dedicated to IT consulting in Los Angeles if you have any questions.

Posted by Keith Lancaster At 4:21 PM Location Reseda, CA | Permalink | Comments (0)

Category Security Corner
 
From the United States Computer Emergency Readiness Team:

Why are chain letters a problem?

The most serious problem is from chain letters that mask viruses or other malicious activity. But even the ones that seem harmless may have negative repercussions if you forward them:

* they consume bandwidth or space within the recipient's inbox
* you force people you know to waste time sifting through the messages and possibly taking time to verify the information
* you are spreading hype and, often, unnecessary fear and paranoia


What are some types of chain letters?

There are two main types of chain letters:

* Hoaxes - Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category (see Avoiding Social Engineering and Phishing Attacks for more information).
* Urban legends - Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form are the emails that promise users monetary rewards for forwarding the message or suggest that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted bandwidth and time.

How can you tell if the email is a hoax or urban legend?

Some messages are more suspicious than others, but be especially cautious if the message has any of the characteristics listed below. These characteristics are just guidelines-not every hoax or urban legend has these attributes, and some legitimate messages may have some of these characteristics:

* it suggests tragic consequences for not performing some action
* it promises money or gift certificates for performing some action
* it offers instructions or attachments claiming to protect you from a virus that is undetected by anti-virus software
* it claims it's not a hoax
* there are multiple spelling or grammatical errors, or the logic is contradictory
* there is a statement urging you to forward the message
* it has already been forwarded multiple times (evident from the trail of email headers in the body of the message)

If you want to check the validity of an email, there are some web sites that provide information about hoaxes and urban legends:

* Urban Legends and Folklore - http://urbanlegends.about.com/
* Urban Legends Reference Pages - http://www.snopes.com/
* TruthOrFiction.com - http://www.truthorfiction.com/
* Symantec Security Response Hoaxes - http://www.symantec.com/avcenter/hoax.html
* McAfee Security Virus Hoaxes - http://vil.mcafee.com/hoax.asp

Posted by Keith Lancaster At 3:38 PM Location Sherman Oaks | Permalink | Comments (0)

Category Security Corner

To all Windows users, The recent Win32/Conficker.C Virus was profiled on the TV news magazine 60 Minutes this weekend.  As a result, we are fielding calls about the threat and wanted to assure our clients that they are protected.  If you are a Dependable Computer Guys client with St. Bernard Managed Care for your Servers and Desktop computers, you need to do nothing except leave your machines on overnight tonight, Tuesday, and Wednesday. If you are not a DCG Client or you don't have all of your Desktop Computers on St. Bernard Managed Care, you should take action before Wednesday, April 1st.

Recent history on the "Conficker" virus    On October 23, 2008, Microsoft released MS08-067 (KB958644), which resolves a privately reported vulnerability in the Server service. The Conficker worm, sometimes called Downadup or Kido has infected a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January.   According to the Symantec website, "the Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware's creator. The worm then tries to spread itself to other computers on the same network." This virus affects servers and workstations.   Who is at risk?   Users whose computers are not configured to receive patches and updates from Microsoft regularily are particularly vulnerable.  Those who are not running an up to date antivirus product are also at risk as well as users who do not have a genuine version of Windows from Microsoft, since pirated system usually cannot get Microsoft updates and patches.  What to do if you are infected: Use your Security product (Norton/Symantec/AVG/Sunbelt Viper/Bit Defender, etc) to identify which variant of the worm is on your computer. You can download and run either of the following free tools as well: Malwarebytes Malware Removal Tool: http://www.malwarebytes.org Microsofts Malicious Removal Tool: http://www.microsoft.com/security/malwareremove/default.mspx

Don't hesitate to call us if you have questions.   Sincerely,

Brent Whitfield Dependable Computer Guys, Inc 818 541 9195 http://www.dcgla.com/network

Posted by Keith Lancaster At 4:02 PM Location Sherman Oaks, CA | Permalink | Comments (0)

Category Security Corner
In the super-saturated realm of airport and air transportation security laws, there is a new one brought to us by the U.S. Department of Transportation. Spare lithium batteries -- like the ones you would bring to supplement your notebook or digital camera -- are no longer allowed to be checked in with your luggage. Officials have found that loose batteries may have been responsible for a few fires due to the fact that cargo holds do not have the same climate control standards as the passenger areas.

Posted by Keith Lancaster At 2:49 PM Location Studio City | Permalink | Comments (0)

Category Security Corner
In this issue, we are talking more about personal security rather than your data. By now, it is almost common knowledge that FreeCreditReport.com is not actually free and that leaves the lingering question of "Why is it so hard to find a free credit report despite the Fair and Accurate Credit Transactions Act of 2003?" Whether you'd like to admit it or not, buying a car and a house without an abundance of cash laying around is much easier done with a good credit score. Regularly checking your credit report is the first line of defense when combating and preventing identity theft and Annualcreditreport.com is still the only website that provides all three credit reports once per year with no strings attached. Head over to the website and take that first step necessary to fight identity theft and inaccurate credit reporting.

Posted by Keith Lancaster At 4:15 PM Location Sherman Oaks, CA | Permalink | Comments (0)

Category Security Corner

 
By now you know about all the basic measures you can take to protect yourself from Identity Theft. The only problem is the time and hassle of getting it done. Luckily, there are services that can do a lot of the work for you at a modest price.

Truston guides you through a review of your credit report for suspicious activity. You pay as you need it, and you get a month's access for $20. If you provide an email address, they'll send you important notices, such as a reminder when you're eligible again for a free credit report.

Truston also has plans to offer a step-by-step guide to freezing your credit report. This keeps unauthorized parties from acquiring your credit information. Learn more about it.

Trusted ID and LifeLock offer a comprehensive suite of services starting at $10 a month. These services include monitoring your credit cards, a lock on your personal information, and $1,000,000 in identity theft insurance.

If you want to know whether anyone has tried to use your credit card or social security number, you can do a quick check for free at Stolen ID Search. If the search raises any red flags, Stolen ID Search will tell you what to do next. For a fee, they'll monitor up to 3 numbers (either credit card or social security) and notify you of any suspicious activity.

Posted by Arland Whitfield At 12:48 PM Location Glendale | Permalink | Comments (0)

Category Security Corner

 
4 Steps to Password Security

If you use a common word for your password, your data is vulnerable. Passwords that are in the dictionary can be guessed in seconds by modern code-breaking software. Random letters aren’t much better—they can be cracked within 2 days.

For better password security, you should consider all of the following:

   1. Use mixed-case alphanumeric passwords (random capital and lower-case letters mixed with numbers) that are at least 12 characters in length.


   2. Use a second form of authentication such as number generators and smart cards, whenever this option is available. Consider switching to a bank that offers this feature, if your current bank does not.


   3. Use a different password for each of your most critical accounts. That way, if someone breaks into your bank account, for example, your email will still be safe.


   4. Store your passwords in a trustworthy vault. Firefox, Internet Explorer, and Safari all have secure password managers.

Posted by Arland Whitfield At 1:48 PM Location Glendale | Permalink | Comments (0)

Category Security Corner

USB Flash Drives - Small agents of big security risks

Remember when floppy disks were the main vehicles for transferring data? As virus outbreaks increased, extra precaution was taken when files were opened on unknown floppy disks. An infected file meant a compromised system.

Floppy disks are now obsolete, but infected data can still be moved from one computer to another. Now in a smaller package with a bigger storage capacity, USB storage drives are small enough to fit on your keychain but deadly enough to pose one of the largest security risks to your company’s data. When opened, infected files upload onto your system, allowing an attacker access from inside the firewall, and it's small size makes it easy for insiders to download and pocket your confidential data. iPods and other small portable storage devices also put your system at risk for infection.

Protect your company by setting restrictions and getting the latest update from your security software. Microsoft offers a solution by enforcing group policies that turn off USB ports for storage devices. However, if the USB port needs to be used, the group policy can instead restrict the user and the user’s ability to download files. Products such as Safend and SmartLine’s DeviceLock allow you to blacklist devices, put the devices into ‘read only’ mode or block devices above a certain storage capacity.

It is also important that every company desktop or personal laptop brought in from home or from working on the road, have security software installed that can stop infected programs from accessing your system. Run a Spyware Doctor or Symantec security software sweep to remove any downloaded spyware or adware.

Most importantly, education is the key to protecting your data. Inform your employees of the risks associated with using these storage devices and media, including USB flash drives and memory cards.

Posted by Arland Whitfield At 2:07 PM Location Glendale | Permalink | Comments (0)

Category Security Corner

Five easy ways to protect your business from internet fraud.

Many internet hackers prey upon users who are too complacent or just too busy to keep their guard up. However, if you do nothing else to protect yourself from online fraud, at least take care of these simple measures:

1. Install anti-virus software and anti-adware/spyware software.

2. If you are not behind a firewall, activate it and make sure that only the necessary incoming/outgoing connections are allowed.

3. Keep your operating system and browser updated. If you don’t know how to do this, just go to the website of the company that produces your system and browser (i.e. Microsoft Updates if you’re using Windows) and look for an "Updates" link, which should be easy to find. You can also set your computer to update automatically.

4. When you get emails from unfamiliar sources, do not open attachments or click on links. Even familiar sources may have infected files so use caution when opening attachments.

5. Don’t download freeware or shareware from sites or sources you’re not familiar with.

Posted by Arland Whitfield At 2:31 PM Location Glendale | Permalink | Comments (0)

Category Security Corner

Upgrade to the latest in WiFi security.

If your wireless access point (WAP) is more than 6 months old, it is likely that your WiFi connection is not secure.

It’s easy to breach the original Wireless Protected Access (WPA) standard unless you have a super password with more than 21 characters and words that can’t be found in a dictionary.

And the prior security standard, Wired Equivalent Privacy (WEP), can be broken through in seconds.

If you haven’t already done so, we strongly recommend you use the latest defense, Wireless Protected Access 2 (WPA 2). Here’s how:

First, download WPA2 hotfix for Windows XP. Also check the “hardware, optional” category to see if you need to update your wireless drivers.

Next, go to the website of your WAP’s manufacturer and update the latest firmware for your WAP. You can find most manufacturers’ websites here.

If your WAP can’t support WPA 2, get a new one. It shouldn’t cost more than $40, and you’ll have far more security and privacy.

Now use your web browser to log into your router’s administration page and change security settings to WPA 2 Personal.

If you’re asked to choose an algorithm, use TKIP+AES. Choose a pass phrase (the best ones are long, with letters and numbers in combinations that can’t be found in the dictionary), save your changes, and you’re done.

Posted by Arland Whitfield At 2:47 PM Location Glendale | Permalink | Comments (0)

Category Security Corner

Every now and then I get email rejection messages for emails that I never sent. Does this mean I have a virus? How can I stop this from happening?

You don’t have a virus. Somebody else does, and the program harvested your email address from their system.

Unfortunately there’s little you can do about the situation. Here’s how it works.

An email-based virus gets into somebody’s system and sends itself to everybody on the victim’s contact list. But instead of putting the victim’s address as the “from” address, the program randomly selects a different address for each email from his address book.

This way, when some of these messages are bounced, the rejection emails don’t all go back to the victim. And by random luck, one or more of them go to you.

Rest assured that the cause of the problem is not in your system.

Posted by Arland Whitfield At 2:58 PM Location Glendale | Permalink | Comments (0)

Category Security Corner
Are you looking for a small utility program for creating and storing difficult to crack passwords? Password Safe may be the program for you. Passwords are stored in highly-encrypted database that can be unlocked with one master password. Your usernames and passwords are stored in a local database for easy retrieval later. Download Password Safe, a free, open-source password manager recommended by PC World magazine.

Posted by Brent Whitfield At 5:22 PM Location Hollywood | Permalink | Comments (1)

Category Security Corner

Possibly the easiest and most important measure you can take is to use strong passwords. The best ones have at least 12 characters, cannot be found in a dictionary, and include numbers, lower-case, and capital letters. Alphanumeric passwords can take weeks to crack (compared to the mere seconds it takes to nail a password that can be found in the dictionary), and by mixing upper and lower case letters this decoding time can expand to a year or two. In other words, if your password is in the dictionary, don't use it!

You might not be as secure as you think. Some password-cracking tools work nearly a thousand times as quickly as they could ten years ago. Bill Gates recently admitted that password systems “simply won’t cut it” in the future. Luckily, there are some simple ways to protect yourself.

Obviously, a second form of authentication offers you one of the best ways to cover this vulnerability. Many banks offer additional security beyond the password. Use it whenever it’s available.

Another critical means of defense is to have different passwords for each system. This way, if someone hacks into your company email, for example, they won’t be able to access your online banking.

In addition to these measures, many browsers such as Firefox, Internet Explorer, and Safari have built-in browser password managers. By storing your digital keys in a password vault, you add another layer of protection.

Posted by Brent Whitfield At 5:13 PM Location Glendale | Permalink | Comments (0)

Category Security Corner

 
According to the FBI, nearly 300,000 laptops are stolen each year. If you have sensitive data on your laptop, it's critical that you protect it.

There are products in the $100 range that can make this almost effortless. Two that we recommend are SecurStar Drive-Crypt Plus and PGP Whole Disk Encryption.

The beauty of this software is that your files are only encrypted on your hard drive. You won't need to send a password every time you email a sensitive document, because the recipient will get an unscrambled version.

One caveat: These products let you select individual files, batches, or the entire hard drive for encryption. While you may feel tempted to secure your entire hard drive and have done with it, keep in mind that this will slow down your performance.

But when you need to add a strong layer of security for your most critical private information, encryption is a powerful tool.

Posted by Arland Whitfield At 12:29 PM Location Glendale | Permalink | Comments (0)

Category Security Corner

 
When it comes to secure Wi-Fi, the weakest link in your network chain could be an open and vulnerable home Wi-Fi network linked to the office. If this home user has remote access to your network, then your network is vulnerable. Once an intruder enters this open network, they can access your company information, steal passwords, or send viruses and spyware.

Many home networks are breached through file sharing programs. An intruder on your wireless LAN can have access to any file, whether personal or business-related, if it's file sharing enabled. File sharing is enabled as the default position in Windows XP Home Edition, and it's easy to bolster your security by disabling it.

Disable file sharing by clicking on Start and then going to Control Panel. Click NetworkConnections and then double-click Local Area Connections. After hitting the Properties button, a dialogue box will open with checked boxes. Uncheck the box "File and Printer Sharing," click OK, and you're done.

However, disabling file sharing won't protect your unsecured wireless connection. Another user could use it to run illegal operations like downloading child pornography, exchanging copyrighted material such as music and movies, and hacking into other computers.

Any activity done through your connection could be linked to you. This could lead to subpoenas, months of legal hassle, and the confiscation of your computer.

Likewise, if you piggyback on another person's open Wi-Fi network, you may be subject to prosecution. There aren't many legal precedents for this, but these are WiFi poaching cases pending in Michigan, Florida and Great Britain.

You may not plan to harm anyone, but the legal environment is changing around this issue. In the future, it may be considered trespassing or theft.

Remember, your wireless security has ramifications beyond your company walls.

Posted by Arland Whitfield At 12:22 PM Location Glendale | Permalink | Comments (0)

Category Security Corner

 
Many business owners, CEOs, and upper-level employees have been bombarded with professionally written email campaigns that are pure scams. Recently we have received some of these ourselves.

For example, we received one that included an attached document named proforma_invoice.doc. The message included a description of the invoice, a request for an evaluation and a reply, and a physical address in Fullerton.

This is the latest phishing technique. It looks legitimate, with correct names and flawless grammar and spelling.

These criminals select their targets carefully, do their homework, and hope to get a good return for their efforts. They target individuals who may offer a big payoff, and put in the extra effort to increase the chances of fooling someone.

These emails will try to trick you into downloading an attachment. Then trojans and other malware can steal sensitive information from your system. In addition to bills and invoices, fake emails have come disguised as complaints from the Better Business Bureau and IRS investigations.

In some cases the attachment itself is a harmless document, but contains an icon which activates spyware when you click on it. Don't bet that your anti- virus software will catch it--these tricks are still new and are likely to foil your software.

If you receive email scams, report them to the Federal Trade Commission by forwarding the message to mailto:uce@ftc.gov.

This may be a new cyber hassle that we'll all have to live with. Be wary of any attachments or links from sources you can't positively identify. Use the best security you can get, but never expect it to replace common sense.

Posted by Arland Whitfield At 11:35 AM Location Glendale | Permalink | Comments (0)

Category Security Corner

So, everyone knows it's a bad idea to use passwords which are commonly found in the dictionary - same for names of family members. One way to create an easy-to-recall but hard-to-figure-out password is to create your own formula for creating unique passwords. One example is to combine family names, with birthdays, and memorable words in unique ways. For example, try using your pets' name with your child's name spelled backwards. Capitalize the first and last letter of each name, and finally, separate the two words with a "!" or "~" or meaningful number. Create your own formula - it's fun and will make your online computing safer. Once you commit the formula to memory you can easily adapt it to new passwords as needed. For more great ideas on creating "perfect passwords," check out this PC World Article.

Posted by Brent Whitfield At 1:24 PM Location Glendale, CA | Permalink | Comments (0)