Sunday, November 26, 2006

Who Is Deciding Your Information Security Policy?

If the answer to that question is that your management and your corporate security professionals are setting the standards, then you need to read no further. Have a great day, and check back soon for my next article. However, if you don’t know, or your answer is that you don’t implement in-depth security practices because your users find them too hard – in other words, your users are making your information security decisions - then read on.



First, let me say this: Implementing in-depth information security practices is hard work. In a large enterprise, it takes dedicated, trained staff, and even then your users will still find it cumbersome and inconvenient. Let me also say that most people expect things to be easy, they don’t want to be inconvenienced, and they want it when they want it, without being tied to having to wait for this, that, or the other, and without having to click on any more things than necessary. They don’t want to be bothered by their computer slowing down a little once a week while the scheduled virus scan runs. People don’t want to have to take the time to decide whether to answer “yes” or “no” when their personal firewall prompts them when it thinks something suspicious is happening on their computer. All too often, IT support staffs are saying that they don’t want to make their users do something because the user says it is inconvenient, they don’t know how to do it, and they just don’t want to have to take the extra time to learn how to do it. This is a classic example of how information security practices take a back seat to security unaware users who don’t want to make the effort to keep their company’s data safe. In other words, the end users (security unaware end users) are making the security decisions, like it or not.



Information security involves a variety of safeguards, all the way from perimeter devices guarding your network, right down to the user at the desktop. This is called “defense-in-depth,” the idea that if an attack or other malicious activity gets past one safeguard, at least one of the others will catch it and stop it. Your data is at the center of a bull’s eye surrounded by subsequently progressive outward rings. These protective rings are made up of the user, operating system patches, personal firewalls, anti-virus/anti-malware protection, server access control lists, and perimeter devices such as routers and firewalls. The user plays a very integral part in these defensive layers of information security. You can have all the firewalls, access control lists, anti-virus programs, and computer patches in the world, and still not be safe. Because if your users are willing to give away the keys to the kingdom, either through laziness, ignorance, complacency, or just plain arrogance, then nothing you can do will keep your data safe.



I have actually heard IT support people say that the main reasons why they don’t do certain things are that the procedures are too hard for their users, their users have no clue how to do these things, they have no clue why they are necessary, and that they (the IT people) don’t have time to train them. Back in my customer service days, I would listen to customers as they would go into rages about this stuff being too hard, and that they didn’t see why they had to do it. Let’s face it, people are busy, there aren’t enough hours in the day, and people often get set in their ways. Change represents a scary thing, even if it means learning a new way to keep data on a computer safe. A thing like locking a screen when the computer is going to be unattended is a habit that has to be learned and ingrained into behavior. Much of what this article is about is related to behavior and how to change that behavior. The technical part is easy. It’s changing people that is the real challenge.



Let’s take the first one mentioned above – too hard for the users. If something is too hard, it means that the user hasn’t been trained or is too lazy to learn – or both! I will repeat it again here: security is hard work. So that means that the IT support structure has to get on the ball and provide training and awareness for their users. Conversely, the end user has to get off his or her backside and realize that it is their responsibility to learn how to use the tools of their trade. The computer, after all, is a vital tool that is in use by the vast majority of people in the work force today. I don’t care if you are a doctor, lawyer, biologist, or just a clerk. The fact of the matter is that regardless of your primary specialty, you still have to use a computer to get your work done.



And I’m not even talking about people having to learn in-depth or complicated security principles. They simply have to learn what to click on, what not to click on, and when their personal firewall is telling them about a risky event. Is it really so hard, that if a user gets a message saying that some software is trying to be installed, for them to make a conscious decision that either “yes, it is OK because I am installing software” or “no, this is not OK because all I was doing was checking my email”? Make an educated decision, and click on the appropriate answer. This takes a few seconds at best – is that really taking too much precious time? If they wish to continue to do their jobs, computer users must learn how to operate them and how to interpret simple messages. It is not enough to know how to fire up Outlook and whip out an email, you must know how to interpret your environment and act accordingly.



On to the second idea previously mentioned – users have no clue. No, I’m not saying that people are all a bunch of clueless drones. Well – actually - yes I am. The average computer user doesn’t know much about computer security, and quite frankly, they don’t want to know. All they know is that they have to use the darn thing (the computer) and if anything goes wrong it isn’t their problem. It is IT’s problem to fix. If the computer lets sensitive information get away, then that is the computer’s problem, right? Wrong! The people in IT didn’t click on the malicious link in the email joke that they just received, and the IT staff didn’t leave the user’s computer unlocked when the user got up to go to a one hour lunch break. Not only is it just too hard to resist the temptation to click on that link, but it is also too hard to press the Windows key and the “L” key to lock the screen when they get up. And quite frankly, most people just don’t understand why it even matters. All that hype about computer security, malicious links in emails, and spies wandering the company looking for unlocked screens is just a bunch of rubbish, right? Wrong! The threats are very real and present. Users need to get a clue that they fit into all this in a very important way. The why? That’s easy – the data they are working with is not theirs. It belongs to a company who can suffer embarrassment, loss of business, or loss of trade secrets if the information gets out. Companies can suffer from loss of business. Governments can suffer from the loss of sensitive information. In either case, it can be disastrous. Even if just a user at home – would the normal person want to risk having their personal and bank account information getting loose on the Internet? Certainly not! Care in computing must be exercised everywhere. The good security habits that one gets into will be useful at work and at home.



Hmmm… so finally, the last point - no time to train the users. All of the problems discussed up to this point can be boiled down to training. Not knowing how to do something or being clueless is not entirely the end user’s fault. Sure, the user has to get over their own laziness and arrogance, but they have to have knowledge to be able to act on it. But I have seen too many IT staffs who think they are protecting their users by not exposing them to complicated or extra tasks. Well – they are just making themselves feel good by trying to make their users like them and trust them. But sometimes good security practices involve a bit of “tough love” and forcing people to do things that seem hard at first. The IT staff can either make the choice to take the time to train their users, or take the time to clean up after their mistakes – it’s a clear choice in my mind. Take the time up front to train users, and keep them knowledgeable through constant awareness activities. Eventually, the training and awareness will sink in. By that time, your users will know what needs to be done (or what not to do) and they will now have a clue why this is all so important.



This may seem like one of my typical rants – you’re right – I’m busted. But how many more times do we have to hear in the news about breaches of corporate information security because of someone who lost a laptop or gave away information? You will notice that most of these events are due to someone doing something stupid – not being aware, not following directives and policies, or being just plain lazy. IT Staffs: train your users, keep barraging them with tidbits of security awareness, and make them do the things that will keep your company’s data safe. End users: Get off your @$$ and learn why you are the most important link in information security. Security is everyone’s business. The management and security professionals in your company have the education, experience and know-how to make policies that will keep data safe. Don’t second guess them with your lack of knowledge – follow the directions. It’s not that hard!

Sunday, October 08, 2006

Windows to Release New Operating System - Are You Ready?

In the very near future, Microsoft will release their newest version of the Windows Operating System. The release of Windows Vista is due to reach the public around January of 2007. Of course, those of you who know me know that I can't look at anything new in the computer world without scrutinizing its security, support, and maintainability aspects. So, I wanted to take this opportunity to show you what Vista looks like, but also give you an idea of some of the enhanced security and maintenance features as well. This newest release of Windows represents the most radical change in the look and feel of Windows since the jump from Windows 3.x to Windows 95 over eleven years ago. From a security and stability aspect, this new version promises to be more robust. And for those of you who only care about the "eye candy" features and have grown bored with the way Windows XP looks, you too will have some new vivid graphics and gadgets (literally) to keep you happy.





A Word About Hardware:

If you truly want to take advantage of Windows Vista's new graphics and user interface features, you are going to need a fairly hefty computer. If you are buying a new computer, look for the "Windows Vista Capable" logo on the front. You are going to need a fast CPU (dual core would be nice), lots of RAM (1 GB minimum), and lots of video RAM (128 MB minimum). These minimums are mine, not necessarily Microsoft's, by the way. The computer will run fine with Vista on a typical machine these days (3GHz CPU, 512 MB RAM, etc), but many of the graphics features will not work. The user interface (UI) in Vista is code named "Aero," and if you have the more robust system, you can take advantage of a host of new features commonly referred to as "Aero Glass" features. The interesting thing here is that Vista will tailor its performance and feature sets to the hardware it detects in your computer. Better have a DVD drive. So far, I have only seen the ability to obtain installation media on DVD - it is a fairly huge package. I am not certain at this time if Microsoft plans on releasing the installation media on CD as well as DVD. DVD drives are cheap - you will need one anyway.



For my tests and the screen shots you will see in the full article, I am running Windows Vista Ultimate Release Candidate 1 (RC1) on a 2.93 GHz Intel CPU, 1GB of RAM, and an NVIDIA GeForce FX 5500 video card with 256 MB of video memory. The final release version may have slightly different features and screen appearances than those seen below. RC1 is drastically more stable than Beta 2 was, and has a slightly different look and feel than Beta 2. If this is any indication, then there will be some slight enhancements and bug fixes in the final release versions.





The Vista Upgrade Path:

Vista will be available in several different versions (six versions to be exact) for home and for business. There will be a version that has more multimedia features, and versions that have more business and networking features. Windows Vista Ultimate (the version I will show you here) will have it all. If you are running an older version of Windows, you are out of luck - there will not be an upgrade path for you - you will have to install from scratch. If you are still running one of these older operating systems, you probably need a new computer anyway. You will need to be running Windows XP Home or Professional to be able to perform a direct upgrade, all others will require a clean install. Note: If you are already running Vista Beta 2 or RC1, you may have to do a clean install. In my testing, I was not able to upgrade from Beta 2 to RC1 without failure. Clean installs will always give a better, more stable installation anyway.





You may want to wait a bit before rushing right out and buying/installing the upgrade, however. Make sure all of your applications will work properly with Vista. Your antivirus software may or may not work with Vista. Remember - Vista is a drastically different operating system - so viruses that affect previous versions of Windows do not affect Vista. For that very reason, many antivirus applications would not even install on my test box because they would not run on Vista. One great feature is that your Windows Security Center will tell you if you are missing an antivirus application, and will give you a web link to antivirus applications. In my tests, I found a great deal of difficulty just finding an antivirus program that would install - but as I mentioned above, Vista will take you to the site of a compatible application.



If you use other types of maintenance programs, such as Diskeeper for defragmenting your drives, those programs probably won't work either. This article from Microsoft will give you a pretty good step-by-step process and list of issues to consider when upgrading to Vista. According to one eWeek article, the best way to go is to not do an upgrade but back up all your stuff and do a clean installation. Application compatibility is a more complex issue with Vista, but Vista offers compatibility wizards to help you make an assessment.





A Final Word:

If you want to upgrade to Windows Vista, make sure you have a fairly powerful computer, and go out and do some research so that you know all of the requirements and pitfalls. Once you are satisfied that you want to make the leap to the new O.S., go out and buy yourself a good video card and a wide-screen monitor. Vista takes good advantage of the new wide-screen monitor formats. Quite honestly, you will be fairly disappointed if you try to look at Vista on your old 15" CRT or even one of the smaller LCD monitors. I tried it initially on a 1024 x 768 resolution monitor, and was left wanting for more. You will need lots of RAM and a hefty video card to be able to use all of the aero glass features. If you are buying a new computer anyway, research a 64-bit machine and make the leap to one of the Windows Vista 64-bit editions. As Vista is making its appearance, so are the powerful 64-bit machines. I think we will be finding that future applications will cater to the 64-bit systems and operating systems.





Tuesday, September 19, 2006

It’s All About The Social Engineering, Baby!

I’ve said it a number of times, and at the risk of sounding like a complete cynic, I will say it again: The biggest threat to computer (and information) security is the people who use them. Or, more appropriately, people who use computers and information technologies in a significantly “unaware” state. To give you an idea what I mean, let’s take another fairly ubiquitous implement in our society, the automobile. Why are there so many accidents? It’s not the bank robbers or the murderers and rapists (in other words, “criminals”) causing them. They are caused by everyday people not paying attention to those around them, people who think that rules of the road don’t apply to them, and even, dare I say, people who just don’t give a damn about those around them. I mean, why is it that people can get into horrific accidents driving down a completely straight piece of highway, like I-25 here in Colorado? It’s because people jump in those 2,000 pound pieces of hardware and just blast off down the road as if they were the only ones on it, completely oblivious to anyone else who may be around. As long as they get where they are going, they don’t care how they got there, and as long as no one else causes them inconvenience, whatever they do is fine.



Well – our love of computers is the same way as our love of the automobile. Computers and communications devices (such as cell phones) are such a ubiquitous and necessary part of our daily lives, that to go without email or our phones for even one minute would be disastrous. And our ability to click on any Internet link we want, and forward every email joke we get had better not be impeded in any way. This idea is at the very heart of many cyber-attacks these days. The bad guys know that people can be duped into just about anything – spreading email here, clicking on a link there, giving out information over the phone. It is very easy for the bad guys to plant a very innocent looking email, spam it out to the whole world, and then sit back and watch as the ignorant masses of scurrying mice blindly follow the bread crumbs. This, in essence, is what “social engineering” is all about. Social engineering encompasses a wide variety of things, such as me pretending to be the help desk and calling you up to get you to give me your network account password. Or diving through your trash to find out what usernames and passwords you had scribbled down and unknowingly thrown away. Or, how about me the nosey passerby shoulder surfing while you arrogantly (and show-off-ishly) flaunted your laptop in a busy airport or coffee shop? You know, in all my journeys through airports, I have gathered more information from listening to people yell into their cell phones that, if I were a bad guy, could be used against them (and their companies). I sat waiting for a flight from Rochester, NY one time and listened to some guy give an entire performance review over his cell phone – he wasn’t discreet or quiet about it at all. Social engineering is what gets you to give up your social security number and birth date when you reply to some scam offering you a refund from the IRS or an online deal that you just can’t refuse.



The above are all examples of social engineering, and there are many more. The bad guys rely on egos and ignorance getting in the way of security awareness. Those that would attack you know that you are either trying to show off how important you are or that you are just plain ignorant of information security techniques. They will use a variety of very simple techniques against you to steal your data, launch code to wreck your computer, or turn your computer into a zombie to proliferate other attacks. The bad guys use clever emails and lures to malicious web sites to launch attacks more often these days than most any other types of attack. In fact as of this week, there is a new flaw in Internet Explorer, and according to this article at ZDNet, porn sites are already exploiting it. The really stupid and lazy attackers will just get you to do their work for them and simply tell you that there is a security vulnerability or virus on your computer, and tell you to delete certain files. They will then get you to email all your friends and tell them to delete these same legitimate files (this is known as a virus hoax) which will then render all of your computers unusable the next time you reboot. Essentially, social engineering (in the bad sense) is all about getting people to do things that the attacker wants them to do.



If you were to look at the majority of the descriptions for most vulnerabilities that are fixed by recent patches, you would see that the patch itself fixes a vulnerability caused by a programming flaw, but that it is only exploited when the victim opens an infected email, opens an infected email attachment, or is lured to a malicious web site. In many cases, the exploit is not “WORMABLE” and simply relies on a cleverly crafted email, attachment, or image file getting onto the victim’s computer so that it can do its thing. The attackers know that they can get you to visit a web site or open an email, and that they can certainly rely on you to forward it to all your friends.



So let’s talk about “good” social engineering. One of the greatest challenges facing IT security professionals is to get people to change their behavior and attitudes towards information security. To most people, the security people are just the Gestapo out to spoil their fun and keep them from doing their job. We are the source of inconvenience because it just doesn’t seem reasonable that the threats really are out there. It’s all a big myth. I’m here to tell you that the only myth is believing in the false sense of security because of the “it can’t happen to me” syndrome. When your IT support people or your friendly bloggists bombard you every day with hints and tips about locking your keyboard when you get up from your computer, telling you not to open email attachments, or not to write down your password on sticky notes – that is the form of social engineering we are trying to use to get you to change your habits a little. We aren’t trying to keep you from being productive. On the contrary, we are trying to keep you from becoming a victim.



Bottom line – the bad guys are trying to “social engineer” your behavior so that you will fall into their trap. They can then laugh at you while they point you out to all their friends (and get the news media attention they crave), telling them how they “stuck it to the man” and screwed up a bunch of computers. The IT security people are trying to “social engineer” your behavior so that you won’t make an ass of yourself, or worse yet destroy the company’s network or compromise proprietary information. If you get attacked at home because you were complacent about your own computer security, then it may take you a while to get your system back up and running. And it might take a while for you to get over the embarrassment that you feel because you unknowingly passed along the attack vehicle to your friends. But if you get attacked at work because you just didn't care to be bothered by computer security requirements and even spread the attack to the entire network, embarrassment will be the least of your problems. The security people have an obligation to keep you informed. You have an obligation to heed the warnings and do the right thing. In other words, you have an obligation to stop being ignorant and be as vigilant with your information technology as you should be while driving down the road in that 2,000 pound weapon of yours. Use some due diligence, as we call it, and be aware. Security is everyone’s business!


Saturday, September 02, 2006

Microsoft is (Still) Not the Problem

Ahhhh - Fall is in the air and it is time to wrap up another summer! I want to start out this fine September by following up on an article I published on my main web site awhile ago. In that article, I mentioned that Microsoft was getting a lot of bad press because their products were always being attacked, and because they released so many patches. In following up and to set the stage for this article, I would just like to say that this has been a fairly interesting summer for Microsoft with the release of over thirty new patches for Windows, Internet Explorer, and Office products between June 2006 and August 2006 alone. All in all, we are up to numbered security patch MS06-051 (the 51st patch of 2006), plus several other patches that don’t fall under that numbering system. But let’s not forget that the folks at Firefox gave us at least two new releases this summer also, not to mention patches from Symantec, McAfee, and Intel (Intel/PRO Wireless Drivers). I’m not going to use today’s post as a forum to pit one browser against another or even one operating system against another. I just wanted to point out that there have been a lot of new patches all the way around, but that this high volume of new patches isn't necessarily the problem we are facing. In that previous article, I wrote that:

“Of all the people who regularly bash Microsoft for giving us an operating system with so many holes, I am probably one of the worst offenders. However, I recently had the opportunity to hear a talk by "Hacking Exposed" author Stuart McClure. He made a very interesting point - Microsoft is not the problem. There is so much talk about using the Linux operating system and alternative web browsers such as Mozilla FireFox. The point he made is that those systems also have security holes as do the Microsoft products.”




In spite of all these new patches this summer, I would like to say that I still believe that Microsoft is (still) not really the problem here. What I do see as the problem(s) are people who have too much time on their hands (the bad guys) and security unaware end users. The fact of the matter is that software code, no matter who writes it, is going to have flaws that are eventually discovered and exploited. It just so happens that Microsoft has the larger market share, so the bad guys are attacking where they know they can do the most widespread damage. So we know where the bad guys are presenting the problem – where they can do the most damage, and in doing so what will get them the most publicity.



So now let’s talk about the end user part of the equation. It’s a foregone conclusion that the software has flawed code, and always will. But let’s face it; Microsoft and other vendors find their flaws (or have the flaws reported to them), they fix the flaw and release a patch. It is now up to the end user (or the IT support structure in corporate environments) to make sure that the patches are getting applied in a timely manner. Are you setting your Automatic Updates to download and install your patches, or do you at least visit Microsoft Updates regularly to get them manually? How about your other (non-Microsoft) software – do you keep an eye on settings that will allow automatic updating for those as well? Since we’re on that subject, even if you do have your Automatic Updates set to auto/auto, when you have some down-time, why not visit the Windows Update site on your own? Check every once in a while and make sure for yourself that you aren’t missing any critical updates, just as you should be manually checking your antivirus and anti-malware definitions every so often to make sure your update engines are working properly and that your system is in fact getting the updates as it should be.





So what happens when a patch goes bad and breaks your computer or an application? Are you simply throwing up your hands immediately, screaming how %$#@& Microsoft is always breaking your computer? This is another example, in my opinion, where the end users are the weak links in this whole patching and updating game. Far too many people scream and curse at Microsoft when a patch goes bad on their system instead of taking a few moments to calmly find a solution to the problem. The solution, by the way, is as close as your telephone: 1-866-PCSAFETY. That is Microsoft’s hotline for solving patch related problems. If the problem is caused by a security patch, the call is free of charge. The problem may be isolated to just your particular configuration, and it may be a simple matter of uninstalling and reinstalling the patch. If enough people call with the same problem, then Microsoft knows that there is something wrong with the patch itself, and will quickly release a fix. But in order to do so, Microsoft has to know about it! They don’t read minds any better than I do – the end users that are seeing the problem have to report it so that something can be done about it.



I have been in the patching business quite a while; I test and deploy patches that are applied to an enterprise of over 10,000 nodes, and I have yet to see consistent strings of patches that break computers. I do, however, see occasional problems come up on individual systems. I am telling you the same thing that I preach time and time again: Do some troubleshooting, find out if it is an isolated problem or a widespread problem, and call the vendor and get the problem documented.





The other thing that I am absolutely sure has to be made clear is that the majority of the attacks in recent history rely on luring users to bad web sites or getting them to open infected emails to expose themselves to the risk. Most of the time, you aren’t in danger of the flawed code on your computer being exploited unless you do what the attacker wants you to do to unleash the attack. The attackers have gotten too lazy to make their attacks “wormable” – and why should they? Why go to the trouble to write the type of code needed to make computers proliferate the attacks, when they can rely on security unaware users to do it for them? All those emails with attachments that you blindly pass on to all your friends, and all those emails with links that you blindly follow: did you ever once stop to think about whether or not they contain potentially harmful content? This is why, in my humble opinion, much of the blame for the proliferation of harmful code rests squarely on the shoulders of the people clicking the mouse buttons.



So to summarize – I will say it again: Given enough time, the bad guys will find and exploit flaws in anything. This problem is not limited to Microsoft. It is just that Microsoft has the largest market share and will earn the attacker the most press time. This summer, I have seen patches come out for Microsoft products, UltraVNC, Symantec antivirus, McAfee antivirus, Firefox (multiple), Intel/PRO wireless network card drivers, as well as a few other products. So don’t blame Microsoft – blame the bad guys, and blame yourself if you’re not keeping your systems patched. You can also give yourself a little of the blame if you are blindly clicking on the email “Forward” button or those links in your email when you don’t know what they are or where they came from.






Thursday, August 31, 2006

Whose Computer is it, Anyway?! (Part 2)

Okay – here’s the scenario (again): Same as Part 1 - Corporate environment, computer is provided by the company, all of the initial software on the computer is installed by the company. The user signed an Acceptable Use Policy statement acknowledging their responsibilities with regard to computer use and security. The company’s acceptable use policy says something about “…only approved software…” The end user is the only user of the computer. Employees are allowed to use the Internet (i.e. the web browser), applications, and email for business purposes and for limited personal use.


More on those neat little freebies – but this time, it is not just a seemingly innocent browser toolbar. There are other free tools out there, commonly known as “peer-to-peer” (P2P) applications. Seems our carefree and gadget crazy employee from last time really likes music, so I will just concentrate on the P2P apps that allow you to download music files (MP3s), but there are many others. The way these applications work is that you install some software (free of course) on your computer, which then has the ability to connect to everyone else on the Internet who has that same software. The reason they call it peer-to-peer is because users don’t actually download the files from a central source, but from each other. The user enters the search terms of the music they are looking for, and the P2P software finds the other users who are online that have that music. The user can then choose to download the files they want. When the download is started, parts of the file can actually come from multiple peer users, speeding up the download process. Downloading MP3 files is great – the users can listen to them on their computer at work, providing they aren’t distracting coworkers, and they can even take them home at the end of the day. Ah, piracy has never been so easy!

Well, here’s the catch: For one thing, downloading copyrighted files from any source without paying for them is illegal. Remember last time I mentioned getting your employer in trouble by installing supposedly “free” software that actually had to be licensed? Well P2P software opens your employer up to a whole new batch of liabilities. We can safely assume (my opinion here) that most people that use P2P software to download music know it is illegal, but do it anyway. This makes the crime more blatant and premeditated, in my mind, and seems to result in harsher consequences. Since you are on company time and on company property, you are now (using a legal term here) under the “scope of employment” which allows prosecuting parties to hold your employer accountable as well as you. The employer should have known that the employees were using company network resources and company computers for downloading illegal music. If the employer is practicing due diligence, they would be checking their network for P2P traffic and scanning their servers for potentially illegal file types.

Even if you are using one of the new and improved “pay as you go” services and pay for the music instead of committing piracy, you are still creating problems on a networking infrastructure. So now let’s take the whole “who’s computer is it anyway?” question a little further and ask “who’s network is it anyway?” The other thing about P2P software is that it creates network traffic – a LOT of network traffic. When I was teaching, our students were all required to have laptop computers in support of the curriculum. We had full Internet access for them, email, and wide open – no restrictions. Very early on in our experience with student laptops, we found that it didn’t take them long to discover Napster and Kazaa. While teaching class, I could look out and see the sea of dopey looks as these people were downloading tune after tune (not paying attention to the Instructor, of course). The magic question of “Hey!!! How come the network is so slow between the hours of 11:00am and 3:00pm??” popped up. It was because several hundred students were all downloading massive volumes of MP3 files and choking our network. Not only that, but our file servers’ hard drives were swiftly running out of space because of all the MP3s being stored in student Home folders. Imagine that same problem, not in an academic setting, but in a business setting where real work is supposed to be getting done. These types of activities have the potential to hog bandwidth, take up valuable file server space, and are probably robbing employers of productivity from their employees.

So now for the security aspects of this issue: P2P software is known to be a large source of security vulnerabilities and exploits. Software like this creates a pretty big opening into the hosting computer, making it possible to spread viruses, worms, denial of service attacks, and other attacks that allow full control of a compromised computer. In fact, having this type of software may cause your company to fall out of compliance with various legislative act requirements such as those contained in HIPAA, Sarbanes-Oxley, or GLB.

Again, as in the case of the company owned computer – it’s not the employee’s network, it is the company’s network. The employer has the right – scratch that – the obligation to protect their network from performance degradation and unauthorized use. They also have a legal requirement to ensure that all of their information technology resources are in compliance with various regulations – and that includes making sure that the software installed on company owned workstations isn’t causing security or performance problems. Be a good employee – do what you want to your computer at home (you’re going to anyway), and leave your company resources for doing business. Failure to keep this stuff off your employer’s machines has the potential to hurt them, but also has the potential to hurt you more than you can imagine.
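The file-server half of the due diligence described above (scanning servers for audio files and watching home-folder growth) can be sketched as follows. This is an added example, not code from the original post; the extension list, the quota and the one-folder-per-user layout are assumptions, and a hit is a lead for review, not proof of a policy violation.

```python
import os

# Extensions treated as audio for this sketch (an assumption; adjust to policy).
MEDIA_EXTENSIONS = {".mp3", ".wma", ".m4a", ".ogg", ".wav"}


def looks_like_mp3(path):
    """Content check that survives a rename: ID3v2 tag or MPEG Layer III frame header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(3)
    except OSError:
        return False
    if head == b"ID3":
        return True
    # Frame sync (11 set bits) plus layer bits 01 = Layer III. Requiring the
    # layer bits keeps UTF-16 text files (which start FF FE) from matching.
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE6) == 0xE2


def scan_home_folders(root, quota_bytes):
    """Total audio files per top-level home folder under `root`.

    Returns {owner: {"files": n, "bytes": n, "disguised": [...], "over_quota": bool}}
    for every owner with at least one hit. "disguised" lists files whose
    content looks like MP3 but whose extension is not an audio one.
    """
    report = {}
    for owner in sorted(os.listdir(root)):
        home = os.path.join(root, owner)
        if not os.path.isdir(home):
            continue
        stats = {"files": 0, "bytes": 0, "disguised": []}
        for dirpath, _dirs, names in os.walk(home):
            for name in names:
                path = os.path.join(dirpath, name)
                has_media_ext = os.path.splitext(name)[1].lower() in MEDIA_EXTENSIONS
                has_mp3_content = looks_like_mp3(path)
                if not (has_media_ext or has_mp3_content):
                    continue
                try:
                    size = os.path.getsize(path)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                stats["files"] += 1
                stats["bytes"] += size
                if has_mp3_content and not has_media_ext:
                    stats["disguised"].append(os.path.relpath(path, root))
        if stats["files"]:
            stats["over_quota"] = stats["bytes"] > quota_bytes
            report[owner] = stats
    return report


if __name__ == "__main__":
    import sys
    # Usage: python scan_media.py <home-folder-root> [quota in MB, default 100]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    quota_mb = int(sys.argv[2]) if len(sys.argv) > 2 else 100
    for owner, s in scan_home_folders(root, quota_mb * 1024 * 1024).items():
        flag = "OVER" if s["over_quota"] else "ok"
        print(f"{owner}: {s['files']} files, {s['bytes']} bytes [{flag}]")
        for p in s["disguised"]:
            print(f"  renamed audio? {p}")
```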


More Information:

SearchSecurity.Com Article: Are P2P Applications Worth the Risk?

DHS: Unauthorized P2P Programs on Government Computers

Article: Instant Messaging and P2P Vulnerabilities in Health Organizations

Who’s Computer is it, Anyway?! (Part 1)

Tuesday, August 29, 2006

Who’s Computer is it, Anyway?! (Part 1)

Okay – here’s the scenario: Corporate environment, computer is provided by the company, all of the initial software on the computer is installed by the company. The user signed an Acceptable Use Policy statement acknowledging their responsibilities with regard to computer use and security. The company’s acceptable use policy says something about “…only approved software…” (more on that in a bit). The end user is the only user of the computer. Employees are allowed to use the Internet (i.e. the web browser), applications, and email for business purposes and for limited personal use.

Having remembered all that (yeah - right!), the employee is out cruising the Internet. They haven’t broken any company policies yet, they come across this site with a really cool toolbar for the browser, and best of all, it is FREE! It blocks pop-ups, gives enhanced search capabilities, even has a news feed reader and chat client. So they install that neat toolbar – free download, couldn't possibly be a problem, who’s gonna know? They may have just crossed over the line with company policy, it’s probably a minor infraction, no big deal.

Now it gets better: One day shortly after installing that cool new toolbar for the web browser, the employee tries to access a web site that they normally need to access to do their job. Certain functionality of that web site depends on scripting and pop-ups (authorized ones), but strangely they don’t work right. Hmmm – they reload the web site, check access to other web sites, and if they’re really savvy, they check pop-up settings and security settings in the native browser. All good, what can be the problem? Frustrated by this time, the angry employee finally calls the company’s help desk and reports the problem. The technician, having seen this problem before, and after checking the normal browser settings that the user just checked themself, asks the five dollar question: “Do you have any other browser toolbars or pop-up blockers installed?” Let’s just assume this employee is at least an honest person and reports the Google or Yahoo toolbar that they just installed. The technician states that the employee will have to uninstall the toolbar for the web site that they are trying to access to work. This infuriates the employee and they state that there must be SOME way to make it work with that toolbar. The technician promptly replies that the toolbar is NOT supported software, and that it is in fact NOT even approved software (remember that acceptable use policy?). “NO! %$#@&* - it, this is MY computer and I will do what I want with it!!!” shouts the now livid end user.

Here’s the bad news, folks: It is NOT the employee’s computer. It is the company’s computer. Those neat little toolbars and all those other cool freebies on the web are great for the computer at home, but have no place on computers at work. And here are the issues: 1) By having to muck about through trying to fix unsupported and unapproved software, we are making our help desk people do extra work that they shouldn’t have to do, and that is probably against the service level agreement that the business unit has with the company. 2) By installing these things, we are possibly creating a security risk for our system and our corporate network by inviting in spyware and potential vulnerabilities. 3) We are opening our company up to all kinds of liability issues regarding software licensing (“FREE” does not necessarily mean free for use in a corporate environment), and information assurance (the spyware in that free toolbar may be a blatant violation of security policies).

The reason why there is an approved software list is because some pretty smart people figured out 1) What software licensing would cost for the organization to have certain software, 2) They have a pretty good idea what software works with all the other software on the machine, and 3) They know that there are certain information security “best practices” that need to be followed.

My final rant in today’s post is that the above scenario is all too common in today’s corporate environment. I am sick and tired of hearing about people bitching and whining because their computer is “…always broken,” and that “…these ^&%$#@ computers are no good.” Let me give you my $.02 worth: The reason they are always broken is because of security unaware and clueless computer users constantly installing this kind of crap on their company’s computers, and then ragging on tech support for not fixing it for them. I take exception to some blathering idiot taking out their rage on tech support people who had nothing to do with that user mindlessly horking up their computer. These morons break their computers, some do it every time they touch one – the help desk should make THEM re-image and reconfigure that machine once. That will give these people a good idea what it’s like to have to deal with and clean up after clueless people who break computers because of their own ignorance and gadget lust. Go see my "Know Your Computer" and "Are You a 'Responsible' Computer User?!" articles for more about what users can do to improve their own computing experience.

Disclaimer: I used the term “Help Desk” in this article ONLY because it is the term that most people are still familiar with. The correct term is “Service Desk.” I mention this disclaimer lest the ITIL folks come find me and revoke my ITIL certification :) For more information on ITIL, please go here. You will find a wealth of things in the ITIL world about service desks, service support and delivery, and best of all service level agreements, service security, and service management. Solid ITIL practices are why the service desk people are not your enemy - they are doing their job!

More ITIL Links

Who's Computer is it, Anyway?! (Part 2)


Saturday, August 26, 2006

Using a Host Based Firewall

Even if you have a hardware router, you could still benefit from a host based firewall on each of your computers. Host based firewalls also go by the familiar name of “personal firewall.” You already have a pretty good one built in if you have installed Service Pack 2 on your Windows XP computer. However, the built-in Windows Firewall lacks some features that some of the other third-party firewalls, such as ZoneAlarm or McAfee, have.

So why do you need a host-based firewall anyway? Three words: Defense-in-Depth! A basic tenet of computer security is that no one measure will be able to prevent every type of attack. But having a variety of measures (layers) in place will be able to stop most of them. You have a router at the perimeter, you keep your patches up to date, you use antivirus and anti-malware solutions, and you have a host based firewall in place to intercept all other traffic. Here is an example: I have a Linksys router performing firewall duties at my perimeter. However, looking at my McAfee firewall logs I see that certain events got through, but were intercepted and stopped by my host based firewall.




Some of the added features of the other third-party products are the ability to more granularly configure program exceptions for allowed behavior, configure outbound as well as inbound blocking, and collect event log information. As far as the inbound events, the Windows Firewall allows you to configure applications and ports to allow. But as far as outbound events, the Windows Firewall won’t be able to allow configuration of those until Windows Vista hits the streets.

Installing a host based firewall doesn’t come without some complexity. You are going to have to be a little patient while the firewall is learning. It will alert and prompt you many times when something is trying to go outbound, and you will have to tell it to remember whether or not each item is acceptable. Likewise, on the inbound events, most firewalls will just outright block them, but will alert you. You will then have to see what it is and make appropriate configuration adjustments. Once you have done all this for several days, however, you will find that the alerts are less and less frequent, and the firewall will be pretty low maintenance after that. You will also need to keep your firewall up to date, just like your antivirus software and patches.

Defense-in-depth is a vital necessity for keeping your computer and your data safe. Host based firewalls will add to your other protective measures and help keep the threats minimized.
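One way to review what a host based firewall stopped after the perimeter let it through, as an added example that is not from the original post: the Python below summarizes dropped inbound packets from a log in the Windows Firewall (pfirewall.log) layout, splitting sources outside the LAN from sources inside it. The log lines, addresses and LAN range are constructed, and the McAfee log format mentioned above is a different one that this sketch does not handle.

```python
import ipaddress
from collections import Counter

# Constructed sample in the Windows Firewall log layout. Column names are read
# from the "#Fields:" header, so logs with extra columns still parse.
# Addresses are private/documentation ranges; no real traffic is shown.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2006-08-26 09:14:02 DROP TCP 203.0.113.7 192.168.1.10 4312 445 48 S 1234567 0 64240 - - -
2006-08-26 09:14:05 DROP TCP 203.0.113.7 192.168.1.10 4312 445 48 S 1234567 0 64240 - - -
2006-08-26 09:15:40 OPEN TCP 192.168.1.10 198.51.100.20 1045 80 - - - - - - - -
2006-08-26 09:16:11 DROP UDP 198.51.100.99 192.168.1.10 1026 1434 404 - - - - - - -
2006-08-26 09:17:30 DROP TCP 203.0.113.7 192.168.1.10 4320 139 48 S 7654321 0 64240 - - -
2006-08-26 09:18:00 DROP ICMP 192.168.1.1 192.168.1.10 - - 60 - - - - 8 0 -
2006-08-26 09:19:00 CLOSE TCP 192.168.1.10 198.51.100.20 1045 80 - - - - - - - -
truncated line
"""


def parse_firewall_log(text):
    """Yield one dict per event, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet, or a malformed/truncated line
        yield dict(zip(fields, parts))


def summarize_drops(events, local_ip, lan_cidr):
    """Count DROP events aimed at this host, keyed by (source, protocol, port).

    Returns (external, internal): sources outside `lan_cidr` got past the
    perimeter device before the host firewall stopped them; sources inside
    it never crossed the perimeter at all.
    """
    lan = ipaddress.ip_network(lan_cidr)
    external, internal = Counter(), Counter()
    for ev in events:
        if ev.get("action") != "DROP" or ev.get("dst-ip") != local_ip:
            continue
        try:
            src = ipaddress.ip_address(ev.get("src-ip", ""))
        except ValueError:
            continue
        key = (str(src), ev.get("protocol", "-"), ev.get("dst-port", "-"))
        (internal if src in lan else external)[key] += 1
    return external, internal


def format_report(external, internal):
    """Render both counters as text lines, most frequent first."""
    lines = []
    for label, counts in (("outside the LAN", external), ("inside the LAN", internal)):
        for (src, proto, port), n in counts.most_common():
            lines.append(f"{n:3d}x {proto:<4} {src:<15} -> port {port:<5} ({label})")
    return lines


if __name__ == "__main__":
    ext, internal_hits = summarize_drops(
        parse_firewall_log(SAMPLE_LOG), "192.168.1.10", "192.168.1.0/24")
    print("\n".join(format_report(ext, internal_hits)))
```

Windows Firewall only writes DROP lines when logging of dropped packets is turned on in its logging settings.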

SANS Handler Diary Article

Thursday, August 24, 2006

Another Firefox Vulnerability - Already?!

Firefox’s latest browser, version 1.5.0.6, already has a new vulnerability.

National Vulnerability Database Article

Look to the left of this article – below my profile, and you will see that I am a big Firefox fan. I still use Internet Explorer, and Opera, and Netscape, yada yada yada, however, because I do a lot of testing. I just want to say that I am not writing this post to slam any particular browser or boost one over the other. But I have to wonder – and this is for all the little computer nerds who work in Best Buy, constantly parroting the virtues of Firefox to every customer they see – why is it that all these new vulnerabilities in Firefox practically go unnoticed while the Internet Explorer vulnerabilities get all the press?

In the last three weeks or so, Firefox has released two new versions, presumably to cover security holes and add features. The only reason I found out about the latest Firefox vulnerability is some micro-font text on a Dark Reading Weekly page – not a front page press item to be sure. I’m sure this will be published on Secunia and SANS very soon. But because the kids at Best Buy tell you matter-of-factly that Firefox is the only way to go, and just because Firefox doesn’t get the big press, doesn’t mean you are always safe and never need to pay attention to staying up to date.

Anyway, my point in all this is that people fall into a false sense of security because they hear so-called “experts” blather on about how Firefox is far superior to Internet Explorer from a security standpoint. People blindly follow this advice, thinking that they will never, ever, ever, ever have to worry about anything from now on. This notion is putting a patently false idea into your heads. Regardless of what products you use, you always need to stay vigilant for security flaws and apply updates when they are available.

The bad guys are getting bored with Microsoft – due diligence and proper risk analysis means that you are evaluating all of your software and keeping it up to date. Stay safe with all parts of your system!

Thursday, August 17, 2006

UltraVNC Updated Due to Vulnerability

For those of you that use UltraVNC for remote computer control, you should know that you need to update now. There is a critical security vulnerability in UltraVNC 1.0.1. A new version, UltraVNC 1.0.2, is now available for download.

The upgrade is painless and installs right over the top of version 1.0.1. I also tested my current version of UltraVNC SC (Single Click), which is a simple utility that you can configure and send to your family, friends, and customers to make remote connection easy. The old SC works just fine with the new version of UltraVNC.

For more information and to download the new version, see the Sourceforge UltraVNC web site.

For information on the vulnerability, see this Neohapsis article.

Wednesday, August 16, 2006

Random Lockups and Restarts - Means Your Computer is Getting "Stupid?"

There is nothing more frustrating than working on an elaborate document and all of a sudden the computer reboots. I told you to save often, right? Well, that's another story. You can't possibly anticipate every single type of computer failure. You can only do your best, save your work when you can, and plug along like the rest of us.

Computer lockups (crashes) and especially random and sudden reboots are very difficult to troubleshoot and solve. Usually, however, these symptoms are an indication that you have a failing hardware component somewhere. Either the hardware is failing outright or the software drivers that make the hardware work have become incompatible. In some instances viruses and malware can corrupt drivers, make pieces of software incompatible with the system, or wipe out critical system files.

Read More

Friday, August 11, 2006

U.S. Tops Porn and Spam Proliferation

Awhile ago I mentioned an article that talked about how the United States was tops in SPAM and forwarding SPAM type email. Well, here we are again with a related article, and the United States ranks number one in another area – child porn sites!

Let’s take a look at the security side of this whole thing. Whether you are forwarding SPAM, or visiting porn sites, you are putting yourself (and others) at risk for a whole myriad of things, including the risk of being caught with illegal files on your computer and the proliferation of viruses. Besides being just plain disgusting, many porn sites contain malicious code that can install malware on your system, hijack your address book, and email infected messages to you and everyone you know. From there it is an endless cycle of being infected and trying to clean it all off of your system, getting re-infected, cleaning it off again, and on and on.

What – did you think the creators of porn sites were just a bunch of stupid sex addicts, pedophiles and womanizers? They use clever coding in their site pages, and employ crafty and malicious tactics to get more traffic to visit their sites. They generate revenue because they know that some desperate person will sign up and become a regular (often paying) visitor. But what about that single new customer (should we call these creeps “customers?”) who signs up? They now have an email address book that can be used to email malicious, if not disgusting emails to others. And those recipients have address books, and so on, and so on, and……. I think you get the picture. The actions of one potentially affect the many.

You already know my stance on mindlessly forwarding every single email you get. Not only does it fill up my email box, but in many instances you are sending me unsubstantiated garbage with half truths and bogus tales. But all that aside, I don’t need the viruses and malware, and I suspect neither does anyone else. All my ranting aside – if you are going to forward that stuff, at least do us all a favor and use an antivirus package that scans your emails and attachments. When the viruses are stopped, at least then the plethora of forwarded emails is a little easier to put up with.

What you do in the privacy of your own home is your business. But make sure your email address book doesn’t have my address in it, and please don’t send me any SPAM. I don’t need any pictures of wanna-be porn stars, and I don’t need the viruses.



Thursday, August 10, 2006

“Bring Your Computer in For a FREE Health Check – a $40 Value!”

Okay – so I was watching TV and this commercial came on for some store (probably an electronics store or something). I wasn’t paying attention, when all of a sudden they blurted out “Bring in your computer for a free health checkup, a $40 dollar value.” That got my attention because I am wondering just what it is that Geek Squad (or whomever) is going to do to my computer to justify $40 worth of work. Obviously this is a “loss-leader” to get you in the door to buy more stuff. Or perhaps – you get the health checkup only to find out that your pathetic computer is just short of dead and you desperately need a brand new one!

Let's talk about computer "health" just for a second. Many equate computer health with its ability to run like the wind. Computer health is as much a matter of security as it is performance. Many of the tools I mention in this article will help speed up your computer because they get rid of viruses and malware, as well as eliminate clutter and organize your file structure. Viruses, malware and unpatched systems all contribute to vulnerabilities that can allow your computer to be open to attacks that affect safety as well as speed. These vulnerabilities can enable an attacker to inject clutter and unwanted services, not to mention processes meant to do you harm. Likewise, fragmented hard drives and unneeded temporary files can make your computer work harder and slow it down over time. Computer health, then, is a matter of looking at the whole system and optimizing all aspects of its operation.

So now to the heart of the article - If you are feeling generous, just send me the $40 because I am about to save you the money many times over. Remember awhile back, I said something about “knowing thy computer?” Well – that includes knowing how to do the basic things to take care of that expensive, electronic door-stop of yours. You should know how to do basic things such as making sure your virus definitions are up to date, doing a virus scan regularly, making sure your patches are applied, and checking for spyware. Given the threats these days, the aforementioned items should be done daily. Some less frequent, but still needed computer “health” activities involve running a Disk Cleanup and a defrag now and then.

All of the above have been made extremely easy for you. Virus signatures, scans, anti-malware maintenance, and applying security patches have practically automated themselves – all you have to do is set them and forget them.

You can do all these things yourself; forget about lugging your computer down to the pimply kid at Geek Squad, and save yourself $40 in the process. Here’s your computer “health checkup” routine:

  • Visit Windows/Microsoft Updates and make sure your patches are up to date. Just open a web browser, select “Tools” and then select “Windows Update.”
  • If you haven’t installed Microsoft Updates, do so now – you will see the link on the left side of the Windows Updates screen using the procedure above.
  • Open your antivirus program and make sure your virus signatures are up to date. Given the number of AV programs out there, the procedure for this will vary.
  • Open your antivirus program and do a scan on your system. Better yet, make sure it is scheduled to do the scan regularly.
  • Open your anti-malware program and make sure your malware detection signatures are up to date. Given the number of anti-malware programs out there, the procedure for this will vary.
  • Open your anti-malware program and do a scan on your system. Better yet, make sure it is scheduled to do the scan regularly.
  • Go through your “My Documents” folder and archive everything you haven’t used in awhile.
  • Copy all that stuff to CDs, external storage, or a secondary hard drive. Make sure it copied successfully and then delete it from your computer’s main (system) hard drive.
  • Do a Disk Cleanup – see my procedures article for doing that. Better yet - Automate it!
  • Run a Check Disk – Right click on My Computer, select Properties, right click on your disk drive(s), select Properties, then Tools, then click the Check Now button under error checking.
  • Do a DEFRAG – see my procedures article for doing that. Better yet – Automate it!

These are some extremely easy things you can do to keep your computer healthy. Do them regularly and better yet make your computer do them on its own. Performing these things on a regular basis will keep your computer running well, and save you $40 trips to the neighborhood computer store.

P.C. Health Checkup Summary Checklist (Do these things in this order):

  • Windows/Microsoft Updates – set to automatically download and install.
  • Virus signatures current and scan computer – set to automatic, periodic scan.
  • Anti-malware signatures current and scan computer – set to automatic, periodic scan.
  • Archive all unneeded files and clean out “My Documents” folder
  • Disk Cleanup – you can automate this also.
  • Run a Check Disk to make sure your hard drive is healthy.
  • Disk Defragmentation (DEFRAG) - you can automate this also.
  • Mail me the $40 the first time you do this, but then it’s free after that :) – I am kidding, of course.

Wednesday, August 09, 2006

URGENT: Patch for MS06-040 Immediately

Microsoft Critical Patch MS06-040 is being listed as a "Patch Now" patch by SANS Internet Storm Center.



Microsoft is listing MS06-040 as "Addresses a critical security problem."





Test and patch your systems as soon as possible. If you have to prioritize your patches (because there are so many this month), test and apply MS06-040 first, and then test and apply MS06-042. More info as I get it. You can read more about this also at:

http://www.patchmanagement.org

http://isc.sans.org/diary.php?storyid=1573

http://isc.sans.org/diary.php?storyid=1574

Tuesday, August 08, 2006

Are You “Giving Away” Your Personal Information?

Sooner or later you have to dispose of that old computer. Maybe you will throw it away (shame on you!), or you will do the right thing and recycle it (much better), or you are giving it away to a non-profit organization (bless your soul). Just a sidebar plug here – but if that old computer is still serviceable and in working order, why NOT give it to a non-profit agency or a needy family? Many agencies will gladly take that old computer, go through it to make sure it is good to go, and give it to someone who needs it. Think of the disadvantaged kid who gets your old computer, gets more out of their education, and then one day becomes a doctor who saves your life.

I have digressed. Anyway – when you give that computer away, what was on the hard drive when you gave it away? Tax records, some private letters, account numbers and passwords? Oh – but you deleted all of your files, all of the stuff in “My Documents” and it is all set to give away. Well alrighty then – no worries. Here’s the bad news. When you deleted all those files, you only deleted the reference to them in the part of the hard drive that indexes them for retrieval by your system. The data is still there, and anyone with the right tools can retrieve it. In other words, it’s like ripping out the table of contents in a book you plan to give away. You have torn out the pages that tell you where to easily find what you are looking for. But if you keep turning the pages in the book, you will see that all of the words are still there, and you can read the pages just as if nothing else were missing from that book.

It is absolutely necessary that you completely delete anything on your computer that might disclose personal data, such as social security numbers, birth dates, tax records, or even personal letters. Either that or remove the hard drive and destroy it. But you want to give away a complete computer, don’t you? So the lucky recipient will be able to put together a complete system for someone to use, and spend less money doing it.

Well – here’s the good news. Many of the tools you need to obliterate all of your personal data are free or very inexpensive. Many of them will even erase a hard drive to strict Department of Defense (DoD) standards for disk erasure. I can’t emphasize enough: you MUST obliterate everything on that hard drive before you get rid of it. Anything and everything can be used against you by a crafty hacker. There are things buried deep in your operating system that contain information that you may not be aware of.

If that hard drive has failed, be sure to remove it before you give the computer away. Even if the electronics have failed, the drive can still be opened up and all of the contents retrieved. Remove it and destroy it. Take the drive apart and completely destroy the platters. You can use strong magnets or better yet a device called a “degausser” to erase the data if necessary. Whatever you do, be sure you are not giving away your personal data just because you thought you erased everything on that hard drive.


Additional Resources:

http://www.pcworld.com/downloads/file/fid,22920;order,1;page,1;c,All%20Downloads/description.html (PC World Article)
Church Crosstalk Killdisk
Darik’s Boot & Nuke

Sunday, August 06, 2006

Do You Have a Method For Testing Patches in the Enterprise?

In light of Microsoft’s release of over thirty patches this summer, I figured it was time to discuss security patch testing methodologies. There are at least two basic schools of thought about when, how and even why to test new patches when they are released by the vendors. It all boils down to risk analysis. You are weighing the risks of being hit with an attack that one of these patches could have prevented with the risk of potential damage that the patch itself could cause when applied. After all, the business of business is business. Either one of those risks could cause your network or individual computers to be inoperative and keep your customers from doing their work and adversely affect your business.

Read the full article

Friday, August 04, 2006

Hotfixes, Patches and Updates – Oh My!

This has been a very busy week in the world of computer patching and updates. And we can’t just blame it on Microsoft.

Well – we can credit a huge share of upcoming patches to Microsoft. Next week on “Patch Tuesday” Redmond is releasing ten security patches for Windows, two for Office products, two non-security patches, and the regular Malicious Software Removal Tool release. In case you haven't been keeping track - that's over 30 new patches this summer alone!


Summary
=======
On 8 August 2006 Microsoft is planning to release:

Security Updates
. Ten Microsoft Security Bulletins affecting Microsoft Windows.
The highest Maximum Severity rating for these is Critical. These
updates will be detectable using the Microsoft Baseline Security
Analyzer and the Enterprise Scan Tool. Some of these updates will
require a restart.
. Two Microsoft Security Bulletins affecting Microsoft Office.
The highest Maximum Severity rating for these is Critical. These
updates will be detectable using the Microsoft Baseline Security
Analyzer. These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool
. Microsoft will release an updated version of the Microsoft
Windows Malicious Software Removal Tool on Windows Update, Microsoft
Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update
Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
. Microsoft will not release any NON-SECURITY High-Priority
Updates for Windows on Windows Update (WU) and Software Update
Services (SUS).
. Microsoft will release two NON-SECURITY High-Priority Updates
on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins,
products affected, restart information and severities are subject to
change until released.



Can’t let Microsoft have all the fun. The Firefox browser people have released yet another update for their ever-growing-in-popularity browser. This makes two updates in as many weeks.

Mozilla has released version 1.5.0.6 of Firefox, approximately 1 week after releasing version 1.5.0.5. This release addresses an issue with playing windows media content in the Firefox browser. More information
here:
http://www.mozilla.com/firefox/releases/1.5.0.6.html


McAfee has released an update for their security center products:

McAfee has released a patch for Security Center products including:
antispyware, internet security suite, personal firewall plus, privacy service, quickclean, spamkiller, virusscan, and wireless home network security. Description of the issue from McAfee:

"This attack requires the consumer to perform certain actions in order to be exploited. For example receiving an e-mail from an un-trusted source and clicking on a malicious URL. McAfee suggests that a consumer not click on any URLs in an email that comes from an unknown or non-trusted source. A successful exploit of the security flaw would allow an attacker to remotely execute arbitrary code on the machine running the indicated software. These arbitrary commands would be limited to the privileges of the user which the product is running as on the machine. In order to accomplish this exploit, a user would have to force internet explorer to render a malicious web page which has been generated by the attacker. The attack requires reverse engineering of the software as well as the assistance of the user."

More information in their security bulletin here:
http://ts.mcafeehelp.com/faq3.asp?docid=407052


And finally, if you have a laptop (or other computer) that uses the Intel/PRO series of wireless chipsets, your drivers are likely to be vulnerable to attack. Follow the links below to find the correct driver download for your affected products.

This is not going to be fun or easy to fix. On 8/1 Intel released information about wireless driver and PROSet software vulnerabilities which affect the 2100 and 2200 Intel wireless components which are in every single Dell laptop we have. The driver vulnerabilities are critical and can be used to take over full control of a machine. Details at:
http://support.intel.com/support/wireless/wlan/sb/CS-023068.htm

Anyone doubting their criticality should read:
http://www.theregister.com/2006/08/03/wifi_driver_hack/
It is recommended by Intel that users check with their manufacturer (Dell) to see if they are going to release their own version of the drivers since manufacturers have the option of making changes which could cause problems with the Intel OEM drivers. I checked Dell's website and as of today they don't have a new version so communication needs to be made with Dell to determine if and when they will be releasing new ones, and if they aren't, whether there will be any problems with the OEM drivers.


Happy patching, folks. Be sure to test these patches and patch quickly.

Thursday, August 03, 2006

My Computer is Really Slooooooow!

You may have heard before, from me or others, about doing periodic maintenance on your computer, including running Disk Cleanup and Defrag. These built-in tools will help speed up your computer and make disk operations more efficient. You may also know that viruses and malware can slow your computer down. So just to be extra careful, you keep your antivirus definitions up to date, and do regular virus and spyware scans. An overly full hard drive makes it hard for your virtual memory to work efficiently. You need disk drive space so that your physical memory can “swap” paging files with the virtual memory set aside on your hard drive. So you clean off some unwanted programs and archive those documents and pictures that you want to save but no longer use frequently.

You have checked all those things, so why is your computer still running slow and sluggishly? Now it may be time to do a little troubleshooting to find out what is slowing down your system. You could have an application causing problems, or it could be a virus or other malware. A recently applied patch could also be causing an application to run improperly. To find out what is going on, you will have to take a look at graphical performance indicators as well as a list of running processes. This is tricky, because even if you see which process is causing your problems, you won’t know if it is good (normal) or bad (caused by a virus) unless you do some additional research and find out what they are. Even I don’t pretend to know what they all are just by looking at them. I spend a lot of time researching processes to find out what they are and how to fix them if they are causing a problem. Troubleshooting computer problems is not always easy – that’s why us computer geeks aren’t worried about job security quite so much :) I have listed some resources below for you, however, so you won’t have to spend so much time researching these things.

Read the full article

Wednesday, August 02, 2006

My Loooooooong Email Has Gone Missing!

Email is the medium of choice these days for corresponding. What used to be an informal method of messaging has evolved into a more formal means of sending communications. We used to send off those one-liners that took only minutes to write. Now we are sending entire letters via email. With the advent of the digital signature and the return receipt, we now even have the proof of delivery and non-repudiation issues covered. People are even organizing their email folders, filing their emails away for later reference and for keeping track of long threads of discussion.

Having said that, I notice that more and more I will hear someone say that they had spent the last hour or so composing an email only to hit a wrong key and have it disappear before their very eyes. This has more to do with the way many email programs save works in progress. Many of the less sophisticated programs, which many people use, do not automatically save the email as you go along. I use Microsoft Outlook at home, which will save my work in progress in the “Drafts” folder, even if I don’t consciously save it myself. If I accidentally exit out of the email program, I will be prompted to save it before the exit. I also use Lotus Notes at work, which does not save my drafts unless I make a conscious decision to save it before I exit. I have lost a few emails myself with Notes, whereas my Outlook at home has been fairly safe. The other thing to worry about is whether or not you can maintain a permanent copy of your email, or whether or not you can get to it to edit it, even if you are offline. Many web-based emails such as Yahoo and Hotmail are convenient, but they don’t store anything on your local computer. The service provider may even purge documents after a certain length of time.

Rather than scramble around to find an email program that will keep you safe from your own fat fingers, there are some measures you can take to keep from losing a long email. First of all, if you know you are going to write a long email, and your email program doesn’t auto-save for you, save it into your “Drafts” folder right away, and then hit “Save” periodically as you go along. One even better way to do it, especially if you have a long, formal email that you need to draft, is to not draft it using your email program at all. Compose your lengthy message with a word processor, such as Microsoft Word, or whatever word processing program you have installed. Save your letter right away in a “Letters” folder or something. When you are all done, simply highlight all the text and copy it into a new email document. This will give you two benefits: 1) You will now have a permanent copy of your long letter somewhere on your computer besides your mail file (which may or may not be resident on your machine). 2) Your word processing software probably has better spell and grammar checking features than your email program – which means your formal letter is sure to be correct in every way. If you lose your outgoing email, or need another copy of what you wrote, you can retrieve your permanent document and even resend it if necessary.

Just a little tip to help you keep from losing your mind when typing (and losing) those long emails. Save immediately and save often. If you can’t do that in your present email program, then break out the word processor!

Tuesday, August 01, 2006

Oh No – You Mean My Wireless Home Network is At Risk?

If you are like me, you were too lazy to run network wiring in your house when you moved in. You have a computer, kids have computers, spouse has a computer. Cripes, these days even the dog has his own computer. So what to do about all of these connectivity issues? In my last house, I took the time to run network cabling so that there were data jacks everywhere. I thought we would need them – even in the kitchen (I’m such a geek!). Well, never again. The wireless age is here, and that was just too much work. I guess it is time to finally get with the program and make all my computers wireless. All my neighbors have: From where I sit in my office on the second floor of my house, I can see at least five networks from here. I wanna be wireless too. That way I can be like those cool yuppies, and sit on the deck with my suntan lotion, a cool frappuccino, and my laptop – surfin’ the Internet and checkin’ stock quotes.

So now that my wireless network is all set up, no worries, right? I mean so what if someone in the ‘hood steals a little of my signal, connects to my network and surfs for themselves. The cable company won’t know and the bandwidth they steal probably won’t affect me! Well – here’s the deal with that: If anyone can get on your network and surf the web, then that means that they can also get to the files on your computer(s) if they are smart enough – and these days it doesn’t take much to hack into an unprotected system. They are completely bypassing your firewall and they are now on the inside. Inside and free to get to all of your personal information, tax records, personal letters, email files, you name it.

Wireless security is such a big deal these days because everyone is setting one up. Let’s face it, setting up a wireless network in your home or small office is waaaay easier than running network cabling and making all that mess. But the key thing to remember is that your network traffic is now traveling over free space. Anyone with a laptop and some wireless sniffer software can eavesdrop on you and steal your signal, your data, or hack into your computer.

The subject of wireless security is far more involved than I can write in this little blog. I thought it worthy of a full-page article on my main web site. Check it out – I think there may be a few tips you can use to make your new wireless network more secure. There's a lot more to consider than you would think - and many creative ways to help keep the bad guys out.

Read The Full Article

Sunday, July 30, 2006

A Little Preventive Maintenance for your Computer:

It is the hottest time of the year here in Colorado. With record temperatures all over the country, there are all sorts of heat related problems including fires, heat exhaustion, and fatigue. Heat has a way of affecting your computers in bad ways as well. Just as you feel kind of worn down and sluggish from the heat, your computers have similar problems. When they get too hot, they will do anything from rebooting themselves without warning, to “blue screening,” to shutting down (for their own protection), or even just outright failing. The central processor (CPU) and memory components are most susceptible to heat related problems. There are some things that you can do periodically to prevent these things from happening, and even prevent costly damage to your machine. Your machine has some built in self-protection measures, but you need to periodically make sure that these built-in measures are able to do their job properly.

Read full article...


CNET Article: Clean up your Grungy PC

Gonzo's Garage Computer Page

Friday, July 28, 2006

Web Browser Updates

On the web browser front, there are a few updates you need to be aware of. First, for the Firefox users, version 1.5.0.5 is now available. This update fixes a few security holes. I’m a big Firefox fan, but it sure seems to me that they have released a lot of updates lately. Are the hacker kiddies finally getting bored with Microsoft and going after someone else?

For you Internet Explorer users – this is a biggie. Internet Explorer 7 will be hitting the streets sometime this coming fall. The thing to be aware of is that IE7 will come to you as part of the regular Windows Updates in whatever month it is released. But even if you have your automatic updates set to auto/auto, you will be getting an IE7 prompt, with the choice of whether or not to install it. I am telling you this now because IE7 is a completely different looking creature than your present IE6. It will feature tabbed browsing, anti-phishing filters, the ability to subscribe to RSS feeds (no separate reader required), and a whole new look and feel. I have been using the beta version of IE7 for quite some time now – and it is pretty cool looking. I would just warn you that you need to make sure it will work with all of your web applications. The learning curve will be slightly higher on this new browser.

More Information Here

For you corporate folks (and even home users), if you don’t want IE7 even offered to you, Microsoft plans to provide a blocking tool that you can apply to keep your computer from getting IE7 automatically.

The new Firefox version looks and feels the same, just has a few security holes plugged. Hmmm…. Firefox - security holes? Could it be? The new IE7 will be very different, however. You will need a little time to get used to it and get used to where all the buttons have moved, but you will be very pleased with the new browser.

Thursday, July 27, 2006

SPAM - Are You Part of the Problem?

I feel like griping about something today – so I’ll gripe about SPAM. I’m sure you have noticed that every day your email inbox fills up with messages from people selling everything from online dates to Viagra to pharmaceutical products or even the latest hot stock tip. Friends and family even bombard you daily, telling you the latest jokes, admonishing you to pass on a message - or risk bad luck for the next ten years if you don’t. I am mentioning this because I read an interesting article about how the United States is listed as one of the top SPAM relaying countries in the world.

http://www.newsfactor.com/story.xhtml?story_id=44780

We are spreading SPAM at an incredible rate. We can’t just blame it on the online marketers and scam artists. We are blindly relaying thousands of messages with cute cartoons, jokes, warnings about going to hell if we don’t forward this prayer to 10 friends.

Now to be honest with you – I think all that email that we forward is just innocent fun. A lot of those stories are real tear-jerkers, and at least make us stop and think. But one thing that we should pay attention to a little more is the validity of some of it. I saw one the other day that talked about how Mars was going to pass earth at its closest point in 5,000 years, and be as big as the moon to the naked eye. The email is taken out of context - what they mean is that with 75x magnification that Mars will look as big as the moon - but that's not even the point. The event of Mars coming this close to the earth happened two or three years ago. I have been getting an in-box full of this one this whole week. Mars is over 35 million miles away. C’mon – does that really sound plausible to you that Mars would appear as large as the moon to the naked eye?!

Another of my favorites is the one about the lives of the soldiers who guard the Tomb of the Unknown Soldier. Some pretty interesting facts, mingled in with some hyperbole about how they can never drink alcohol or swear for the rest of their lives. Those specific points turned out to be false, by the way. Or the one about Paul Harvey's essay on school prayer. The email makes some really good points, but it wasn't written by Paul Harvey. The points that the essay makes are valid, but is it somehow more credible because Paul Harvey was the one who wrote it? Why not just give the true author credit? Read up on some of these hoaxes before you pass them on. One good site to check is http://www.snopes.com/. Many of these hoaxes are listed there.

The other issue I have is that if people get in the habit of blindly forwarding everything, then they won’t think twice about passing along cleverly crafted messages that can do damage and spread viruses. Even worse - emails of virus hoaxes telling you to delete critical files from your computer are worse than real viruses. The lazy-ass virus perpetrators are too stupid to write their own virus code, so they just get YOU to do their damage for them, and they know that YOU will forward this hoax to all your friends and get them to blindly follow the instructions and hose up their computers.

Furthermore, and as the article I linked above puts it so well, people will believe anything that comes in a nicely packaged email. Get in the habit of maybe scrutinizing this stuff a little, and be more selective about the stuff you pass on. I’m looking at this from purely the perspective of the security geek that I am - so go ahead and call me a party pooper.

This is a problem we’re all going to have to live with, but let’s not be part of the problem. At the very least, keep your email filters tuned up, your virus programs up to date, and be a little more selective about what you pass on to others.

Gotta run - someone just sent me an email about Mars coming close to earth and appearing as big as the moon next month - where's my camera?!

Tuesday, July 25, 2006

“Help – The Internet is Broken!!”

Well – actually – the Internet isn’t broken. If it was, I would be the first one running down the street and proclaiming the end of civilization as we know it. What is broken though is your connection to the Internet. In fact, even as I am writing this, I am unable to receive email and I can’t get a page to display on my web browser. I guess this would be a good time to discuss what to do in a crisis situation such as this.

Troubleshooting an Internet connection is as simple as following the layers, starting at layer 1 and moving on to layer 7. What the heck are these layers?! Network engineers, a long time ago, described a networking model called the OSI model. Without an advanced networking lesson, I will summarize by saying that layer 1 is the physical layer – cables, wires, and voltage. Layer 7 is the application itself – email, web browsers, and anything else you use on your computer. The layers in between represent things like network addresses, networking protocols, encryption, and communication session setup.

Let’s start at layer 1: Is your network cable plugged in? Is your phone cord plugged in if you use dial up? If you use a cable or DSL modem, is the cable or network light on, off, or blinking? Is the cable modem connected to the cable itself? Is the power even on?

Take my problem today, for example. I have a cable modem. The power light is on, but the “Cable” light is not on. That means that the cable modem is not getting correct data to sync up and get good network connectivity from Comcast. I also have other indicators – my router is telling me that it is able to talk to the computer, and it says it sees voltage from the cable modem. What I have done is segment the problem and narrow it down to which piece of equipment was having the problem – in this case the cable modem. Here are some things you can do in a case like this: power cycle the modem, power cycle the router (if you use one), and see what information the status lights give you.

Also, check the router's admin console to see if it is pulling good information from the cable modem. If the router is successfully talking to the cable modem AND the cable modem is getting good network information from the provider, then the router status page will usually tell you that your router has good connectivity. If you do a release and renew and you get what looks like a good address, then that part of the network is fine. If it comes back all zeros then either the modem is bad or your provider is having a network outage.

If the modem and router (if you use them) are OK, then it is time to start checking your computer. For the most part, your computer represents layers 2 through 7 in our troubleshooting, but usually, the problem is at layers 3 or 4. Do you have a good network address, also known as an IP address? If you are using what is known as a dynamic (DHCP) address, then it is a good idea to know what it looks like when it is correct. Go to a command line (Start, Run, cmd) and type in “ipconfig /all” (no quotes). Your address will be four numbers separated by dots, such as 24.120.83.124.

As I mentioned – you need to know what it looks like when it’s working to know if it’s wrong when it’s not. If you have all zeros or a number that starts with 169, then you usually aren’t “pulling” a good address from the provider or your router. If you use a router, the address will usually come from your router, and be something such as 192.168.1.2. If you do not have a router and connect straight to your cable modem, your service provider will give you an address and it will be any number of addresses – find out what it is now so that you know what to look for later.
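The address check described above can be scripted. This is an added example, not part of the original post: it parses `ipconfig /all` text and labels each adapter's address as missing, self-assigned, router-issued or provider-issued. The sample output is constructed, the function names are my own, and "starts with 169" is narrowed to 169.254.x.x, the range Windows assigns to itself when DHCP fails.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output, not captured from a real PC.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:
        Autoconfiguration IP Address. . . : 169.254.17.203

Ethernet adapter Local Area Connection 2:
        IP Address. . . . . . . . . . . . : 0.0.0.0
"""

# Private ranges (RFC 1918) that a home router normally hands out.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when DHCP fails

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
# Matches "IP Address", "IPv4 Address" and the "Autoconfiguration" variants.
ADDRESS_RE = re.compile(
    r"^\s+(?:Autoconfiguration )?IP(?:v4)? Address[ .]*:\s*(\d+(?:\.\d+){3})")


def classify(address):
    """Return (state, meaning) for one IPv4 address string."""
    try:
        ip = ipaddress.IPv4Address(address)
    except ValueError:
        return "invalid", "not a valid IPv4 address"
    if ip.is_unspecified:
        return "none", "no lease: modem, router or provider is not answering"
    if ip in APIPA:
        return "apipa", "DHCP failed and Windows assigned itself an address"
    if any(ip in net for net in RFC1918):
        return "private", "address handed out by a local router"
    return "public", "address handed out by the provider, no router in between"


def check_ipconfig(text):
    """Return [(adapter, address, state, meaning)] for every adapter found."""
    adapters = {}  # adapter name -> addresses, in output order
    current = None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            adapters[current] = []
            continue
        found = ADDRESS_RE.match(line)
        if found and current is not None:
            adapters[current].append(found.group(1))
    report = []
    for name, addresses in adapters.items():
        if not addresses:  # e.g. an adapter reporting "Media disconnected"
            report.append((name, None, "none", "adapter has no IPv4 address"))
        for address in addresses:
            report.append((name, address) + classify(address))
    return report


if __name__ == "__main__":
    print(*check_ipconfig(SAMPLE_IPCONFIG), sep="\n")
```

A "public" result on a home PC means the machine is connected straight to the modem, so its own firewall is the only thing between it and the Internet.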

If all that is correct, then you may have another deeper problem. Usually rebooting the computer will clear this up. If it doesn’t, call your service provider. They will usually tell you if the problem is related to a service outage (which can also cause the problem with not getting a good address) or possibly your computer.

The bottom line – start at layer 1 – power cords, cables, modem and router lights, and then move up the layers looking at network addresses. If this still doesn’t solve it, reboot. And that includes the cable modem, router (if you use one), and your computer, in that order. If it still isn’t working, call your ISP for help – it’s their job.

Whoops – gotta run – my cable modem light is back on – time to go surfing.