Don’t neglect your software updates!

While PCs and Macs seem to require patches and updates very regularly, don’t become complacent. Updates are provided free and automatically for a reason. A recent study of Windows malware infections showed that most exploits target security vulnerabilities for which a patch has already been released, and (somewhat surprisingly if you believe everything on the internet) most of these are not actually Microsoft’s doing. The most likely entry points for malware into your system (in descending order) are flaws in Java, Adobe Reader, Adobe Flash Player and MS Internet Explorer. Only one of those is Windows only…

Java installs an automatic update notifier when it is installed; run these updates!

Adobe runs automatic update checks as well for Reader and Flash; install these updates! One word of caution though for businesses with a caching proxy server: beware of the Adobe Updater fundamental coding flaw that Adobe won’t acknowledge. Adobe Updater is very impatient; if it does not start receiving its update within 15 seconds, it will request it again. If you have a caching proxy server (running anti-virus checks on downloaded files, for example), make sure the Adobe update sites are either blocked (and install updates manually for the business) or exempt from scanning, or it can burn your internet bandwidth very quickly (until you stop it). All Adobe needs to do is check for a proxy server in the internet settings and, if there is one, extend the timeout. They haven’t yet.

Also, don’t use Internet Explorer unless you have to. Microsoft cloud service web interfaces such as SharePoint work best with Internet Explorer, and some systems management tools with web interfaces require it due to custom ActiveX controls (BlackBerry Server Express, for example). A better alternative is to use Mozilla Firefox or Google Chrome, and for even more protection in Firefox, install the “NoScript” plugin.

Finally, make sure you patch Windows and Macs all the time. It is pretty rare these days that patches break things, but it does still happen from time to time. In a business environment, make sure you test updates properly before deployment. Home users should do a web search on the updates to see if people are reporting problems.

UPDATE: February 5th 2012.
I should have mentioned to make sure you keep your website back-end up to date if you use a content management system (or even just a database). There are many vulnerabilities in every CMS; they are usually patched quickly, but if you don’t apply the patches, you will become the victim of an automated hack. A client recently had their website hacked; fortunately it was a relatively benign, albeit alarming, hack. The vulnerability was traced to a very old version of WordPress that was not even being used, that was installed in a subfolder on the website and had been forgotten about. The hack installed a small shell onto the web server which gave full control of the whole site, not just the old WordPress blog. Their main blog was up to date. Plugins are also likely points of entry into your web site; keep them up to date as well.

Posted in: Free Software, Security

TrueCrypt – File Encryption

If you have personal or sensitive business information, especially on a portable device such as a laptop, USB stick or portable hard drive, you should consider encrypting this data. If you lose any of these devices, any unencrypted data on them can quickly and easily fall into the wrong hands. One solution is a free and relatively easy to use encryption utility called TrueCrypt, which uses some of the strongest encryption algorithms available.

You have a couple of encryption options, from complete system encryption (fully secured laptop) or an entire physical drive, to the simpler and more user friendly encrypted virtual hard drive, which is simply a file on your device that appears as a hard drive when you enter your password. You decide what data will be stored in the encrypted file. It is not as secure as a fully encrypted system but is a far better option than nothing at all, and will take an enormous amount of effort to decrypt without the right password. I generally have an encrypted volume on any portable device and any personal or important information sits in that. I also keep the TrueCrypt installer on an unencrypted part of the drive so I can install it if required (I also use a portable version that does not need to be installed).

Windows Vista and Windows 7 high end versions (Ultimate) have BitLocker encryption built in if you want to encrypt your laptop. While this is built in, you have to have bought the expensive editions of the OS, and the encrypted data is not as flexible. A TrueCrypt “volume” can be mounted on pretty much any operating system (including Linux and Mac) and can be put on a USB stick or portable hard drive, which makes it portable. It cannot be read unless the right password is used.

With encryption though, the end user is the most likely weak point.

TrueCrypt can be downloaded from http://www.truecrypt.org/

Posted in: Free Software, Security

Passwords

I am generally concerned with the use of very simple passwords that I come across regularly.

I recently ran a password cracking tool over all passwords in one workplace to get a feel for how secure their passwords were. The results were not ideal considering there were fewer than 70 staff.

  • 19 passwords were found within 1 second;
  • 40 within 30 seconds;
  • 52 within 60 seconds;
  • 55 within 3 minutes.

Passwords discovered (apart from the ones which were the users’ own names) included:

  • abc123
  • surfer
  • thursday
  • fuel01
  • bulldogs
  • password
  • pink01
  • gold65
  • mushroom

And the list goes on. If you recognise any of these passwords as similar to your own, you should recognise why there is a need to make passwords a bit more secure. Sometimes the people with the extremely simple passwords have remote VPN access directly into the work network which is a massive security issue and puts the entire network at risk.

There are great security differences between a non-secure password (eg apple12) and a (more) secure password (ApP!e1@).

You need to make up a password you can remember. Use a pass-phrase to help, and use a combination of upper and lower case, numbers and special characters. Use substitute characters, e.g. use 1 instead of i. If you normally have two numbers at the end of your password, randomly substitute a number’s special character, e.g. instead of 24, use @4 or 2$. I don’t want to make this so hard that you end up writing down your password and sticking it on your screen so you get it right, as this kind of defeats the purpose.

An example of a strong complex password is M2dn@saR3x, which could be remembered with the pass-phrase “my two dogs names are spot and rex” or “M(y) 2 d(ogs) n(ames) @(re) s(pot) a(nd) R3x”.

Your password protects your IT; the longer and more complex the better. Security paranoid people recommend 20 characters or more, but in reality, make sure they are a minimum of 8 characters long and as varied as possible, and change them regularly (a few times per year or more often).

Posted in: Business, Security

Daily Backups

Regular backups are very important for anyone, especially businesses. While a home user may lose some music or photos if their backups are not up to date, a business may lose invoices, orders, emails etc which cannot be replaced and may have a long term effect on the business.

You really cannot go too far with backups. Depending on your risk profile and budget, your backups may be a simple file copy once per day or real-time backups pushed to multiple locations. Obviously the more you do, the more it will cost, but the lower the risk of data loss if something happens.

Before I go into the options, don’t think that it won’t happen. It will. Hardware fails, computers die, laptops get dropped or stolen, power spikes occur etc. If you go into this expecting the worst, you are usually in better shape when it happens than those who are not ready for it. Once you have had a significant failure and your backups were not good enough, you tend to take it more seriously in the future.

* Hard Drive Backups

As a bare minimum, and I mean bare minimum, a portable hard drive is a cheap and convenient option to back up your data from one or more locations. It can be a bit manual and does require some discipline, but is much easier than burning to CD/DVD. Many come with backup tools but, having seen some of them in action, I recommend using a simple backup script to maintain full control over the backup process. Windows (from Vista onwards) ships with a utility called Robocopy which, while small, is one of the best free applications ever to come out of Microsoft. Older versions of Windows can also use it, but it needs to be downloaded as part of the Windows 2000 or Windows XP “Resource Kit”.

To use it, simply create a folder (call it “scripts”) and create a blank text file in it called “backup.bat”. If you have Windows XP or earlier, you need to put the robocopy.exe file into the same folder. Edit backup.bat by right-clicking it and choosing Edit (double-clicking it will run it). Each line of the file calls robocopy with a source location, a destination location and the options telling it what you want it to do, one command per line. For example:

robocopy "c:\email" "f:\email" /MIR

will use robocopy to “MIRror” the c:\email folder to f:\email, assuming that your portable hard drive has been allocated drive F:. The /MIR or “mirror” option will delete target files if they no longer exist in the source. This is useful to ensure your backup drive doesn’t grow bigger than your data drive, but you run the risk of data being lost if a source file is accidentally deleted and a backup is then run. A better option for a portable hard drive is to have two backups pushed to it: one with the /MIR switch to mirror it, and one without, which will copy changed files and new files but will not delete anything.

Other Robocopy options can make your backups work better or be a bit more flexible, e.g.:

  • robocopy "source folder" "destination folder" /MIR /w:2 /r:2 will wait two seconds (/w:2) and retry twice (/r:2) if a file is in use and cannot be copied. The defaults are to wait 30 seconds and retry 1,000,000 times, which is not always useful.
  • robocopy "source folder" "destination folder" /S /log:logfile.txt will copy from the source to the destination including subdirectories (/S), but not empty subdirectories (use /E if you want empty subdirectories as well), and will log everything it does to logfile.txt.
  • robocopy "source folder" "destination folder" /S /XF *.txt *.tmp will copy but will exclude files (/XF) that end with “txt” or “tmp”.

Other useful switches are /XD (eXclude Directory), /MOVE (MOVE files and folders, i.e. delete from the source after copying) and /PURGE (delete destination files that no longer exist in the source; used together with /E it has the same effect as /MIR).

A full list of Robocopy options can be found by opening a command prompt and typing “robocopy /?”
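Here is the two-pass backup.bat described above written out in full, as an added example rather than the original post’s script; the source folders C:\email and C:\documents, the F:\backup destination and the excluded “cache” folder are assumptions and should be changed to suit.

```batch
@echo off
rem backup.bat - added example, not the original post's script.
rem Assumed locations: change the three SET lines below to suit.
setlocal
set "SRC_EMAIL=C:\email"
set "SRC_DOCS=C:\documents"
set "DEST=F:\backup"
set "LOG=%DEST%\backup.log"

rem Stop early if the portable drive is not plugged in; otherwise
rem robocopy would fail on every file and fill the log with errors.
if not exist "%DEST:~0,3%" (
    echo Backup drive %DEST:~0,2% not found - plug it in and run again.
    exit /b 1
)
if not exist "%DEST%\mirror" mkdir "%DEST%\mirror"
if not exist "%DEST%\archive" mkdir "%DEST%\archive"

rem Pass 1: exact mirror. /MIR deletes files in the destination that no
rem longer exist in the source, so the mirror never outgrows the source,
rem but an accidental deletion in the source is also copied here.
rem /R:2 /W:2 replace the defaults of 1,000,000 retries and a 30 s wait.
robocopy "%SRC_EMAIL%" "%DEST%\mirror\email" /MIR /R:2 /W:2 /NP /LOG+:"%LOG%"
call :check %ERRORLEVEL% "mirror email"
robocopy "%SRC_DOCS%" "%DEST%\mirror\documents" /MIR /R:2 /W:2 /NP /LOG+:"%LOG%"
call :check %ERRORLEVEL% "mirror documents"

rem Pass 2: additive copy. /E copies new and changed files (including
rem empty subfolders) but never deletes, so a file deleted from the
rem source by mistake can still be recovered from here. /XF skips temp
rem files; /XD skips an assumed "cache" folder that is not worth keeping.
robocopy "%SRC_EMAIL%" "%DEST%\archive\email" /E /R:2 /W:2 /NP /XF *.tmp /LOG+:"%LOG%"
call :check %ERRORLEVEL% "archive email"
robocopy "%SRC_DOCS%" "%DEST%\archive\documents" /E /R:2 /W:2 /NP /XF *.tmp /XD "%SRC_DOCS%\cache" /LOG+:"%LOG%"
call :check %ERRORLEVEL% "archive documents"

echo Backup finished - see "%LOG%" for details.
endlocal
exit /b 0

rem Robocopy's exit code is a bit mask: 1 = files copied, 2 = extra files
rem in the destination, 4 = mismatches. Anything 8 or above means some
rem files could not be copied or a fatal error occurred, so flag it.
:check
if %1 GEQ 8 echo WARNING: %~2 finished with robocopy exit code %1 - check the log.
goto :eof
```

Because /LOG+: appends, the log keeps a history of every run; glance at it for WARNING lines rather than assuming the drive is up to date.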

The next step up from a USB/eSATA hard drive for disk-based backups is a NAS (Network Attached Storage) device. This can be a single drive like the USB-connected one, or a RAID array shared over the network (file shares, FTP, iSCSI etc.) depending on your needs and budget. Openfiler can convert pretty much any hardware into a NAS device that Robocopy or another backup system can access for backup storage.

* CD/DVD backups

If you need or want archives of your data for long term storage, DVD backups are cheap and relatively reliable (CDs as well, but since DVD burners and blank DVDs are so cheap, there is little point persevering with CDs). A standard blank DVD holds 4.3GB of data, which should cover most of your important stuff (documents and emails) for some time. They take up very little space and can be read almost anywhere. They do, however, require more work to create; the process cannot be automated as easily. DVD burning software like InfraRecorder is required (most DVD burners and PCs will come with some form of burning software which will usually suffice). You will need to know where your data is stored and how much space it takes up.

* Tape Backups

If you have a lot of data and need archiving, the most cost effective solution is a tape backup unit. They are relatively expensive to buy, but in dollars per megabyte they are very cheap. The tapes are also very portable, which makes it easy for you to transport your data if required (having the most recent tape in your bag each night is better than leaving your tapes onsite if there is a fire!). Tape drives run from a few hundred dollars for slow DAT format tape drives which will do 20GB or so, up to a few thousand for a high speed LTO 4 format tape drive that can hold over 1000GB of data on a single tape (the tapes are more expensive too). They also go much, much higher than this if you decide to opt for a tape library, where the backups can span multiple tapes and tape changes are done automatically, but I am not going to go into enterprise class tape libraries here. My rule of thumb is to calculate the storage space you need now, at least triple it and buy a tape system accordingly. While spanning tapes is possible, I strongly recommend ensuring that your backups don’t run longer than a single tape over the lifespan of the tape unit and tapes (you should be able to assume that a DAT drive will last at least 3 years and LTO 4-5 years; the tapes will last longer than this).

* Offsite Backups

There are a number of backup services which, for a fee, provide a quantity of space on the internet where you can upload your files to keep a copy offsite and access them as you need them. While they are generally considered reasonably secure, if you are uploading sensitive information, your data should be secured before uploading. Zip archives can be secured with powerful encryption; 7-Zip has this functionality built in. Simply select the encryption option and put in a secure password, and the file will be both compressed (for easier upload) and securely password protected.
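As an added example (not the post’s own procedure, which uses the 7-Zip GUI), the same encryption done from the 7-Zip command line in a batch file so it can run straight after the backup script; it assumes 7-Zip is installed in its default location and that the mirror folder on the portable drive is what gets uploaded.

```batch
@echo off
rem encrypt-for-offsite.bat - added example, not from the original post.
rem Assumptions: 7-Zip in its default folder, backup mirror on F:\backup\mirror,
rem and F:\offsite as the staging folder for the file you will upload.
setlocal
set "SEVENZIP=C:\Program Files\7-Zip\7z.exe"
set "SOURCE=F:\backup\mirror"
set "ARCHIVE=F:\offsite\backup.7z"

if not exist "%SEVENZIP%" (
    echo 7-Zip not found at "%SEVENZIP%".
    exit /b 1
)
if not exist "F:\offsite" mkdir "F:\offsite"

rem a        : add to archive
rem -t7z     : 7z format, whose password protection uses AES-256
rem -mhe=on  : also encrypt the archive headers, so file and folder names
rem            cannot be listed without the password (a password-protected
rem            zip encrypts the contents only; the names stay visible)
rem -p       : with no value after it, 7-Zip prompts for the password, so
rem            the password is never stored in this script
"%SEVENZIP%" a -t7z -mhe=on -p "%ARCHIVE%" "%SOURCE%"
if errorlevel 1 (
    echo Archive creation failed or finished with warnings - not uploading.
    exit /b 1
)

rem Test the archive before it leaves the building: 't' reads and checks
rem every entry (you will be asked for the password again).
"%SEVENZIP%" t "%ARCHIVE%"
if errorlevel 1 (
    echo Archive verification failed - do not upload it.
    exit /b 1
)
echo "%ARCHIVE%" is ready to upload.
endlocal
```

The choice of 7z format with -mhe=on is the part that matters for sensitive data: with plain zip encryption an attacker who obtains the file still sees every file and folder name.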