If you are still running these at your business or at home, an upgrade is called for as soon as possible.

I applaud this move toward security and productivity. I don’t think it will be a easy task for Google, but I believe it will be worth the effort in the long run.

Does your company need to consider switching away from Windows?

First off, what if I had a very simple security fix, requiring no new software to be purchased or installed, and with minimal configuration changes, that could block 64% of all Microsoft vulnerabilities reported in 2009? Would you be interested? What if I told you we had a fix that could also prevent 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009? How about blocking 100% of Microsoft Office vulnerabilities reported in 2009? Still not enough? How about blocking 90% of critical Windows 7 vulnerabilities reported to date?

As you should have guessed by now, the fix for all of these is the same: removing administrative rights from end users over their PCs.

While there are still some (poorly written) desktop applications which require administrative rights to run, I have found these to be relatively few in number these days, and once the initial configuration has been done, most programs run just fine as an ordinary user. Despite the additional configuration required by some programs, including hardware drivers, that needs to be done by an admin, the cost of setting these up the right way is generally far less than recovering from the damage caused by a serious malware outbreak.

The press release and the complete report are available from BeyondTrust’s website.

1. Warranty.  These computers generally come with a 1 year, limited manufacturer Warranty.  This means that if any part of the computer breaks after that, you can either “fix it yourself” (time and money) or replace the computer.  Unfortunately, the argument that “you can just go down and buy another computer” (money) is not really a good one, since you likely won’t be able to find an exact replacement, and will therefore have to set up the computer again from scratch (time).  When you spend a little money up front to purchase a computer we recommend, we make sure you get a 3 year business-class warranty, which includes free, on-site repair provided by the manufacturer (not Paradigm).
2. Compatibility.  These systems generally come with Windows XP Home, Vista Home Premium, or Windows 7 Home Ultimate.  These operating systems are not compatible with a Windows business network, not to mention other limitations that don’t belong in a business environment. An upgrade to XP Professional or Windows 7 Professional is an unaccounted for cost when you purchase one of these computers.
3. Standardization.  By purchasing a computer that we recommend, you will likely be able to take advantage of our familiarity with that particular product.  Often we will recommend a single line of computers to multiple customers, and in some cases it may even be one that we have deployed and tested in-house.  All computer models have “quirks” associated with them that make them unique, and knowing our way around them means more efficient deployment, maintenance, and troubleshooting- saving you money.
4. No Upsell. Most bog box store sales clerks are paid on commission. We’re not, and our margins are small. Paradigm has always been primarily a service entity, and the only things we sell to our clients are what they need.

”Do not leave a voicemail if you do not reach your sales target. Connections are only made with real people. Your message will be deleted anyway.”

I don’t follow. I leave voicemails. I don’t expect that my voicemail will close the sale, but to not leave a message when someone has put up a facility just for that seems silly to me. I’d also supplement a call with an email, or vice versa, because some people are more responsive to some media than they are to others.

So, I agree on 9 out of 10 points. Keep up the good work, @smallbizlady.

In order to continue to improve our products and deliver more sophisticated features and performance… we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers.

It’s about time, and not just for those reasons.

Internet Explorer is arguably the most insecure web browser in current use today. It’s very old, in Internet terms, and really needs to be replaced. If you are still using Internet Explorer, you need to upgrade to IE 7 or IE 8, or switch to another browser like Mozilla Firefox (currently at version 3.6), Google Chrome, Opera, or Safari.

If you are one of those unfortunate folks who are required to use Internet Explorer 6 for a legacy web application, contact your vendor immediately and tell them that they need to change their application to support newer browsers. There is no excuse for continuing to use Internet Explorer when Microsoft itself has recommended that people discontinue its use.

The advice is to have a PC dedicated to online banking. If you weigh the convenience and cost savings of having access to online banking, versus time spent on the phone or traveling to and from a bank to conduct your business, the expense of a PC dedicated to this task, to continue to enable online banking, will likely be recouped within a matter of weeks, if not days.

The three arguments I’ve heard against this are:

• We don’t have enough money in the bank for anyone to want to hack it. (Or, “no one is interested in us because we’re too small.“)
  Then it sounds like you have everything to lose! Isn’t it more important to protect what assets you have, regardless of size?
• We’re protected by our bank’s security.
  No, you’re not. Bank websites get hacked frequently. Don’t believe me? Just do a Google search on the subject. Furthermore, the banks are not required to refund your money! You do not have the same protections as you do with credit cards on bank accounts. Finally, it’s not usually the bank that gets hacked – it’s your computer.
• We can’t afford the expense.
  The cost of a lightweight PC dedicated to this task is most likely lower than most of my clients’ electric bill, heating bill, or liability insurance for one month. You can afford the cost. But can you afford getting hacked and having your assets drained?

This is the same advice we gave on this blog last year. It’s sound. It’s simple. It’s cheap. Get a new netbook for a couple hundred dollars and use that for online banking. Is this not worth the risk of your business losing tens of thousands of dollars from its bank account? Please, if you do online banking at home or at work, at the very least, practice it from a non-Windows computer not running Internet Explorer. Better yet, prove me wrong and get a cheap PC and dedicate it to your online banking needs. Never go to any website other than your bank’s with it. Another alternative would be to boot from a live CD of your favorite Linux distribution, such as my favorite, Ubuntu.

References:

• http://lastwatchdog.com/american-bankers-associations-small-business-warning/
• http://itknowledgeexchange.techtarget.com/security-corner/aba-recommends-using-dedicated-pc-for-online-banking/
• http://news.softpedia.com/news/Small-Businesses-Should-Conduct-Online-Banking-from-Dedicated-Computers-131086.shtml
• http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=1#sID200
• http://content.usatoday.com/communities/technologylive/post/2010/01/online-banki
  ng-precaution-for-small-and-mid-sized-businesses-draws-attention-/1
• http://www.upi.com/Top_News/US/2010/01/01/Businesses-warned-about-online-banking
  /UPI-81761262329630/

Let’s assume, for argument’s sake, that Google does abide by its own code of conduct and isn’t evil. They’re still amassing a staggering amount of data about nearly every Internet user. Now, with more and more companies “Going Google,” Google has access to data that it wouldn’t in the past. Now, they aren’t just indexing your website, blogs, or even chats and emails. Now they’re indexing your corporate documents – you know, the sensitive things you’re “not supposed to send via email?”

While I am quite confident in Google’s security capabilities, no one is perfect. And like my aikido instructor used to say, there’s always someone stronger, or quicker than you. Last week, Google met its security match when their servers were hacked.

While I won’t delve into the economic and political issues which revolve around this hack (see footnotes for plenty of reference links), there are plenty of lessons we can take away from this:

• By most accounts, Google’s servers were hacked by good, old-fashioned social engineering:
  

  “Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees…”

  This means that the attackers were not hammering through firewalls or reprogramming routers – they had people click links on what they thought were legitimate emails and exploited security flaws in common desktop software to gain access.

• Users accounts which were hacked were most likely running with administrative privileges over their desktop systems.
• If Google can be hacked, anyone can. By extension, if your data is with Google, you can be hacked as well.
• Trusting Google does not just mean “trusting that Google won’t do anything evil with my data.” It also means “trusting Google will never make a mistake which accidentally opens my data up to anyone else.”
• Substitute the word “Google” with any popular online service or enterprise firm that has a lot of (your) data (e.g. Facebook, Salesforce, Amazon). This is not a problem just with Google.

References:

• Researchers identify command servers behind Google attack
• Adobe Reader vuln hit with unusually advanced attack • The Register
• IE zero-day used in Chinese cyber assault on 34 firms • The Register
• Google may exit China after ‘highly targeted’ attack • The Register
• Google May Pull Out of China After Cyber Attack
• NY Times Article on Google/China Hack
• Official Google Blog: A new approach to China
• China Defends Internet Censorship
• Ballmer doesn’t get why Google is upset about attacks | Googling Google | ZDNet.com
• US will complain to China about Google hacking • The Register
• SANS Internet Storm Center Diary



While the content is good, it is rather elementary, so if you are already familiar with Facebook, you’ll probably be better served by something else. I bought the book to see what sort of insight it would give for business applications, but I found the chapter on this topic to be short and not very enlightening. Also, I found the topics of privacy and security to be a bit lacking. The best advice they have is to not post anything that you wouldn’t want your grandma to see, because it may come back to haunt you. However, they also recommend you install lots of applications, without stressing that installing Facebook apps (of dubious nature) is a quick and easy way to get your account hacked.

While it was published nearly two years ago, the majority of the book is still up to date and current. However, some things have changed recently, especially with respect to default privacy settings, covered in the privacy chapter.

Also, the book is a little expensive, given its size. However, if you are just getting into social networking and Facebook, it does provide a good overall view of the service to newcomers.

If you have not yet looked at one of these other browsers, I strongly recommend you do. If you are wedded to Internet Explorer, then you should at least be on version 7, if not 8. Also, several of our clients have been told that they must use Internet Explorer for an application that they use which requires it. What’s shocking is that several of my clients have vendors who insist that they continue to use IE 6! This, despite the fact that it’s easily the least secure mainstream browser still available today. If you are unlucky enough to be in this group, I strongly recommend you put pressure on your vendors who are requiring IE 6, and tell them to support current versions, or better yet, make their application less browser-specific so that it works with other platforms like Firefox, Chrome, Opera, and Safari.