Dropbox’s admissions should serve as wakeup calls for users of all online services. We’ve seen cases before where Google and others have rapidly complied with government requests for access to users’ online data. In short, if you put your data on someone else’s servers, unless you have used your own encryption prior to doing so, you should assume that your data could be accessed by someone else.

I use Dropbox myself. I don’t put anything there that is super-secret unless it’s encrypted first, however. How can you do this? A variety of programs exist to enable this. If you only want to use an online storage solution for backups, you can use Truecrypt to easily encrypt files or a volume before it gets backed up. This means I need to have Truecrypt on a Linux, Mac, or Windows PC to be able to decrypt the data should I need to restore it, and I can’t, for instance, use my iPhone to do so. This has never proven to be a problem, however, as I don’t generally attempt to, for instance, restore Quickbooks backups on my iPhone.

As always, there is a tradeoff between security and convenience. What you need to decide is how inconvenient it would be, not if you had to decrypt your data before restoring it, but if someone else got their hands on your data.

Why is important for me to know about malware? In the past, a user had to take some specific action, like opening an email attachment, for
their computer to become infected with malware. Lately, simply visiting a website can cause your computer to become infected. This type of
“drive-by download” is accomplished using features built into web browsers that allow them to run scripts. Scripts are really small computer programs that normally do useful things, like display a video, allow you to choose from a menu and maintain a shopping cart, among others. Unfortunately, scripts can also be used to install malware on your computer without your knowledge or consent.

What can I do to keep my browser safe? We have assembled a variety of measures and tools that you, the computer user, can use to make your web browsing experience safer by limiting the impact of scripts and helping you to avoid potentially harmful websites.

How much will it cost? All of the suggestions can be implemented at no cost.

What’s the downside? We will look at how each recommendation can negatively impact your browsing experience.

General Browser Security Tips
Keep your browser up-to-date. The Bad Guys are constantly identifying new vulnerabilities and weaknesses in browsers and browser makers are constantly releasing updates to fix them. Running the latest version of your browser ensures that you have the benefit of the latest security
technology. If you have concerns or questions about upgrading or run into a compatibility problem, contact IT at the office or your computer
support provider.

Be careful about browser plug-ins. Plug-ins are browser extras–small, downloadable programs that add functionality to your browser. When you browse to a website, you may receive a message onscreen that in order to work with the site, you have to download and install a browser plug-in. “Just click here.” But think before you click. Remember that any software you install will need to be updated, and may contain security vulnerabilities. Do you know that this website and the plug-in are trustworthy? If you don’t know or aren’t sure, don’t click. Do you really need that plug-in? The fewer plug-ins you have installed, the safer your browser will be.

Check that your browser and plug-ins are up-to-date. Qualys has published a website that will do a quick check on your browser to help you identify common security issues. Visit https://browsercheck.qualys.com/ and install the plug-in (Yes, this one’s safe!). Then click the “Scan Now” button. Note that Javascript is also required. An onscreen report tells you whether or not your browser and commonly installed plug-ins are up-to-date and provides you with a convenient way to update any found to be out-of-date.

Consider using Web of Trust (WOT). The Web of Trust is a cooperative venture that warns users of potentially dangerous websites. When you do a Google search, a circular indicator will appear next to each search result that has been rated by the service. Red indicates a site that is probably dangerous, yellow a potentially dangerous site, and green a site that is probably safe to use. Once you’ve logged in to a website, the same indicator appears in the title bar of the browser. Keep in mind that WOT ratings are based on votes cast by members of the Internet community, and while not necessarily authoritative, can provide useful information about websites to avoid. More information:

http://www.mywot.com/

Tips for Internet Explorer

Microsoft’s Internet Explorer (IE) is one of the most commonly used browsers. Protect your computer by running the latest version whenever possible. Right now that’s IE8. If upgrading to IE8 is not possible, here are some tips for improving the security of IE7.
1. Prevent Data Execution (DEP): Bad Guys exploit vulnerabilities in IE to infiltrate your computer with malware masquerading as data. Microsoft has published a “Fix It” site to turn on Data Execution Prevention (DEP) for IE7 at

http://support.microsoft.com/kb/2458511#FixItForMeAlways

Click the button marked “Enable the application compatibility database.”
Note: The DEP fix is not needed for IE8 and later versions.
Ease of implementation: Moderate
Impact on browsing: Minimal

2. Turn on the Phishing Filter: Microsoft includes a Phishing Filter in IE that detects when a website is not exactly what it appears to be. If the site you are visiting is on the list of reported phishing websites, IE will display a warning web page and a notification on the address bar. From the warning web page, you can continue or close the page. If the website contains characteristics common to a phishing site but isn’t on the list, IE will notify you in the address bar that it might be a phishing website.
You can turn on the Phishing Filter from the Tools menu in IE.
More Information:

https://www.microsoft.com/mscorp/safety/technologies/antiphishing/at_glance.mspx

Ease of implementation: Moderate
Impact on browsing: Minimal

3. Increase IE Security Settings: The Internet Options menu in IE contains a Security tab that gives you a great deal of control over the behavior of IE when you visit a website. The default setting of “Medium-high” for the Internet Zone will prompt you before downloading any content that IE assesses as unsafe. By changing this setting to “High,” you can effectively block all scripts from running on any web page you visit. While this is the safest possible setting, it can severely impact the performance of a website. To allow scripts to run on sites you trust, you can add them to the Trusted Sites Zone, one site at a time or whole domains at once using a wildcard (*). For example, entering http://*.sans.org would allow you to browse the entire SANS
website without any prompts.
More Information: http://support.microsoft.com/kb/174360
Ease of implementation: Difficult
Impact on browsing: Severe

Tips for Firefox
The comments and suggestions below relate specifically to Firefox 3.6, the current version. The security suggestions below take the form of “Add-ons” that are downloaded and added to Firefox using the Tools menu.

1. NoScript: This add-on blocks scripts from running in Firefox. When you visit a website that wants to run scripts, NoScript will display a warning at the bottom of the screen, and give you the opportunity to allow scripts to run on a temporary or permanent basis. Not allowing the scripts to run can severely impact the performance of many web pages. After you have used NoScript for a while, it will learn about the web pages you visit frequently and will not be as “pesky.”
More information: http://noscript.net/
Ease of implementation: Moderate
Impact on browsing: Moderate to severe

2. HTTPS Everywhere: You are probably familiar with HTTPS from using encrypted secure sites like those for online banking. Many websites offer some limited support for encryption over HTTPS, but make it difficult to use. HTTPS Everywhere attempts to make a secure connection to many of the most popular sites on the Internet even if you don’t specifically ask for it. If it fails to make a secure connection, it defaults to an unencrypted HTTP connection and your browser continues to function as if nothing had happened.
More information: https://www.eff.org/https-everywhere
Ease of implementation: Moderate
Impact on browsing: Minimal

3. Adblock Plus: Adblock Plus is an extension for Firefox, Thunderbird, and several other applications with the primary goal of removing advertisements. It works by comparing ads that are about to be displayed with a set of filters that describe undesirable advertising. When you install Adblock Plus, it sets up a subscription to a basic set of filters that will meet the needs of most users. Many additional sets of filters are available for your use.
More information: http://adblockplus.org/en/
Ease of implementation: Moderate
Impact on browsing: Moderate

*****************************************************************
Patches and Updates Roundup

Operating Systems & Applications

Windows & PC Office: http://update.microsoft.com &

http://www.microsoft.com/security/updates/bulletins/201011.aspx

Mac Office:

http://www.microsoft.com/mac/help.mspx?CTT=PageView&clr=99-0-0&ep=7&target=ffe35357-8f25-4df8-a0a3-c258526c64ea1033

OS X: http://support.apple.com/kb/HT1338

iPad: http://www.ehow.com/how_6256127_update-restore-apple-ipad.html

iPhone, iPod & iPod touch: http://support.apple.com/kb/HT1414

iPod: http://support.apple.com/kb/HT1483

Windows Adobe Reader:

http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

OS X Adobe Reader:

http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh

Flash Player: http://get.adobe.com/flashplayer/

Firefox: http://www.mozilla.com/en-US/firefox/update/

Safari: http://www.ehow.com/how_2033324_update-safari.html

Opera: http://www.opera.com/

Chrome: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414

Java: http://www.java.com/en/download/manual.jsp

Windows iTunes: http://www.ehow.com/how_2016273_update-itunes-pc.html
OSX iTunes: http://www.ehow.com/how_2016270_update-itunesmac.html

Security Suites

Symantec:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713

Norton:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

McAfee: http://www.mcafee.com/apps/downloads/security_updates/dat.asp

Kaspersky: http://www.kaspersky.com/avupdates

AVG: http://free.avg.com/us-en/download-update

Panda: http://www.pandasecurity.com/homeusers/downloads/clients/

PC Tools:

http://www.downloadatoz.com/pc-tools-internet-security/smart-update.html

BitDefender:

http://www.bitdefender.com/site/view/Desktop-Products-Updates.html

Avast: http://www.avast.com/download-update

Webroot: http://support.webroot.com

Trend Micro:

http://esupport.trendmicro.com/Pages/How-to-update-Trend-Micro-Internet-Security-Pro-2010.aspx

Microsoft Security Essentials:

http://www.microsoft.com/security/portal/Definitions/HowToMSE.aspx

***********************************************************************
Copyright 2010, SANS Institute (http://www.sans.org)
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzer,
Alicia Beard, Alan Paller
Reprinted, with permission, from the November 2010 SANS Institute Security Newsletter for Computer Users.

Tech support staff will often instruct users to take a specific action, such as “log off your system” or “power on the system.” Confusion between these terms can cause problems and waste the time of the support staff and the end user, so these are good, simple terms to understand.

To shut down a system means that, when the process of shutting down is complete, the machine is powered down, and it will not come back up again without a someone taking further action, e.g., powering it back on again. If you expect your system will be needed for maintenance or remote access by someone else, shutting it down effectively prevents this.

To restart a system means that the computer goes through a complete shutdown process, then starts back up again. This is frequently required after software installations or during troubleshooting.

To log off a system means that the user who is currently logged on has their session end, but leaves the computer running for someone else to use. This is faster than a full restart and, generally, a better choice during the course of the business day when a system is shared between multiple users.

Similarly, to power on a system means that you simply press the power button and let the system come up to a login prompt. If you enter your username and password, you have gone a step further and have logged on.

If support staff instructs you to take a specific action, it is in everyone’s best interest that you do exactly what was suggested, and not something else. For instance, if you are instructed to “power on” your system, just power it on, but do not enter your username and password. Similarly, if you are requested to log off, just log off, but do not shut it down.

If you are still running these at your business or at home, an upgrade is called for as soon as possible.

I applaud this move toward security and productivity. I don’t think it will be a easy task for Google, but I believe it will be worth the effort in the long run.

Does your company need to consider switching away from Windows?

First off, what if I had a very simple security fix, requiring no new software to be purchased or installed, and with minimal configuration changes, that could block 64% of all Microsoft vulnerabilities reported in 2009? Would you be interested? What if I told you we had a fix that could also prevent 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009? How about blocking 100% of Microsoft Office vulnerabilities reported in 2009? Still not enough? How about blocking 90% of critical Windows 7 vulnerabilities reported to date?

As you should have guessed by now, the fix for all of these is the same: removing administrative rights from end users over their PCs.

While there are still some (poorly written) desktop applications which require administrative rights to run, I have found these to be relatively few in number these days, and once the initial configuration has been done, most programs run just fine as an ordinary user. Despite the additional configuration required by some programs, including hardware drivers, that needs to be done by an admin, the cost of setting these up the right way is generally far less than recovering from the damage caused by a serious malware outbreak.

The press release and the complete report are available from BeyondTrust’s website.

If you have not yet looked at one of these other browsers, I strongly recommend you do. If you are wedded to Internet Explorer, then you should at least be on version 7, if not 8. Also, several of our clients have been told that they must use Internet Explorer for an application that they use which requires it. What’s shocking is that several of my clients have vendors who insist that they continue to use IE 6! This, despite the fact that it’s easily the least secure mainstream browser still available today. If you are unlucky enough to be in this group, I strongly recommend you put pressure on your vendors who are requiring IE 6, and tell them to support current versions, or better yet, make their application less browser-specific so that it works with other platforms like Firefox, Chrome, Opera, and Safari.

All of your email in one inbox

As for new features, the first thing I noticed was the option to display all of your accounts’ inboxes in one location, just as recent versions of Apple’s Mail have. For instance, if you have a work email address and a home email address, and you check them both with the same email client, you can now view all new messages in a single inbox. I’m sure that fans of GTD will applaud this move. As for me, I wasn’t totally sold on this feature, but after experimenting with it for a day or so, I started to like it. If the goal is to be notified of new email from various sources, this definitely meets it. However, if you like keeping things separated (for example, not getting distracted with personal emails while at work, or bothered with work while at home), this isn’t necessarily for you.

Tabbed emails

While setting up Thunderbird, you are presented with the option to synchronize IMAP accounts onto your local hard drive. This is a great feature if you travel and don’t have an Internet connection, but still want to be able to read your email while offline. I did note that it took a very long time to synchronize my Gmail account, which has gigabytes of saved email on it, but that’s to be expected. I was able to use Thunderbird while the sync was going on, so it did not bother me.

The first thing I noticed was that the user interface has been simplified, with some of the button clutter removed. Also, by default messages open in new tabs, as opposed to new windows. While I am very used to this method of presenting information in web browsers (as Firefox has had this feature for years), I haven’t quite gotten used to it in email. However, I’m starting to like it more as I use it.

Thunderbird 3's new search

Thunderbird’s new search engine is immediately noticeable the first time you search your inbox for something. The results are presented in a new fashion, but more importantly, Thunderbird indexes all of your messages for faster search results, and you don’t have to search folder by folder for messages, as it will go through all of them for you. While I use Gmail for most of my email, I still like using Thunderbird as the client. However I frequently have found myself going back to the Gmail web interface when I need to search for a lost message. Hopefully this will no longer be necessary with Thunderbird’s new search capabilities.

Also, taking another page from the Gmail book, Thunderbird now lets you archive your email by pressing ‘A’ while reading any message. While I generally file all of my emails away (in folders in Thunderbird or with a label, then archiving in Gmail) sometimes I don’t have a particular folder or label to apply to an email. I know I don’t want to delete it, but I also don’t want to stick it in a file. I just want it gone… until I want it back again. That’s what archiving is for. This is another feature I’ve found myself logging in to the Gmail interface for. Unfortunately, Thunderbird’s archive feature is different from Gmail’s, so when I archive an email in Thunderbird, I still need to sign in to Gmail’s web interface to archive it there. However, if I never used the Gmail interface, this would not be an issue.

It is worth noting that I did have some stability problems with the beta and release candidates in late November, however they all seem to have been sorted out and the release version is rock-solid on Mac OS X and Linux. I have not yet tested the Windows versions, but I have high hopes. This is a noteworthy improvement to Thunderbird which I am grateful to have. In short, if you do not require connectivity to a Microsoft Exchange server (for calendar, contacts, and other non-email data) I recommend you try Thunderbird 3.

Oh, did I mention that it’s free?

Nearly every one of our clients has a place for Linux within their organization. Traditionally, this has been as some form of server (web, file, database, network monitoring, firewall, DNS, etc.). However, with Likewise, the hassle of making a Linux box talk to Windows has been greatly simplified.

While I will not engage in the debate of whether OpenOffice.org is a good replacement for Microsoft Office in a corporate setting, or whether you are better off with or without Microsoft Outlook as your primary email client in this blog post, I will say that just about every organization we work with has staff who only do a couple of very simple tasks with their computer, such as surf the web, send and receive email, occasionally make a word processed document or spreadsheet, and view PDF files. All of these features work perfectly well under Linux, so why not deploy it in your organization?

For one thing, there hasn’t always been an easy way to manage a Linux server’s user accounts from Windows. What this means is if you have a username and a password that you use for Windows, you’d need a separate one for Linux. Multiple usernames and passwords frequently confuse novice users, so this has been a potential hurdle.

Likewise clears this hurdle with ease. Now, you can sit down at a Linux computer, and your Windows username and password, and log in. With a little scripting magic from a Linux expert, it is possible to have your Desktop and Documents folders automatically available to you as well.

The best part is that most Linux distributions still run perfectly well on older hardware. While newer systems struggle to meet the requirements to run Vista or Windows 7, most older systems still in production will run Ubuntu just fine.

Linux has many other benefits. It is virtually immune to the bulk of spyware and viruses currently circulating the Internet today. Is it completely safe? No. However, since 99% of all malware is targeted at Windows, Linux is simply a much smaller target.

Finally, Linux is free. That’s right. Most Linux distributions (Ubuntu included) offer a completely free of charge, fully functional version.You can download a copy and try it, with no changes to your system, in under an hour on a high-speed Internet connection.

There’s no reason not to try Linux in your small business. Give it a shot! It may save you money and time.