First off, what if I had a very simple security fix, requiring no new software to be purchased or installed, and with minimal configuration changes, that could block 64% of all Microsoft vulnerabilities reported in 2009? Would you be interested? What if I told you we had a fix that could also prevent 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009? How about blocking 100% of Microsoft Office vulnerabilities reported in 2009? Still not enough? How about blocking 90% of critical Windows 7 vulnerabilities reported to date?

As you should have guessed by now, the fix for all of these is the same: removing administrative rights from end users over their PCs.

While there are still some (poorly written) desktop applications which require administrative rights to run, I have found these to be relatively few in number these days, and once the initial configuration has been done, most programs run just fine as an ordinary user. Despite the additional configuration required by some programs, including hardware drivers, that needs to be done by an admin, the cost of setting these up the right way is generally far less than recovering from the damage caused by a serious malware outbreak.

The press release and the complete report are available from BeyondTrust’s website.

In order to continue to improve our products and deliver more sophisticated features and performance… we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers.

It’s about time, and not just for those reasons.

Internet Explorer is arguably the most insecure web browser in current use today. It’s very old, in Internet terms, and really needs to be replaced. If you are still using Internet Explorer, you need to upgrade to IE 7 or IE 8, or switch to another browser like Mozilla Firefox (currently at version 3.6), Google Chrome, Opera, or Safari.

If you are one of those unfortunate folks who are required to use Internet Explorer 6 for a legacy web application, contact your vendor immediately and tell them that they need to change their application to support newer browsers. There is no excuse for continuing to use Internet Explorer when Microsoft itself has recommended that people discontinue its use.

“Between March 19 and March 28 the spyware sent more than 1,000 screen captures … via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well…”

This incident goes a long way to show that the biggest threat can often come from inside. Yes, while the boyfriend was the root cause, had the hospital employee not been allowed to access her personal email from work, her system would not have been infected in the first place.

In a separate news article, Panda Security reports that a hacker site is offering to crack Facebook accounts for the low low price of $100. Setting aside the question of whether the site is a “legitimate” hacking site (who’s to say they won’t just take your $100 and walk away?), I found it interesting that a Facebook account is now worth 3 times the street price of a social security or bank account number, which my sources say are going for $20-35 a piece.

We first chose the Astaro Security Gateway for a client who needed a reliable web content filter, and an email spam filter. They had previously used various patchwork solutions which were not meeting their needs. The Astaro product did everything they required, replacing their aging firewall, providing secure remote access, a web content filter to keep users from accessing websites they shouldn’t, and blocking junk email. When I asked the director how he liked it, as compared to their previous solution, he said he was “Very, very, very satisfied.” That’s the kind of feedback we like.

Usually when we put a UTM in place, clients have one security device in place, but not others. The nice thing is that the Astaro combines multiple services into a single unit. While this does place all of the proverbial eggs in one basket and can lead to a single point of failure for network traffic and security, for small businesses on a tight budget, it does provide an affordable way to get services you might not normally have in place.

The first line of defense offered by the Astaro is its firewall. The ASG can act as your network’s router and firewall, whether your Internet connection is a T1 line, DSL modem, or Cable modem. The device provided by your ISP plugs directly into the ASG, which then connects to the rest of your network.

By default, the Astaro Security Gateway is a “default deny” firewall. This is to say that initially, unless you tell it otherwise, it allows no traffic in or out of your network, which is the most secure, best practice configuration for a firewall. This prevents not only unwanted intrusions from outside sources, but also unwanted extrusions from your system. Whether it’s people running instant messaging or voice chat clients, the hobbyist who’s running his own web server on your company network, or the latest malware which has turned your desktop into a spam sending zombie, the ASG won’t allow it out unless you say so.

If you have remote workers who require access to your system from the road, home, or remote branch office, the Astaro supports just about every type of virtual private network (VPN) out there. Popular choices such as PPTP, L2TP, IPSec, and SSL are all available, and the clients work with Windows, Macintosh, and Linux stations.

The ASG also includes a powerful, flexible web content filter, which can be used to protect your network from malicious websites, as well as to keep users from websites that they should not be using the company network for.

Astaro also includes email security features, including two anti-virus scanners and a powerful anti-spam and anti-phishing filter to keep your inbox free of the needless clutter that comes from these annoyances and threats. Email encryption can also be configured so that if servers you communicate support this feature, your messages can’t be read by anyone in between if intercepted.

Finally, Astaro offers a free trial of their Astaro Security Gateway product, so you can evaluate it without commitment. They even pay the shipping.

Note: Paradigm Consulting Co. is an Astaro reseller. Please contact us if you are interested and we can arrange a demo for you and your network.

Nearly every one of our clients has a place for Linux within their organization. Traditionally, this has been as some form of server (web, file, database, network monitoring, firewall, DNS, etc.). However, with Likewise, the hassle of making a Linux box talk to Windows has been greatly simplified.

While I will not engage in the debate of whether OpenOffice.org is a good replacement for Microsoft Office in a corporate setting, or whether you are better off with or without Microsoft Outlook as your primary email client in this blog post, I will say that just about every organization we work with has staff who only do a couple of very simple tasks with their computer, such as surf the web, send and receive email, occasionally make a word processed document or spreadsheet, and view PDF files. All of these features work perfectly well under Linux, so why not deploy it in your organization?

For one thing, there hasn’t always been an easy way to manage a Linux server’s user accounts from Windows. What this means is if you have a username and a password that you use for Windows, you’d need a separate one for Linux. Multiple usernames and passwords frequently confuse novice users, so this has been a potential hurdle.

Likewise clears this hurdle with ease. Now, you can sit down at a Linux computer, and your Windows username and password, and log in. With a little scripting magic from a Linux expert, it is possible to have your Desktop and Documents folders automatically available to you as well.

The best part is that most Linux distributions still run perfectly well on older hardware. While newer systems struggle to meet the requirements to run Vista or Windows 7, most older systems still in production will run Ubuntu just fine.

Linux has many other benefits. It is virtually immune to the bulk of spyware and viruses currently circulating the Internet today. Is it completely safe? No. However, since 99% of all malware is targeted at Windows, Linux is simply a much smaller target.

Finally, Linux is free. That’s right. Most Linux distributions (Ubuntu included) offer a completely free of charge, fully functional version.You can download a copy and try it, with no changes to your system, in under an hour on a high-speed Internet connection.

There’s no reason not to try Linux in your small business. Give it a shot! It may save you money and time.

Enter Rubber Ducky. This utility presents your system’s performance as an aquarium with five components: water (physical and virtual memory), fish (network traffic), plants (hard drive activity), bubbles (CPU activity), and, of course, the Rubber Ducky.

Each of these components tells you something about your system. If the water level is too high, it means your computer is using up all of its memory, and the poor little ducky will drown. If the water is muddy, it similarly means that your machine is using too much virtual memory. Both of these are symptoms of not enough memory in your computer and are usually easily addressed by purchasing and installing more. After all, you can never have too much memory.

The fish represent network traffic. If you are downloading large files, streaming music, etc., you will see more fish than normal. If your computer is not doing anything, and you see a lot of fish, then something else is probably going on the background (possibly some sort of malware, doing things like using your machine to send spam and viruses), and it may be worth investigating.

The plants indicate hard drive activity. Lots of plants? Your drive may be overused or again, something you don’t know about could be using the drive. Perhaps an automated backup is running, or maybe something has gone wrong.

Finally, the bubbles indicate the CPU usage. Lots of bubbles? Your system is either underpowered or there may be a runaway program that is monopolizing the processor.

While Rubber Ducky System Monitor is not an in-depth diagnostic tool, it does provide a friendly, easy to read display that anyone can easily understand. I recommend this for users who want to understand their system’s performance without having to dive deep into the guts of Windows to do so. Plus, it makes a squeaky sound like a real rubber ducky when you click on it. How cute is that?

A common misconception among users is that we, the “IT guys,” sit in the server room, monitoring every web site visited and email sent, just waiting for an excuse to block the user. Thankfully, almost every information technology-based security mechanism is far more automated than this.

Web content filters generally work in a few different ways.

Blacklists

Content filters subscribe to blacklists of “known” “bad” categories. Here, “bad” can just mean “stuff we don’t want you looking at on our corporate system,” but it won’t actually hurt your computer. Some examples are

• Playboy.com (We don’t want to pay you to look at pornography at work)
• Miniclip.com (We don’t want to pay you to play games at work)
• Facebook.com (We don’t want to pay you to chat with your friends at work)
• Monster.com (We don’t want to pay you to job huntat work).

A blacklist can be a service which your content filter subscribes to, or something manually configured by your administrator. Sometimes websites can be miscategorized, either by your system administrator or by a list that your organization subscribes to.

When this happens, your system administrator can usually adjust accordingly to grant access to allowed websites. For example, one of the content filters we use recently had rustoleum.com classified as Real Estate. Since the company did not want employees surfing for real estate purchases on company time, this site was blocked by the content filter. A quick report to the filtering service reclassified this site and the client was able to access it properly.

Content Inspection

Content filters examine the content of the site for banned or suspicious activities. For instance, there have been several instances where our clients security gateways identified a perfectly valid web site as hostile, because it had been compromised by hackers who installed malware on the site. Rather than allowing our clients’ systems to access the site, and infect themselves with malware, they were blocked.

We had a client trying to access a GE website a few months ago, and they were blocked. Reviewing the error message informed us that the site was infected with malware, and it was trying to infect client browsers! In this case, I had to inform the client that there was nothing to be done other than inform GE that their site was infected, which we did. They eventually fixed this problem. My client was a little frustrated, but I likened this to them wanting permission to wander into a quarantine zone where a serious disease was rapidly spreading, and they had no protection against it.

Extension Blocking

Content filters can block downloading of files by extension. For instance, you may not be allowed to download executable files (EXE, COM, BAT, VBS) files because these are actually programs which can do bad things on your machine, especially if you have administrative rights over it. Sometimes, web content filters will also stop you from downloading common Microsoft Office file formats (DOC, XLS, etc.) as well. Why? Because Microsoft Office supports a powerful macro language, which essentially can turn any document into a program which, you guessed it, can do bad things to your system. Content filters can also block access to streaming media (videos and music) and other content that just isn’t required and only slows things (like employee productivity) down.

Asking for Help or Clarification

Generally, you can find out why you were blocked from a specific website by reading the error message you receive. All good content filters we use and resell have descriptive error reports, telling the user why the site they were trying to access was blocked. Unfortunately, many users don’t use them, and just say “I was blocked! Fix it!” Reading the error message is the first step in understanding what happened. Also, this helps your system administrator understand what happened to more quickly resolve the issue.

Another important thing to is think for a minute why the site might have been blocked. Could there be something wrong with the content filter? Could the site you’re trying to access actually be infected with bad software which could hurt your computer? Could the site you’re trying to reach simply be offline?

Finally, remember is that the people running your content filter are trying to keep the system safe, secure, and stable. They are not going out of their way to make your job difficult. However, we frequently get emails from clients who take that stance from the get-go.  This is not a good way to start off a dialog, as it immediately puts your IT staff on the defensive. Remember why this filter was deployed in the first place, and understand that it’s just doing what it was told, and it can be fixed.

Recently one of our client’s Ghost subscriptions came up for renewal. While Ghost does what it’s designed to do well enough, we were wondering what other options there were out there in the world. Enter FOG.

My boss approached me a few weeks ago and asked me to evaluate this project for use at a client location. I had some experience using Ghost and other imaging solutions, so I knew what he wanted.

The biggest change going from Ghost to FOG is that FOG uses a Linux server and Ghost requires Windows. Right away, this can save money on licensing fees, as you don’t need to dedicate a Windows server license (usually around $700 or more) to the task. All of the other tools are roughly the same.

Using FOG definitely shows Ghost’s age. You can only manage a Ghost session through the GhostCast interface which is an application that runs on the Ghost server. By contrast, the main FOG interface is a very slick web page. From here you can manage computers that have been registered with the FOG server, groups of computers, images and tasks that have been started.

I already mentioned that FOG has more features than Ghost. From the FOG boot menu (which is handled completely over the network) you’re given options to register a system with the FOG database or run a memory test (useful to diagnose certain hardware problems). From the FOG management interface you can also set other “tasks” to go when you connect a machine to the FOG server like, “deploying” an image, creating an image, Virus Scan (Using Clam AV), drive wipes, disk test (for errors), file recovery and more. FOG even has a mobile version for handheld devices with a modern web browser (smartphones, iPhones, and other PDAs).

If you need any more reason to switch form Ghost to FOG , how about the fact that FOG operated faster than Ghost? In our tests, I was able to image multiple machines in the time it took me to image one with Ghost. Bear in mind these aren’t “official” benchmarks, but 6 clients in around 10 minutes is great when compared to Ghost, which took 7 minutes a single machine.

If that doesn’t interest you, how about a cost comparison? FOG is Free, Open Source Software (FOSS). There are no license fees, and no cost for obtaining the software (although we do suggest donations to open source projects that you find useful). With Ghost you have to purchase the software, purchase licenses, purchase annual support contracts, and Ghost is also slower than FOG so you end up paying for more in labor costs.

In summary, FOG is free (both gratis and libre), open source, fast and has more features than Ghost. If you use computer imaging, we highly recommend looking at FOG for your company’s use.

1. Greeting cards are a waste of time and resources. I can think of no reason that these are required in a business setting, as they just waste time and other resources.
2. In order to send an electronic greeting card, you normally are asked for the recipient’s email address, and possibly your own. By supplying this information to XYZ greeting card site, you’ve just opened up an avenue for junk email (spam) to yourself and the recipient.
3. Fake electronic greeting cards are a prime vector for email attacks and the spreading of malware. By getting people to click on a link that claims to be a greeting card, the user is likely to want the program to run, not knowing what it really is. I’ve personally had clients ask, repeatedly, that I install Adobe Flash Player on their systems so they could open a greeting card, despite my repeated protests. Sure enough, a few weeks later, their system was infected by malware as a result.

In summary, stop sending electronic greeting cards. If you absolutely must open one that you’ve received, then you can… wait… No, scratch that. There’s no reason for them.

I highly recommend that your company’s acceptable use policy prohibits the sending or viewing of electronic greeting cards, and that your content filtering system be tuned to prohibit these sites whenever possible.

How can you tell if your machine could benefit from a memory upgrade? First off, if you hear your computer’s hard drive running hard, or see the hard drive indicator light on a lot, particularly if you have multiple applications running, that’s  a good sign. Another is to use the Task Manager, a utility included with all versions of Windows, to see how much memory your computer is using. The best time to do this is to during the middle of your work day, when you have the most applications running. In Windows, simply press Ctrl-Shift-Esc and you should see something like the image to the right. Pay attention to the “Available” number under “Physical Memory.” If this number is lower than, say, 256,000, your machine could probably benefit from a memory upgrade.

Techspeak alert! Note that if you have a standard, 32-bit version of Windows (2000, XP, 2003, Vista, 2008, or 7), the maximum memory that your system can use is 4GB, minus the amount of memory used by your video card. So if you have a fancy video card for gaming or CAD or some other applicaiton which requires a high-end card, however much memory is on that card counts against the total amount in your system. If you find that you need more than 4GB of memory in your system, then you need to run a 64-bit version of Windows to use it, otherwise your computer will simply see 4GB as the maximum available, unless your computer supports Address Window Extensions to do some backflips to allow it to see more than 4GB of memory.