If you are still running these at your business or at home, an upgrade is called for as soon as possible.

I applaud this move toward security and productivity. I don’t think it will be a easy task for Google, but I believe it will be worth the effort in the long run.

Does your company need to consider switching away from Windows?

We’ve heard the same thing before. In 2007, when Facebook introduced Beacon, there was a an outcry from the Facebook community. Facebook responded with the governance council, then, a couple of years later, introduced new and better privacy controls. The default setting for these? Everything was open to everyone. Who do they think they are fooling? Apparently about 400,000,000 of us Facebook users, that’s who.

Once again, due to a large public outcry, this time by a number of web-celebs who threatened to, or actually did, deactivate their Facebook accounts, Zuckerberg and company again responded, and promised to fix the issue. I can’t help but think this is like a bad relationship with a partner (Facebook) who, despite repeated promises, just can’t seem to keep promises or stop taking advantage of the other (you).

As always, assume that anything and everything you post to Facebook is public. Period. Forget “privacy settings” which give you a false sense of security. They can be changed at any time. Your personal information can be shared by Facebook (and other online services) any time they feel like it. They’ve done it before, and I’m convinced they’ll do it again.

First off, what if I had a very simple security fix, requiring no new software to be purchased or installed, and with minimal configuration changes, that could block 64% of all Microsoft vulnerabilities reported in 2009? Would you be interested? What if I told you we had a fix that could also prevent 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009? How about blocking 100% of Microsoft Office vulnerabilities reported in 2009? Still not enough? How about blocking 90% of critical Windows 7 vulnerabilities reported to date?

As you should have guessed by now, the fix for all of these is the same: removing administrative rights from end users over their PCs.

While there are still some (poorly written) desktop applications which require administrative rights to run, I have found these to be relatively few in number these days, and once the initial configuration has been done, most programs run just fine as an ordinary user. Despite the additional configuration required by some programs, including hardware drivers, that needs to be done by an admin, the cost of setting these up the right way is generally far less than recovering from the damage caused by a serious malware outbreak.

The press release and the complete report are available from BeyondTrust’s website.

1. Warranty.  These computers generally come with a 1 year, limited manufacturer Warranty.  This means that if any part of the computer breaks after that, you can either “fix it yourself” (time and money) or replace the computer.  Unfortunately, the argument that “you can just go down and buy another computer” (money) is not really a good one, since you likely won’t be able to find an exact replacement, and will therefore have to set up the computer again from scratch (time).  When you spend a little money up front to purchase a computer we recommend, we make sure you get a 3 year business-class warranty, which includes free, on-site repair provided by the manufacturer (not Paradigm).
2. Compatibility.  These systems generally come with Windows XP Home, Vista Home Premium, or Windows 7 Home Ultimate.  These operating systems are not compatible with a Windows business network, not to mention other limitations that don’t belong in a business environment. An upgrade to XP Professional or Windows 7 Professional is an unaccounted for cost when you purchase one of these computers.
3. Standardization.  By purchasing a computer that we recommend, you will likely be able to take advantage of our familiarity with that particular product.  Often we will recommend a single line of computers to multiple customers, and in some cases it may even be one that we have deployed and tested in-house.  All computer models have “quirks” associated with them that make them unique, and knowing our way around them means more efficient deployment, maintenance, and troubleshooting- saving you money.
4. No Upsell. Most bog box store sales clerks are paid on commission. We’re not, and our margins are small. Paradigm has always been primarily a service entity, and the only things we sell to our clients are what they need.

While these sites had no intention (or maybe even knowledge) of this, it goes to underscore a point that, while you may trust Google, Yahoo!, Fox, Facebook, eBay, etc., as trustworthy sites, the bulk of the content that these sites serve up is not coming from them – it’s coming from third parties, such as ad networks, which you don’t necessarily trust, or even know.

To protect yourself from this sort of attack, I recommend the following:

• Limit unnecessary web surfing, especially at work and doubly so for machines and networks which handle sensitive information. If you don’t go to the site in the first place, you can’t get infected.
• Make sure you are using a recent “alternative” browser, such as Firefox or Chrome. While this is no guarantee of safety, Internet Explorer is still the main target for browser-based attacks. Using an alternative platform may lower this risk by lowering your profile.
• Run extensions such as Adblock Plus and NoScript. These disable active programming on websites by default. Note: This does mean more work for you, as the bulk of websites you hit will not work until you enable the scripting components on the pages. However, you are much, much safer from this type of attack.
• Keep your operating system and all other software on your computer patched and up to date. Many of these sorts of attacks rely on flaws in software installed on your computer. If the flaws are patched, then you are less vulnerable to the attack.
• Know what your anti-malware program and operating system alerts look like. Many of these “drive by downloads” rely on tricking the user into installing malware by popping up fake notices telling them that their system is infected, and needs to be scanned. What they are really doing is tricking the user into running the malware in the first place! Don’t be fooled! Learn what your software really is likely to say in the event of malware detection, and how to respond appropriately. If you have any questions, contact your IT staff before taking any action, including clicking on links or closing windows.
• As always, drop those admin rights.

”Do not leave a voicemail if you do not reach your sales target. Connections are only made with real people. Your message will be deleted anyway.”

I don’t follow. I leave voicemails. I don’t expect that my voicemail will close the sale, but to not leave a message when someone has put up a facility just for that seems silly to me. I’d also supplement a call with an email, or vice versa, because some people are more responsive to some media than they are to others.

So, I agree on 9 out of 10 points. Keep up the good work, @smallbizlady.

The diNovo Mini is small, only about 6″ wide by 3″ high with the cover closed – about the size of a Hewlett Packard financial calculator, with keys sized a bit larger than a Blackberry or a Sidekick. It has all of the standard keys of a QWERTY keyboard, plus Ctrl, Shift, Alt, and Super (Windows) keys. It also has standard media controls, including volume, pause/play, previous, next, and stop buttons for controlling apps like iTunes, Windows Media Player, or VLC. Although it lists Windows operating systems under system requirements, the unit works perfectly with Mac OS 10.6, and, while I haven’t tested it, I bet it would be fine with most Linux distros as well.

What I found most useful about the unit was the combination trackpad/arrow keys in the upper left of the device. A toggle switch allows you to turn the circular trackpad (like the rectangular ones you find on notebook PCs) into a cursor pad not unlike what you find on video game controllers (instead of the traditional four directional arrow keys). It takes a little getting used to, but is fairly easy to grasp after a few minutes of playing with the device. While I certainly won’t be composing any long audit responses, doing graphics manipulation or programming with this for any significant length of time, it’s ideal for controlling a media center PC, light web surfing, or replying to a quick email – anything you might do on a smartphone or even a netbook.

The unit has excellent range, allowing me to control my PC via its Bluetooth connection from anywhere in the living room. It also has a built in rechargeable battery, and a 3 year hardware warranty, so no more wasting disposable batteries for the remote control.

The diNovo Mini retails for $149, but can can be found cheaper at various online retailers.

4. What characters should you use in a password to make it strong?
a) Letters only
b) Numbers only
c) Letters and punctuation
d) All of the above
Answer:  (d) – The more complex a password is, the harder it is for a
person to guess it.  Some systems and websites may not allow you to use
all of the punctuation symbols, but most allow some of them.

5. How long should a strong password be?
a) Five characters
b) Eight characters
c) As long as possible
d) Size doesn’t matter
Answer: It depends! For technical reasons, a minimum length of 8
characters is recommended. But not all eight-character passwords are
equally strong. For example, “football” wouldn’t be hard to guess, but
guessing the 8 characters of 7xkM*vh$ presents a real challenge.

6.  Now that you are an expert, choose the strongest password from this list:
a) Mickey.Mouse
b) M1ck3y.m0u53
c) 3.1416**
d) Ad@46-Hiz
e) Aristotle
Answer: (d) – (a) is obviously easy to guess, even though it’s long
enough; (b) is “hacker-speak” for Mickey Mouse – a bad idea; (c)
contains no letters – and it’s the approximate value of Pi; and (e) is
a proper name.

Strong password checklist

• at least 8 characters
• at least one number
• at least one uppercase and one lowercase letter
• at least one symbol (examples: &, !, @, #, $, ^, *)
• no proper names or words (English or otherwise)
• no personal information, like your SSN, phone number, or date of birth
• no repeating characters
• no easy-to-guess patterns like 123qwerty
• no well-known mathematical values (like Pi) or equations (E=mc2)

Tips

• Treat passwords like your toothbrush: Choose a good one and replace it regularly.
• Change your passwords at least every 30 days.
• Use a passphrase. Choose an easily remembered phrase like “Liberty and Justice Forever” and use the first one or two letters of each word with some punctuation and numbers in between. Example: Li.an1Ju*Fo.
• Use a password pattern. Pick a starting point on the keyboard, trace out an easily remembered pattern, and add some twists. Example: The eight-character pattern 1qscvhU* describes a “V” on your keyboard starting with the number 1 key, with the added twists of an uppercase U and an asterisk.
• Use a password manager.  If you use Firefox, for example, you can have your browser remember your passwords. Then be sure to set a strong master password in Firefox to protect your “remembered” passwords.
• Other versatile, no-cost or low-cost password managers include Roboform and KeePass.

This material is reprinted, with permission, from the February edition of the SANS Ouch! newsletter.