alt tag

Posts from October, 2015


Playing It Safe with Windows 10: Upgrading or Maintaining Your OS with Minimal Pain

Tuesday, October 27th, 2015

windows-831050_640

Now that the dust has settled around the release of Windows 10, your SMB may be looking to increase productivity by upgrading your OS. Still, you should proceed with caution.

The latest version of the operating system offers a more secure computing environment, better disaster recovery options, and an improved user interface that can optimize your operations. However, if it turns out that the software your business relies on doesn’t work with Windows 10, the downsides to an upgrade will quickly outweigh any upsides.  

Before diving in for a full upgrade, test the waters to ensure that:

A) Your existing software still works, or
B) There are compatible, convenient alternatives.

Identify Problematic Software

SMBs often have older software propping up the backbone of their business. Because that software is proven and reliable, dumping it isn’t a move to be taken lightly. Switching to an inferior but compatible product can kill productivity. An IT consulting service can help manage problems like decreased system performance and insufficient hardware to run the new OS by upgrading or replacing systems. If the software doesn’t work in Windows 10, there’s not much you can do to fix it.

It’s a good idea, then, to select one computer, upgrade it to Windows 10, and test all of your usual software before ordering a mass upgrade. Best case scenario, your software will work in Windows 10 as well as it did in the prior version.

If a program doesn’t want to start, there’s a tool at your disposal (included in Windows) that might save the day. “Compatibility Mode,” which can be accessed from the Properties menu located on the program launch icon, resolves many of the software conflicts that prevent older programs from running on newer platforms. You can select which version of Windows you want the computer to try to replicate to work around problems.

However, “Compatibility Mode” is not guaranteed to work—and if it doesn’t, your last option is running programs through virtualization (creating secondary instances of operating systems that run within the main one). Virtualization may work in a pinch for one-off situations, but running it on every computer is far from practical.

Find Compliant Replacements to Balance Security and Functionality

Sticking with older operating systems in favor of new ones becomes an increasing security risk over time, which can put any SMB in the difficult position of choosing a more functional or a more secure solution. A managed service provider can be an invaluable asset when finding software alternatives to replace programs that no longer work on modern operating systems. The OS turnover may provide a great opportunity to switch to a Cloud-based software alternative that’s platform-agnostic—and can put the “upgrade decision” to rest, permanently.

Lessons of Ashley Madison: How “Crackable” Are Your Passwords?

Tuesday, October 20th, 2015

keyboard-283232_640

The well-publicized recent hack of the Ashley Madison website will probably earn a spot in a “Hacking Hall of Shame”—alongside the infamous Sony and Target breaches—for the sheer amount of grief it may cause millions of marriages. Most of the blame lies with the Ashley Madison administrators for leaving their users’ data vulnerable to a full-scale cybertheft. But it also brings to light how many careless users jeopardized their marriages by relying on unsecure, easy-to-guess passwords.

A Word of Warning

Security expert Dean Pierce wondered how many encrypted Ashley Madison passwords he could decipher using a “cracking rig”—a milk crate-sized hardware contraption typically available on the black market for around $1,500. After adding some fairly elementary programming instructions, Pierce’s cracking rig began sifting through the massive volumes of code publicly exposed from Ashley Madison’s servers. In just over five days, he’d already retrieved 4,000 user passwords—about 32 per hour—at which point he decided to stop the experiment.

What were the most common passwords revealed from Ashley Madison’s clientele?

“123456”: 202 users

“password”: 105 users

“qwerty”: 32 users

“12345678”: 31 users

“ashley”: 28 users

If these users carelessly risked their spouse’s trust on the most easily “guessable” passwords, how often did they use similar passwords for social media, retail websites, online bank accounts, or protected data at work? It cannot be stressed enough: Strong passwords are the backbone of personal computer security.

The key to choosing a “crack-resistant” password is to understand how passwords are usually hacked. A typical password consists of a single English language word—a proper name, a noun, or anything else in the dictionary—combined with an “appendage,” most often a suffix, such as:

  • “!” or other punctuation marks
  • One or more digits
  • Common web abbreviations (“4U,” “LOL”)

Malicious hackers around the world equip themselves with sophisticated tools which can test millions of word/suffix combinations per second—much more powerful than the $1,500 cracking rig—until they stumble upon users’ weakest passwords.

Have you used the names of your kids as passwords? You’d be surprised at how many of your personal connections—family members, neighbors, and more—are now easily divulged on various “people search” websites. A determined hacker will assume those names are prime password material. Same for your birthday, phone number, or street number/zip code.

How to Pass the Test

If hackers are on the prowl for predictable words, one strategy for creating a guess-proof password is to use an acronym for a sentence or phrase. For example:

“TCJOTM” for “the cow jumped over the moon”

“ANWYCCDFY” for “ask not what your country can do for you”

…or a description of something else you’ll remember easily.

The more characters in a password—upper and lower case, plus special symbols—the greater the level of security. One useful tool for testing a password is Microsoft’s free password checker. Never settle on a password rated less than “Strong.”

For help with any security-related IT issues, get in touch with us today.

3 Incredible Benefits of Protecting Your Cloud Data with Two-Step Verification

Friday, October 16th, 2015

padlock-303616_640

Online security breaches can be expensive and productivity-killing events. When a nefarious third party acquires an employee password, it’s no party at all.

Many online businesses have begun using Two-Step Verification, also known as Two-Factor Authentication, to introduce an extra layer of protection against hackers and other cyber villains.

A number of juggernaut tech companies rely on some form of Two-Step Verification to store and exchange private information, including Apple, Google, Microsoft, Dropbox, Evernote, Yahoo, and PayPal. Two-Step Verification works by controlling which computers, tablets, phones, and other devices can access online accounts, requiring a user who’s logging on for the first time on a new device to enter an authorization key. Account owners assign a specific authentication key to each device—whether a cell phone or USB dongle key—which the user receives via text message, telephone call, or application. The key is time-sensitive, so any given key code only works for a short duration. If an account owner discovers a breach, all they need to do is sign on to the account with an already approved device and change the password.

Still wondering whether Two-Step Verification is right for you? Check out this list of benefits:

  1. Stolen Passwords Are Relatively Useless

If someone steals a password for an account that uses Two-Step Verification, that password is entirely useless unless the crook stole the authentication device as well, or has access to systems already approved for use. If they have the device but not the password, they’re also not getting through. In other words, the key and password are useless without each other.

  1. Control Which Machines Access Accounts

Two-Step Verification makes it so an account owner can choose which devices have access to confidential accounts. For example, a business may opt to enable access to specific devices for employees, but withhold the authentication key to prevent people from enabling access on unapproved devices. Alternatively, someone may opt to sync their workstation and personal laptop via the Cloud to work seamlessly between the two devices, but keep the laptop unauthenticated for confidential accounts because it poses a higher security risk. The workstation would act as an intermediary device in this case.

  1. Brute Force Hacks Fail

Brute force hacks systematically guess passwords and keys until they find the one that works. Since Two-Step Verification systems change the key after short intervals, brute force hacking procedures have to start from the beginning each time the interval elapses. The key is a moving target, which makes a brute force hack contingent on luck. The hack will almost certainly be identified and blocked before it cracks the code.

The downside? Two-Step Verification can be a bit tedious to configure. And because it prevents bad things from happening instead of making good things happen, it may feel like an unrewarded effort.

A managed service provider can help your business develop and implement a Two-Step Verification plan today. Two-Step Verification can streamline data sharing and increase productivity, saving you time and money by preventing security breaches over third-party platforms. Get in touch with a trusted local IT consulting service to protect what’s most important to your business.

The “Redirect to SMB” Bug: New Windows, Same Danger

Tuesday, October 6th, 2015

bug-162019_640

The big news out of Microsoft over the past couple of months is the much-ballyhooed release of Windows 10. While “Win10” finally addresses those annoying shortcomings of its predecessor Windows 8 (as we’ve discussed), it still hasn’t corrected a dangerous security flaw known in cybersecurity circles as Redirect to SMB—a hidden vulnerability which has plagued all versions of Windows since 1997.

The original basis of Redirect to SMB was frighteningly simple: A victim simply needed to be duped into clicking on a URL (in a phony website or malicious email) that began with file:// rather than the usual http:// (e.g., file://12.34.567.89 or file://example.com). This would cause the victim’s computer to directly link to the attacker’s server via Server Message Block protocol (SMB), which would render the victim’s computer under the attacker’s control, and ultimately allow access to the victim’s entire login credentials—usernames and passwords—for every protected business or personal account on the Internet.

Redirect to SMB 2.0: Self-Service Cyber-Attacks

This past April, cybersecurity firm Cylance revealed they’d uncovered a potentially devastating new dimension to Redirect to SMB—which requires no additional trigger action on the part of the victim. Windows regularly issues automated “pings” via HTTP/HTTPS authentication for availability of updates and other routine background tasks. Cylance discovered that these pings could be redirected from the legitimate HTTP destination to a rogue SMB server, enabling the attacker to swipe those valuable user logins.

These threats aren’t limited to the Windows operating system itself. After extensive testing, Cylance found exploitable Redirect to SMB vulnerabilities in over 30 “self-updating” Windows-based software products, including common applications you’ve probably used this week:

  • Adobe Reader
  • Apple Software Update (installs QuickTime and iTunes updates)
  • Microsoft apps including Internet Explorer, Windows Media Player, and Excel 2010
  • Antivirus programs from leading vendors including Norton, AVG, and Bitdefender

“It Can’t Happen To Me”Until It Does!

Microsoft announced plans to deliver a security patch for Redirect to SMB way back in 2007, but has since publicy downplayed the likelihood of such attacks. (Of course, we remember how the Empire downplayed the likelihood of a direct hit to a small exhaust port destroying the Death Star!) We’ve talked at length about the legions of hackers around the world who’ve dedicated themselves to hijacking your computer. They read the same news reports we do, and we’d be surprised if some form of Redirect to SMB isn’t on a crook or two’s agenda.

In the meantime, the most effective “workaround” against Redirect to SMB is to manually reconfigure a couple specific TCP ports in your firewall to restrict all outgoing SMB communication. You’ll block most external SMB-based attacks, but other useful Windows features may be affected.

The release of Windows 10 was a welcome event, but remember that it’s still not perfect. Rejoice over the return of the “Start” button—but keep security in mind. If you need help protecting your company against threats, get in touch today.