Whenever you download and install new apps to your mobile device, be sure to read the permissions it requests so you know roughly what you’re getting into. Often times, you’ll see something fishy that’ll change your mind.

There were some great talks hosted by some of the best minds in infosec and we always leave with our minds blown. We’re hoping to bring some of that back and apply it to small business to keep our customers just that much safer. Here are a few of the lessons we’ve learned this weekend.

1. Turn off wireless radios when you’re in a room with a few hundred hackers.

Con attendance or not, it’s a great idea to keep wireless technologies flipped off when you’re in unfamiliar territory. While we aren’t 100% sure just yet, it’s possible that more than one of our devices was compromised over the weekend due to accidentally forgetting to turn off WiFi, Bluetooth and/or 3G data roaming. We’re looking forward to running forensics on the Android devices in question, but it’s definitely not a good feeling to have to wipe your devices when you’re unsure if you’ve just been owned.

You may not realize it, but even leaving your wireless radios on can leave vulnerabilities open on your mobile devices that could lead to potential compromise. And as we’ve always mentioned, whenever a system has been compromised, it can’t be relatively trusted again until it’s been formatted and had a fresh OS installation performed.

When you leave your wireless radios on, your phone, laptop, tablet, etc. is basically sitting in your luggage or pants pocket shouting out “Hey! I’m looking for my home or office router! Are any of you my home or office router?!” until something responds affirmatively, allowing you to connect. There are certain methods of tricking those devices into connecting to false access points by saying “Yeah, man, I’m totally your home network – here’s an IP address” and allowing it to connect. From there, it’s just a matter of knowing a few Android or iOS vulnerabilities to gain access to the device and go to town.

It’s always a good idea to leave your mobile device wireless radios off when traveling, even if just to save some juice. Be sure to keep them off when they aren’t in use at public hotspots (you know what… just don’t use public hotspots at all) and only connect your devices to access points you know are safe.

More coming soon!

The zingers are flying left and right, but in all seriousness, the threat is very real. It was recently announced that one of the leaders in Antivirus and security software, Symantec, was compromised back in 2006 resulting in the theft of their application source code. We’ve been hearing about countless corporate security breaches within the last year, but what makes this one different is the fact that Symantec owns PCAnywhere, one of the best-selling remote desktop applications on the planet. Symantec is now advising that users disable their software as soon as possible.

Instead, if you have it, just remove it. Now.

Information security is based on trust. When working with closed-source applications, that trust is only as good as the word of the party that certifies it. PCAnywhere, until now, has been more than certifiable based on the credibility of its owner. Symantec’s one of the largest security research firms in America – how could anybody doubt them? The minute there is a reasonable doubt associated with that credibility; however, the security of your information ceases to exist.

When working on critical high-availability secure servers, the only way to truly recover a trust relationship with a compromised system is to format it and import mission-critical data after it has passed security requirements. The same idea applies here. Symantec’s code has been out in the jungle of the web since 2006. I’m still studying to take my CISSP exam, but I’d say there’s a reasonable doubt.

Without a complete incident response, especially for a breach that occurred so long ago, it’s nearly impossible to tell what the complete ramifications of the theft of their codebase could be.

PCAnywhere has lost its trust and it shan’t be getting it back anytime soon. Information security experts are now recommending that users just plain get rid of it and so do we. As for Symantec as a whole, we’ll just have to see how this plays out. For now, though, feel free to let us know if you need help removing the software from your systems and finding a suitable replacement. VPN connections will always be a staple for secure connection methods and if your business incorporates on-premise or any type of decent networking equipment, you should be able to configure an alternate security method quickly and easily.

Hey, you guys use remote desktop software, too!

For those wondering, the system we use, Bomgar, is an in-house, closed-source system that incorporates FIPS-140 grade security standards. None of the connections we use for any client communications is at risk. In the event that our vendor is compromised, each of our clients will be notified immediately and all Bomgar software will be removed from client computer. Luckily, though, nobody’s really got their eye on us.

Onward!

Hardware quality

The computer you see on the shelf for $500 is the cheapest thing that vendor can build. They literally can’t go any lower. It’s designed for the budget home user and, in an ideal world, would never find its way into the offices of a business.

Anywhere.

But again, I digress.

Think about the last time you worked with a client for literally as little return as you possibly could. How would you rate that experience? Be completely honest with yourself for a moment. As much as you may have liked the client or done your best, no matter the circumstance, to complete the job, nine times out of ten depositing a check that just breaks you even leaves a lot to be desired. Unless you really are a saint and only in business to give back. In which case, I’ve got a job for you.

Everybody wants to make enough to have a decent living and it’s no different for computer manufacturers. They make very very little on each one of those bargain computers and (once you’ve worked with them enough you start to realize) those vendors don’t give one lick about how they work after they’re paid for. Some people have had great experiences purchasing this way, others not. It’s a grab-bag. They’ve essentially bought up all the left-over hard drives that had a lower-than-standard quality rating from Seagate (looking at you, 7200.11 and 12) or any other manufacturer with the lowers rates at a huge bulk discount and slapped ‘em in all those puppies. Maybe they’ll grab some of those AMD processors that were supposed to be quad-cores but never really worked right (I know it’s an old link – we love to hate on AMD – they just make it so easy) so were integrated as dual or triple-cores instead.

It’s the difference between buying a motherboard made by Intel and one made by Hyundai (not the car maker, but still low quality).

Sure, there’s a 3-year warranty, but most people will end up claiming repairs on that warranty more than once in that time period solely because of faulty hardware. Anybody who has gone through the process knows that the service is inevitably poor. What they may not realize is that it’s a different service department and process than what most business customers may be using – because they paid next to nothing for it.

We seriously love the new Dell Optiplex line. We partner with Dell, HP and Lenovo, but there are our top choice.

Ok, so what’s the difference?

It’s massive. Computers built for business incorporate higher quality hardware standards across the board. There’s really no way to dispute it. Business machines are built to avoid downtime. When businesses experience downtime, it’s far more expensive than if your grandmother can’t get to her email. For this reason, computers, networking equipment, servers and most business-grade computing hardware is built so that you’ll have to deal with their warranty department or your own IT department for repairs a great deal less.

Many vendors have different levels of business-minded hardware. Dell has the budget-friendly Vostro line which still incorporates higher-grade components, the more reliable and powerful Optiplex line (we’ve seen even the small form factors never have a problem for 6 years) and the ridiculously over-powered workstation line, the Precision models. Each one offers different features, but they all take quality standards into strong consideration when engineering them. High quality manufacturers like Apple will actually work directly with their vendors to ensure a certain level of reliability before signing supply contracts. Dell, HP and Lenovo do the same for their workstation and server hardware.

Manageability, Security, and Upgradeability

Beyond just the facts of life (computers break), business-minded computer hardware is built for ease of manageability. This may not mean much for the mom-and-pop fishing shop with two POS (that’s point-of-sale, not the other one) computers, but it makes a world of difference for a fleet of them out in the field. Intel has started offering professional management tools called vPro ingrained into their chipsets to allow remote management of not only software features and security measures, but also hardware-based access to decrease troubleshooting and support times.

Intel's vPro technology is only available on business-minded hardware.

These types of hardware-based measures allow administrators to set global policies for data encryption, remote locking, disable USB storage functions to prevent thieves from copying data and more. Think about it – your sales guys are probably going to save their username and password into the default Windows VPN credentials box so they don’t have to type them in each time they’re on the road. Once that computer is stolen, anybody can open it up, connect to your office and go to town or rip the hard drive out and copy its contents. With data encryption and remote locking, it’s no big thing. It shouldn’t keep you up at night… that’s our job.

Finally, just take a moment to imagine you’re trying to sell your business. Interested parties will want full documentation on all network assets. *It’s always a good idea to let your IT guys talk to their IT guys to maintain security throughout the process* but imagine the value you demonstrate when all your staff is working with reliable hardware with extended availability. Bargain PC’s are often times maxed out already or only allow certain types of upgrades. Business models will usually allow you to upgrade to a level you didn’t realize was possible, keeping hardware alive much, much longer and adding value to your business. Just imagine walking into a company you’re interested in purchasing and finding out every person was using a Pentium III computer with a maximum RAM capacity of 1GB. It means an overhaul as soon as you take ownership.

There’s a lot to think about when purchasing business computing assets and we’re always here to help out. Please don’t walk away thinking we won’t help you if you’re positive a store-bought computer is all you’ll need. We’ll always make sure it’s properly integrated on your network. Just make sure you know what you’re getting into first. Sometimes opting for a bargain PC is doing you more harm than good.

Sometimes we have clients exclaim at the cost of the quotation and it catches us off guard. We only want the best for our clients and we do our best to make solid suggestions – every now and then we get wrapped up in making sure our suggestions incorporate only the newest hardware so they’re up to date as long as possible. We don’t see much value in quoting out an Intel Core 2 Duo that was designed 3 years ago when a brand new Intel Core i3 or i5 is only a bit more and will last them longer at this point. Sometimes the client is expecting that Core 2 to keep down costs, though. It’s always a balancing act.

Often times, clients will see a crazy awesome Core i5 or i7 name-brand computer at Best Buy or online with a 1 Terabyte hard drive and 24 Gigabytes of RAM and a 1.3 Gigawatt power supply that also turns back time and makes toast just the way they like it (Please note: those things aren’t real. Do not make toast with your computer. It will taste like plastic wrap.) Sure, those computers are great buys. There’s nothing wrong with them and we will always help clients integrate them properly. Something many people don’t always realize when they see those deals is that they absolutely are not designed or built for business. The dude in blue might tell you otherwise, but what exactly is his job there anyway? They’re designed to sell above all else.

The most attractive model on the shelf isn't always the best for business.

Purchasing computer equipment for your business should be done with the same mindset as buying a new car. Obviously, buying the least expensive Daewoo will get you to point B. Going for a well-built Impala will, too. But that’s not the only reason you choose a specific car. Price is only one factor, with others playing just as important a role. It has to last, have a great warranty and be made with quality parts that get the job done in a realiable fashion over the long-term. Each one will have bells and whistles, which are great, but not what’s important. You’re not showing your office computer off to your friends, so don’t get wrapped up in the marketing and buzzwords.

We always recommend and quote business-grade computing equipment (unless otherwise specified) and certainly take the price into consideration. We don’t always recommend the cheapest thing, though. Sometimes the cheapest desktop or laptop is just perfect for the job – and we have clients using those units for certain tasks. When it’s time to invest in computers that your staff are going to use on a long-term basis to complete their daily responsibilities, though, it’s another story. Price is, of course, important – we wouldn’t be here if we told everybody to buy top of the line or go home – but that initial investment is less painful once you’ve had a cheap computer fail on you within 2 years right when you’ve got a quarter-end report due.

In the coming days and weeks, we’ll be spending more time breaking down each aspect of the PC and how great consumer deals don’t always add up to great business value.

Continue to Part 2: Hardware

January 18th marked the first time in recent memory (granted, I was born in 1983) that we’ve witnessed Furtune-500 corporations, information security professional and the general populace (I’ve heard some of my most technically un-inclined friends complain about SOPA to my amazement) all join together in a powerful outpouring of fiery opposition to legislation on the floor of Congress. Sure, it may seem like business as usual for corporate America to stonewall the legislative branch of government over bills we know little about or IT gurus to complain over new draft standards put to market without official oversight (802.11n draft, anyone?), but when was the last time you legitimately could not read a Wikipedia article, look through classifieds on Craigslist, waste time on Reddit or troubleshoot your own WordPress blog — all in the same day?

We’ve just witnessed the the web in revolt. The way the digital world interacts with government has changed forever.

More of our thoughts in the days to come.

If you’ve found something similar to your password in the list above, it means it’s time to change it. Like…yesterday.

• Length. Make your passwords long with eight or more characters.

   

• Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing “and” to “&” or “to” to “2.”

   

• Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.

   

• Variety. Don’t use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.

   

The research shows that the popularity of the Macintosh platform doesn’t necessarily spur the creation of new malware, but instead shows that bursts of development follow a still unknown pattern. Needless to say, users should expect more of the same throughout the coming year.

While they may be user-friendly, it’s still important to secure your Mac! Make sure you run system updates in a timely manner and don’t mount any DMG’s if you’re unfamiliar with their source. People attack certain types of systems when they have reason to do so. While the research shows that reason is not yet its popularity, finding an unpatched system is always an invitation for an attacker.

Check out F-Secure’s breakdown here.

Many of you know that we have a keen interest in finding and eliminating opportunities for unauthorized access to sensitive data. We spend good portions of our time testing new technologies in our home and office labs and love to bring our findings to the workplace. One of our hobbies through the years has been wireless penetration – monitoring wireless signals with the intent to trick access points into giving us access to a network. In these blog entries, we hope to help shed some light on common wireless networking mistakes, why they present security problems, and how to go about ensuring that your assets are safe. Today, we’re going to start with a quick introduction by explaining why you should stay far, far away from WEP encryption for your home and business.

One of the problems with WEP is the way that it establishes encrypted connections. It utilizes an RC4 cipher (the encryption method) and an IV (an unencrypted key used to initialize the encrypted stream) in a way that allows attackers to record the transmission of data and use it to decrypt the security key. This means that the only thing an attacker needs is for you to use your network – surf the web, transfer files, anything! Once they have recorded enough data, they can easily establish the key. As time went by, researches discovered ways to falsely inject IV’s into a wireless network that wasn’t experiencing much traffic an exploit an inherent flaw in the design to trick the access point into confirming the transmission and passing a packet back to the source. This allowed attackers to decrease the amount of time and passed data required to crack the network.

Jumping back to now – 2012 – automated tools for cracking WEP encryption are widespread, easily available and free.  Modern computers (even low-power netbooks) can crack a WEP network in less than a minute. Sites all over the Internet explain how to do it, too. Once an attacker gains access to a wireless network, they have essentially bypassed a major part of your security. Supposing there are not more firewalls in place between them and their target, gaining access to a wireless network often means complete access to a person’s home or business. From there it’s just a matter of setting up shop and finding the information they came for – all without even having to knock on the door.

Folks – WEP is bad. If you have devices or computers that aren’t compatible with newer wireless encryption standards, they should really be left behind or configured with newer peripherals that add the compatibility. Standards like WPA and WPA2 add significant security to home and business wireless networks and should always be configured over WEP. When you purchase a new access point or have a Verizon or Comcast technician install a new unit, be sure to either configure it yourself before connecting devices and getting discouraged by having to reconfigure everything, or have the technician configure it on day one. (Here comes the shameless plug) We’ll also be more than happy to talk to you about your wireless configuration, whether it be for your home or your office. Many times we can reconfigure your wireless encryption settings by setting up a remote screen sharing session with a computer connected to the network. As always, though, you can feel free to give us a call anytime if you’re unsure about your configuration.

Next time we’ll go into the security vulnerabilities of newer wireless protocols and what you can do to defend your network assets. Also stay tuned for our upcoming article about protecting your data when using public wifi.

Just recently, though, Google has devised a way to log into your account in a much more secure manner at public computers. Venturing over to http://accounts.google.com/sesame will create a unique QR code within your web browser. Use your smartphone to scan the code and open the webpage address it contains. Remember not to close the page you scanned the code from on the public computer just yet. On your smartphone, type your username and password into the login screen once it loads. Give it a moment to process and Google will automatically log you into your account on the public computer.

Voila! You no longer have to worry about pesky keystroke loggers when you need to use a public computer. Just don’t forget to sign out when you’re done!

**Edit** – My good pal, Craig, just brought something to my attention. If you’ve got access to your Google account on your smartphone, what’s the need for a public computer? It’s a good point – but you never know. It’s always good to have more security avenues available.