Blog Archives

Can You Spot Phishing Emails?

Security researchers at Fortinet recently quizzed their readers about how savvy they were when it comes to identifying phishing emails. Predictably, and depressingly, Fortinet found a large percentage couldn’t tell the tricks from the treats. (The survey was done just before Halloween.)

Phishers are getting more clever over time, and it is harder than ever to separate legitimate email from messages intended to steal your passwords, your money and your pride.

With all of the information on phishing that is available, and the warnings over the years about what to do and not to do, it’s amazing that this is still a problem. But, let’s face it: End users are not security professionals, and many of us go through our email in-boxes without much of a critical eye.

Phishing Email

In addition, phishing schemes are getting more and more sophisticated. It used to be that phishing messages were riddled with grammatical and spelling errors, or just looked wrong. Today, it’s not always easy to pick up on a message with malicious intent. Modern phishers craft their messages carefully, using realistic banner images from the target institution or language that is copied directly from real emails and Web pages.

The growing challenge in discerning email fact from fiction was reflected in the results of the Fortinet quiz, which asked readers to self-select into one of three groups:

  • Absolute beginner
  • Your average netizen
  • Veteran security professional

“As expected, the veterans scored just a little bit better than everyone else, falsely identifying a phishing email just 16% of the time,” the blog reporting the results states. “Conversely, the newbies received bad marks nearly 32% of the time. The middle group marked wrong answers at an average of 21%.”

That is a lot of wrong answers (although, interestingly, one newbie scored perfectly).

Take the quiz for yourself and see how well you can spot the phony emails. But, more importantly, use this exercise as a way to talk to your users and sensitize them to the issues surrounding phishing and its dangers. Security training should be an ongoing affair, providing end users with information about new threats.

“Email is the tried-and-true medium for spammers, and to know that they are still succeeding 20% of the time is a clear call to action for all those security and IT professionals out there,” states the blog. “[Twenty percent] of your organization is at serious risk of clicking on a phishing email today. What are you going to do about it?”


Website Lessons Learned from Williams-Sonoma

Is your website as classy as your brand?

For Williams-Sonoma, Inc., the goal is to match great looking Web pages with top-shelf analytics to keep track of customers.

“Data science is brand building here,” said Mohan Namboodiri, VP of Customer Analytics for the San Francisco-based retailer. “We have a heritage of scouring the world for fantastic products,” he told the audience at the Teradata 2013 Partners conference earlier this month in Dallas. “We bring that same sensibility to doing our data analytics.”

While Williams-Sonoma began with a traditional brick-and-mortar store and mail-order catalogs, the company has “come of age online,” he said.

Namboodiri explained that there are several routines and techniques the company uses to track customers. Here are some of the highlights:

Williams & Sonoma

Segment users by persona

  • Williams-Sonoma groups site visitors into usage clusters based on their behavior. These groups help Namboodiri’s team understand what different online shoppers are trying to do and how they use the site, which both informs site navigation and helps improve conversion rates.

Use cookies to model and score customer behavior

  • Each browsing session is tracked with a unique cookie to determine what customers are doing. The data is used as feedback on the personas, allowing the company to group customers and test how well the personae perform.

Guide customers based on their actions

  • Various triggers have been programmed to respond to particular customer actions. For example, if a visitor searches for an item that’s put on sale in its stores, he would be guided to the best way to buy. “It could be borderline creepy, but it is a sale and so saving customers money trumps that,” he said.

Apply online data to retail forecasts

  • The more online visitors buy particular items, the more the company stocks them at retail outlets. This information feeds Williams-Sonoma’s supply chain and even the inventory decisions of stores in particular neighborhoods. Namboodiri’s team analyzes these purchases over time to help improve each store’s inventory going forward. Given the number of different furniture styles, colors, and options, you can imagine this is quite critical to having the right goods in the right stores.

Like any great Web storefront, Williams-Sonoma recognizes that design and analytics will always be a work in progress. That’s why Namboodiri and his team are constantly experimenting with other ideas to keep things fresh. At the Teradata conference, there was no shortage of great ideas. By developing a website that elegantly weaves together design and analytics, good things happen for both company and customer.


The Big Data Business Bookshelf

Big data is everywhere these days, and many of us are trying to come up to speed on the technology. There are several books out now on this topic, and here are some tips for figuring out which ones are worth reading or best for newbies.

A good place to start is Frank Ohlhurst’s Big Data Analytics: Turning Big Data into Big Money. This is a business process and workflow treatment of the topic: you won’t find any code samples or URLs of open source repositories here. Ohlhurst, who worked with me at CMP and still writes numerous product reviews for the IT trade press, talks about ways to secure your data, structure it, and mine it for value and insights. It is a great book to give your boss.

Next is Big Data Analytics: Disruptive Technologies for Changing the Game by Arvind Sathi, a data architect for IBM. This is another great book for beginners, and identifies use cases, goes into more detail on the business processes and shows some of the main architectural elements of Big Data.

If you’re looking for something short and sweet and also free, try What Is Data Science? by Mike Loukides. You get some concrete examples of different kinds of data analysis tools and techniques and practical, real-world examples galore.

Then there is Enterprise Analytics: Optimize Performance, Process, and Decisions Through Big Data by Tom Davenport and several other authors. It covers wider ground than some of these other books, addressing Big Data alongside a variety of other analytic techniques.

A more general overview of the major players behind Big Data is The Little Book of Big Data by Noreen Burlingame. It is a short read but a quick way to see who are the vendors making waves with this technology, including Hortonworks, Cloudera, Datameer and Karmasphere.

If you want to get more down and dirty into the technology, then Hadoop: The Definitive Guide by Tom White is for you. White will take you through building your first Apache Hadoop cluster, the ins and outs of the Hadoop file system, how to set up MapReduce jobs, and using some of the other tools such as Pig, Zookeeper, and Hive. White works for Cloudera, one of the main commercial forces behind Hadoop.

Once you want to get more training, check out Cloudera University and Hortonworks University: both vendors have extensive programs on a multitude of topics relating to Hadoop and its offshoots, some paid and some for free. And Big Data University has dozens of courses all for free too.


How to make money with malware

Security researchers from FortiGuard have identified the top four money-making schemes that malware authors employ to separate you from your cash. This isn’t surprising, since spreading malware is just like any other software business: you need word of mouth (or a virus to help transmit things), willing customers who will download your code, and people who will pay money for your product.

The difference is that the malware guys aren’t selling you something that you really need, but something else entirely. It used to be that malware was just about gaining control over your computer, so that you could inadvertently be part of a botnet army that could attack someone else. And while there is plenty of that around, the latest schemes are all about making money directly from those who are infected.

It is as ingenious as it is dastardly. Guillaume Lovet, senior manager of FortiGuard Labs’ Threat Response Team, wrote in his blog post: “Now it’s not just about silently swiping passwords, it’s also about bullying infected users into paying.”

Here are the four top money-makers that Fortinet has observed:

1. The Flash update that tricks users into granting full installation rights. Once it is installed, the malware steals passwords to banking and other online payment sites. Given all the problems with Adobe exploits over the years, this may be disappointing, but isn’t all that surprising.

2. The fake anti-virus popup warning. This looks benign but is actually quite nasty. The popup looks like some legit AV software, but woe on anyone who actually purchases and then installs this stuff: you have just bought and installed malware.

3. Ransomware. This is a piece of software that blocks your PC, and the only way you can unblock it is if you pony up some cash. The blockage takes the form of stopping the boot process or encrypting part of your hard drive. It installs automatically on a user’s PC and then demands its ransom.

4. Nasty Trojan Horses. The latest in Trojan Horse attacks is to trick someone into installing a piece of code on their smartphone, and then working the two-factor authentication in such a way that your banking information is recorded both on your phone and in the PC session which has already been infected. These trojans then siphon off your funds to a third party account.

It’s a scary digital world out there. Let’s just hope we can stay a couple of steps ahead of the bad guys.


Encrypting/safeguarding your USB drives and removable media

USB flash and hard drives and removable media make it easy to carry data around – almost too easy. You can buy 16 GB drives for about $20 these days, and larger ones for not much more.

But with this convenience comes risk. If these items are lost or stolen, someone can have access to your data. Fortunately, some drives offer built-in encryption and free tools like TrueCrypt and Microsoft’s BitLocker To Go can safeguard your data and ensure that no one besides you can read your files. The encryption means that you need to enter a password before you open any of the files on the drive, otherwise all the data is just gibberish.

BitLocker To Go was introduced in Vista, but many users found it too difficult to set up and administer. It is much improved in Windows 7 and Windows 8. Once you insert your USB drive into your computer, you right-click on the drive and start the BitLocker preparation process. You are asked for a password or a smart card to protect the drive, and where you want to store the recovery key information. It is simple and takes just a few minutes to perform the encryption, depending on the size of the drive itself.

Note that if you want to read any of the files on your encrypted drive with older versions of Windows such as XP, you can’t.

You should see screens similar to the ones below when you want to decrypt the files on the drive.

Encrypting and Safeguarding USBs

Once you set up BitLocker To Go on a drive and a specific computer, you can set things so that it automatically decrypts the drive when it is inserted on that computer, which is a nice touch and makes things very easy to manage.
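
The same wizard steps, done from an elevated PowerShell prompt, as an added example that is not part of the original post. It uses the BitLocker module that ships with Windows 8 / Server 2012 and later (Windows 7 has only the manage-bde.exe tool); the drive letter and the share that receives the recovery key are assumptions to change for your environment.

```powershell
# Added example (not from the original post): BitLocker To Go from PowerShell.
# Assumed values: the removable drive letter and a restricted share for the
# recovery key. The share must not be the drive being encrypted.
$Drive       = "E:"
$RecoveryDir = "\\fileserver\bitlocker-keys"   # assumption: readable only by IT

# 1. Take the password interactively so it never ends up in the shell history.
$Password = Read-Host -AsSecureString -Prompt "Password to unlock $Drive"

# 2. Turn on BitLocker with a password protector. -UsedSpaceOnly is the same
#    choice the wizard offers and is why a fresh drive finishes in minutes.
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null

# 3. Add a 48-digit recovery password as a second protector (the "recovery key
#    information" the wizard asks where to store) and save it off the drive.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $Drive
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
$keyFile = Join-Path $RecoveryDir ("{0}-{1}-{2}.txt" -f $env:COMPUTERNAME, $Drive.TrimEnd(":"), (Get-Date -Format "yyyyMMdd"))
@(
    "Drive: $Drive on $env:COMPUTERNAME"
    "Protector ID: $($rp.KeyProtectorId)"
    "Recovery password: $($rp.RecoveryPassword)"
) | Set-Content -Path $keyFile
Write-Host "Recovery password saved to $keyFile"

# 4. Optional: auto-unlock on this computer. Windows only allows this when the
#    operating system drive is itself BitLocker-protected, so check first.
if ((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq "On") {
    Enable-BitLockerAutoUnlock -MountPoint $Drive | Out-Null
    Write-Host "Auto-unlock enabled for $Drive on this computer."
} else {
    Write-Warning "System drive is not BitLocker-protected; auto-unlock skipped. The password will be asked for on each insert."
}

# 5. Report status. VolumeStatus moves from EncryptionInProgress to FullyEncrypted;
#    ProtectionStatus must read On, otherwise the data is still readable in the clear.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionPercentage, ProtectionStatus |
    Format-Table -AutoSize

# On another Windows 8 or later machine the drive is opened with:
#   Unlock-BitLocker -MountPoint E: -Password (Read-Host -AsSecureString)
```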

If you are responsible for your organization’s IT infrastructure and want to enable BitLocker across all the PCs in your company, you might want to review the group policies that are part of Windows here.

If you don’t use Windows, or if you want something more powerful and flexible, then TrueCrypt.org has free open source tools for Mac, Windows, and Linux machines. One of the features that I like is the ability to recover a forgotten password, which is probably the biggest fear in using any of these products. The Windows 7 BitLocker has this recovery feature too. Another feature is that you can encrypt a portion of your hard drive, whereas BitLocker needs to encrypt the entire drive.

If you want something more powerful than simple password protection, you can link the encryption technology to the Trusted Platform Module (TPM) chip (see this video here on TPM) or make use of the built-in fingerprint reader; both are part of most modern Windows laptops.


How to print from your iPads

If you or your company has iPads and other iThings on its network, one of the frustrations is not being able to print from them. In the past, you needed a printer that was designed for AirPrint (Apple has a long list of them here) or you had to try to set up printer sharing with an existing Mac USB printer across your network.

But what if you want to use an existing printer that isn’t on this list? Or want something whose print output you can manage for cost accounting purposes? Or if you don’t want to share a local printer? You have several choices.

One solution is the Lantronix xPrintServer, which can do the job for any network or USB-connected printer. It’s so easy that it will take you longer to read how to do it than to actually implement it. The print server is about the size of an iPhone and has three connectors: an RJ-45 for your Ethernet network, a USB jack and a power plug. Plug it in and, in a few moments, you are good to go.

If your app has a print dialog icon, you can now start printing from your iThing. The print server will auto-discover any network printer that is on the same network subnet. If you want to print to another subnet, you will have to go through some manual configuration, using the printer’s built-in Web server. If you have iPhones, you will of course need to turn on their Wi-Fi radios and connect to the same subnet to see the print server. Lantronix has this funny short video with the loveable IT guy featured here. As he says, “Try it now.” It will print wirelessly from any iOS device running iOS version 4.2 or later. The home edition costs $99 and supports two printers. If you want a more capable print server that supports more printers, there is a $150 version of the box.

If you are using the Aerohive Wifi access points, they have recently been upgraded to support Apple’s Bonjour technology and this video explains how it is done. If you have to purchase an Aerohive Wifi network, this isn’t going to be cheap.

Finally, EFI has had its PrintMe cloud-based service for a decade for PCs. The new mobile version extends this functionality to a variety of mobile devices and to a wide variety of printers that can be located anywhere. Pricing is $2,500 for a minimum of five printer connections including a year’s support and maintenance. Again, this is somewhat pricey.

The Lantronix solution is a good compromise of price and features, and is what I would recommend whether you have a couple of iPads or a large fleet to support.


How to get started using email lists

While Twitter and Facebook have gotten plenty of attention, the basic bread and butter of any small business is the care and feeding of its email lists to connect its customers, suppliers and partners. The better you are at doing email lists and sending out regular and informative communications, the more business you will have.

You have three basic choices when it comes to list servers: the free, the cheap, and the pricey. While price alone is a good way to decide, there are some other factors that you should consider. I have picked one provider for each price point: Yahoo Groups (free), Mailman hosted by EMWD.com for $4 a month and ConstantContact, which has plans starting at $15 a month. All three have one big advantage over doing email with Outlook or some other desktop client – they automatically handle bounces, or when email addresses go bad. They also avoid the accidental reply-to-everyone mistake. These are probably the two biggest reasons to use a list service.

For all three choices, you need to assemble all your email addresses that you want to start your list with. You can export these from your client email program into a text file, and then bring up the file in a word processor program to clean it up. You can then cut and paste the names into your list program at the appropriate time.

I like Yahoo Groups for community and lists of a few dozen people or fewer, but it has two big drawbacks: First is a problem with setting up large lists quickly. Yahoo only lets you add 10 people a day to your list without asking them to opt-in. A second issue is that the Web list management interface is a bit confusing to figure out, especially for those recipients who want to use them but lack a Yahoo ID.

Mailman is a more professional program and gives you all sorts of control over features. There are many other email list software products; this is just one that I have been using for many years. I recommend the hosting provider EMWD.com. You can have fairly large lists of several thousand addresses without too much trouble, unlike Yahoo Groups. You need to obtain an account for a one-time fee of $10, and this will give you access to its Web-based control panels. This is more complex than Yahoo, but you have more control over things such as the header (what email address is used in the “from” field) and footer (what information goes at the bottom of each message, which can be used to promote your company or products). As I said, each list only costs $4 a month to operate. You might want to check and see if your own Internet provider offers more competitive pricing on Mailman hosting.

But this may not be enough for your purposes. If you want to add Web links in your emails and track who clicks on which link, such as for promotional purposes, then you want ConstantContact. You can try it for 60 days for free, and then depending on how many names are on your list, the price increases from $15 to $150 a month.

The advantage of ConstantContact is that you can send out very snazzy emails, with pictures, color, and those trackable links. The downside is that setting up a list takes some work. They also have some very impressive video tutorials on their site to help you learn more about using lists and social media. You can view these videos (even without an account) here.

Here are a few tips for sending out your emails to your list once you have it set up.

Limit the amount of self-promotional content to less than 20% of what you send out. Keep your emails information-rich and people will want to read them.

Weekly is the best frequency. If you can’t write something weekly, then every other week is a good alternative.

Brevity counts. Keep the emails to less than 600 words. People have short attention spans.

Don’t pile on the Web links. One or two links per email is fine.

Finally, have an archive. Think about archiving all your emails on your Web site. Mailman and Yahoo Groups do this automatically. Good luck with your lists!


Don’t mess with your DNS

We tend to take it for granted, but you need to treat the Internet Domain Name System (DNS) with the respect that it deserves. And if you have some time to investigate alternatives, you could really enhance your network’s performance and security.

Before I tell you how to do this, let’s have a brief explanation of what DNS is. Think of what a phone book does: it allows you to look up someone’s phone number by referencing their name. The DNS does something similar, except for computers: if you type in “google.com” it translates that name into a sequence of four numbers, called an IP address. In this case, the IP address of google.com is 74.125.95.104.

The overall Internet infrastructure has a series of master phone books, or DNS root servers, located at strategic places around the world and maintained by a collection of public, semi-public, and private providers. They talk to each other on a regular basis; it’s important to make sure that they stay in sync as new domains are added. As you can imagine, if someone wants to “poison” one of the entries, or misdirect Internet traffic to a phony domain, it can be done with the right amount of subterfuge. A famous example of this occurred in 2008. In an attempt to prevent YouTube viewers in Pakistan from watching a single offensive video, a Pakistani Internet provider managed to block access to all of YouTube all around the world. A more comprehensive list of the various DNS attacks can be found here on Google’s site.

When you set up your network, typically you don’t give your DNS settings any further thought. If you have a cable or DSL modem, you hook it up and it automatically gets its DNS settings from the cable or phone company’s DNS servers. If you are running a large enterprise network, typically you have your own internal DNS server to provide this service.

There are several alternative providers, including OpenDNS and Google’s Public DNS, among many others that you can see listed here. Why bother? Two good reasons: 1.) they offer better browsing performance, and 2.) they provide better security to stay away from known phishing and malware-infected domains.

Before you pick an alternative DNS provider, you can use this Java program to test the speed of your own DNS vs Google and OpenDNS. Or you can read up on a couple of performance comparisons from Manu-j and Habitually Good here.

You can change your DNS settings for your individual computer or for your overall network. This is typically done at your DHCP server or cable modem or router. Any of the alternative providers offer their services free, and some, such as OpenDNS, offer a lot more than just the mapping of IP addresses too.

Here are the instructions for changing the DNS settings. Reading through them and making the changes shouldn’t take you more than a couple of minutes:

- OpenDNS

- Google Public DNS
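
The speed test and the settings change described above, done from PowerShell on Windows, as an added example that is not part of the original post. It needs the DnsClient module (Windows 8 / Server 2012 or later); the test names, the run count and the interface alias are assumptions, while the two public resolver addresses are the ones Google and OpenDNS publish.

```powershell
# Added example (not from the original post): time lookups against the resolver
# Windows uses today versus Google Public DNS and OpenDNS, flag answers that
# disagree, and show the one-line change that switches an interface over.
$Names = "google.com", "microsoft.com", "wikipedia.org"   # assumption: use names your users visit
$Runs  = 5                                                # assumption: lookups per name per resolver

# "Your own DNS" is the first IPv4 server configured on any interface.
$Current = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } | Select-Object -First 1).ServerAddresses[0]

$Resolvers = [ordered]@{
    "current ($Current)" = $Current
    "Google Public DNS"  = "8.8.8.8"          # published Google Public DNS address
    "OpenDNS"            = "208.67.222.222"   # published OpenDNS address
}

function Measure-Resolver {
    param([string]$Label, [string]$Server, [string[]]$Names, [int]$Runs)
    $times   = @()
    $answers = @{}
    foreach ($name in $Names) {
        $records = $null
        for ($i = 0; $i -lt $Runs; $i++) {
            Clear-DnsClientCache   # each run should cost a real round trip, not a cache hit
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            # -DnsOnly skips LLMNR/NetBIOS fallbacks; -NoHostsFile skips the hosts file
            $records = Resolve-DnsName -Name $name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
            $sw.Stop()
            if ($records) { $times += $sw.Elapsed.TotalMilliseconds }
        }
        # Record the sorted A-record set so resolvers can be compared answer by answer.
        $answers[$name] = @($records | Where-Object { $_.Type -eq "A" } |
            ForEach-Object { $_.IPAddress } | Sort-Object) -join ","
    }
    $sorted = @($times | Sort-Object)
    $median = if ($sorted.Count -gt 0) { [math]::Round($sorted[[math]::Floor($sorted.Count / 2)], 1) } else { $null }
    [pscustomobject]@{
        Resolver = $Label
        Server   = $Server
        Answered = "$($times.Count)/$($Names.Count * $Runs)"   # timeouts show up here
        MedianMs = $median
        Answers  = $answers
    }
}

$results = foreach ($entry in $Resolvers.GetEnumerator()) {
    Measure-Resolver -Label $entry.Key -Server $entry.Value -Names $Names -Runs $Runs
}
$results | Select-Object Resolver, Server, Answered, MedianMs | Format-Table -AutoSize

# Answers that differ between resolvers are usually just geo-aware CDN responses
# (google.com is the classic case); a difference on a plain single-address domain
# is the thing worth a second look before you trust that resolver.
foreach ($name in $Names) {
    $distinct = @($results | ForEach-Object { $_.Answers[$name] } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $detail = ($results | ForEach-Object { "$($_.Resolver) -> $($_.Answers[$name])" }) -join "; "
        Write-Warning "$name resolved differently: $detail"
    }
}

# To switch one interface (alias assumed to be "Ethernet") run as administrator:
#   Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 8.8.8.8,8.8.4.4                 # Google
#   Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 208.67.222.222,208.67.220.220   # OpenDNS
#   Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ResetServerAddresses                            # back to DHCP
```

For a whole network the same addresses go into the DHCP server or router instead, so that every client picks them up automatically.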

These free services are just the beginning of a new series of other improvements called secure DNS protocol extensions and products, and you can check out these products and read more on this site to understand what is involved to deploy them.


Time to stop reusing your passwords

The recent exploits of various hackers in publishing passwords and user lists from Yahoo, Formspring, LinkedIn and others show that the biggest weakness isn’t having the right security technology, but you as a user! While certainly these sites could have done a better job with securing user data, at the heart of these exploits is a glaring lesson that we all can learn: It is time to develop a better password policy and stop reusing them amongst your various online logins.

It isn’t any mystery why password reuse runs rampant these days. We all have far too many login IDs to keep track of, and the easiest solution is to just reuse the same one (or a limited collection) over and over again. But this makes hacking into your online information child’s play: if someone can uncover the password from one place, they can run it through an automated routine and try dozens of others to see if you reused it. This is indeed what many hackers have begun doing, once they have confirmed one site’s credentials for your login.

And while IT managers can lock down their own email and database and Web servers with various internal policies, that doesn’t help matters if you reuse the same passwords (or even email addresses, as was discovered with the Yahoo hack) on online sites for your personal e-shopping and electronic banking. All it takes to gain access to your own network is to find an online site with weak password security and then trust that someone has reused the same password elsewhere.

A recent Washington Post poll found that 16% of all Internet users regularly reuse their passwords. It is time to stop this practice, and understand the dangers of password reuse. As Google says, “When you use the same password across the Web, a cyber criminal can learn the password from a less secure site and then use that password to compromise your important accounts.” The search giant has lots of great recommendations on personal password use on its UK blog.

Recently, one blog jokingly posted that children are being warned that the name of their first pet should contain at least eight characters and a digit. There is some truth to that, as many of us use our pet names in our passwords. 

While it is easier said than done, you need to limit the reuse of passwords and avoid using common words. Make sure that your passwords contain a mixture of upper- and lower-case letters, and include at least one number. (Or at least add these things to your pet’s name.) And if you are responsible for your IT operations, please enforce minimum complexity standards and educate your end users about the dangers of password reuse.


Should your next laptop have a solid state hard drive?

Now that you can get solid state hard drives (SSDs) on most laptops, it might be timely to consider purchasing one. These drives are something of a misnomer: there is no rotating media, unlike the vast majority of hard drives that you have used since your first PC. Instead, they contain a bank of memory chips, like the ones used for PC memory (RAM). They have two issues. First, the capacity is generally less than that of a traditional disk: while it’s rare to find a laptop that has less than a 350 GB hard drive, it’s unusual to find SSDs with more than 256 GB of capacity. Second, they cost more money.

In June, Apple announced new MacBooks with SSD options; previously, they were only available in the MacBook Air models. Here is an example from Apple’s website showing the options available (the SSD will cost you at least $200 extra):

Apple MacBook Pro hard drive options
Apple SSD Options

They are also available as options from Dell and other PC makers. Here is a screenshot from the Dell ordering website where you can see you’ll end up paying up to $230 extra for the SSD:

Dell.com Latitude hard drive options

Dell SSD Options

So given that you will pay more for less storage, why bother? One big reason is performance. Your websites will load a lot faster. You can switch from one window to another in an instant. If you are doing tasks such as video or photo editing, you will notice that your computer works much faster when it has to save or read your files. To get an idea of the various manufacturers’ price/performance, check out AnandTech’s benchmarking page here.

You can also get a better-performing hard drive for less money than an SSD. In the screenshots above, you can see Dell offers a 7200 rpm drive for less than the SSD. This number refers to the rotational speed of the drive; traditional drives usually operate at 5400 rpm.

You can also buy a laptop with the smallest traditional rotating media and replace it with an after-market SSD too, if you are handy enough and patient enough to re-install the apps and operating system.

So, should you take the SSD plunge? If your storage needs are modest, or if you can offload your biggest files to an external drive, and if you want the lightest laptop and don’t mind spending the extra dough, then yes. Figure on spending at least $900 to $1,200 for current SSD-enabled laptops. If you need more than 128 GB of storage or are price-sensitive, then wait and stick with traditional rotating media for now.
