Blog Archives

How to make money with malware

Security researchers from FortiGuard have identified the top four money-making schemes that malware authors employ to separate you from your cash. This isn’t surprising. Spreading malware is just like any other software business: you need word of mouth (or a virus to help transmit things), willing customers who will download your code, and people who will pay money for your product.

The difference is that the malware guys aren’t selling you something that you really need, but something else entirely. It used to be that malware was just about gaining control over your computer, so that you could inadvertently be part of a botnet army that could attack someone else. And while there is plenty of that around, the latest schemes are all about making money directly from those who are infected.

It is as ingenious as it is dastardly. Guillaume Lovet, senior manager of FortiGuard Labs’ Threat Response Team, wrote in his blog post: “Now it’s not just about silently swiping passwords, it’s also about bullying infected users into paying.”

Here are the four top money-makers that Fortinet has observed:

1. The Flash update that tricks users into granting full installation rights. Once it is installed, the malware steals passwords to banking and other online payment sites. Given all the problems with Adobe exploits over the years, this may be disappointing, but isn’t all that surprising.

2. The fake anti-virus popup warning. This looks benign but is actually quite nasty. The popup looks like some legit AV software, but woe to anyone who actually purchases and then installs this stuff: you have just bought and installed malware.

3. Ransomware. This is a piece of software that blocks your PC, and the only way you can unblock it is if you pony up some cash. The blockage takes the form of stopping the boot process or encrypting part of your hard drive. It installs automatically on a user’s PC and then demands its ransom.

4. Nasty Trojan Horses. The latest in Trojan Horse attacks is to trick someone into installing a piece of code on their smartphone, and then working the two-factor authentication in such a way that your banking information is recorded both on your phone and in the PC session which has already been infected. These trojans then siphon off your funds to a third party account.

It’s a scary digital world out there. Let’s just hope we can stay a couple of steps ahead of the bad guys.

 


Encrypting/safeguarding your USB drives and removable media

USB flash and hard drives and removable media make it easy to carry data around – almost too easy. You can buy 16 GB drives for about $20 these days, and larger ones for not much more.

But with this convenience comes risk. If these items are lost or stolen, someone can have access to your data. Fortunately, some drives offer built-in encryption and free tools like TrueCrypt and Microsoft’s BitLocker To Go can safeguard your data and ensure that no one besides you can read your files. The encryption means that you need to enter a password before you open any of the files on the drive, otherwise all the data is just gibberish.

BitLocker To Go was introduced in Vista, but many users found it too difficult to set up and administer. It is much improved in Windows 7 and in Windows 8. Once you insert your USB drive in your computer, you right-click on the drive and start the BitLocker preparation process. You are asked for a password or a smartcard to protect the drive and where you want to store the recovery key information. It is simple and it just takes a few minutes to perform the encryption, depending on the size of the drive itself.

Note that if you want to read any of the files on your encrypted drive with older versions of Windows such as XP, you can’t.

You should see screens similar to the ones below when you want to decrypt the files on the drive.


Once you set up BitLocker To Go on a drive and a specific computer, you can set things so that it automatically decrypts the drive when it is inserted on that computer, which is a nice touch and makes things very easy to manage.

If you are responsible for your organization’s IT infrastructure and want to enable BitLocker across all the PCs in your company, you might want to review the group policies that are part of Windows here.

If you don’t use Windows, or if you want something more powerful and flexible, then TrueCrypt.org has free open source tools for Mac, Windows, and Linux machines. One of the features that I like is the ability to recover a forgotten password, which is probably the biggest fear in using any of these products. The Windows 7 BitLocker has this recovery feature too. Another feature is that you can encrypt a portion of your hard drive, where BitLocker needs to encrypt the entire drive.

If you want something more powerful than simple password protection, you can link the encryption technology to the Trusted Computing Module chip (see this video here on TPM) or make use of the built-in fingerprint reader; both are part of most modern Windows laptops.

 


How to print from your iPads

If you or your company has iPads and other iThings on its network, one of the frustrations is not being able to print from them. In the past, you needed a printer that was designed for AirPrint (Apple has a long list of them here) or you had to try to set up printer sharing with an existing Mac USB printer across your network.

But what if you want to use your existing printer that isn’t on this list? Or want something that lets you manage print output for cost accounting purposes? Or if you don’t want to share a local printer? You have several choices.

One solution is to use Lantronix xPrintServer that can do the job for any network or USB-connected printer. It’s so easy that it will take you longer to read how to do it than to actually implement it. The print server is about the size of an iPhone, and has three connectors: an RJ-45 for your Ethernet network, a USB jack and a power plug. Plug it in and, in a few moments, you are good to go.

If your app has a print dialog icon, you can now start printing from your iThing. The print server will auto-discover any network printer that is on the same network subnet. If you want to print to another subnet, you will have to go through some manual configuration, using the printer’s built-in Web server. If you have iPhones, you will of course need to turn on their Wi-Fi radios and connect to the same subnet to see the print server. Lantronix has this funny short video with the loveable IT guy featured here. As he says, “Try it now.” It will print wirelessly from any iOS device running iOS version 4.2 or later. The home edition costs $99 and supports two printers. If you want a more capable print server that supports more printers, there is a $150 version of the box.

If you are using the Aerohive Wifi access points, they have recently been upgraded to support Apple’s Bonjour technology and this video explains how it is done. If you have to purchase an Aerohive Wifi network, this isn’t going to be cheap.

Finally, EFI has had its PrintMe cloud-based service for a decade for PCs. The new mobile version extends this functionality to a variety of mobile devices and to a wide variety of printers that can be located anywhere. Pricing is $2,500 for a minimum of five printer connections including a year’s support and maintenance. Again, this is somewhat pricey.

The Lantronix solution is a good compromise of price and features, and is what I would recommend if you have a couple or a large fleet of iPads to support.

 


How to get started using email lists

While Twitter and Facebook have gotten plenty of attention, the basic bread and butter of any small business is the care and feeding of its email lists to connect its customers, suppliers and partners. The better you are at doing email lists and sending out regular and informative communications, the more business you will have.

You have three basic choices when it comes to list servers: the free, the cheap, and the pricey. While price alone is a good way to decide, there are some other factors that you should consider. I have picked one provider for each price point: Yahoo Groups (free), Mailman hosted by EMWD.com for $4 a month and ConstantContact, which has plans starting at $15 a month. All three have one big advantage over doing email with Outlook or some other desktop client – they automatically handle bounces, or when email addresses go bad. They also avoid the accidental reply-to-everyone mistake. These are probably the two biggest reasons to use a list service.

For all three choices, you need to assemble all your email addresses that you want to start your list with. You can export these from your client email program into a text file, and then bring up the file in a word processor program to clean it up. You can then cut and paste the names into your list program at the appropriate time.

I like Yahoo Groups for community and lists of a few dozen people or fewer, but it has two big drawbacks: First is a problem with setting up large lists quickly. Yahoo only lets you add 10 people a day to your list without asking them to opt-in. A second issue is that the Web list management interface is a bit confusing to figure out, especially for those recipients who want to use them but lack a Yahoo ID.

Mailman is a more professional program and gives you all sorts of control over features. There are many other email list software products; this is just one that I have been using for many years. I recommend the hosting provider EMWD.com. You can have fairly large lists of several thousand addresses without too much trouble, unlike Yahoo Groups. You need to obtain an account for a one-time fee of $10, and this will give you access to its Web-based control panels. This is more complex than Yahoo, but you have more control over things such as the header (what email address is used in the “from” field) and footer (what information goes in the bottom of each message, and can be used to promote your company or products). As I said, each list only costs $4 a month to operate. You might want to check and see if your own Internet provider offers more competitive pricing on Mailman hosting.

But this may not be enough for your purposes. If you want to add Web links in your emails and track who clicks on which link, such as for promotional purposes, then you want ConstantContact. You can try it for 60 days for free, and then depending on how many names are on your list, the price increases from $15 to $150 a month.

The advantage of ConstantContact is that you can send out very snazzy emails, with pictures, color, and those trackable links. The downside is that setting up a list takes some work. They also have some very impressive video tutorials on their site to help you learn more about using lists and social media. You can view these videos (even without an account) here.

Here are a few tips for sending out your emails to your list once you have it set up.

Limit the amount of self-promotional content to less than 20% of what you send out. Keep your emails information-rich and people will want to read them.

Weekly is the best frequency. If you can’t write something weekly, then every other week is a good alternative.

Brevity counts. Keep the emails to less than 600 words. People have short attention spans.

Don’t pile on the Web links. One or two links per email is fine.

Finally, have an archive. Think about archiving all your emails on your Web site. Mailman and Yahoo Groups do this automatically.  Good luck with your lists!

 


Don’t mess with your DNS

We tend to take it for granted, but you need to treat the Internet Domain Name System (DNS) with the respect that it deserves. And if you have some time to investigate alternatives, you could really enhance your network’s performance and security.

Before I tell you how to do this, let’s have a brief explanation of what DNS is. Think of what a phone book does: it allows you to look up someone’s phone number by referencing their name. The DNS does something similar, except for computers: if you type in “google.com” it translates that name into a sequence of four numbers, called an IP address. In this case, the IP address of google.com is 74.125.95.104.

The overall Internet infrastructure has a series of master phone books, or DNS root servers, located at strategic places around the world and maintained by a collection of public, semi-public, and private providers. They talk to each other on a regular basis; it’s important to make sure that they stay in synch as new domains are added. As you can imagine, if someone wants to “poison” one of the entries, or misdirect Internet traffic to a phony domain, it can be done with the right amount of subterfuge. A famous example of this occurred in 2008. In an attempt to prevent YouTube viewers in Pakistan from watching a single offensive video, a Pakistani Internet provider managed to block access to all of YouTube all around the world. A more comprehensive list of the various DNS attacks can be found here on Google’s site.

When you set up your network, typically you don’t give your DNS settings any further thought. If you have a cable or DSL modem, you hook it up and it automatically gets its DNS settings from the cable or phone company’s DNS servers. If you are running a large enterprise network, typically you have your own internal DNS server to provide this service.

There are several alternative providers, including OpenDNS and Google’s Public DNS, among many others that you can see listed here. Why bother? Two good reasons: 1.) they offer better browsing performance, and 2.) they provide better security to stay away from known phishing and malware-infected domains.

Before you pick an alternative DNS provider, you can use this Java program to test the speed of your own DNS vs Google and OpenDNS. Or you can read up on a couple of performance comparisons from Manu-j and Habitually Good here.

You can change your DNS settings for your individual computer or for your overall network. This is typically done at your DHCP server or cable modem or router. Any of the alternative providers offer their services free, and some, such as OpenDNS, offer a lot more than just the mapping of IP addresses too.

Here are the instructions for changing the DNS settings. The whole process shouldn’t take you more than a couple of minutes to read through them and implement the changes:

- OpenDNS

- Google Public DNS

These free services are just the beginning of a new series of other improvements called secure DNS protocol extensions and products, and you can check out these products and read more on this site to understand what is involved to deploy them.

 


Time to stop reusing your passwords

The recent exploits of various hackers in publishing passwords and user lists from Yahoo, Formspring, LinkedIn and others show that the biggest weakness isn’t having the right security technology, but you as a user! While certainly these sites could have done a better job with securing user data, at the heart of these exploits is a glaring lesson that we all can learn: It is time to develop a better password policy and stop reusing them amongst your various online logins.

It isn’t any mystery why password reuse runs rampant these days. We all have far too many login IDs to keep track of, and the easiest solution is to just reuse the same one (or a limited collection) over and over again. But this makes hacking into your online information child’s play: if someone can uncover the password from one place, they can run it through an automated routine and try dozens of others to see if you reused it. This is indeed what many hackers have begun doing, once they have confirmed one site’s credentials for your login.

And while IT managers can lock down their own email and database and Web servers with various internal policies, that doesn’t help matters if you reuse the same passwords (or even email addresses, as was discovered with the Yahoo hack) on online sites for your personal e-shopping and electronic banking. All it takes to gain access to your own network is to find an online site with weak password security and then trust that someone has reused the same password elsewhere.

A recent Washington Post poll found that 16% of all Internet users regularly reuse their passwords. It is time to stop this practice, and understand the dangers of password reuse. As Google says, “When you use the same password across the Web, a cyber criminal can learn the password from a less secure site and then use that password to compromise your important accounts.” The search giant has lots of great recommendations on personal password use on its UK blog.

Recently, one blog jokingly posted that children are being warned that the name of their first pet should contain at least eight characters and a digit. There is some truth to that, as many of us use our pet names in our passwords. 

While it is easier said than done, you need to limit the reuse of passwords and avoid using common words. Make sure that your passwords contain a mixture of upper- and lower-case letters, and include at least one number. (Or at least add these things to your pet’s name.) And if you are responsible for your IT operations, please enforce minimum complexity standards and educate your end users about the dangers of password reuse.
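One way to check the rules above against a set of logins, as an added example that is not part of the original post: it flags passwords missing upper-case, lower-case or digit characters, passwords built on a common word, and any password shared between sites. The word list, the minimum length of 8, the site names and the sample credentials are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed, deliberately tiny word list; a real deployment would load a
# much larger list of common and breached passwords.
COMMON_WORDS = frozenset(
    {"password", "letmein", "qwerty", "welcome", "dragon", "monkey"}
)

# Constructed sample logins (site, password) used only for this demonstration.
SAMPLE_CREDENTIALS = [
    ("webmail.example", "Fluffy2012"),
    ("shop.example", "Fluffy2012"),
    ("bank.example", "tR7vq9Lm2xWd"),
    ("forum.example", "password1"),
]


def policy_violations(password, min_length=8, banned=COMMON_WORDS):
    """Return the complexity rules this password breaks (empty list = passes).

    min_length=8 is an assumption; the post only asks for mixed case,
    at least one number, and no common words.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    # Strip digits and symbols so "password1" is still caught as "password".
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if any(word in letters_only for word in banned):
        problems.append("common_word")
    return problems


def fingerprint(password, key):
    """Keyed HMAC-SHA256 of the password, so the reuse index built below
    holds fingerprints rather than the passwords themselves."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(credentials, key):
    """Group sites that share an identical password.

    Returns a sorted list of sorted site lists, one per reused password.
    """
    sites_by_fp = defaultdict(list)
    for site, password in credentials:
        sites_by_fp[fingerprint(password, key)].append(site)
    return sorted(sorted(sites) for sites in sites_by_fp.values() if len(sites) > 1)


def audit(credentials, key):
    """Map each site to its list of findings: policy violations plus 'reused'."""
    reused_sites = {site for group in find_reuse(credentials, key) for site in group}
    report = {}
    for site, password in credentials:
        issues = policy_violations(password)
        if site in reused_sites:
            issues.append("reused")
        report[site] = issues
    return report


if __name__ == "__main__":
    # A fresh random key per run: fingerprints are only comparable within a run.
    run_key = secrets.token_bytes(32)
    for site, issues in audit(SAMPLE_CREDENTIALS, run_key).items():
        print(f"{site}: {', '.join(issues) if issues else 'ok'}")
```

Note that a password such as the pet-name one in the sample passes every complexity rule and is caught only by the reuse check, which is the post's central point.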

 


Should your next laptop have a solid state hard drive?

Now that you can get solid state hard drives (SSDs) on most laptops, it might be timely to consider purchasing one. These drives are somewhat of a misnomer: there is no rotating media, unlike the vast majority of hard drives that you have used since your first PC. Instead, they contain a bank of memory chips, like the ones used in PC memory (RAM). They have two issues: the capacity of the hard drive is generally less than the traditional disk. While it’s rare to find a laptop that has less than a 350 GB hard drive, it’s unusual to find SSDs with more than 256 GB of capacity. They also cost more money too.

In June, Apple announced new MacBooks with SSD options: previously, they were only available in the MacBook Air models. Here is an example from Apple’s website showing the options available (the SSD will cost you at least $200 extra):

[Screenshot: Apple MacBook Pro hard drive and SSD options]

They are also available as options from Dell and other PC makers. Here is a screenshot from the Dell ordering website where you can see you’ll end up paying up to $230 extra for the SSD:

[Screenshot: Dell.com Latitude hard drive and SSD options]

So given that you will pay more for less storage, why bother? One big reason is performance. Your websites will load a lot faster. You can switch from one window to another in an instant. If you are doing tasks such as video or photo editing, you will notice that your computer works much faster when it has to save or read your files. To get an idea of the various manufacturers’ price/performance, check out AnandTech’s benchmarking page here.

You can also get a better-performing hard drive for less money than an SSD. On the screenshots above, you can see Dell offers a 7200 rpm drive for less than the SSD. This number refers to the speed of the rotation of the drive: traditional drives usually operate at 5400 rpm.

You can also buy a laptop with the smallest traditional rotating media and replace it with an after-market SSD too, if you are handy enough and patient enough to re-install the apps and operating system.

So, should you take the SSD plunge? If your storage needs are modest, or if you can offload your biggest files to an external drive, and if you want the lightest laptop and don’t mind spending the extra dough, then yes. Figure on spending at least $900 to $1,200 for current SSD-enabled laptops. If you need more than 128 GB of storage or are price-sensitive, then wait and stick with traditional rotating media for now.

 


Toy Story 2 and Why Backup Matters

Pixar’s Toy Story 2 was almost inadvertently deleted due to some careless keystrokes and a bad backup. Check out the nerve-wracking video on Tested.com.

Like many of you, I have also lost data from time to time as a result of stupid decisions, or a misplaced command (as with the Pixar folks) or even worse circumstances. It is worth recounting some of those tales to show you how important it is to start thinking about your backups.

Backups usually only matter when you lose something, and then you go into a panic state trying to figure out what you actually lost and where you can retrieve the most recent copy of your files. A survey from Mozy found that a mere 15% of small companies actually use cloud backup to protect their business. So why not take some time now and come up with a solid backup strategy for all of your data? Obviously, using a cloud-based backup service such as Mozy is one part of the picture, but you should also consider some other things. Here are a few things I’ve learned from my past mistakes.

Files Aren’t the Only Thing to Back Up

One of the most important things that I do is write a weekly email newsletter to my clients and potential clients. I have been doing it for 16 years or so. The LISTSERV was once maintained by a friend of mine, on a machine sitting in a second friend’s basement. Well, that arrangement wasn’t working for me when the basement flooded and the machine had to be taken offline. I realized that the only thing that I didn’t have a backup copy of was the actual email names on the list itself, which were easily obtained by sending the listserv a simple command. Luckily, the server was eventually brought online and I could get the names from it. Now I send that command every week to get a fresh copy of my subscribers. This could happen to you: part of a good backup strategy is remembering things such as my email list that don’t fit into neat categories or simple files that are on your own hard drive.

Keep Backups of Backups

Another time I lost my laptop from the trunk of my car: I was in a suburban shopping mall and someone saw me put some packages in the trunk before I headed back for some more shopping. Luckily, most of what was on that laptop was backed up, or so I thought. My emails were using Lotus Notes, which automatically backs up the entire stream on my company servers. When I got a replacement, some of the email addresses were missing. Where did they go? No one knew. This shows that you should never take anything for granted, and have backups of your backups.

Don’t Trip Up on Trips

As a result of losing my laptop in this way, whenever I travel I think about what would happen if it were stolen or lost. I try to always have a backup of the new work that I created on the road on some other device, such as in the cloud or on a USB stick that I carry separately.

How often have you been working on a document, only to have the computer freeze up and lose some work? This is a minor nuisance, and most modern versions of word processors have auto-save features, but still. Be prepared.

Test Your Systems!

How did it end for Pixar? Luckily, one team member had made her own independent backup copy and took it home. This gets across my final point: always test your backups to make sure they are actually current and you can restore something from them.

 

 

Save time and money with online meeting tools

If you’re like me, you probably hate attending business meetings. Luckily, a number of useful Internet-based tools can help workgroups schedule and run them more effectively. All of the tools here work within most popular Web browsers, and most of them are available for free or for fairly low monthly fees. The challenge is in understanding which tool suits a particular situation, because not every meeting is held under the same circumstances. Let’s look at some of the differences.

Synch Your Calendars

Certainly the most common situations are those where you want to synchronize a common calendar, such as between someone’s PDA and his Microsoft Outlook desktop, or between a boss’s calendar and an assistant’s. Many services can make sharing calendars between work team members (or even between family members or friends) easier. Both Google Calendar (shown below) and Yahoo Calendar offer free calendar sync, and numerous other products–including Apple’s iCal for its computers and iPhones, along with NuevaSync–work with both services. BusySync and Spanning Sync also can synchronize Apple’s iCal calendars with Google Calendar.

Let Clients Set Up Their Own Appointments

What if you want your clients or any other people not employed by your company to book your time directly? In the long-ago past, appointment secretaries would be in charge of the boss’s calendar and would set up meeting times with pencil and paper. Now you can point clients and outside colleagues to self-service appointment Web sites, such as BookFresh, Tungle.me or TimeDriver. These sites can display your staffers’ free and busy times, as well as what remaining time “inventory” is available for appointments. They also send out e-mail notifications, and they don’t require any special software beyond a Web browser to confirm the appointment. You can easily adjust the schedule when you are going out of town or are otherwise unavailable, too. These services are available for a reasonable cost: TimeDriver has a free 90-day trial and is $30 a year thereafter; BookFresh offers three different plans, including a free one that allows two monthly bookings. Tungle (shown below) is free for the moment.

Set Up a Common Meeting Time

How about a situation where you want to arrange a common meeting time for people coming from different companies? A meeting organizer could send out an e-mail notification with a series of possible open times, and ask each participant to check off which of those times work for them. But if you have ever tried to organize this kind of meeting, you know how quickly you can get buried under all the back-and-forth e-mail responses.

The free services SetMeeting.com (from Meeting Agent) and Doodle.com are useful in this respect. SetMeeting.com’s biggest weakness is that once you initiate the process it doesn’t allow you to change the meeting location without canceling and starting from scratch. Doodle, which is less sophisticated and has fewer features, is really more of a polling device to help you find a common time; but you may find it attractive if that’s all you wish to do.

As you can see, there are a variety of simple websites that can be used to enhance your meetings. Now if only there was an app that could make the actual meetings shorter.

 

 

How to share simple databases online

If you are part of a business, sooner or later you want to be able to collaborate on a database with a colleague or customer. In the past, the easiest way to share a small database was to create a spreadsheet and email it to your collaborators. While this isn’t the best method, it has withstood more sophisticated competition.

For many people, the spreadsheet is still one of the most popular low-end database applications. The rubric of a table of rows and columns is easily understood and can easily be used as a way to view records and fields of a database. Plus, you don’t need to design special reports to view your data entries, and you can easily sort your data without having to create data dictionaries or other database structures; just use the appropriate Excel commands.

But emailing attachments can get tiresome, particularly if you have more than one collaborator. Having a specialized service that can share this data makes it easier, and you always have the current version of the data you are working on. Enter the online spreadsheet/database service provider.

Using these online spreadsheet services is very straightforward: you either copy and paste data or take your spreadsheet and upload it to the service, after creating accounts for you and your collaborators. Then you can make changes via your Web browser; no other software is required. Some of the services allow for more bells and whistles. Setup time is minimal; your data is properly protected by the service and safe from harm. And you don’t need to learn any Web/database programming skills either.

Pricing and support

When you decide on the particular service, it pays to read the fine print about pricing. There are discounts for annual subscriptions on most services. All of these services have 14-day or 30-day free trials to get started, so you can get a feel of what is involved in manipulating your data and how easy it is to make changes, produce reports, and receive notifications. TrackVia has a free plan that is a great way to get started with these services.

The downside is that some of these services can be pricey, as you add collaborators or different spreadsheets. Each service has different ways to count actual “users”. For example, if you want to jointly edit the same spreadsheet with two others — that usually counts as a three-user license. But if you want others to just view your data but not change it, these users usually don’t consume additional licenses.

Customer support can be extra too. TrackVia, HyperBase, and QuickBase all include phone support in their offerings, and TrackVia actually emails you automatically with the name and phone number of an account rep should you need additional help.

Distinguishing features

Let’s touch on some of the services’ distinguishing features. First is how they notify you of changes to your file’s content. Some services give you more control over how they will email you when one of your collaborators has made changes. Another feature is publishing your data, if you want to invite others to view it. While this throws all hope of security to the winds, for less-secure information it is a great way to start a collaboration process. Some services can design very sophisticated reports while others show you your data in the familiar grid layout that Excel uses.

Another thing to look for is how each service loads your data: with some, you can upload an Excel file from your hard drive, while with others you have to either import a comma separated file or manually cut and paste your data from your spreadsheet. Why is this important? If you have more than a simple table of numbers, cut and paste will probably not work and you will have some cleanup to do after the import.

Finally, there is the consideration of how much control they give you over the look and feel of your data. Some of the services, such as TrackVia and QuickBase, have dozens of pre-built templates to help you get started with organizing your data, such as client contacts, issue tracking, or expense reports. With the others, you are left to be your own designer.

One caveat: Web services are constantly being changed, especially prices, as the vendors tweak their offerings. This analysis is based on what we saw in mid-April 2012, so do spend some of your own time checking out particular features that are deal-makers or breakers for you.

So what services are available?

- Smartsheet.com: $16/mo for 10 spreadsheets, 3 GB

- HyperBase: $600 per year for 5 users

- TrackVia.com: Free for 5 users and 1 GB, paid plans available

- Intuit QuickBase: $299/mo for 10 users, 1 GB for entry plan