Bryley Basics: Scammer YGDNS.org

/in , /by

We received a seemingly legitimate email from YGDNS.org professing to square-away the ownership use of our domains, Bryley.com and Bryley.net, in China; the email was marked “urgent” and came with a person’s name, business address, etc.

I queried Mike Carlson, our CTO, who gave this reply:  “No serious problems, but certainly a scam. If you reply you will be offered the opportunity to register the domains along with other overpriced services.

Google search of “ygdns.org.cn” finds a couple well-written articles that indicate that this ygdns group has been doing this for a while, and if you respond take the extra step of calling. The calls are of the type “This needs to be fixed today!”; hoping to get a “yes” from whomever answers the phone by stressing the perceived urgency.

Note the fact that it was sent…with “Please forward… …this is urgent” line. Any legitimate registrar conducting a legally or procedurally required inquiry would send the request directly to you, to me, or our shared network operations mailbox. These are the publicly-available addresses associated with the bryley.com and bryley.net registrations. I’ve checked my mailbox, junk mail folder, and done the same on the network operations mailbox. Nothing from this company.”

So, we did not respond to any inquiries from YGDNS.org and advise the same to all.

Password manager

/in /by

The days of widespread, biometric-based security (voice recognition, fingerprint reading, eye scanning, etc.) are coming, but passwords are still required in many organizations and at most websites.  The problem:  How do I manage (let alone remember) all of the different usernames and passwords I have out there?

Personally, I use Tasks within Microsoft Outlook, which is secured by my network login:  Within a folder I titled “Usernames”, I create a task for each application and website and then copy-in the date and user information.  This limits my “need to remember” to only one complex password (my network login).  However, I must have access to my Outlook account to retrieve all other user information.

There are better tools called password managers.  These are software applications that “help a user organize passwords and PIN codes”1, which are held in a secure, encrypted file or database.  Many include the ability to automatically fill-in a form-based webpage with the username, password, and any other login credentials.

Most password managers can be categorized thus:

  • PC based – Application running on your PC
  • Mobile based – Application running on your tablet or smartphone
  • Token-based – Requires a separate smartcard, memory stick, or similar device to authenticate
  • Web-based – Credentials are located at a website and must be viewed and/or copied from this site
  • Cloud-based – Credentials are web-based, but are securely transferred for processing to an application running on your PC or mobile device

Most password managers are hybrids and many fit into two or more categories, but all share one trait:  You still need a master password to access your information (although some offer two-factor authentication).

Important characteristics include:

  • Access – Accessible from all devices and browsers
  • Detect – Automatically detect and save from any account
  • Secure – Advanced encryption, two-factor authentication, etc.

Pricing varies from free (for the slimmed-down, single-device versions) to annual subscriptions that range from $9.95 to $49.99 per year.

Several publications2 have reviewed password managers; the top performers:

  • LastPass 3.0 – Cloud-based and powerful yet flexible; free version available, but upgrade (at $12/year) to LastPass Premium for mobile-device support
  • DashLane 2.0 – Feature laden with an easy-to-use interface; free version, but $29.95/year to synchronize all devices and get priority support
  • RoboForm Everywhere 7.0 – Cloud-based at $9.95 for first year

Other password managers (in alphabetical order):

  • 1Password for Windows – $49.99 per user
  • F-secure Key – $15.95
  • Handy Password – Starts at $29.92
  • KeePass – Free
  • Keeper – Subscription at $9.99/year
  • My1login – Free for 1 to 3 users; $22 for 4 to 10 users
  • Password Box – Free version with subscription at $12.00/year
  • Password Genie 4.0 – Subscription at $15.00/year
  • PassPack – Free version with subscription at $12.00/year
  • PasswordWallet – $20.00

I like LastPass; the free version is easy to use and my login data is available from anywhere (with Internet access).  Plus, I like having the application locally on my PC (even though my data is stored at LastPass in encrypted format).

1. Taken from Wikipedia at http://en.wikipedia.org/wiki/Password_manager.

2. Recent password managers reviews:

They’re back: Telephone scammers

/in /by

Yes, they have returned:  The IRS and National Grid are both warning of telephone scammers that call and demand fictional, past-due payment.

The IRS scammers1 are very specific; they call and threaten immediate arrest, loss of driver’s license, and seizure of assets.  They may leave a message requesting a callback; follow-up callers may pretend to be from the local police or the DMV.

Characteristics of these scams can include2:

  • Scammers use fake names and IRS badge numbers. They generally use common names and surnames to identify themselves.
  • Scammers may be able to recite the last four digits of a victim’s Social Security Number.
  • Scammers “spoof” or imitate the IRS toll-free number on caller ID to make it appear that it’s the IRS calling.
  • Scammers sometimes send bogus IRS emails to some victims to support their bogus calls.  (Note:  The IRS does not use email to contact taxpayers.)
  • Victims hear background noise of other calls being conducted to mimic a call site.

Best advice:

  • Do not engage the caller in a conversation
  • Do not provide personal information
  • Hang-up the phone immediately
  • Call the IRS at 800-829-1040

National Grid3 will call and request payment and will notify of potential for service interruption due to non-payment, which makes it tougher to separate a legitimate call from a scammer.  If in doubt:

  • Ask the caller to provide the last five digits of your National Grid account
  • Do not provide your account number or any other personal information
  • Contact National Grid at 800-322-3223

1. Thank you to Nancy Goedecke, EA, of Taxes and Money Management who provided the notice on the IRS scammers.

2. Taken from http://www.irs.gov/uac/Newsroom/IRS-Releases-the-“Dirty-Dozen”-Tax-Scams-for-2014;-Identity-Theft,-Phone-Scams-Lead-List.

3. Taken from National Grid’s July/August 2014 issue of WeConnect.

Maintaining your dynamic website

/in , /by

Guest writers: Al Morel, Carlos Ramos, and Dan Rouse of www.CommAreUs.com

Your car, house, and most things in life, take some amount of maintenance. Add to that list your website. A website can be comprised of thousands of files working with all kinds of tools and underlying code.

The days of ‘static’ websites, i.e. built with just HTML, is essentially over for most organizations. This article will speak to the steps to take when using a Content Management System, CMS, such as WordPress.

Your essential strategy is: BackupandUpdate.

Backup

This is your ‘get out of jail free’ option. Even if your website gets totally hacked, you forget to pay your hosting bill, the data center in Utah gets hit by a meteor, you should still be able to roll back and get your website back up.

With a dynamic site, it’s a little trickier because you have the site files such as the HTML and images, graphics, etc. And then there’s the database files, which in the WordPress scenario, starts at several thousand files.

The traditional method of backing up a site involves the lengthy process of manually backing up all your site’s files, exporting your database, and finally moving everything somewhere safe. There are software additions (called ‘plugins’ in the WordPress world) that will simplify this process and even automate it for you.

We add a plugin with all of our builds that lets you quickly backup, restore, and migrate a site – often times with only a single click. Most backup plugins will offer two different types of backups: full and database. Full covers all site files and the database, the database option only includes the database. The full backup is the safest bet and is generally the recommended option, however the database only backup might be more appropriate if you’re simply experimenting with settings on a plugin, or some other activity that only involves the database.

One key feature and advantage over manual backups, is that using a backup plugin allows you to set up an automatic backup schedule. For example, we recommend our clients schedule a weekly backup of the database and a monthly full backup. Manual backups can also be performed whenever needed.

In addition, most plugins have the capability to back up the site to your hosting server and to another source as well. So you can have redundant backups to a third party service such as Amazon S3.

 

Update

It is critical to schedule regular updates of your website as well. In WordPress, there are regular updates to the core code and also plugins. Your administrative interface or ‘dashboard’ will tell you when to update.

It goes without saying that no update (WordPress or Plugin) should be done before a full backup has been made.  Your dashboard will go to great lengths to tell you to backup first, so don’t ignore them! Although we haven’t seen many updates go wrong, it can happen.

Generally, we recommend to our clients that updates be applied as soon as they are available for security and stability reasons.

Once you have your backup completed, proceed to the Updates screen in the WordPress Dashboard. From here you can update WordPress, plugins and your themes. If you have an update to WordPress and plugins waiting, perform the WordPress update first, then proceed to update your plugins.

It’s worth noting that in recent WordPress releases (security and maintenance related) are installed automatically to promote better security.

 

The problem with Heartbleed

/in , /by

Heartbleed is a much-publicized security flaw in the OpenSSL cryptography library; an update to this OpenSSL flaw was published on April 7th, 2014, which was (coincidentally?) the same day that the flaw was disclosed.

OpenSSL runs on secure web servers certified by trusted authorities; it is estimated that about 17% of secure web servers may be vulnerable to an attack based on the Heartbleed flaw, which could compromise the server’s private keys and end-user passwords and cookies.

Fortunately, most organizations with secure web servers have taken steps to identify and fix this flaw.  And, to date, no known exploitations of this flaw have taken place.

Unfortunately, this flaw has been around for over two years and leaves no traces; if exploited, there would be no ready evidence that anything was wrong.

At the moment, there is not much any end-user can do except to logout of any secure web server that has not been patched.  (See http://filippo.io/Heartbleed/, a site created by Italian cryptographer Filippo Valsorda, which claims that it can identify unpatched servers.)

Http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/index.html contains an informative article and video by Jose Pagliery at CNN Money.

Living with Windows XP

/in , , /by

Microsoft has officially ended general support of Windows XP, but many have not updated or replaced their Windows XP PCs.  Although we recommend against continuing to use Windows XP, particularly in any Internet-facing role, there are some steps that can be taken to reduce the risk of remaining on this platform.

The easiest, but least practical solution would be to disconnect all Windows XP PCs from the Internet or to limit their access to the Internet.  This step could exclude exposure to outside sources, but reduces the effectiveness of these PCs.

The second-most effective strategy would be to replace older versions of Internet Explorer (IE) with a supported Internet browser; replacing IE with Mozilla Firefox or Google Chrome will reduce, but not eliminate, the risk of using a Windows XP PC to browse the Internet.  (Windows XP originally released with IE 6, but most Windows XP systems are now running version 7 or 8.  The current version of IE is 11.)

Updating to Mozilla’s Firefox is easy:

Please see http://www.zdnet.com/windows-xp-support-ends-survival-tips-to-stay-safe-7000028188/ for more information from Charlie Osborn of ZDNet.  Or, visit http://www.computerworld.com/s/article/9246877/US_CERT_urges_XP_users_to_dump_IE?source=CTWNLE_nlt_pm_2014-03-11 for a similar message from Gregg Keizer of ComputerWorld.

Additional steps to reduce Windows XP risk include:

  • Disable the ability to add new applications to a Windows XP PC
  • Remove administrative rights of all Windows XP users
  • Disable ports and drives on Windows XP PCs

See the article from Toby Wolpe of ZDNet at http://www.zdnet.com/windows-xp-support-end-10-steps-to-cut-security-risks-7000028193/.

98% of mobile-device malware attacking Android (DROID) phones

/in , , , /by

Worldwide, a significant portion of the population owns and uses a smartphone;  mobile users search Google over 5.9 Billion times daily while over 6 Billion hours of YouTube are watched each month on mobile devices.  (Statistics taken from a presentation by Intel Corporation at the MOBILE World Congress 2014.)

Since most smartphones are based on Google’s Android operating system, these are the primary targets of malicious attacks.  Kaspersky Labs, a prominent anti-virus software manufacturer, reports that 98% of malware targeted at mobile devices attacks Google’s Android (DROID), which confirms “both the popularity of this mobile OS and the vulnerability of its architecture”.

Suggestions for DROID (and other smartphone) owners to suppress malware:

  • Keep your mobile phone updated with the latest patches
  • Deploy an anti-malware application

Visit http://blogs.computerworld.com/mobile-security/23577/98-mobile-malware-targets-android-platform for the entire article by Darlene Storm at ComputerWorld.

Fitness regime for your IT equipment: Keep it clean, cool, and empowered

/in , , , /by

IT (Information Technology) equipment is somewhat temperamental; it requires reasonable temperatures; stable, uninterrupted power; and some air flow to operate efficiently.  Cleanliness is important.  Here’s how to keep it toned.

IT equipment should be kept in a clean, neat, and (preferably) dust-adverse/static-resistant area; walls with painted surfaces, tiled or coated floors without carpeting, etc.  Fire-suppression equipment is a plus, but cannot be water-based.

Access should be restricted; a separate, locked room is ideal, but a closet with sufficient space and air flow can work for smaller sites.

Dust is the enemy of fans and electrical components; a reduced-dust environment and regular cleaning of equipment fans can lengthen the life of most items.  (Note: cleanings should be performed when equipment is powered-down, which is not always desirable or feasible.)

The area should have dedicated electrical circuits with sufficient amperage to match the power requirements of the equipment.  We also recommend an Uninterruptible Power Supply (UPS) for all critical items (and require them for equipment that we cover under our Comprehensive Support Program); the UPS provides emergency power when the input-power source is unavailable, but it also helps to regulate fluctuations in power, both spikes/surges (voltage overload) and brown-outs (reduction in voltage) that can damage sensitive equipment.

Cooling and humidity control are very important; most equipment runs optimally within a narrow range of temperature (64° to 81° Fahrenheit) and a maximum range of relative humidity of 60%.  HP, in an effort to be “greener”, lists current specifications on its DL360 server that provide a wider range of 50° to 90°F with 10% to 90% humidity (non-condensing).  However, cooler temperatures do make things last longer.  (The DL360 will actually throttle-back the CPU when the air-inlet sensors detect temperatures over 85°F.)

The area should have continuous air flow (to provide new, cool air while removing heated air that is exiting the equipment) and remain uncluttered to facilitate this air flow.  A dedicated A/C unit combined with a closed door is optimal; locating all equipment within a rack enclosure (with blanking panels over open areas) can enhance air flow.

TechAdvisory has 9 tips at http://techtimes.techadvisory.org/2011/11/9-steps-you-must-know-to-prevent-a-server-crash/.

Comparing Cloud-based services – Part 4: Prevention

/in , /by

Many Cloud-based services fall into one of these categories:

  • Productivity suites – Applications that help you be more productive
  • Storage – Storing, retrieving, and synchronizing files in the Cloud
  • Backup and Recovery – Backing-up data and being able to recover it
  • Prevention – Prevent malware, spam, and related components
  • Search – Find items from either a holistic or from a specialty perspective

In this issue, we’ll explore popular, Cloud-oriented options within Prevention, the highlighted item above, and compare them with one another.

Prevention is a necessary evil; it can slow end-point performance (since these tools are using computing resources to constantly scan for problems), but it is critical in keeping end-users safe from external threats like spam, malware, and viruses.  Cloud-oriented Prevention includes:

  • Email protection – Control spam plus encrypt and archive emails
  • End-point security – Secure end-user computers against attacks
  • Web filtering – Prevent unauthorized access to undesired websites

Email protection is wholly Cloud-based, but end-point security tools usually deploy an application onto the end-user computer while web filtering requires at least an adjustment to (ie: setup a proxy server), or an application installed on, the end-user computer.  We’ll cover only Cloud-based, email protection in this article.

Key issues for email-protection options include:

  • Administration – Easy setup and enforcement
  • Effectiveness – Works reliably and consistently
  • End-user interface – Intuitive, secure, and easy-to-use
  • Granularity – Allows multi-level policies and permissions

Popular, email-protection options (alphabetically) include:

  • Google Message Secure (formerly Postini; now bundled within Google Apps)
  • McAfee® (now Intel Security) SaaS Email Prevention and Continuity
  • Microsoft® Exchange Online Protection
  • ProofPointEssentials Business
  • Symantec Email Security.cloud (formerly MessageLabs)

Google Message Secure (GMS)

GMS was one of the best products at an excellent price of $12/user per year.  In 2013, Google discontinued GMS as a stand-alone service and bundled it within Google Apps.  Former GMS clients will retain the $12 pricing for a period of time, but will eventually pay the Google Apps for Business price of $50/user per year.

Visit http://www.google.com/postini/ for details on this transition.

McAfee SaaS Email Prevention and Continuity (MEPC)

Intel is currently rebranding McAfee within Intel Security; no timeframe on the conversion, but the McAfee logo (a red “M” on a shield) will remain associated with these services.

MEPC prevents spam, but also includes Continuity, which allows end-users to retrieve and send email even if their email service is unavailable; once the email service becomes available, all emails received and sent via MEPC are then resynchronized with the email service.  The price is $27/user per year.

McAfee also offers email encryption and email archiving.  (Please visit our site at http://www.Bryley.com/services/email-management/ for details on MEPC and related offerings.)

Microsoft Exchange Online Protection (EOP)

Microsoft provides email protection and archiving within its Office 365 suite, but also offers it as a stand–alone service under EOP, although it is directed solely at Exchange-based email.  In addition to spam and malware prevention, you can establish content and policy-based filtering to ensure outbound emails do not violate company standards.  Price is $12/user per year.

Visit http://office.microsoft.com/en-us/exchange/microsoft-exchange-online-protection-email-filter-and-anti-spam-protection-email-security-email-spam-FX103763969.aspx for details on EOP.  Or, visit our site for information on

Office 365 at http://www.Bryley.com/office365/.

Proofpoint Essentials Business

Proofpoint Essentials Business is a comprehensive offering that classifies security threats and then manages against their intrusion.  Outbound filtering, content filtering, and 14-day spooling are included; archiving is also available.  Proofpoint Essentials Business starts at $26.40/user per year.

Please visit http://essentials.proofpoint.com/ for more information.

Symantec Email Security.cloud

Symantec recently acquired MessageLabs spam filter and rebranded it within their Symantec.cloud services under Email Security.cloud.  It protects against targeted attacks, malware, spam, and the like using proprietary Skeptic technologies.  Content filtering is included; email encryption is available.

See http://www.symantec.com/email-security-cloud for details.

CryptoLocker Case Study

/in , , /by

The following event depicts a real-life malware attack that infected a New England manufacturing firm. The company has chosen to share its story anonymously to help other businesses avoid a similar fate.

The unsuspecting sales rep certainly reacted in a way anyone would expect. He received an email with a voicemail attachment that looked like it came from the company CEO. When the CEO calls, reps jump to attention, and at this particular manufacturing firm based in New England, the business relies on a communication system that sends voicemails as email attachments. So the sales rep had no reason to suspect anything was wrong.

As it turns out, something was very wrong.

Click the link below to read the full article.

Bryley — CryptoLocker Remediation — 2013