Over the years, the IT landscape has changed dramatically.  Every few years brings the release of a new software platform from Microsoft, or the next innovative design from Apple.  And the refractory period between each new product release has shrunk considerably and innovation brings exciting new solutions to market.

Unfortunately, as the technology has evolved, so have the threats that face it.  Every day, security problems grow with more sophisticated external and internal threats that have more channels into your network.  Traditional firewalls are no longer capable of keeping up, so how can you stay strong?

Ever heard of a Next Generation Firewall?

You’re thinking, “I already have a firewall, why should I buy a new one?”  But ask yourself a few questions: What applications are running on your network?  What exactly is consuming your bandwith?  Where is your network traffic coming from?  What Web 2.0 apps are being accessed and what ports are they coming through?

Chances are, you don’t know.  And that’s perfectly reasonable, because a typical network solution can’t provide these answers.  You’ll also be surprised by how much bandwith you’re unwittingly dedicating to Facebook and Netflix.

Approximately 25% of all office Internet traffic is non-business related.  Chances are your company network is exposed to malware such as Trojans that can deliver botnet agents or worse.  And, not to make the situation seem worse, many of these attacks succeed without user knowledge or involvement.

“But what about the anti-virus software on my computer?” you might be wondering.  An excellent, excellent question.  It’s certainly no unnecessary.  If a virus has a chance to attack before your computer’s anti-virus can take effect, your whole system is compromised.

Firewalls on the other hand are less susceptible to viruses.  Running anti-virus from your firewall provices a layered security approach whereby traffic is scanned at the edge of the network rather than at various points on the inside.  Having this gateway anti-malware layer will significantly  reduce your operational risk.

And unlike mupltiple point solutions, such as stateful firewalls, intrusion prevention, URL filtering, and remote access appliances – all of which require seperate support contracts and distinct subscriptions – Next Generation Firewalls featured Unified Threat Management.  That way, you get comprehensive security, intrusion prevention, and content filtering from a single device.

These new firewalls provide an unprecedented level of security.  Next Generation Firewalls identify, categorize, and control network traffic using Deep Packet Inspection, which goes through every byte in every packet as it enters and exits your network to identify the applications that are in use and who is using them.  This includes Web traffic, e-mail, compressed file transfers, IM, P2P… everything that has anything to do with your network gets the full enterprise-class protection it deserves.

This may sound like it would drastically reduce your network speed, but the Next Generation Firewall actually has near-zero latency.  Not only will your network be better protected, it will be faster as well.

Next Generation Firewalls are equipped with something called Application Intelligence and Control which gives you the visibility you need to prevent threats.  Instead of a flurry of numbers running across your screen, you get a clean picture of what applications are being used in real-time.  Now you can enforce your policies, guaranteeing bandwith prioritization and ensuring maximum network security and productivity.

Next Generation Firewalls also access a continuously expanding cloud-based threat signature database, which means that even if your device hasn’t ever encountered a particular instance of malware, it is smart enough to detect and reject it.

That’s why Responza is partnering with SonicWALL to provide you with a totally managed Next Generation Firewall, complete with Unified Threat Management, Deep Packet Inspection, and Application Intelligence and Control.

Questions?  Want to protect yourself better?  Give me a call at (206) 762-5100 or shoot an e-mail to solutions@responza.com.

To learn more Responza’s stance on network security, visit www.responza.com/firewall.html.

Back in August, Australians were warned by Microsoft of a phone scam that fools people into giving cold callers their cash. Microsoft issued a press release, hoping they could nip this one in the bud, but the scamming seems to have spread to the U.S. Here’s how the scheme works:

Someone claiming to represent Microsoft or one of its brands contacts the victim and tells them that their computer has a problem, an infection, or a virus that Microsoft’s scanners were able to detect. The scammer then directs the victim to a website that allows the scammer to remotely control the computer. Finally, the scammer shows the victim these “problems,” and convinces the victim to pay for “services” rendered.

People: please don’t get fooled by these types of calls. Scammers are simply tricking people into believing that a problem exists when it really doesn’t. Sure, there might be something wrong with your computer, but wouldn’t you rather have someone you trust check it out?

And the sad thing is that even if something is actually wrong with your computer, Microsoft would never contact you first. You – or your trusted IT managed services provider – would need to create a support ticket with Microsoft. I’ll say this again: they will never contact you first.

So while it seems like you’re always shelling out for the latest from Microsoft, this is one case where even they say it’s safer to just hang up.

Security problems are getting worse. Systematic attacks are coming from kids, thieves and spies. Every day, we read about some break-in or other types of security compromises. Witness the recent major Sony break-in.
PCs can be compromised any number of ways. An infected machine can take hours to scan and clean. When things don’t go well it can take a day or more to get the machine rebuilt and reconfigured.
No one likes downtime.

These steps can prevent the majority of potential hacks.

1. Don’t open email or browse the web while logged in as an Administrator.
Administrator accounts are only suitable for (un)installing software and changing computer configurations. If an admin account is exposed to malware the computer is more likely to be compromised to the core. That’s just making it easy for hackers.

If a computer login account is an admin and those rights are needed, do the following things:
- Go to control panel and create a local administrator account for the primary computer user with a strong password (see #3).
- Change the regular login account to a limited user account.

2. Keep your PCs patched.
Patches are usually applied by the IT department when they don’t interfere with work – at night or on weekends. Find out when the PCs are patched and leave computers on. Log off and let the system apply the patches that have passed testing.

Monitors can be turned off to save power.

3. Don’t use a simple password.
When other people get infected with malware (such as the Conficker worm) their machines continuously attempt to breach passwords of the machines around them (as many as three million guesses per hour for an indefinite period of time). The machines do this by downloading dictionaries of all known words and numbers and trying them in various combinations and with common letter substitutions. For example, P@$$w0rd42 is actually not a strong password, even though it will stand up longer than Princess42.

Use a passphrase to create a strong password. “All work and no beer makes Homer go crazy!” becomes Aw&nbmHgc! The phrase is difficult to guess, easy to remember and can just be repeated as each character is typed. An easy reminder can be kept without compromising the account that says password=crazybeer.

4. Turn off two simple settings in Adobe Acrobat and/or Adobe Acrobat Reader.
Half of all machines are infected by exploiting Adobe vulnerabilities.
a. Launch Acrobat or Acrobat Reader.
b. Click Edit.
c. Click Preferences – We are going to make two changes.
d. Under Categories on the left side, click JavaScript, then clear the box that says “Enable Acrobat JavaScript in the right window.”
e. Under Categories on the left side, click Trust Manager. In the right window, clear the box under PDF File Attachments that says “Allow opening of non-PDF file attachments with external applications.”
f. Click OK to accept the changes.

5. Call Responza to assist in patching applications.
Periodically, machines may prompt an update of Java, Flash, Acrobat Reader, Firefox or some other application that are prevented from automatically launching by security settings. In such instances, check with the IT department before accepting updates. Sometimes, updates break applications or cause weirdness in PCs. Responza’s IT Pros can assist with patching processes.

Call your Responza IT Pro if you have any questions about security and policies for protecting your business data: 206-762-2100.

We are aware of fraudulent digital certificates issued by Comodo – a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows – that could affect many users.
Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

Certificates for the following Web properties are affected:
. login.live.com
. mail.google.com
.www.google.com
. login.yahoo.com (3 certificates)
. login.skype.com
. addons.mozilla.org
. “Global Trustee”

Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.

An update is available for all supported versions of Windows to help address this issue.
Typically, no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information about this update, or to manually install this update, see Microsoft Knowledge Base Article 2524375 (http://support.microsoft.com/kb/2524375).

The full advisory can be found on the Web at:http://www.microsoft.com/technet/security/advisory/2524375.mspx.

There is a lot going on in technology as 2011 begins and that means that there are many new products and approaches out there that can be overwhelming or confusing for business owners. It is best to enlist the expertise of Responza’s IT professionals who stay in tune with what’s new and what works for businesses to determine how best to take advantage of trending innovations. Six trends for enterprise computing that have been identified by various experts are shared below.

1. Mainstream means mobile
For many years, mobile has been a peripheral afterthought when developing enterprise applications. Even when running in a browser, the laptop or desktop PC has been the primary user platform, and a mobile client was always an option at best. This year will bring a seismic shift. Significant numbers of enterprise software vendors will set development priorities on mobile, before desktop.

2. The cloud fails the crowd
It should be no surprise to find me predicting that so-called ‘private cloud’ will disappoint. Confusion over what could computing is and is not will lead the way to this disillusionment. Its concepts have been hyped by the best and have left many seeking to capture the benefits of cloud computing without understanding the core principles. This will cause cloud’s reputation to suffer – even if it is undeserved.

3. IT management gets wired in
Even when utilizing cloud computing, hosted providers or outsourced IT services, those managing IT within their organizations will require visibility and accountability. Small to medium business owners are reaching new levels of understanding when it comes to oversight and governance of their computing.

4. Data just wants to be mined
The volume of data being accumulated every day is exploding, and it’s yielding huge new value for those who know how to mine and refine it. Many organizations (not to mention consumers) are sitting on rich seams of data whose value they have barely realized. Others are mining that wealth and learning how to benefit from it.

5. Social technologies remake enterprise apps
The ability to collaborate in real time, to instantly initiate conversations or to develop a thread across time zones is bringing people together in new ways that cut across the old business processes that put the organization and its process automation first. Now applications are being remade to put people at the center of process and have automation serve their needs. The result? A people-centric automation stack instead of resource-centric process management.

6. Adapting surpasses the actual technology
People are obsessed with the pursuit of the new, new thing in technology. 2011 will turn this on its ear because the new, new thing is not a technology, but a new way of doing business. The new year’s most telling innovations will not be in mobile, cloud or social technologies but in how smart, entrepreneurial business people adapt to the potential that blossoms from the above-mentioned technologies.

Responza uses its expertise in applying new computing processes and technologies to the needs and goals of the small to medium business to help them take advantage of innovations to improve the way they do business. Call Responza experts at 206-762-5100.

It has been a couple years since “the cloud” arrived on the IT scene, yet some IT leaders still talk about it with breathless reverence. Even non-IT executives still proudly announce that they’ve “put that in the cloud” when any technology-related topic arises.

The fact of the matter is that the cloud is just another make vs. buy decision.

What is “the cloud”?
Definitions of cloud computing abound, but it has been overly complicated.

Essentially, the cloud is little more than “stuff outside your company.” That “stuff” could be processing power, storage, networks, applications or any other bit of technical wizardry. When the CIO says she’ll “put that in the cloud,” all she is really saying is she will take something that was done in-house and do it with someone else’s “stuff” (outsource it). Any aspect of internal “stuff” can be put into the cloud, from raw data that is stored on another party’s storage systems, to an internal application that is run on someone else’s hardware. Often, the cloud refers to a third party’s applications, analogous to the enterprise equivalent of gmail or hotmail to employees.

Conceptually, all the fancy cloud talk could be applied to anything a company does outside its walls. The toilet paper purchased from an outside vendor effectively comes “from the cloud,” and the same decision making process used to choose that vendor applies to making the decision to move into the cloud – or not.

Mysticism has “clouded” the process
A frightening part of the over-hyping of the cloud is that it has muddled the decision-making process for determining if the cloud is appropriate for a particular IT function. Mysticism seems to creep into any cloud-related discussion, obscuring the fact that deciding to move something into the cloud is merely a simple make vs. buy calculation. If email is under consideration for being moved into the cloud, the process is simple: Tally up the costs of the various servers, software and support, divide by the number of users; Compare that to the per-seat fees from various cloud vendors. Factors that denote reliability, security and support of the vendor can also be figured into the equation.

This process sounds amazingly similar to the process that Operations goes through when selecting vendors for critical components and parts. In companies that produce physical products, supply chain and purchasing groups are likely loaded with experts in this type of process and can assist in making an exceptionally thorough analysis of the various cloud vendors, and apply appropriate rigor to the process.

While those in IT may quip that those buying physical commodities could never understand the subtle nuances of the cloud, remember that the supply chain deals with production and design secrets all the time, and reliability is obviously a central concern since a critical vendor could hamper the ability to actually produce products.

Presenting the cloud in these terms can bring internal purchasing expertise onboard to help make better decisions and inspire more realistic discussions with peers. Rather than the cloud offering a voodoo-like panacea to every internal problem, all executives can approach it as a way to cut maintenance and administrative costs, or a way to allow IT to focus on more valuable activities than maintaining email servers or commodity functions and applications.

As with most emerging technologies, the cloud’s near-magical properties will soon wear thin. A rational look at cloud-based services and straight-forward analysis of the decision to utilize them just as any other third party vendor clears away the haze around the “cloud” and makes its use a far more practical solution.

Questions and confusion abound although the cloud concept is not new. Call Responza’s experts for assistance in implementing or tweaking a cloud strategy that meets your requirements and fits your specific needs.

BLADE (BLock All Drive-by download Exploits), the brainchild of researchers from College of Computing at Georgia Institute of Technology and SRI International, is positioned to help stem the tide of drive-by malware. A big deal according to Dasient.com – the company is tracking over 200 thousand different web-based malware threats.

What is the goal of drive-by malware?
“The goal of the drive-by exploit is to take effective, temporary control of the client web browser for the purpose of forcing it to fetch, store, and then execute a binary application (e.g., .exe, .dll, .msi, .sys) without revealing to the human user that these actions have taken place.”

Let’s look at how the researchers believe the process works.

The process
It all starts when a hapless victim stumbles onto a compromised official web site or possibly a knock off of an official site that’s serving drive-by malware. Next, the code injection process begins and consists of the following three phases:
• Shellcode injection phase: Code purposed to subvert the web browser is downloaded by exploiting a vulnerable component of the web browser.
• Shellcode execution phase: The downloaded code is then injected into the web browser process.
• Covert binary install phase: The web browser, now compromised, tries to retrieve malware from the attacker’s web server. That code installs on the victim’s computer and does all the damage we hear about.
The researchers also determined that drive-by malware somehow avoids the need for user permission to download and execute unsupported file type such as .exe, .dll, and .sys. With this information in hand, the research team developed BLADE.

BLADE’s design criteria
BLADE a browser-independent operating system kernel extension designed to prevent unauthorized content execution. This means BLADE intercepts all downloaded content that has not been okayed by the user and prevents it from executing.
To accomplish that, the research team implemented the following in BLADE:
• Real-time user authorization capture and interpretation: The key to BLADE working properly, user-to-browser interaction is monitored to capture information pertaining to a user authorizing a download.
• Robust correlation between authorization and download content: BLADE must be able to distinguish between user-initiated web-browser downloads and unauthorized ones.
• Stringent enforcement of execution prevention: Unauthorized content must not be allowed to execute.
• Browser agnostic enforcement: BLADE must not rely on how a web browser should work. This is critical, because new web-browser technology is introduced all the time.
• Exploit and evasion independence: BLADE must also be independent of any exploit that attackers use to subvert the web browser.
• Efficient and usable system performance: Web-browser performance must not be compromised, nor any delays allowed. In fact, BLADE should not have a perceptible impact on any computer operation.

How BLADE operates
To spot unsolicited download attempts, BLADE places the following processes in kernel space,
• User-interaction tracking: BLADE uses a screen parser, hardware-event tracer, and a supervisor to track the user’s physical interactions with the web browser, specifically when download authorization is asked for.
• Consent correlation: This process is required by BLADE to distinguish between transparent downloads and those requiring user permission.
• Disk I/O redirection: When BLADE locates un-authorized downloads, it redirects the code to a secure zone. The data is also prevented from loading into memory as an executable.

The following slide (courtesy of the research team) represents BLADE’s system architecture.

The key ingredient that makes BLADE work is its ability to discern whether the download is authorized or not. How that’s done is based on another fact about web browsers.

What the research team has found is that web browsers use a well-defined process to implement download confirmations. That means an application like BLADE, looking specifically for download authorizations, would only need a few examples from the different web browser in order to recognize most download authorization attempts.

The following slide (courtesy of the research team) explains how BLADE checks for authorization:

How effective is BLADE?
BLADE was tested using real-world circumstances as the following quote explains:
“Our testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and evaluates BLADE against potential drive-by URLs that were reported within the past 48 hours. To validate BLADE’s browser and exploit independence, each URL is tested against multiple software configurations covering different browser versions and common plug-ins. System call and network traces are used to test for missed attacks (false negatives).”

The research team has a web page at blade-defender.org that contains the results of their evaluation. Interestingly, their data seems to verify what other security experts have been saying about Adobe products:

According to the research paper, almost 19,000 trials have taken place, with zero false positives and zero false negatives. Meaning, BLADE prevented in-the-wild drive-by malware from installing in every case.

Not a cure-all
BLADE is designed to block drive-by malware that tries to write to the hard drive. Right now, that works, as a majority of drive-by malware uses that approach. But, security experts are aware of certain threats that reside in memory only and BLADE will not recognize them.

Then there is malware that installs by leveraging social engineering. BLADE is of no help, as the user willingly agrees to the download.
Finally, developers have expressed concern that BLADE may break legitimate applications like Windows Update that download software in the background.

Final thoughts
The research team’s work points out once again how important it is to keep the operating system and all applications up to date. With no vulnerabilities, drive-by malware cannot gain a foothold.

Two new studies have raised concerns about the transmission of private data by some iPhone and Android apps.

Last week, researchers from Duke University, Pennsylvania State University, and Intel Labs released the results of a study on 30 popular third-party Android apps. Using TaintDroid, a tool which the researchers created, they discovered that 20 of the studied applications exhibited “suspicious handling of sensitive data” and that 15 of the applications “reported users’ locations to remote advertising servers.”

In addition to location information, the researchers discovered instances of applications transmitting a device’s phone number, IMSI code (unique code that identifies a user of a GSM or UMTS network), ICC-ID (unique SIM card serial number), and IMEI number (unique identifier for an individual device). They found that one application transmitted information each time the phone booted.

“While this application displays a terms of use on first use, the terms of use does not specify collection of this highly sensitive data. Surprisingly, this application transmits the phone data immediately after install, before first use.”

Not only are applications transmitting information that could be used to personally identify an individual, they are also sending geographic location data. The researchers found that 50 percent of the studied applications “exposed location data to third-party advertisement servers without requiring implicit or explicit user consent.” And while two of these 15 did display a EULA when first run, neither EULA indicated that such data would be collected and sent to advertisers.

A second paper, written by Eric Smith, Assistant Director of Information Security and Networking at Bucknell University, raised similar privacy questions about iPhone applications. Instead of creating a tool to track transmitted data, Smith analyzed the network traffic sent from an iPhone through a specially configured wireless network.

“Packet captures were recorded using tshark12, the console-based libpcap capture utility. The resulting files were then analyzed using a suite of open-source tools including Wireshark, ngrep, and the Perl Net::Pcap libraries13 in order to determine what, if any, personally-identifiable information was being shared with third parties.”
Smith also analyzed browser cookies placed on the device by applications.

Of the 57 applications Smith evaluated, 68 percent transmitted the iPhone’s UDID (a unique device serial number), “to a remote server, owned either by the application developer or an advertising partner.” Some applications encrypted the data using SSL, but others transmitted the UDID and user’s name (either the logged-in user’s name or the iPhone’s user-assigned name) in plain text.

Applications were also found to place “extremely long-lived” tracking cookies on the iPhone. These cookies aren’t set to expire for several years. According to Smith, “these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals’ new phones as they upgrade to the newest iPhone model every few years.”

Choose apps wisely
In response to the Android study, a Google representative pointed out that users must approve the access when an application is installed. CNET quoted the representative:
“On all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application,” the representative said. “Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data…We consistently advise users to only install apps they trust.”

Under Apple’s latest iPhone Software License Agreement, users have already consented to having their location information collected.
“By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ and licensees’ transmission, collection, maintenance, processing, and use of your location data to provide such products and services.”

What is the lesson here? Be VERY careful about the applications you install. If an application asks for access to information that doesn’t seem relevant to the application’s function, you might think twice about installing it. If you do allow an application to access your private data, know that the information may be used in ways you didn’t intend. William Enck, one of the Android researchers, made this point to CNET.

“Right now users have to be more diligent with the apps they install, look closely at the permission screen, and assume that that information may be misused.”

Adobe has acknowledged a critical security flaw in its Reader, Acrobat and Flash Player software. Adobe says the vulnerability potentially enables hackers to take control of affected computer systems and that users running Windows, Macintosh or Linux might all be open to attack. The company is working to fix the problem. In the meantime, users of Reader, Acrobat and Flash are advised to ensure their anti-virus software is up to date. “It doesn’t really get any worse than a vulnerability like this,” said Graham Cluley, senior technology consultant at Sophos, a security software company. He said that hackers could create a “booby-trapped Flash animation, or PDF” that would give them access to a person’s computer, potentially allowing them to harvest personal information or use the machine to send spam messages. In recent years, PDFs have become a popular means of sharing documents that are not easily altered by the recipient.

In a security advisory, Adobe said: “There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat”. Whilst it works to fix the problem, the company suggests upgrading to the latest versions of their software, which appear to be less vulnerable”.

Alternatively, the company said that advanced Reader and Acrobat users could delete or rename the “authplay.dll” file on their system but that doing so means users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash content. Keeping anti-virus software up to date will also help to avoid problems.

If you feel that your network is at risk or that your PCs may have been affected by this vulnerability, call Responza at (206) 762-5100 for advice and support.

As computers become faster and more powerful, a single desktop PC possesses resources far greater than what’s necessary to keep a single user productive. That means lots of gigabytes and kilowatts simply going to waste. Through the process of virtualization, a company can turn a single PC into many “virtual desktops” for multiple users.  It was recently announced that a Silicon Valley firm specializing in large virtualization projects will provide over 30,000 virtual desktops to India’s government employee health insurance program. The project will unify thousands of hospitals, clinics, and insurance offices while creating one of the largest medical databases in the world, all at a 75% savings on hardware and a 90% savings on electricity.

Virtualization requires specialized software and a piece of hardware known as a thin client that connects a user’s monitor, keyboard, and mouse to the shared computer. On top of the cost savings, a virtualized system is less susceptible to network security threats and the amount of energy and materials saved make virtualization one of the greenest decisions a business can make.

Virtualization isn’t just for clients as massive as the Indian government, it can revolutionize how any business manages its IT budget and resources. When you work with Responza’s experts to manage your IT, virtualization is just one of the many cutting edge options we offer to save money, eliminate stress, and just make IT work better.