How to Shield Your Network from Clever Hackers

January 2007

Intelligent Technical Solutions Innovations

How to shield your network from clever Quotes “We can let circumstances hackers rule us or we can take charge and rule our lives from You've got antivirus software and firewalls guarding These efforts can be conducted over the telephone, via within.” Earl Nightingale your computers and routers. You religiously download e-mail, or through instant messaging. Larger organiza- “If you want to make peace, security updates. You've done everything you can tions are especially at risk, because employees do not don't talk to your friends. think of to stay secure. But your network is still at know one another, but small businesses can be victim- Talk to your enemies.” Moshe risk. ized too. Anonymity is important to the hacker. But Dayan the little fish at a company can also be "gamed." “Avoiding danger is no safer Why? Because an employee could unwittingly give in the long run than outright away the castle's keys. So let's look at four different social engineering situa- exposure. Life is a daring tions -- and the ways to thwart them. adventure or nothing at all.” The biggest threat to a computer is not a hardware or Helen Keller software problem. It's social engineering. 1. The caller isn't working on your network. One of “Be master of your petty your newer employees gets a call from a computer What it boils down to is this: Someone will attempt to annoyances and conserve your repair technician. "My name is Joe Smith," says the energies for the big, gain an employee's trust. Information can be elicited technician. "Your company's network is having prob- worthwhile things. It isn't the from that employee that puts everything at risk. mountain ahead that wears lems, and I'm working on it. I need you to type in you out, it's the grain of sand Social engineering relies on the fact that most people some commands." in your shoe.” Robert Service are nice. They want to be helpful. There's a natural On the face of it, this is silly. Any legitimate repair inclination to lend a hand when someone has a problem. (Continued on page 2)

Microsoft Releases Internet Explorer 7 Significant Security Improvements, New Features

Microsoft has released Internet Explorer 7, the newest with Windows updates, you may need to install these version of their web browser. The program, which has updates before being offered the option to download been in the works for nearly five years offers many IE7. The Windows Update service will handle every- significant improvements and is a worthy upgrade. thing for you. “Internet Explorer 7.0 is the Few problems have been reported best browser Microsoft has with the upgrade, although there are ever produced,” wrote Mike some known incompatilbilities with Wendland of the Detroit Free the Yahoo Toolbar. The most cur- Press. rent version of the toolbar works fine, but older versions do not. Users running their Windows Updates have been offered the upgrade option begin- For those still a bit squeamish about upgrading, there ning last week. The new version does require Win- is an excellent uninstall utility that can restore your dows XP Service Pack 2, so if you haven’t kept up (Continued on page 4) Innovations Clever hackers. . .

(Continued from page 1) employee wasn't expecting something from Joe, she tech is going to have access to the network, if should have checked with him before opening it. that's what he needs. How else could he fix the 3. When the hackers go "phishing," don't take thing? The Lighter Side the bait. An employee gets an e-mail message that The caller is playing on your employee's natural her eBay (or PayPal, Citibank, America Online, Things toddlers eat.... desire to be helpful. The employee is unlikely to etc.) account has a problem. She's told that she Panicking when his toddler understand the commands he is asked to enter. must go to a certain page for more information. The swallowed a small magnet, They may expose the structure of the network, or spam includes a link. George, rushed him to the open a security hole. emergency room. When she clicks the link, a page with the com- The caller then asks the employee to enter company's logo opens. It explains that her account will "He'll be fine," the doctor mands that identify his desktop computer. "Aha," lapse unless she re-authorizes it. It then asks for her promised. "The magnet should he says. "That's the machine that has been causing username and password. pass through his system in a the problems. I'll need your username and pass- day or two." Or it may ask for a credit card number, or perhaps a word." "How will I be sure?" he Social Security number. Sometimes, it requests her pressed. Once the caller has collected this information, you mother's maiden name (often used as a hint to get a could have an identity theft problem. He has a password restored). "Well, the doctor suggested, route into your system and he knows how your "you could stick him on the Your average crook isn't a Rhodes Scholar, so, network is structured. If you have a database of refrigerator. When he falls off, early on, these schemes were unsophisticated. The customers and their credit card numbers, he may you'll know." "phishing" pages were poorly designed and often download it. Or he could get into your payroll contained bad English. And their Web addresses system. There, he'll find Social Security numbers. clearly had nothing to do with the companies they Grief and suffering What to do? Train your employees to never, ever supposedly represented. give out information to such callers. Computer A dietitian was addressing a More recently, the pages have been much better large audience in Chicago: repair personnel already have access to the net- designed. And the pages often contain the logos of work. If they don't, there's probably a good reason. "The material we put into our eBay or other companies. You'll find links to the And they should already have a password with stomachs is enough to have company's real pages. It's easy to be suckered. killed us. Red meat is awful. system privileges. They don't need an individual Soft drinks erode your stomach employee's password. So remember this: eBay isn't going to ask for a password. Neither will AOL or any other legitimate lining. Chinese food has MSG. At the very least, employees should check with a And vegetables can be disas- company. Delete all spam, including these pitches. supervisor before disclosing sensitive information. trous. What, you may ask, does an eBay password have to 2. That e-mail isn't from Joe. One of your em- "But one thing is the most dan- do with my business? Just this: People often use the ployees gets an e-mail. It's from her friend Joe. It gerous of all and we all have same password for everything. So the eBay pass- has an attachment. Without giving it much eaten it or will eat it. What food word may also give access to your network, a bank causes the most grief and suf- thought, she opens the attachment. It's something account and other confidential areas. fering for years after eating it?" unappealing, so she deletes the e-mail and forgets it. Without skipping a 4. You must protect your company. A good security system will protect you technologically and beat, a 75-year-old Unfortunately, that attachment includes a Trojan socially. in the front row horse. Your antivirus software should whack it. stood up and But maybe you haven't kept the antivirus software Your employees are there to do a job. They're said, up-to-date. The Trojan could use a backdoor port "Wedding probably overburdened, so they'll resist worrying cake." in Windows to download more dangerous pro- about security. But you must train them never to grams. give out sensitive information, unless they are certain of the caller's identity, and never to open an These programs could find their way around your attachment they were not expecting. (Do you think network, digging for credit card and Social Secu- passwords are safe? In a London study, passersby rity numbers. were asked at random to give up their passwords in Employees should never open attachments they exchange for a candy bar. Seventy percent com- were not expecting. Legitimate return addresses plied!) are easily stolen by worms. The fact that the e-mail (Continued on page 4) bore Joe's return address is meaningless. If your

Page 2 January 2007

Resilience, bouncing back

The power to bounce back from disaster is called all born with a tendency to be resilient. Most peo- resilience. By actual definition, it is "the human ple are stronger than they give themselves credit ability to adapt in the face of tragedy, trauma ... and for. ongoing significant life stressers." You don't have to get caught in a hurricane or suf- At one time, it was thought that some people were fer a tragedy to develop resilience. With work, born with resilience, and others were not. That family, trying to get enough sleep, whatever your wasn't true. situation, it comes from the belief than you can and will create positive outcomes. Researchers at Wayne State University say we are

Email: how personal is too personal?

When you get an email and the sender just starts If your first-name status writing, do you feel a little neglected? Shouldn't it feels a little tenuous, go be a little more personalized? But then, do you with the more formal begin with "Dear Sir," Dear Mr. Jones," "Joe," or salutation. something else? In a business email, say the eti- quette experts, it's best to address people the same way you do when speaking with them in person.

Signing your email Your email "signature" can offer your correspon- dent some important information, sometimes not obvious from the email headers. Because the name of the sender is not always clear from the email address, always include your full name at the bottom of a message. Some companies use abbreviations or codes in the sender's address that may mean little to the recipient. Put your email address after your signature. If it's a business address, include the company name and your title in the signature. (Some email programs allow you to set up automatic signatures.)

Page 3 Intelligent Technical Solutions “We make all of your computer problems go

January 2007 away without the cost of

7500 W. Lake Mead Blvd. #9-196 a full-time I.T. staff” Las Vegas, NV 89128 Ask us about our fixed price service agreements — Computer (702) 869-3636 (888) 969-3636 toll free support at a flat monthly fee you can budget for just like rent! www.itsasap.com

Hackers. . . Internet Explorer 7. . .

(Continued from page 2) (Continued from page 1) web sites in the same browser window and switch But even the best-trained em- between them through tabs at the top of the win- previous web browser in a flash. ployees can be suckered. The dow. This eliminates multiple Internet Explorer desire to be helpful can lead So what’s new? windows open simultaneously. them down the garden path. An additional feature is support for RSS feeds. Assume your system eventually Security: Security is the name of the game these days, and the Internet Explorer has historically had RSS allows you to “subscribe” to a web site’s news will be invaded; keep critical a terrible security record. IE7 was designed with and information. As the headlines change the information walled off from security as the first, second, and third priority. browser will update itself automatically. This most employees. Only those Running an entirely new architecture, IE7 disables functionality has been around for a while on sites with a real need should have virtually all ActiveX controls by default, which such as My Yahoo, but it is now available directly access to databases or payroll will stop spyware programs in their tracks. There in the browser. information. is also protection against “phishing” (further de-

Even if a worm gets into your scribed on page 4) where a web site masquerades system, it can be thwarted. If as something else (i.e. pretending to be Bank of For those workstations that we manage, we will you religiously update your America to get you to enter your password). begin rolling out the Internet Explorer 7 update antivirus software and Win- slowly over the upcoming weeks. If you have any Cool Stuff: The program has been redesigned to dows, worms can be knocked questions please give us a call! be simpler to use, but perhaps the biggest innova- out or blocked. Be sure the tion is “tabbed browsing”. You can view multiple firewall in your router has been activated and properly config- ured. Worm and virus technology is Spam By The Numbers rapidly growing in sophistica- tion. Coupled with social engi- $11,000,000 $12,800,000 neering problems, the threat to The amount awarded to EarthLink in a spam law- The amount still owed to AOL by a convicted your company is very real. You suit against a bulk mailer. spammer, David Hawke. must stay alert. Source: The Register Source: MSNBC TWO $600,000 Reprinted courtesy of Micro- The number of spammers EarthLink claims it is The estimated monthly earnings at the peak of soft Corporation. responsible for sending to jail since it began pursu- Hawke’s spam operations. That’s a cool $7.2 mil- ing legal action. Source: The Register lion a year! Source: MSNBC