
Mickler & Associates, Inc. - IT Strategies for Small Business
Eight | June 2007

Did a colleague forward this newsletter? Please email me to join the list and receive your own copy.

Blog and Syndicated Articles

Please visit the Technology Reflections Blog on the Web for new articles, explainers, and opinion. Here's a sampling of entries made this last month.

SEC Relaxes Section 404 Compliance Requirements

Net Neutrality and Small Business

What's in Your Backup?

What's in My Forensic ToolKit?

Open Source Miscellany

My Story on Adjunct Teaching

The Windows Experience Index (WEI)

Installing Ubuntu

Neolingo



Ever wonder how geeks are able to keep up on new trends and market activities? How they find the time to read hundreds of websites a day? You, too, can surf the web like a pro by bringing the web to you - with Really Simple Syndication (RSS). An RSS feed brings new website content and articles into a reader, kind of like email, so that it can be organized, cataloged, and read.

You see, the geek doesn't browse the web - the geek sucks it all in via an RSS feed! In IE7 and Firefox, there are built-in RSS tools that allow you to subscribe to feeds through the browser. However, I recommend a free RSS aggregation utility called SharpReader. It looks and feels kind of like an email interface - it even provides pop-up notifications like email when new content is posted to your favorite blog - and makes using RSS intuitive and practical. Put SharpReader into your Startup folder for maximum web exposure: let the new content of the web come to you!

News and Announcements

Mickler & Associates, Inc. introduces two new features on its website:

Online Shopping. We're proud to open the doors to our online store with our business partner, Amazon.com.  Find great deals on software, academic textbooks, and reading recommendations for the small business owner.

Online Lectures. We've partnered with Google to bring dynamic content to our blog - video of IT lectures presented in colleges and universities around the world. Ideal for students!

Mickler & Associates, Inc. also joined the Business Networking International (BNI) Vancouver, WA Chapter this month.

Bugs and Viruses

Our highlighted virus this month is W32.Kenety worm discovered on May 10, 2007. Kenety is a self-replicating virus - a worm - that exploits a vulnerability in the software RealVNC.  Small and mid-range businesses may use VNC as a way of remote controlling computers across the Internet, and it's popular because it's free.

Well, Kenety looks for computers on the Internet running the RealVNC host program that is waiting for a remote control connection. In exploiting the vulnerability, the worm installs itself on the target computer as a running service called "Sync" and modifies the registry to weaken the Windows firewall, so that the firewall cannot stop it as it replicates and makes more copies of itself. It also opens a backdoor on port 8888 to allow others to take over the infected computer.

Then, Kenety goes dormant, waiting for a remote command from an attacker. Kenety can then be used by an attacker to launch a file transfer process to load new files to the infected machine, bypassing the station's local firewall.

Finally, if all of this fails - if the worm can't install itself as a service - it'll attempt to brute-force attack the RealVNC service with a set of common passwords so that it can attempt to infect the machine again.

W32.Kenety can be sneaky because there'll be no obvious failure of RealVNC, and it could try, over and over again, to compromise the system without evidence of attack. Further, many administrators would neglect patching RealVNC because it's more of a forgotten background capability. Luckily, RealVNC was quick to respond by releasing new updates on May 12, 2007, to combat Kenety, but the administrator must manually install them. Doing so closes a weakness that antivirus utilities do not easily detect. If you're a small business, ask your systems person about RealVNC and whether it's used anywhere on your network. It has to be manually upgraded to defend against the Kenety worm.
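A small triage check for the two indicators the newsletter names, added here as an example; it is not code from RealVNC, from an antivirus vendor, or from Mickler & Associates. It parses the output of the Windows commands `sc query` and `netstat -ano` (the sample output embedded below is constructed, not captured from an infected machine) and flags a running service named "Sync" or a listener on TCP port 8888. It also points out a listener on 5900, VNC's default port, which is my assumption rather than something the newsletter states, so that whoever runs the check knows a VNC server is present and worth patching.

```python
"""Triage check for the W32.Kenety indicators described in the newsletter.

Added example, not vendor code. Paste real `sc query` and `netstat -ano`
output in place of the constructed samples below.
"""
import re

SUSPECT_SERVICE = "Sync"   # service name the worm installs itself under (from the newsletter)
BACKDOOR_PORT = 8888       # backdoor port named in the newsletter
VNC_DEFAULT_PORT = 5900    # assumption: VNC's usual listening port, not stated on the page

# Constructed sample of `sc query` output; the layout follows the real tool.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
SERVICE_NAME: Sync
DISPLAY_NAME: Sync
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed sample of `netstat -ano` output; the layout follows the real tool.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1592
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       2440
  TCP    192.168.1.10:1045      192.168.1.20:5900      ESTABLISHED     3120
"""


def running_services(sc_output):
    """Return the set of service names whose STATE line reports RUNNING."""
    names = set()
    current = None
    for line in sc_output.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
        elif current and "STATE" in line and "RUNNING" in line:
            names.add(current)
    return names


def listening_ports(netstat_output):
    """Return {port: pid} for every TCP socket reported in LISTENING state."""
    ports = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            ports[port] = int(parts[4])
    return ports


def kenety_indicators(sc_output, netstat_output):
    """Return a list of findings worth investigating; an empty list means no match.

    A match is a reason to look closer, not proof of infection: a legitimate
    program could use the same service name or port.
    """
    findings = []
    if SUSPECT_SERVICE in running_services(sc_output):
        findings.append(f"service '{SUSPECT_SERVICE}' is running")
    ports = listening_ports(netstat_output)
    if BACKDOOR_PORT in ports:
        findings.append(f"TCP port {BACKDOOR_PORT} is listening (PID {ports[BACKDOOR_PORT]})")
    if VNC_DEFAULT_PORT in ports:
        findings.append(f"a VNC server is listening on {VNC_DEFAULT_PORT}; "
                        "confirm RealVNC has the May 12, 2007 update installed")
    return findings


if __name__ == "__main__":
    for finding in kenety_indicators(SAMPLE_SC_QUERY, SAMPLE_NETSTAT):
        print("FINDING:", finding)
```

Run it on a workstation by saving the two command outputs to files and passing their contents to `kenety_indicators`; the service and port checks are independent, so a machine that has only the 5900 listener simply gets the reminder to confirm the RealVNC update.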

Also, watch out for that African Puppy Phishing Scam - it's making the rounds, and the national media, once again!


Additional Resources for Technology and Business Professionals

Smartbiz.com. Well, all of us have a "smart business", right? None of us have a "dumb business" but if you'd like to make your business smarter, visit Smartbiz. A well-designed and useful site that lends a great deal of professional and managerial resources to the small business owner. 

SOHO America. Representing the home office revolution, SOHO America provides articles, ideas, and insight on managing your small business.

Geek.com.  All things geek. Information and news on the technology industry, new gadgets, market expansions and contractions, price search and comparison tools, technology analysis and reviews. A great place to bookmark if you like to be in the know when it comes to IT.

Technology Reflections is a newsletter sponsored and prepared by Mickler & Associates, Inc. of Battle Ground, Washington. The newsletter addresses the technology concerns of small business in everyday lingo, and reflects on trends, issues, and tips to help your company gain competitive advantage from tech spend. Please feel free to distribute to colleagues and partners.

Employee Privacy

In my experience, many SMBs (small to mid-range businesses) are not aware of the Federal Electronic Communications Privacy Act ("ECPA"). ECPA addresses the interception and monitoring of electronic communications: telephone conversations, voice mail, email, instant messaging chats, and other online interactions fall into ECPA's purview. Violations of ECPA are punishable by fines or imprisonment for up to five years; any persons harmed by an ECPA violation are permitted to file for equitable relief covering damages and attorney fees of up to $10,000. Since many SMBs monitor and intercept the electronic communications of their employees, understanding ECPA business use exceptions can reduce the risk of legal exposure to ECPA claims filed by employees.

ECPA extends federal protection over employee communication in the workplace, but this protection is quite limited. Presumably, employers would want to monitor electronic communications to guarantee quality control, to protect intellectual property, to investigate incidents of wrongdoing, and so on, and ECPA provides "business use exceptions" to allow the employer to do these things.

A couple of rules as it relates to intercepting transmissions and monitoring employees in the workplace:

One-Party Consent. Interception and monitoring are allowed if either the sender or recipient consents before it occurs.

Ordinary Course. Business use exceptions under ECPA dictate that interception or monitoring be conducted within the regular course of the employer's business and that the subject matter be one in which the employer has a vested interest. Employers should be aware that, if a voice conversation turns personal, the employer may lose its exemption because it is no longer authorized to monitor such conversations.

Equipment Restriction. Employers can monitor and tap only the equipment that they own and which is used in the employer's regular course of business.

Email. Employers have the right to monitor and access email communications of employees stored on their assets (client workstations and servers). This is tricky because employers do not have the right to monitor or access email hosted by a 3rd party (like AOL or MSN), even though such communication might traverse the company's network.

Suggestions for the SMB to remain in ECPA compliance revolve around the creation of good Administrative Controls (policies) to govern employee expectations. Examples:

1. Employees should be given some form of notification, either through a statement, a written policy signed at the time of employment, or a recording over the phone system.

2. Employers should present a policy to prohibit personal use of communications assets (phones, cell phones, computers, private email systems, and instant messaging), which would set acceptable use practices to restrict employees' use to strictly business communications.

3. An acceptable use policy should prohibit the use of personal communications and storage equipment - MP3 players, digital cameras or recorders, cell phones, thumb-drives - to conduct company business.

4. A privacy policy should be crafted to identify the personal private information (PPI) collected on employees and to define how that PPI is used and maintained.

"...personal employee devices and protected communications are constantly interacting on company assets..."

ECPA compliance is more relevant today than it has ever been: personal employee devices, software, and protected communications are constantly interacting on company assets, wirelessly and effortlessly. The commingling of protected communications and devices can both expose your company's assets to harm and restrict what forms of corrective action you can take to protect them.

ECPA compliance is generally policy-driven: so long as the employer sets good Administrative Policies into motion that define expectations ahead of time, and understands what is and is not permissible under the business use exceptions of ECPA, then compliance is fairly straightforward.

What's your state of ECPA compliance? First, discuss your level of exposure with your legal counsel then call us - we can help setup the administrative and technical framework to ensure contained liability and risk.

Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.
360.600.9508 | rmickler@micklerandassociates.com

WA State Bans Cell Phone Use and Texting While Driving

Something that all SOHO and small business owners in Washington State should be aware of is that Gov. Chris Gregoire signed Senate Bills 5037 and 1214 prohibiting the use of cell phones to talk or to text while driving. The laws were signed in mid-May and will take effect July 2008 and January 2008, respectively.

If you are pulled over in the State of Washington and found to be talking without a headset or texting on a cell phone, PDA, or BlackBerry, you could be fined $101.

The legislative action stems from an automobile accident which took place December 2006 in downtown Seattle. A 53-year-old man was using his BlackBerry while driving down the express lane of I-5. The man, unaware that traffic ahead of him had stopped, smashed into the car in front of him, causing a chain reaction affecting 28 passengers in other cars and buses. Nobody was killed nor seriously injured, but it was enough to prompt the Governor to take action.

"This is a common sense measure that will limit distractions to drivers and help keep Washingtonians safer on the road," said Governor Gregoire. "Just as you do not want other drivers on the road to be reading a newspaper or book while driving, you don't want them to be distracted by an email or a text message, taking their eyes off the road."

"If you are found ...talking without a headset or texting while driving...you could be fined $101."

With the passing of the legislation, Washington joins California, Connecticut, the District of Columbia, New Jersey, New York, and some local jurisdictions in prohibiting the use of handheld mobile phones while driving.

Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.
360.600.9508 | rmickler@micklerandassociates.com

Business Continuity Planning

Take a minute to imagine your job without your personal computer or company's network server. If you're a student, think about trying to keep up with your coursework by hand.

Client contact lists, transaction systems, financial systems, payroll and payment systems, your websites and electronic communications, business plans, taxes, graphics and logos, intellectual property, task lists, reminder and alert systems, manufacturing or assembly specifications, years of historical data covering your business' operations.  Duh - a lot of stuff is on your computer.

Now, if that gives you shivers, amplify this effect by considering your partners up and down your supply chain. What if their personal computers or network servers were to fail? How would they be able to meet their order obligations, understand your scheduling requirements and inventory levels, and deliver raw material on-time and on-budget so that you can meet your customer's needs?

Now, go one step further: supply routes and transit lines are closed; infrastructure is unavailable; financial institutions cannot staff-up to accommodate walk-in demand because nobody can get to work; gas and oil prices, already high, shoot through the roof, driving hyper-inflationary effects throughout the local economy; a mass exodus of talent and skill leaves your geographic region.

"...how will your small business sustain itself? Sustain your employees? Sustain you?"

Now what? What kinds of effects would this have on your P&L, your payroll, the ability for your firm to sustain itself? Your employees? You?

Hurricane Katrina hit the Gulf Coast nearly two years ago, yet only 10% of small businesses in New Orleans have re-opened their doors; more than 17,800 small businesses in Louisiana alone have entirely shut down. Hurricanes might sound extreme in the Pacific Northwest, but - in my small town of Battle Ground - we're less than 50 miles from an active volcano, and we had a 3.3 earthquake just last year. And yesterday, national news: a tuberculosis patient infected with a rare strain of drug-resistant TB flew on six flights around the world, possibly spreading an incurable and highly infectious disease to fellow passengers.

Small businesses, more so than larger businesses, are particularly vulnerable to disruptions in economic patterns because they haven't the excess capital, liquidity, or cash reserves to weather strains on the supply chain. But coming out of a crisis positively has more to do with planning than cash. Developing an Emergency Preparedness Plan, or a Business Continuity Plan, gives you insight, confidence, and peace of mind as a business owner that it would be possible to recover in the event of anything from a minor emergency (say your server's hard drive failing) straight through to a catastrophic disruption (like a mass quarantine for TB or Avian Flu). Truly, the lack of a coherent plan is really the only thing which sets the small companies that survived Katrina apart from those that didn't.

My advice: be proactive, take the initiative, manage your business - plan for positive and negative outcomes in the short and long term, and planning is the operative term. Visit Ready.gov for assistance in preparing your own Emergency Preparedness Plan for you and your family, but for your business, give us a call. We can help distinguish facts from fiction and help you service your customers in times of crisis or disruption.  And by the way: the worst time to call will be when the disruption happens... so call us today!

Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.
360.600.9508 | rmickler@micklerandassociates.com

 

 

Your feedback is important to us. Want us to cover a specific topic relevant to small business? Please contact us with your comments and questions. Technology Reflections is published on the first day of every calendar month. Want to contribute a 300-word or less article to Technology Reflections? Just email the article along with a brief bio for possible publication and circulation.  To unsubscribe to this distribution, please email your request to be removed from the mailing list.

 Creative Commons License
This work is licensed under a
Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.
© 2006-2007. Mickler & Associates, Inc. All Rights Reserved.