Did a colleague forward this newsletter? Please email me to join the list and receive your own copy.
Blog and Syndicated Articles
Please visit the Technology Reflections Blog on the Web for new articles, explainers, and opinion. Here's a sampling of entries made this last month.
Keylogger Exploits Soar 250-Percent
Five Windows Vista Upgrade Pitfalls
A Letter to Steve Jobs
Use Google for Free Telephone Calls
Microsoft Updates the Malicious Software Removal Tool
Lock Down Your Internet Browser
Risk Management - Lecture 1
Risk Management - Lecture 2
Risk Management - Lecture 3
Risk Management - Lecture 4
Risk Management - Lecture 5
Neolingo
Neolingo will introduce you to important Internet vocabulary.

A Non-Delivery Report (NDR) is an email server report announcing a problem in routing or delivering email. Generically, an NDR usually begins with "your message did not reach some or all of its intended recipients..." followed by a set of codes that explain the error condition. Unfortunately, troubleshooting an NDR usually takes the experience and security of a system administrator, but sometimes an NDR is issued because of a simple misspelling of the email address.
News and Announcements
Mickler & Associates, Inc. welcomes its new customer:
This month, our web hosting, file transfer services, and mail services were bundled under ServerLogic, Inc. of Beaverton, OR. We had a great transition - no hiccups or service disruptions for our customers. Thank you, ServerLogic!
Bugs and Viruses
This month's focus is on an executable Trojan Horse delivered through spam. Trojan.Peacomm was elevated at the end of January 2007 to a threat level 3/5 by SARC - the Symantec Antivirus Research Center.
Peacomm is distributed as an email with enticing subjects designed to get people to open or read the email. Attached to the email is what looks to be a video (really an *.exe file) of the event described in the subject. As you can tell by the subject list, Peacomm does a pretty good job tapping into the social anxieties of our time:
Attachment names:
- FullVideo.exe
- Full Story.exe
- Video.exe
Because the attachment is an *.exe file, most antivirus and server-based filtering mechanisms should catch this message before it arrives in your inbox. However, if those controls are bypassed and you end up double-clicking on the attachment, the executable installs a malware driver to download even more viruses and automatic emailing engines, conscripting your computer to become a subordinate bot in a BotNet of other infected computers.
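The kind of server-side check described above, sketched as an added example (not code from Symantec or from any mail product). It flags attachments by file name and also by the two-byte "MZ" header that Windows executables start with; the extension list beyond .exe, the addresses and the sample messages are assumptions constructed for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list; only .exe comes from the newsletter itself.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def find_executable_attachments(raw_message: bytes):
    """Return (filename, reason) for each attachment that should be quarantined."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            hits.append((name, "blocked extension"))
        elif payload[:2] == b"MZ":
            # Windows executables begin with "MZ", so an attachment is still
            # flagged when its name claims to be a video or a document.
            hits.append((name, "executable header"))
    return hits


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed test message; the attachment content is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [("Full Story.exe", b"MZ placeholder"),
               ("Video.avi", b"MZ placeholder"),
               ("notes.txt", b"plain text")]
    for fname, data in samples:
        print(fname, find_executable_attachments(build_sample(fname, data)))
```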
What's interesting about Peacomm is how it exploits user response through a social engineering approach; there are mounting military, political, and weather-related concerns throughout the world, and we're all waiting at the edge of our chairs for more news. The authors of Peacomm used that to their advantage to entice users into doing what they shouldn't do: double-click email attachments. There will likely be future imitators and clones of Peacomm; Peacomm is the first email-distributed Trojan to be promoted to Level 3 in a long time. To protect yourself and your company, ensure virus definitions on your servers and PCs are updated, and remind everyone to be wary of messages with similar subjects and attachments.
Learn more about IT Risk Management
Additional Resources for Technology and Business
Professionals
The Microsoft Windows Longhorn Portal Site.
Microsoft announced the Longhorn portal site
this month for its upcoming beta testing
program. Longhorn is a codename referring to
the next generation of Windows Server software
that will complement the desktop release of
Windows Vista. Technical professionals can
use this site to download white papers, register
for the beta, and evaluate technical notes on
installation and deployment.
The Microsoft TechNet Windows Vista Portal.
Frustrated that you can't find simple answers to
technical questions through Microsoft's
commercial Vista launch portal? Here's a
backdoor to the TechNet portal for Vista.
Here is a wealth of information for technical
professionals trying to resolve the myriad of
challenges that will come with deploying, using,
and installing Vista.
FindLaw for Small Business.
What's so cool about the FindLaw site is both
the extent of information and its easy-to-use
navigation, offering a menu of choices from
contracting, to intellectual property, to sample
legal documents available for download. Here
the small business can find a lot of practical
advice on legal issues surrounding their
business without having to pay for a lawyer for
it.
Technology Reflections is a
newsletter sponsored and prepared by
Mickler & Associates, Inc.
of Battle Ground, Washington.
The newsletter addresses the technology concerns of small business in everyday lingo, and reflects on trends, issues, and tips to help your company gain competitive advantage from tech spend. Please feel free to distribute to colleagues and partners.
Fraud on the Internet
It's easy to get the impression that the only things we have to fear from the Internet are firewall compromises, unauthorized intruders, spyware, worms, viruses, Trojan Horses - well, okay, so the Internet is a pretty risky place; we get it. However, are the risks purely technical in nature? The answer might surprise you.
The
National Fraud Information Center has
released its Top 10 Internet Scam Trends for
2006. Auction scams, fake check scams,
lotteries, advanced fee loans, prizes and
sweepstakes all top the list. The report also
identifies the age of targeted consumers, the
states where most Internet fraud originates
from, common methods, and the nationalities of
captured fraud perpetrators.
"What is important to realize is that no amount of technology could have prevented the attack or scam..."
And if that weren't enough, the
FBI is currently warning about an email
phishing and telephone marketing scam involving
jury service, where the scam artist contacts
consumers by phone and by email asking for
Social Security Numbers for jury duty; if the
request is refused, the criminals want a credit
card number to process the municipal/county
fine!
What's important to realize here is that no
amount of technology could have prevented the
attack or the scam. The user willingly responded
to the scam and circumvented any Technical
Controls that would have protected them from the
scam artist.
Like our featured Virus this month, the success of such scams arises out of emotional responses and anxieties - there's a bit of human psychology here - whether it's a desperate attempt to secure money, or a sense of euphoria at "winning" something, or the obligation we feel to civil duties, or the empathy we feel that drives us to help others. When acting upon the emotion is as simple as pressing "reply", we have to decouple our rational mind from our very human responses. And that problem is not going to be solved by a firewall.
Small business owners would do well to counsel their employees that not all is as it seems on the Internet - a supposed "vendor" emailing for an account number, a "customer" wanting a refund, or a "government agency" wanting a few minutes of your time - and that the Internet's guarantee of total anonymity is grounds enough for not trusting any source of information.
Having some kind of escalation procedure for
internal validation of information might be
reasonable; certainly a policy especially
covering the release of personal private
information of employees or consumers should be
directly considered. A small brown-bag
luncheon with your staff over the 2006 report
from the National Fraud Information Center, a
questionnaire distributed to your employees, or
even a periodic managerial review of how email
generates internal reaction to share
confidential information might also be in order.
If you're personally thinking about these problems, rationally critique any request from the web and demand the communication channel switch to telephone - that will usually dissuade the party from harassing you. Never agree to meet the party in person; never directly challenge a would-be scam artist. Instead, report the fraud to the FBI using the Internet Crime Complaint Center.
The focus here is education and awareness. We
cannot engineer a technology solution around the
problem of fraud but you can significantly raise
awareness and implement stronger Administrative
Controls governing the sharing and
trustworthiness of information.
Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.
Backing Up Your Data
Everybody talks about it but nobody says how to do it. Backup this, backup that - how do you know what is important to back up, where to back it up, and how to prevent a backup from becoming a liability? Can't somebody steal your backups?
There are a couple of different options you have concerning data backup from your individual PC. Just the nature of "backing up" may sound like a bit of a chore. The reasons for backing up your data from your personal hard drive:
1. Applications fail. Data can get corrupted.
Files can be lost or over-written, accidentally
deleted. It's an inescapable part of computing.
2. You typically just have one hard drive in your PC. Its reliability is measured by a statistic we use in the industry called the Mean Time Before Failure (MTBF) rating - a timeframe, usually expressed in hours or months, within which the hard disk is likely to fail. It's a mechanical device with many moving components; a hard disk's failure is inevitable.
3. The PC is at physical risk in your home or office. Whether from flood, a power surge, a fire, burglary, or your kids, the physical risks to the PC and your data are fairly extraordinary.
So backing up your PC isn't just for the wise or
those with a lot of time on their hands. It is
part of a process to plan for the inevitable. At
some time, your data will be rendered unusable
or irretrievable - it's simply a matter of time.
Approaches to backup:
1. Some purchase a dynamic portable drive, hook the drive into the PC using a USB connection, and manually copy critical files to the drive. QuickBooks, for example, allows you to create a backup and target that backup file (QBB) to removable media. This isn't a bad solution but it is very manual and dependent upon the user's initiative to accomplish.
2. Some purchase software applications that streamline and automate the backup process on a PC. Those applications then target critical files and compress them into a single file, which is then stored on a removable form of media (like a dynamic portable drive, a tape, a CD/DVD ROM, or other device). This is a better solution because of the automation and the user-friendly screens for backup and restore functions.
3. Some image their drive. This is where a software application is used to boot the system and then make a copy of the entire binary image of the hard drive. It's like taking a snapshot of the hard drive's entire contents. A great solution for those with technical know-how.
A simple way to perform a backup of your PC is
to use a native tool provided by Microsoft
Windows called ntbackup. It is located at
the following location:
START>Program Files>Accessories>System Tools>Backup
A Wizard will guide you through the process of
conducting a backup operation on your computer.
Use a Full Backup (Regular) option. If the
Backup option is not available, you can install
it from Add/Remove Software, Windows Components,
from the Control Panel.
This is a manual process and will take more than
an hour. The end result of the backup will be to
create a single compressed file (*.bkf), that
will look something like this once the process
is completed.

You can call the file whatever you'd like,
perhaps even the date of the backup itself, and
target the backup to a removable location: a
CD/DVD burner, a dynamic drive connected by
USB... the idea is to move it off of the hard
drive. Do not store this file on a USB thumb
drive - that's simply too easy to lose.
If the media is a CD/DVD or a tape, label the media you copy this file to and put it in a dry, safe place. By following the more advanced features of the ntbackup Wizard, you can actually schedule the backup to happen automatically.
Once the backup file is copied to the external media, it can be deleted from the hard drive of your system. It is good practice to rotate media off-site, and this can be accomplished by taking the previous backup to another physical location (perhaps a home), but do not leave it in a conspicuous place or in your car. Someone who knows what to do with this file could open it and extract your files, so use some caution. And when you make a new backup and rotate the media again, destroy or archive the older media that was at your house.
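A safeguard for the copy-then-delete step above, as an added example that is not part of ntbackup or of the original newsletter: the local .bkf is removed only after the copy on the removable media hashes identically, and the recorded hash lets you re-check the media later. The folder names, the date-based file name and the stand-in data are constructed for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large .bkf files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def move_backup_to_media(local_bkf: Path, media_dir: Path) -> Path:
    """Copy to the media, verify the copy, and only then delete the local file."""
    target = media_dir / local_bkf.name
    if target.exists():
        raise FileExistsError(f"{target} exists; refusing to overwrite")
    expected = sha256_of(local_bkf)
    shutil.copyfile(local_bkf, target)
    if sha256_of(target) != expected:
        target.unlink()
        raise OSError("copy differs from the original; local backup kept")
    # Record the hash beside the backup so the media can be re-checked later.
    Path(str(target) + ".sha256").write_text(f"{expected}  {target.name}\n")
    local_bkf.unlink()
    return target


def verify_media(bkf_on_media: Path) -> bool:
    """Re-hash the stored backup and compare with the recorded value."""
    recorded = Path(str(bkf_on_media) + ".sha256").read_text().split()[0]
    return sha256_of(bkf_on_media) == recorded


def demo():
    """Constructed run in temporary folders standing in for the PC and the media."""
    with tempfile.TemporaryDirectory() as tmp:
        pc, media = Path(tmp, "pc"), Path(tmp, "media")
        pc.mkdir()
        media.mkdir()
        local = pc / "2007-02-01.bkf"  # constructed name: the backup date
        local.write_bytes(b"constructed stand-in for backup data" * 1000)
        stored = move_backup_to_media(local, media)
        intact = verify_media(stored)
        with stored.open("r+b") as fh:  # simulate a damaged disc
            fh.write(b"X")
        return local.exists(), intact, verify_media(stored)
```

A hash kept on the same media catches accidental damage, not deliberate tampering, and does nothing to keep the contents private from someone who takes the media.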
Naturally, if you have a system administrator in
your work place, discuss your backup concerns
with them first - they might already have a
solution on the network that could automate the
process and put your concerns at ease. At
least the conversation could inform you on the
process for recovering your files in a crisis
situation.
Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.
p.s. - We can help with data backup, archive,
and retention strategies. Ask us how!