
Mickler & Associates, Inc. - IT Strategies for Small Business
Four | December 2006
 
     
Did a colleague forward this newsletter? Please email me to join the list and receive your own copy.

Blog and Syndicated Articles

Please visit the Technology Reflections Blog on the Web for new articles, explainers, and opinion. Here's a sampling of entries made this last month.

Nov 21.
The Web Announces 3 Beta.

Nov 18.
The Fall of the Geek.

Nov 15.
State Data Breach Laws.

Nov 5.
Top Five IT Trends for 2007.

Oct 30.
MsOffice Accounting Express 2007.

Oct 28.
A DoS Explainer.

Oct 27.
Five Reasons Why Microsoft's Support Constraints are Good for Small Business.
 

Neolingo

Neolingo will introduce you to important Internet vocabulary.



PageRank

Google's patented method for measuring page importance on a scale from 0 to 10, where 10 is the highest. The PageRank algorithm analyzes the quality and quantity of links that point to a page. If you own a webpage and don't know its PageRank, you should!
 

News and Announcements

Mickler & Associates, Inc. is a proud supporter of the Camas Ohana Volleyball Club! We applaud the girls as they take on the new 2007 season! YAY - Go team!

And we'd like to wish everyone, all our readers, their families, and associates, a wonderful holiday season!

A new presentation has been added to our online documents section: Organic Search Engine Optimization Techniques. Things you can do to improve your site's search engine results.

Bugs and Viruses

Use PayPal? There's a lot of buzz about the latest PayPal phishing scam. What's interesting about this scam is how professional it looks, with its graphics and narrative - it sounds and looks like a corporate promotion inviting you to click on a hyperlink to confirm your security settings. Check out the link to see a picture of what the scam looks like so you know what to look for.

Got worms? As of Nov. 22, the second-largest virus on the planet right now is actually a worm, NYXEM.E. This guy's a doozie and is the fifth iteration of a nasty little worm that's been circulating since last February! This worm is self-replicating and can use various channels (email, file shares, and drive systems) to copy itself and re-infect computer systems.

The NYXEM.E worm creates an email message that is used to infect other computers, and once a machine is infected, it scans the local area network for the default C$ and Admin$ shares on connected workstations. If those shares are accessible, it places a copy of itself into them so that users might run it. Furthermore, the worm deletes autorun entries from the local Registry in an attempt to prevent an antivirus package from starting after reboot. And if that wasn't bad enough, the worm creates a Windows scheduled event to attempt to launch itself at the 59th minute of every hour and, if it can, it even tries to disable the local mouse and keyboard of the infected machine.

NYXEM.E follows the "old school" idea of simply being a malicious agent bent on doing harm to your computer system. Today, many worms try to remain silent and resident on your computer to capture your passwords, see where you browse, or commandeer your PC for distributing spam. You wouldn't want this - make sure your anti-virus packages are updated on all of your PCs, especially if you run a small network inside your company. If you need to buy new subscriptions, get new subscriptions - this worm is presently positioned as Number 2 for the past 30 days!

Finally, a word about a hoax that's circulating out there, called A Virtual Card For You. The language in the email attempts to suggest that Microsoft and CNN have identified the most powerful virus ever and that it'll be delivered in the form of an e-greetings card sent to your email. Its intention is to get you to panic if you find a greeting card in your inbox and to forward the darn message to everyone you know. And naturally it's circulating well because of the holidays. This is a hoax, folks. It's not real. Yep, you can safely delete the message and read your e-greeting cards.

 

Learn more about hard drives and other forms of secondary storage


Additional Resources for Technology and Business Professionals

Oregon State's Small Business Resource Center is found online at BizCenter.org. This is a great website for the small business in Oregon, introducing you to all of the state's services and a great set of information resources (sign in anonymously using your zip code instead of registering).

Washington State's Small Business Development Centers - wsbdc.org - is also useful but not as flashy or as sophisticated as Oregon's website. Kind of dry, opens into a confusing map, not extraordinarily compelling navigation and broken features.  Why am I recommending this? Oh yeah - because Oregon's SBRC rocks!

I'm not sure if you've heard of this term but I've rather taken to it - solopreneur. It's a name for all of the one-person-band companies that are starting up out there, and now we have our little niche on the web. The Solopreneur Zone provides articles, information, advice, discussions, and ideas on marketing yourself and controlling your private enterprise. 

Finally, this little gem came to me by way of an E-Business class at the University of Phoenix this month. It's an interview with Thomas Friedman, the author of The End of Work. You'll probably need a RAM player to watch this video, like RealPlayer.

Technology Reflections is a newsletter sponsored and prepared by Mickler & Associates, Inc. of Battle Ground, Washington. The newsletter addresses the technology concerns of small business in everyday lingo, and reflects on trends, issues, and tips to help your company gain competitive advantage from tech spend. Please feel free to distribute to colleagues and partners.

Disposing of Used Hard Drives

Following a microcomputer upgrade, you might wonder what to do with the hard drive found in the old system. Everybody understands the risk: the confidential data on the old hard drive could eventually end up in the wrong hands. But what do you do about it?

Delete the Files. Many believe that simply deleting the files off the drive and keeping the operating system intact is acceptable. This is mistaken - deleted files are really never deleted from the computer and someone with the appropriate tools can easily retrieve them.

Format the Drive. Others believe that formatting the drive, wiping the operating system and applications off the hard disk, is acceptable. Again, a common misconception - formatting the drive just replaces the index that points to the files found on the hard disk. Rebuilding the index to recover the files, which are still intact on the drive, isn't that difficult to do.

Low-Level Format. Some technical experts might suggest a "low-level" format of the disk. All this refers to is deleting an area on the disk called the master boot record (MBR) and the partition table; in effect, the rest of the file data is kept intact, so indexes, partitions, and MBRs can be rebuilt with the right tools. Indeed, "low-level format" is not a perfect option.

Zero-Fill the Drive. Closer to what is desirable is an option you might find in the system BIOS called "Zero-Fill" - overwriting each sector on the drive with zeroes. Sometimes this capability ships with the BIOS and sometimes it does not; Zero-Fill utilities are often purchased separately and run against the hard drive. This process will take hours but is extremely thorough, overwriting each bit on the drive with zeroes and making it very difficult to reconstitute the drive's original data.

Physical Destruction. However, Zero-Fill still leaves the drive readable and functional. Many experts agree that, if you do not intend on using the drive again, your best bet is to take a swift and heavy hammer to the hard drive.
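To make the difference between the four software options above concrete, here is an added toy-disk simulation in Python (example code written for this page, not code from the original newsletter or from Mickler & Associates); the disk layout, the file name and the sample "SSN" string are constructed for illustration.

```python
# Added example: a toy disk that models "delete", "format" and "zero-fill".
# Sector 0 is reserved for the index/partition table, which we model as a
# dict (think of a FAT or MFT entry); sectors 1..n hold raw file data.
SECTOR = 16  # constructed sector size, small enough to read by eye


class ToyDisk:
    def __init__(self, sectors=8):
        self.sectors = [bytearray(SECTOR) for _ in range(sectors)]
        self.index = {}  # file name -> data sector

    def write_file(self, name, data):
        used = set(self.index.values())
        sector = next(s for s in range(1, len(self.sectors)) if s not in used)
        self.sectors[sector][:len(data)] = data
        self.index[name] = sector

    def delete_file(self, name):
        # "Delete the Files": only the index entry goes; the bytes stay put.
        del self.index[name]

    def format(self):
        # "Format the Drive": the whole index is replaced, data sectors untouched.
        self.index = {}

    def zero_fill(self):
        # "Zero-Fill": every sector is overwritten with zero bytes.
        for s in self.sectors:
            s[:] = bytes(SECTOR)

    def carve(self, needle):
        # What a recovery tool does: scan raw sectors, ignoring the index.
        return [i for i, s in enumerate(self.sectors) if needle in bytes(s)]

    def verify_zeroed(self):
        # The check worth running after a wipe: is every byte really zero?
        return all(not any(s) for s in self.sectors)


def demo():
    """Returns which sectors still carry the secret after each step."""
    d = ToyDisk()
    d.write_file("ssn.txt", b"SSN 123-45-678")  # constructed sample data
    d.delete_file("ssn.txt")
    after_delete = d.carve(b"123-45")  # still recoverable
    d.format()
    after_format = d.carve(b"123-45")  # still recoverable
    d.zero_fill()
    after_zero = d.carve(b"123-45")  # gone
    return after_delete, after_format, after_zero, d.verify_zeroed()
```

Run `demo()` to see that delete and format leave the secret in sector 1, while only the zero-fill clears it and passes the verification check.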

"When retiring a hard drive, physical destruction makes information inaccessible," said Simson L. Garfinkel, Harvard University Department of Computer Science and a postdoctoral fellow at the Center for Research on Computation and Society at Harvard University. Garfinkel attended the MIS Training Institute's Annual Conference and Expo on Control and Audit of Information Technology in Boston last week.

Smashing the hard disk may seem a little extreme; admittedly, there may be opportunity in reselling the drive or donating it to a worthy charity. Physical destruction, however, is the only way to guarantee that access to the data cannot be achieved. Even degaussing a drive (magnetically wiping the contents of a drive) is not perceived as effective in protecting confidentiality as physical destruction.

Organizations are encouraged to implement audit controls that outline data disposition and destruction policies for hard disks, then record the time, date, and method of each drive's destruction. Doing so preserves a record of "best practices" handling that can limit a company's legal exposure in this area. In fact, HIPAA and other regulatory influences demand that a policy like this be implemented in conjunction with a second-party certification process for disposing of electronic information.

In the health industry, there's a saying: "There's no safe cigarette." In the technology industry, there's a similar saying: "Nothing is ever truly deleted." Keep that in mind when you're preparing for your next upgrade.

Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.

p.s. We can help with certified disposition and destruction of hard drives - ask us how!

Securing Thumb Drives

Thumb drives are the USB stick drives that everybody is carrying around these days. What's cool about them is their high capacity, their portability, and, their ease of use. Increasingly, I find clients and students porting around extremely sensitive information on thumb drives as a form of tertiary backup - a fall-back just in case a hard drive or server backup goes bad.

However, this is bad policy. If you think about it, these things are entirely unsecured and can be used by anyone; they bypass any physical controls you might have securing your office, because you're taking the data with you, and they bypass any technical controls like firewalls, anti-virus, encryption, or other logical security implemented on your network. In short, you're hauling around the very asset you're trying to protect, all because of convenience, and making the data even more vulnerable.

Even the US Military found this out earlier in the year in Iraq when thumb drives containing military information were found for sale in open markets. Thumb drives aren't conducive to protecting the confidentiality of data.

However, there are ways to mitigate the vulnerability with some free and useful software. TrueCrypt is a free open source product that allows you to encrypt the contents of your thumb drive.

TrueCrypt is wizard-driven and easy to use. It works by creating a virtual volume file on the disk, stuffing all of your other files into it, and then demanding a password to decrypt and see the data. Encryption is on-the-fly and transparent, using a variety of known algorithms - AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish. If your thumb drive is lost, nobody can easily get access to your files; trying to do so would take an exceptionally long time using a microcomputer (several hundred years), so encrypting the drive serves as an effective deterrent. The would-be hacker would rather find an unencrypted drive to work with and will leave your data alone. And yes, TrueCrypt can even be used to create secure encrypted containers of files on your hard drive.

So, if you have to use a thumb drive, take a few minutes to make it a little more secure. Protect your data from accidental loss or theft.

Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.

Securing a Blackberry

It seems like I can't go anywhere these days without finding a client who's addicted to the "Crackberry".  The advice that I have to give concerning securing the Blackberry is to create a layer of protection around your email account if you use the Blackberry for accessing your email.

Use Updated Software. Make sure you have the latest software for your device. You can download the latest desktop agent and software for the Blackberry here. To find the version of handheld software you are running, on the handheld, go to Options and then choose About from the Options menu.

Set Password Timeout. Set the password and timeout option.

1. Select Options.
2. Select Security.
3. Next to "Password", highlight the word Disable.
4. Click the track wheel.
5. Select Change Option.
6. Select Enable.
7. Enter your password and press the Enter key on the pad.

Note: The password must be 4 to 14 characters in length. You must not enter a password composed of identical characters or a natural sequence (e.g., 1, 2, 3, 4), as it will be rejected.

8. Enter your password again to verify it.
9. Next to "Security Timeout," highlight the displayed time.
10. Click the track wheel.
11. Select Change Option.
12. Choose a time for the Blackberry to time out and lock. (5 minutes is usually best)
13. Exit the "Security" screen - press the Escape key.
14. You will be prompted to save.
15. Select Yes.

Whenever you put down your Blackberry, lock it by selecting Lock from the main menu.

Avoid Using PIN-to-PIN Messaging. When using the Blackberry Enterprise Server Redirector, email messages are encrypted. However, PIN-to-PIN messages are not encrypted and are transmitted in plaintext. You should not send sensitive information in a PIN-to-PIN message; use email instead.

Securing a Bluetooth Device

There is a discipline in the hacking world that concentrates on infiltrating devices that use Bluetooth. Such devices come in the form of phones, PDAs, and personal entertainment systems. These devices are often synchronized with desktop data and are easier to hack than your PC. Here are a few ideas for protecting your portable data from the bluehacker.

1. Password Complexity. Set a password of at least eight characters long when pairing the device.

2. Don't Accept Files. If you don't know who is transmitting a file to your device, do not accept the file.

3. Unpair the Device. If your Bluetooth device is lost or stolen, then unpair it from your desktop and other devices.

4. Upgrade. Make sure the software and firmware on the Bluetooth device are the latest versions.

5. Disappear. Place all Bluetooth-enabled devices in a nondiscoverable mode.

6. Encrypt. Scramble everything stored on your device so that in the event of a hack, the information is protected.

7. Be smart. Avoid storing usernames, passwords or other sensitive information on a Bluetooth device.

8. Avoid Public Pairing. Device-to-device connections could be monitored. Don't pair in public or a crowded area.

9. Techie Advice. Want to sniff Bluetooth packets off the air? Monitor traffic in your space? Try BlueWatch.

10. Power down. For maximum security, turn off your Bluetooth features when not using them.
 

Securing an iPod

Wait, there's more!  Everyone has an iPod these days and some folks actually use the device to store names, numbers, calendar information, and other files that can be easily accessed. iPod does have some simple security features though which can be followed by reviewing Apple's documentation on the subject.

Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.

 

Your feedback is important to us. Want us to cover a specific topic relevant to small business? Please contact us with your comments and questions. Technology Reflections is published on the first day of every calendar month. Want to contribute an article of 300 words or less to Technology Reflections? Just email the article along with a brief bio for possible publication and circulation. To unsubscribe from this distribution, please email your request to be removed from the mailing list.

 Creative Commons License
This work is licensed under a
Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.
© 2006 Mickler & Associates, Inc. All Rights Reserved.
Privacy Statement.