Did a colleague forward this newsletter? Please email me to join the list and receive your own copy.
Blog and Syndicated Articles
Please visit the Technology Reflections Blog on the Web for new articles, explainers, and opinion. Here's a sampling of entries made this last month.
US-CERT Advises of Critical PDF Vulnerability
Microsoft Office 2003 SP3 Released
GAP Breach Exposes PPI of 800,000
Terminal Server Printer Redirect Tool
Neolingo
SAAS
Software As A Service (SAAS) represents the next evolution of software distribution and the next big boon to small business. Instead of purchasing a retail software product off the shelf in a box, software can be purchased at a subscription rate and run across the Internet.
SAAS solutions are run across the Internet - they aren't installed on the local hard disks of personal computers or servers. Small businesses can immediately gain the capability of the software without complex installation or maintenance. This is great for small business because there's no barrier to entry and no special expertise needed to maintain the software, and the software is available anywhere there is an Internet connection. And the cost is sometimes free, otherwise scalable - pricing is based on a per-user subscription rate, allowing the solution to be relatively inexpensive as compared to regularly installed applications.
Examples of SAAS are netsuite.com, salesforce.com, zoho.com, blinksale.com, goplan.com, Google docs, etc.
The risk behind SAAS solutions has to do with the confidentiality of intellectual property and its physical dislocation from the company - critical information isn't stored or managed by the company itself.
News and Announcements
Beginning in January, we're offering a free one hour presentation on business continuity and online data backups. Please register for this event online via our website.
Thurs. January 10, 2007
10:00am
Battle Grounds Coffee Co.
113 E Main Street
Battle Ground, WA 98604
360.666.2441
Join Us in the Large Conference Room Upstairs!
Mickler & Associates, Inc. welcomes its new customer:
Bugs and Viruses
Two issues came to mind this last month - a worm by the name of w32.mabezat, and the increasing prevalence of misleading applications.
w32.mabezat is a worm that spreads through email, removable drives, and network shares. As a self-replicating virus, mabezat is a problem to contain, especially if it's released on an unmanaged small business network. The worm encrypts critical files in Windows, which could make removal and restoration of a PC somewhat difficult. Make sure your anti-virus solutions are up-to-date, limit the use of USB drives, and also make sure there's an anti-virus solution scanning your corporate email server's SMTP (email) traffic, as this is the preferred way mabezat would enter a small network. The strategy here is to avoid an initial compromise that would exploit unprotected network resources.
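One concrete way to "limit the use of USB drives" on a Windows workstation is to stop the USB mass-storage driver from loading. The script below is an added example, not part of the newsletter and not a vendor tool; it reports the current state of the USBSTOR driver and, only when run with -Enforce, sets its start type to Disabled (start value 4, the documented "disabled" value, versus the default 3 for manual start). It assumes a current Windows version with PowerShell and must be run from an elevated prompt; it does not affect mice, keyboards or printers, only removable storage.

```powershell
# Added example: audit (and optionally enforce) the removable-storage restriction
# the article recommends. Not from the newsletter. Run elevated.
param([switch]$Enforce)

$usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Start = 3 means the driver loads on demand (default); 4 means disabled.
$current = (Get-ItemProperty -Path $usbStorKey -Name Start).Start

switch ($current) {
    3 { Write-Host "USB mass storage: ENABLED (Start=3) - removable drives will mount." }
    4 { Write-Host "USB mass storage: DISABLED (Start=4) - removable drives will not mount." }
    default { Write-Host "USB mass storage: unexpected Start value $current" }
}

if ($Enforce -and $current -ne 4) {
    # Set the driver to Disabled; takes effect for newly inserted devices without a reboot.
    Set-ItemProperty -Path $usbStorKey -Name Start -Value 4
    Write-Host "USB mass storage driver set to Disabled."
}

# Also show whether any removable drive is currently attached, which is what
# an administrator checking a freshly cleaned PC would want to know.
Get-Volume | Where-Object DriveType -eq 'Removable' |
    ForEach-Object { Write-Host ("Removable volume present: {0}" -f $_.DriveLetter) }
```

Run without arguments to audit, or with -Enforce to apply the restriction; to reverse it, set Start back to 3. On a domain this is better done once through Group Policy ("Removable Disks: Deny all access" under Removable Storage Access) than by script on each PC.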
Misleading applications is a term describing a new classification of SAAS utilities that perform questionable functions or services. Example: users are prompted to check their system for spyware, and a SAAS product is installed that is difficult to get rid of, mis-reports problems, or is generally a means of advertising to the end-user. In effect, the user was tricked into authorizing the installation of the application, and it's not performing a valuable or relevant function.
Spotting misleading applications is hard and really just comes from recognizing that the request for installation is presented by a web application rather than a local, trusted application (like Symantec's Norton Anti-Virus). Some examples of misleading applications: Live Antispy, OnlineGuard, PC Raiser, Dr. Protector, Deus Cleaner, ErrorDigger, ErrorInspector, and MySpyProtector.
Unfortunately, most anti-virus solutions cannot distinguish a misleading application from a normal, beneficial one, so it's really up to training end-users to refuse the installation of any software on their system and to decline any offer from web-based software to "check their system." The sure-fire solution on this one is simply education.
How to Create a Technology Strategy for Your Small Business!
Additional Resources for Technology and Business Professionals
BMighty.com
A good reference for IT students and for technically-inclined small business managers, BMighty.com discusses how information technology solutions are addressing the SMB marketplace. Good articles, white papers, blogs, FICKR's, and how-to's on problems concerning the IT field. It may be a little too heavy for the non-technical reader.
FreePatentsOnline.com
This one came to me from a reader. It's a great site for being able to review and search patents, and is a little easier to use than the official US Patent and Trademark Office system. I think one of the coolest features of this site is an RSS feed for patents based on product classifications. In effect, you can get a free feed on patents filed with the US Government in your specific SMB area of interest.
IRS Small Business and Self-Employed One-Stop Resource
A comprehensive site from the IRS on everything small business and sole-proprietor? Yeah, I was skeptical, too. Last time I checked, they wanted to distribute all of this information on some kind of lame CD ROM. Now it's online, concise, easy to navigate, fresh, and relevant. This site isn't so bad, albeit visually dull and simple. Maybe not a bad site to bookmark given the turn of the calendar next month.
Technology Reflections is a newsletter sponsored and prepared by Mickler & Associates, Inc. of Battle Ground, Washington. The newsletter addresses the technology concerns of small business in everyday lingo, and reflects on trends, issues, and tips to help your company gain competitive advantage from tech spend. Please feel free to distribute to colleagues and partners.
Bits on Bots: The BotNet and Your Small Business
In June 2007, the FBI announced that over 1 million computer systems had been infected by malicious software programs called bots; in November 2007, the FBI issued a revision of that figure to 2.5 million computer systems. A bot is a relatively new term to the management lexicon, and it's important to understand how it relates to information security.
Bots are software programs written to exploit a vulnerability on a personal computer system connected to the Internet. In exploiting that vulnerability, the computer can be issued a remote command from a central intelligence figure - a BotMaster or a BotHerder, which is simply another way of referring to a hacker - turning the infected computer into something of a zombie. Meanwhile, bots replicate independently of their master by identifying more computers vulnerable to the same form of attack, and collectively - many hundreds if not thousands of bots - a BotNet can be issued commands by the hacker to do malicious things.
Bots are exceptionally difficult to spot and increasingly difficult to contain. The FBI study indicated that all kinds of computers, even government computers, have been found to be members of BotNets. BotNets can exceed 100,000 PCs in size and can be ordered to distribute email spam and viruses, attack other computers and services, and be turned into grid computing nodes to collectively work on cracking encrypted passwords.
Computers infected by a bot will be unexplainably slow and display confusing messages that may be unrelated to the problems you've asked it to work on. On a larger scale, entire networks can experience sudden latency or connectivity problems to the Internet. Otherwise, it's difficult to tell if your computer has been turned into a zombie. Bots exploit vulnerabilities in software that remains unpatched, and they can be identified by traditional anti-virus packages.
As a small business manager, there are eight steps you can take to protect your microcomputers and servers against bot infestation.
1. Firewall. Make sure a firewall exists on your network and that its software is patched and up-to-date. Also make certain that individual PCs have their Windows Firewall activated as a personal firewall to protect them from internal attacks.
2. Anti-virus. Make sure your microcomputers are running a commercial software package capable of detecting and disinfecting viruses. A free online tool is available from Microsoft to perform a free scan of your computer, but a full software package is highly recommended. If you're looking for a free full anti-virus package on a Windows XP workstation, I tend to recommend AVG or Panda.
3. Real-Time Sandbox. A sandbox is a term referring to a "protected mode" state of an application as it runs in memory. If you haven't already done it, upgrade your PC's Internet Explorer browser to IE 7.0. By default, this version of Internet Explorer operates in a sandbox and isolates IE's ability to fiddle with other loaded operating system objects. Your browsing is safer.
4. Phishing Filters. If you've installed IE 7.0, great - use its automatic phishing filter to help protect your system from known scams. Otherwise, use a commercial product to protect your system.
5. Windows Defender. Defender is a free product from Microsoft that scans for, stops, and prevents malicious activity on your computer. It is an anti-spyware utility. If you're still on Windows XP and not running Windows Vista yet - Defender comes native with Vista - download and install Defender.
6. Software Updates. Set all of your Windows workstations to automatically update themselves. New patches and security files are distributed by Microsoft all the time to combat zero-day vulnerabilities.
7. Use the MMSRT. The Microsoft Malicious Software Removal Tool is a free product from Microsoft that is updated with some regularity - about once a quarter. Once downloaded to your system and run, it performs a sweep of your system and makes various recommendations to repair the system. Just follow its instructions. After its use, it can be safely uninstalled using Add/Remove Programs.
8. Education. By now, it should be common knowledge that teaching your staff not to open email attachments, or approve the installation of misleading applications from the Internet, is a good thing. Keep doing it. The best form of botnet protection you can provide is the knowledge of avoiding risk behaviors.
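The checklist above is a set of settings a manager can actually verify. The script below is an added example (not from the newsletter, and not a Microsoft tool) that audits steps 1, 2, 5, 6 and 7 on one PC and prints a pass/fail line for each. It assumes a current Windows client (Windows 10 or 11) where the NetSecurity and Defender PowerShell modules exist, since the Windows XP era tools named in the article have no PowerShell interface; the 7-day and 45-day thresholds are my own choices, and the MSRT registry location is an assumption about where the tool records its last run.

```powershell
# Added example: read-only audit of the anti-bot checklist. Run from an elevated prompt.
$report = [ordered]@{}

# Step 1: every Windows Firewall profile (Domain, Private, Public) should be on.
foreach ($profile in Get-NetFirewallProfile) {
    $report["Firewall enabled ($($profile.Name))"] = ($profile.Enabled -eq 'True')
}

# Steps 2 and 5: real-time anti-malware protection running, signatures recent.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['Real-time protection enabled']   = $mp.RealTimeProtectionEnabled
    $report['AV signatures younger than 7 days'] = ($mp.AntivirusSignatureAge -lt 7)
} catch {
    # Get-MpComputerStatus fails when a third-party anti-virus has replaced Defender;
    # in that case check the vendor's own console instead.
    $report['Defender status'] = 'unavailable (third-party anti-virus?)'
}

# Step 6: automatic updates are only useful if patches are actually landing.
$lastPatch = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$report['Patch installed in last 45 days'] =
    [bool]($lastPatch -and $lastPatch.InstalledOn -gt (Get-Date).AddDays(-45))

# Step 7: the Malicious Software Removal Tool leaves a version marker here when it
# has run (assumed key; absent means it has never run on this machine).
$mrt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT' -ErrorAction SilentlyContinue
$report['MSRT has run on this PC'] = [bool]$mrt

# One line per check so the items still needing attention stand out.
$report.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $_.Value
}
```

Anything reporting False is a checklist item to fix; steps 3, 4 and 8 (browser version, phishing filter, staff training) are not visible from a script and still need to be confirmed by hand.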
"Consider the millions of lines of code on our PC's and risky user behaviors ... suddenly, the problem is exponential."
So why botnets? Why are our computer systems so insecure in the first place? Well, the Windows operating system alone has over 55 million lines of code, and the probability for error - even by a small factor - is relatively large. Further, programs introduce more millions upon millions of lines of code which could also be suspect. Combine those inherent vulnerabilities and errors in software with risk behaviors, an inattention to software patching, or a lack of attention to anti-virus utilities, and suddenly the problem explodes exponentially.
Some argue that the battle is already lost - that bots and botnets are permanent fixtures of Internet computing and represent a rising risk to information system security. No doubt botnets are becoming increasingly more sophisticated and pervasive, but it's also a manageable problem so long as the response is proactive and informed.
Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.
360.601.0818 | rmickler@micklerandassociates.com
Skype for the Small Business
What if I told you that you could take advantage of Voice Over IP (VOIP) right now, using your existing broadband connection to your ISP?
1. That you can make telephone calls to land-lines anywhere in the world for fractions of what you'd pay your phone company (an average of 1.7 cents a minute)? Can you imagine making as many calls as you want, to any domestic US number, at any time, for under $3/mo. per user?
2. That you could call remote business offices without tie-lines or PBX connections for free?
3. That customers can connect directly to you via a phone call made from your own website? For free?
4. That you'd get the same features you've come to expect from your phone system: voice mail, conference calling, call forwarding, SMS texting... but what if it could all interconnect with your Microsoft Outlook contacts, and allow you to conduct live video calls, seminars, and presentations?
5. And what if you could manage your company's total voice solution using an electronic web-based dashboard... allowing you to allocate calls and credits to employees, and generate consolidated invoices of activities?
And what if I said this is a SAAS solution that gets installed on your computer - a license for your whole small office - for under $300?
Backed by the financial power of AOL, Skype is growing and has now introduced the Skype Small Business Package. If you don't recognize the name, Skype is the tool that you can download right now to make free calls to any other Skype user from your computer to anywhere in the world. The voice quality is reasonable and the software is intuitive and easy to use. Their SMB Package provides, through a software package on your PC, the common features we'd find in a sophisticated telephone system.
The trick to understanding Skype is to accept the paradigm shift. The principle is called Convergence: that phones and computers are really the same thing. Try to realize that your PC - armed with a fast Internet connection, a microphone, and the right software - can perform all of the functions of a PBX or hybrid telephone key system; the same kind of stuff that expensive handset does sitting on your desk.
These VOIP systems demand their own chassis, feature modules, software, installation, maintenance and service expenses, and their own telecommunications circuit to your telephone company, and can cost a small business anywhere from $3,000 to $25,000 depending on scale and complexity. And, in realizing that you can save that much in capital equipment, you should also recognize that you can pass these calls over your existing Internet connection, greatly reducing or eliminating telephony expenses through consolidation against your ISP expenses. Lastly, it allows the SMB to tap into extensive capability without in-house technical expertise or expensive long-term support agreements with vendors.
Now, is the Skype solution great for everybody? Maybe not, especially if your staff can't make the conceptual transition that their phone and computer can be the same device and that the computer will literally "ring" like a phone. Also probably not if the control of such features is better designed and orchestrated from within the company, or if Internet connectivity is spotty and less than 1.54 Mbps throughput down.
However, if you're a small business with fewer than 20 employees, if your employees are adept at using the computer for instant messaging or chatting, you've got modern broadband, and you're looking to cut some major costs for similarly scaled functionality, the new Skype Small Business offers a great deal of value to the SMB.
Russell P. Mickler, CISSP | MCSE
Principal Consultant, Mickler & Associates, Inc.
360.601.0818 | rmickler@micklerandassociates.com