Disabling SSL 3.0 Support on Your Server (POODLE Configuration)

 

Due to a critical security vulnerability with SSL 3.0 (an 18-year-old, outdated technology), we recommend disabling it on your server. We have instructions on how to do that in the Updating section, but we recommend reading the entire document to understand the scope of what this does.

What does POODLE do?
In short, it’s a way attackers can compromise SSL certificates when they’re on the same network as the target, if (and only if) the server the target is communicating with supports SSL 3.0.

Google has a lot more detail on their security blog here.

Does POODLE affect my server/sites?
Because POODLE is a vulnerability in SSL technology, it only impacts sites using SSL certificates. If your server or your sites don’t use an SSL certificate, you don’t need to update your server. However, we recommend doing it now in case you do end up installing an SSL certificate at a later date.

Updating
How you update your server depends on whether your server uses a Linux® distribution or Windows® and if it uses cPanel.

cPanel

cPanel requires slightly different steps from any other control panel/operating system configuration.

To Configure cPanel to Prevent POODLE Vulnerability on HTTP

1. Log in to your cPanel (more info).
2. In the Service Configuration section, click Apache Configuration.
3. Click Include Editor.
4. In the Pre Main Include section, from the Select an Apache Version menu, select All Versions.
5. In the field that displays, type the following, depending on which version of CentOS you’re using:

CentOS Version: CentOS/RHEL 6.x
Type this:
    SSLHonorCipherOrder On
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

CentOS Version: CentOS/RHEL 5.x
Type this:
    SSLHonorCipherOrder On
    SSLProtocol -All +TLSv1

If you encounter errors while applying this update, please review this forum post at cPanel that discusses potential fixes.

6. Click Update.

Preventing POODLE on Other Protocols (FTP, etc.)

Right now, only servers using RHEL can protect themselves against POODLE on non-HTTPS protocols. They can do this by updating to the latest version of OpenSSL, and then implementing TLS_FALLBACK_SCSV.

Servers using CentOS do not yet have a known fix for the vulnerability on non-HTTPS protocols. However, we will update this article with those instructions as soon as we have them.

Linux (Apache)

Modify your Apache configuration to include the following line:

SSLProtocol All -SSLv2 -SSLv3

For more information on how to do that, view Apache’s documentation.
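
An added example (not part of the original article, and not cPanel or Apache code): a small Python checker that evaluates SSLProtocol directives like the ones shown above for cPanel and for Linux (Apache), following mod_ssl's left-to-right +/- rules, and flags any that still leave SSL 2.0 or 3.0 enabled. The expansion of `all` and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumption: what "all" expands to on a mod_ssl build of this page's era
# (SSLv2 and SSLv3 still compiled in). Newer builds drop the SSL versions.
ALL = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
KNOWN = {p.lower(): p for p in ALL}

DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Evaluate the arguments of one SSLProtocol directive left to right.

    '+X' adds X, '-X' removes X, and a bare X replaces everything set so far.
    """
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            group = set(ALL)
        elif name in KNOWN:
            group = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            enabled = group
    return enabled


def audit(config_text):
    """Return (line_no, args, enabled_set, ok) for each active SSLProtocol line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#', so no match
        if m:
            enabled = effective_protocols(m.group(1))
            ok = not (enabled & {"SSLv2", "SSLv3"})
            findings.append((line_no, m.group(1), enabled, ok))
    return findings


# Constructed sample: the three directives from this page plus two weak ones.
SAMPLE = """\
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLProtocol -All +TLSv1
SSLProtocol All -SSLv2 -SSLv3
SSLProtocol all -SSLv2
# SSLProtocol all
SSLProtocol -SSLv3 all
"""

if __name__ == "__main__":
    for line_no, args, enabled, ok in audit(SAMPLE):
        status = "ok" if ok else "SSL 2.0/3.0 STILL ENABLED"
        print(f"line {line_no}: SSLProtocol {args} -> {sorted(enabled)} [{status}]")
```

The last sample line shows why order matters: a bare `all` placed after `-SSLv3` replaces the set and turns SSL 3.0 back on.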

Windows (IIS)

Modify your server’s registry (which removes SSL 3.0 support from IIS) using Microsoft’s document here. You can jump down to the Disable SSL 3.0 in Windows section.

National Cyber Security Awareness Month Tips

October is National Cyber Security Awareness Month by the Department of Homeland Security.

National Cyber Security Awareness Month encourages vigilance and protection by sharing tips and best practices in regard to how to stay safe.

Small businesses are a large target for criminals because they have limited resources dedicated to information system security.  Cyber criminals look for access to sensitive data.

Create a cyber security plan

The Federal Communications Commission offers a Cyber Planner for small businesses.  The planner guide allows specific sections to be added to your guide, including Privacy and Data Security, Scams/Fraud, Network Security, Website Security, Email, Mobile Devices, Employees, Facility Security, Operational Security, Payment Cards, Incident Response/Reporting and Policy Development/Management.

Generate a personalized Small Biz Cyber Planner Guide.

Establish Rules and Educate Employees

Create rules and guidelines for protecting information.  Educate employees on how to post online in a way that does not share intellectual property.  Clearly explain the penalties for violating security policies.

Network Protection

Deploy and update protection software, such as antivirus and antispyware software, on each computer within your network.  Create a regularly scheduled full computer scan.

Manage and assess risk

Cyber criminals often use small businesses that are less-protected to get to larger businesses.  Being a victim of a cyber-attack can have a huge impact on any business including financial issues, loss of possible business partner(s) and many more issues.

Download and install software updates

Installing software updates from vendors can protect your network from unwanted viruses and malware.  Vendors frequently release patches/updates for their software to improve performance and fine-tune software security.  (Example:  Adobe Reader, Adobe Flash and Java updates are critical for protection.)

Backup important business data and information

Create a backup plan for all data including documents, databases, files, HR records and accounting files.  A regularly scheduled backup can be full, differential or incremental.

  • Full Backup:  Backup of all data.
  • Differential Backup:  Backup of all data that has changed since the last full backup.
  • Incremental Backup:  Backup of all data that has changed since the last full or incremental backup.

Control physical access

Protecting physical property is a very important role in protecting intellectual data.  Create a physical security plan to prevent unauthorized access to business computers and components. 

Secure Wi-Fi

Securing your Wi-Fi network consists of a few configurations.  Configure a device administrator password for your wireless access point (WAP) or router, require a password for Wi-Fi access and do not allow the WAP or router to broadcast the Service Set Identifier (SSID), also known as the network name.

 

Implementing BYOD

Bring-Your-Own-Device (BYOD) is permitting employees to bring personal devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access company information and applications.

Create a Private App Store

Designing a private App Store provides the ability to manage custom and purchased apps.  Businesses can manage apps by pushing mandatory apps, approving recommended apps and blocking rogue or unrelated apps.

Policy Compliance

Policies ensure security, productivity, protection of resources and reduce risks.  Implementing a location-based service (LBS) such as Geo-Fencing and GPS will set limitations on access to data based on location.

Strong Security

There are many layers of security for a BYOD environment.  Device enrollment can be a one-time passcode and/or Active Directory credentials.  Applying user profiles will distribute policies, restrictions and Apps based on logical groups (department/location/device type).  Other types of security are tracking device locations, Remote Lock, Complete Wipe and Corporate Wipe.

Track Usage

Usage thresholds can be monitored based on talk, text, data and roaming for each user.  Setting up alerts and reports for misuse, excessive bandwidth, additional charges and security exposures will help track usage appropriately. 

Banning Rogue Devices

Compromised devices such as a “jail broken” iPhone or a rooted Android should be restricted from accessing enterprise data and resources.  Compromised devices are susceptible to virus attacks.

For more information on Mobile Device Management

Contact us at 856-745-9990 or click here.

 

Protection for WiFi

Takeaway:  Five simple ways to protect your information when using WiFi and Hotspots.

WiFi is exchanging data through a wireless local area network (WLAN) from electronic devices including smartphones, laptops and tablets.

Also, WiFi is available in public places such as Airports and Restaurants.  Identity Thieves, Hackers and Criminals take advantage of WiFi because it is convenient for users to access personal information.

1.  Avoid accessing your bank accounts & online stores:

When using public WiFi, it is best to avoid using your credit card or banking information.

2.  Double check the WiFi name:

Prior to connecting to a public network double check with an employee for their network name.  Identity thieves can create a false Hot-Spot, have users connect and then steal personal information.

3.  Turn-Off “Auto Connect”:

Stay in control of what networks you connect to.  Smartphones have a setting that automatically connects you to the closest open network.  Simply turn this setting off to decide what networks to connect to.

4.  Never use the same Password:

An additional step you can take to keep online accounts safe is to use different passwords for each account.   Using the same password makes stealing your information easier for criminals.

5.  Check the Lock:

The extra layer of security is the locked padlock in the address bar of your browser or “https” which means that your information has been encrypted.

LivingSocial’s Cyber Attack

A recent victim of a cyber-attack is the local daily deal site, LivingSocial.  Merchant and customer banking and credit card information was protected during the attack.  Regrettably, 50 million subscriber names, dates of birth, e-mail addresses and hashed passwords were compromised.

Steps to further protect your personal information:

  1. An e-mail from LivingSocial will provide you with the necessary steps to create a new password.
  2. If you are using the same password for multiple accounts it is strongly recommended to change all passwords.
  3. After an attack, hackers try to use phishing to extract additional information.  Before changing your password make sure that you are directed to www.livingsocial.com.
  4. Always protect yourself by never sending personal information via e-mail to any person or organization.

Misunderstanding Cloud Computing

Takeaway:  Understanding Cloud Computing for technological infrastructures.

Cloud computing is the delivery of computing resources as a service over the Internet.  The varieties of services offered are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Desktop as a Service (DaaS) and Network as a Service (NaaS).

Scalability, fast provisioning and agility help all organizations, big and small, reach monetary growth.  

There are a few major misunderstandings associated with joining the Cloud Computing revolution, such as:

It’s A Trend:

Cloud computing is a credible and efficient tool with longevity.  If you use social media, eBay, Gmail or Online Banking, you are already using Cloud Computing.

It’s not as Secure:

Cloud computing is a significantly safe way to store, share and secure your data.  Clients are highly recommended to use the Cloud’s host-based firewall.  Also available are host-based intrusion protection programs specialized for virtual machines and Cloud Clients (Example – Trend Micro Deep Security or Symantec O3).

It’s Costly:

Even with the move to the cloud and monthly costs, organizations could save money long term on IT Management Services.

It’s Complicated:

There are many different types of Cloud Computing to choose from that should make executing hassle-free.

It’s only for Large Organizations:

The Cloud is not reserved for Large Organizations only.  Virtual Desktop Infrastructure (SaaS or DaaS) can be a cost-effective solution for organizations of any size. 

Changes are not strategic:

Plans are setup to acquire full benefits offered by Cloud Computing by integrating corporate strategy and technology with the advantage of using internal resources.

Cloud is inoperable if the Internet goes down:

Having another provider with a secondary connection is a logical setup for all companies.  Most organizations already operate with a connectivity “safety net”.

 

To migrate your business to Cloud Computing, please visit BigBeagle.com

 

 

Doomsday – Windows XP End of Life

 

Takeaway:  Risks with staying with Windows XP after April 8, 2014.

Since being released worldwide on October 25, 2001, Windows XP has become one of the most popular versions of Windows.  OEM and retail sales of Windows XP ended in June 2008, while smaller OEMs continued to sell the Operating System until January of 2009.

On April 10, 2012, Microsoft officially announced that as of April 8, 2014 they will end extended support for Windows XP and Office 2003, after which no new bug fixes or patches will be issued.

Organizations may be taking a spontaneous risk and assume that Windows XP’s prolonged life means major vulnerabilities have been acknowledged and dealt with.  If XP were secure, there still might be application-level vulnerabilities.  Even the ranges of security breaches are inadequate to persuade some organizations that are still using Windows XP to upgrade.  The dynamics that have safeguarded XP’s success are now working against the organizations that stuck by the operating system.

A major aspect attackers assess during their investigation is the operating system and the applications used within an organization.  With Microsoft ending their support, the vendors for applications running on it will most likely end support.

On the other hand, those preparing to continue using XP after the cut-off date are going to be in an unpleasant situation trying to protect their intellectual property, but can take certain steps to limit exposure to risk.  There are specific technologies you could deploy that will permit you to remain using legacy systems.  Mitigating technologies like Host-Based Intrusion Protection will be able to identify that a vulnerability exists and make that vulnerability difficult/impossible to exploit by applying a virtual patch to those non-supported environments.

However, XP’s acceptance is down to the technology itself and an operating system format that people are content with.  The significant changes with Windows Vista, Windows 7 and especially Windows 8 are the reason people are resistant to change.

To protect and upgrade your home or business

please contact us at 856-745-9990

 

Tight Budget? 10 Great Tools If You Are on a Budget

Takeaway: From diagnostic tools to antivirus to backup utilities, this list of freebies will help you do more with less.

If you’re trying to stretch a thin IT budget, you probably can’t afford a lot of pricey tools. Luckily, a number of highly useful tools are available for free. Some of them even work better and are more efficient than their costlier alternatives.

1: ComboFix

When the standard antivirus/malware software can’t seem to find the problem, ComboFix almost always does. It also looks for and removes most rootkits and Trojans. To use this tool, you must completely disable all antivirus solutions (and you should completely remove AVG). Caution: If ComboFix is not used properly, it can wreak havoc on the machine you’re trying to fix.

2: ProduKey

ProduKey will help you get product keys from installed applications so that when you need to migrate to a new machine, you can continue using those costly licenses. ProduKey will recover keys from more than 1,000 software titles, including Microsoft Office, Adobe, and Symantec. When you use this tool, you will have both the product ID and the product key; the ID is important because it will tell you which version of the software is installed.

3: Hiren’s BootCD

Hiren’s BootCD is a one-stop-shop Linux boot disk that can help you pull off a number of small miracles. Its tools include Antivir, ClamWin, ComboFix, Clonedisk, Image for Windows, BIOS Cracker, 7-Zip, Bulk Rename, Mini Windows XP, CCleaner, and Notepad++, among others. This single bootable disk could easily be the only tool you need.

4: Microsoft Security Essentials

Microsoft Security Essentials is one of the better free antivirus tools available. Its tagline, “The anti-annoying, anti-expensive, anti-virus program,” is true. When the firm I work with was looking for a new free solution, we tested Microsoft Security Essentials against AVG Free and Avast Free and found Microsoft Security Essentials to be superior, less intrusive, and less resource intensive.

Note: Microsoft Security Essentials can be used for free for up to 10 PCs. Beyond that, you can purchase the business version, System Center Endpoint Protection.

5: WinDirStat

WinDirStat is the program you need when you must know what is taking up the space on a hard drive. When C drives begin to fill up, performance degrades rapidly. It’s essential to have a tool to help you discern what is gobbling up the precious space on a machine, and WinDirStat is the foremost app for getting this information quickly.

6: CCleaner

CCleaner gets rid of temporary files and Windows Registry problems faster than any other tool. When a machine is having problems, this is almost always the tool I use first. CCleaner also helps ensure privacy by getting rid of traces left behind (such as cookies) by Web browsers.

Note: It is legal to use CCleaner Free for business use. However, CCleaner Business Edition comes with a few more features (including one-click cleaning) than the free version.

7: Defraggler

Defraggler blows away the defragmenting application in all Windows operating systems. It’s faster, more reliable, and more flexible than the built-in tools. With Defraggler, you can defrag a single file or an entire drive. Defraggler supports NTFS and FAT32 systems.

8: 7-Zip

7-Zip is the best file archiver/compression tool (outside of Linux command-line tools). It’s open source and works on multiple platforms. Once you install it, you will find 7-Zip has Explorer support and a simple GUI tool that any level of user can manage.

9: SyncBack

SyncBack is a reliable, easy-to-use backup utility. No, you won’t be recovering from bare metal, but you can save your precious data. SyncBack can synchronize data to the same drive, a different drive or medium (CDRW, CompactFlash, etc.), an FTP server, a network, or a zip archive.

10: FileZilla

FileZilla reminds you that the cloud has not made FTP useless. There are plenty of reasons you might need FTP, so why not use one of the best and most cost effective FTP clients? And if you need an easy-to-use FTP server to slap up on your Windows machines, FileZilla has one.

Java Update Coming Tuesday

Oracle says Java Update Coming Tuesday!

Oracle is working on an update to address a flaw in its Java software.

The company says it will release a patch that will fix 86 vulnerabilities in Java 7 on Tuesday.

The Department of Homeland Security last week said computer users should disable the program in web browsers because hackers were using a zero-day vulnerability to attack computer systems. Criminals were using the flaw to stealthily install malware on the computers of users who visit compromised websites.

The problem, which affects Oracle Java 7 update 10 and earlier, can allow an untrusted Java applet to escalate its privileges, without requiring code signing.

 

 

Java, which is running on 850 million computers, is a computer language that lets programmers write software using just one set of codes for computers running Windows, Apple OS X and Linux. Internet browsers use it to access web content and computers and other devices use it to run a plethora of programs.

 

 

In fact, Java is so ubiquitous that the software has become a major bull’s-eye for hackers. Last year, Java overtook Adobe Reader as the most frequently attacked software, according to computer security firm Kaspersky Lab.

Mac users probably don’t have to worry because Apple already removed Java plug-ins from OS X browsers. Apple apparently learned a lesson last year when it took its time making a Java patch available and as a result more than 600,000 Macs were infected with malware.

Last February, Oracle released a fix for a targeted vulnerability identified as CVE-2012-0507 and included it in an update for the Windows version of Java. However, since Apple distributes a self-compiled version of Java for Macs, it ports Oracle’s patches to it according to its own schedule, which can be months behind the one for Java on Windows.

Mozilla also has blacklisted all current releases of Java.

Kill Your Java Plugin Now!

Java Plugin Security Information

Kill your java plugin as soon as possible.

A new Java zero-day security vulnerability is already being actively exploited to compromise PCs. The best way to defend against the attacks is to disable any Java browser plugins on your systems.

The offending bug is present in fully patched and up-to-date installations of the Java platform, now overseen by database giant Oracle, according to Jaime Blasco, head of labs at security tools firm AlienVault.

“The exploit is the same as the zero-day vulnerabilities we have been seeing in the past year in IE, Java and Flash,” Blasco stated.

“The hacker can virtually own your computer if you visit a malicious link thanks to this new vulnerability. At the moment, there is no patch for this vulnerability, so the only way to protect yourself is by disabling Java.”

The exploit targets Java 7 update 10 and prior versions. No fix is available and early indications suggest that exploitation is widespread. Brian Krebs reckons the exploit has found its way into crimeware toolkits, such as the Blackhole Exploit Kit, which will use the hole to infect victims with software nasties.

Java vulnerabilities were abused by the infamous Flashback Trojan, creating the first botnet on Mac OS X machines in the process last year. In the years before that, attacks on Java and Adobe applications have eclipsed browser bugs as hackers’ favourite way into a system.

In all but a limited number of cases Java support in web browsers is not mandatory for home users, unless required by a banking website or similar, so disabling plugins even as a temporary measure is a good idea. Businesses, on the other hand, that rely on Java for particular applications are not so fortunate.

While waiting for a patch from Oracle to plug the gaping hole, you can contact South Jersey Techies by emailing support@sjtechies.com to make sure your systems are protected.