Business Security Information

If you have not already heard, in mid-January Internet Explorer was under attack by the same attack method that was used by the Chinese to break into Google’s network.  Since then, a number of security researchers, security companies ,and even some governments have recommended that computer users switch to other web browsers such as Firefox, Chrome, Opera and Safari.  Currently, it appears the attack code is mainly geared towards IE (Internet Explorer) 6 and possible IE 7 so businesses that are still using IE 6 should change to another web browser or at least upgrade to IE 8.

Well, we have had a good Thanksgiving meal, and most everyone has headed off to bed so it is now time for me to get down to writing this article.  Yesterday I received an e-mail from a friend stating she was out of the country visiting a friend that was ill.  Her friend was in need of surgery, and they were trying to recruit a surgeon from Israel and were in need of $2800 to pay for this necessary surgery.  First, I was suspicious that this was a fraudulent e-mail because I had just seen the person and knew that she had no plans of heading out of the country.  Secondly, the e-mail requested $2800 dollars which is a very small amount for a surgery, especially since the e-mail had an urgency about it leading the reader to believe that it may be a matter of life and death.  The return e-mail was also suspicious because the return address was a generic Yahoo e-mail address.

If you have not read my two articles on phishing, I would recommend that you do that before reading this article.

1. Do I need My Boat to Go Phishing?
2. VOIP Phishing Scam

A new twist on this scam has come out recently, and I wanted to make sure everyone was aware of it.  RSA Security, a security firm that provides businesses with a variety of consulting services and products, has discovered what they call “chat-in-the-middle” attack.  Like most phishing scams, the attacker uses a fake web page which is set up to look like a banking website.  They get people to go to the site by sending out e-mails which contain a link to the fake website.  The difference in this attack is that the website has live chat support so the attackers can interact with their victims.

A lot of today’s websites are dynamic, meaning they can deliver different content to a user depending on the user’s needs.  Dynamic content is achieved with the use of web applications.  This sounds great, but dynamic websites are open to an attack called cross-site scripting.  If you have been in business long and pay attention to the variety of security issues that you have to protect your business from, you probably have heard of this term before.  Cross-site scripting is a type of exploit where the attacker inserts or embeds malicious programming code into a web link which the attacker disguises so it appears that it is coming from a trusted source. 

In the security arena, an exploit means a program, procedure, or a technique used to take advantage of a security vulnerability or hole in a computer program or application.  Basically, it is a form of attack against a computer system which takes advantage of known weaknesses.

A special type of exploit called a Zero-Day Exploit is an attack method that takes advantage of an unknown weakness or a vulnerability that has just been announced before a patch for the weakness has been developed or distributed to users of the software program or application.

When Windows Vista was released and found to have problematic issues,  many businesses stayed with Windows XP Professional.  Now Windows 7 is about to be released.  Will businesses upgrade to Windows 7 when it is released or take the more cautious approach and wait till Windows 7 is out for some time before deciding to upgrade to the newer version of Windows?  I think that a lot of businesses will wait and see before deciding to upgrade.  Since so many businesses are still using Windows XP Professional and may wait to upgrade to Windows 7, I decided to go ahead and write this article on securing Windows XP desktops.

On this site I cover physical security, computer security and fraud (on and off-line) issues.  When I read a recent survey report from Panda Security regarding small and medium-sized businesses, it made me take a look at the number of articles I have written for each of those categories.  I found that I have written more articles covering computer security and fraud issues than I have physical security issues.

It is usually not the purpose of this blog to write about every type of virus or malware that is discovered–there are  plenty of websites out there that do a good job of that.  Sometimes, however, I do like to make note of malware that I feel can affect your business in a broad way.  I wrote about the conflicker worm back in May of this year for similar reasons.  Some of the security measures that I mention in both articles will help protect your business from a variety of malware, not just the ones noted in these two articles.

Secure Socket Layer (SSL) is used on the internet to encrypt connections to such sites as e-commerce and banking sites.  Most everyone has used and seen these sites.  They have the “https” at the beginning of the website URL along with a little padlock symbol that is usually found on the lower right hand side of your web browser.  If you click on the padlock icon, it will open up and give you information regarding the encryption method and the encryption certificate.  The purpose of SSL is to keep your information confidential while it is being transmitted over the internet from your browser to the website.

Many businesses today use social media sites as a marketing tool as well as to touch base with existing customers.  Some of the most popular social media sites include Twitter, Facebook, Linkedin, and Myspace.  Of course, there are others out there, and it seems like new ones are becoming available almost on a daily basis.  Do you ever think about what information you are providing others when you  use these sites?  A little information can go a long way.  For example, I read a story recently about a businessman who owned and operated a video-related business from his home and decided to go on vacation with his family.  He is a Twitter user and also has his own website for his business.  While on vacation, he sent Twitter messages out to his followers. When he returned home, he discovered that someone had burglarized his home and had stolen a lot of his video equipment.  An additional note:  he also had his own Flickr page where he had posted pictures of his computers, bicycles, his flat-screen television, and other related items.  It is not known for sure, but it is believed that the information that the businessman put on Twitter about being away from home and updates related to their vacation may have allowed the burglar to know when they would be returning home, and that the home was currently empty.