Monday, November 25, 2013

Cryptolocker Virus Warning!



Recently there has been a dangerous new virus going around which poses significant risk to both personal and business computers alike. Cryptolocker, as it is commonly known, is a new virus variant which seeks to encrypt all useful files on a computer and then hold the user for ransom to unlock them. This virus preys upon users who click or preview an attachment in an email; typically disguised as a bill of lading from a shipping company. Once the attachment is opened or previewed, it will utilized a vulnerability in older versions of java to execute and encrypt not only the entire contents of the offending computer, but all files over a network which that computer has access to. The virus is difficult to detect and is sophisticated enough to evade capture by even modern anti-virus solutions. Worse yet, if you are infected, removal of the virus removes the encryption key needed to unlock your files, rendering all of your data completely useless.

Once a machine is infected, anything with the following file extensions will be encrypted (you will notice these are just about all useful files):
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

Recovery from such an attack is limited to 2 options. Pay the ransom (a dangerous idea by basically dealing with criminals) or restore from a backup. This emphasizes the importance of maintaining incremental backups on a regular basis. Even more insidious, unless the backups are themselves encrypted (a common feature available in business class backup solutions) or the backup system is separated from view of users on the network, then the backups themselves risk being encrypted.

Prevention, as most risks in the virus landscape, involves layers of preventative measures. The most important is awareness and common sense when handling email attachments. Only open attachments which you are clearly expecting to receive from an individual, and even better, contact the individual who sent the attachment to verify they sent one. Also, turn off any preview options within Outlook to prevent accidental selection of emails from automatically opening bad attachments. Organizations should review their business critical data, and ensure that access is limited to key individuals, rather than globally through group policy. The last thing you want is for a weekend book keeper to take down all of your data because they had access to more than just the accounting network share. Users should be compartmentalized to access only what is necessary to perform their job function. Finally… backup, backup, backup, backup. It cannot be stressed enough that maintaining good, encrypted, incremental backups on a regular basis is not just a good idea, but critical for any business.


Or contact your account manager for network assessment.


Chris Bodenhamer
Sierra Computer Group Dispatch

Monday, November 11, 2013

Clouds Are Made of Vapor



There's been lots of discussion regarding cloud versus closet reliability.  I recall years ago when Microsoft ran a campaign about five "9"s referring to the reliability of cloud solutions.  Despite a few remarkable exceptions, the last few years have quieted these claims by Microsoft, Google and even Apple.  The web does fail.  And in lots of different ways.

Here's an interesting example:

How Box.com allowed a complete stranger to delete all my files

As you can see, even when all the hardware and all of the software work fine, there's still the human element.

The best advice is still to keep your content close, or in the closet.  This solution will give you better control, performance and flexibility.  And if you back it up to the cloud...

Do it at least twice.

Wednesday, April 24, 2013

Rotate Your Second Display

Have you noticed how web content and computer displays are pointed in different directions?

If you open almost any webpage on a laptop or desktop computer you'll see blank white bands along the sides.  Even worse, you won't see much vertical depth of content.  This is because most documents and web content scroll vertically; yet most displays are presented horizontally.  And the sites that ARE formatted horizontally, are so wide they are difficult to read.

Why is this?  It's because of the movies.

Since movie and TV's 1080P format with their 16 by 9 aspect ratio is now the sweet spot in volume display manufacturing, we have this strange situation where computer content does match the display presentation.

This is why you see people rotating their phones and tablets so often.  Unfortunately with a laptop or desktop computers it's a bit more clumsy to rotate the display.  But the very factor that has cause the problem (volume price point), provides a reasonable solution - buy a second monitor and turn it vertical.


This is actually easier than you might think.  There are lots of optional vertical monitor stands, and most computers (including laptops) already have a second video port.  So get a second display, turn it sideways, configure Windows screen settings and poof!  The problem is solved.

Give it a try.  It's like having a whole new second computer - and one that actually fits your work.

Wednesday, March 27, 2013

Windows XP End of Life


On April 8, 2014, Windows XP will have reached its end of life.

What does this really mean for you? Well for one, there will be no more support from Microsoft. You may be able to find a technical article on your problem, but Microsoft will no longer field phone calls, answer e-mails, or respond to forums regarding Windows XP.

Microsoft will also discontinue supplying security patches via Windows Update to PCs running Windows XP. This also means if a hacker or virus writer finds a new hole in Windows XP, Microsoft will not fix it, leaving your PC vulnerable to attack. Even if you were to clean the infection, the attack could continue as you would not be able to block it from happening again.

For those of you with a Point of Sale or other payment systems running on Windows XP after April 8, 2014, you will no longer be PCI compliant, which may create a legal liability.

Now I am sure some of you are thinking that your home PC running Windows XP won't be a problem. Think again. As application compatibility for Windows XP disappears, you will have problems. What happens when your bank requires that you use Internet Explorer 9 to access you bank account? Windows XP only supports Internet Explorer 8 and older. You will not be able to install Internet Explorer 9. How about that new version of Office 2013? It's not compatible with Windows XP. As you can see Microsoft as well as other software developers will have moved on from Windows XP. You will be left to only run old software.

 If you haven't already done so now is the time to start planning an exit strategy for Windows XP.


Wednesday, February 6, 2013

Secure Mobile Communications

Rod Coleman

It seems mobile technology security has been fighting a losing battle lately.  This development could have a significant positive impact on tech privacy.

The explanation:

The Threat of Silence

The solution:

Silent Circle

If you give it a try, post your experience here in comments:


Friday, December 21, 2012

What about Windows 8?

Microsoft has released the next version of their operating system, Windows 8, and chances are the next PC you purchase will be running it. What does this mean for most users?  There are a few key differences, mostly dealing with the user interface. Let's review a few of the big ones.

















The Start Screen
Instead of the traditional list of settings and programs that popped up when the Windows logo in the bottom left corner of the screen was clicked, the Start Menu is now a full-screen experience known as the Start Screen. Microsoft has gone away from a list of programs and created a screen full of "tiles" that scrolls left and right. Each tile can be a link to launch a program or can contain live content like weather, social network updates, or news headlines. This is very similar to the new Windows Phone interface.

The Start Screen can be accessed at any time by pressing the Windows key on your keyboard. If you are already on the Start Screen, the Windows key will take you back to the last app you were in. To view the desktop, Press the Windows + D keys at the same time.

While on the Start screen, you can scroll through all the tiles by using the scroll wheel on your mouse, the scroll area of a touchpad, the arrow keys on the keyboard, or by swiping left and right on a touchscreen. One very nice feature of Windows 8 is the ability to start typing the name of a program. While on the Start Screen, just type the first few letters of the program you want, and a list will display of any matching programs.

Desktop Apps and Modern UI Apps.


Windows 8 comes in versions for PCs, Tablets (Windows RT), and Phones (Windows Phone). All share the Start Screen interface, also known as the Modern UI. The difference comes in what programs can be run. There are now two types of programs, or Apps, for Windows 8.

Modern UI Apps are full-screen and usually are designed to work with touchscreens. These are often comparable to apps on iOS or Android platforms. Many popular apps are available, such as Pandora, Evernote, Netflix, and of course Angry Birds. These apps will run on PCs, tablets, and phones.

Desktop Apps includes traditional programs like QuickBooks, Photoshop, or Autocad. These will only run on the full PC version of Windows. (Note: Some tablets run the full PC Windows 8, and some run Windows 8 RT.)

Some programs have both Modern UI and Desktop versions. For example, the Microsoft Office suite of programs come in both varieties.

Settings

Since the traditional Start Menu is gone, how you access PC settings, log on and off, and shutdown your computer is a bit different. For any of these tasks, you will move the mouse to the bottom right corner of the screen (or swipe in from the right on a touchscreen). This will bring up a menu that lets you search, access settings and see connected devices. Once you click Settings, you will be able to connect and disconnect from networks, shutdown or restart your computer, personalize your computer, and access the Control Panel.

To log off or switch users, go to the Start Screen and click on your name in the top right corner. This will give you options to lock or log out of your computer.


The Big Picture

One big question that is floating around is "Do I have to have a touchscreen?". The answer is no. Everything still works just fine with a mouse and keyboard. However the touchscreen interface will seem much more natural to some people, and will likely become a bigger part of how we use computers.

Beyond these interface changes, most of Windows is still similar to the versions that have been around for years. Most desktop app programs will still look and feel exactly the same, and things such as printers and cameras will still work as they always have. Microsoft has made many improvements behind the scenes with performance and stability, making Windows 8 a very robust operating system. Things like anti-virus protection are now built in (though you can still choose to use a third party application).

So go ahead and give Windows 8 a shot, chances are you'll get used to it within a few hours, and find many things easier to use. - Gary Micander


Tuesday, October 16, 2012

Smart Meters and Servers

You maybe have received a letter from Nevada Energy informing you that they will be installing a Smart Meter on your premise soon.

During the install of your new Smart Meter, NV Energy will cut your buildings power for up to 15 minutes.

There may be a major problem with a 15 Minute interruption in power.

Most battery backup systems are installed with the intention of surviving a brief (less then 5 Minute) power outage that is typical of weather related phenomena.
Many battery backup systems will not hold your computer system up for the 15 minutes required.

Letting your system go down unexpectedly can mean lost productivity, data corruption, or a major outage costing your business hundreds or thousands of dollars in downtime and repair expenses.

Being prepared is as simple as knowing systems passwords, and how to properly shutdown your business computer systems, and then how to properly turn your network back on. If you have any questions about shutting your systems down please don't hesitate to contact our dispatch team:

(dispatch@sierracomputergroup.com or 322-6455)

If Nevada Energy should show up at your Office and request to install the power meter. Ask them for 20 minutes so that you can properly shutdown your business computer systems.

A General guideline for shutting your systems down is listed below:

1. First, have all users save all data and shutdown their workstations normally. Have users turn off their battery backup systems; this will avoid the incessant beeping generated by these units when they lose power.

2. Next, shutdown your server(s)

3. Finally, turn off printers, scanners and copiers, networking equipment (routers, switches, etc.) and any battery backup units hooked up to your server(s) and networking equipment.

When NV Energy says they are done, power up in the reverse order, waiting at least 2-3 minutes between steps.

1. Start with turning on printers, networking equipment (routers, switches, etc.) and any battery backup units hooked up to your server(s) and networking equipment.

2. Next power on your server.

3. Making sure to wait 2-3 minutes and have users begin by turning their battery backup units on (if so equipped) and finally turn their computers back on.

This procedure may save you time and money.

Let us know if we can help.

Thursday, May 17, 2012

Why you need a fast(er) Internet connection.



Everyone is familiar with high-speed internet, or broadband as it’s sometimes called, and almost every business has some form of it. Often, people will say “I have DSL, why would I need anything faster?”, or “Why should I pay $150/month for internet, we don’t need to pay that much just to surf the web.” All high-speed internet connections are not created equal however. A basic DSL connection may be somewhere around the 1.5Mbit download/.75Mbit upload speed, while a VDSL, cable or fiber internet connection can be upwards of 30Mbit download/5Mbit upload. This speed difference can have a huge impact on how long it takes to perform a task online.

Most people would likely say the internet has two main purposes – seeking web content and processing email, but more and more it's used for actual business operation. Plus, there are other things going on in the background that may not be obvious. One of the most critical uses for an internet connection is to receive updates for computer operating systems, software packages, and anti-virus programs.

In today’s computing environment, it is critical to run updated antivirus software and install security updates to the computer operating system and software running on it. These updates are often fairly large files, and can be released frequently. Having a faster internet connection ensures that updates are downloaded and installed in a timely manner.

While web browsing and email may seem like a simple thing, it is important to consider employee productivity. Many businesses use the internet for a large portion of their day to day operations, whether doing research online, ordering product, or simply sending and receiving email. These small tasks can add up to a significant part of an employee’s day.

For example, placing an order for products from an office supply store on a 1.5Mbit connection may take three or four times longer than it would take on a 10Mbit connection just due to waiting for webpages to load. This may only be a savings of 1-2 minutes, but consider all the tasks that are similar to this, and how often they occur.

As more and more companies work with digital copies of documents, architectural drawings, photos, and videos, the size of email attachments and downloaded files have grown drastically. A typical drawing file from a program like AutoCAD can easily run into the dozens or hundreds of megabytes. A 50 megabyte file would take 5 minutes to download on a 1.5Mbit connection, versus 40 seconds on a 10Mbit connection. Imagine downloading dozens of such files every day, and it becomes immediately apparent where time can be saved.

Other reasons to have higher speed internet that I haven’t covered include remote user access, website hosting, email server hosting, streaming video/audio, and many others. In my opinion, no business today should be running on less than a 5Mbit connection. If hosting any sort of server on-premises (email for example), or using streaming media, that number goes up to 20Mbit down/2-3Mbit up.

Often, the cost difference between a basic 1.5Mbit connection and 10Mbit connection is less than $60/month. And since you and your employee's time is your most valuable resource, it's important that you make the most of it. So ask yourself, how much time do you waste waiting for your computer to give you what you want?

Tuesday, March 27, 2012

The Significance of the Samsung Note


Like much in the history of human affairs, technical advancement does not generally happen in smooth progression. It moves in fits and starts, and smart-phone technology has been on a tear for the last few years.

Palm was the first true smart-phone with a library of independent apps, but it was the iPhone that first found broad acceptance of the general public. Apple seems to have a way with tech fashion, even if they aren't always the first to market.  Or the best.

The next major fit of development was the Android family.  Motorola Droid offered the first significant competition to the iPhone.  HTC improved performance and over this last year Samsung has come to lead Android technology with it's large displays, yet light weight.

We now have the Samsung Galaxy Note as it's latest example, but is it a true advancement of technology?  Yep.  I'll compare it to my Droid which is what I know best.  The Samsung Note has:

100% more screen area.
50% taller
67% wider
250% more pixels
255% faster clock
80% more battery
60% more pixels in its camera
Plus a front camera
4G surfing and movies
4 times the RAM
16 times the ROM
Effective pen interface

So what's not to like?  Well, it is 8 grams heavier but that's too small to notice.  The Samsung Note also has no hard keyboard, but surprisingly, the screen is so large, I'm faster (and more accurate) on its soft keyboard than the Droid hard keyboard.  The Samsung Note is better in every way than the standard Droid and even better in most ways than the latest iPhone.  End of story?  No quite.

Surprisingly, the Note's best feature (the screen) is also the critic's biggest complaint, which is what this post is really about.  The Note is being panned as a "phablet" because of it's large screen. The logic is, it's too big to hold up to your face, and yet too small to compete as a tablet.  Here's an example review:

By: Jonathan S. Geller - Feb 13th, 2012 at 03:45PM

"The Galaxy Note essentially has everything you’d want in a smartphone: a great dual-core processor, a solid camera, a beautiful display and good build quality, and it runs on ATT’s new 4G LTE network that delivers incredibly fast downloads speeds. Plus the battery seems actually decent so far, which is a triumph for modern smart-phones.

Throw all of that right out the window.

The phone is too big. You will look stupid talking on it, people will laugh at you, and you’ll be unhappy if you buy it. I really can’t get around this, unfortunately, because Samsung pushed things way too far this time."

And it wasn't just Jonathan.  Here's what Zach at BGR had to say:

Samsung Galaxy Note review: The smartphone that ‘Samsunged’ Samsung
By: Zach Epstein | Feb 22nd, 2012 at 12:01PM


"Holding this beast to your face while on a phone call in public will result in awkward stares. Not “maybe” or “might,” but “will.” It just looks silly."

One more - PC World's review:

"For most, the Note will be too big for a phone, but too small for a tablet. Rather, it’s an awkward in-between device, and will only appeal to a niche consumer base. "

I'm here to tell you, PC World and all the rest are dead WRONG.  The Note will NOT be limited to a niche.  It has hit the sweet spot in size and will become the new standard in smart-phone technology.  Here's how I know.

There's not much to which I can easily lay claim, but I am an original and authentic geek. I'm been interested in computers since the smallest ones filled up a room, which was long before they became personal.  It was much later that the first thing that could be considered personal technology was introduced, and it was a calculator.

If you think the lines are long for gadgets now, you should have been around in 1972 when HP introduced the original HP35 calculator.  It sold for $395 which was over $2000 in today dollars, but you couldn't buy it at any price (no eBay back then).  After placing only two full-page magazine ads, the original HP35 calculator was back-ordered for more than six months!

This backlog was because the HP35 was SUCH a major advancement  in technology, it is hard to imagine even in today's new gadget world.  The closest competition to the HP35 sat on a desk, weighed 25 pounds and cost more than $10,000 (or $50,000 in today dollars).

In contrast, the HP35 was designed to fit into William Hewlett's shirt pocket, which is the key to the issue at hand.

Even though back-ordered from their own distribution, I discovered from a friend at HP that I could buy their calculator at HP headquarters.  This outlet was for employees, but he said they weren't checking IDs.  I immediately flew my plane to Palo Alto, walked up to the front counter and bought two (an extra one for my cousin).

It's been that way my whole life. I watch a given technology then buy the latest and greatest when it's introduced; not because it's a fashion, but because it's significantly better in some technical way. I bought the very first Palm Pilot when it was released. I generally hold off upgrading until there is significant advancement. At their introduction I bought the first color Palm PHONE (also from Samsung), then the Palm Treo and Palm Centro in turn.

Just over two years ago I ended a long-term relationship with Palm and bought the original Droid on the day of it's introduction. I considered the iPhone but the first version wouldn't even copy, cut and paste text which I can't live without.  Android has been amazing though there are still things the old Palm did that the Droid can not yet touch. But that's another blog post.

So why am I leaving the Droid behind so quickly? The usual reasons - significant advancement in technology which are listed above, but most importantly because of the size of the screen.  All of that visual real estate is wonderful.  For years now I've known the  the original HP-35 hit a sweet spot in physical size and weight.  It was as big as possible without being too big to fit in a shirt pocket.

As it turns out the Samsung Note is almost the same size and weight as that original HP-35. I've been carrying the Note in my shirt pocket the last few weeks and it feels just like the HP35 I carried from years back. So according to the reviewers, the only problem is how silly we look if we hold it up to our head, which is my second point - a true geek is like the Honey Badger - he doesn't give a shit.

And that's how I know I'm authentic: I don't understand why it looks weird to hold a Samsung Note up to your head.  Why does it matter?  It's what it DOES that counts.  I for one believe it's the ultimate geek-cred.  And who's says Bill Hewlett wouldn't have looked cool talking on his new calculator, if there had been some cell towers around?

Who wants to bet the next iPhone is not bigger?

And that in three years the Samsung Note will be the standard size for a phone?

And then it will be cool.

Email your wager.

Rod Coleman
General Manager
Sierra Computer Group

Tuesday, February 21, 2012

Local Server or Cloud?

Local Server or Cloud?


There is a lot of talk lately about “cloud computing” and moving “Line of Business” applications to the cloud. Simply put this means using a web browser to access your applications hosted on a server somewhere on the Internet. There are several advantages for using cloud computing and many disadvantages. The best analogy I can use is that using cloud services can be like renting a house versus buying one. If you’re in it for the long haul, owning the house might me the way to go. If there is uncertainty about the future, or if a landlord is offering rent cheap – as many cloud providers are – then it might be worth renting for a while. It may make sense to have a hybrid approach. For example use email or spam filtering located in the cloud, but retain accounting and customer data locally.



Advantages of the Cloud

1. No cash up front required to buy a server, applications, and operating system. Only a monthly fee where you “pay for what you use” –often this is per seat (per employee).

2. You and your employees can access the server from any Internet connected location. This can provide a built-in disaster recovery plan because if your office location loses Internet, you can still access the cloud through alternate channels.

3. Software is kept up to date automatically.

4. More predictable IT support costs, no surprise server outages etc.

5. It’s possible to use lower costs dumb terminals locally if no line of business applications that require PCs are needed.



Disadvantages of the Cloud

1. Speed. No matter what the vendor claims, it seems cloud apps are never as fast as local. Possible cost savings will be eaten up by reduced employee productivity that often can’t even be measured.

2. Another big concern involves getting locked into a cloud vendor and having your data held hostage. Moving to another provider might mean significant conversion issues.

3. Spurious shut down. If a monthly bill is overlooked or a clerical error occurs, your entire business can be shut down for days while you straighten it out. This is a particular problem with “big” vendors with automated tech support where it’s hard to reach a human.

4. The reliability of cloud vendors has sometimes been over stated. They often claim 99.9xx % uptime, but in the last two years many high profile companies have had outages including Google and Microsoft.

5. Many people are worried about security and privacy of their data.

6. Cost Savings are often imaginary. What initially seems like a low, low monthly fee really adds up when you multiply it by the number of employees times 36 months. I suggest using 36 to 48 months to make cost comparisons because that’s often quoted as the lifetime of server equipment. For example, if you bought a brand new server with a Windows server OS today, you could expect to use it for the next 3 to 4 years.

7. Free or low cost services often omit critical functionality. The soft cost of having employees not being able to install apps as needed can bleed dollars from the organization.



Advantages of a Local Server

1. You can create order from chaos. By centralizing data on a server, you can better manage business-critical information. Sharing files and other data across PCs becomes much easier, as does migrating data from one PC to another. Older PCs can get new life if their files and data are off-loaded onto a server.

2. You can protect your data by making backups easier. Windows Small Business Server 2011 enables users to protect their data by simplifying backups and the restoration of critical data.

3. You can collaborate better as a business. Not only is data sharing easier with a server-based network, but Windows Small Business Server 2011 comes with Windows SharePoint Services, which is software that enables your employees and other team members to collaborate via the Web. With SharePoint, you get a company intranet with a user-friendly interface to organize and share information.

4. You can accommodate a mobile work force. Servers enable out-of-office workers to have remote access to your network, enabling data sharing among those who travel, telecommute or work off-site.

5. You can share high-speed broadband access. High-speed Internet access across a network from a single ISP account.

6. You can set up new computers, add users and deploy new applications more quickly and easily. Expect to grow? You can better co-ordinate the addition of new PCs amd software. You can also better manage firewalls and monitor threats to your data, and more easily deploy virus protection.

7. You can get more processing power. A server can supercharge your network, storing chunks of data, freeing up memory and enabling PCs to perform better. Small businesses today need that additional processing power to manage Web sites, do e-mail newsletters, and use sophisticated software.

8. You will look more professional — and connect better with your customers. Microsoft Small Business Server enables you to consolidate your e-mail accounts (AOL, Yahoo!, Hotmail, etc.) into a single e-mail account, enhancing your image to customers. A server can make a lot of businesses look bigger than they are.

In conclusion, small start-ups that may need flexibility yet have simple requirements are a good fit for the cloud.  But if have more complex requirements or sensitive customer data or performance needs, keep your server in your closet.

Friday, December 30, 2011

Creating Passwords Using Seed Mapping

Rod Coleman

Passwords are a pain.

Security requirements are becoming more complex just as we need more passwords for new apps, challenging our ability to remember them all.

Here are the requirements for a reasonably secure password:
1. Contain at least 8 characters.
2. Contain upper case letters.
3. Contain lower case letters.
4. Contain numbers.
5. Contain special characters.
6. Appear to be random.
7. Be different for each application.

And...
8. Be easy to remember. 
  
Unfortunately the first seven requirements make the last almost impossible.  Many just give up and use personal information or typical words which are easily cracked.  Yes, there are software tools to help out, but they mostly add cost, complexity and management.

Fortunately there's a simple trick I've been using for years, and it's good enough to stop the average hacker.  Plus, it costs nothing at all to use.  The trick is, don't REMEMBER your passwords - DERIVE them.  Here's a simple example using a two phase algorithm - seed selection, and keyboard mapping.  It will pseudo-randomize any password.

Start with a seed that's in front of you as you log on to the site, for instance Microsoft.  A simple seed would be the first four letters "micr".  There.  You're halfway done.

Now simply expand this seed onto the keyboard in a visually consistent way.  Let's use the two keys above the seed key for this example.  "m" becomes "Ju", "i" becomes "8*", "c" becomes "de" and "r" becomes "4$" yielding the password - "Ju8*de4$".  No, don't try to memorize this mess, just watch your fingers as they move.  

See the pattern?  The visual pattern is the trick.  This password meets the all the standard criteria, yet you don't have to memorize it - just look at the name, then map it visually with your personal method.

Notice I capitalized the first character and had to shift to get the "*" and "$" because I ran out of room moving up the keyboard.  That's one way of including special characters and caps.  If you don't want special characters, wrap to the bottom of the keyboard instead.

The beauty is, memory was not a factor.  It's simply visual.  It's best to not even think about what keys you're hitting - just hit the two above your seed character.  I honestly have no idea what my passwords are, I just know the pattern that produces them.

It's easy once you define a method.  For the above approach:
Gmail would produce "T5juq18*"
Yahoo would produce "6^q1y69("
FaceBook would produce "R4q1de3#"

Again, no memorizing.  OK, go ahead and use my example method if you like.  It's better than using your dog's name.  And you won't need to read any further.  But remember you'll have the same passwords as every other person who happens to read this blog and goes to the same sites you do.

Or...  You can quickly customize.

Just invent your own method (algorithm).  There are literally millions of ways of doing it.  Here are a few aspects to keep in mind while you think about it:

First, the seed - it should be at least four characters which will produce nearly a half a million unique passwords.  Two characters will only create 676 unique passwords - not enough.  A three character seed is on the border.  And I don't suggest using more than a seven character seed because you'll either be creating very long passwords, or have poor distribution in the mapping phase as described below.  

Since the objective here is to leave the mob behind, it might be best if you mix up your seed a bit.  How about a backward flip - "iamg" for Gmail.  Or better yet, replace the "g" with your dog's middle initial.  Or yours.  It doesn't matter much as long as it's an easy method to remember.  Personalizing with an initial or two will also make your passwords different from most others who visit your sites.  After all, Microsoft or Hotmail will be a common starting point for many.

How about taking every other letter then step back? Gmail could become "gami".  Or ignore the first letter and get "mial".  You get the idea, there are a lot of ways of doing this - make yours unique.  I've only discussed a couple of aspects of seed generation as examples.  It's best to come up with something I haven't even talked about.  Just be consistent so your method is easy to use.

Now as to the keyboard mapping phase.  Our first example was OK, but did you notice how "q1" occurred three times in the last three examples?  That's because each seed contained the letter "a", which is a common letter.  Also these simple examples only have a fair distribution over the key-map.  To produce a good pseudo-random number you need a good distribution across the random field.  The keyboard itself makes for a decent random field, as long as you span it well.  For instance, "mmiiccrr" for Microsoft stays close to (and IS) your seed.  That's poor distribution.

In contrast, an expansion of three or four going up will always capture a number, and often a special character.  Or if you go down instead, then wrap back up, it's almost as good (but no special characters).  Three up will get a number two thirds of the time, and a special character one third of the time.  See how you can control how many and what types of characters are likely to end up in your password?

There are obviously lots of ways of getting similarly distributed results.  Go up for the first seed character, down for the second, capitalize the third and shift the forth to possibly add a special character.  Or expand the first seed character once, the second twice, the third three times, etc.  You choose - that's the beauty.  No one but you knows your method.

Or ignore the first character, right one and three up.  Or one up, two left.  Or skip a couple.  The objective of distribution is to break up patterns of common letters (a, i, e) by applying different directions to different seed letters. This key map phase is where you can really express your unique nature.  Try diagonals.  Or leaps. There is no right or wrong method, just some are better than others.  Scramble your seed.  Scramble your map.  But in a way that's visual to you.

One challenge you'll face are sites that require you to change passwords every few months.  An easy (if less secure) solution is simply to add a number starting with 1 to the end (or beginning).  Increment the number each time you have to change passwords.  In a few tries you'll get it, and have plenty of time before you have to use 1 again.  Or add the last digit of the year to your seed and shift it after June 30th.  Do what works for you.

It's a good idea to have a  backup method for when you encounter other conflicts (such as some sites not allowing special characters).  If your password doesn't work, try your simpler method B.

Also, don't use your method for any password you have to share with anyone else, or they might guess your trick and put all your other passwords at risk.  This is another good reason for a more simple method B or C for shared passwords.

Finally, don't make your method TOO complex.  There's a point of diminishing return.  Other capture or social cracking will make a "perfect" method irrelevant anyway.  Video cameras are common and getting smaller, so even a perfect password can be stolen.  If you're still concerned, add Iris Scan and go multi-factor.  But for most, pseudo-random is good enough.  And FAR better than your dog's name.

By the way, Seed Mapping is just one approach that happens to give a fairly good result.  There are many other methods.  Be creative.

Now go change all your passwords so you can burn that cheat-sheet in your desk drawer.

And let me know how Seed Mapping works for you.

Rod Coleman
General Manager
Sierra Computer Group


Tuesday, December 13, 2011

Zero Access Infection


Recently I encountered a threat that infected a client's computer.    The Client noticed that their Antivirus Program intervened and requested a reboot of the computer to finish the remediation.   Upon Rebooting the user was unable to log on.   Worse yet she had no mouse or keyboard.    Fearing the worst the user pushed the power button to shut down the computer; which responded normally and gracefully shutdown the computer.    Next she tried to get into Safe Mode by pressing f8.   Windows booted into safe mode but again no keyboard or mouse inputs it seemed.

I was able to verify the customers complaint.   Only I noted that system was still alive and I was able to PING it, which to me meant that it was still working.  I remotely accessed the machines registry and enabled remote access to the machine.    When attempting to connect remotely I discovered I did not have the local administrators account password.    After rebooting the computer with a bootable Password Recovery CD I recovered the four letter local administrator password in only 9 seconds.  

Using the recovered password I was able to remotely connect to the computer and was able to determine that the installed and updated Antivirus Software had clobbered the Windows XP PS/2 Driver (i8042prt.sys) used for both PS/2 keyboard and PS/2 Mouse Input.  

I booted from the Windows XP CD and using the repair console manually replaced the i8042prt.sys driver, however I was still unable to have the system use a PS/2 Keyboard or Mouse.    I found an unused USB Keyboard and began to work on the system running some additional virus removal tools.    One of the tools had identified an infection known as Zero Access.    After the tool completed the removal steps the system still did not work with the PS/2 Keyboard and Mouse but did work with the USB Keyboard.

I decided to run a repair install of windows to correct the issue.   The repair install soon reached the point in the setup process where it booted from the hard drive, and disturbingly again I had no PS/2 Mouse and no PS/2 keyboard access.    After a little research  and on a hunch, I aborted the repair install (knowing that it would resume upon reboot) and tried a decidedly different tactic.  

Most of the variants of the Zero Access Rootkit will infect the Master Boot Record of the hard drive which causes the machine to load part of the rootkit while the machine is still vulnerable and unprotected from viruses.    I booted the Windows Recovery Console from the CD and had windows replace the MBR and Boot Sector.

Next I crossed my fingers let windows reboot.  Next Windows setup continued the repair install and voila I now had access via the PS/2 Keyboard and PS/2 Mouse again and the Machine was fully remediated.

The Client was upset that the anti-virus program had disabled their computer, when they should have realized this was a fortunate circuit breaker.  Their real concern should have been that their system and all their activity was almost exposed to some unknown source.    Without the anti-virus program disabling this computer, every single input to the computer would be collected and redirected...and probably not for the forces of good.

Remain vigilant.



Dave Hendricks
System Engineer
Sierra Computer Group

Thursday, October 27, 2011

Big Brother or Big Sister? - Improving Employee Productivity

Improving employee productivity

The internet can be a big employee time waster.  About once or twice a month I get a call from a business owner asking how they can either monitor their employee’s computer usage or prevent them from wasting time on various web sites.  Monitoring and content filtering software are available to do this, but using these solutions should be weighed against your corporate culture.  The costs and benefits of monitoring and managing internet access can be huge, but the problem can also be managed using a human approach, by doing a combination of coaching and leading.  I call content management software the Big Brother approach after the quote “Big brother is watching you” from George Orwell’s book 1984.  Many small business owners like the idea of being able to view their employee’s desktop, but it can lead to employee resentment and lost productivity when implemented without their buy-in.  An alternative is the “Big Sister” approach, which means creating a culture of trust by sitting down with employees and educating them about the conditions or time frames they’re free to use the internet for personal things.  The big sister approach can work well for small groups of professionals. Either way, you should also have a written “acceptable use policy” to cover inappropriate computer use for things like porn and sending jokes that are sexist, racist or could be misinterpreted.  The big brother approach is often needed for schools, large organizations, or those subject to regulatory restrictions like HIPAA.  Big brother is also needed for anyone with a serious need to protect corporate assets.

One of the solutions we use when employee monitoring is needed is Spector 360, a software package that is purchased for about $115 “per seat”.  Multiply this by the number of employees, and figure about an hour of labor per workstation to get the software set up and you’ll have a good idea of the cost.  The software can be installed in stealth mode, providing complete transparency to the user, who is unaware that is on his machine.  This is legal given the machines are owned by the business, but we recommend having employees sign an acceptable use document that states that monitoring may be done. This investment will pay for itself by allowing the manager to centrally monitor and even manage computer use from his desk.  Regular or periodic screen shots can be taken of the employee’s screens, allowing for a security camera Digital Video Recorder (DVR) type playback. Logs can be created and reports produced to answer questions like which employees spend the most time surfing web sites, which is spending time on what sites, who uses chat or anonymous email, and much more.  Other, less expensive packages are also available to install on “problem” machines on a case by case basis.  Tools like this can significantly increase productivity, allow investigation into violations of acceptable use policies, and protect against data theft (studies show 1 in 5 employees will print or copy company data in the days leading up to their resignation).   In one High School the software was configured to create and email reports automatically any time inappropriate words were used.  This included, for example, swear words inside .doc files or in any software on 700 desktops across the school.  Administrators were able to discipline students and word got around, greatly reducing problems.

Content filtering is another class of productivity tool.  Filters will limit access to websites to those needed for business.  We often implement this using a SonicWall router but many other products are available depending on the needs of the client.  The content filter allows us to either create a whitelist of sites that are OK to use, or blacklist specific sites that aren’t.  While effective, this technique sometimes produces employee frustration when they have previously had free access.  In some cases a new site is needed for legitimate business use and yet can’t be accessed until someone with the password has added it to the white list.   The difficulties associated with aggressive filtering came to light when I implemented it in my own house to protect our children.  My teenage daughter came to me complaining that she couldn’t access her favorite swimsuit shopping site.  This shopping site was lumped into one of the unacceptable use categories, probably because of the pictures of scantily clad swimsuit models.  I found myself slowly white listing sites, and then unblocking whole categories (ie shopping, photography etc).  After 6 months of frustration (for both me and the children) we ended up taking the “big sister” approach with our kids.  We basically said “OK if you go to bad places then we’re shutting the whole thing down”.  At least with the content filtering I was able to put a schedule that automatically shut down Internet usage at 10pm each night.  This helped reduce late nights of online gaming.

A third and incredibly important business productivity tool we use is the spam filter.  I’m constantly amazed at the number of small business owners who suffer silently with hundreds of spam messages each day.  Multiply the number of minutes you spend reading and deleting spam by how many employees you have and you realize that attempting to use the free spam filters (that don’t work or integrate with outlook well) are not cost effective.  Like anti-virus software, no spam filter is perfect, but along with regularly unsubscribing to unwanted newsletters, it can help control most of the volume.  Spam filters run about $2-$5 per person per month, but pay for themselves quickly.  The goal is to receive as little email as possible without false positives (which means rejecting customer email that you want to receive).

Each of these three productivity enhancement techniques (Monitoring, website blocking, and spam filtering) can help control wasted employee time.  To the list we should probably add workstation backup, anti-virus, and anti-spyware tools.  The average virus slows a machine down for weeks, causes  8-14 hours of actual down time, and costs another 4 hours for IT staff to fix.  The hard cost of these tools are arguably less than the soft costs associated with lost productivity.  Just make sure employees understand the reason for any changes in their access. 

Darren McBride is CEO of Sierra Computer Group, a Reno based IT and Network Consulting firm

Monday, October 3, 2011

Friday, September 23, 2011

A False Sense of Flight Security

The last 50 years has seen the emergence of passwords (or pass-numbers) to protect access to everything from your front door to your computer.  Cyberlore is has many examples of how poorly we apply this technology, and much of it's true.  There are so many ways these security systems can fail, many of which are social and have nothing to do with technology.  Stories of passwords left as default, written in convenient places and being based on common personal information are often true, and DO put the user at risk.  Even when you use a random password, there are social ways to fail.

Earlier this week in a meeting, I was logging into Windows as one of our techs was watching me type and noted, "At least you don't use a simple password".  He could tell that from my finger movements.  It's part of what our techs do for our clients, and it reminded me of something that happened years ago as I waited at an airport gate for my next flight.

It had been a long day and I was tired of reading.  I also happened to be facing the jet-way access door, but a little off to the side.  It was getting close to boarding time and a flight attendant walked up to the door.  Before she could enter she had to key in a pass-code on the five buttons of the door knob.  OK, I admit it - I was bored.  I couldn't help but notice the pattern of movement her fingers made just before she turned the knob and went through the door.

A few minutes later another attendant did the same thing, verifying the code for me, or at least the required finger movement.  I laughed to myself at how easy it had been to visually crack this important security system, but didn't realize what was to happen next.  I'm still laughing even today.  Here's why:

A couple of minutes later the pilot arrived (or co-pilot - at least he had a scrambled-egg hat).  Anyway, he keyed in his code.  I immediately noticed it was different and wondered if there were multiple valid codes.  But then the door didn't open.  He tried again - no luck.  I smiled to myself.  After a third time he swore quietly.  They had either changed the code, or he simply didn't remember it correctly.

You may have already figured out what happened next.  Yep.  I took pity on him, walked up, entered the code, letting him on the plane.  After all, I wanted to go home without delay.  The look on his face reflected the irony of the situation, but he didn't say anything.  I just smiled and sat back down.

The point is, your security can fail in many ways.  Keep an opened mind.  Cover as many bases as you can, but don't expect any technology to be perfect.  Just good enough.

Rod Coleman
General Manager
Sierra Computer Group

Tuesday, July 19, 2011

Tuesday, June 28, 2011

How Google's Panda Update Changed SEO Best Practices Forever

SEO is not just a moving target, it's a whole new ball game.  If you manage a website, this 11 minutes may be the best investment you make today.

Wistia


On the upside, our Google searches may begin to improve again.  It seems like the content farms have been winning lately.  If their theories are correct, we should see this Panda dance over the next few months.

How Google's Panda Update Changed SEO Best Practices Forever

Saturday, February 19, 2011

IPv6 Transition

IPv4 to IPv6

It's not likely to be critical for your installation today, but sooner or later it WILL be a factor in your IT plan.

Here is one of the best overview's I've seen on the topic so far:

Ask Ars:  How should my organization approach the IPv6 transition?


And if you think you can simply ignore the topic:

Why the IPv4 to IPv6 transition will be ugly


Let us know if you want help with an IPv6 transition plan.

Thursday, February 17, 2011

How Far Into the Cloud?

More and more technical services and applications are becoming available in the cloud.  But which ones are prudent to use for a small or medium size business?

Every technical solution has it's drawbacks.  Servers in the closet have to be maintained, backed up and refreshed, but they are physically and logically secure and usually the best choice for business critical applications.

But what about those web-apps that have broad public exposure?  Or the ones that need to scale in an instant? Are these not candidates for living in the cloud in some form?  In some cases, yes.  Here's an excellent article that can help you evaluate the alternatives:




The ABCs of virtual private servers, Part 1: Why go virtual?





Thursday, January 20, 2011

5 Signs Your Marketing is Outdated

Each business is different, but EVERY business should at the very least have a web page - it's like being in the Yellow Pages 20 years ago.

And if you have a web page, can you remember what it looks like?  Here's a link to a great review of web marketing practices by Robyn Freye:


5 Signs Your Marketing is Outdated