Archives for: March 2010
Microsoft issues important security patch for Internet Explorer
March 31st, 2010
Link: http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx
In response to the security flaws discovered and reported on March 9, 2010, as well as other cumulative fixes for nine other severe vulnerabilities, Microsoft has issued a critical security update for all supported versions of Internet Explorer. This includes IE 5, IE 6, IE 7 and IE 8. If you are using Internet Explorer, Centrend recommends that you make sure that you have run this important update.
[Cumulative Security Update for Internet Explorer (980182)]
As always, if you have any questions, please contact us for help!
- Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
508-347-9550 x135
Using passwords vs. data encryption
March 29th, 2010
Link: http://www.centrend.com
You probably have a long list of computer passwords: for starting up your PC, for accessing your bank account online, or perhaps for checking your e-mail. Passwords are an important barrier to accessing private, sensitive or proprietary information. An electronic password is much like a key in the physical world that unlocks a file cabinet. Whoever possesses the key to that cabinet will have unhindered access to its contents. But what are the situations where computer passwords are just not secure enough?
With the physical key and file cabinet, the concerns we have are that the key could be misplaced or stolen and fall into the wrong hands. It could be surreptitiously duplicated and distributed to unauthorized people. The lock on the cabinet itself can be tampered with or simply broken with brute force. All of these concerns are the same as what we have for computer passwords. All of these scenarios do occur, even with electronic data protected with passwords that are considered strong, and therefore not easily figured out.

Once access to the file cabinet has been achieved, all the information the key was protecting is exposed. But, what if there were a way, even if the lock were to be broken open, to make it so that the contents would be worthless? It would be great if the person who breaks into the file cabinet only finds a mass of unrecognizable shredded up paper. In effect, that is what encryption helps you achieve for your protected electronic data.
Encryption is nothing new, having been around since ancient Egyptian times in the form of non-standard hieroglyphs, a method of symbolic substitution for words and phrases. With encryption, there is a key which enables the data to be deciphered. Modern electronic encryption is capable of encoding data in such a way that it is rendered completely unrecognizable, and there are different levels of encryption available to suit the security demand. Encryption technology today also provides us with strong key methods that make unauthenticated use of keys impossible.
So, unlike password protection, an encrypted data file has been altered, so that the key is required not only to access it, but to make it readable as well. This is very important for data that rests on a portable device, such as a laptop computer or smart phone, and media such as CD-ROMs, or plug-in USB drives, because these devices and media can be easily lost or stolen. According to the Federal Trade Commission, 49% of all reported unauthorized data breaches were the result of lost laptops or other devices.
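The difference described above, as an added example that is not part of the original post: a password-gated file keeps the record as-is behind a password check, while an encrypted file holds only ciphertext. The file layouts, function names and sample record are constructed for illustration, and the HMAC-based cipher is a standard-library stand-in for a vetted cipher such as AES.

```python
import hashlib
import hmac
import os

# Constructed sample record; not real personal information.
RECORD = b"Name: Jane Sample; SSN: 000-00-0000; Account: 1234567890"
ITERATIONS = 200_000


def password_gate_store(password, data):
    """Password protection only: a salted hash guards access, data is stored as-is."""
    salt = os.urandom(16)
    check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + check + data


def password_gate_open(blob, password):
    salt, check, data = blob[:16], blob[16:48], blob[48:]
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if not hmac.compare_digest(attempt, check):
        raise PermissionError("wrong password")
    return data


def _keys(password, salt):
    """Derive separate encryption and integrity keys from the password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stdlib stand-in for AES)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypted_store(password, data):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, data)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def encrypted_open(blob, password):
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or modified file")
    return _keystream_xor(enc_key, nonce, ciphertext)


def readable_without_password(blob, fragment):
    """What the finder of a lost laptop or USB drive sees: the raw bytes on the media."""
    return fragment in blob


if __name__ == "__main__":
    gated = password_gate_store("correct horse battery", RECORD)
    sealed = encrypted_store("correct horse battery", RECORD)
    print("password-gated file leaks SSN:", readable_without_password(gated, b"000-00-0000"))
    print("encrypted file leaks SSN:    ", readable_without_password(sealed, b"000-00-0000"))
    print("decrypts with the key:       ", encrypted_open(sealed, "correct horse battery") == RECORD)
```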
For the protection of its residents, the Commonwealth of Massachusetts has now made it mandatory that portable devices and media are protected with data encryption technology, when personal information is present. Other requirements are that we safeguard and protect our passwords. The keys to the encrypted files, or any other protected files, still must be of adequate strength, kept safe and not duplicated, distributed or left out in the open. For most organizations, encryption technology is a matter of policy for the sensitive, personal or proprietary data that requires the greatest degree of protection.
- Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
508-347-9550 x135
Consumers Bring Their Own Technology to Work
March 22nd, 2010
Traditionally, the IT staff or outsourced IT provider of any small business has been in command and control of the technology choices that are developed for the business. Careful selection and implementation of hardware, software and critical business systems is paramount to maintaining security, business continuity and information protection. Today, however, consumers often have better, faster, or more productive technology than the average small business. This presents an interesting dilemma for the business entrenched in a tough economy, which can now trade the umbrella of control for increased productivity.
Consumer devices continually become available that would traditionally be handled by the IT experts. Devices that were once high-end and affordable only to businesses are now lower in cost, simpler to use, and owned by individual consumers. However, sometimes a little availability can be dangerous. The underlying reasons for not allowing a device onto your network may be lost in the anticipation of the increased productivity.
For example, a worker’s personal smart phone may give him the ability to answer e-mails on the run, while this technology may have been considered by the business decision-makers to be too risky or expensive to deploy company-wide. When making this decision about whether to relinquish control, the business leaders of the organization must consider the risk factors. Let’s say, for continuing the example, that the aforementioned business is a mortgage company, and the user of the smart phone receives confidential e-mail referencing the personal financial information of his customers. What is the risk if the smart phone were to be lost or stolen? Is the device handled with proper security methodology in order to prevent a data breach?
Personal laptop computers and netbooks are wildly popular, and more and more workers wish to use them for working on business projects, connecting with business services and checking and keeping e-mail, contacts and other data. Not all businesses can afford to issue netbooks to their staff. Some employees will go so far as to bring in and install their own wireless access points off the company network to use their own laptop computer. All of this presents security risks, not only for data protection, but for controlling access by outsiders to your business network.
Very common is the case of the home-worker. In years past, the office workstation was not only the most likely to provide the best productivity, it was the only workstation available that could run whatever business productivity software was in use at the time. However, today it’s not uncommon for a home computer to be newer and faster than the machine the worker has on his desktop in the office, and for him to have a business productivity suite, like Microsoft Office, that equals the one in the office.
Once the business has allowed its data to be taken off of its own network, all control is lost. Of course, technology is available to make remote workstations safer and more secure to a business. The deployment of Virtual Private Networks (VPN) has greatly increased over the years to accommodate the growing number of home workers. A VPN is a secure Internet connection to a remote location, where the remote user has access to the Local Area Network (LAN) as if they are right there in the same physical location. There are still issues of data use control that can’t be resolved even with a secure connection. The employee must be trusted.
Not all businesses are safeguarding personal information, and not all businesses need complete control over the devices used by the employees. The approach that many organizations could take is one that allows for opportunistic advantage. Embrace the idea that some of these devices may improve productivity, and then decidedly take control of their usage. Simply issue a list of approved devices to the employees. Before creating the list, examine the risk factors of the various hardware and software that workers wish to bring in to enhance their productivity and user experience. Does it pose a security risk? Will it jeopardize data integrity? Does it compromise any regulatory compliance guidelines? Only choose the devices or software that would be approved and could be controlled by your IT staff or provider.
Make the list of approved devices available to the employees, along with policies for registration and use. If you currently have devices in use in your organization that you are unsure about, consult an IT expert like Centrend.
- Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
508-347-9550 x135
New 0-Day Vulnerability found in Internet Explorer
March 19th, 2010
You will find out in the next couple days or so that a new vulnerability has been found in an Internet Explorer IEPEERS.DLL file that affects computers running every version of Internet Explorer except the latest Version 8.
If you visit a site that has been infected with the malicious code, your computer can be caused to crash (freeze requiring reboot but fail to restart) or a program of any nature can be downloaded and run on your computer.
Microsoft is testing patches right now and a fix will be available soon. Meanwhile, if you are running Internet Explorer 7 on any platform besides Windows 7, you are vulnerable.
Actions you could take:
1. Upgrade your Internet Explorer to Version 8x
2. Upgrade your computer to Windows 7
3. Browse very conservatively for the next couple days.
If you’re concerned about how to keep your computer up to date and whether you are computing as safely as you can be, please contact us for a free security audit of your environment.
-Paul
***
Paul LaFlamme
President & CEO
Centrend, Inc.
508-347-9550 x115
Why should we have centralized data?
March 17th, 2010
Link: http://www.centrend.com/erp_lessons.html
More often than not, in our experience, huge benefits are realized by the sharing of data. Keeping each team within an organization responsible for their own contribution to the data “warehouse” avoids conflict and problems between staff and systems. On the other hand, separate “silos” of information within an organization can lead to sudden issues that hinder decision-making.
For example, when operating under separate silos of data, an operations department may be compiling data all month long, and the accounting department is also, but at the end of the month, the two departments come up with conflicting reports. Had there been one central data location, such as an ERP system’s database, then both departments would be working harmoniously from the same data set, which would lead to appropriate corrective action throughout the month instead of reacting to it at the end of the month. It’s like steering your ship along the way, instead of waiting until you’re already at the wrong spot, when it’s already too late to make course corrections.
Find out more about ERP systems by attending one of the free web sessions presented by Paul LaFlamme.
- Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
508-347-9550 x135
That does NOT look like the UPS truck!
March 16th, 2010
A client called me the other morning, panicked. He opened a virus-infected email from someone that was disguised as a legitimate message from UPS. The message said something to the effect that there was a problem with the shipping address of his recent shipment and the details are in the attached file.
Coincidentally, he had just ordered something online earlier that very morning. He was in a hurry to get to a meeting when he saw the message come in, so hardly giving it a thought, he opened the message and infected his system.
While virus scanning and spyware prevention programs prevent many types of malicious code from running on your computer, when the user deliberately clicks and executes something it’s almost like a temporary override occurs. In an instant, your system is infected. One of the first things this particular bug did was disable his Antivirus program’s resident shield.
It’s the resident shield’s job to monitor system activity, quarantine infected files and stop bad code from running. With the resident shield down, the virus “invited in all its friends” and proceeded to make a mess of the system in a short time before he even realized he’d been had.
I’m pleased to report we were able to act quickly to clean out the virus, plus we took extra steps to help protect the computer even further. Separate malware protection, such as from Malwarebytes.org, and AVG Internet Security, which provides a local firewall in addition to virus scanning, are a couple of the strategies we use in higher-risk applications.
If you’re concerned about virus protection, spyware or security in general, contact Bill Bowman (Senior Technology Advisor) or me for a free System Vulnerability and Risk assessment of your computing environment.
-Paul
***
Paul LaFlamme
President & CEO
Centrend, Inc.
508-347-9550 x115
Is Tape Obsolete Yet?
March 9th, 2010
I was recently asked the question “Is Tape Backup Obsolete now?” by a client when we were discussing what kind of backup system to implement in their new file server. As a manager with a great deal of technology experience and having always used tape for backup, he was very surprised that I was not recommending tape as part of their server upgrade.
In larger enterprises, tape is still an effective technology for backing up large volumes of data where multiple versions of the same data need to be stored in different locations. Even this application, however, is somewhat obsoleted by NAS (Network Attached Storage) implementations that replicate volumes of data to different locations in real time or near real time. Still, it’s good to have this data offline and in generations of copies. Consider, for example, how a virus could infect ALL copies of the data if all the data is online at once. The NAS protects from site failures but not from malicious code.
The other concern with tape is that it wears out. Most larger enterprises know this and cycle the tapes frequently enough that they replace them before failure. SMBs (Small/Medium businesses) have less time and resources to pay attention to these types of things (if they aren’t already Centrend customers, that is). Unfortunately, sometimes when they need to restore data, the tape ends up looking like the one pictured at the right.
As an alternative to tape backup we are typically recommending online backup for offsite/disaster recovery purposes, while maintaining a local disk based backup for rapid recovery in the event of a total loss of disk. The benefits of this strategy are:
- Fully Automated - no tape rotation
- The cost of a tape backup system is a much larger investment. Tape drives are expensive and the media are expensive
- No risk of data corruption by virus (online encrypted backup is locked down)
- Disk restores are MUCH faster than even the fastest tape drives
- A hard drive based backup system lasts much longer than tape
- The server O/S can monitor the quality of the backup drive and notify when replacement is needed
Please contact me for a free assessment of your backup strategy and let us help you reduce costs and increase your peace of mind.
-Paul
***
Paul LaFlamme
President & CEO
Centrend, Inc.
508-347-9550 x115
The Y2.01k bug??
March 3rd, 2010
Those of you with Sony Playstation 3 (PS3) systems can now once again use your system. As I had reported in my blog post Monday morning, the Sony PS3 was bricked (when technology is rendered completely inoperable by a system crash or bug) by what Sony confirmed to be a leap year bug where at midnight on February 28, 2010 the system clock updated to February 29, 2010. Because 2010 is not a leap year, there should be no February 29th. This bug prevented users from using their PS3 system at all, even if they don’t use the system online.
The problem stems from a pre year-2000 based method of calculating valid leap years. There is a nice description of the problem if you CLICK HERE that is not too technical.
Some users of the PS3 are being extremely critical of Sony with statements such as “They should fire the programmers!” and “We should get free games for the inconvenience!” The users don’t realize that Sony did everything that can be expected of a responsible manufacturer in that situation: They quickly acknowledged the problem, they communicated when resolution was expected, they advised users what to do in the meantime, and ultimately delivered the solution within the promised time frame.
Though this bug happened in a gaming platform, there are some important lessons to be learned from it that apply to our business users:
- Even high tech devices (like the state of the art PS3) can be affected by Y2k glitches
- An application can never be tested too much
- No matter how thoroughly an application is tested, glitches can and will occur
- When bugs do arise in our systems, we need to measure the developers more on the timeliness of their communication and resolution, not in the fact that a bug was allowed to occur
-Paul
***
Paul LaFlamme
President & CEO
Centrend, Inc.
508-347-9550 x115
Encryption Technology Available for Massachusetts Compliance
March 3rd, 2010
Here in Massachusetts, Personal Information is required by law to be protected. Since most of the technical concerns we are now hearing about are regarding portable media and laptop computers, the industry focus in Massachusetts has been on encryption technologies. The new data protection regulations, effective March 1, require portable devices and storage media be secured by encryption.
Encryption of data can be done with simple desktop tools available now. The software is easy to use and doesn’t really necessitate much of a change in how you use your computer. Once encrypted, data cannot be read by anyone without the key, even if a hacker were to bypass your password protection.
This prompts some additional questions that will be addressed in future blog entries…
› What is the difference between password protection and encryption?
› Isn’t encryption software expensive to deploy?
› Do I really need it?
If you need answers right away, Centrend is helping businesses with answers to these questions. Each business is different, so I’m inviting you to contact me directly for answers to questions about encryption for your unique situation.
- Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
508-347-9550 x135
bbowman@centrend.com
Major Outage of Sony Play Station 3 Network
March 1st, 2010
Those of you recreational gamers out there that have the older style Play Station 3 Models are most likely experiencing a problem with your system as of yesterday afternoon. Even if you don’t use the PS3 online, you are now getting a message that says “Your trophy registration is incomplete or in error. The game will now quit.” It happens on most any game and whether you are trying to play locally or online via the Play Station Network. Other errors that are appearing include an 8001050F error code prompt with little or no supporting text accompanying the code.
At 8 pm EST yesterday, Sony confirmed the problem and said they are working to resolve the issue. Resolution should come some time this evening, if Sony can keep their promise.
Another PS3 Trophy error appearing is “Registration of the trophy information could not be completed. The game will now quit.”
Some independent blog sites are recommending you dismantle your PS3 and disconnect the battery momentarily to clear the issue. Unless you are extremely technical and have a couple hours to spare (at least) I strongly encourage you not to do this as you could completely break the system. My recommendation is to wait out the problem while Sony’s engineers resolve it.
Exactly what the resolution will be, it’s hard to say. Since the PS3 can’t connect to the Play Station Network at all, it might be necessary for Sony to either send out media that the PS3 can use to read a patch from, or to even recall the units. It’s not clear at this time what the corrective action will be to get these PS3 systems working again.
Users of the new PS3 (Slim model) are not experiencing this problem, as it seems to be a glitch in the system clock firmware that only occurs in the older (Thick model) systems.
For the latest updates of this issue, follow my blog here, or visit the playstation blog by clicking here.
-Paul
***
Paul LaFlamme
President & CEO
Centrend, Inc.
508-347-9550 x115
Massachusetts 201 CMR 17 compliance deadline is today
March 1st, 2010
Link: http://centrend.com/93h_compliance.html
The new law has taken effect today, so every business leader must now be certain that the information that the Commonwealth of Mass defines as personal information flows through their organization under specific guidelines.
The deadline for compliance with the new data protection laws in Massachusetts was extended at the end of 2008, and then it was extended again in 2009. There will be no further extensions. Whether you are ready or not, on March 1, 2010, you will be required by Massachusetts law to take very specific and proactive steps to secure all forms of personal information you collect and store about Massachusetts residents, whether they may be customers, employees or contractors.
The Office of Consumer Affairs and Business Regulations drafted and then refined the regulations (MA 201 CMR 17.00) in response to feedback from the business populace. The regulations mandate that every organization and individual take more responsibility for the active protection of personal data, as defined by the Commonwealth of Massachusetts.
All legal entities will now be required to create and maintain a Written Information Security Plan (WISP). Your organization’s WISP will cover newly required organizational precautions, as well as technological safeguards. With the regulations to be enforced by the Attorney General’s office, the Commonwealth of Massachusetts will take into consideration the size of your organization and the scope of whatever personal information is recorded.
Most of the technical concerns we are now hearing about are regarding portable media and laptop computers. The new data regulations will require all portable devices and storage media containing personal information be secured by encryption technology.
Business leaders needing help determining their own level of compliance should consult an Information Technology expert, and Centrend has scheduled a free online compliance workshop. Each plan must be documented and employees must be trained on how to safely work with both physical and electronic records.
Centrend is offering help and free guidance to any organization challenged by this initiative.
- Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
508-347-9550 x135
