Nov 6th, 2009 by Ryan Meyer
Trusted Reviews has put the new Dell XFR rugged laptop through the grinder and it hasn’t fared as well as expected. Considering that these guys drove a car over a Panasonic Toughbook, they went pretty easy on the Dell, but it still couldn’t take the punishment. It looks like Dell still has a way to go to steal the ball from Panasonic when it comes to all-terrain computing.
Nov 3rd, 2009 by Ryan Meyer
A Sophos blog today tested 10 unique incoming virus samples against Windows 7 UAC.
The results were dismaying, with UAC preventing infection of only a single virus. Two of the samples did not run on Windows 7 at all (one wasn’t Win32). The remaining 7 viruses reportedly infected Windows 7 with UAC enabled.
Sadly, Sophos Labs fails to provide detailed information about methodology. I suspect that most – if not all – of these infections target the local profile and would not be system-wide.
Oct 28th, 2009 by Ryan Meyer
Microsoft’s Big Easy promotion is back this November. Here’s a video explaining more:
<video removed>
(In a nutshell: Microsoft software purchases will include a rebate to pay for installation, configuration, etc.)
Oct 19th, 2009 by Ryan Meyer
I just came across a fascinating method of privilege escalation using the Windows pass-the-hash toolkit to modify your current logon credentials.
- Physical access to a workstation is required – for only about 20 minutes. A traveling laptop with VPN would even be sufficient, though write access to the file system from a bootable CD or USB drive is required.
- Also required is a local administrator account with a pre-defined password on all workstations throughout the domain. In my experience, this is a standard practice for Windows administrators.
- Finally, a domain administrator has to be actively logged on to a server (non-DC) or a workstation.
From there it’s simple: NO social engineering, NO password stealer, NO password cracker, NO malicious code, NO exploiting zero-day or already patched vulnerabilities.
This is really an impressive hack and should encourage administrators to rethink some of their behaviors. Many security-conscious admins will have encrypted hard drives, limit boot devices, etc… but few have likely fully addressed the security implications of using a global password for the local administrator account. (I’ve already written and deployed a script to change the password to a hash computed by combining the computer name with a password.)
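One way to give every workstation a different local administrator password, as an added example rather than the author's script: it derives each password with HMAC-SHA256 over the computer name, keyed with a master secret. The function names, the `Administrator` account name and the use of WinRM remoting are assumptions.

```powershell
# Added example. Assumptions: the master secret, the account name 'Administrator'
# and WinRM remoting are illustrative. Run this from a management host only: a copy
# of the secret left on a workstation lets anyone with disk access derive every password.
$Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'  # 64 symbols, so byte % 64 is unbiased

function Get-DerivedLocalAdminPassword {
    param(
        [Parameter(Mandatory)] [string] $MasterSecret,
        [Parameter(Mandatory)] [string] $ComputerName,
        [ValidateRange(12, 32)] [int] $Length = 20
    )
    $name = $ComputerName.Trim().ToUpperInvariant()   # same result for pc01 and PC01
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Text.Encoding]::UTF8.GetBytes($MasterSecret)
    try {
        # Keyed hash instead of a bare hash: without the secret, knowing the
        # computer name and the scheme is not enough to recompute the password.
        for ($counter = 0; ; $counter++) {
            $digest = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes("$name|$counter"))
            $password = -join ($digest[0..($Length - 1)] | ForEach-Object { $Alphabet[$_ % 64] })
            # Re-derive with the next counter until all four character classes appear,
            # so the result passes a typical complexity policy.
            if ($password -cmatch '[A-Z]' -and $password -cmatch '[a-z]' -and
                $password -match '[0-9]' -and $password -match '[-_]') {
                return $password
            }
        }
    }
    finally { $hmac.Dispose() }
}

function Set-DerivedLocalAdminPassword {
    param([string] $MasterSecret, [string[]] $ComputerName)
    foreach ($c in $ComputerName) {
        $pw = Get-DerivedLocalAdminPassword -MasterSecret $MasterSecret -ComputerName $c
        # The password is computed on the management host; only the result is sent.
        Invoke-Command -ComputerName $c -ArgumentList $pw -ScriptBlock {
            param($p)
            Set-LocalUser -Name 'Administrator' -Password (ConvertTo-SecureString $p -AsPlainText -Force)
        }
    }
}
```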
Oct 14th, 2009 by Ryan Meyer
Can you spot a phishing email? This quiz, developed by SonicWall, asks just that and provides detailed results at the end.
Please share it with everyone you know.
Sep 28th, 2009 by Ryan Meyer
Mistake #12: Using pirated software
Software licensing rules can seem quite unfair. Many small business owners wonder why they should purchase more copies of software when they can simply use one for all their machines. With older software, you could probably get away with this. But with today’s ultra-sophisticated software, it’s simply a losing bet. Some software companies are cracking down so hard that when you download updates, it alerts them when the software has been used more than once. A company can disable your software completely at just the click of a mouse. Even worse, you could end up facing fines of upwards of $100,000 from the Business Software Alliance. Keep your software licenses up to date and you’ll never find yourself in this situation.
Many of the problems tackled within the Top 12 Technology Mistakes Small Businesses Make blog series can easily be remedied by using a qualified IT professional. Many IT companies now provide flexible, affordable packages that cover maintenance, support and the overall health of your IT environment. So take your time and do your homework. Plan ahead, spend wisely and hire qualified personnel. The money you spend on IT in the short run may feel like an incredible investment at the time, but it most certainly will pay off in the end.
Sep 26th, 2009 by Ryan Meyer
A network of Russian malware writers and spammers paid hackers 43 cents for each Mac machine they infected with bogus video software, a sign that Macs have become attack targets, a Sophos security researcher said yesterday.
Details at ComputerWorld.
(edit: it’s worth noting that the rate for hacked Windows machines in the US is 10-20 cents)
Sep 26th, 2009 by Ryan Meyer
More news on the wireless security front. WPA has been cracked, again.
As was noted in the previous post — WPA2-AES is surely a requirement now.
Sep 25th, 2009 by Ryan Meyer
Mistake #11: Not knowing what you have…
Ever wonder what’s in your server closet? Well, you should. Sometimes small business owners are so busy running their shops that they forget to count their software licenses or keep inventory of how many PCs they have. While countless businesses played it fast and loose years ago, one can’t afford to do that now. Strict asset management requirements, straight from the U.S. government, demand that you keep tabs on what you own. The companies of today that wave off asset management may find themselves unable to get a loan or other financing. They may be sued by Microsoft or The Business Software Alliance. They may be denied warranty or insurance coverage. Asset management is critical. Conducting your first inventory, especially if you’ve been in business for some time, may be an expensive task. But it will save you much heartache in the long run and possibly some tax benefits in the short term.
Sep 24th, 2009 by Ryan Meyer
Mistake #10: Using under-qualified staff for IT support
On its face, leaving the office manager in charge of your IT is not necessarily a bad move. They seem knowledgeable and they’re already salaried. But assuming they’re capable of such responsibility just because they can download and install software is a disaster waiting to happen. An under-qualified person might “fix” a problem only to cause more – or might incorrectly install new software or a new computer and leave it open to security threats. Because they’ve fallen into this trap, many small businesses actually end up spending more money just to correct the mistakes of an under-qualified IT person. In the long run it’s always less expensive to outsource it all to an experienced and certified expert.