
Paid software, what is it good for?

Posted by Josh on September 18, 2012 in Review, Security |

With all the great freeware products I discussed in my last article, you may be left wondering whether paid software is worth the money.  The short answer is “it depends.”  If you are a home user with no intention of doing any commercial activity with the software, the answer is “likely not”; if you run a small home business or are a full-fledged business, the answer is “absolutely!”

If you look at the End User License Agreement (EULA) on many free applications, they are free for non-commercial use only.  That means if you are using the software to make money, you need to either pay the freeware company a fee or find other software that allows commercial use.

Commercial or paid software does offer some advantages.  One of the biggest is integration.  What do I really mean by integration?  Simply put, integration is where multiple applications link in with each other and function together.  One of the best examples of this is in the Microsoft line of products, where the domain management software, Active Directory, links in with its email product, Exchange, to share users and let you change an email user’s account directly from Active Directory.  This expands further if the company uses Microsoft’s Office Communications Server (OCS) instant messaging application, which hooks not only into Active Directory but also into Microsoft’s email client, Outlook, natively displaying a user’s chat status and linking it to items on their calendar to show free/busy times.  It further allows you to start a chat directly from Outlook without having to pull up the Office Communicator window and, conversely, to start an email from within the Office Communicator application.  You generally do not get this level of shared functionality out of a group of freeware applications produced by various vendors that normally are not working together.

If you look at photo and image editing, the premier application currently is Adobe’s Creative Suite line, which includes Photoshop and Illustrator.  While it is a costly suite of software, if you are going to be doing this kind of work as a moneymaking activity, invest in the correct tools for your trade.  While you may be able to do “everything” using a group of disparate applications, you will save yourself time, and therefore money, in the long run by buying the right application for the job at hand.

While everything I have discussed to this point is important, one of the key things for a businessperson, small home office or large corporation is the readily available training for these software applications.  Companies like Microsoft, Apple, Adobe and the like have a large ecosystem of training for users and IT professionals.  Most also have some form of certification track so that professionals can demonstrate levels of competency to their employers.  This is good for a business because you are not locked into software you cannot hire someone to maintain because it is a little-known application with no viable training system.  Even for the home user this training ecosystem is beneficial: many colleges offer extension and even credit courses on the use of software products that let you get the most out of the software you have purchased.

 

The final major advantage of paid software is that you have a high degree of confidence that you will receive patches and hotfixes as security issues become known.  Using a freeware product, you always run the risk of it becoming “abandonware”, where the developer has stopped supporting and developing it, and now you have software that is a security risk with no way to fix it or, in some cases, to move it to a new version of your operating system.  Paid software, especially that from large established companies like Microsoft, Apple and Adobe, has teams dedicated not only to patch management but also to planning the next iteration of the software and its backwards compatibility.  Even so, check the vendor’s published support lifecycle before you buy: commercial products reach end of support too, and an unpatched commercial product is no safer than abandonware.

 

Overall, freeware is not bad; it can be a great bonus that makes a home user’s computer a truly functional system.  Businesses, however, should generally be using properly licensed commercial software to get the most out of their IT assets and to comply with the applicable legal requirements.

 



Password Theft

Posted by Josh on September 5, 2012 in Uncategorized |

Below is a great infographic that shows some really interesting information on passwords and password theft this year.

 

Infographic: 2012, the year of password theft

 

Note: The infographic was produced by Security Coverage; this posting does not constitute an endorsement of their security products, but is merely a sharing of their infographic.


You get what you pay for…

Posted by Josh on August 30, 2012 in Review, Security |

“You get what you pay for” is an old adage implying that if something is “free” it likely isn’t “good”.  Nothing could be further from the truth when it comes to applications for your Windows computer!

 
Symantec and McAfee are the two “leaders” in the anti-virus world, but there are other great options that are free for non-commercial (i.e. home) use.

 

Here are my top three free Antivirus applications
AVG Free
Avast! Free
and ironically:
Microsoft Security Essentials

 

OK, so now you have the virus thing taken care of; what about malware, spyware and adware?  There are great free tools for those as well!

 

Here are my top three free malware/spyware applications:
Malwarebytes
Ad-Aware

Spybot – Search & Destroy

 

Firewalls: yes, Windows has one built in, and it is much better than it used to be, but if you want to really add some protection, a third-party firewall is the next best thing to having a hardware firewall like the big companies do.

 

My top pick for free firewall protection application:

Zone Alarm Free Firewall
Want to check how well your firewall is working?  Check out Gibson Research Corporation’s ShieldsUP to test it.  They have lots of other great test applications as well.
Got kids?  Want to stop them from getting onto sites on the seedier side of the net?  Well-known applications like NetNanny work great but can be seen as a bit pricey; however, there are free alternatives.
My top pick is K9 Web Protection from Blue Coat.  (The real bonus is that they have smartphone applications too!)

 

Want to clean and optimize your PC? Get rid of all the “Crap” files on your computer?

My top free application pick is CCleaner.

 

While we are talking about cleaning: Windows has a built-in disk defragmenter and there are a number of paid defragmenter programs like Diskeeper, but like everything else in this list, there are free alternatives.

 

My best free defragmenter application is Defraggler.

 

OOPS!  You deleted a file and emptied the recycle bin, and only .0005 seconds after you clicked OK you realized you really DID need that file.  There are many file recovery options out there; one of my favorites is GetDataBack, but there are good free tools as well.

 

The best free application to recover data is Recuva.  The caveat is that you should already have it installed BEFORE you delete the file, since installing it afterwards (or writing anything else to that drive) risks overwriting the very file you want to recover.

 

Ever have to re-install a program and cannot find the activation/product key for it?  Did you know there is an application that can come to the rescue?  Belarc Advisor can scan your computer and create a report containing all of that, pulled directly from the installed applications!

 

With a combination of the above tools, plus applying all the software patches and hotfixes from Microsoft and your various applications, your system should stay malware/virus free and running smoothly for the life of the hardware.

Now let us talk about adding function beyond just surfing the net.

The first thing (after getting on the internet, of course) people want to be able to do is word processing.  The flagship application for this is Microsoft Word, but Microsoft Office, unless you’re a student or work for a company that has the Home Use Program, can be a bit pricey.  Fear not!  There are free alternatives!

 

My top two FREE applications for word processing/MS Office type productivity:
Open Office (application)
Google Docs (cloud)

 

Want to create/edit/convert your own audio files?  Audacity is the application for you; it is free and extremely powerful.
Want to use an ISO image as a DVD/CD without having to burn it to a disc first?  There is a free app for that!  Virtual CloneDrive lets you mount and run ISOs as if they were in the optical drive of your PC.  This is great if you make ISO images of your software install discs to keep backup copies in case the originals get lost or damaged.  Now you do not even have to burn a disc to re-install: just mount it and go!

 

Now you’re thinking: how am I supposed to create the ISO backups I mentioned?  Easy!  Use the application ImgBurn.  It is free and supports a wide range of image formats.

 

Like to watch video but get tired of Windows Media Player saying you do not have the codec for it, or QuickTime showing the video oddly?  VLC is the answer; it is a small, lightweight, easy-to-use movie player that is free to boot!

 

Photo editing: everyone likes to do it, even if it is just to crop a photo or make a background transparent.  The “big name” tool is Adobe Photoshop, but you can do many of the same things for free using a nifty application called GIMP.

 

Yet another common task is printing documents to PDF.  This is normally done either via a plugin in your word processor or using Adobe Acrobat Professional, but you can get the same print-to-PDF capability using the free CutePDF application.

 

While this article in no way covers every free application, these are the ones I have used time and time again over my career as an “IT Guy” that not only get the job done (and many times better than the paid version) but get it done for free.  With these applications you can turn a $300 netbook into a secure and really functional laptop without adding a single cent to the price tag.


The Lost Art of Physical Security

Posted by Josh on August 26, 2012 in Security |

 

When you read about IT security, you see lots of hype about operating system security, application security and various types of encryption.  What is often left out is physical security.

You might ask what physical security is, and it is a good question!  Physical security, as it applies to Information Technology, is the art and science of controlling which individuals have access to IT systems and to the areas and support functions that contain them.

The most basic method is a simple locked door.  Unfortunately, standard locks like the one on your front door are relatively simple to defeat with a standard lock-picking kit.  Picking a pin-tumbler lock generally uses two tools, a pick (or rake) and a tension wrench: the wrench applies light turning pressure while the pick sets the pins, after which the lock turns.  The video below does a great job of showing how this process works.

Even easier is the technique known as bump keying.  Bump keys were originally made individually but can now be bought in complete sets covering a plethora of lock makes and models.  Bump keying works on the same principle as standard lock picking, but is a much easier to use application of it, as demonstrated in the video below.

Another common locking system is the magnetic swipe card.  This is most often seen in large companies and hotels.  One problem with these cards is that they are often clearly labeled with the building they give access to, via company logos.  The most common security threat to these cards is physical theft.  That is not the only threat, though; it is exceedingly simple to clone a magnetic swipe card, as shown by the folks over at Hack a Day, and it requires little more than a few seconds of access to a valid card.  That access is most often obtained through a combination of social engineering and brief theft-and-return.

One of the latest types of key is RFID, generally embedded in a card such as an ID badge.  The card carries a chip holding a code; a reader picks up the code and validates it against a system that checks whether that code is authorized.  Unfortunately, like all the types of keys before them, they can be copied or spoofed as well.  Again, the folks over at Hack a Day have a great cheap, low-level example.  Researchers at Iowa University demonstrated that HID’s RFID products have “hackable” flaws and recommend two-factor authentication using the RFID card in conjunction with something like a PIN.  Melanie Rieback gave a great talk at DEFCON 14 on how RFID is being used and spoofed.

Even more “high tech” is the advent of biometric access controls.  Biometric controls grant access based on WHAT you are rather than something you have (a key) or something you know (a PIN or combination).  Common examples are hand geometry, fingerprints, iris scans and facial recognition.  Yet even these technologies are not spoof-proof; as far back as 2001 presenters at Black Hat have shown the problems with biometric controls.

All these locking mechanisms are “cool”, and while they can be “hacked”, there are even easier ways of getting into a building.  One of the easiest is “tailgating”, which is simply following someone else in when they use their key to gain access.  Another common method is plain social engineering.  How does that work?  Ever see someone say they left their key/ID at home or at their desk, and someone lets them in?  That person was socially engineered.  Yet another social engineering attack is “spoofing” your way in.  A real example: someone went to a Goodwill store, bought a uniform from the local telephone company, and showed up at a company that had a large directory of departments and a receptionist at the front desk.  This individual walked in and said that (picking a name from the IT department in the directory) had called about a problem with the telephone system.  Rather than calling that person, or even the telephone company, to verify, the receptionist saw the uniform and heard a valid employee name, concluded the visitor must be “legitimate”, and gave them UNSUPERVISED access to the entire communications node room.

This is why your high-value areas should have multiple layers of DIFFERENT security protecting them.  A good example would be an RFID card and PIN required to enter the building; a different physical card, used as a magnetic swipe with a PIN, to enter a sub-area of the building; and then a biometric control like an iris scan to enter a mantrap room, where a person watching over closed-circuit camera checks the individual against an access control list before “buzzing” them in.  While this may seem “extreme”, this kind of defense in depth is key to preventing someone from reaching something like your main server room.

Now you are probably wondering: “well, someone has physical access, what can they do?”  PLENTY!  Using readily available FREE software, a “bad guy” can gain access to your IT systems.  Here are a few examples.  Using free tools like the Ultimate Boot CD (UBCD), an individual can gain local administrative access to a system on your network with under 15 minutes of unsupervised access.  Let us say they do not really care about accessing your network; they just want the data on a specific IT asset.  Enter the free software Clonezilla!  Using it, they can make a complete copy of the hard drive of an IT system using nothing but a properly configured external USB hard drive.  Depending on the amount of data on the drive, this can take as little as 15 minutes, and they can go home and mine the data at their leisure.  Both of these attacks rely on the disk being readable once the machine is booted from other media; full-disk encryption is the control that takes that easy win away, though it does not protect a machine left powered on and logged in.  Even your telephone systems can be “hacked” and have wiretaps installed in just a few minutes.

This obviously does not cover everything regarding physical security, but it should serve as a springboard to draw your attention to the topic and get your mental wheels turning as to what you currently are doing, what flaws you might be able to identify, and maybe even make you a bit more aware of whether someone is trying to gain access to your building or assets.

 



Own the Email, Own the Person

Posted by Josh on August 21, 2012 in Security |

This article by Dennis Fisher is a great piggyback on my Password Security and Social Engineering articles.

For attackers looking to take control of a victim’s online presence, there is no better place to start than the target’s email account. If you own the email, you own the person. That’s never been more true than today, with so many social networks, services and shopping sites attached to users’ email addresses.

 

Read More: http://threatpost.com/en_us/blogs/own-email-own-person-082012



Everybody Lies…

Posted by Josh on August 20, 2012 in Security |

 

To quote the famous TV doctor Gregory House, “everybody lies”.  Why do I say that?  I do not know a single person who actually reads the whole end-user license agreement (EULA) on the software products they buy.  They are those things everyone clicks “OK” to after scrolling through what seems like 100 pages of legal “mumbo jumbo”.

The question I often receive is: if it is all written in “legalese”, is there any point in reading them?  My answer is simple: ABSOLUTELY!  This document tells you what you can do and, more importantly, what you cannot do with a particular piece of software.  Not too long ago a company called GameStation slipped a clause into its EULA to “grant Us a non transferable option to claim, for now and for ever more, your immortal soul.”  The real takeaway is that 7,500 customers clicked “agree” to the EULA containing that statement.

Other than claiming your immortal soul, EULAs give and take away other things too.  Just a few months ago, Microsoft added a clause to the new Windows EULA that prohibits “class action lawsuits” regarding the product.  This is a HUGE move, as Microsoft has had several class action suits against it.  One recent lawsuit concerned the way the camera in Windows Phones reported data.

Yet another example of EULA-imposed restrictions is one used by Blizzard Inc, makers of the MMORPG “World of Warcraft”.  The EULA was recently used to shut down a “private server” of their flagship product.  Not only did they shut down the server, they also received monetary damages from its operator.

With all this talk of how restrictive EULAs can be, some are exceptionally open.  The gold standard for this type of license is the GNU General Public License (GNU GPL), which specifically grants the freedom to copy and share the software.

Two of the largest issues I have personally seen involve people not reading the EULA of software that comes through the Microsoft Home Use Program (HUP) and DreamSpark programs.  With the Home Use Program, I have seen people buy copies of the software for their extended family, which is outside the EULA.  One of the major portions of the DreamSpark EULA, which is designed for college students in IT programs, is that the software is specifically for “non-commercial use”, so no, you cannot use that copy of Windows Server 2008 to build a network for your friend’s small business.

While no one is ever going to read every EULA they encounter, it is important to know what they do and, at a minimum, give each a quick glance to ensure that you are not accidentally selling your soul.



The Mobile Device Dilemma

Posted by Josh on August 13, 2012 in Security |

In the US particularly, and in most “first world” countries, we live in societies that are “always on” and “always connected” in both our personal and professional lives.  While this 24×7 connection allows for greater productivity and hyper-connectivity, it is not without its own pitfalls.

From both a personal and professional standpoint we must take a step back and really think about the “data” contained on our various smart phones, tablets, netbooks and laptop PCs.

Long gone are the days when your mobile phone only really had a list of contacts.  In today’s world a person’s smart phone is their “go to” device.  It contains personal and professional contacts, personal email, calendars, banking applications, web browsers, and personal documents stored either on the device or in some form of cloud-based storage.  In short, a person’s smart phone is a capsule of their life.  When you factor in that upwards of 50% of companies allow “bring your own device” (BYOD) in the corporate enterprise, you add all your professional documents and contacts to that capsule.

Apply this thought process to all of your other mobile IT devices and you can see the potential for massive amounts of both personal and professional data moving through any city or country on a daily basis.  This data is also traveling over a multitude of transmission means, ranging from built-in cellular data services to private WiFi networks all the way to the Starbucks down the street.

With all that data flowing, what are we doing as consumers and IT professionals to protect ourselves?  The answer is “it depends”.  Corporations that have locked in to the BlackBerry architecture from Research In Motion (RIM) get a full suite of end-to-end encryption for data transmission, plus options for enforced data-at-rest (DaR) device encryption and remote device wiping.  While advantageous, BlackBerry has taken a few black eyes over its poorly received foray into the world of tablets, the PlayBook, and more recently, and more importantly, its massive network outages.  Looking at the other two heavy hitters, Apple with iOS and Google with Android, you are really looking at third-party apps not only to bring better integration with the enterprise but also to beef up security.  The major advantage of having to use a third-party offering is the ability to go “cross-platform”: you can have a mixed environment of iOS and Android (even BlackBerry) devices and still connect and secure them.  The drawback is that these offerings often have a steeper learning curve to deploy and configure properly than the “out of the box” solution from Research In Motion.

Securing these devices is still in its infancy; as they become more popular, powerful and connected, I fully expect to see some form of major data loss sooner rather than later.

Moving away from ultra-mobile devices to your more traditional “Windows” and “OS X” devices, you typically see these in the news for corporate data loss: the laptop stolen out of a car that contained thousands of people’s medical records, or the one left somewhere with hundreds of employees’ social security numbers on it.  Most Windows systems, if unencrypted, can be compromised in roughly 5-10 minutes with nothing more than a CD or USB drive.  Even encrypted disks are not truly safe when you consider things like the infamous “evil maid” attack.  Because of this, the industry has moved toward a more centralized approach where data is stored on a Storage Area Network (SAN) that authorized employees access remotely using a Virtual Private Network (VPN) and their user credentials.  For large or more security-minded companies, both of these steps might involve smartcard hardware tokens as the basis for two-factor user authentication.  With none of the data actually stored on the laptop, and with access requiring a hardware smartcard as well as the PIN or password associated with that card, the chance of unauthorized users reaching key data is reduced.

This threat applies to run-of-the-mill home users too.  How many people have things like their tax returns, banking information and private correspondence on their laptop?  Let us be honest and think about how many home users routinely back up their data, let alone store it separately.  How many times has a computer crashed and a friend lost “everything”?  How much data would a thief have on you if someone stole your laptop right now?  This is where home users need to be not only aware but proactive.  If you are going to be traveling with a laptop, file encryption using software like TrueCrypt, along with standard patch management and judicious use of foreign WiFi, is key to safeguarding private data.

As with most things in the IT realm, I have barely scratched the surface of both the risks and the countermeasures we must use to mitigate them.  Understanding first that there is a threat, second what the threat is, and then having a plan for defense in depth is the best way to protect yourself and those whose networks or data you have access to.



Certification vs. Experience vs. Degree

Posted by Josh on August 8, 2012 in Review, Security |

Something that comes up often, both when organizations are looking to hire a new IT professional and within the circle of IT pros themselves, is how certifications, experience and an IT-related degree stack up against each other.  Long-time IT folks tend to hold the view that experience trumps, and often makes up for the lack of, a certification or a degree, while HR departments tend to focus on having a degree and certification more than years of experience.

Let us look at each on an individual basis:

Certification – This is a huge benchmark for IT professionals, especially those affiliated with the Department of Defense, which requires specific certifications based on position and administrative privileges.  The basic idea behind certification is that a neutral third party validates that an individual has a specific set of skills or knowledge.  Employers love this because, for HR departments, it eases the “vetting” of an IT professional’s skills by non-IT managers.  Almost all major certifications now require either periodic re-examination or a specific number of “continuing education” credits within a period normally tied to the re-examination cycle.  The major drawback of certifications is the abuse of the system through “brain dumps” by individuals who do not have the actual skills but simply memorize a list of likely exam questions to earn a passing score.

Experience – IT professionals LOVE to see experience on resumes!  This is especially true when the experience listing is detailed and names the various equipment, operating systems, network environment and so on.  While this is great for the IT folks, it tends to read like a bunch of scrambled letters to hiring officials who do not have an IT background.  With experience, as with any profession, there is the possibility of individuals overstating their actual experience in the hope that no one will actually check.  That is bad for everyone: the company does not hire the right person, and the IT pro might end up in a job that is over their head.

Degree(s) – Degrees are a bit of a mixed bag.  “It depends” comes to mind, as it really does vary by major, and even by school, how well they actually prepare you to work in the IT field.  Some schools are very intense on “hands on” practical application while others focus mostly on the “theory” of IT.  Why do HR departments love seeing a degree?  Sometimes a degree is a requirement by law or by the level of responsibility.  A friend who was an HR manager told me that his company looked at a degree as a benchmark for long-term project management: the individual had a goal that was a multi-year project requiring a large degree of autonomy to complete, with a plethora of variables to overcome, including group-based work.  If they can earn a degree, odds are they can handle a project.

 

Putting it all together, a good mix of all three is what every IT professional and HR department should be striving and looking for.  An IT pro with several years in the industry, multiple certifications and at least one degree in the IT realm is a safe bet: not just someone with a “paper” or “brain dump” certification, but someone with the skills to do the technical work and to communicate clearly with peers, subordinates and leaders.


Continuing Education

Posted by Josh on August 7, 2012 in AFCEA |

Below is a nice writeup on the Continuing Education Program that I started for my local Armed Forces Communications and Electronics Association (AFCEA) Chapter.

http://www.afcea.org/signal/chapternews/index.cfm?action=details&id=2075



The WiFi threat is real

Posted by Josh on August 5, 2012 in Security |

One of the most common threats to a computer user’s security is something widely adopted by businesses and home users alike.  Wireless internet connections, also known as Wi-Fi, have made connecting your computing devices to the internet easy in a wide range of locations.  The same technology that lets you quickly connect your smart phone, laptop, netbook or iPad to the internet connection at your local coffee shop, fast food restaurant or hotel is the technology that lets “Hackers” reach data on the systems connected to that Wi-Fi access point.  The easiest way for a would-be “Hacker” to get at your computer or data is to connect to any of a number of open Wi-Fi networks.  Without any hacking tools, you can open the “Network” icon in “My Computer” on a Windows computer and actually browse files on other users’ systems if they have “file and printer sharing” enabled.  A free plugin for Mozilla’s popular Firefox browser allows packet sniffing of computers connected to an unencrypted Wi-Fi network.  Using Firesheep, you can take over other people’s sessions on social networking, webmail and even banking sites through what is called “sidejacking”: the browser sends the site’s session cookie in cleartext, the sniffer copies it, and the attacker presents it as their own.
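To make the sidejacking mechanism concrete, here is an added example (my illustration, not code from the original post and not Firesheep’s code) that parses a few constructed cleartext HTTP messages, harvests the session cookies a passive sniffer on an open hotspot would see, and then checks the server’s Set-Cookie headers for the Secure attribute that stops a browser from ever sending the cookie over plain HTTP.  The hostnames and cookie values are made up for the demonstration.

```python
"""Added example (not from the original post): what a sidejacking tool such as
Firesheep sees on an unencrypted Wi-Fi network, and the server-side cookie flag
that defeats it. All traffic below is constructed, not captured."""

# Constructed cleartext HTTP requests as they would appear on the air of an open
# hotspot. Hostnames and cookie values are made up for illustration.
CAPTURED_REQUESTS = [
    b"GET /inbox HTTP/1.1\r\nHost: webmail.example.test\r\n"
    b"Cookie: SESSID=4f3d9a1c; theme=dark\r\n\r\n",
    b"GET /feed HTTP/1.1\r\nHost: social.example.test\r\n"
    b"Cookie: auth_token=9b8e7f6a5d\r\n\r\n",
    b"GET /static/logo.png HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
]

# Constructed responses from the same two sites: one sets its session cookie
# without Secure (sidejackable), the other sets it with Secure and HttpOnly.
CAPTURED_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nSet-Cookie: SESSID=4f3d9a1c; Path=/\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nSet-Cookie: auth_token=9b8e7f6a5d; Secure; HttpOnly\r\n\r\n",
]


def parse_headers(message):
    """Split an HTTP message into (start line, {lowercase header name: [values]})."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def harvest_session_cookies(requests):
    """Return {host: {cookie_name: value}} for every Cookie header seen in cleartext.

    This is the passive step a sidejacking tool performs. No decryption is
    involved: on an open hotspot nothing is encrypted at the link layer, so the
    Cookie header is readable by anyone in radio range."""
    harvested = {}
    for raw in requests:
        _, headers = parse_headers(raw)
        host = headers.get("host", ["?"])[0]
        for cookie_header in headers.get("cookie", []):
            for pair in cookie_header.split(";"):
                name, _, value = pair.strip().partition("=")
                if name:
                    harvested.setdefault(host, {})[name] = value
    return harvested


def insecure_set_cookies(responses):
    """Return the names of cookies a server set without the Secure attribute.

    A cookie lacking Secure is sent over plain HTTP as well as HTTPS, which is
    exactly what makes it sidejackable; with Secure the browser only ever sends
    it inside a TLS connection, so the sniffer never sees it."""
    weak = []
    for raw in responses:
        _, headers = parse_headers(raw)
        for set_cookie in headers.get("set-cookie", []):
            parts = [p.strip() for p in set_cookie.split(";")]
            name = parts[0].partition("=")[0]
            attrs = {p.lower() for p in parts[1:]}
            if "secure" not in attrs:
                weak.append(name)
    return weak


if __name__ == "__main__":
    print("cookies visible on the air:", harvest_session_cookies(CAPTURED_REQUESTS))
    print("cookies set without Secure:", insecure_set_cookies(CAPTURED_RESPONSES))
```

Run it directly to print the harvested cookies and the list of cookies set without Secure.  The defence is on the server side: a session cookie marked Secure (on a site that redirects HTTP to HTTPS, ideally with HSTS) gives the sniffer nothing to replay, whereas nothing the client does on an open network changes what is visible on the air.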

All the threats you have at a public hot spot still exist in the home and office environment.  When you add your hardwired systems, in addition to your Wi-Fi-only systems, to an open wireless router, it becomes a veritable treasure trove of potential data.  Properly configuring your wireless access point for maximum security involves several easy but often overlooked steps.  The very first step is to change the default administrator username and password for the access point.  These usernames and passwords are well known in the “Hacker” community, and they will use them to get into your wireless network and change your access point’s settings.  The second step is to set up Media Access Control (MAC) address filtering.  A MAC address is a 48-bit hardware identifier, written as six hexadecimal byte pairs, assigned to each network interface.  Enabling MAC filtering provides a layer of protection by allowing only network cards with a pre-approved MAC address to connect to your access point; note that a MAC address is trivially changed in software, so this stops casual connections rather than a determined attacker who has sniffed an approved address.  Your next step is setting a non-default service set identifier (SSID) and setting it not to broadcast.  Just like the default administrator username and password, default SSIDs are well known and should be changed immediately.  Turning off the SSID broadcast keeps your network out of the casual scan lists most people see, though a sniffer still sees the access point’s beacons and learns the name as soon as a client connects.  Finally, setting a Wi-Fi Protected Access II (WPA2) passphrase for your connection is an absolute must.  The older encryption model, Wired Equivalent Privacy (WEP), is easily broken in fewer than five minutes using widely available utilities.  While a dedicated “Hacker” can defeat any one of these, this kind of defense in depth will keep you from being low-hanging fruit for “Hackers”.
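The advice to change the default SSID and to use a WPA2 passphrase is connected, and the following added example (my code, not the original post’s) shows why: WPA2-PSK derives the 256-bit pre-shared key from the passphrase with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table of pre-computed keys for a common SSID such as “linksys” is worthless against a network with a unique name.  The wordlist and SSIDs below are constructed for the demonstration; the only real data is the IEEE 802.11i test vector used to check the derivation.

```python
"""Added example, not from the original post: how a WPA2-PSK passphrase becomes
the 256-bit pre-shared key, and why the SSID matters to an offline guessing
attack. Wordlist and SSIDs below are constructed for the demonstration."""
import hashlib


def wpa2_psk(passphrase, ssid):
    """Derive the WPA2 pre-shared key as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1, SSID as the salt, 4096 iterations, 32-byte output.
    Returned as lowercase hex."""
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return key.hex()


def precomputed_table(ssid, wordlist):
    """What an attacker builds once per SSID: a map from PSK back to passphrase.

    Because the SSID is the salt, a table built for 'linksys' is useless against
    a network named anything else, which is the real reason to change the SSID."""
    return {wpa2_psk(word, ssid): word for word in wordlist}


def lookup_passphrase(candidate_psk, table):
    """Return the passphrase behind a PSK if the table contains it, else None.

    In practice the PSK is not captured directly; each table entry is checked
    against a captured 4-way handshake, but the lookup is the same."""
    return table.get(candidate_psk)


# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["password", "letmein", "12345678", "correcthorsebattery"]

if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PSK for password/IEEE:", wpa2_psk("password", "IEEE"))
    table = precomputed_table("linksys", WORDLIST)
    # Default SSID: the pre-built table recovers the passphrase instantly.
    print("linksys:", lookup_passphrase(wpa2_psk("password", "linksys"), table))
    # Renamed network: same weak passphrase, but the table does not match.
    print("MyRenamedAP:", lookup_passphrase(wpa2_psk("password", "MyRenamedAP"), table))
```

The 4096 PBKDF2 iterations are what make each guess cost something; combined with a long passphrase and a unique SSID, that is what turns an offline attack on a captured handshake from minutes into years.  Note that the SSID only helps against pre-computed tables: it does nothing against an attacker who targets your network specifically, which is why passphrase length still matters most.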

“Hackers” routinely scan for open Wi-Fi networks in an activity known as war driving and post their results to websites like http://www.wigle.net .  Sites like Wigle let you type in a street address and see on a map the locations of all the wireless access points in that area, whether each is open or secured, and which encryption type it uses.  If a “Hacker” is able to penetrate your Wi-Fi network, they can attempt to access your computers to steal your banking, personal or corporate information, which they can then use to commit identity theft or sell on the black market.  Once on your network they can also use your internet connection to illegally download digital media like music and movies, which can cause your internet service provider to shut off your internet service or even expose you to legal action from copyright holders.  Further, they could use your internet connection to participate in other illegal activities such as child pornography.  A computer user can mitigate all of these possible compromises by using open Wi-Fi networks judiciously, with proper security settings, and by locking down personal or corporate wireless networks.


Copyright © 2012-2017 All rights reserved.
