Tag Archives: Dirk Morris

How to Fight Organized Cybercrime

Kris Covino, CTO and co-founder of Date.com, once received an e-mail that appeared to come from the United Kingdom. The writer explained that he had encountered a lot of fraudulent activity on Date.com, and asked for advice on how to detect fraudulent behavior. Covino wanted to be helpful. “I responded with information on some anti-fraud databases, places to check if a photo of a supposed Date.com user had been used in online scams, and an online discussion group about scams,” he says. “It was pretty comprehensive and I sent it off…but something about it bothered me.”

So Covino checked the sender’s e-mail address against Date.com’s database of known frauds, and it matched a known scammer in Nigeria. “The scammers had proactively contacted me to find out how they could disguise themselves better!” Covino says. Not only that: at the same time he was answering the e-mail, the company’s customer service staff was fielding phone calls in which the caller claimed to be a Date.com user who’d been banned from the site and asked for detailed information on how to avoid being banned in the future.

There’s no question that in the past few years cybercrime has taken on new dimensions. “Ten years ago, it was teenagers with pony tails sitting in their garages,” says Fred Rica, principal at PricewaterhouseCoopers. “We now see a high level of organization, a high level of sophistication, and a high level of funding. Whether it’s coming from a nation-state, or organized crime, or somewhere else, they seem to have a lot of resources at their disposal.”

And they operate across international borders. “We found many crime rings employed multiple teams that focused on different parts of a fraud operation,” Covino says. “For example, one team located in the U.S. would register free user accounts, but when it came time to input stolen credit card numbers to create fake pay accounts — which is illegal here — that was done from offshore. Then yet another team located predominantly in a few specific regions would use those accounts to perpetrate romance scams within our community.” Romance scams might include getting to know a Date.com member by e-mail or chat over a period of months, and then asking him or her to cash a check, for example.

Cyber-gangs prey on small companies

“If you ask a small business about safety, the response is often: ‘Who would hack me? I have nothing of value,’” reports Dirk Morris, CTO and founder of Untangle, an open-source security gateway for small businesses. They’re wrong. Organized cybercriminals are after two things that every company, large and small, has. The first is computers, which, if vulnerable, can be used as part of a botnet, sending out spam or performing other tasks without their users’ knowledge. The second is personally identifiable information, such as credit card or Social Security numbers, but also log-ins and passwords that could give the cybercriminals access to users’ accounts.

In fact, organized cybercrime often targets small companies rather than larger corporations. “It’s just too easy to exploit small or medium-sized businesses,” says Ron Plesco, president and CEO of the National Cyber Forensics & Training Alliance. “Large corporations have more funds to remediate and mitigate. Small businesses don’t, and the bad guys know it. They’re concentrating on small businesses, and have been for the past year.”

How you can avoid being a victim of cybercrime

Here are some steps that can help.

Get the best security you can afford. You can’t match a large company’s security arsenal, and that’s okay. All you need is enough to make your company an unappealing target. “If the door to your house is locked, you have an alarm sign in the window, and a sign that says ‘Beware of the dog,’ a thief will probably go on to the next house,” Rica explains. It works the same with cyber-gangs: if you make it difficult to gain access, they’ll go bother someone else.

Know your network patterns. It’s smart to review logs and usage on a periodic basis. For instance, by examining logs, Covino was able to determine that a user who appeared to be in the United Kingdom was actually in Nigeria: the scammer’s proxy server stopped working for a few moments, revealing the user’s actual location.

Know your customers’ patterns. “You have to understand your customer base and have some information about how they use the site,” Covino says. “It’s impossible to fight this without some of that information.” Just as important, be aware of what user behaviors should be taken as red flags. For Modern Tribe, which sells Jewish-themed t-shirts and other Judaica, that turned out to be large orders for t-shirts with overnight delivery and a shipping address that didn’t match the credit card billing address. The first time the company received such an order, it billed the credit card number and sent out the t-shirts for overnight delivery — and received an irate phone call a few days later from the credit card’s owner, who had not authorized the charge. By then, it was too late to stop or recover the shipment, so Modern Tribe wound up eating the cost of the t-shirts and expedited shipping. However, there was a second order in process that also involved a large number of t-shirts, expedited delivery, and a shipping address that didn’t match the card’s billing address. “We immediately suspected that the second order was also fraudulent, so we looked into it, and when it turned out to be false, we were able to stop it,” says Jennie Rivlin, Modern Tribe’s founder. Since then, she says, her firm has received many such orders, but because they know the pattern, they can take extra steps to make sure an order is real before filling it. “We have had some larger orders where the billing and shipping address didn’t match, so we contacted the customers and it turned out to be fine,” Rivlin says. “But it was well worth taking that extra precaution.”

Beware the E-mail Blacklist

You’ve sent an important business e-mail to a contact, but it never arrives. The person on the other end complains. Eventually, your message is found, trapped in the recipient’s spam filter. If this scenario sounds familiar, there’s a good chance your e-mail server has been blacklisted.

E-mail software routinely uses blacklists as a first line of defense against the relentless onslaught of spam. Blacklists work by keeping track of the Internet protocol (IP) addresses of servers that have sent spam. Once your e-mail server’s IP address is on a list, any spam filter using that list will automatically block messages from your server.

Server owners generally are not notified that they’ve been added to a blacklist. In fact, most small businesses only find out they’ve been blacklisted when they hear from their contacts that an expected e-mail either vanished or was stopped as spam, according to Peter Firstbrook, research director at Gartner. By that time, you’ve already got a serious problem.

An anti-blacklist strategy

You don’t have to wait until messages go missing before dealing with blacklist issues. What follows is a six-part strategy for staying off e-mail blacklists. Please note that this strategy assumes you host your own e-mail. If you use hosted e-mail, and the server gets blacklisted, there’s little you can do but complain to your provider and immediately start looking for a replacement. Assuming you do host your own e-mail, though, these steps should help you stay in the clear:

Test your blacklist status. Begin by making sure your IP address isn’t already blacklisted. Sites like MXToolbox allow you to input your mail server’s IP address and will check it against the most commonly used blacklists.

Don’t send unsolicited mass e-mails. Needless to say, the easiest way to ensure that your server will wind up blacklisted is to use it to send unwanted e-mails that recipients may view as spam. A few such complaints can get your server blocked in a hurry — so don’t do it. (For additional tips on keeping marketing e-mail out of spam filters, see this IncTechnology article.)

Check your company for bot computers. The most common way a company’s server winds up blacklisted is because one or more of its computers has become part of a “botnet.” A botnet is a group of computers infected by malware that allows outsiders to use them for tasks such as sending out spam, usually without their owners’ knowledge. Botnets are a preferred method for spam distribution for the obvious reason that they prevent spam from being traced to its source. With increasing demand from a growing spam industry, botnets are becoming alarmingly widespread. “Most companies already have bots in their organizations,” Firstbrook says. “You’re best off if you assume you have a bot, and then go find it, rather than starting from the assumption that you don’t.”

Observe strict security protocols. If you’ve managed to stay clear of botnets so far, your best chance of remaining that way is to keep your company as secure from malware as you can. That means not only running the standard suite of security applications — anti-virus, intrusion prevention, anti-spyware, and anti-spam — but also making sure patches and updates are deployed as quickly as possible. “The Microsoft Tuesday patch needs to be on all computers by Wednesday,” Firstbrook says. “And if the only browser you’re keeping up to date is Internet Explorer, then that should be the only one employees can use.” He also recommends preventing employees from surfing to certain dangerous sites.

Block port 25 on every machine except your e-mail server. Port 25 is the standard port that computers and servers use when sending e-mail to the Internet. A legitimate user within your company would not send out e-mail directly from his or her computer, but would use your e-mail software to route it through your company’s e-mail server. A bot, on the other hand, would send spam directly — through port 25 — to avoid detection. Blocking this port on all but your e-mail server won’t prevent you from having bot computers, but it will prevent those computers from sending out spam and landing your company on a blacklist.

Be aware of your neighbors. Another way to get blacklisted through no fault of your own is if a server adjacent to yours on a network sends out spam. Many blacklists block not only the specific server that sent the spam, but also other servers whose IP addresses fall in the same range. “Even as a security company, we got blacklisted once because we’d installed our servers in a data center, and one of the other servers there sent out spam,” notes Dirk Morris, founder and CTO of Untangle, an open-source gateway provider. The offender happened to be another server with an IP address near Untangle’s. “Any time you rent Internet space, you have a neighbor, and you can be affected by what that neighbor does,” he says.

If you get blacklisted

What do you do if you find out you’re already on one or more blacklists? “If you are, it’s bad news,” Firstbrook says. “It’s not an easy problem to solve.” Each blacklist has a different procedure for requesting removal, so you’ll have to follow a different set of instructions for each list you’re on. Or, you could just wait. “They usually expire after five days or so,” Morris says. “On the other hand, you can’t send anyone e-mail during those days.”

Whatever you do, make sure you’ve actually identified and solved the problem that caused you to be blacklisted in the first place before you ask to be taken off the list. “You’d be surprised how many people skip this step,” Morris says. “When someone tells you you’re sending spam, the common reaction is ‘No, I’m not,’ instead of trying to find out if there’s a bot or other problem.” That kind of thing can sour your relationship with the blacklist providers, and make it harder to get off the list in case of any future incidents, Firstbrook says. “Don’t say that you’ve cleaned things up and then let something happen that will put you back on the blacklist,” he says. “You don’t want to try their patience.”

SIDEBAR: Blacklist Testing Sites

Want to find out if you’re on any blacklists? These sites can tell you.

MXToolbox checks your IP address against 147 blacklists, and offers the option of sending a ping e-mail to its server — a super-easy way to learn whether you’re on a blacklist or not.

Blacklistedip not only lets people know when they’re blacklisted, but helps track the issue that caused the blacklisting and assists with getting off the blacklist.

Repcheck constantly monitors some 200 blacklists and alerts you if you get blacklisted.

Blacklist Sites

Need to get off blacklists? Here are three of the most popular, but there are many more.

MAPS, now part of Trend Micro, offers both information on whether you’re blacklisted, and also threat analysis.

SpamCop provides anti-spam software as well as its blacklist of spamming server IP addresses.

The Spamhaus Project is an international, non-profit effort to combat spam.
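The “Test your blacklist status” step and the lookup sites in the sidebar all rest on one mechanism: a DNS query for your IP address, octets reversed, under the list’s zone, where an answer in 127.0.0.0/8 means “listed” and no answer means “clean.” The following is an added example (not from the original article, and not code from MXToolbox, Spamhaus or SpamCop) that performs that check directly; the zone names are the public Spamhaus ZEN and SpamCop lists, while the 192.0.2.x addresses and the offline stand-in resolver are constructed for the demo.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable

# Zones to query. Spamhaus and SpamCop are named on the page; these are their
# public DNSBL zones. Other DNS-based lists are queried the same way.
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

Resolver = Callable[[str], str]  # name -> first A record, or raises socket.gaierror


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, then the zone.
    192.0.2.10 against zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def describe_zen_code(code: str) -> str:
    """Meaning of a Spamhaus ZEN return code, per Spamhaus's published table."""
    last = int(code.rsplit(".", 1)[1])
    if last == 2:
        return "(SBL: known spam source)"
    if last == 3:
        return "(CSS: low-reputation sender)"
    if 4 <= last <= 7:
        return "(XBL: exploited host, e.g. a bot or open proxy)"
    if last in (10, 11):
        return "(PBL: dynamic/end-user range, not meant to send mail directly)"
    return "(unrecognised code)"


def interpret_answer(answer: str, zone: str) -> str:
    """Turn the A record a DNSBL returned into a status string."""
    code = ipaddress.ip_address(answer)
    if code not in ipaddress.ip_network("127.0.0.0/8"):
        # Wildcard DNS or a broken resolver, not a listing: do not act on it.
        return f"error: unexpected answer {answer}"
    if code in ipaddress.ip_network("127.255.255.0/24"):
        # Spamhaus signals a refused query (e.g. sent via a large open resolver)
        # in this range; treat it as "check failed", not as "listed".
        return f"error: query refused ({answer})"
    detail = " " + describe_zen_code(str(code)) if zone.endswith("spamhaus.org") else ""
    return f"listed: {answer}{detail}"


def check_ip(ip: str, zones: Iterable[str] = DEFAULT_ZONES,
             resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Query each zone. NXDOMAIN (socket.gaierror) means the IP is not listed."""
    results: Dict[str, str] = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except socket.gaierror:
            results[zone] = "not listed"
            continue
        results[zone] = interpret_answer(answer, zone)
    return results


def is_listed(results: Dict[str, str]) -> bool:
    """True if any zone reported a real listing (errors do not count)."""
    return any(status.startswith("listed") for status in results.values())


def make_fake_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for socket.gethostbyname, used by the demo below."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(f"{name}: NXDOMAIN")
    return resolve


if __name__ == "__main__":
    # Constructed scenario: 192.0.2.10 is on ZEN as an exploited host (the
    # bot-in-the-office case) but not on SpamCop.
    fake = make_fake_resolver({"10.2.0.192.zen.spamhaus.org": "127.0.0.4"})
    report = check_ip("192.0.2.10", resolve=fake)
    for zone, status in report.items():
        print(f"{zone:20} {status}")
    print("action needed:", is_listed(report))
    # Leave resolve at its default (socket.gethostbyname) for a live check.
```

A live check must be made from your own resolver: lists such as Spamhaus refuse queries relayed through large public resolvers, and the code above reports that as an error rather than as a clean result.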

How Much Website Uptime Is Too Much?

When it comes to things like serving customers, business leaders are fond of saying that nothing less than 100 percent will do. So it seems natural to take that same approach with your company’s website, and if you can’t guarantee 100 percent uptime, come as close as possible — 99.999 percent — or less than six minutes of unplanned downtime a year.

That may sound like a logical goal. But what does it take to guarantee near-perfect uptime? The only way is to have backups for everything that could conceivably go wrong. You’ll need backup servers, and/or servers with multiple disk drives in a redundant array of independent disks (RAID) configuration. You also need multiple instances of important applications and databases. Your connection to the Internet could fail, so it’s smart to have more than one provider, a practice known as “multihoming.” Redundant servers and software won’t be much use without electricity, so your equipment should be protected with an uninterruptible power supply (UPS) device, which can run your servers on battery power for a couple of hours, long enough to get a generator — which you also need — up and running. Even all this may not prevent an outage in a hurricane or earthquake. So, to truly guarantee uptime, you should have a second set of servers with multiple disks and uninterruptible power in a different geographic area, ready to take over in case of need.

Large enterprises do all of this as a matter of course. Should smaller companies follow suit, putting as many of these protections in place as their budgets allow? No, according to David Heinemeier Hansson, partner in the software firm 37signals, and creator of the popular Ruby on Rails software development framework. “Companies tend to emphasize uptime to the detriment of other things,” he says. “Unless you have a very large number of users, uptime doesn’t matter as much as other things, such as innovation.”

Most experts agree that 99 percent uptime — or a total of 3.65 days of outage a year — is unacceptably bad. So it may make sense to seek better performance than that, but the closer you get to perfection, the more it will cost. “The expense of going from 99 percent to 99.59 percent can be astronomical,” Hansson says.

It can have an unexpected impact on future costs as well, notes Dirk Morris, founder and CTO of Untangle, which provides open source gateway appliances. “A typical scenario for a small business is to have some kind of database-driven Web application for sales,” he says. “To avoid having that go down, they might put in a second instance of the same database. Now you have an extra layer of complexity in your system, and it’s much harder to change or add anything. You might have better uptime, but you’ve lost flexibility.” Because of this tradeoff, many companies wind up regretting the backups they’ve put in place, he says.

Outsourcing for uptime

Not necessarily, argues Dan Ushman, co-founder and vice president of marketing at SingleHop, Inc. SingleHop provides managed hosting, and Ushman claims that for clients of companies like his, 100 percent uptime is indeed possible, because the service can provide the many layers of redundancy required. In fact, Ushman says most small businesses don’t spend enough on uptime. “The biggest mistake small businesses make is to go with shared hosting, which may just cost $20 a month,” he says. “Then you’re one of 500 accounts on one server, and any of the other accounts can cause the server to crash and cause downtime for everyone else.”

It’s certainly true that hosting services have more redundancy, more expertise, and better monitoring than most small businesses, allowing them to offer a higher percentage of uptime. But, Hansson notes, hosting providers don’t put much financial commitment behind their uptime guarantees; most offer only a partial reimbursement of their hosting fee for the time the service was down. “We were actually in this situation, and the payments you get back are not substantial,” Hansson says.

Doing downtime right

How much cost and complexity to take on to avoid possible downtime is a question with a different right answer from company to company. But in every case, there are ways to minimize the business effect of an outage. Unless you’re certain your site can never go down, it’s worth spending a little time and energy to prepare in case it does. Here are some tips that can help you get started:

1. Find an alternate way to communicate with customers. Even if customers can’t actually get to your site, they should get more than their browser’s error message when they try. This can be as simple as a webpage that apologizes for the outage and lets customers know you’re working to fix it. If your site is down for more than a brief time, Hansson recommends redirecting traffic to that page instead. (Needless to say, it should be hosted away from the servers you normally use.) 37signals takes this one step further with a blog that constantly reports on its site’s status. During an outage, 37signals staff post updates every 15 minutes or so, reporting on their progress getting the site back up.

2. Apologize and explain. Once the outage is solved, give your customers a post-mortem as to what went wrong, and tell them what you did to fix the problem. Make sure to apologize for the inconvenience your downtime undoubtedly caused. Whatever you do, don’t fudge the facts or use anything that sounds like double-speak, such as Amazon’s recent description of its outage as an “availability event.” “Admit your mistakes up front, and in human language. That’s all people really want,” Hansson says. “If you’re making it sound like you didn’t do anything wrong, if you can’t call an outage an outage, then you’re not trying hard enough.”

3. Treat your outage as an opportunity. “When people go to a hotel and everything goes smoothly, they’ll give it an OK rating,” Hansson says. “But if there’s an issue and the hotel fixes it, they’ll give it a better rating.” There’s a lesson in this, he says: if you have an outage, but customers see that you fixed it as quickly as possible, were honest about the event, and apologized for the trouble, they may appreciate you more than if you never had the outage at all. “When we have a downtime issue we respond to it honestly, and we get positive feedback,” he says. “It’s a unique opportunity to bond with your customers. If you handle it right, they’ll come away liking you more, not less.”

Protect Your Network from Users

A small technology provider installed a T1 and shared it with two other small companies in the same building. One of these was a real estate office that began experiencing network problems. “Fortunately, there was a guy there who had a background in IT,” recalls Danny Nickason, who managed technology for the provider in a previous job, and is now IT director for Genesis Physicians Group. “He told me they were getting heavy pinging, about 25,000 a second, and gave me the IP address it was coming from.” Devices on a network use “pings” to check the connection to other devices, but viruses can also use them to overload a network.

Nickason checked the IP address, which came from a wireless system his company used for demos. He shut down the server in question, and the pings immediately increased to 1 million per second. “It brought both our network and their network down,” he says. “We were hosting eight or nine websites for our clients, and those went down as well.” Nickason investigated further, and discovered the problem originated with the computer a new employee was using. He began by disconnecting the offending computer, which immediately returned both networks to normal. Next, he tried a virus scan on the computer, and encountered a file that wouldn’t let him complete the scan. The file was located in the computer’s “My Music” directory — the result of downloading infected music files. Because of this activity, Nickason notes, “That employee cost several companies money. We had to send apologies to both the companies using our T1 line, and to our clients whose sites went down.”

Inviting the vampire in

When asked how a network became infected with a virus, Nickason once replied, “The vampire gets in if you invite him in. If you don’t invite him in, he stays out.” This is a major issue in security, where most problems begin with someone downloading an infected file, browsing to an infected site, or leaving a computer unprotected. “Computers come configured to do just about anything,” notes David Rice, author of the new book Geekonomics: The Real Cost of Insecure Software (Addison Wesley 2007). “So you’re starting out behind the eight ball, as far as security is concerned.” How can you improve those odds? Consider these steps:

1. Invest in educating users. “Employees do stupid things, and attackers are out there trying to trick them,” Rice says. “So making them aware of the dangers is probably the biggest bang for the security buck.” Frequent communication is essential, Nickason adds. “I see too many IT departments hide in a room, waiting to react to problems,” he says. “I’m very vocal, constantly reminding them about security. If there are updates, I make sure to advise everyone to reboot their computers, and leave them running that night. I let them know not to open attachments, even from someone they know, unless it’s something they’re expecting.” Communication also helps build trust. For instance, Nickason reports, suspect e-mail is quarantined until he can look at it and make sure it’s virus-free. Employees could override the quarantine if they so chose — but they never do, because they understand the risks.

2. Create an acceptable-use policy. “Some companies say that you can’t make personal phone calls, but they let employees use their computers any way they want,” Rice notes. In one case, he says, he found an employee running a “home-based” business entirely on an employer’s computer. “Most companies have very lightweight acceptable-use policies, if they have them at all,” he says. “You need to have the mindset that the equipment belongs to the company, and should be used only for company business. If you start from there, it’s much easier to influence user behavior.”

3. Don’t assume all users have identical access needs. “Knowledge workers need more Internet access than someone in the mailroom assembling components to ship,” says Adam Hils, primary research analyst specializing in small and mid-sized businesses for Gartner. “Yet many IT departments set the same profile for everyone, so they all wind up with the same access. If you have 100 people in your company, and you give all 100 the same access, but only 50 actually use it for their jobs, you’ve doubled your security exposure unnecessarily.”

4. Don’t prevent people from doing their work. “Your users are higher-order problem-solving primates,” Rice notes. “And they’re trying to get their jobs done. So if you prohibit something, make sure they have another path to doing what they need to.” Otherwise, he says, they’re likely to look for workarounds that may create worse security problems than the one you solved.

5. Accept that mistakes will be made. Ultimately, even the best-educated users will eventually make a security mistake, so make sure your firewall, antivirus, and spyware filtering are as robust as you can make them. Dirk Morris, CTO and founder of the security gateway Untangle, notes that, while purchasing software recently, he himself did an Internet search for a discount coupon, downloaded it, and would have given the company a virus had it not been protected with its own product. “You can educate a lot, and it will make a big difference, but it won’t solve everything,” he says. “There are too many ways even a perfectly well-informed user can still do something harmful.”

Would Your Network Survive a Targeted Attack?

A small company selling products from its website had bare-bones security in place. Its executives had figured its small size would put it beneath the radar of hackers and other cyber-criminals. After all, cyber attacks are usually aimed at large organizations such as the U.S. Commerce Department or Circuit City, or in one stunning case, the entire nation of Lithuania. Why would anyone bother to attack a tiny company with only a couple of servers and a handful of employees?

Someone did, though. A hacker managed to crack this company’s not-very-elaborate security system, gain access to its network, and obtain credit card information for its customers. Not only that, the hacker left a rootkit that continued to collect new credit card numbers as they came in. (Rootkits are rogue software designed to give unauthorized outsiders administrator-level access to a system.) It took not only a new security setup, but completely wiping and reinstalling the company’s computers to resolve the problem.

“The common belief is, ‘I have nothing of value, so no one will bother me,’” says Dirk Morris, CTO and founder of Untangle, an open-source network gateway company that helped the small e-tailer rid itself of the hacker. “But we keep running into small businesses that are getting hacked and having their machines taken over.” Smaller companies tend to have smaller security budgets and weaker security in general than larger ones, he explains, and that makes them attractive.

Organized crime may be involved

“We view targeted attacks in the same category as zero-day attacks,” notes Adam Hils, primary research analyst specializing in small and mid-sized businesses for Gartner. “It’s essentially the same problem as with zero-day attacks: they will never show up on any virus definition list.” (For more on zero-day attacks, see previous article.) Hils adds that as hackers become more sophisticated, targeted attacks are “trickling down” to smaller and smaller companies.

To make matters worse, Morris says, organized crime is beginning to take advantage of security vulnerabilities, coordinating and managing cyber-attacks—and tracking which campaigns are most effective. This has led to an increased focus on hacking small businesses, because the success rate there has been higher. For instance, he says, some attack campaigns target small businesses specifically by masquerading as e-mails from the Better Business Bureau, notifying the company of a complaint against it with a link to click for more details. “You click it, and it’s malware.”

What’s the best defense against these kinds of attacks? There’s an old joke about two campers being chased by a bear: one camper notes he need only outrun the other camper to reach safety. In the same way, you may not need the tightest security possible to protect against targeted attacks — as long as your security is as strong as, or stronger than, that of other small companies. Having anti-virus, anti-spyware, anti-spam, and a firewall all up to date can go a long way toward providing the necessary protection. “Hackers look for the weakest defenses, so if you have credit card numbers, you’d better have better security than the next guy,” Morris says. The same goes if your servers contain personal information on customers, valuable patents, insider financial information, or anything else valuable enough to be worth stealing.

Targeting a single computer

Some attacks aim very small. “Things like botnets target individuals, rather than companies,” Hils says. In a botnet attack, one or more of your users’ computers becomes a “zombie,” sending out virus-carrying spam or otherwise doing the hacker’s bidding, usually without the user being aware of it. That’s what happened to furniture maker Summer Hill, Ltd. “This is a small company, with 35 employees,” Morris says. “They started catching tons of spam, and a large number of attacks. It was all coming from one machine inside the network.” It turned out a botnet program had overcome the security on that one computer, and taken it over.

The best way of coping with botnet attacks, Morris says, is careful monitoring of network activity, since an unexpected increase in little-used applications may be the first indication that something is awry. In this case, the user’s computer was using Internet Relay Chat (IRC) to a surprising degree. “I doubted that the person using the computer even knew what that was,” Morris says. Sure enough, the zombie computer was using IRC to send out spam — and scan the entire Internet in search of other vulnerable machines.
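Several of the articles on this page come down to the same habit: reading your own traffic logs for patterns that do not belong. Covino’s periodic log review, the “block port 25 everywhere but the mail server” rule and bot hunt in the blacklist article, the 25,000-pings-a-second flood Nickason traced to one workstation, and the machine Morris caught talking IRC are all visible in a per-flow log. The following is an added example (not from the original articles, and not Untangle’s code) that runs those three checks over constructed flow-log lines; the log format, the addresses, the mail-server list and the thresholds are assumptions made for the demo.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed flow-log lines (not from the page): one summary line per flow,
# with timestamps at one-second granularity and a packet count per flow.
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=25 pkts=12
2024-03-01T09:00:01 src=10.0.0.12 dst=203.0.113.20 proto=tcp dport=25 pkts=8
2024-03-01T09:00:02 src=10.0.0.12 dst=198.51.100.3 proto=tcp dport=25 pkts=9
2024-03-01T09:00:02 src=10.0.0.12 dst=192.0.2.77 proto=tcp dport=25 pkts=7
2024-03-01T09:00:03 src=10.0.0.31 dst=198.51.100.7 proto=tcp dport=6667 pkts=40
2024-03-01T09:00:04 src=10.0.0.31 dst=198.51.100.7 proto=tcp dport=6667 pkts=35
2024-03-01T09:00:05 src=10.0.0.31 dst=198.51.100.7 proto=tcp dport=6667 pkts=51
2024-03-01T09:00:05 src=10.0.0.18 dst=203.0.113.50 proto=tcp dport=443 pkts=30
2024-03-01T09:00:06 src=10.0.0.44 dst=10.0.1.9 proto=icmp dport=0 pkts=30000
2024-03-01T09:00:07 src=10.0.0.44 dst=10.0.1.9 proto=icmp dport=0 pkts=28000
2024-03-01T09:00:07 src=10.0.0.18 dst=10.0.1.9 proto=icmp dport=0 pkts=4
this line is deliberately malformed and must be skipped
"""


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    pkts: int


LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) pkts=(?P<pkts>\d+)$"
)


def parse_log(text: str) -> List[Flow]:
    """Parse the constructed format, skipping lines that do not match."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        flows.append(Flow(m["ts"], m["src"], m["dst"], m["proto"],
                          int(m["dport"]), int(m["pkts"])))
    return flows


def rogue_smtp_senders(flows: List[Flow], mail_servers: Set[str]) -> Dict[str, int]:
    """Hosts other than the mail server(s) opening outbound port-25 flows.
    With the egress block in place these are dropped; without it, they are
    exactly how a bot gets the company's address onto a blacklist."""
    return dict(Counter(f.src for f in flows
                        if f.proto == "tcp" and f.dport == 25
                        and f.src not in mail_servers))


def unusual_irc_users(flows: List[Flow], min_flows: int = 3) -> Dict[str, int]:
    """Hosts with repeated IRC connections (6667 plain, 6697 TLS): the
    'little-used application suddenly busy' signal Morris describes."""
    counts = Counter(f.src for f in flows
                     if f.proto == "tcp" and f.dport in (6667, 6697))
    return {host: n for host, n in counts.items() if n >= min_flows}


def ping_flood_sources(flows: List[Flow], pkts_per_second: int = 10000) -> Dict[str, int]:
    """Sources whose ICMP packet count in any one second exceeds the threshold;
    the value returned is that source's worst second."""
    per_second: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.proto == "icmp":
            per_second[(f.src, f.ts)] += f.pkts
    peaks: Dict[str, int] = {}
    for (src, _ts), n in per_second.items():
        if n >= pkts_per_second:
            peaks[src] = max(peaks.get(src, 0), n)
    return peaks


def review(text: str, mail_servers: Set[str]) -> Dict[str, Dict[str, int]]:
    """Run all three checks over one log and return the flagged hosts."""
    flows = parse_log(text)
    return {
        "rogue_smtp": rogue_smtp_senders(flows, mail_servers),
        "irc": unusual_irc_users(flows),
        "ping_flood": ping_flood_sources(flows),
    }


if __name__ == "__main__":
    # 10.0.0.5 is the only host allowed to speak SMTP to the Internet (assumed).
    for check, hosts in review(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(f"{check:12} {hosts or 'nothing flagged'}")
```

Each flagged host is a starting point for the scan-and-clean Nickason and Morris describe, not a verdict; thresholds should be set from what your own network normally looks like.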