Confidentiality of data – where you ensure that critical data is only accessed by people with proper approval and on a need to know basis.
Confidentiality is related to the broader concept of data privacy – the act of limiting access to Personally Identifiable Information (PII). In the US, a range of state and federal laws, with abbreviations like FERPA, FSMA, and HIPAA, set the legal terms of privacy.

Integrity of data – where you do everything possible to protect business and client information from unauthorized alteration. Integrity is all about the trustworthiness of information and the assurance that data have not been changed inappropriately, whether by accident or deliberately.  It also includes making sure that the data actually came from the person or entity you think it did, rather than an impostor. In many cases, it might actually come down to making sure that the information recorded reflects actual, reliable and correct record or circumstance. At the end of the day, it is the business owners job to make sure that  business’s information system includes mechanism to preserve without corruption, whatever was transmitted or entered into the system, right or wrong.

Availability – where you ensure that critical business information is readily available to authorized users and applications as needed. Businesses today are highly dependent on functioning information systems.  Many could not operate without them.
Availability, like other aspects of security, may be affected by purely technical issues (e.g., a malfunctioning part of a computer or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).
While the relative risks associated with these categories depend on the particular context, the general rule is that humans are the weakest link.  (That’s why each user’s ability and willingness to use a data system securely are critical.)

The provision of Confidentiality, Integrity and Availability is something most businesses take for granted, especially those that provide services dealing with sensitive data like finance, health and legal matters. Consider the following scenarios:

• janitors working at night freely browsing customer information that was left open on a computer without a screen-saver password.
• partially printed result of a retina scan that was thrown into a trashcan
• sensitive email that was sent without encryption
• a USB drive full of financial reports that has no password protection or encryption is carelessly left at the front desk?
• an employee loudly discussing sensitive business details on the phone at an airport

The biggest area where most small businesses fail is in the area of availability – making sure that resources are available to users and clients when needed. This is because over seventy percent of small businesses do not make any effort to back up their critical data. I have dealt with enough to know that it is only when a hard drive fails, or a memory module goes bad (the famous server crash) that they scramble around begging any computer support provider they can find to “do whatever it takes to get our stuff back”. Sadly, in most cases it is either too late or is going to cost an outrageous amount to recover the data through high-end data recovery software or service.

What can you do? We’ll talk about this in the next installment.

Tweet This Post

Recently, I started noticing a trend that did not initially ring an alarm bell. Whenever I go online to research a particular topic, say “disaster recovery” or “file encryption”, I would get an email from one of the content provider’s “Research Assistant” with links to articles and documents from vendors about data backup, disaster recovery and file encryption. Normally you would say, “great, just what I was looking for”. But I tend to look at it from the other side – how did they know what I was searching for? And more importantly, what else are they tracking other than my search habits? To push it even further, how long has it been going on?

Remember, these are subscription services I signed up for a long time ago. Sure, whenever you download a white-paper (never mind that the piece of crap is only a page long) and you have to fill out a long form asking for every little detail about you, you will get your fair share of spam email. But thanks to recent regulations, you also have the option of putting a stop to the nonsense by opting out. In some stubborn cases as was my recent experience with Preplogic, you simply add them to your block list (yes, I will name this company because of their unethical behavior after I tried to unsubscribe four times and was still getting their “promotions”. I had to block their list address from sending me emails!).

[As an aside, I do hope companies realize that it is not the amount of emails you bombard us with on a daily basis that spurs our purchase (listen up Amazon!); rather, it is our need for specific products at specific times. After all, I came to your website to buy something in the first place. If I need something else, I know how to get to your website. Clogging my Inbox with useless "promotions" just pisses me off and could surely guarantee that I will not buy from you next time].

I had a suspicion that my internet searches were being tracked by this content provider (through IP tracking). IP tracking can be used to track people’s online behavior in a way that eliminates their anonymity online,  and recent tests have shown that IP addresses can perfectly identify about 30% of U.S. households.  That means that from your IP address, it is possible for a site to know or approximate your exact physical or home address).

So I did a little experiment (as a regular day-to-day user) to test my theory. I installed a fresh copy of Mozilla Firefox and set it up to always start in private browsing mode and to clear the cache on exit. I then used Adobe’s Flash Settings Manager to lock down (I thought)  flash cookies. Over a period of three weeks, I went online and searched for three different unique subject areas.

The first was “Identity Theft”. To my surprise (and to be honest, a little alarm), about 15 minutes later, I got an e-mail from the content provider’s “Research Assistant” with the following:

RECOMMENDATIONS:
Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness

Next, I searched for “Risk Management” and like clockwork, the “Research Assistant” came back with:

RECOMMENDATIONS:
Managing Risk an Integrated Approach

Finally, I searched for “Security Compliance” and got an e-mail from the “Research Assistant” with the following:

RECOMMENDATIONS:
Video Whiteboard: Managing Risk and Compliance Proactively

Were these three case coincidental? Possibly, but I find it really interesting that their email robot would send me messages “To assist you with your IT research”  and recommending “following related content, which other readers have recently requested. I am tempted to believe that despite the steps I had taken to shield myself from invisible “eye-balls” following my every move online, these content providers have found a clever and invasive way of keeping tabs on us all the same. The good thing is they (or some at least), provide an option to “opt out”. Whether that is just a window dressing to cover their butts is the anyone’s guess.

My recommendation is that you should be aware that nothing you do online is anonymous. More and more content providers are sharing subscriber information these days and tracking is the way they fulfill these barter arrangements. The goal is targeted marketing, but the psychological effect on us is a little stressful. There is so much going on in our daily lives that many of us do not have the time to look at the stuff working in the background as we go about our daily “surfness”.

Be careful out there.

Tweet This Post

Business owners have a false sense of security when it comes to the issue of Business Continuity which is often thought of as just an IT (Information Technology) problem. “We have a good backup system so we are fine”. There is often the tendency to overlook flaws on business processes, application development, and logistics.

According to the Gartner Group, over fifty-percent of all businesses fail after experiencing a major disruption. In addition, lack of planning for these disruptions can cause a business to lose a majority of its customers and integrity.

Research has also shown that a business is more likely to recover if it has a plan and has taken into account all of the areas on which it depends to function normally especially since it is difficult to predict such failures.

As is well known, most computer hardware, if used consistently over a period of three to five years, stand a forty to sixty percent chance of having a catastrophic failure.  It is also a fact that most small businesses purchase non-brand computers, disregard repair policies (depending on the toss-and-replace mentality instead), and depend on these non-brand computers heavily. Most use inexpensive file servers (actually desktop computers converted to “servers”), or a cheap tape drive for backup. Backups are rarely tested to determine if a failed system can be rebuilt from scratch, and in many cases, the backups fail to restore critical data.

The question, “What if you had to leave your office within 30 seconds and could not come back for a month, if ever?” has been asked again and again.  The sad situation is that even with all the evidence supporting the urgency around this question, it remains answered with only a shrug. Business owners, who normally would not think twice about purchasing liability or health insurance, reply with a fatalistic, “I will deal with that if it happens.”

Business owners need to identify the risks that their businesses face, and make proactive plan to follow should the unexpected computer shutdown occur. By making computer problems “expected” and “planned for,” businesses will reduce the cost of data loss and recovery efforts.  The events of September 11th 2001, the ensuing Anthrax bio-terrorism scare, hurricanes Katrina and Rita, the incident with a small plane crashing into the IRS building in Austin, TX etc. gave “Business Continuity” new meaning. Although the probability of these events occurring again may be considered quite low, business owners should recognize the need for Business Continuity planning.

We understand that the typical small business has no IT department and in many cases may only have one person, or a contract with a service, that truly understands IT. For the most part, however, computers are treated like appliances in the sense that when something breaks, it is repaired or replaced.

Our goal as IT service providers should be to assist the small business owner in saving money and preserving wealth. We could do this by advising business owners on:

• Discovering what risks need to be avoided immediately.
• Closely examining processes, policies, and procedures to ensure requirements are met.
• Developing an awareness of what processes actually impact the business.
• Developing an appreciation of the business continuation plan as an integral part of the business plan.
• Helping you with a remote backup solution that backs up your critical data in real time, as it changes, to reduce the amount of time it takes to complete a data backup for as little as $20 a month.
• Simple operating system imaging techniques that reduces the time it takes to bring a system back online and operations following a system failure
• Working with vendors with whom you can pre-arrange replacement hardware should your fail.
• Simple techniques to follow to make sure you have continuous access to your data even when your computers are not available.

Tweet This Post

Well, Disney is in hot water right now for something similar but far more disturbing – Flash Cookies. Flash cookies are a new way of tracing your movement and storing a lot more information about you than with normal cookies and you can’t locate them in your browser. They are not shown in the list of cookies that you can see when you take a look at the cookies that are currently saved in your web browser. Even more disturbing is the fact that while normal web browser or HTTP cookies cannot save more than 4 Kilobyte of data, Flash cookies can save up to a whopping 100 Kilobyte.

That is a lot of storage space for snooped personal information through the use of LSOs, or locally shared objects with the ability to gather detailed user information over long periods of time without a trace. To make it worse, a recent paper by UC Berkeley researchers exposed the ability of Flash cookies to “re-spawn” themselves. This means that even if the user deleted the cookies, they automatically re-generated, like a virus.

This is not a new development as the dangers of Flash cookies were exposed way back in 2007.
The Disney case involves the use of Flash cookies to track highly personal information about their users, many of whom were minors by the company and its subsidiaries. Specifically, it is the “re-spawning” aspect of the suit that should concern “ordinary” users who do not have enough time or interest to dig into the inner workings of the more technical aspects of web browsing.

According to the suit filed in US District Court in Los Angeles against Walt Disney Internet Group, Clearspring Technologies, Warner Bros. Records, and several other companies that shared the cookies, the affiliates engaged in “covert online survellance” by failing to adequately warn users about the information-sharing arrangement. They are also alleged to have allowed “zombie cookies” to be restored even after a user had gone through the trouble of deleting them. In one stated instance, the “re-spawning” allowed Disney affiliates to track the habits of one individual who researched articles on depression.

The companies are alleged to have violated several laws, including the federal Computer Fraud and Abuse Act, the California Computer Crime Law, the California Invasion of Privacy Act and trespass and personal property statutes by:

• “…hack(ing) the computers of millions of consumers’ computers to plant rogue, cookie-like tracking code on users’ computers” which could not be easily detected, managed or deleted without notice or consent;
• “circumventing the users’ browser controls for managing web privacy and security”
• scheming to “obtain personal identifying information, monitor users, and to sell users’ data and to use the hacked profiles to track users’ across numerous websites;
• Spotting and tracking users when they accessed the internet from different computers, at home and at work.

There is a laundry list of information collected which, even though we know this stuff goes on, is a little troubling:

• viewing choices
• Gender, age, race, number of children
• Educational level, geographic location, household income
• What the user looked at, what the user bought, the materials the user read
• Details about financial situation, sexual preference, name, home address, email address, telephone number, health conditions etc.

So what can you do to protect yourself?

• Adobe Flash has a “Settings Manager” that can be used to control how Flash cookies work on your computer, but the tool is buried on the company’s website and is not readily available through the controls on your web browser. You can access the tool here. Go through the settings and make “deny” the default for everything. You can also set the allowable storage to 0. The setting can always be adjusted if necessary.

• In addition, get into the habit of using other web browsers than Internet Explorer that give you more granular control over what your web browser can do and you do not have to dig through hidden menus and locations to adjust them as is the case with Internet Explorer.
  Firefox, Opera and Chrome for example, have add-ons that can help you fight the invasion of privacy that is being driven by the need to gather more information about your browsing habits so companies can better target what to advertise to you.

• You can also try not using your real name for your computer account. Use a nickname instead. Encrypt personal data with tools like Truecrypt and Axcrypt. If you are using Internet Explorer 7 and above, Opera or Firefox, there is an option for private browsing where cookies are not saved. t is not perfect, but it can reduce the amount of trash content providers leave on your computer.

• Use spy-ware scanning tools like Spybot Search and Destroy, MalwareBytes etc. By occasionally scanning your computer for spy-ware, you may be able to detect some irregular files dropped on your computer by a content provider.

Sadly, many computer users take the issue of privacy and safe computing for granted, until something terrible happens.

Tweet This Post

I finally found a solution in the notes I took while researching this problem that worked, at least temporarily, to allow updates to the server. I am not sure who the original provider of this solution is, but if I come across it again, I will surely give them credit for it.

It appears that the major cause of the 0x80072efd error, at least on the SBS 2008, is a misconfiguration or meltdown of Windows Server Update Services (WSUS) and it can happen if your network goes out of alignment or something screws up like if your NT AUTHORITY\NETWORK SERVICE  entry in the registry says 0 instead of 1.

Since WSUS is a core part of SBS 2008 and is supposed to pull updates from Microsoft and distribute the updates to computers on your network, when you call for updates, the agent goes to http://server:8530 expecting to communicate with the Windows Update Server locally. A problem with WSUS will affect the ability of  the update agent to pull down updates since the WUAgent gets no response back from an assigned WSUS server. It then throws up error 80072efd.

A quick and dirty fix is to temporarily hide or remove the local server and allow the agent to pull down updates directly from the Microsoft website. To do this, I uninstalled WSUS and edited the Windows Update entry in the registry.
To edit the registry:

• Click Start > Run > type “regedit” without the quotes, and accept the UAC prompt to continue

• Navigate to HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

• Look at the keys in that folder, if they look something like this:
  “WUServer”=”http://SERVER:8530″
  “WUStatusServer”=”http://SERVER:8530″
  that means Windows Update is trying to look for updates on your own server. Chances are those updates don’t exist on the server (unless you have a successful installation of WSUS which was not our case).

• Delete the “WindowsUpdate” key from the registry at HKLM\Software\Policies\Microsoft\Windows.  I’d recommend you export this to a .reg file to be safe. Right-click on the folder and select “export” to save.

• Restart the Windows Update service. (located in Start > Run > type “services.msc” without quotes), or Start > Administrative Tools > Services > Windows Update Service (for those who like doing things the hard way).

If you don’t even see the HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate folder then this probably doesn’t apply to you.

This worked for me and I was able to update a server that had not been updated since November 2009!

After making sure that all updates were current, I went back and added WSUS as a role causing a fresh install of the update server. Your mileage may vary on this one. Make sure you have a reliable backup of your server before messing with the registry, and do this on a weekend just in case things go sour for you.

Good luck.

Tweet This Post