Posts

Five Plans for Five Problems

Any business owner can tell you that their business is more than just their storefront. It’s the culmination of a dozen different factors. Everything from shipping from the factory to handing out business cards at conventions constitutes a business. Holding them all together is IT: everything from using tracking codes to locate your packages to recovering your contact info from the phone you dropped in a puddle. A well-thought-out IT plan makes for a smoothly run business. Here are a few things to think about when considering such a plan.

Helpdesk Support

There’s nothing more annoying than when things break unexpectedly. Most businesses can’t afford to have a dedicated IT department, and calling your tech-savvy nephew isn’t a good long-term plan. Choosing to outsource your helpdesk isn’t a decision to be taken lightly. As always, you should look for a company that has a long history of customer satisfaction. Check with the Better Business Bureau to see if the company you’re considering has any complaints.

Desktop Support

Some problems just can’t be solved over the phone or over the internet.  An in-person visit can help resolve problems in a timely and complete manner.  Time is money, so a good desktop support team will have a flexible schedule and most importantly be on time.

Server and Network Monitoring

Having someone monitor your server and network can increase efficiency. Knowing how much data your business is going through can help you get a better picture of how things are running. As the saying goes, waste not, want not.

Server and Network Security

Is someone leeching off your network? Is your data secure? Remotely or onsite, an IT professional can ensure that your network has minimum downtime. With so much money changing hands online, security is a must.

Disaster Recovery

It is said that it’s better to suffer your share of hardships than to live in fear of them. You know what’s even better? Having a plan when hardship befalls you. Working with a group of IT professionals, you can develop a backup plan, maybe even one to back up your data. From virtualization to redundant drives, there’s a plan to fit every business.

The fact of the matter is you can’t control or master everything.

Weak passwords and their drawbacks

The topic of password strength is an important one, especially since passwords are used everywhere these days. When creating a password, it is generally a good idea to make it at least 8 characters and use numbers throughout it. Using symbols will make it even stronger. Let’s go over some reasons why weak passwords are bad and talk about common methods that are used to crack them.

The first and most obvious reason that weak passwords are bad is that they are easy to crack. One of the most commonly used methods for cracking weak passwords is called a dictionary attack. This is when someone takes a huge list of words and tries each word as a guess at your password to see if it matches. There are many “custom” dictionaries floating around the internet specifically for this purpose. To the attacker, the benefit of a dictionary attack is that it’s incredibly fast and will usually reveal most weak passwords with no numbers or symbols. A major drawback of dictionary attacks is that they rely on the password being weak and using a word that’s in the list (usually an English word). Therefore, it is important not to use an English word that may be in a dictionary as your password. Many of the custom dictionaries have been modified so they will catch words like “passwd” and other words with numbers attached to the end. Sometimes, patterns of numbers like “123456” are included.

If you use the same password for most everything you use, you’ll want to pay attention to this point. If you’re using a weak password and someone attempts to crack it using a dictionary attack, there’s a relatively good chance that they will succeed. If that’s the case, attackers will try the credentials they just stole from you on other sites as well. It’s fairly common for people to use the same password for multiple services. Now, not only has someone gained your information for one site, but for many sites. By using a weak password in combination with reusing it at other places, you’re effectively compromising many of your accounts.

Let’s take an example of someone using a stronger password with numbers and symbols, but only 4 characters in length. There is another method of cracking passwords that’s called a brute-force attempt. This method will try to guess the password in question using every combination of letters, numbers, and symbols possible. The major drawback to brute-force attacks is that they can take an incredibly long time, and are sometimes impractical due to this reason. Brute-force attacks take considerably more time for each additional character a password has. So you can imagine that a password that’s 4 characters in length wouldn’t take nearly as long to crack as a password that’s 10 characters or more.

As you can see, it’s not just using numbers, symbols, and a mix of capital and lowercase letters that makes a password strong. The password’s length contributes an enormous amount to its strength. Also, keep in mind that sometimes brute-force attacks are combined with dictionary attacks to improve speed and efficiency. Sometimes this is effective, sometimes it’s not. It really all comes down to the password in question.
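The two points above (mangled dictionary words fall quickly, and length drives brute-force cost) can be turned into a password check run at signup. This is an added example, not code from the original post; the tiny wordlist, the character-swap table and the 60-bit threshold are assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed sample wordlist; a real check would load a much larger list.
WORDLIST = {"password", "passwd", "dragon", "monkey", "letmein", "sunshine"}
# Number patterns that custom dictionaries include outright.
NUMBER_PATTERNS = {"123456", "12345678", "111111", "000000"}
# Common character swaps, undone before the dictionary lookup (assumed table).
LEET = str.maketrans("@4301$5!7", "aaeolssit")

def dictionary_hit(password):
    """Return the base word if a mangled dictionary would catch this password."""
    lowered = password.lower()
    if lowered in NUMBER_PATTERNS:
        return lowered
    # Words with numbers or symbols attached to the end reduce to the bare word.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    for cand in (lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)):
        if cand in WORDLIST:
            return cand
    return None

def charset_size(password):
    """Size of the alphabet a brute-force search must cover for this password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return size or 1

def bruteforce_bits(password):
    """log2 of the number of candidates: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))

def audit(password, min_bits=60):  # min_bits is an assumed policy value
    hit = dictionary_hit(password)
    if hit:
        return f"reject: dictionary word '{hit}'"
    bits = bruteforce_bits(password)
    if bits < min_bits:
        return f"reject: only {bits:.0f} bits of brute-force work"
    return f"accept: {bits:.0f} bits"

if __name__ == "__main__":
    for pw in ("passwd", "Dragon2024!", "P@ssw0rd1", "a1$Z", "a1$Zq9#Lm2"):
        print(f"{pw:12} {audit(pw)}")
```

The 4-character password uses all four character classes and still fails, while the 10-character one over the same alphabet passes, which is the length effect described above.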

Think twice when using public or unsecured Wi-Fi

Public Wi-Fi has always been an insecure environment, but it’s gotten much worse lately. Not too long ago, there was a Firefox add-on released called Firesheep. It works by capturing or “sniffing” packets on the network you’re connected to. It will look for any connections to the sites it recognizes. If a user logs in to one of those sites, it will capture the cookie that the site sends to the user’s computer after their login has been authenticated. Note that once the user has been authenticated, many of these sites will no longer use an HTTPS connection, and will use the cookie that was sent after logging in to allow that specific user to access other parts of the site. Once Firesheep has that cookie, an icon will show up in the add-on’s window indicating what site and user it has hijacked. All the attacker needs to do after that is double-click on the icon that appeared and he will then be logged in as you on the corresponding site.

The creator said its purpose is to make sites like Flickr, Twitter, Facebook, and Google aware of their security flaws so they will fix them. The best thing sites like these can do to mitigate Firesheep is utilize SSL (HTTPS) everywhere, not just when you log in. It is uncertain whether these companies are going to implement that or not. One of the worst things about this add-on is that it makes session hijacking or “hacking” easy enough for anyone to do. Before Firesheep, the same kind of session hijacking attacks were possible and were frequently exploited, but they required a good amount of knowledge and an understanding of networking, sessions, and various protocols.
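A site owner can check their own login flow for the weakness described above, where the session cookie set over HTTPS is later sent over plain HTTP. This is an added example, not part of the original post; the host, cookie names and captured headers are constructed, and the `Secure` cookie attribute and `Strict-Transport-Security` header are the standard site-side controls, which the post does not name.

```python
from urllib.parse import urlsplit

# Constructed capture of a login flow: (request URL, response headers).
WEAK_FLOW = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=3f9a; Path=/; HttpOnly"),
        ("Location", "http://social.example/home"),
    ]),
    ("http://social.example/home", [("Set-Cookie", "prefs=dark; Path=/")]),
]
HARDENED_FLOW = [
    ("https://social.example/login", [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=3f9a; Path=/; Secure; HttpOnly"),
        ("Location", "https://social.example/home"),
    ]),
]
SESSION_NAMES = {"session", "sid", "auth"}  # assumption: cookies carrying login state

def cookie_attrs(header_value):
    """Split a Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name = first.split("=", 1)[0]
    return name, {part.split("=", 1)[0].lower() for part in rest if part}

def audit_flow(flow):
    """Return (url, finding) pairs for settings that expose the session cookie."""
    findings = []
    for url, headers in flow:
        https = urlsplit(url).scheme == "https"
        header_names = {key.lower() for key, _ in headers}
        if https and "strict-transport-security" not in header_names:
            findings.append((url, "no Strict-Transport-Security header"))
        for key, value in headers:
            key = key.lower()
            if key == "set-cookie":
                name, attrs = cookie_attrs(value)
                # Without Secure, the browser also sends the cookie over HTTP.
                if name in SESSION_NAMES and "secure" not in attrs:
                    findings.append((url, f"cookie '{name}' lacks Secure"))
            elif key == "location" and https and value.startswith("http://"):
                findings.append((url, "post-login redirect downgrades to HTTP"))
    return findings

if __name__ == "__main__":
    for url, finding in audit_flow(WEAK_FLOW):
        print(url, "->", finding)
    print("hardened findings:", audit_flow(HARDENED_FLOW))
```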

There are workarounds currently out there. There’s a Firefox add-on called HTTPS Everywhere and another called Force-TLS that will help, but I would personally recommend not using any social networking, banking, or other sensitive websites over public hotspots. If you really know what you’re doing, one of the better alternatives is to set up a proxy server and set your laptop to use that proxy server for internet access via an SSH tunnel.