InfoBulletin
April 2010
Issue 115
Staying patched, Card payment security: PCI DSS, USB flash drive tricks, Windows support lifetimes, Eventbrite
coopsys.net
1. Staying patched securely
A review of three utilities that help keep all your programs up to date.
With so much software being downloaded and installed on our computers these days, it's hard to know what's safe and what's scary, especially now that the third-party applications we use every day are regularly reported as having security holes too. Windows Automatic Updates takes care of Windows itself, and of Microsoft Office and Windows Live as well once you have opted in to Microsoft Update (plain Windows Update patches only Windows). But what about all those third-party applications such as Adobe Reader, Flash Player, Skype, WinZip and ZoneAlarm? IB looks at three utilities that ease the patching process and help PCs stay up to date and secure. In order of sophistication, let's start with the simplest.
Ninite
Ninite lets you stack a bunch of applications in a kind of virtual shopping basket and then gift-wraps them for you. Except that all the applications are free, or trials.
On offer is a commonly used selection of around 70 applications: browsers (Firefox, Chrome, etc), messaging (Skype, Thunderbird, etc), media (iTunes, Spotify, etc), documents (Office 2007 trial, OpenOffice, Foxit Reader, etc) and various utilitarian extras like Java, Flash plug-ins and anti-virus. Tick what you want and hit Get Installer: Ninite bundles the lot into a single installer that downloads and installs everything in one go. Run the same installer again later and it fetches whatever newer versions exist, which is what makes it a (manual) patching tool as well as a first-day set-up tool. A Pro monthly paid version offers saved downloads and a silent mode for extra speed.
FileHippo checker
The well-known FileHippo site is used by many major software makers as a bang-up-to-date distribution point, so it makes sense for the site owners to offer their own checker.
The neat FHchecker download can optionally run at Windows start-up. It scans to see what's already installed on your PC, compares it with FileHippo's latest listing and presents a list of available updates in your browser.
Items like beta versions and the installation path can be displayed or suppressed with one click. You can even use the checker as a mini-audit of all your applications, though of course only the ones FHchecker recognises. With hundreds of applications in its inventory (including all their previous versions) it will pick up all but the most obscure programs; anything it does not recognise simply goes unreported, so an empty update list is not the same as a clean bill of health.
Although both individual and total file sizes are shown, you still have to download and install each update yourself, one at a time. Note too that FHchecker reports on version currency rather than on published vulnerabilities: an old version is flagged because it is old, not because a particular hole is known.
Secunia
Secunia's software inspectors come in two forms, help to keep all your applications and Windows patches up to date, and are definitely the most sophisticated of the bunch. The free Online Software Inspector (OSI) runs in any browser via a Java applet (so it needs a working Java plug-in, itself one of the components most often in need of patching) and checks about 100 of the most common applications (Adobe Reader, QuickTime, Yahoo! Messenger, etc) in under a minute. The resulting report presents links for downloading and installing out-of-date or insecure applications. The downloadable Personal Software Inspector (PSI, also free) sits in your system tray and monitors programs (primarily .exe, .dll and .ocx files) in the background, matching them against a list of thousands of applications submitted by vendors. Its initial scan takes about 10 minutes and repeats every week, popping up a Flash-generated chart to show how security is improving (if you are doing your patches). In the example shown, security levels suddenly dropped when an extra drive undergoing recovery, containing a pile of outdated apps, was plugged in.
Simple and Advanced interfaces make PSI suitable for novices and techies alike. Again, you still have to do the donkey work of downloading and installing updated programs individually, but the depth of detail in the Advanced interface reveals solutions, folder paths, forum discussions of the bug, and the ability to rescan just one program. This hands-on updating scenario is fine for a handful of PCs but becomes unmanageable for more than, say, half a dozen machines. Hence Secunia's business model: revenue comes from the network and enterprise versions (the Corporate Software Inspector, CSI, and Enterprise Vulnerability Manager, EVM), which save heaps of time where an organisation has to keep many computers secure. The inspectors are backed by a site full of advisories on the latest bugs and vulnerabilities, with daily or weekly alerts by email subscription if you're into that kind of paranoia. Like so many bug reports, some are the subject of (heated) debate, though Secunia says it verifies every report before publishing. Secunia claims a 10% higher patch rate among users of the free PSI than among users without it, so PSI looks worthy of serious consideration. A beta project is underway to integrate CSI with Microsoft WSUS for third-party patch management.
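The logic at the heart of all three tools, as an added example (not code from Ninite, FileHippo or Secunia): walk an inventory of installed programs, compare each one's version with the version the vendor says is current or fixed, and classify the result. It also shows the trap that catches home-grown checkers, comparing version strings as text so that 9.10 sorts below 9.3. The product names, version numbers and advisory entries are constructed for the example and are not real advisory data.

```python
"""Added example: the core of a 'software inspector' such as PSI or FHchecker.
Compares an installed-software inventory against a list of vendor advisories
and reports what needs patching. All product names, versions and advisory
entries below are constructed for the example; they are not real advisory data."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str         # lowest version the vendor says closes the known holes
    end_of_life: bool = False  # vendor no longer ships fixes for this product at all


def parse_version(text: str) -> tuple:
    """Turn '9.3.1a' into ((9, ''), (3, ''), (1, 'a')) so versions compare
    numerically. A plain string compare gets '9.10' < '9.3' wrong, a classic
    bug in home-grown update checkers."""
    parts = []
    for piece in text.strip().split("."):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)", piece)
        if m is None:
            raise ValueError(f"unparseable version component: {piece!r}")
        num, suffix = m.groups()
        parts.append((int(num) if num else 0, suffix.lower()))
    while len(parts) > 1 and parts[-1] == (0, ""):  # treat '9.3.0' as '9.3'
        parts.pop()
    return tuple(parts)


def is_outdated(installed: str, fixed: str) -> bool:
    return parse_version(installed) < parse_version(fixed)


def inspect(inventory: dict[str, str], advisories: list[Advisory]) -> dict[str, str]:
    """Classify every installed product as 'patched', 'insecure', 'end-of-life'
    or 'unknown' (no advisory data, so the checker cannot vouch for it either way)."""
    by_product = {a.product.lower(): a for a in advisories}
    report: dict[str, str] = {}
    for product, version in inventory.items():
        adv = by_product.get(product.lower())
        if adv is None:
            report[product] = "unknown"
        elif adv.end_of_life:
            report[product] = "end-of-life"
        elif is_outdated(version, adv.fixed_version):
            report[product] = "insecure"
        else:
            report[product] = "patched"
    return report


def summarise(report: dict[str, str]) -> dict[str, int]:
    """Counts per status: the figure PSI plots week on week."""
    counts = {"patched": 0, "insecure": 0, "end-of-life": 0, "unknown": 0}
    for status in report.values():
        counts[status] += 1
    return counts


# Constructed inventory, in the shape a walk of the installer registry would give.
SAMPLE_INVENTORY = {
    "Acme Reader": "9.3.0",
    "Acme Flash Player": "10.0.45.2",
    "Acme Messenger": "4.2.0.155",
    "Acme Zip": "11.0",
    "Obscure Tool": "1.0",
}

# Constructed vendor list; every fixed_version here is made up for the example.
SAMPLE_ADVISORIES = [
    Advisory("Acme Reader", "9.3.2"),
    Advisory("Acme Flash Player", "10.0.45.2"),
    Advisory("Acme Messenger", "4.1.0.179"),
    Advisory("Acme Zip", "12.0", end_of_life=True),
]

if __name__ == "__main__":
    rep = inspect(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for product, status in sorted(rep.items()):
        print(f"{status:12} {product} {SAMPLE_INVENTORY[product]}")
    print(summarise(rep))
```

The 'unknown' bucket is the one the checkers above never show you: a program absent from the vendor list is simply invisible to them, which is why an all-green report still deserves a glance at Add/Remove Programs.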
-IB-
2. Credit where it's due: payment card data and security
Handling financial payments across your network? Be very afraid - or very secure.
The news in recent years has been peppered with stories about the loss or theft of credit card records, but they seem far away and unlikely to affect us in the workplace. One thing is well known: such breaches cost hundreds of thousands of pounds to investigate and clear up. What is less well understood is that some of this cost can come back to any organisation connected with the records under investigation. For anyone who processes card payments, the ramifications of having cardholder data pass through the LAN are onerous. This is becoming a dilemma for third sector groups, as interest in online donations rises, spurred by how easy the transactions are for donors.
Even if the leak doesn't occur within your organisation's network, merely being in possession of the relevant cardholder details at the time can bring the wide sweep of a forensic investigation your way. And it is often the concomitant costs that add up: contacting the owners of exposed records, paying for credit monitoring as a safeguard, and defending legal action from victims. To avert such leaks the Payment Card Industry Data Security Standard (PCI DSS) was developed, though not fast enough to avert extreme cases of exposure such as Monster.com and TJ Maxx, which show how severe instances can run to millions of records.
BT SafePay
BT SafePay enables charities and other organisations to avoid the expense of using call centres to collect credit or debit card donations securely, while still guaranteeing that every call is answered. The automated interactive voice response (IVR) telephone system is now combined with the card payment processing system provided by Charity Technology Trust (CTT), which has announced a partnership with BT agilemedia. The deal lets charities significantly cut the cost of collecting telephone donations. Outsourcing card handling in this way also keeps cardholder data off your own network, which is the single biggest step towards a smaller PCI DSS scope.
PCI DSS is a global standard and, while not a legal requirement, might just as well be: compliance offers protection against the massive costs of breach investigations and their consequences, and the card brands and acquiring banks make it a condition for anyone who wants to process online payments direct from their web site. No compliance, no trade. Thus the acquiring bank that ultimately accepts your online payments might put you in touch with a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV). The ASV runs the quarterly external vulnerability scans the standard requires against your Internet-facing IP addresses; at roughly £75 per IP, the costs can mount up. Smaller merchants assess themselves via a Self-Assessment Questionnaire (SAQ), but may baulk when the form suddenly grows from a few pages to a disconcerting 200-odd questions (the full SAQ D), most of which presuppose that the person answering understands firewall rules, encryption, logging and access control well enough to vouch for them. Someone with that competence probably works for a QSA. Catch 22. Although the ultimate benefit of PCI DSS is effectively an insurance against the cost of forensic investigations into security breaches, the standard contains a few grey areas and some points that are less well understood.
Leave no paper trail
Organisations that decide not to handle cardholder payments through their own networks at all (perhaps a wise decision on reflection), but still take payments from visitors to their premises via a standalone dial-up PIN Entry Device (PED), have to undergo an assessment too, albeit the much shorter and cheaper SAQ B for imprint-only or standalone dial-out terminals, which at £10-20 is a snip; merchants whose card-not-present payments (e-commerce or mail/telephone order) are wholly outsourced to a payment provider answer the even shorter SAQ A. Even so, every merchant must have policies in place to ensure that paper receipts and written records carrying card numbers are securely shredded, that any records kept for a time are securely stored, and that security and training policies show which personnel are allowed access. The consequence of ignoring PCI DSS (being "non-compliant") while still handling cardholder data for the card brands, even through a merchant acquirer, is to risk losing the ability to take cards at all, as well as audits and fines, any of which can bankrupt a small organisation. Perhaps the best advice is to get a secure payment provider to do it all.
-IB- Paul Craig
3. Flash tricks for your USB flash drive
Va-va-voom for your pocket storage. Find out how much more it can do!
Trick 1 - Carry portable applications with you
Why do it? Keep your favourite apps in your pocket without lugging a laptop. For a complete office package plus web surfing, email access and phone calls, fill your flash drive with pre-configured software: the OpenOffice suite with all your documents; the Firefox browser with all your bookmarks; Thunderbird with all your emails; and Skype with all your contacts. It leaves little trace on the host computer when you finish your session, though Windows itself still records that the device was plugged in and may keep recently-used-file entries, so do not rely on 'no trace' where that matters.
How? The U3 phenomenon arrived first, bringing a bonanza of everyone's favourite mini applications to USB sticks, complete with pop-up menus. Find out more in U3: popping up on a stick near you. Also check out PortableApps.com, which comes with its own menu system for easy access to your portable applications. The list of free apps is endless, including audio players, games, anti-virus utilities and image viewers.
Trick 2 - Run your PC faster
Why do it? From Vista upwards, one of the cleverest no-cost tricks is to plug in a memory stick and speed up the Windows system on any PC, even when it's not your PC!
How? Using Windows ReadyBoost, storage space on your USB flash drive is pressed into service as an additional disk cache. Flash drives contain just memory chips and no moving parts, unlike your PC's disk drive, so small random reads come back faster and the whole system feels more responsive. Using ReadyBoost couldn't be simpler: right-click the drive, choose Properties, then the ReadyBoost tab. Windows first tests the stick's random-access speed and refuses drives that are too slow. Microsoft recommends a cache of between one and three times the PC's memory (RAM), with a minimum of 256 MB. The cache is encrypted on the stick, so pulling it out mid-session costs you nothing but the speed-up and leaks nothing to whoever finds the stick.
Trick 3 - Manage USB files and backups
Why do it? For Windows XP users who just want to trot around with their USB flash drive data, one of the most efficient ways to manage it all is Microsoft's USB Flash Drive Manager. This simple interface lets you copy files to and from the drive easily, back up and restore the whole flash drive (and manage that backup library), and change the drive label. You can even launch the Drive Manager automatically on plugging the USB drive in.
How? It's a free download. Get the genuine USB Flash Drive Manager software from Microsoft's own download site rather than from a third party.
Trick 4 - A zero-cost, battery-free MP3 player
Why do it? No MP3 player? You can create the simplest and cheapest one just by copying your MP3 files to the drive. That's it! You don't even have to worry about batteries.
How? Plug your USB flash drive into your computer and tell the Windows Media Player pop-up to build a library from the stored tunes. Windows Media Player offers a full set of playback features, playlists and favourites. Or choose from alternative media players such as MediaMonkey, Winamp, Songbird or Spider Player.
Trick 5 - Password-protect your USB drive
Why do it? Find 10 people with a USB flash drive and you can bet 9 of those drives contain sensitive information. It's almost a dead cert that none of the owners have protected that information against loss or theft. Time to lock up yours by creating an encrypted volume on the drive.
How? Secure your sensitive files with USB protection software. TrueCrypt, a classic multi-platform encryptor, creates a whole encrypted volume inside your USB drive; note that mounting it on a host PC needs either TrueCrypt installed there or administrator rights to run it in traveller mode, so it will not open on a locked-down public machine. There are numerous other free downloads too, such as Rohos Mini Drive and Folder Lock. Whatever you choose, the protection is only as good as the passphrase: a short dictionary word can be brute-forced offline at leisure by whoever picks the drive up.
Trick 6 - Run a web site from your USB flash drive
Why do it? Want to take a working web site along to demonstrate, without making it public? Or just want a local, portable web site to test ideas on? No more worries about coding goofs for all to see. You get a web server that runs on all versions of Windows, supports common browsers, and is completely free.
How? Server2Go works 'out of the box' and lets you run your own web server from a USB flash drive without any installation. It supports Apache, PHP and SQLite, with downloadable options for MySQL and Perl. www.server2go-web.de
Trick 7 - Padlock your PC
Why do it? A USB drive is key-sized, and is sometimes referred to as a data key, so why not use it as a real key? Walk up to the PC and insert the USB drive to unlock it. Take the drive with you when you walk away and the PC locks itself. No passwords or screen saver time-outs to deal with.
How? Download a small freeware utility called PREDATOR. It locks the mouse and keyboard, darkens the screen, and can start automatically with Windows. The software also includes full event logging and can send alert messages by email or SMS text. Bear in mind that a token on its own is single-factor security: whoever holds the stick holds the key, so it belongs on your key ring, not in the desk drawer next to the PC.
-IB- Learn more about flash drives.
4. Is my Windows no longer supported?
Old copies of Windows may be way past their 'sell-by date' and turning your PC into a liability.
So many computer buyers accept the Windows their machine came with and let it whirr away through the months and years 'doing its thing', until either the hardware or the software breaks catastrophically. Windows, like many other software products, isn't just for Christmas, but neither is it 'for life', at least not the owner's life. Unlike the fridges and dishwashers of the white-goods world, any software that becomes popular soon collects a following of parasitic attackers determined to exploit any holes (bugs, flaws) they can find in the code, these days usually to steal identities, passwords or financial details. Fortunately, Microsoft goes on fixing these flaws for at least five years after a product's general availability (after the product's release, that is, not after your purchase, so a PC bought late in a version's life has correspondingly less support left), and longer for business and developer software. This Mainstream Support phase includes security patches, downloaded freely and automatically at least once a month, as well as fixes for particular applications that have running problems (hotfixes). During this period you can even suggest design changes to the current version of Windows, though if you decided it was a good idea for Windows to look more like a Mac or Linux, or to have a resizable Start menu, you'd need to find several million other users who agreed with you. An Extended Support phase then continues free security updates, with non-security hotfixes available only under a paid agreement, for a further five years. Beyond roughly ten years, support consists of online information for self-helpers, largely in the form of the Microsoft Knowledge Base (KB). For most ordinary users the end of the line starts to loom with the end of the Mainstream Support phase: if nothing else, warranty claims, design-change requests and no-charge incident support are no longer covered under Extended Support.
So, for example, people still hanging on to machines running Windows 2000 Professional may be surprised to learn that Mainstream Support finished on 30th June 2005 and that the Extended Support deadline is 13th July 2010. That later date crucially means no more security updates: after it, any flaws found by hackers, security firms or skilled amateurs will remain unfixed for ever, leaving the machine open to attack with no recourse to Microsoft's free patching service, Windows Update. (Windows XP, for comparison, left Mainstream Support on 14th April 2009 and stays on Extended Support until 8th April 2014.)
Occasionally, security fixes and critical patches are rolled up into one giant update called a Service Pack. The launch of a service pack, say SP2, starts the clock on support for the previous one (SP1), which ends 12 or 24 months later depending on the product family (Windows, Office, Servers or Developer tools); after that, even a product still in Mainstream Support receives no updates unless the current service pack is installed. The gap gives large organisations a grace period in which to pilot their current machines and applications before rolling the new service pack out organisation-wide. If you are affected by any of the issues discussed here, contact us using the form below.
-IB- Acknowledgements: Arik Fletcher
5. Eventbrite - just the ticket!
Event management integration has arrived in an affordable form for non-profits.
It was an area waiting for an intelligent approach. By bringing together event booking, ticket sales and publicity, Eventbrite seized the problem by the throat and applied some savvy integration. The upshot is a system that lets an organisation handle all three from one place.
The good news for third sector organisations is that Eventbrite has just cut its rate for non-profits.
Give your event some spin
Assuming you have all your event information ready to hand, setting up an event is more or less a 1-2-3 process, and where you run a free event (zero-cost tickets) submission and publishing are likewise free.
The "Add Event Details" section even sports a nice inline web page designer to help show off your details to best effect. But far more sophistication has been built in than the basic 1-2-3 suggests.
Probably one of the biggest benefits of Eventbrite, however, is its publicity machine: it automatically makes your event easier for search engines to find, with links such as "events in London", runs a full affiliate programme, and employs Twitter, Facebook and good old email.
-IB-
6. Q&A: Private investigations - is this email genuine?
Question
Hi Mark,
Assuming you have the anti-spam and anti-phishing tools that come with your anti-virus product (and now with Windows 7 too), they should have weeded out all but the very latest scams and hoaxes. Where such emails do make it through to an inbox, people spend time staring at the message trying to judge its legitimacy, instead of going elsewhere to investigate the sender, who is often the perpetrator of the scam. Typically the sender's domain has been bought by a supposed third party under a similar name: for every barclays.com you can find someone cyber-squatting barclas.com in the hope of luring the unwary, or, in the case of brithisairways.co.uk, of fooling visitors into thinking they have arrived at British Airways' online ticket booking. Look at the domain, not the logo: the part of the address just before the .com or .co.uk tells you who really registered it, and a single transposed, missing or look-alike letter there is the whole trick. However, it's easy to investigate a company without going anywhere near its web site. Scrutiny and rating sites such as siteadvisor.com and mywot.com let you check the target site independently, and aboutus.org shows you a snapshot of a site so you can inspect it remotely.
Suspicious results from any of these sources should put you on your guard. And finally, don't forget companieshouse.gov.uk as a way of bypassing a questionable web site altogether, by looking up the company instead via its WebCHeck service.
-IB-
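A worked version of the 'look at the domain, not the logo' advice, as an added example that is not code from any of the sites mentioned above: pull the registrable domain out of a sender address or link, fold the usual look-alike characters, and flag anything that embeds a watched brand name or sits within a couple of typos of it. The brand watch-list, the known-good domains, the tiny stand-in for the public suffix list and the sample addresses are all constructed for the example.

```python
"""Added example: spotting look-alike sender and link domains before trusting
an email. The watch-list, known-good domains, suffix list and sample inputs
are constructed for the example; the suffix list is a deliberately tiny
stand-in for the real Public Suffix List."""
from __future__ import annotations

from urllib.parse import urlsplit

# Brands we care about (constructed) and the domains that really belong to
# them (constructed; in practice take these from the company's own stationery
# or Companies House, never from the suspect email itself).
WATCHED_BRANDS = {"barclays", "britishairways", "paypal"}
LEGITIMATE_DOMAINS = {"barclays.com", "barclays.co.uk", "britishairways.com", "paypal.com"}

# Assumption: enough suffixes for the samples; real code uses the Public Suffix List.
PUBLIC_SUFFIXES = ("org.uk", "co.uk", "ac.uk", "com", "net", "org", "uk")

# Characters attackers substitute because they look alike in common fonts.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname(url_or_host: str) -> str:
    """Accept 'http://x.example/path', 'x.example:8080' or a bare 'x.example'."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname in {url_or_host!r}")
    return host.lower().strip(".")


def registrable_domain(host: str) -> tuple[str, str]:
    """Return (registrable domain, its left-most label), e.g.
    ('brithisairways.co.uk', 'brithisairways') for www.brithisairways.co.uk."""
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return f"{label}.{suffix}", label
    labels = host.split(".")
    if len(labels) > 1:
        return ".".join(labels[-2:]), labels[-2]
    return host, host


def normalise(label: str) -> str:
    """Fold homoglyphs and drop hyphens so 'pay-pa1' compares as 'paypal'.
    Deliberately aggressive: 'rn' -> 'm' will also mangle honest words."""
    return label.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w").replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means a typo-squat such as barclas/barclays."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host: str) -> tuple[str, str]:
    """Return ('legitimate' | 'lookalike' | 'unknown', reason)."""
    host = hostname(url_or_host)
    domain, label = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate", f"{domain} is on the known-good list"
    folded = normalise(label)
    for brand in sorted(WATCHED_BRANDS):
        if folded == brand:
            return "lookalike", f"{domain} spells {brand} on a domain {brand} does not own"
        if brand in folded:
            return "lookalike", f"{domain} embeds the brand name {brand}"
        distance = levenshtein(folded, brand)
        if distance <= max(1, len(brand) // 5):  # allow roughly one typo per five letters
            return "lookalike", f"{domain} is {distance} edit(s) from {brand}"
    return "unknown", f"{domain} resembles no watched brand; verify it independently"


SAMPLE_SENDERS = [  # constructed for the example
    "barclays.com",
    "http://barclas.com",
    "http://brithisairways.co.uk/",
    "https://secure-barclays-login.net/verify",
    "paypa1.com",
    "example.org",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, why = classify(sender)
        print(f"{verdict:11} {sender:42} {why}")
```

Two design points: the check works on the registrable domain, not the full hostname, so a subdomain such as www.barclays.com.evil-host.net is judged by evil-host.net; and 'unknown' is a verdict in its own right, meaning the address matched nothing either way and still needs the independent look-up the answer above recommends.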
Clicks of the Trade - Run Internet Explorer and Firefox without add-ons
--- Quick tips for happier clicks! ---
Web browsers like Internet Explorer and Firefox let us install numerous add-ons, such as safe-surfing tools, search toolbars and social bookmarking. Aside from slugging browser performance, an add-on can occasionally crash the browser completely, and then you're stumped! But it's easy to disable add-ons altogether and get the browser going again in a 'safe mode' until you have time to track down the problem. Start from that clean state and re-enable add-ons one at a time until the crash returns and you have found the culprit; the same trick is the quickest way to check whether an unwanted toolbar or browser hijacker is behind odd behaviour.
Internet Explorer without add-ons
To disable all ActiveX controls, browser helper objects and toolbars in Internet Explorer (IE7 upwards), open Start > All Programs > Accessories > System Tools > Internet Explorer (No Add-ons), or type iexplore.exe -extoff into Start > Run.
You see an information bar telling you that IE is running without add-ons before you proceed.
Firefox without add-ons/extensions
To disable all add-ons, extensions and toolbars in Firefox, type firefox.exe -safe-mode into Start > Run.
You see a Firefox Safe Mode dialog before proceeding; choose Continue in Safe Mode.
You can also run Firefox in Safe Mode from the Mozilla Firefox (Safe Mode) shortcut in the Start Programs menu.
To revert to running with add-ons again, simply close the browser and restart it. If your browser appears stuck in Safe Mode, it may be that you are running it from a shortcut with the safe-mode switch built in (for example the one on the Firefox program menu), in which case just create a new shortcut. Or an instance of the browser may still be running in memory, in which case the simplest solution is to restart the PC. ** try it now **
-IB-
Opinions expressed within InfoBulletin do not necessarily represent the views of Co-Operative Systems.
E&OE
Read recent and past issues of InfoBulletins on the Web at www.coopsys.net/ibindex.htm or search our archives and subject index.
We hope you found InfoBulletin useful! If you would like to comment on any of the articles or request particular subjects to be covered, mail us here.