Category: Security

How Much Power Should the Internet Police Have – And Who Are the Internet Police?

 

Time to look at a sensitive, contentious question: who should police the internet, and how much policing should they, or anyone, be allowed to do? In this blog, we will be looking at the topic of domain name policing in particular.

We are constantly reminded of the anonymity and opportunity the internet affords its users. These freedoms are one of the founding principles of the internet: that it be an open canvas on which anything can be painted and anyone we want can view it. The internet was supposed to be a virtual land where the most typical, average person could stake a claim and make a small piece of it their own.

Like all newly-settled worlds, however, it cannot remain so forever. Various organizations have come about to monitor the internet and keep its users and their information safe. The Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit in contract with the U.S. government, exists to manage internet addresses and oversee the addition of new domain suffixes. The most popular suffixes currently in use are .com, .net, and .org.

A recent article on CNET.com once again brings to light the issue of domain name – and ultimately internet – governance. The United States government, among other governments both national and local, is looking to gain more power to allow or deny domain names. This battle has been raging in the background of the internet for as long as it has existed, and it is a topic filled with shades of gray. For the past seven years, the domain suffix .xxx has been contested by three camps: those who wish to use it, those who wish that it not be used at all, and those who wish not to be forced to use it.

Many adult content webmasters want the suffix .xxx to be as usable as .com or .org, to give them their own space on the internet and make them easier to find. Currently .xxx is not a functioning domain. The United States government and many conservative organizations do not want the .xxx domain to exist, seeing it as comparable to allowing an adult video store on the same block as the White House. On another end of the argument are those who see this new domain as a way to keep all of these adult content websites in one centralized location, so no one can accidentally stumble upon them or so they can be blocked more easily. Some adult content webmasters, some webmasters who have sex education information on their websites, and others whose sites carry some adult content without it being their main purpose do not want to be forced to join this new domain.

 Over 115 new domain name proposals are expected this year, and some raise controversies, such as the .gay domain. Whose responsibility – or right – is it to say whether or not the .gay or .freetibet domains can be used? If the former were used, it may upset millions of conservatives. If the latter were used, it may upset a government with rule over billions of people. Yet what about the people who want to use those names? What about their rights? They aren’t breaking any laws.

The debate over domain name allowance is explosive because it raises issues about freedom of speech and how much of a role governments should be able to play in the direction and access of the internet. Another example of governmental power over the internet was seen recently in Egypt, where the government shut down the internet in the entire country in an attempt to control its people. Is it right for a government to control something that belongs to no one, and yet belongs to everyone?

Product Spotlight – McAfee SaaS Web Protection

More and more businesses are looking for a good way to protect themselves against the litany of harmful viruses, spyware, and other malware that comes from the web. In my article Web & Spyware Defense I cover some of the technologies that are effective at defending your business from web-based threats. Here, I’d like to focus on one of the products we believe best balances effectiveness with cost.

McAfee SaaS Web Protection is a service provided by McAfee (formerly MX Logic) that effectively “scrubs” incoming and outgoing web traffic to ensure web threats don’t get in or out of your network. It also provides options for limiting access to certain sites and can generate some valuable reports on web activity (by user, device, site, etc.). Additionally, it includes a simple, straightforward user interface and has a price point under $3 per device per month.

How it works

The architecture of the solution is very simple: your company’s Internet/web traffic is routed through McAfee SaaS’ servers and scrubbed for harmful software.  Basically, it is a standard, cloud-based solution.

Effectiveness

We have deployed this solution for a number of our clients and it simply works. There is no substitute for seeing how a product or service works in an actual production environment, and this is one that lives up to the hype.

Note: Cloud solutions are often incredibly valuable solutions, but like any technology, they aren’t for every business.  At ITP we always recommend reviewing technology solutions within the context of your specific business goals, culture, processes and people.  Of course, if you need some help with that we’ve got some great people here at ITP that can help.

Random Thoughts – Avoid Spyware by Managing your Internet Traffic

So let’s start with a bold statement: If you’re not managing your Internet traffic you’re throwing money out the window.  A pretty strong statement, I know, but hear me out before you pass judgment…

For most small & medium-sized businesses the two areas of their technology that cost the most are:

  1. Managing and supporting desktops
  2. Internal IT staff members and/or IT consulting

Spyware, which is more malicious and prevalent than ever these days, affects both the functionality of your desktops and the efficiency of your IT staff or consultant.  Hence, it’s a hard hit on your bottom line.  In fact, I believe that if most businesses ran the numbers on what spyware really costs them, they would be mortified.  The good news is that there are technologies available that do a great job protecting you from spyware and other threats (see my article, Web & Spyware Defense  for more).  The bad news is that it takes more than just your antivirus software.

But keep in mind that the management of your Internet traffic can do much more than defend against incoming threats – it can also help you increase productivity and reduce HR risks. 

Remember when you were deciding whether spam protection was necessary for your business?  Well, managing your Internet traffic is the same discussion, only it’s a more costly one.

Automated Offsite Backup

There is no question that the secure, reliable retention of data is absolutely critical to good business operations – and, of course, that includes the ability to recover your data in the event of a disaster.  Consequently, more businesses are prioritizing their data backup procedures including regular verification of data integrity and disciplined off-site storage of backup media.  Yet, businesses are finding that even with rock solid procedures, there are still many areas of concern.  Here are a few  of the most prominent concerns:

Traditional Onsite Backup Issues

  • Media (tapes or drives) must be tested regularly to ensure data integrity
  • Reliability – most onsite backup systems (software & hardware) fail to back up all of your data. Often a few corrupt files or an open database connection can derail the backup process
  • Lifespan – a quality backup system will last between 2 and 4 years depending on the quality
  • Maintenance – In order to have confidence in the backup system it needs to be maintained regularly.
  • Security – For any given onsite backup solution, there needs to be an off-site option.  Often, this amounts to an employee taking the backup media home with them.  Obviously, this presents significant data security concerns – especially if the employee needs to be terminated at some point.

 

Make no mistake, onsite backup is a good thing – it’s just that there are some undeniable drawbacks.  Consequently, more businesses are turning to automated offsite backup as a solution (i.e. backing up to the cloud).   The one notable drawback is that you have an ongoing monthly cost, yet the advantages often outweigh the concerns about ongoing cost – especially considering the fact that costs have fallen significantly over the past 12 to 18 months.  And the operational benefits are undeniable:

Benefits of Offsite Backup

  • Security – Encrypted data transfer means that automated offsite backup is often far more secure than traditional onsite backup
  • Automation – No switching tapes, drives, or transporting backup media to other locations
  • Reliability – Today’s online backup systems are highly reliable.
  • Retention – retaining data for more than two weeks is easy to accomplish, and for even longer retention periods, offsite backup is significantly less expensive than onsite data storage

Like all technologies, backing data up to the cloud isn’t for everyone.  And even if you do decide to invest in cloud-based backup, it doesn’t mean you need to abandon your onsite backup.  In fact, having some onsite backup never hurts because when it comes to your data, you have to be 100% certain that you can recover what you need when you need to recover it.

Web & Spyware Defense

There are few IT issues that are more pervasive or costly for businesses these days than spyware. Spyware not only affects the system it infects, but also tries to distribute itself to other systems. Additionally, it can be incredibly difficult to “clean” the infected system, often requiring the system to be rebuilt. Worse yet, standard methods of protection often fall short because users can easily circumvent them and, by accident, click on a link or advertisement that invites spyware into their system. As with spam defense solutions, onsite devices have become more popular, and to some extent those devices are effective. But the significant upfront costs and the maintenance required to support the devices both count against these solutions. Consequently, cloud-based solutions have been growing in popularity.

In essence cloud-based web defense solutions provide:

  • Protection against harmful links, sites, and spyware
  • Granular control of the websites staff members can access
  • Integrated reporting showing web activity for staff members
  • Low-cost, zero maintenance solution

As always, this solution should be reviewed in the context of your specific business needs and goals, but cloud-based protection against spyware has proven to be quite effective. And with the additional control you get for managing your outgoing web traffic, cloud-based spyware protection is quite a powerful solution.

Spam defense

It’s generally accepted that spam protection is a requirement for the productive use of e-mail these days. Traditionally, businesses have used software to filter out the volumes of spam, but more recently, the use of local hardware appliances has become popular. Yet, there are drawbacks to both these solutions that have opened the door for more seamless solutions like cloud-based e-mail defense. In short, traditional solutions, whether hardware or software-based, allow spam to get to your network, using up your valuable bandwidth along the way.

Additionally, most (but not all) of these traditional solutions don’t:

  • Provide e-mail continuity (retain e-mail when your e-mail server is unavailable)
  • Provide the ability to securely view e-mails without downloading them
  • Include the ability to send & respond to e-mail if your mail server is down.

In essence, these are some of the greatest advantages of cloud-based spam protection.  But there are other, less acute advantages, as well:

  • Almost no upfront costs
  • Zero internal costs for managing or administering the system
  • Little to no training required
  • Seamless deployment
  • Integrated reporting

Like any technology, it isn’t a perfect solution for every business and should be analyzed within the scope of your specific business needs, goals, and operations. However, the advantages are compelling enough that it’s worth taking a close look.

Options For Defending Against Spyware

Spyware is everywhere and it’s costing businesses and organizations a ton of money in lost productivity alone. Traditional methods of combating spyware (such as installing software on your systems) have proven mostly effective. The problem is that mostly effective isn’t really good enough. So what other options are there? I believe the two most viable options currently are:

  • Deploy a device onsite
  • Subscribe to a service

Onsite Protection

Devices like the Barracuda Networks Web Defense device and others work by filtering web traffic through a device that resides at your office, traditionally between your firewall and your LAN. It functions as a filter for both incoming and outgoing traffic and is quite robust from a configuration and reporting standpoint.

Benefits

  • Powerful
  • Robust functionality
  • Granular reporting

Drawbacks

  • Large upfront cost
  • Annual maintenance costs
  • Allows “malicious” traffic to utilize your bandwidth
  • Need to maintain hardware

Service-based Protection

Service-based protection such as McAfee’s Web Protection Service works in a similar fashion to the onsite protection model except that the “filtering” occurs offsite.  Basically, your web traffic is routed through your service-provider’s systems.  In this model you don’t need to purchase hardware or maintain it – you just redirect your web traffic through their systems.

Benefits

  • Easy to set up
  • Very low initial cost
  • Stops malicious traffic before it gets to your network
  • No hardware maintenance or upgrade costs
  • Highly effective

Drawbacks

  • Recurring monthly cost
  • Adequate reporting functionality

With these options, the days of combating spyware with just onsite software are probably coming to an end. Don’t get me wrong, onsite software is still necessary, but adding another layer of defense is probably a solid, cost-effective decision at this point.

Google in privacy trouble again for stealing wireless data from Google Street View

Google Street View is a handy tool to use when you need to know what that building you’re looking for should look like from your car. These Google cars traverse the U.S. and 30 countries taking pictures and sending back GPS data about locations around the world. Recently Google has admitted to the F.C.C. that they were in fact in violation of Federal privacy and wiretapping statutes when these cars were equipped with WiFi detectors.

Google originally set out only to mark the locations of Wifi devices. Recently though, for an as-yet-unexplained reason, Google cars actually captured Wifi data on unencrypted Wifi connections. In the process, Google captured emails, web data and other traffic from thousands of unsuspecting citizens.

Once notified, Google did delete the data and reported themselves to the authorities, and no further legal action has been taken, but privacy watchdogs are not happy with the lack of follow-up by the federal government.

For businesses this is a stark reminder of how easy it is to let data outside the network. Wifi is a handy tool but carries with it some risks when not properly configured and monitored. We recommend that all our clients with Wifi secure it with at least WPA+ security or higher, and that all passwords on public-facing routers meet complex password policies. Your firewall and routers simply cannot have the same basic passwords; they must be complex and include no dictionary words.

Most businesses today think that antivirus and a firewall are sufficient, given that they don’t have any “private” data or regulatory restrictions. Keep in mind that PCI compliance requires network security and applies to almost every company that takes credit cards.

Do you have reports confirming your network’s safety?

E-mail Scams to Watch Out For

I ran across this article written for Tech Republic (a great source of all things technology) by Debra Littlejohn Shinder and thought it would be helpful to many businesses. Being in IT, I’m all too familiar with the scams businesses see in their e-mail boxes every day, but I know some (many) people still get confused. So, here’s a little quick information on what to look out for when you’re reviewing your e-mail in the morning…

1. Fake Facebook “friend” messages – these are e-mail messages that look the same as when someone posts to your Facebook wall or sends you a private message.
2. Fake Messages from “The Administrator” – these are messages that come from “The Administrator” of any number of given organizations (Facebook, your bank, credit card, etc.). Here, there are two things that give away these “false” e-mails.

  • First beware of the “To” address – it will be incorrect and you most likely won’t recognize any of the domain name(s).
  • Secondly, if it’s not from your local IT administrator, you should immediately be wary.  Because honestly, when is the last time you had an “administrator” send you anything valid that wasn’t as simple as “server reboot tomorrow” or “turn your system off tonight”?

3. Messages that play on our fears – these are emails that feed off of current events or high-profile media events; a good example would be the H1N1 virus (swine flu). Don’t panic, just don’t click on it.
4. Cancellation of an account Emails – these may show up even if you don’t have an account with them! These messages are usually chock-full of spelling/grammar errors and are often sent from another country.
5. Fake “Holiday Cards” – these cards are usually very generic; rather than giving a specific person’s name, they say they are from “a friend”. Be careful, because when you open them, you could be putting your computer at risk without ever being aware of it! To be on the safe side, only open Holiday Cards from friends, or better yet just don’t open them at all.
6. Notice of the “Mysterious” package message – these are e-mails saying that you have a UPS, FedEx or perhaps DHL package that was undeliverable due to incorrect/incomplete address information, with an attached form that they need you to complete in order to get the package to you. Just as you may suspect, there really isn’t a package at all! They want you to open the attachment so they can infect your computer with a virus. Because some people may be aware of this kind of scam, they will instead try to infect your computer by sending you an email with a link to a Web page to open.
7. Government “Threat” Emails – these can be sent to you to notify you that either the FBI or Homeland Security has been notified of your alleged involvement in terrorist activities or money laundering. Just as you may suspect from a hoax like this… they have an offer for you to avoid prosecution, which could be a payment of a few hundreds made to the Economic Financial Crimes Commission Chairman. If it were an official threat, they would contact you in person, without asking for a payoff to buy your way out.
8. Fake “Census Survey” email – here again they will use the Federal Government to get you to respond to their emails. The Federal government does require you by law to fill out a census survey every 10 years, and yes, they may send you an online request for your participation in a census survey, but unlike email scams they don’t ask for your personal information.
9. Abuse of “Trust” in software and hardware manufacturers – these e-mails range from fake security warnings with a “quick fix” attachment that is really malware, made to look like it was sent from Microsoft or another familiar company, to fake special offers, to payment requests which require you to download and install a transaction inspector module if you want to decline to have payment charged to your credit card.
10. The “Fake” You-are-a-Winner E-mail – You just won a prize, how awesome is that? Well, the only problem is you didn’t enter into any contest to win the prize. These e-mails want you to fill out a form to claim your prize, complete with your social security number so “the value of your prize can be reported to the IRS.” Remember to check out the legitimacy of any email notification. If you need to send any sensitive information, remember to email it encrypted if you don’t have an alternative method in which to submit it.

Keep in mind, if you’re unsure just don’t open it.  It’s just that simple.  Instead, call your helpdesk, administrator, or IT manager and let them figure out whether it’s valid or not.  Trust me, they’d rather you call them than open it.

Spam Defense Basics

Spam Management

I ran across a client today that was just getting hammered by spam – like two hundred time-wasting messages every day.  Just listening to his frustration with it all got me thinking…why are people still suffering with spam problems?  Why don’t they just do something about it?  I think the answer is that they don’t know that something can be done about it.  Thankfully, today there are a number of effective options for combating spam.  First, however, it’s important to establish a few truths about spam:

  1. Spam is expensive!  It costs you time.  It costs you money.  It costs you business (ever accidentally delete that important e-mail in the midst of deleting all your spam?).
  2. For the foreseeable future, spam is here to stay.  It is just part of the growing behemoth that is the Internet; one of the bad aspects of cheap, easy communications.
  3. Spam is a problem that can be significantly minimized, if not completely solved, without a ton of expense.

The good news is you don’t have to just sit there and take it. Here’s a good, basic blueprint for fighting the spammers…