Blog

May 16th, 2011

For the past few weeks Veracity’s Help Desk team has noticed a dramatic increase in the amount of malware infecting computers. In most of these cases the infection started with an innocent search for pictures from Google Images. Even at Veracity we search Google Images often looking for pictures of products/diagrams that we work with on a daily basis. Through some very sneaky coding, attackers found a way to make simply clicking on a link to an image from Google Images initiate a malware install.

After clicking on the link to an image, a popup will appear claiming that you are infected. Do not try to click on the “X” at the top of the window that pops up. In some cases clicking on that “X” will initiate the installation of the malware. Instead, shut down and reboot your computer. This will ensure that the malware does not have an opportunity to install on your computer.

You can be easily fooled into thinking the pop-up is a legitimate message from Microsoft and/or your antivirus software. It is actually quite amazing how closely these pop-ups resemble the real thing. Please, if you have any questions, call us before clicking on anything. Being cautious will save a lot of time if you do become infected.

It is worth mentioning that this version of malware is very bad. It more often than not requires a system rebuild; following the above instructions will prevent a lot of downtime.

As always, if you believe you are infected or if you have questions, contact us.

December 20th, 2010

I personally take my online privacy & security very seriously.  Yet, I am astonished how online security appears to be getting worse as technology “improves”.

Laura Bahr at our office shared with me an article below from August 2010.  I know time is very important, but I strongly recommend you take the time to at least read the article below (you can skip the actual report by Verizon & the Secret Service).

I try not to sound like a social-network hater, but I really do fear the amount of personal data these sites collect. I know these sites have safeguards to protect who views your page/profile/wall/etc., but the report below suggests that this is not enough. These safeguards will protect you from the “innocent” criminals (or friends that you no longer like!), but they may not protect you from technically savvy criminals. I am not saying that you should stop participating in social networks; but I am saying that you should be very careful what you disclose on these websites.

I would recommend that when given the option to save your credit card information with an online retailer – to not do it. I know it is convenient to have your credit card number saved when completing your shopping cart. But why take the chance of that online retailer’s website being hacked and having your credit card information stolen? The report below suggests that in some cases you may not even be notified if your credit card number was stolen.

Always try and keep in mind that whatever you post online may end up on CNN or in the hands of a criminal.  For any advice and/or tips feel free to contact someone at Veracity and we will be more than happy to assist.

New analysis of stolen data brings surprises

By Woody Leonhard

Every year, the highly respected Verizon Business RISK data crime-investigation team publishes an analysis of major online data thefts it’s been asked to study.

This year, a first-ever joint report by VBR and the U.S. Secret Service presents a fascinating view into the state of the data-stealing art, with many surprising facts that should interest all consumers.

Throughout 2009, according to the 2010 Data Breach Investigation Report (PDF), Verizon investigated 57 “confirmed breaches” that included data theft. The Secret Service investigated 84 similar cases. That’s 141 verified cases covering a total of 143 million data records owned by organizations around the world. Verizon’s efforts led to arrests in 15% of its cases; the Secret Service’s rate was a more-impressive 66%.

As you might imagine, many of the victimized companies don’t want their identities to be known. The report states, “… about two-thirds of the breaches covered herein have either not yet been disclosed or never will be.” Nevertheless, this aggregate report is still important: it gives an excellent overview of security problems that could affect you, the consumer.

Who’s stealing sensitive data? Surprise!

I always assumed that most people involved in stealing sensitive data from organizations – bank records, credit-card numbers, personal information – were rogues acting alone, selling their booty via clandestine channels to the highest bidder.

Wrong!

An astonishing 85% of all stolen data records can, according to this report, be traced to organized crime. “Banding together allows criminal groups to pool resources, specialize skills, and distribute the work effort.” Lone wolves aren’t stealing our data. Rather, it’s groups of people, acting in concert with one simple motive: profit.

The report quashed many of my other preconceived notions. For example, insiders (employees, executives, programmers) were actively involved in 48% of the cases – which doesn’t surprise me – but they were implicated in only 3% of the total number of records stolen. Insiders participate in smaller jobs.

I was also surprised to find that the percentage of pilfering attributable to business partners – a category that includes IT service providers, suppliers, and vendors – has fallen steadily. The report can’t pinpoint the reason for the decline in partners’ shenanigans, but does point to the possibility that increased awareness of third-party security threats may be a factor.

And, contrary to widespread publicity, no foreign governments were implicated in data thefts, according to this report.

How the bad guys get your personal information

While headlines herald stories about a bank employee losing a notebook with a gazillion account records or a civil servant dropping a disc with Social Security numbers, the report notes that 98% of the stolen data was snatched directly from company servers – mostly by use of malware and direct hacking.

Once again, the Verizon/Secret Service numbers surprised me. More than half of the malware infections came from direct installation (injection) by the attacker, and SQL databases led the list of subverted systems. SQL injections frequently rely on well-known quirks in SQL systems; craftily assembled SQL database queries, for example, can install programs that pluck data and send it to the requester.

Perhaps the best-known SQL-injection attack involved American Albert Gonzalez, who on March 25 was sentenced to 20 years in federal prison for stealing more than 90 million credit- and debit-card numbers. (See Wired’s March 25 Threat Level post.) As the Verizon report says, “SQL infection vulnerabilities are endemic, and to fix them you have to overhaul all your code.”

The second-most-popular method for subverting servers uses drive-by Web infections (where you get an infection without actually clicking anything on a malicious site), followed by infections that require user interaction (“click here to clean your system” come-ons, for example).

Added together, injections and Web infections using malware accounted for 79% of all stolen data – not e-mail, not infected documents, and not zero-day attacks.

Keyloggers – those surreptitiously installed programs that record what you type – made up 36% of all the data breaches but accounted for only 1% of the clandestinely collected data. That’s a big change from last year, when keyloggers collected more than 80% of the compromised data. The bad guys have found more efficient ways to take your information.

And what of the never-ending process of receiving and applying security patches to quickly shore up those security vulnerabilities? Not an issue, says the report. “It is very interesting to note that there were no confirmed cases in which malware exploited a system or software vulnerability in 2009 … there wasn’t a single confirmed intrusion that exploited a patchable vulnerability.”

What companies must do to protect our data

If this is all starting to sound hopeless, it isn’t. The authors of the report offer many suggestions that every company with sensitive data should consider. Most of it doesn’t stray too far from common sense: give access to sensitive information only to employees who need it, watch your access logs, encourage strong passwords, warn employees about installing rogue antivirus programs, and so on.

Even if you aren’t involved with an organization that handles sensitive data, you need to know that the kinds of attacks documented by Verizon are getting larger and more complex.

You can help by regularly checking all of your online information that you can access, reporting any data or activity you see that’s out of the ordinary. Immediately tell your bank, your credit card company, and your stock broker if you think something’s gone awry.

As the report says, “Third-party fraud detection is still the most common way breach victims come to know of their predicament” – in other words, companies learn of breaches when customers report them.

So if you think your data’s been stolen, holler yer head off!

December 7th, 2010

Our help desk has identified a recent change in strategy regarding malware infections on our clients’ computers. I would like to take a few minutes and inform you of this change to better protect your computer from potential infection. The current generation of “Malware”, “Scareware”, “Scamware” or “Rogueware” has shifted its aim from false virus infection warnings to false disk error warnings. Initially the false messages portrayed “System Defragmenter”, then “Scan Disk” and now “Check Disk”.

Some symptoms of this new false disk error malware infection are random applications shutting down, and error messages pertaining to the hard drive when opening applications like Microsoft Word.

This malware preys upon your fears of the loss of personal data by the threat of a hard drive failure.  If you do become infected with this malware it can be removed with tools like Malwarebytes or ComboFix.  Of course, you can always call our help desk and we will be more than happy to assist you in removing this malware infection.

May 18th, 2010

Almost everyone has first-hand experience dealing with malware or viruses on their computer.  I am sure that experience was not a positive one.  At Veracity Technologies we deal with this issue on a daily basis.  VT’s Help Desk is great at removing malware and viruses from computers.  Unfortunately this is a practice that they have come to perfect because of the frequency they have had to clean infected computers.

In the last 30 days VT has increased our capabilities to prevent our clients’ managed computers and servers from becoming the next victims in the war against malware and viruses.

First, we introduced a tool we call FILE BLOCKER.  Just before you open an application the FILE BLOCKER scans the program against a list of malware characteristics we have identified.  If there is a match, FILE BLOCKER prevents the application from even starting.  This is very helpful as antivirus applications do not always detect the latest threats.  As VT recognizes threats we can immediately “block” those threats from running.

Second, we introduced a new service we call Reliant+ Security. Reliant+ Security’s advantage is that it integrates fully with our managed services tool. In the past if antivirus applications detected an infection that could not be cleaned it would generate an alert within a separate management tool. In most cases the end-user had called us before we even knew of the infection. This was not something we wanted. With Reliant+ Security we have all of the monitoring being done within our managed services tool. All of our alerts are in a single console, making our response time more efficient.

Both of the new capabilities above require that your organization participate in at least one of our many Reliant+ service offerings.  If you are interested in hearing more please contact one of our Account Managers at 952-941-7333 or info@veracitytech.com.

April 14th, 2010

As I drove back to Minnesota from Georgia last week I had plenty of time to reflect on what I had learned in the past five months. I also thought a lot about what I should do for the next several months before I have to return to Georgia. While in Georgia I was learning about information technology (IT) solutions. Although I thought I knew these solutions well, I still found a lot of good information that I did not know. As I was thinking about what I learned, the answer came to me. I have been learning, but what have the others at Veracity been learning while I was away? Can Veracity continue to excel, especially in providing technology solutions, if we provide no guidance on continuing education to our employees?

As I thought about those two questions I also realized that this is not unique to just IT organizations; this also applies to almost every other organization.  Continuing education can be difficult to implement and enforce in small businesses, as everyone already has a lot of work to do.  Where are you going to find time to better yourself?

I am a firm believer in continuing education. In fact, I took the Strengths Finder 2.0 assessment a while back and my #1 strength is Learner…no surprise, right! But I realize not everyone at Veracity is like me; although, at times I wish this were true. Regardless, we at Veracity need to pursue continuing education as our industry is always evolving and if we do not continue to learn we will soon be left in the dust.

So, my focus for the next several months is going to be around continuing education here at Veracity. Not just focusing on technology; but also on communication, leadership, and any other topics that can help Veracity and our clientele. I encourage each of you to take a moment and think about what you are doing to develop yourself both personally and professionally. Of course, I asked my wife this question and she stated that she is already perfect; so be careful who you ask.

March 29th, 2010

I love to scour the web looking for good nuggets of information that I can learn from.  I know my co-workers really like this as I typically take what I learn and try to implement it on them.  A special emphasis on “try”!

The latest nugget of knowledge is an article about implementing technology within your business. When I first read the article I thought that was fairly common sense; but when I reflected on what I learned I realized that although this may sound straightforward I really may not apply these practices all of the time. Please take a few minutes to read this article below or at http://smallbiztechnology.com/sixrules/.

Six Rules for Leveraging Technology In Your Business

Over the past few weeks, I’ve been really chewing on the following six rules I created that I believe will really help you boost your business. There are a lot more technology rules and guidelines you need to keep in mind, but these six rules are ones really dear to my heart.

  • Spend money on your technology as an investment – not as a cost
  • Email is NOT CRM
  • Web 2.0 is no joke
  • Mobile technology empowers small businesses
  • Outsource
  • Don’t technologize a bad business process

Here’s the details:

Spend money on technology as an investment – not as a cost

You spend money on insurance – right? You have a lawyer (most likely) and an accountant (for sure) – right? However, when it comes to spending money on technology, many of you ONLY spend money if you have to. You don’t spend money on technology that you think you don’t need. This is a mistake.

If you are building a business that’s built to last you must think of your technology spending as an investment in how technology can help your business GROW. You must spend money on technology that will help you now and in the future. The right investments in technology will help you save money, save time, do more with less and overall grow your business.

Don’t think of where your business is now, but think of where your business will be in 5 years and invest in technology accordingly.

Email is NOT CRM

Many of you, like I do, use Microsoft Outlook or some other email program as the core foundation of their business. You use it to manage your email, tasks, notes and calendar and that’s good. But if you want to increase sales to your current customers and really know everything you can about each customer, based on each interaction they have with you – you must use a true CRM product or service.

When a customer buys from you, chats with your sales rep and maybe returns a product, for whatever reason, a TRUE CRM product can help you mine this data and help you use this raw data as POWERFUL information to know more about your customer.

Web 2.0 is no joke

You’ve heard all about FaceBook, MySpace, LinkedIn and a few dozen other social media tools that help you connect with others. Many web sites also enable you to comment, upload your own videos and share your own insight with others. This is what web 2.0 is about. It’s more than you giving content or a sales pitch to someone – a one way conversation. It’s about having a conversation with customers and letting customers have a conversation with each other – all about you and your product or service.

You need to do this with your own online communications. You must have a great web site, with awesome navigation and content. You must have an email newsletter to reach people right in their email inboxes. You really should have a blog to foster more conversation and boost your web sites rankings in search engines.

The next step is to ensure your web site enables visitors to communicate & connect with you and each other as well via “Web 2.0” technologies.

Mobile Technology

If you and your staff are sitting at desks all day long I guess you don’t need mobile technology.

However, if you and your staff are traveling around (as I suspect you do) then you need to implement mobile technology solutions. This means that you can access your office, wherever you are – email, faxes, files – you can access it all.

There’s no reason you should have to tell a customer you didn’t get their fax or voice mail as you were out of the office. Take your office with you by leveraging mobile technology.

Outsource your technology

There is NO need at all for you to manage and implement technology on your own. Sure, you are an expert in what you sell (be you a florist, computer vendor, lawyer, graphic artist or media consultant). But you are not an expert in network security, data backup or mobile technology.

The only way you are going to maximize your use of technology is to outsource your use and implementation of it in your business.

Technology is not all that you need to outsource. If you find that you are scanning business cards, answering phones and faxing proposals you need to hire someone else to do these tasks for you so you can concentrate on your business. If you are a one person business or a 50 person business – you need to manage your company and concentrate on its growth. Hire someone else, like a smart virtual or in-person assistant to help you.

Don’t technologize a bad business process

I’m sure you run a very good business and do your best to manage its various processes, however if there are parts of your business that are not going so well and you think technology is the answer, you’re wrong.

I was recently in Puerto Rico at the great Ritz Carlton Hotel. The entire experience in Puerto Rico and at the hotel was simply splendid; what most impressed me was the customer service. It so happens that customer service is a HUGE part of the hotel’s culture and ingrained into each employee.

However, they use technology to profile each guest and build a database of their likes and “don’t likes” and maximize their culture of customer service. What if the Ritz Carlton had employees that were rude, inconsiderate and nasty? Ritz Carlton would only be “technologizing a bad business process”.

They first hire great employees and then leverage technology.

March 23rd, 2010

 This weekend I stumbled across a great article on TechRepublic that I thought I should share with the rest of you.  This article really made me think about how I communicate not only to clients, but also to my co-workers.  This got me to thinking that I can do a much better job at communicating.  After all, everyone likes to be informed.

I sent this article to everyone on the VT team as I think we all can improve.  Especially those of us in the service industry!

I hope you find this article as interesting as I have.

Joe Lyons

  

Editor’s note: This article originally published on TechRepublic on August 28, 2000.

When is an IT consulting project like an oil change? This isn’t a riddle — it’s a brainstorm I had recently while watching the team at my local Instant Lube perform an oil change on my car. Let me describe the process.

As I drove up to the garage, the manager came out and guided me into the oil change bay. When I stepped out of my car, he walked up to me and smiled, and then began to explain to me how they were going to service my automobile. He described the different grades of service available, but never tried to sell me on one or the other — he just gave me the information I needed so I could make a decision about which service was appropriate for me. The team that would work on my car surrounded it and began to shout to each other: “Car in bay one,” “Opening hood in bay one,” “Testing coolant in bay one,” and “Tire pressure 40 in bay one.”

It wasn’t clear to me immediately why the guy emptying the old oil from my car needed to know that another guy was putting air in my tires. As all this activity went on, the manager, rather than trying to shuffle me into the waiting room, chatted with me about the work his team was doing on my car, explaining to me why they constantly communicated their progress to each other as they worked. “It helps each member of the team know how much time they have left, and helps them make sure that we do everything we’re supposed to do for each car. It helps them check each other, so no one forgets to put back the oil plug or the fluid cap.”

Inform clients at every opportunity

Why am I going into this length about my oil change? Because I’ve had my oil changed before at other places that didn’t go through this process. I’ve faced surly, uncommunicative mechanics who pulled out my air filter — which was in fine condition — and tried to talk me into changing it, and then looked at me like I was a bug when I declined. I’ve been to lube stations where I came out not knowing what they had done, or if they’d even actually changed my oil at all. The stark contrast between those other lube shops and this one was so striking that I’m sure I’ll be a customer for life, as long as they keep communicating with me the way they did.

How does this relate to consulting? I’m no mechanic, so I can’t judge the quality of the work that my mechanics do except by the results and by the quality of the attention I receive. Many of our consulting clients are in the same boat. They’re looking to us to deliver excellence in our technical specialty, but in order to differentiate ourselves from other service providers, we need to do more. We need to make their experience with us the best, most comfortable event possible.

This superior experience, in most instances, boils down to superior communications. Helping our clients understand the process they’re about to go through, just like the store manager did with me; communicating the status of the job as it progresses — both within the team and with the client — like the lube team did; acting as an advisor, not a salesman: All these things add up to an enhanced experience for the client.

Characteristics of a good communication plan

For all these reasons, I insist that in consulting teams I work with, every engagement includes a communication plan. A good communication plan can bring value to the engagement in a number of ways: It helps set customer expectations, acts as an assurance factor that bolsters the client’s confidence, builds consensus around the project and helps market its benefits, and gives the client and the various constituencies in the organization an opportunity to give feedback on the results of our efforts.

Let’s delve into these factors a bit and discuss the ways a communication program can make our lives as consultants easier and more fruitful.

Set customer expectations. One of the most important jobs any project manager or consultant must do is to manage the expectations of the client community. From the very first meeting, and all through the project, we need to be sure that we’re communicating clearly what we’ve committed to deliver, what we can (and can’t) achieve, and what our role is and what the clients’ or subcontractors’ roles are, and we need to be sure that we’re setting budgetary and schedule expectations. This is not a one-time event, but a constant activity. We need to help adjust client expectations as we deliver, so that as circumstances affect our schedule, budget, or deliverables, we’ve clearly communicated that to the client, thereby avoiding any misunderstandings.

Assurance factors. As I described in one of my previous columns on pricing scenarios, reassuring the client as we go is a critical consulting skill. In all engagements, but especially in time and materials projects, the client can be nervous or uneasy, wondering if we’re on track, running into any hidden snags, or running over budget or schedule. By building in formal assurance factors, like status reports and team reviews, we short-circuit any concerns that may be building up, and get a reputation as a “straight shooter.” For clients who have internal intranets, I’ll often set up a project Web site where interested team members can keep tabs on the project’s progress.

Build consensus. Effective users of technology have one characteristic in common: they seek consensus, rather than running IT projects out of the boardroom or the executive suite. Communications plans that include believable, meaningful descriptions of the features and benefits of the new technology go a long way toward building buy-in across the organization. For large-scale projects, town hall meetings or “lunch-and-learn” sessions can help create a feeling of inclusion and participation throughout the organization.

Market its benefits. Experienced consultants, just like good internal IT professionals, know that a major part of their job is selling the features and benefits of the technology they are implementing. I’ve been involved in projects that went as far as designing logos and “brand names” for the project in order to raise awareness and comfort inside the organization with the new effort. New technology is often disruptive; it’s our responsibility as business advisors to help our clients convince their troops that there is a reason for the disruption.

Client feedback. One-way communication, from the top down, doesn’t cut it anymore. Modern associates in the client enterprise are likely to resist any effort that doesn’t give them a chance to participate in the process. Project communication plans should include an avenue for feedback from the affected staff members. The project Web site mentioned above is one avenue, as are project e-mail and voice mail suggestion boxes, where constituents can voice their opinions and express their concerns.

The corollary with the oil change has one other significance: Communications are the lubricant that every IT project needs in order to run smoothly.

Have you created a sure-fire communication plan that keeps you and your clients happy? If so, what does it entail?
