Monday, June 6, 2011

A note to various print driver and PDF print driver developers

A short rant:

I and my clients are NOT going to withhold service packs and critical security patches for modern Windows clients (read: Windows 7 x64 SP1) just so your poorly written print drivers will install and run in a stable manner. Crashing the print spooler service leaving all installed printers unusable without a reset is not acceptable.

I'm looking at you Adobe PDF and Nova PDF . . .

Instead, we will look for compatible substitutes from your competitors. Once we change to those alternates, it's highly unlikely that we will EVER return to your products in the future.

Get it right, or lose our business!

'nough said.

Saturday, April 2, 2011

Protect your company - Colorado has almost zero protections against someone editing your state business records

Update January 26, 2012: Colorado now has the option to lock down business registrations.

Almost zero . . .

In the State of Colorado the principle/owner of a business can create a corporation online, file amendments, corrections to contact information and annual reports.

It's nice to have that ability online, and the fee's for filing over the Internet are substantially lower than filing by paper.

But, and this is a HUGE BUT: there is no way to password protect your ability to alter your records.

This was exposed half a year ago, one very good write up about the problem was posted on ComputerWorld: Colorado warns of major corporate ID theft scam (Link pops a new tab or window.)

Seems like a good time to revisit the problem given my feelings about a potential scam snail mail solicitation received today.

So what should a business owner or principle do to protect their corporate ID in Colorado?

Buried within the sage but overly general advice on protecting your business posted by the Colorado Secretary of State is the one thing you can do to be notified when your corporate record is altered: add your email to their notification list.

Here are the steps:

1) Get thee to http://www.sos.state.co.us/pubs/business/ProtectYourBusiness/protectyourbusiness.htm

2) Click the left upper link offering to "Subscribe to E-mail Notification Services"

3) Click the first link under the heading: "E-mails specific to a business organization record" entitled "Click here to subscribe to e-mail notification regarding a specific record"

4) This brings you to a search page, you can either enter your state ID, or search on your business name. After entering your search criteria, click the Search button.

5) Click the ID Number of YOUR business from the list after doing the search.

6) This brings you to a summary page of the business record. Find and click the link at the bottom that states: "Subscribe to E-mail Notification Regarding this Record"

7) Enter a valid email address and click the Subscribe button.

8) Within the hour (after I tried this it took about 50 minutes) you should receive an email from the Colorado Department of State (entity.subscribe@sos.state.co.us) confirming the subscription.

. . .

This is just WEAK. Complex steps to subscribe, no real security. No way to verify anyone's identity. Oh sure, it's a felony to misrepresent yourself on the states website, but since when has that stopped the criminals?

Corporate Controllers Unit - Scam Smelling Snail Mail

Scam? Spam? Both? I got some snail mail today from an organization calling themselves "Corporate Controllers Unit" or the initials "CCU" offering a very expensive service: for the low low fee of $225 per year they will file my company's annual report with the state where I do business.

This report costs me about 10 minutes of time and a $10 fee when I file directly with the state.

The envelope looks like an official mailing. So does the letter inside, filled with legalese threatening dire things unless you file on time. Thankfully the fine print at the very bottom lets you know it's "just" a solicitation.

Couple of other clues. The organization uses a PO Box. A search on the web does not find any contact info, but it does bring up about six pages of the same couple of articles touting their service via spam blogs. Someone hired a blackhat SEO agent to market their stuff.

My advice: save your money and your sanity. Companies should file directly with the state as they have in the past.

My suspicion: this might be an attempt to steal your companies ID.

Update: This smells more like a scam the more I don't see . . . let me explain:

I cannot find anything on this company at all, other than the aforementioned spam blogs re-posting the same few articles over and over. No contact info, no phone, no web site, just the PO Box. And I think my Google-Fu is pretty darn good, thank you. If it was out there, I would have found it by now.

Other than the comments below, I've gotten calls from two of my clients and one of my business partners asking my opinion - they also received one of these in the mail today.

Update 2: Remember I said 6 pages of search results? That was 4 hours ago. Something fishy is up, because the returned results as of this update (8:30 PM Saturday night) presents over 29 pages now, and except for this blog the results are all the same couple of articles over and over on different odd domain sites.

Update 3: Denver Channel 9 posted this article at 7:27 AM MDT Monday April 4.
State warns of potentially misleading letters (from Corporate Controllers Unit)

Update 4: Denver Post finally listed an article with more information, including a quote from the Attorney General that this is most likely a scam.
"Gessler warns businesses, non-profits of "deceptive mail solicitation" (from Corporate Controllers Unit)



.

Thursday, January 20, 2011

Multiple Java Updates Installed == Vulnerable!

Update: We're now up to version 7.5 . . . and Oracle has added a page in the Java site to assist with removing old versions.

Over the last year security researchers have been tracking a major rise in the use of Java exploits to plant malware on unsuspecting users.  Many of them have blamed security vulnerabilities in IE or (pick your browser) . . . and truth be told that's still going on too.  But the big surprise is that Java exploits are eclipsing "plain jane" browser exploits, across all browsers and in some cases across platforms.

Bottom line: many Java exploits go after vulnerabilities that have been patched. Since Java runs on a wide variety of platforms, this makes it a very serious vector. You should stay alert for and accept automatic Java updates. You should remove old Java versions as they allow older - vulnerable - Java scripts to run even when you are patched to the most current version.  You should also check the Java test page to make sure the latest version installed successfully.

Not to put too fine a point here:  Java Updates are notorious for leaving previous versions on your system instead of upgrading in place.  Those old Java versions are alive and vulnerable until they are removed.

Worse, many times the Java setup or update process offers end users some form of crapware:  additional toolbars, "free" virus scans, etc.  I personally recommend that during any install - of any plugin (and I include Adobe products etc here) that you watch for these unneeded add-ons and UNcheck them during installation. If you allow every update of every plugin you use to install these extra craplets, your system will quickly be bogged down to a slow, sad mess. 

Action Steps:

1) Check in Control Panel:  Add/Remove Programs (Windows XP) or Uninstall a Program (Windows 7) for older Java or J2SE or Java Runtime versions and remove ALL of them.  You'll gain back on average around 120MB of disk space per outdated version removed.  And you'll close some serious holes in your security.

Example of multiple old Java versions.
Get rid of them!

2) The current Java version as of this writing is "Java 6 Update 23"   That should be the ONLY version you have listed in "Remove Programs." You can install the latest version of Java:  www.java.com

What you want to see.
Only one Java, and it's the most recent version.

3) Test your installation: http://www.java.com/en/download/testjava.jsp

Oh hey there!
I passed, or did I?

Note that this test only reports the latest working version installed on your system.  It does not reveal whether your system has older versions still installed.  For that see Step 1 above . . .

A note on x86 versus 64-bit:  If you - like most people - use a 32-bit browser when running a true 64-bit operating system, then you only need to install the 32-bit version of Java.  In fact I recommend that if you see a 64-bit version of Java in your "Remove Programs" window, you zap it away.

Additional reading:

http://itmanagement.earthweb.com/secu/article.php/3921441/Cisco-Java-Attacks-on-the-Rise-As-Spam-Declines.htm


http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx