Monday, January 30, 2012

Business Online Banking Safety: A strong recommendation from the FBI

I present two topics on this subject for your reading pleasure.

1) Why small and medium business owners should be concerned about online banking, and what action steps the FBI, US Secret Service, the Internet Crime Complaint Center and the FS-ISAC recommend you take to reduce your risk exposure.

2) The specific steps for one method to lock down a secure workstation along with how you should use and respond to alerts once that machine is configured for safe use.

Unsafe Online Business Banking

Some time ago a recommendation by the FBI and the Banking Association was circulated to small and medium business owners. It never received much attention from press, but should have.

Banking fraud on business accounts has become rampant. Aside from insider crime, it's happening when the workstation you use to conduct banking via your browser is infected with malware that captures your account log-in credentials and transmits those credentials to an Internet server run by criminals. (It can also happen if you fall for email phishing attempts, but that's another story for another time.)

The really nasty part is if your computer -- the one that you used to access your bank -- was infected then the bank that serves your business accounts may not be willing (and depending on the judge, you might not succeed in compelling them) to cover your losses if criminals drain the account dry.

Go on now please, read this article. I'll wait . ..

Information Week: Who Bears Online Fraud Burden: Bank Or Business?

Back? Onward to the details then.

Here is the FBI press release:
Fraud Advisory for Businesses: Corporate Account Take Over
(Opens in new window, PDF format.)

Cyber criminals employ various technological and non-technological methods to manipulate or trick victims into divulging personal or account information. Such techniques may include performing an action such as opening an email attachment, accepting a fake friend request on a social networking site, or visiting a legitimate, yet compromised, website that installs malware on their computer(s).


Minimize the number of, and restrict the functions for, computer workstations and laptops that are used for online banking and payments. A workstation used for online banking should not be used for general web browsing, e-mailing, and social networking. Conduct online banking and payments activity from at least one dedicated computer that is not used for other online activity.

In short, they are telling us that the risk of malware on a business computer that is used for both online banking and normal web surfing has become too high to afford.

Their recommendation is that you set aside a special workstation that is ONLY used for online financial transactions, to known safe web banking addresses, and that it NEVER be used for email or web surfing anywhere but at your banks.

Do that, plus more:

I'm going to take that a step further and outline how you can further lock down any workstation to mitigate the risk of infection. This method works at home or work and - if your IT department does not already do it -- you should insist they consider the method.

Of note is that this works best with Windows 7, any flavor (Home, Pro, Ultimate).

1) On the designated workstation (or on all workstations if you want to increase safety for all users) create an Administrator account and grant it Administrator access in the Users Control Panel. I don't recommend you name the account Administrator. Call it some variation of AdminXYZ - make it unique to your company. This account MUST have a password, and if you feel safe in your office and trust your peers then it doesn't really have to be a super secure password, but of course . . . I do recommend you consider a strong password. If this is for a local domain, you should create a shared domain account and grant it local administrator permissions on all the member client workstations, but NOT on the server.

2) If you are setting up a new machine, install ALL your required software from that Administrator account. At a minimum, get decent Anti-Virus protection installed at this point.  You should also make sure the operating system is fully patched through current critical updates and service packs.  Finally, in Windows 7 at least, turn on Automatic Windows Updates and turn on the setting to "Allow All Users to install updates on this computer."

3) Log in as AdminXYZ and create your user accounts. Be certain to make the regular user account - the one you will use for work - a "Standard User." If your user accounts already exist, get into the Users Control Panel and DEMOTE all other users to "Standard User." Don't demote the AdminXYZ account . . . bad things may happen.

4) Open User Account Control Settings and make sure the slider is set to the highest level. I know you'll hate this, and you might have to back off a notch if you're running very old applications on Windows 7, but at least for your financial workstation this should be a requirement. For others, the second or third notch from the bottom may suffice.

5) That's it. When you use your workstation, always log into the machine with your normal user account. Only use the AdminXYZ account when you need to install something, or update an application.

Now if you do this on Windows 7 - there's a very cool feature that makes doing an occasional application update relatively easy. When you get the notice that your update requires permission, you'll be presented with the option of entering in an Admin account and password. No need to log off or switch users, Windows 7 will open a shell under that admin account to run the update. Other applications (like your browser) that are open will still be protected by your limited access account.

Usage and preventing social hacks to your system:

Once you have this setup correctly - use your system as recommended for its role. If this is the workstation from which you will access your banking/credit accounts then I strongly recommend you restrict its use as described by the fraud advisory notice I linked above. If this is your normal workstation, then practice safe surfing and smart email habits. Otherwise use as normal for your work.

Once a month or so you might see a request for admin access pop for Windows Update. You might also see such an alert for other updates to your specific applications.

If you know you are updating something, it's generally okay to grant that permission.

But here's where the protection kicks in. In almost every case if you inadvertently land on a malicious website, or open that ill-advised email hosting a virus, you'll see this alert asking for admin level permissions pop up in your face.



Terminate that sucker!

Be mindful of what you're doing when that alert pops. You KNOW you were not installing something. If you see that alert while browsing the web, you can be certain it's something uninvited trying to install itself. But you've got your system set to TELL you before it happens. Click NO. Close your browser or email, and don't go there again.

There are some viruses that can still cause minor damage on a protected account though, what about those?

If you suspect/know that your limited account has been compromised, and you did NOT allow the infection admin access (you did say no to that alert, didn't you?) then the virus is restricted to your profile. Here's what to do:

Restart the machine.

Log into the AdminXYZ account - NOT your user account.

Run a full anti-virus scan and let it clean things up.

Now try logging into your account, should be in good condition again.  If not, then you might have to backup all the documents under the infected profile, erase the profile, and restore the data.  So far at least - in those rare cases where something does infect a profile on a prepared workstation -- this method has prevented me from having to completely reformat and reinstall the infected operating system on that workstation.

Thursday, January 26, 2012

Colorado Secretary of State launches password protection for business filings and reports

In April last year I wrote about a serious deficiency in the system used by the Colorado Secretary of State for businesses that use their online service to register with the state and to file annual reports.

I have good news, and bad news.

The good news is that as of today you have the option of securing your business registration with the State of Colorado with your email address and a password.

In May 27, 2011 Bill HB-1095 was signed, allowing the Secretary of State’s office to implement a password protected business filing system.

On January 26, 2012, the Colorado Secretary of State announced that the "Secure Filing" system is up and running.

Here is the state's description of the password system:
Colorado: Secure Business Filing

And instructions for setting it up plus a short FAQ:
Colorado: Create a Secure Business Filing Account

Colorado: Secure Business Filing FAQ

All good and - while overdue - appreciated.

Now the bad news.

I'm sure arguments raged over the conference tables on this topic, but the fact is they've gone and rolled this out the wrong way.

First, it's optional. You can ignore this feature and bet that you're not enough of a target to be worried. That might be a very expensive mistake.

I never saw any notification of this new feature, beyond their website. Which I - like most of you - only check when it's time to file my annual report.

So here's the problem as I see it. Someone is going to go after their target by filing an amendment (same problem of Corporate ID Theft as before) to change your business address of record. Then they'll have the state send the PIN notification that starts the conversion of your "open" account to a secure account system -- to that address they just used to update your record. Now the crooks OWN your account with the state, and I would imagine it might be painful, time consuming and perhaps expensive to wrest control back to you should this happen.

What they should have done is make this mandatory, by mailing out snail mail with temporary accounts/passwords to current record holders.

Since they did not, it's up to you to act fast and get your registration with the state locked down before the ID thieves do it to for you.

Wednesday, January 25, 2012

Disable PCAnywhere from Symantec / Norton

If you have Symantec pcAnywhere installed on any of your workstations or clients, Symantec would like you to disable (or at least patch) it immediately to protect your system from attack.

They are supposed to contacting all known registered customers about the issue, but I know that many people might not have updated their contact info with Symantec in the last few years -- and may not get the notice.

What happened?

Short answer, the source code for part of this product was stolen by hackers and may be used to reverse engineer an active exploit into any systems running pcAnywhere.

From: Symantec tells customers to disable PCAnywhere
PCAnywhere 12.0, 12.1, and 12.5 customers are at increased risk, as well as customers with prior, unsupported versions of the product, according to Symantec.

More info:
Symantec: Anonymous stole source code, users should disable pcAnywhere

Symantec Web Site: Claims by Anonymous about Symantec Source Code

Our investigation continues to indicate that the theft is limited to only the code for the 2006 versions of Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.
Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product.

The Symantec Endpoint Protection 11 product – which was initially released in the fall of 2007 – was based upon a separate code branch that we do not believe was exposed. This code branch contains multiple new protection technologies including Heuristic Protection, Intrusion Prevention Security, Firewall, Application Control, Device Control, Tamper Protection, redesigned core engines, as well as our Symantec Endpoint Protection Manager (SEPM). Customers on Symantec Endpoint Protection 11.x are at no increased security risk as a result of the aforementioned code theft.


Our current analysis shows that all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers using prior versions of the product. pcAnywhere is also bundled with numerous Symantec products.

Disable pcAnywhere

Safest and Easiest Method: Uninstall the product, be sure to save your product keys for later re-installation once the program has been patched.

If you have to have it regardless: Be certain you are on version 12.5 and use LiveUpdate to get the most recent patches as of today.

Expert Level: Disable the service from starting automatically with your system and turn it off for now until patched.

Detailed and specific information is available for administrators on Symantec's blog.
Important Information on pcAnywhere


More patches for V12.x are forthcoming from Symantec. My personal advice is to not use pcAnywhere until those patches are delivered. I'll keep this post updated as they roll out.

Future customers considering pcAnywhere. There are competitive alternatives if you need this functionality now, or wait for version 13.