Saturday, December 22, 2007

Those data thingies, that you put on your key chain, what are they called?

There are many names, USB Memory stick, thumb drive, or any of a number of Branded names. USB memory sticks are great, they have made sharing data & transporting data simple and fast. However there are some practical security measures and got-cha's to look out for.

1. Having a data USB memory stick is not considered a backup unless it is at least the second copy of the data

2. While keeping the USB memory stick on your keys is a good way not to loose it, it would take minutes for a valet to copy the contents of the drive while parking the car.

3. Encrypting the data is a good way to keep your data safe.

4. Plugging your thumb drive into machines can get your data deleted, corrupted, stolen, or a virus, remember the floppy days.

For memory sticks use encryption for sensitive data, don't leave your memory stick(s) where it can be easily stolen. Watch what machines you put you memory stick into, get a memory stick with a read only switch. Get a memory stick with built in encryption such as the Iron Key. If you already have a memory stick get program such as TrueCrypt or PGP.

-- Tim Krabec

Wednesday, December 12, 2007


I got a call from a customer of mine a few weeks ago. "Hi Tim we're selling our building and will probably be moving sometime before the end of the year, less than 3 weeks from the call." Moves are relatively easy to coordinate and plan. A checklist, good communications, capable workers and some coordination are the key aspects of a successful move.
As soon as a move date is know, and move location are know contact, your ISP, Phone company, Electric company, locksmith, Security company, moving company and computer company, set up a meetings, and or assign tasks, and pass out contact information for those parties that are expected to work together. Get estimates for all activities, budget for overages and unexpected expenses and plan for contingencies.
It can be tempting to plan several large changes to occur while the move is happening, this is both a good thing and a bad thing, as employees & customers are expecting change. However, too much change can over complicate the move and cause unnecessary delays or problems. Good changes are new furniture which can be delivered before the move and set up in the new location. A new phone system, in another option, which can also be installed & tested in advance of the move, however if the new system is overly complicated staff training can cause extra stress. New computers or servers can cause problems during a move, especially if the old machines are not properly tracked. Changes to computer systems where logins and changes need to be made on every machine will quickly compound the time that is required during a move. For example a change that requires 15 minutes of time on each computer will quickly swell to hours when multiple computer need the same additional time. If there are 12 computers a 15 minute change will require an additional 3 hours of time.
Plan for problems, no matter how much planning you undergo plan for problems. Expect at least 1 computer & 1 printer will not be operation after the move. Expect some furniture to get lost or broken. Head these problems off at the pass, authorize people to make purchases (with limits) with out approvals to speed resolution. For instance the wheels get broken off a chair and a computer monitor gets broken, document the occurances, and resolve them, it does not good to cause keep easily resolved problems around. When possible pick on 1 person or workstation. When resolving issues it may be necessary to take cables or spare parts from 1 broken workstation or computer, or printer to get another one working. Two broken computers that can be cannibalized and combined into 1 working computer is advisable.
Don't sweat the small stuff. During the move look at the problems as the occur and decide weather your time should be spent addressing them now, or putting them off to a later time. Make a list of items that you need as the crop up ie, broken chair, new computer monitor, mop & bucket, extra what ever, then send 1 person (2 if necessary) to go pick up the items, when it makes sense, be sure to send them with a cell phone so extra items can be added to the list after they have left. During the later stages of the move address problems that arose, that are still issues, prioritize them, in terms of impact on the bottom line and or based on the amount of stress that will be caused.
Finally during the move, feed the people moving & helping out, provide drinks soda, coffee, tea, energy drinks and water, have some snacks around. After the move thank those involved, have a luncheon, and possibly award some time off.

-- Tim Krabec

Friday, December 7, 2007

Hard Drive Disposal

Timing is everything, a few days ago, a client called and wanted me to stop by and pick up a few old machines. So i stopped by and picked up 4 used laptops and 3 desktops, there are a few more coming in the near future. The work on these machines is relatively simple, copy off the documents, then wipe the drives and let me know if I can re-use the machines based on our technology plan, and then wipe the data from the other machines. Sounds simple right? If you answered no you are correct. Simply erasing the files or formatting the hard drive no longer assures that people cannot get the data that was written to the computer. To properly destroy data on a Hard drive you need to use the proper software and or cause physical damage to the drive. Simply drilling a hole in the drive is effective, provided you have the proper drill bits, smashing it with a hammer is also effective. However, disposal of the hard drive is still an issue, since there are still materials that should be disposed of in an environmentally friendly manner. Many companies offer destruction services. For the mean time I'm going to wipe the data on hard drives with some good software, like DBAN, then keep using the drives until the drive fails or outlives it's useful life. On very sensitive data I will remove the CPC (Controller board) and drill holes in the drive platters or cause other physical damage to the drive and then hold it until I locate a PC recycler that looks promising.

-- Tim Krabec

Tuesday, December 4, 2007


I was recently at a clients house, I was called in to address some issues with his current wireless network. After some investigation I found a few problems, 1 the router was not properly handling MAC address cloning, and 2 the router had WEP enabled. I replaced the router, and enables WPA2 Personal. When ever possible you should use WPA2 Personal or enterprise
Wired Equivalent Privacy, Wi-Fi Protected Access, Wi-Fi Protected Access 2, What the Heck do all these mean, and why should I care.

WEP (Wired Equivalent Privacy) was intended to make the security of a Wireless or Wi-Fi network as difficult to penetrate, but do to the implementation of encryption involved there are security vulnerabilities, making it as useful as the luggage lock that comes with the suitcases.

WPA/WPA2 (Wi-Fi Protected Access/Wi-Fi Protected Access 2) was implemented after WEP's security issues came to light. WPA/WPA2 addressed the security issues of WEP and has been required for all Devices to achieve "Wi-Fi' certification since 2004. WPA comes in 2 basic flavors Personal and Enterprise. Personal uses a pres-hared Key (PSK) for all the users on the wireless, allowing all users to see all data transfered. Enterprise Requires some back end services to allow authorization of users with out a pre-shared key per say.

Why should you care about encryption? You don't have anything on your computer that anyone would want to steal, no personal information like social security numbers or online banking. But in all likelihood you do have personal information on your computer that you'd rather not have publicized, like those party photos, or that photo of you in the, well let's not mention that one, or your complete browsing history, your entire Rolodex, birthdays, anniversaries, that chat conversation, or your poetry. What about that list of clients from the office, or the list of clients at the office, while not proprietary or confidential, how much do you think a competitor would pay for that information, or your accounting, HR documents, inside information on that "big deal" or simply the details on your profit margins, and bid process, the list goes on and on.
Needless to say, unless you're completely boring and have nothing, absolutely nothing on your
computer, you need to protect the data on it.

-- Tim Krabec

Friday, November 30, 2007

Room for Improvement

I dropped a laptop off a one of my clients office today. I went in to set up the Wireless card and get the email working properly. I popped the wireless card in and poof 2 unsecured networks popped up in the list. If that was not bad enough, both of these networks belonged to the company and both were named for that company. The good part of this is I now get to write up a nice proposal to try to get the company as a client. Business Wireless (unless they run open wireless to establish a VPN) should at the minimum be running WPA PSK, then the exposure is limited to employees and not anyone who happens to walk by.

--Tim Krabec

Wednesday, November 28, 2007

Unlimited, Limited, or No Internet

With the pervasiveness of Viruses, Spyware, Trojans, Root kits and the likes. The question has to be asked, is it better to have full Anti-Virus & Anti-Malware software running on a machine with unlimited or limited internet access or is it better to run with No Anti-Virus or Anti-Malware and run 2 separate networks 1 with internet access, and 1 with out, therefore limiting the exposure to problems and data loss before there is a chance for an infection and public relations nightmare.

Some options to consider are how would you send and receive email with the people outside the company, would it be possible to have remote access to the machines? Do business owners even care about internet access and the risk of Data loss? Would businesses pay for a segmented network? Is a network with "no Internet access' really safer?

-- Tim Krabec