Raven Cloud Computing Blog

Password Protection Act of 2012 filed in House and Senate

Barry Bestpitch — Thu, 24 May 2012 14:40:01 +0000

On March 19, I wrote about employers asking for your Facebook and other social media login information.

On May 9, Senator Richard Blumenthal (D-CT), Representative Martin Heinrich (D-NM), and several others filed the Password Protection Act of 2012 (PPA) in the Senate and House. The bill is meant to prevent employers from demanding employees and job applicants into sharing information from their personal social networking accounts.

The Password Protection states:

The Password Protection Act would make it illegal for an employer to compel or coerce access to any online information stored anywhere on the Internet if that information is secured against general public access by the user.

This is accomplished by prohibiting employers from compelling or coercing access to, and subsequently retrieving information from, the online servers where private user information is stored. (These servers are referred to as “protected computers” in the legislation.). This broad approach mirrors the approach of the existing federal anti-hacking statutes and has several key benefits:

1. Builds on Existing Law. The Password Protection Act’s focus on where information is stored, rather than how it is accessed, reflects the approach of the Computer Fraud and Abuse Act, the federal government’s primary anti-hacking tool. This tool has been used for years by federal prosecutors and private individuals and companies to protect the integrity of internet systems against hackers, including protecting online email accounts and Facebook accounts against the stealing of passwords.

2. Technology-Neutral. By focusing on the servers where information is ultimately stored, the Password Protection Act avoids the tricky business of identifying and defining particular types of internet services (e.g., social networking websites, email accounts, networked gaming services, cloud computing services, online storage lockers, etc.).

3. Designed to Adapt to New Internet Innovations. The Internet is constantly changing and evolving, challenging our ability to create privacy protections that can grow alongside the Internet itself. Fortunately, every innovative website, social networking, storage, or communication technology is still ultimately supported by physical computer servers. By focusing on where a person’s private information is stored, instead of how it is accessed, the Password Protection Act ensures that personal, private online information will be protected the eyes of prying employers even as new online technologies emerge.

4. Protects Employer Systems, NOT Employer Actions. The Password Protection Act preserves the rights of employers to control access to their own hardware, as well as any internet software operated on behalf of the employer for work purposes (e.g., third-party sales data software or websites that facilitate collaborative work online). However, the Password Protection Act does not allow employers to access private employee data under any circumstances, even if the employer uses its own computers to access that data.

The Password Protection Act is broad in scope. It doesn’t just apply to Facebook or social networks, but rather to any situation when an employer coerces an employee into providing access to information held on any computer that isn’t owned or controlled by the employer. Even if the employee is looking at a social network on his work computer, the employer still can’t force that employee to disclose a password or grant access, because that would allow the employer to access another computer (that of the social network). This protection extends to email accounts, photo sharing sites, and any location where an employee stores data privately and it is limited to public access.

If you would like, we provide a Free Technical Assessment, this can be beneficial to new and startup companies that are not sure where to start. You can always find our cloud and hosted services in the right column of this page or by simply going to our website at Raven Cloud Computing

Fackbook stock under performs – where are Facebook’s friends now?

Barry Bestpitch — Mon, 21 May 2012 15:20:24 +0000

I guess Facebook does not have as many friends as it thought. With dismal stock prices from the start, Facebook’s initial stock offering started at $38.00 per share and closed its inaugural day of trading at a disappointing $38.23. Only up 23 cents for the day. Investors and technology industry watchers are closely tracking the Menlo Park, Calif.-based company’s shares. The world’s largest online social network was one of the most anticipated initial public stock offerings ever.

In Facebook’s first half of the second day, trading is like someone has flushed the toilet on Facebook’s stock. From the beginning the company’s stock has been swirling downward. Currently at 7:52 AM this morning the stock is down 11.9% to $33.68.

Many analysis have stated that Facebook over-valued it’s worth and overestimated demand for the company’s stock. It is estimated that Facebook will generate revenue of $5.78 billion in 2012. Yet – Facebook’s stock is set to $104 billion, more than 20 times Facebook’s worth.

We will be watching this closely and keep you informed with any updates.

What is BYOD?

Barry Bestpitch — Thu, 17 May 2012 15:03:14 +0000

Over the past several months you probably have been hearing it more and more. I am referring to the term BYOD. Have you been wondering what this new technology this is?

Well first let me clarify what BYOD is. It is not a new technology. In its simplest form BYOD is a term. It stands for Bring Your Own Device.

It is a recent trend of employees bringing personally-owned mobile devices to their workplace, and using those devices to access privileged company resources such as email, file servers, and databases. Some prefer the term Bring Your Own Technology (BYOT), because it is a broader description, which not only covers the hardware device(s), but also the software used on the device (e.g. web browser, media player, antivirus, word processor).

Today we access data and the Internet in various ways. Many companies have taken advantage of this allowing their employees to access company resources through their personal devices.

Some have argued that companies have become cheap and this is an easy way to decrease their company’s expenses. Other’s have argued that their company is behind in technology and if an employee want to effectively accomplish their job, they need the additional technology for an advantage.

Either way – one burning concern that you and your company need to determine is who is responsible for supporting your device. Because many companies have made deep cuts, their IT staff has limited resources and abilities.

Before you bring your smartphone or tablet into the office you should clarify what support you can expect from your IT dept.

However – support is not the only concern, there are other things that can make your company uneasy too. One of the biggest issues with BYOD is security – and the tracking and controlling access to the corporate resources, mainly the network and databases.

Additionally, it is important to consider damage liability. If an employee brings their personal device to work, and it is damaged through no fault of their own, should a company reimburse the employee the device?

So – make sure the know your company’s policies regarding personal devices in the workplace and if and how you are authorized to use them. If your company does not have a policy, perhaps you should talk with the powers that be to incorporate some.

The Yahoo Shuffle

Barry Bestpitch — Mon, 14 May 2012 16:02:57 +0000

Sure looks like a hostile take-over to me. I am referring to all the shenanigans at Yahoo. Fred Amoroso, Yahoo’s new board chairman released a statement saying they are confident that these changes will server the best interest of their shareholders.

With Scott Thompson’s resignation and that of Patti Hart, who lead the hunt for Thompson, the door is now wide open to bring in new minions for some behind the scenes wheeling and dealing. Thompson was only four months in the role since Carol Bartz’s infamous firing by email. Thompson was replaced by interim chief Ross Levinsohn.

From the outside looking in, the master puppeteer looks to be Dan Loeb. Allegations were made by activist investor Dan Loeb claiming the chief executive did not attain the college qualifications he claimed. Loeb has secured seats on Yahoo’s board for himself and two other members of Third Point, a hedge fund he founded. Now he has two more seats he is trying to fill with his yes-men. If he succeeds – then there were five.

I have to question if having a hedge fund run Yahoo is in the best interest of the shareholders, or Dan Loeb.

I am not saying that Scott Thompson was right, wrong or actually made a mistake. It is never a good idea to put misleading information on your resume, and things get real blurry from his previous employment at eBay and PayPal. But before you put all the blame on Thompson, you also have to look at Yahoo’s board of directors. It speaks volumes that the board was insubordinate in conducting a proper analysis of Thompson’s work history and education. Each and every board member had to vote for Thompson to become Yahoo’s CEO. As a side note – Yahoo has had five CEO’s in six years. I have to say with this record, I have to blame the board of directors.

It should be no surprise to Yahoo or its shareholders about Dan Loeb. He has a long history of launching proxy fights – and Yahoo is the latest company in his crosshairs. Third Point owns about 5.8% of Yahoo, and is the largest outside shareholder. In February, Third Point filed paperwork proposing four new Yahoo board members. There is a lot more detail on this subject, which I will not cover here. I will say this – At first, Yahoo didn’t want to play ball. But Third Point scored a coup by finding and exposing Thompson’s padded resume. Now, Yahoo has settled with Loeb to end the proxy fight. On Sunday, Yahoo and Third Point released a joint statement explaining the terms.

In addition, Yahoo said Sunday that it named Fred Amoroso, an existing board member, as chairman. The chairman position had been in play since a February board shakeup that wiped out most of Yahoo’s previous directors.

Perhaps you may remember “Jerry and David’s Guide to the World Wide Web”. This was the brain child of Jerry Yang and David Filo, two college students at Stanford University in 1994. This guide was basically their way of keeping track of their online information. It grew into Yahoo.

Since those days, Yahoo has come a long way, up and down. But is now is the slide back down.

So back to my question above. Should a hedge fund be allowed to run another company?

By definition – a hedge fund is an investment fund that can undertake a wider range of investment and trading activities than other funds, but which is only open for investment from particular types of investors specified by regulators. These investors are typically institutions, such as pension funds, university endowments and foundations, or high net worth individuals. As a class, hedge funds invest in a diverse range of assets, but they most commonly trade liquid securities on public markets. They also employ a wide variety of investment strategies, and make use of techniques such as short selling and leverage. This definition is explained Wikipedia.

The Future of Mobile Phones and Tablets is in the cloud

Barry Bestpitch — Thu, 10 May 2012 15:47:02 +0000

As our technology evolves, some things are beginning to take on a life of their own. We already know the Internet population has doubled in the last 5 years to 2.27 billion. Just 5 years ago it stood solid at 1.15 billion. Already 11% of adults own a tablet of some sort, and 77% of them use them daily. Almost half of us (47%) now own a smart phone and 80% of us own a mobile phone. There are 91.4 million smartphones in the USA alone. Android has the highest market share with 46.9% – iPhone has 28.7%.

Who remembers Star Trek and watching Star Trek’s LT Uhura with that huge ear piece talking to someone, or the infamous “Beam me up Scotty” spoken into their hand-held communicator. What about Spock or Bone’s Tri-Corder taking readings of a plant, person or thing? I think we can safely say – we have arrived.

Why am I mentioning all this, am I taking a walk down memory lane? Surprisingly enough, that answer is – NO.

Today – we are moving closer and closer to the realization that those fictional TV shows and movies are not too far from the truth, at least in part. I think those shows drove our ambitions, wants and desires to mimic what we were seeing. Let’s face it, it was pretty cool.

Computer chips, and subsequent computers have gotten smaller, faster and can hold more data. Wireless technology has evolved enough to allow us to communicate from almost anyway, within reason. And with cloud technology now we can safely store, access and share huge amounts of data on the fly. Live – if you will. We can collect and compile, sort and disseminate data to anyone we want, when we want and how we want. It does not matter what you use to view it, a smart phone, tablet, notebook, or computer. You will be able to use the data when you need it.

Now that we have achieved this – now what? I think our future now lies in our applications. The software programs we use to collect, access and use this data. The cloud is driving this movement with new ability. The capabilities are endless, or at least far-reaching. Just as Star Trek used the technology, so shall we. Everyday I am asked if the cloud is right for a certain vertical market. So far – I have not seen any resistance.

The biggest issues left to work on reside on security, and this I must say really resides with your chosen developer. The latest Cybercrime report shows that 54% of data breaches are from the software application itself, 34% are from backdoors and control panels (still the developer is to blame here too). This leaves just 12% to spread out over the hardware, network and cloud infrastructure.

The future of mobile phones and tablets is in the cloud. It’s not about providers anymore. It’s not about the features of the device. It will be about these devices becoming the primary computer of everyday’s life.

My recommendation to you is to investigate your software before you use it. Check out the developers. As mentioned above, 88% of your issues will stem from your developer. If you outsource to an overseas development organization – then you really have no recourse either. Most counties do not recognize or honor our legal system, so if you have to venture down that path, keep this in mind.

If you would like, we provide a Free Technical Assessment, this can be beneficial to new and startup companies that are not sure where to start.

IT Consultants VS IT Vendors: Who should you believe?

Barry Bestpitch — Mon, 07 May 2012 15:49:56 +0000

Last week I spent several hours on the phone with a product vendor discussing a problem with a client’s network and some possible causes and cures. It became abundantly clear during our marathon conversations that the vendor was not well versed at troubleshooting issues on a production environment (a network in use by users). The vendors analysis was limited and they wanted to just start trying different strategies to try to fix the problem, even if that fix broke other things on the network.

After resolving the client’s problem, minus the bad advice from the product vendor I sat at my desk, writing up my post-mortem and logged my notes on the incident. I began to think about similar incidents, not in relation to the client’s problem, but more about the occasions where we’ve had to involve a product vendor. In doing so, a pattern began to merge and an awareness hit me.

IT Vendors, either hardware or software really do not understand a customers environment, nor do they really care to. They are more concerned about getting you off the phone, shutting you up so you don’t bad mouth their products and in the process hopefully they can get their product functional again. Their only concern is that their product works.

In realizing this I began to think about the role both the IT vendor and consultant take.

IT Consultant’s – are typically well-trained companies or individuals in general and specialized IT topics, from desktops, servers, routers, switches, firewalls, software, hardware, mobile devices and laundry list of other topics. IT Consultants usually take the time to understand their clients environment in detail and research how each product interacts with the others. Some environments are easier than others but none-the-less it is important for the consultant to understand the inter-workings of such things. As a rule, here at Raven IT Consulting and Raven Cloud Computing, we frequently conduct a technical assessment with our clients to understand their environment before we make recommendations.

IT Vendor’s – in most cases have sold their product to you and the relationship ends their, expect for the possible warranty, maintenance and the occasional up sell. The IT Vendor does not want to know more about you or your environment unless they can market additional products to you. It you call their support or tech line, their sole purpose is to get their product working again as fast as they can. In doing this, often times other items cease to function on your network.

I am amazed at some of the suggestions IT vendors have made to customers. During this particular call, the IT vendor had asked the customer to remove and shutoff their firewall. For those of you who do not know what a firewall is – it is the CRITICAL component that keeps unwanted people from accessing your network and gaining access to all of your data. This specific customer just happens to be a retail store and they have customer personal and credit card information on their network. I am sure I do not need to explain the catastrophic result of doing this.

So this brings up many questions regarding vendor management. Who should manage them? What role does your IT consultant and/or IT staff play? When should you ever take the advice of an IT vendor who has not taken the time to learn your environment, in detail?

So – have you had similar encounters? If so, please comment below, I would like to hear what others have to say on this topic.

If you would like, we provide a Free Technical Assessment, this can be beneficial to new and startup companies that are not sure where to start.

Kaspersky Finds Microsoft is 10 Years Ahead of Apple in Security

Barry Bestpitch — Thu, 03 May 2012 16:00:26 +0000

The CEO of the security software vendor Kaspersky says that the number of attacks on Macs is growing, and Apple will have to learn to respond more quickly.

Apple is at least a decade behind Microsoft when it comes to dealing with malware attacks and security, and the recent Flashback attack on Macs only highlights the problems facing the systems maker, according to the founder of security software vendor Kaspersky Lab.

In an interview with Computer Business Review at the Info Security 2012 show in London, Eugene Kaspersky, CEO and founder of his namesake company, said Apple will have to change how it responds to attacks like the Flashback malware–which Kaspersky researchers call Flashfake–which infected more than 600,000 Macs worldwide and may still be plaguing users several weeks later.

In addition, as Apple systems become more popular with consumers and businesses alike, Apple will draw more attention from cyber-criminals, and the attacks will become more sophisticated, as was seen with Flashback, he said.

“I think they are 10 years behind Microsoft in terms of security,” Kaspersky told the publication. “For many years, I’ve been saying that from a security point of view, there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but this one Flashback was a bit different. For example, it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms.”

The problem facing Apple now is learning to be more responsive to threats, he said. The Flashback malware not only shook the theory of the Mac s invulnerability to malware, but also made Apple the target of harsh criticism for its slow response to the problem. The Flashback malware exploited a flaw in Java that Oracle had patched two months earlier. However, Apple–which doesn’t let third parties update software on Apple systems–didn’t issue its own patch until the first week of April, by which time the number of infected systems had exceeded 600,000.

Researchers at Kaspersky and other security experts strongly criticized Apple, pointing out the systems maker’s history of being months late with updates. With Apple products becoming an increasingly popular target for scammers, the company will have to change how it responds, Eugene Kaspersky said.

“Welcome to Microsoft’s world, Mac,” he said. “It’s full of malware. Apple is now entering the same world as Microsoft has been in for more than 10 years: updates, security patches and so on.”

It will mean Apple will have to be quicker in reacting to threats.

“They will understand very soon that they have the same problems Microsoft had 10 or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software,” Kaspersky said. “That’s what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time. They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it’s time for Apple to do that .”

If you would like, we provide a Free Technical Assessment, this can be beneficial to new and startup companies that are not sure where to start.

Survey – What are the biggest challenges you face with your company’s use of technology?

Barry Bestpitch — Tue, 01 May 2012 14:46:50 +0000

Security checklist – unusual items you should be looking at

Barry Bestpitch — Mon, 30 Apr 2012 16:08:57 +0000

Over the last 20 years I done hundreds of security audits and worked on many resolutions. It amazes me that many businesses think they are completely secure, yet have not taken the appropriate steps to actually ensure their company’s security success. There are the obvious task a company should perform, like security patches, updates and such. Once complete, they pat themselves on the back and announce they are secure. But there are so many more items and points you overlook everyday. Vulnerabilities lurk in some not-so-obvious places. I am going to discuss these today. Things and places companies rarely consider, but should.

If your company or business is like every other company in this economy, then your IT staff is thin, real thin. I work with several companies that use to employ five to ten IT staff members, but due to downsizing and reductions in force brought on by the slumping economy, slowing revenues, bad management or a variety of other circumstances, today only employ one of two IT staff members. In every case, the hardware, software and business requirements have not changed. The demand is even higher on these poor remaining staff members and things begin to slip.

As mention above you should make sure you perform hardware and software updates. Plus – your IT staff should regularly check with vendors for updates too. Just don’t rely on Microsoft to push out it’s weekly and monthly patches. Most times, Microsoft does not include many hardware updates, and does not include any third-party software updates in their update process.

So here is a list of the not-so-obvious security risk, when patched and resolved, coupled with the standard patches and updates should make you a much lower security prospect.

Your employees – your own employees are your biggest source of security risks. Sometimes, it is deliberate; often times it is not. Employees have the most access to your assets. We expend a lot of effort worrying about external threats, but all it takes is an employee bringing in a virus from a home PC on a USB drive to nullify all your measures. Disgruntled employees sometimes express their anger by hurting your computer systems. And of course, it is possible for a well-meaning employee to make a major mistake. Good governance, education, setting (and enforcing) policies, and knowing your employees are your best steps to closing the holes.

Common coding mistakes – certain mistakes in programming still get made despite years of warnings and education. Most common are SQL injection and cross-site scripting vulnerabilities. I still see these issues from time to time even in major software packages that you would think are trustworthy (WordPress is a good example). It’s hard to change software once you’ve installed it, so you need to keep these packages up to date even though it is quite a hassle.

Unauthorized machines – I see this all the time, unauthorized computers, servers, switches even routers and firewalls. Someone decides to bring in an old PC and put it on the network to do something your existing infrastructure doesn’t allow them to do. They think that they are being helpful. The best way to keep these rogue machines in line is with rigorous IP address audits and policies and scanning the network to create a list of machines. If machines can’t get IP addresses, they can’t do much harm.

Old “rock solid” servers - we all have them — that server buried deep in the data room that “just won’t quit.” Most times, it’s running some software package that is impossible to migrate to another machine. Sadly, these machines are often major security risks because they typically are no longer getting patches or we fail to patch them out of fear of breaking them. In addition, those older versions of operating systems often come with inherent security holes that no patching can fix. You need to replace these servers one way or the other. The best first step is to visualize them. From there, it is a lot easier to try to update them.

Legacy applications – it’s not just the old servers that are big security risks; it is also the applications running on them, as well as other legacy applications you may have running. These applications would be a lot less problematic if they were current with their patches, but usually they aren’t. All too often, we miss a major version update because the upgrade is so difficult, and then we’re so far behind the ball that it’s impossible to catch up. Sometimes the applications are completely discontinued. It’s painful to say it, but the best thing you can do is find a migration path to a recent version or another package entirely.

Local admins – there are dangers of allowing users to run with escalated privileges. Occasionally businesses end up with users being granted local admin rights inappropriately. This often happens while troubleshooting a problem: We make the user a local admin to see if it fixes a problem and we forget to undo it. Regardless of how it occurs, it is a ticking time bomb for security. Use your central administration tools to make sure that the local admin list gets reset on a regular basis to the proper users and groups.

Incorrect share/file permissions - File permissions are tricky things, and most users are not even aware of how to set them. So what happens? Users create sensitive files in their usual networked location and those files get the default permissions, which are “collaboration friendly” to say the least. The next thing you know, everyone can read the documents, which are supposed to be confidential. Your best weapon is to pre-establish a share and file structure with the correct permissions. For example, give everyone a home directory for personal documents and create shares or directories around roles, projects, and teams with the appropriate permissions. The hard part is then educating them to use the correct locations — but that is much easier than trying to teach them permissions.

Hidden servers within applications – I have seen more and more applications lately that use a local Web server as an administration console. Sometimes, these applications are installed by users without permission. But occasionally, the IT department just does not realize what comes with an application. While these servers can be locked down so that they are not a risk (and with luck, they get installed like that), you need to verify that the applications are secured properly before allowing them to be installed on users’ machines.

VPN clients - some users figure out how to set up VPN access on their personal machines. For a power user, it isn’t too hard to do. But you have no control over that machine, and once it is on the VPN, problems with the unauthorized machine can easily spill over onto the VPN. One thing you can do is audit the VPN systems to see who is connecting from what PCs and compare it to your list of authorized systems. Also, you can put additional firewalls around VPN clients to quarantine them. Finally, there are various systems to ensure that the clients connecting are on a pre-approved list.

Disabled security software - security software often puts up roadblocks to getting work done, so the “logical response” from many users is to find a way to work around it. Power users (especially developers and system administrators) often know how to circumvent security tools. They may also be local administrators because of a technical need, which makes disabling software and changing settings even easier.

It is tough to stay in front of these items. Today’s security threats go way beyond what they use to. Every Acrobat file, for example, is a potential security risk. Start looking for unusual trends, like large amounts of consistent traffic to an IP address and use centralized tools to ensure that settings are at the right levels and are reset periodically. Also, take any unnecessary local administration rights and firewall entire groups onto their own network segment to limit damage if those groups have a legitimate need for lower security.

If you would like, we provide a Free Technical Assessment, this can be beneficial to new and startup companies that are not sure where to start.

Google faces backlash on release of new product

Barry Bestpitch — Thu, 26 Apr 2012 18:53:44 +0000

So it Google at it again? Just two days into their launch of Google Drive, an online cloud storage solutions (that competes with our own product). Google is already facing suspicion as it tries to persuade people to entrust their personal documents, photos and other digital content to the company’s new online storage service.

If you know Google, two things come to mind. Number one – they want to own everything you put on or in the products and can use the data for whatever purposes they see fit. Secondly – No support. Whereas Googles does provide online documentation and forums, you are on your own when you try to figure something out, or need just a little more information on the subject. Basically – their support is what I call Wal-Mart service. You walk into the store looking for the shoe department, you cannot find it, so you look for a sales associate to assist you and you cannot even find one of them. There’s a handwritten sign on a post that states the shoe department is in the back. Good Luck!

So before Tuesday was over, blogs, news articles and twitter were picking apart a legal clause that made it sound as if all the users’ content stored in Google Drive automatically would become the intellectual property of Google Inc.

But – that is probably not the case.

Goggle is back peddling now stating the way that they keep documents in its data centers requires the company to obtain a license to “host, store (and) reproduce” the files. “Our terms of service enable us to give you the services you want — so if you decide to share a document with someone, or open it on a different device, you can,” Google said in a Wednesday statement.

As I have always advised: When searching for a cloud provider make sure to do you homework and actually read the providers terms and conditions. (I will discuss this as a future topic in the coming weeks). There are differences.

Do you have any thoughts on this? Have you had any experience with Google, or other providers that you would be willing to share your story. Please comment below.

If you would like, we provide a Free Technical Assessment, this can be beneficial to new and startup companies that are not sure where to start.