Tuesday, June 20, 2006

New Excel Vulnerability

A new and as-yet-unpatched security hole in Microsoft's Excel program has been exploited. The attack involves receiving a malicious Excel spreadsheet attachment. Naturally, you should never open any attachments from anyone you don't know. Even then, you should be expecting the specific attachment. Currently Microsoft has tested this vulnerability on Excel 2003, Excel XP, Excel 2000, Excel 2004 for the Mac, Excel v X for the Mac, and the Excel Viewer. There are several workarounds that can be employed.

Details can be found at: http://www.microsoft.com/technet/security/advisory/921365.mspx

Derek Rowan
President
HLP Associates, Inc.
www.hlp.net

Attacks targeting unpatched computers

Microsoft released over 21 security updates on June 13th. The day after that, many hackers started posting detailed instructions on how to break into systems that haven't yet applied those updates. It is important that you apply all security updates from Microsoft or call us to make sure that they get done. All but two of these 21 updates were for vulnerabilities that would allow a hacker to take control of your system.

According to Microsoft, "the exploit code does not affect users who have installed all June security updates."


Derek Rowan
President
HLP Associates, Inc.
www.hlp.net

Monday, June 12, 2006

Huge vulnerability in Windows 98 and ME not to be fixed

For those of you still running Windows 98 or Windows ME, Microsoft confirmed last week that it will not fix a security vulnerability in your operating system. This critical vulnerability for all versions of Windows was detailed in April. Since then, all versions have been patched except Windows 98 and ME. Microsoft has determined that it is not possible to fix the vulnerability in Windows 98 or ME without possibly breaking the entire system so that software won’t run properly.

As such, they are leaving this huge vulnerability unpatched and recommending that you place your Windows 98 system behind a firewall (software firewalls are OK) or upgrade to Windows XP. For more details, see:

http://www.microsoft.com/technet/security/bulletin/MS06-015.mspx

So, if you're still running an older operating system, it's important to make sure you're behind a firewall, or you should upgrade if possible.

Derek Rowan
President
HLP Associates, Inc.
www.hlp.net

Thursday, June 08, 2006

Undo for your whole computer!

Shhh! Don’t tell Derek I’m giving away the secrets.

Do you ever wish there was an undo button for your entire computer like there is in Word? I hear people say all the time, “My computer was working perfectly yesterday and today it won’t…” Well, I am here to tell you that there is an “Undo” button for the computer called System Restore, but it doesn’t quite do what you might think. Say you saved an important file to your C: drive yesterday (which I know that you wouldn’t, because for most people the C: drive does not get backed up) and then you deleted it today. System Restore would not help us here. However, if you installed a new program and your Word or Excel now freezes every time you open it, then this is a good job for System Restore. System Restore is located under All Programs > Accessories > System Tools, and it allows you to choose a date to restore your computer to. It is very important to know that while System Restore may seem like the magic wand to solve all of your computer problems, there are some cautions.

  1. System Restore doesn’t change data. This could be good or bad: good because you will not lose data, and bad because it will not restore any data.
  2. System Restore will restore your computer to the exact time you picked, so if you have uninstalled a program or made any changes you want to keep on your computer, you should be careful to choose a restore point that is after that time. If on Monday the 10th you installed Word 2003 and on Tuesday the 18th you installed Adobe, but now you are having trouble with Office and want to go back to before you installed Word on the 10th, beware that you will lose Adobe as well if you choose a restore point from the 9th.
  3. System Restore could restore a virus. Before you remove a virus, you should turn off System Restore; that way you cannot accidentally restore your computer to the time when you had a virus.
  4. Have fun. System Restore also has an option for “undo my last restore.”

For more information on System Restore, please go to http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

Paula Crowell
Service Manager
HLP Associates, Inc.
www.hlp.net

Wednesday, June 07, 2006

Disaster Recovery for your Exchange E-mail

Just when you thought Microsoft had run out of ways to win your business, they introduce Exchange Hosted Services. These services range from spam filtering, to archiving, to hosted continuity. I’m discussing hosted continuity here, because it’s a unique service that solves a problem that in the past many small businesses thought was simply a fact of life when it comes to technology.

Let’s face it. You’ve grown accustomed to E-mail and your organization can’t live without it. You don’t want to think about it, but someday your E-mail may go down. Sure, you’ve got redundant hard drives, multiple backups, and plenty of security, but there are so many other factors out of your control that could cause your server to go down, from theft, to fire, to Internet access failure. Microsoft’s Exchange Hosted Continuity is a way to provide continuous access to E-mail for your users even when the server is down.

It works by making a copy of any incoming and outgoing E-mails and storing them in an off-site message store for 30 days. If your system is down, you simply connect to the off-site website to retrieve your E-mails. What's better, your E-mail continues to come in to this backup server - all automatically! You never lose any incoming E-mail!

And you can retrieve your E-mail from anywhere. There’s no additional hardware or software needed for this service!

So how much does the service cost? The price is $2.50 per user per month with a minimum of three years. You can purchase as few as 5 user licenses.

Unfortunately, the service doesn’t yet replicate public folders or calendars, but Microsoft claims they are working on that for a later release. Also, you can’t sign up just a few mailboxes; you need to purchase the service for everyone with an Exchange mailbox in your organization (from the president down to the interns).

So if your organization can’t function without your E-mail for even a day, Exchange Hosted Continuity may be your answer. For more information give us a call or go to
http://www.microsoft.com/exchange/services/continuity.mspx

For more information on all of Microsoft’s Exchange Hosted Services see:
http://www.microsoft.com/exchange/services/default.mspx

Mike Tanney
Product Manager
HLP Associates, Inc.
www.hlp.net

Is it time to go to Pass Phrases instead of Passwords?

According to most authorities, your passwords are the key to accessing a huge portion of your personal information. Today, so many of us have so much stuff online that keeping track of our passwords isn't easy. This has caused many of us to use passwords that aren't as secure as they should be. With the wave of hackers making easy entry into sites it is ever more important to make sure your passwords are kept secure.

The best way to do this is to first make your password longer (we recommend 15 characters or greater) and make sure it contains symbols, upper and lowercase letters, and numbers. Of course, I know what you're saying. How can you possibly remember such a password? Yeah, I agree. The solution is a pass phrase. This is where you take a phrase and use it as your password (spaces and all). An example would be: Joshua plays #7 in football

This phrase is easy to remember (assuming you know someone named Joshua) and easy to type. It also has a mix of lowercase, uppercase, symbols, numbers, and is long. Another benefit of phrases is that for most of us, it is easy to come up with new ones as we go through our daily lives. This allows us to change our passwords often and still remember them. Oh yeah, there's really nothing wrong with writing your password down on a piece of paper next to your desk. In most of our client offices, there isn't much worry about the person in the next cube getting your password; it's really for the external hacker. But naturally if your position requires your stuff to be secure from your coworkers, obviously a post-it note on your monitor may not be a good choice!

There is a lot more you can do with your passwords, but we recommend you change to a pass phrase environment. HLP can assist you with enforcing these changes so that your users are required to make the change. I've included some links below to read about secure passwords, pass phrases, and there's even a link to a password checker that will show whether or not your password meets the test of being difficult to "hack."

Some links for further reading.

Help protect personal information with strong passwords
Are smart cards a new way of life?
The Great Debates: Pass Phrases vs. Passwords
Check the strength of your passwords online


Derek Rowan
President
HLP Associates, Inc.
www.hlp.net

P.S. Update to this post. Today, we were contacted by a client to test access to a secured area of their website. We were able to gain access relatively quickly. How did we do it? We guessed their password on the second try. Don't you think you should change your passwords today?
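
The length and character-mix recommendation in this post, together with the guessed-password point in the P.S., can be expressed as a simple check. The Python below is an added example, not part of the original post; the function names, the small deny-list and the 95-character printable-ASCII pool are assumptions made for illustration.

```python
import math

MIN_LENGTH = 15  # minimum length recommended in the post
# Constructed deny-list for illustration; a real one would be far larger.
COMMON_GUESSES = {"password", "letmein", "welcome", "qwerty"}

def char_classes(secret):
    """Report which of the four recommended character classes are present."""
    return {
        "lowercase letter": any(c.islower() for c in secret),
        "uppercase letter": any(c.isupper() for c in secret),
        "number": any(c.isdigit() for c in secret),
        "symbol": any(not c.isalnum() for c in secret),  # spaces count
    }

def brute_force_bits(secret):
    """Upper bound on character-by-character brute-force cost, in bits.

    Assumes an attacker tries every string over the classes in use
    (26 + 26 + 10 + 33 printable ASCII characters). Real phrases built
    from dictionary words are more guessable than this figure suggests.
    """
    sizes = {"lowercase letter": 26, "uppercase letter": 26,
             "number": 10, "symbol": 33}
    used = char_classes(secret)
    pool = sum(sizes[name] for name, present in used.items() if present)
    return len(secret) * math.log2(pool) if pool else 0.0

def check_passphrase(secret):
    """Return a list of policy problems; an empty list means it passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems += [f"no {name}"
                 for name, present in char_classes(secret).items()
                 if not present]
    lowered = secret.lower()
    problems += [f"contains common guess '{guess}'"
                 for guess in sorted(COMMON_GUESSES) if guess in lowered]
    return problems

if __name__ == "__main__":
    # Constructed sample inputs; the first is the post's own example phrase.
    for candidate in ["Joshua plays #7 in football", "Passw0rd!",
                      "Welcome to HLP 2006!"]:
        print(f"{candidate!r}: {brute_force_bits(candidate):.0f} bits,",
              check_passphrase(candidate) or "OK")
```

The third sample meets the length and character-mix rules yet is still flagged, which is the situation the P.S. describes: a compliant secret that is easy to guess.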

Thursday, June 01, 2006

Microsoft announced date for patch release of critical Word vulnerability

Microsoft has disclosed that the fix for the Word virus circulating won't be available until June 13, 2006. HLP recommends that you apply the fix immediately when it's available. The issue is that a malicious attacker could create a Word document (or Excel spreadsheet) that contains an executable virus and send it through E-mail (or it could be sent by a user you trust, from a virus on their PC). Typically you cannot get viruses from documents. However, in this case, a program could be embedded in the Word document and allow your PC to be open for further attacks, allow a hacker to take full control of your PC, etc.

HLP recommends you do not open any documents from those that you don't know and trust and that you aren't expecting. The only workaround is to run Word in "safe mode" and not open documents directly from Outlook or another E-mail program. The full details of the vulnerability as well as the workarounds can be found at: http://www.microsoft.com/technet/security/advisory/919637.mspx. As always, HLP would be happy to assist you with this or any other questions you may have.

Microsoft Security Advisory

Vulnerability in Word Could Allow Remote Code Execution
Published: May 22, 2006

Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility.

Derek Rowan
President
HLP Associates, Inc.
www.hlp.net