<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DigiPest</title>
	<atom:link href="https://www.digipest.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.digipest.com/</link>
	<description>Helping Businesses Navigate Technology since 2011</description>
	<lastBuildDate>Wed, 29 Jun 2022 06:48:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.1</generator>
	<item>
		<title>Ransomware: How to Protect Yourself</title>
		<link>https://www.digipest.com/blog/ransomware-how-to-protect-yourself/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Mon, 15 May 2017 13:11:01 +0000</pubDate>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[WannaCry]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=1267</guid>

					<description><![CDATA[<p>The massive cyber attack unleashed on the world on Friday (in the form of the WannaCry ransomware worm) caused major disruption to thousands of people around the world. The effects of the attack will be felt for some time to come and one question remains: how do you protect yourself from ransomware? Ransomware is rapidly [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/ransomware-how-to-protect-yourself/">Ransomware: How to Protect Yourself</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The massive cyber attack unleashed on the world on Friday (in the form of the WannaCry ransomware worm) caused major disruption to thousands of people around the world. The effects of the attack will be felt for some time to come and one question remains: how do you protect yourself from ransomware?<span id="more-1267"></span></p>
<p>Ransomware is rapidly becoming the tool of choice for criminal organisations to quickly gain large amounts of money for very little effort on their part. The initial costs of acquiring the tool are quickly recovered when organisations panic and pay the ransom, in the hope that they will get their files back.</p>
<h2>Paying the Ransom does Nothing</h2>
<p>These days, it is highly unlikely that you will get your files back if you panic and pay the ransom. The cyber criminals who infected your system have no incentive to actually hand over the decryption keys (assuming they even have them). There is also no way for you to reverse the bitcoin transfer once you have made it, should they fail to deliver what they promised.</p>
<p>All paying the ransom does, in most cases, is leave you in the same situation you were in before, minus whatever amount&nbsp;the ransom demand was. While this won't stop some people from paying it, the only real way to protect yourself from ransomware is to ensure you have backups of your files in a safe location.</p>
<h2>Backup, Backup, and Backup Again (and test your backups)</h2>
<p>If you're reading this post and haven't backed up your important files in the last 24 hours, <strong>stop reading and do it now</strong>.</p>
<p>If you're reading this post and haven't tested your backups in the last 24 hours, <strong>stop reading and do it now</strong>.</p>
<p>Backups are the only real way to ensure you are protected against a ransomware attack. However, a surprising number of people have never set up proper backup procedures. Of those that have, the vast majority have never tested that they actually work.</p>
<p>If you're reading this and thinking "boy, he's really making a big point about backups", you'd be right, because they are the only thing that will save you when you fall victim to a ransomware attack.</p>
<p>If you're a consumer reading this and thinking "I don't have anything important enough that I need to worry about backups" think again.</p>
<p>Ransomware targets the things you care about (your music collection, family photos, videos of family gatherings, documents, etc.). How much of that could you replace when a malicious e-mail drops ransomware on your PC?</p>
<h3>You set up your backups years ago. They're still copying everything...right?</h3>
<p>Great, you do actually have a backup system in place, but when was the last time you checked that it's still backing up all the files you care about?</p>
<p>Software changes, which means the locations where it stores important files can also change. If your backup systems and policies aren't updated to take notice of these new locations, chances are they're going to miss vital files, leaving you unprotected.</p>
<p>Every time you upgrade your software, take note of any changes to storage locations that are mentioned and make sure you update your backup systems to copy those files.</p>
<h3>Off-site backups aren't just a good idea, they're essential</h3>
<p>Putting the whole ransomware issue aside for a moment, do you take your backups away from your office? If not, you really should.</p>
<p>Backups are essential for protecting you against accidental or malicious damage to your important data, but leaving those backups in your office doesn't help if the building itself is compromised in any way.</p>
<p>If your office catches fire or is flooded, any backups you leave there are likely to be useless. Rotating your backup devices so that at least one is always off-site protects you from anything that may physically compromise your business premises.</p>
<p>If you rotate the backups every 24 hours, one day's worth of information is the most you should lose, meaning you'll only be a day behind instead of weeks or months if your on-site backup is destroyed or stolen.</p>
<h2>Updates: Annoying, but Essential</h2>
<p>We all hate them, but installing updates is essential for protecting your computers against attack. An update corrects a newly discovered (and often publicly disclosed) security issue in your software. The problem is that many organisations take months to apply updates, leaving their systems vulnerable to attack.</p>
<p>If you work on your own and shut down your computer every day, chances are it's automatically installing updates for you. However, a large number of organisations leave their computers running overnight, meaning that updates aren't installed as quickly as they should be.</p>
<p>If you work for an organisation that lets you leave your computer switched on overnight, try to find out whether the IT department restarts the machines at weekends to apply updates. If they don't, suggest that they do; there are even articles like this one (<a href="https://deployhappiness.com/automatic-restarts-make-for-a-smooth-day/" target="_blank" rel="noopener noreferrer">https://deployhappiness.com/automatic-restarts-make-for-a-smooth-day/</a>) that explain how to automate it.</p>
<p>While updates won't protect you from all forms of ransomware (most rely on some form of user interaction in order to work), they will protect you from those that exploit vulnerabilities for which patches already exist.</p>
<h2>Conclusion</h2>
<p>Regularly installing updates and ensuring that you have working backups are the two most important things you can do to protect yourself from a ransomware attack. You will be hit by one eventually; it's only a matter of time.</p>
<p>If you're one of the few people reading this article and thinking "yes, I do all these things", good for you (but it would probably still be wise to double-check).</p>
<p>If you don't have backup procedures in place, use this week to start (all it takes is buying an external hard drive; backup software is already part of your operating system).</p>
<p>If you don't take a copy of your backups off-site, designate someone to be responsible for them (and, if needed, buy additional external hard drives).</p>
<p>If you need help with any of this, get in touch and we'll talk you through your various options.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>E-Mail Security: Sending Newsletters</title>
		<link>https://www.digipest.com/blog/e-mail-security-sending-newsletters/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Tue, 10 May 2016 12:10:24 +0000</pubDate>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[e-mail]]></category>
		<category><![CDATA[mailing lists]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=1238</guid>

					<description><![CDATA[<p>Recent reports of health clinics breaching the Data Protection Act through user error have highlighted a problem with the use of mass e-mail. The news of yet another breach of the Data Protection Act through improper handling of e-mail addresses when sending newsletters to clients indicates a fundamental issue with the general understanding of proper methods [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/e-mail-security-sending-newsletters/">E-Mail Security: Sending Newsletters</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Recent reports of health clinics breaching the Data Protection Act through user error have highlighted a problem with the use of mass e-mail.</p>
<p><span id="more-1238"></span></p>
<p>The news of yet another breach of the Data Protection Act through improper handling of e-mail addresses when sending newsletters to clients indicates a fundamental issue with the general understanding of proper methods for bulk e-mail distribution.</p>
<h2>Don't Use the To: Field</h2>
<p>If you're sending the same message to a group of users, you may be tempted to just add all their addresses to the standard 'To:' field. This may seem like a perfectly viable solution; after all, you're sending the message <em>to</em> multiple people, right?</p>
<p>While you are sending the content of the message to multiple people, in most cases, you don't want to disclose the addresses of every other recipient, as doing so may lead to an unintentional breach of the Data Protection Act.</p>
<p>If you're not supposed to use the 'To:' field, what options do you have for safely distributing your newsletter to a large group of people?</p>
<h2>Option 1: Use the BCC: Field</h2>
<p>All e-mail clients give you the option of specifying addresses in what is known as the BCC (Blind Carbon Copy) field. This field serves the same purpose as the 'To:' and 'CC:' fields, but its contents are not included in the messages that are delivered, so individual recipients do not know who else the message has been sent to.</p>
<p>This method allows you to continue to use your existing e-mail client to distribute your newsletters while protecting the e-mail addresses of the recipients from accidental disclosure. However, it isn't the ideal method for the distribution of mass e-mail.</p>
<p>It falls short because your recipients have no easy way of telling you that they no longer wish to receive your messages. This is where your second option comes into play: mailing lists.</p>
<h2>Option 2: Set Up a Mailing List</h2>
<p>There are many third-party services that make the process of setting up mailing lists easy. Many have integrated tools to help you track the effectiveness of your messages, acquire address information, and take care of the unsubscribe process.</p>
<p>Services like MailChimp and AWeber even have plugins available for Content Management Systems like WordPress, so visitors to your site can sign up to your mailing list.</p>
<p>They also allow you to test your proposed message, to see how it will look in a variety of e-mail clients, so you can avoid sending messages that are unreadable to some of your recipients.</p>
<p>Of course, if entrusting your newsletter distribution to a third party is not an option for your specific usage scenario, you can still run mailing lists from your own servers, using open source software like <a href="https://www.gnu.org/software/mailman/" target="_blank">MailMan</a>.</p>
<p>While this post is in no way an endorsement of such services, they do provide an easy-to-use mechanism for managing your mass e-mail requirements, while also giving you the best chance of remaining compliant with all relevant legislation.</p>
<p>Hopefully, the information in this post has helped you understand e-mail distribution a little better. If you have any questions, please leave a comment and I will be happy to answer them.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New Website Is Live!</title>
		<link>https://www.digipest.com/blog/new-website-is-live/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Thu, 02 Apr 2015 10:18:04 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[new]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[website]]></category>
		<category><![CDATA[youtube]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=1175</guid>

					<description><![CDATA[<p>It's taken nearly 6 months of work, but the new and improved DigiPest website is finally live. Security Is An Afterthought IT security has been a passion of mine for a long time, the problem is figuring out how best to channel that passion into something that small businesses are willing to buy into. Although [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/new-website-is-live/">New Website Is Live!</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>It's taken nearly 6 months of work, but the new and improved DigiPest website is finally live.</p>
<p><span id="more-1175"></span></p>
<h2>Security Is An Afterthought</h2>
<p>IT security has been a passion of mine for a long time; the problem is figuring out how best to channel that passion into something that small businesses are willing to buy into.</p>
<p>Although companies understand the basics (anti-virus, firewalls, etc.), getting them to see the value in more rigorous security measures like penetration testing, security awareness training, etc. has been a significant challenge.</p>
<p>Many small businesses fail to see the value in paying an organisation to pro-actively test how secure they <em>actually</em> are, because they always believe that they'll never be the target of a cyber attack.</p>
<p>No matter how many times I have tried to explain that they're at as much risk as the big companies (who are suffering security breaches every month), it has rarely made any difference.</p>
<h2>Change Is Good</h2>
<p>Towards the end of 2014, I came to the realisation that the vast majority of the work we had been doing since we were founded in 2011 wasn't strictly IT security related. In fact, we've been asked to do everything from server migrations to website development and bespoke applications.</p>
<p>Now, this doesn't mean that DigiPest is suddenly going to stop providing IT security services to those who want them, just that we're no longer going to rely on it as our primary source of income.</p>
<p>This new website design was selected to enable us to gradually start introducing new products and services, while keeping our existing content within easy reach.</p>
<p>Over the next few weeks, new entries will start appearing in the navigation bar, detailing the wider range of services that we offer. These will include:</p>
<ul>
<li>Web Development</li>
<li>Website Migration</li>
<li>Software Development</li>
<li>Network Setup/Migration</li>
<li>Open Source Consultancy</li>
</ul>
<h2>Monthly Q&amp;As</h2>
<p>Another first for us, we're going to start planning for a series of monthly Q&amp;A sessions, hosted on either YouTube or Google Hangouts, where we will aim to answer any questions you have about how to make technology work better for your business.</p>
<p>The exact format of these sessions is still being worked out, and more details will be made available before the first session takes place, but we feel this could be a valuable service we can offer to help small businesses navigate the confusing world of technology.</p>
<p>Of course, these won't succeed without input from you, so please follow us on Twitter: <a title="Twitter" href="http://twitter.com/digipest" target="_blank" rel="noopener noreferrer">@digipest</a>&nbsp;and/or like our <a title="DigiPest on Facebook" href="http://www.facebook.com/digipest" target="_blank" rel="noopener noreferrer">Facebook</a> page for more information.</p>
<h2>DigiPest Is Doing YouTube!?</h2>
<p>Yes, as part of our re-branding as a technology consultancy firm we're going to start posting videos to our YouTube channel, which we hope will fill a small gap we've uncovered in the YouTube technology video market: a channel aimed at helping small businesses do more with the technology that's out there.</p>
<p>Once we've got the rest of the new website up and running, we'll start posting videos to our <a title="DigiPest on YouTube" href="http://www.youtube.com/user/digipest" target="_blank" rel="noopener noreferrer">YouTube</a> channel covering a few of the things we've been asked to help with over the years, so subscribe now and you'll know when the first one is live.</p>
<h2>Here's To A New Beginning</h2>
<p>We're hopeful that the changes that are being implemented will position us for success, but we can't do any of our more ambitious projects without support from you, so we would really appreciate it if you could share this post with friends or family who might be struggling to tame the technology that they use.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>MS14-066: Microsoft&#039;s &#039;Heartbleed&#039;</title>
		<link>https://www.digipest.com/blog/ms14-066-microsofts-heartbleed/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Wed, 12 Nov 2014 12:33:22 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[ms14-066]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[vul]]></category>
		<category><![CDATA[windows]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=1031</guid>

					<description><![CDATA[<p>Microsoft's November 'Patch Tuesday' contained quite a few critical updates. Here's one you really need to take notice of. MS14-066 is an identified remote code execution vulnerability in SChannel (the portion of Windows responsible for secure communications, including SSL/TLS). What Does This Mean? Should an attacker be able to exploit this vulnerability, they would be [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/ms14-066-microsofts-heartbleed/">MS14-066: Microsoft&#039;s &#039;Heartbleed&#039;</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Microsoft's November 'Patch Tuesday' contained quite a few critical updates. Here's one you really need to take notice of.</p>
<p>MS14-066 is an identified remote code execution vulnerability in SChannel (the portion of Windows responsible for secure communications, including SSL/TLS).</p>
<p><span id="more-1031"></span></p>
<h2>What Does This Mean?</h2>
<p>Should an attacker be able to exploit this vulnerability, they would be able to run arbitrary code on an affected system - which at this point at least is <em>all</em> versions of Windows Microsoft is still supporting!</p>
<p>Exploiting this vulnerability requires an attacker to send a specially crafted piece of information (a packet) to a vulnerable system; once the system receives this packet, it would proceed to execute any instructions that were contained within it.</p>
<h2>What Can I Do?</h2>
<p>At this point, all you can do is wait for Microsoft to release the update that fixes MS14-066 (KB2992611), as Microsoft hasn't identified any mitigating factors that would reduce the impact of this vulnerability.</p>
<p>It may be possible to configure any IDS/IPS that you may be running to detect and block these packets, but until someone releases a Proof of Concept exploit, it is difficult to know for sure.</p>
<h2>More Information</h2>
<p>We will be updating this post as more details about the mechanism of this vulnerability become available; in the meantime, you can keep up to date with the progress of the patch by visiting the link below:</p>
<p><a title="MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014" href="https://support.microsoft.com/kb/2992611" target="_blank">MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014</a> (Microsoft Support)</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Critical &#039;Shellshock&#039; Bug Affects Millions of Devices</title>
		<link>https://www.digipest.com/blog/shellshock-bug-affects-millions-devices/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Thu, 25 Sep 2014 17:01:27 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[bash]]></category>
		<category><![CDATA[shellshock]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=999</guid>

					<description><![CDATA[<p>A critical security vulnerability, dubbed 'Shellshock', in one of the most widely used programs, Bash (Bourne Again Shell) could topple the recent Heartbleed vulnerability as the most severe issue to affect the Internet. What is Bash? Bash is a program that is present on millions of devices, and all it does is provide a method [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/shellshock-bug-affects-millions-devices/">Critical &#039;Shellshock&#039; Bug Affects Millions of Devices</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A critical security vulnerability, dubbed 'Shellshock', in one of the most widely used programs, Bash (Bourne Again Shell) could topple the recent Heartbleed vulnerability as the most severe issue to affect the Internet.<span id="more-999"></span></p>
<h2>What is Bash?</h2>
<p>Bash is a program that is present on millions of devices, and all it does is provide a method for users or other programs to interact with them.</p>
<p>It provides what is known as a shell, which allows users of a device, or programs running on it, to issue commands to the operating system and receive responses.</p>
<p>If you are a Windows user, the PowerShell or Command Prompt serve the same purpose. For the OS X users out there, OS X uses Bash, and you can access it yourself via the 'Terminal' application.</p>
<h2>How Serious is Shellshock?</h2>
<p>Various security companies, along with US-CERT, have labelled Shellshock as the most severe vulnerability to affect devices. US-CERT has given it a score of 10.0.</p>
<p>Simply put, it allows an attacker to execute commands on a vulnerable device by modifying the contents of so-called Environment Variables.</p>
<h3>What is an Environment Variable?</h3>
<p>An environment variable is a way of storing information that can be accessed by other programs on a system. A typical example of an environment variable you may find on your computer is the PATH variable.</p>
<p>The PATH variable stores a list of directories where your system can find programs/commands to execute - it saves you from having to remember where they are every time you want to use them.</p>
<p>What makes Shellshock so deadly is that there are many ways to modify environment variables, including via other programs such as a web server.</p>
<p>This means that a system vulnerable to Shellshock could be compromised pretty easily if an attacker placed some code to set or change environment variables in a form on your website, and the server processed the instruction.</p>
<h2>How Does Shellshock Work?</h2>
<p>In a nutshell, Shellshock is a flaw in how Bash processes environment variables. It exists because Bash executes any command placed after the end of a function definition stored in an environment variable.</p>
<p>Simply put, in order to exploit a device vulnerable to Shellshock, an attacker would set an environment variable similar to this:</p>
<pre>env x='() { :;}; echo vulnerable' bash -c "echo this is a test"</pre>
<p>The first part of this command defines an environment variable called 'x', whose value contains an empty function followed by an 'echo' instruction that prints the word "vulnerable" to the terminal. We then start another instance of Bash and tell it to echo 'this is a test'.</p>
<p>If this is run on a device vulnerable to Shellshock, you will get the following output:</p>
<pre>vulnerable
this is a test
</pre>
<p>This is because Bash allows users to export not only individual values to environment variables, but also entire functions. It should ignore the echo instruction that comes after the function definition, but it doesn't.</p>
<p>This makes it possible for an attacker to trick Bash into executing arbitrary commands by simply overriding existing environment variables that are set or used by web applications, and do so without any authentication checks.</p>
<p>This could enable them to compromise other machines, or extract sensitive data from the affected device.</p>
<h2>What Should I Do?</h2>
<p>If you use either Linux or Mac OS X, there should be updates to address this vulnerability available already (although there are reports that the initial fix from the Bash developers is incomplete, and so your system may still be vulnerable under certain circumstances).</p>
<p>It is also worth noting that Bash is often included in many consumer electronics devices (broadband routers, TVs, Blu-ray Players, etc.) and therefore security experts, including us, are urging consumers to check with device manufacturers for updates.</p>
<p>If you run your own Linux-based servers, or host websites on servers provided by hosting companies, we advise that you check for and install any updates <strong>immediately</strong>. If in doubt, contact your hosting provider and seek their advice.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>If You Build It, They Will Come</title>
		<link>https://www.digipest.com/blog/if-you-build-it-they-will-come/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Fri, 25 Jul 2014 10:52:42 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=983</guid>

					<description><![CDATA[<p>A recent news report about a travel services company that has been fined £150,000 by the Information Commissioner's Office for a breach of an 'internal' system, hosted on the same server as their main e-commerce website (that led to the compromise of over 1.1 million credit/debit card details) has driven me to write this post, [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/if-you-build-it-they-will-come/">If You Build It, They Will Come</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A recent <a title="Online travel services firm faces £150,000 penalty after data breach" href="http://business-technology.co.uk/2014/07/online-travel-services-firm-faces-150000-penalty-after-data-breach/" target="_blank">news report</a> about a travel services company that has been fined £150,000 by the Information Commissioner's Office for a breach of an 'internal' system, hosted on the same server as their main e-commerce website (that led to the compromise of over <strong>1.1 million</strong> credit/debit card details) has driven me to write this post, so that further incidents of this type do not happen.<span id="more-983"></span></p>
<h2>They Will Still Find It</h2>
<p>Just because you haven't told search engines about your internal system doesn't mean that they won't still find it. Your easiest method of stopping them is a robots.txt file that denies search engines access to your application.</p>
<p>However, even this isn't foolproof. Malicious attackers have created custom search engines that explicitly ignore the contents of a robots.txt file, and in fact use it to tell them <em>what</em> to look for.</p>
<p>The best way of keeping confidential, internal systems secure is to run them internally, on servers that aren't accessible from the Internet.</p>
<h2>It Only Takes One</h2>
<p>If you are going to run 'internal' applications on your public servers, please keep in mind that ensuring the code developed for your internal application doesn't expose your server to basic security attacks is even more vital.</p>
<p>In the case of this travel services company, their internal application (which they thought no one outside the company could find) was vulnerable to a SQL Injection attack, which enabled the attacker who compromised it to gain access to the database of their e-commerce website, which contained the credit card details of all their customers, dating back to 2006!</p>
<p>People outside the security industry often think that an attacker has to compromise each website or application they target separately - this is <em>not</em> the case.</p>
<p>Your separate websites or applications often share resources on your server, such as the database software they use to store their data. Therefore, if an attacker can compromise one application's access to that shared resource, they can often escalate their access privileges and get at the data of other applications that use it.</p>
<h2>It's Not All About Passwords</h2>
<p>Another common misconception people outside the security industry have is that the only way to compromise a website involves cracking the password of an existing user. This rarely happens in practice.</p>
<p>More often than not, websites are compromised through small, but significant flaws in the code that was written by the people who developed them. These flaws have no impact on the normal operation of a website, so they often go undetected until an attacker exploits them. By far the most common of these is a SQL Injection vulnerability.</p>
<p>Simply put, it occurs when the developers of a website or application fail to properly verify the data supplied from user input fields, leading to the ability for an attacker to replace the legitimate database query from the application, with one that they have written themselves.</p>
<p>This enables an attacker to tell the database server to do <em>anything</em> that the user account that the application is using to connect to the server can (which, if it's been configured properly, and the database server is up to date, should be very little outside of the database of the vulnerable application).</p>
<p>One of the things they can do is to dump a list of other tables in the database that the compromised application uses, and then use that information to dump the contents of user tables (including your passwords).</p>
<p>If, as was the case with this security breach, your database server is itself vulnerable to further attacks, an attacker can use the access they have gained through SQL Injection to exploit the server and then gain access to any database it contains.</p>
<h2>More Pain On The Horizon?</h2>
<p>There is of course another aspect of this story that hasn't been covered much - the response of the credit card companies.</p>
<p>When you decide to run an e-commerce website and accept credit/debit cards, you are required to ensure that your server, website and any other system that those details pass through is compliant with the Payment Card Industry Data Security Standard (PCI DSS).</p>
<p>This standard ensures that the card details that customers give you are stored securely, and not retained for any longer than necessary.</p>
<p>Failing to comply with PCI DSS can lead to your merchant services provider (or the PCI itself) suspending your ability to process credit/debit cards, and also issuing you with a fine that can reach millions of dollars.</p>
<h2>Security Experts Are Here To Help</h2>
<p>The penalty notice published by the Information Commissioner's Office identified that the affected application had not undergone any security assessments since it was put into service.</p>
<p>Had the company had a security assessment of their application done before it was deployed, they would have discovered the SQL Injection issues and fixed them before anyone had the chance to exploit them.</p>
<p>People may think that security testing is an expensive waste of time, and that they don't need it - but it is often the only way security issues can be found (until of course, someone actually exploits them).</p>
<p>In the face of a £150,000 fine, plus any compensation claims or additional fines from other organisations, spending a few thousand pounds for someone to make sure that your systems and applications are as secure as possible seems like good value to me.</p>
<p>The post <a href="https://www.digipest.com/blog/if-you-build-it-they-will-come/">If You Build It, They Will Come</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CryptoLocker Takes Out Company Data</title>
		<link>https://www.digipest.com/blog/cryptolocker-takes-out-company-data/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Tue, 03 Jun 2014 13:57:06 +0000</pubDate>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[case study]]></category>
		<category><![CDATA[cryptolocker]]></category>
		<category><![CDATA[training]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=970</guid>

					<description><![CDATA[<p>In light of the recent news reports of the take over of the Command and Control servers for the Gameover Zeus botnet - and the potential resurgence of CryptoLocker. I thought it may be a good idea to publish this case study about just how devastating it can be if you find yourself a victim [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/cryptolocker-takes-out-company-data/">CryptoLocker Takes Out Company Data</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In light of the recent news reports of the takeover of the Command and Control servers for the Gameover Zeus botnet, and the potential resurgence of CryptoLocker, I thought it may be a good idea to publish this case study about just how devastating it can be if you find yourself a victim of it.</p>
<p><span id="more-970"></span></p>
<p>Back in November 2013, we were contacted by a company, at 5pm on a Friday, who said they had received a notification that all their files had been encrypted by a program calling itself 'CryptoLocker' and that they had to pay a ransom in order to get their files back. We agreed that we would come and look at the issue in the morning.</p>
<h2>Tick-Tock</h2>
<p>What they neglected to tell us was that CryptoLocker had given them a time limit, and that this had in fact happened a couple of days earlier. By the time we got there, we had just under an hour to figure out what could be done about it, after which CryptoLocker said it was going to delete the encryption key it had used, and the files would be permanently encrypted.</p>
<p>To make matters worse, we couldn't be sure that they had usable backups as they didn't seem to have any administrator credentials that would grant us access to the server.</p>
<p>Given these two facts, our initial recommendation was that they paid the ransom in the hope that CryptoLocker would do exactly what it claimed, and they would have their files back.</p>
<h2>Pay Up or Lose Your Files Forever?</h2>
<p>Now, CryptoLocker is a pretty scary example of this particular breed of malware (known as ransomware) in that it <em>does</em> actually do what it claims to have done.</p>
<p>When your machine is compromised by CryptoLocker it scans it (and every drive it can reach - this is an important fact I will get back to later) for specific file extensions (mainly important things like Office documents, Outlook Personal Folders, images, etc.) and then encrypts any it finds using industry-standard encryption.</p>
<p>CryptoLocker's use of real-world, proven encryption technology makes it impossible to mount a brute-force attack in an attempt to recover the key used (unless you happen to have a few supercomputers lying around) and therefore leaves you with two options: restore your files from a recent backup, or pay the ransom.</p>
<p>Needless to say, this particular client wasn't about to hand over £300 to some nameless criminal in the hope that they could get their files back - they said they had backups and that those were unaffected.</p>
<p>Upon finally gaining access to the server to <em>check</em> those backups, we discovered it had failed to back up anything for the last week, so their most recent backup of all their encrypted data was from the previous Friday.</p>
<p>Had this backup not existed, I would say that this particular company may have found it difficult to re-create <em>all</em> the compromised files from scratch.</p>
<h2>Mapped Network Drives and CryptoLocker</h2>
<p>CryptoLocker will encrypt files it finds on <em>any</em> drive it can access and, as this particular company found out, that includes shared folders on other machines that you have 'mapped' as drives on your machine.</p>
<p>Now, access permissions should protect any files on those drives from being overwritten (assuming they have been set correctly), but any files that the affected user can modify <em>will</em> be encrypted by CryptoLocker.</p>
<p>That, in essence, is what happened to this company: <strong>one</strong> user opened an e-mail attachment that put CryptoLocker on their laptop, which then quickly found and encrypted all the files on the company's network shares that this user had access to.</p>
<h2>It Only Takes One</h2>
<p>This company's data was rendered unusable in a matter of minutes through the actions of <em>one</em> employee. Their lack of understanding about what a phishing e-mail looks like, and how to properly deal with one, cost the company lost productivity, revenue and a lot of money to put right.</p>
<p>Had all staff at this company had even a basic level of security awareness training, chances are that, even though their anti-virus was out of date, CryptoLocker would never have been able to gain a foothold within the company, and their data would have remained safe.</p>
<h2>What Can You Do?</h2>
<p>If you're worried that you may not have a usable backup of your important data, <strong>make one now</strong>. You currently have two weeks in which the <a title="Two-week opportunity for UK to reduce threat from powerful computer attack" href="http://www.nationalcrimeagency.gov.uk/news/news-listings/386-two-week-opportunity-for-uk-to-reduce-threat-from-powerful-computer-attack" target="_blank">National Crime Agency</a> and other law enforcement agencies around the world expect there to be no threat from CryptoLocker.</p>
<p>Use this time to make sure that your computers are up to date, and that your backups work how you expect them to. You really don't want to find yourself a victim of CryptoLocker without a recent backup.</p>
<h3>Keep Your Backups Safe</h3>
<p>Once you have made a backup, <strong>disconnect</strong> the backup device from your computer. If you fall victim to CryptoLocker with the backup device still attached, it is likely to render it useless.</p>
<p>It is best to keep any backups off-site, so that if anything happens to your office, you still have a backup of your data in a safe location.</p>
<h3>Educate Your Staff</h3>
<p>You may have the most advanced security systems on the planet, but they are useless if an attacker can convince an employee on the <em>inside</em> to give them what they want.</p>
<p>Teaching your staff about security threats is your most cost-effective option. Turn your biggest security weakness into your company's greatest asset in the fight against cyber crime, and you'll be less of a target.</p>
<h3>Audit Your Access Controls</h3>
<p>If your users have access to shared network files, make sure that they only have the permissions they <em>need</em>. Giving your staff too much access to shared data could put your entire company at risk should a new member of staff fall victim to CryptoLocker.</p>
<p>Verifying that your staff only have the permissions they need will help you ensure that your important data is kept safe.</p>
<h2>We're Here to Help</h2>
<p>If you need more advice on how to properly ensure that your company is protected from threats like CryptoLocker, we are here to help.</p>
<p>We can provide you with a detailed analysis of just how vulnerable your systems may be to any potential attack, and give you advice on how to ensure that minimal disruption is caused should you actually fall victim to something like CryptoLocker.</p>
<p>We are also more than happy to come in and run a training session about CryptoLocker for your staff, so they know what to look out for.</p>
<p>If you would like to speak to us about any of this, please do not hesitate to <a title="Contact Us" href="http://www.digipest.com/contact-us">contact</a> us.</p>
<p>The post <a href="https://www.digipest.com/blog/cryptolocker-takes-out-company-data/">CryptoLocker Takes Out Company Data</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>eBay Breach Analysis &#038; Thoughts</title>
		<link>https://www.digipest.com/blog/ebay-breach-analysis-thoughts/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Thu, 29 May 2014 11:46:41 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[announcement]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[ebay]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=962</guid>

					<description><![CDATA[<p>eBay announced on Wednesday 21st May 2014 that they had suffered a significant breach of their user details database, which resulted in the personal details and hashed passwords of eBay users being compromised. It has since been revealed that the breach occurred between February and March 2014. What Took So Long? For a breach that [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/ebay-breach-analysis-thoughts/">eBay Breach Analysis &#038; Thoughts</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>eBay announced on Wednesday 21st May 2014 that they had suffered a significant breach of their user details database, which resulted in the personal details and hashed passwords of eBay users being compromised. It has since been revealed that the breach occurred between February and March 2014.</p>
<p><span id="more-962"></span></p>
<h2>What Took So Long?</h2>
<p>For a breach that took place months ago, the fact that eBay is only now asking users to change their passwords is extremely concerning. Whenever a security breach occurs, it is normally expected that the affected service makes its users aware of it, so they can change their passwords and keep an eye open for any issues.</p>
<p>Even though your initial investigation may lead you to believe that no personal data was compromised, it is always better to tell your users that you suffered a breach, and prepare them for the worst, rather than risk the level of condemnation that eBay has received due to its poor handling of the incident.</p>
<p>Your users place a large amount of trust in your ability to keep their information safe. Every time you suffer a security incident, you lose a significant amount of any trust you have built up. How much that ends up hurting your profits is directly related to the way you handle the incident.</p>
<p>While there may be legal reasons why you can't give your users all the details regarding any incident, not even telling them it has happened for months is a pretty big mistake to make. The sooner you reveal that you have suffered a security breach, the less time the individuals responsible have to use the information they have collected.</p>
<p>Given the fact that the majority of people tend to re-use the same passwords on multiple websites, the longer they believe their password is safe, the more danger they are in.</p>
<p>If you admit the security breach as soon as you discover it, you give your users a chance to get ahead of any issues that might result from them using that password elsewhere. This is a very important way to minimise any negative feeling your users may have.</p>
<h2>Why Wasn't All Personal Data Encrypted?</h2>
<p>eBay has stated that only the passwords stored in the compromised database were encrypted/hashed. My question (and that of several other security experts) is: why wasn't all the personal data encrypted?</p>
<p>eBay has said that they follow all data protection regulations regarding the storage of sensitive data like credit card numbers. The problem is, someone's name and address is also considered sensitive data (at least as far as the Data Protection Act is concerned).</p>
<p>The compromised database stored the names, addresses and dates of birth of all eBay's users. That information is all the vast majority of banks would require to prove you were the actual account holder.</p>
<p>Now I suspect I know the reason why eBay didn't encrypt all the data in that database: encryption is an expensive process, requires the server to devote significant time to processing the data, and maintaining a secure key store is a pain.</p>
<p>However, there are encryption-optimised hardware devices that can reduce the load on your servers, and make key management and distribution pretty painless.</p>
<h2>Were eBay's Internal Security Policies Strong Enough?</h2>
<p>The fact that this breach occurred due to the compromise of <em>internal credentials</em> makes me wonder how strong eBay's internal security policies are, and question the effectiveness of their security training programmes.</p>
<p>Now I know that enforcing security policies often comes at the expense of usability, and that after several complaints, an IT department is likely to relax some of the controls (I've been in that position myself) - but this shouldn't apply to anyone in a position to directly access your database servers.</p>
<p>I have said many times on this blog that staff security training is your <em>most</em> effective weapon against any attack: if your staff know what a malicious individual is likely to do, they can stop them.</p>
<p>The problem is, very few organisations' security awareness training goes far enough (if they indeed <em>have</em> any security awareness training programmes). They might tell new recruits about some of the more common threats during their induction training, but unless you continually refresh that knowledge (and update it as new attacks appear), your staff will very quickly forget what you told them.</p>
<p>Also, generic security awareness training won't fully protect your organisation; the programmes need to be tailored to <em>your</em> exact circumstances.</p>
<h2>How I Think eBay Should Have Handled It</h2>
<p>Firstly, this is <em>my</em> opinion, and is based in part on how similar incidents have been handled by other companies.</p>
<p>After discovering the breach, I would have issued a statement that alerted users to the possibility that their data had been compromised, and advised them to keep a look out for any unusual activity.</p>
<p>This may have been annoying for users, as no one likes being told to change their passwords - but it's better than leaving them under the impression that their data is safe <em>while</em> you investigate what was compromised. Those investigations are going to take a while, and during that time, the attackers will be attempting to crack any passwords they've stolen - and they will succeed in cracking and using quite a few before you realise they've got them.</p>
<p>I would then make sure that my password reset system hadn't also been compromised, and if necessary build a new one.</p>
<p>All in all, the only thing I would have done differently is change the time I notified users, which would have defused some of the backlash that eBay has had, as people would at least have been able to act a lot quicker than they have been able to.</p>
<p>Agree with my comments? Disagree? Leave a comment below and let me know your thoughts.</p>
<p>The post <a href="https://www.digipest.com/blog/ebay-breach-analysis-thoughts/">eBay Breach Analysis &#038; Thoughts</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Danger of the Internet of Things</title>
		<link>https://www.digipest.com/blog/danger-internet-things/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Thu, 06 Mar 2014 10:42:33 +0000</pubDate>
				<category><![CDATA[Thoughts]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=932</guid>

					<description><![CDATA[<p>Like it or not, the so called Internet of Things is here, and it's only just beginning. You can now buy Internet-connected versions of many major household appliances including your kettle, refrigerator, smoke alarm, thermostat and (if you've got the money to spare) systems for controlling your entire house. What's the Problem? Now, I'm the [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/danger-internet-things/">The Danger of the Internet of Things</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Like it or not, the so-called Internet of Things is here, and it's only just beginning. You can now buy Internet-connected versions of many major household appliances including your <a title="iKettle Wi-Fi Kettle is the 21st Century Teasmade" href="http://www.stuff.tv/ikettle-21st-century-teasmade/news" target="_blank">kettle</a>, <a title="Samsung Refrigerator with Wi-Fi and LCD Screen" href="http://www.samsung.com/us/appliances/refrigerators/RSG309AARS/XAA" target="_blank">refrigerator</a>, <a title="Nest Protect Smoke and CO Alarm" href="https://nest.com/smoke-co-alarm/life-with-nest-protect/" target="_blank">smoke alarm</a>, <a title="Nest Learning Thermostat" href="https://nest.com/thermostat/life-with-nest-thermostat/" target="_blank">thermostat</a> and (if you've got the money to spare) systems for controlling your <a title="Crestron Home Automation" href="http://www.crestron.com/markets/home_theater_and_whole_house_home_automation/" target="_blank">entire house</a>.<span id="more-932"></span></p>
<h2>What's the Problem?</h2>
<p>Now, I'm the first to admit that having an Internet-connected thermostat sounds like a brilliant idea in theory. However, as a security professional, I'm worried that such a device presents a significant risk to the security of my home.</p>
<p>Why? It's quite simple really. Should someone manage to link their smartphone with my Internet-connected thermostat, they could do a lot of things that might cause me problems:</p>
<ol>
<li>They can tell when there's no one in the house - as the thermostat automatically lowers the temperature when it stops detecting movement.</li>
<li>They could tell the thermostat to raise or lower the temperature - potentially putting the lives of people in the house at risk.</li>
</ol>
<p>Now I know that the designers of the Nest Learning Thermostat have built technology into the product to make the pairing process, and app communication, as secure as possible. However, if someone manages to get access to your Nest Account, they have access to all the devices connected to it <em>from</em> anywhere.</p>
<p>Internet-connected refrigerators have already been proven to be susceptible to attack, and have even been used to send spam e-mail messages. If this happened to your smoke alarm, could you really trust that it was protecting you?</p>
<h2>Why the Internet of Things is Such a Big Deal</h2>
<p>The Internet of Things has been talked about at length for years. However, it hasn't been until recently that we've had the technology to make the most of it.</p>
<p>The fact that whenever you install an Internet connection in your house these days, it is most likely distributed through some form of wireless network, has given consumer electronics manufacturers a way of connecting your appliances to the outside world more easily than ever before.</p>
<p>This ease of connectivity comes at a price though - your wireless network is only as secure as the passphrase that protects it. If that is easy for someone to guess, then everything connected to it becomes a target.</p>
<p>Now, this may not be such a big deal if your wireless network only has computers connected to it, that aren't switched on all the time. However, if you have started filling your house with "connected devices" (TVs, Blu-ray Players, etc.) then the risk posed by someone gaining access to your wireless network increases greatly.</p>
<h3>I Can See You</h3>
<p>If you have a new "Smart TV" that has a built-in web cam for example, it has already been <a title="Smart TV Security" href="https://blog.kaspersky.co.uk/smart-tv-security/" target="_blank">proven</a> that malicious individuals could get access to the camera and see what was happening in your house.</p>
<p>Even if all you have is a standard networked web cam to keep an eye on things you care about, several security researchers have <a title="Dan Tentler: Get Your Creep On" href="http://atenlabs.com/blog/get-your-creep-on/" target="_blank">shown</a> that most people do not set these up properly and that they can be accessed by <i>anyone</i>.</p>
<p>Now, is this purely a result of the Internet of Things crowd making us believe that we need all of our devices to have cameras so they can recognise us? I don't think so.</p>
<p>People have been installing cameras in their homes and offices, and connecting them to the Internet long before anyone ever heard of the Internet of Things - and they've been attacked and compromised but probably never knew about it.</p>
<p>If your office was broken into, would you instinctively look to see if someone had gained access to your surveillance system to find out where your security guards were (and make sure they didn't run into them)? Of course not, because you still think of your cameras the way traditional CCTV used to be: completely isolated and only accessible on-site.</p>
<p>This is because the companies that used to supply standard CCTV systems, that were only accessible on-site, started adding the ability for you to monitor your systems externally. The easiest way for them to do that was to make them accessible via something your company already had: an Internet connection.</p>
<p>It doesn't take a genius to see what happens to an inherently secure system when you connect it to something that is by its very nature <em>insecure</em>. Small hint: it is no longer secure.</p>
<h3>Is It Getting Hot In Here?</h3>
<p>Thermostats with interfaces you can access via a computer are also nothing new and people have still opened those up to the Internet at large, all in the name of convenience - without even stopping to think about what impact that will have.</p>
<p>Just because the thermostat on the wall of your meeting room has a web interface that allows you to control it remotely does not mean you should open up access to that interface from the Internet so you can control it from home should you forget to switch off the air conditioning.</p>
<p>If you are going to need to do that, at least make sure you make it accessible through your existing secure remote access technology, so someone just casually scanning the Internet doesn't find it.</p>
<h3>Let There Be Light</h3>
<p>One of the most bizarre things to appear as a result of the Internet of Things revolution is light bulbs that you can control from your smartphone.</p>
<p>Now, I can understand <em>why</em> you would want to control your lights with your smartphone. After all, you use it for practically everything, it's never too far from you, and light switches are so 20th century. However, you may want to stop and think about what could happen if someone else managed to gain control of your lights.</p>
<p>If someone else managed to gain control of your lighting system, they could probably only annoy you by turning the lights on in your bedroom while you're trying to sleep - or turn them off and <a title="Philips Hue Blackout Attack" href="http://www.theregister.co.uk/2013/08/14/switch_off_your_neighbours_lights_with_an_app/" target="_blank">stop</a> you from being able to turn them on again. However, if they could tell the light bulbs to switch on and off rapidly, they may well cause serious harm.</p>
<h2>Just How Far Will the Internet of Things Go?</h2>
<p>The problem with this new era of connected devices is that companies are constantly looking for ways to enable you to control everything from your smartphone, so I don't expect the Internet of Things train to stop any time soon. In fact, I expect that things are likely to get a lot worse.</p>
<p>Apple recently announced CarPlay, a system that enables car manufacturers to provide direct integration of iOS into their cars. This enables iPhone users to access their Messages, Maps, Contacts and many of their apps directly from something that is connected to the rest of their car.</p>
<p>Google is also working on a similar system for Android devices. However, I really hope that Google re-thinks its policy of allowing anyone to post apps to the Play Store if you can start running those apps on your car, as we already know that there is a large amount of malicious software available for Android devices purely because Google doesn't control the Play Store.</p>
<p>This is not to say that I think the Internet of Things is a bad concept, just that I feel that the companies creating all this new technology really need to start engaging with the security community so we can help them design the most secure systems possible.</p>
<p>The post <a href="https://www.digipest.com/blog/danger-internet-things/">The Danger of the Internet of Things</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New Year - New DigiPest</title>
		<link>https://www.digipest.com/blog/new-year-new-digipest/</link>
		
		<dc:creator><![CDATA[Chris Fairey]]></dc:creator>
		<pubDate>Tue, 07 Jan 2014 14:02:33 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[changes]]></category>
		<category><![CDATA[digipest]]></category>
		<category><![CDATA[services]]></category>
		<guid isPermaLink="false">http://www.digipest.com/?p=896</guid>

					<description><![CDATA[<p>We hope everyone had a good break and end to 2013. We're excited to announce that 2014 is going to bring some rather radical changes to DigiPest. New Services We have quietly provided many services to a select number of clients ever since we started back in 2011 (mainly because we already provided them with [&#8230;]</p>
<p>The post <a href="https://www.digipest.com/blog/new-year-new-digipest/">New Year - New DigiPest</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>We hope everyone had a good break and end to 2013. We're excited to announce that 2014 is going to bring some rather radical changes to DigiPest.<span id="more-896"></span></p>
<h2>New Services</h2>
<p>We have quietly provided many services to a select number of clients ever since we started back in 2011 (mainly because we already provided them with the services, and they wanted to continue to use us).</p>
<p>The big news for 2014 is that we are now making details of those <strong>public</strong>.</p>
<p>They include the little-known fact that, as well as being passionate about your computer security, we also have a wide range of additional experience to help you solve your current (and future) business challenges.</p>
<h3>Web Application Troubleshooting</h3>
<p>Are you having a problem with your WordPress installation that you haven't been able to solve on your own (or that your web designer can't get to the bottom of)?</p>
<p>If so, why not let us have a crack at it for you? We have in-depth knowledge of WordPress and many other common web applications, and can very often find and fix the issues that have eluded other people. If nothing else, it often helps to have a fresh pair of eyes take a look at the issue.</p>
<h3>Custom Application Development</h3>
<p>Does your business have a mass of data that you find it difficult to access and/or keep up-to-date?</p>
<p>Have you looked at existing software designed to solve your problems and found it doesn't quite meet your requirements?</p>
<p>If the answer to either of these is yes, you may benefit from having a custom application developed that enables you to access and control the data in the exact way you want, and it doesn't have to be as expensive as you may fear.</p>
<p>We will often develop a solution using tools that are Open Source, and therefore carry no licensing fees or other continual costs you may not be in a position to commit to.</p>
<p>If you already have a collection of bespoke software, we will (if possible) develop any new solutions using the technologies you already have the infrastructure to support, to save you having to maintain different environments.</p>
<h3>Web Server Management</h3>
<p>Is your website hosted on an un-managed server (where the hosting company expects you to perform normal server maintenance tasks)?</p>
<p>Many small businesses host their websites on such servers because they are the cheapest way to get the power and flexibility of a dedicated server without the overheads of purchasing physical hardware.</p>
<p>Many small businesses also don't have the skills in-house to perform the routine maintenance necessary to keep their server, and the software that runs on it, working correctly.</p>
<p>This can lead to anything from performance issues to significant security vulnerabilities going unpatched, leading to your website and/or server being compromised, damaging your company's reputation, and costing hundreds (sometimes thousands) of pounds to correct.</p>
<p>Given our security focus (which we are still maintaining) we can act as the technical contacts and management team for your web hosting, ensuring that software updates are installed as quickly as possible, and that the performance of your server doesn't degrade as the load on it increases.</p>
<h3>So Much More...</h3>
<p>Our experience in the technology industry covers a <em>lot</em> more than we could reasonably expect to fit into a blog post.</p>
<p>We haven't even touched on our Network Design and Installation expertise, or our knowledge of Voice over IP telephony, Digital Media Distribution/Encoding, Windows Server Management, Wireless Networking, and <em>many, many</em> other areas.</p>
<p>In short, if you are currently struggling with a technology issue, give us a call or drop us a message via our contact form, and we may be able to provide you with a solution.</p>
<h2>What Now?</h2>
<p>Over the next few weeks, the DigiPest website will be undergoing some major changes, including a complete re-design.</p>
<p>Once the website has been updated, there will be a follow-up post to this one, with details of how to locate more information on our services, and a collection of special offers that we will be running for a short period of time.</p>
<p>Our security services aren't going away - in fact, they're going to be at the core of all of the other services we're now offering (and there's an exciting new security service on the way, for those of you who want the power and peace of mind of a dedicated security department, without the need to hire the staff directly).</p>
<p>Stay tuned for more details - the easiest way to keep up-to-date with the changes is to follow us on <a title="DigiPest on Twitter" href="http://twitter.com/digipest" target="_blank">Twitter</a>, <a title="DigiPest on Facebook" href="https://www.facebook.com/digipest" target="_blank">Facebook</a> or <a title="DigiPest on Google+" href="https://plus.google.com/+Digipest" target="_blank">Google+</a>.</p>
<p>The post <a href="https://www.digipest.com/blog/new-year-new-digipest/">New Year - New DigiPest</a> appeared first on <a href="https://www.digipest.com">DigiPest</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
