As seen in the news, Microsoft has disclosed a significant security vulnerability affecting all supported versions of Internet Explorer.

Here is a link describing the vulnerability in depth: http://www.zdnet.com/microsoft-discloses-zero-day-in-all-versions-of-internet-explorer-7000028803/

The important takeaways are that Microsoft has not released a patch for the vulnerability at this time and that the vulnerability is already being exploited in limited, targeted attacks. It is a serious enough issue that the Dept of Homeland Security (through US-CERT) has released an advisory recommending that people not use Internet Explorer until it is patched. Also, since Windows XP is no longer supported by Microsoft, a patch for XP is not expected.

Most networks should have several layers of protection to mitigate exposure to the vulnerability. The first thing to note is that a user has to open a web page crafted to exploit the vulnerability in order for their PC to be attacked; simply using Internet Explorer on legitimate websites does not expose a user, unless one of those sites has itself been compromised or is serving malicious advertisements. The most common attack vector will likely be phishing emails that try to trick users into clicking a link that opens the attacker's page in IE. Tier1Net's McAfee Antispam/Antivirus service would quarantine those emails as spam and/or rewrite the URL to pass it through its ClickProtect proxy. So, even if the user clicked the link and opened it with IE, McAfee should block the URL from loading within the browser. Note that this layer only helps against links that arrive by email; it does not protect a user who reaches a malicious page some other way.

All that being said, Tier1Net recommends that Chrome or Firefox be used in place of Internet Explorer until a patch is released. Regarding Windows XP, since the patch is not expected to be made available to XP PCs, Tier1Net suggests installing Google Chrome on all XP PCs and setting it as the default browser. Tier1Net's Managed IT customers can have this process fully automated with no disruption to end users.

As always, please contact Tier1Net Support should you have any questions or concerns relating to this issue.

Earlier this week, a very serious vulnerability was publicly disclosed in the OpenSSL software library.  This vulnerability, dubbed "Heartbleed", has existed in released versions of OpenSSL for over two years.  Since its disclosure it has generated a lot of attention and driven thousands of websites and services into "patch mode."  Please read below for answers to some frequently asked questions regarding Heartbleed.

 

How Does Heartbleed Work?

Heartbleed (CVE-2014-0160) is a bug in the TLS "heartbeat" extension of OpenSSL versions 1.0.1 through 1.0.1f.  A heartbeat message carries a payload and a field stating how long that payload is.  The affected versions trust the length stated by the other side and never check it against the size of the message actually received, so an attacker can send a tiny heartbeat that claims a large payload and receive back up to 64 KB of the server's (or client's) process memory in reply.  The request can be repeated indefinitely, and exploitation leaves no trace in normal server logs.  The memory returned may contain the server's private SSL keys, with which an attacker can decrypt or "eavesdrop" on SSL-encrypted communications, as well as usernames, passwords, session cookies, and other confidential information that SSL was supposed to protect.

 

Who Does Heartbleed Affect?

In essence, Heartbleed affects everyone that uses the Internet.  But the action plan to safeguard against this vulnerability will vary based on if you’re a Business Owner who is managing an OpenSSL site or service, or if you’re just an Internet User.

 

How Can I Tell If I’ve Been Impacted?

Unfortunately, there is no way to know whether your OpenSSL website or service was targeted over the past two years, because an attack leaves nothing in ordinary server logs.  And while the likelihood may be low that your particular site or service was attacked, Tier1Net recommends taking all appropriate actions to safeguard against this vulnerability.  We have outlined these actions below.

 

What Should I Do?

From a Business Owner’s perspective, your priority is to ensure that traffic over your network is secure:

  1. Any business using OpenSSL 1.0.1 through 1.0.1f must update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension (the -DOPENSSL_NO_HEARTBEATS build option)
  2. Businesses should also generate a new private key and replace the certificate on their web server after moving to a fixed version of OpenSSL, and revoke the old certificate. A new certificate issued for the old key provides no protection if that key was already leaked
  3. Businesses should communicate to their clients/users if an OpenSSL vulnerability exists and when it has been "patched"
  4. As a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server's memory
  5. Lastly, businesses should wait for instructions from their vendors (SaaS, web host providers, third-party apps, etc.) on how to proceed.
  6. Businesses should not change their passwords at a vendor until that vendor has confirmed it is patched; a new password entered on a still-vulnerable service can be stolen just as easily as the old one.
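To make the "How Does Heartbleed Work?" explanation and the fix in step 1 concrete, the following is an added example written for this post; it is not OpenSSL's source code. It models the heartbeat record layout from RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding), a handler that behaves like OpenSSL 1.0.1 through 1.0.1f, and a handler with the bounds check that 1.0.1g added. The simulated process memory, the "hi" payload, the claimed length and the secret placed after the record are all constructed for the demonstration; the response-capacity guard exists only to keep the demo itself memory-safe and was not present in the real code.

```c
/* Added illustration, not OpenSSL's source: a cut-down model of the TLS
 * heartbeat handler (RFC 6520) showing the missing bounds check behind
 * Heartbleed (CVE-2014-0160) and the check that OpenSSL 1.0.1g added.
 * Record layout: type(1) | payload_length(2, big-endian) | payload | padding */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* RFC 6520: at least 16 bytes of padding */
#define MEM_SIZE    4096    /* simulated process memory for the demo */

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len,
                             uint8_t *resp, size_t resp_cap);

/* Encode a heartbeat request whose length field claims `claimed_len`
 * payload bytes while only `real_len` bytes are actually sent.
 * Returns the size the record layer really received. */
static size_t build_request(uint8_t *buf, uint16_t claimed_len,
                            const uint8_t *payload, size_t real_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, real_len);
    memset(buf + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Echo `payload` bytes starting at `src` into a response record. */
static size_t write_response(uint8_t *resp, const uint8_t *src, uint16_t payload)
{
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, src, payload);   /* copies whatever `src` points at */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* OpenSSL 1.0.1 - 1.0.1f behaviour: trusts the peer's length field and
 * never compares it with rec_len, so the copy runs past the record into
 * adjacent memory. The resp_cap test only keeps this demo memory-safe. */
static size_t hb_handle_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *resp, size_t resp_cap)
{
    uint16_t payload;
    (void)rec_len;                               /* the bug: length ignored */
    if (rec[0] != HB_REQUEST) return 0;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return 0;
    return write_response(resp, rec + 3, payload);
}

/* OpenSSL 1.0.1g behaviour: reject any request whose claimed payload,
 * plus header and minimum padding, exceeds what was actually received. */
static size_t hb_handle_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *resp, size_t resp_cap)
{
    uint16_t payload;
    if (rec_len < 3 + HB_PADDING) return 0;      /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > rec_len) return 0;   /* the fix */
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return 0;
    return write_response(resp, rec + 3, payload);
}

/* Portable byte-buffer substring search (memmem is not standard C). */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Send a request claiming `claimed` payload bytes but carrying only "hi",
 * with a constructed secret placed right after the record in memory.
 * Returns 1 if the handler's response echoed the secret back. */
static int secret_leaked(hb_handler handler, uint16_t claimed, const char *secret)
{
    uint8_t mem[MEM_SIZE] = {0}, resp[MEM_SIZE] = {0};
    size_t rec_len = build_request(mem, claimed, (const uint8_t *)"hi", 2);
    memcpy(mem + rec_len, secret, strlen(secret));   /* "adjacent" memory */
    size_t n = handler(mem, rec_len, resp, sizeof resp);
    return n > 0 && contains(resp, n, secret);
}

/* An honest request (claimed == real) must still be answered by the fixed
 * handler; returns the response length, or 0 if rejected. */
static size_t honest_response_len(hb_handler handler)
{
    uint8_t mem[MEM_SIZE] = {0}, resp[MEM_SIZE] = {0};
    size_t rec_len = build_request(mem, 2, (const uint8_t *)"hi", 2);
    return handler(mem, rec_len, resp, sizeof resp);
}

int main(void)
{
    const char *secret = "-----BEGIN RSA PRIVATE KEY----- (constructed)";
    printf("vulnerable handler leaked secret: %d\n",
           secret_leaked(hb_handle_vulnerable, 1024, secret));
    printf("fixed handler leaked secret:      %d\n",
           secret_leaked(hb_handle_fixed, 1024, secret));
    printf("fixed handler honest response:    %zu bytes\n",
           honest_response_len(hb_handle_fixed));
    return 0;
}
```

The only difference between the two handlers is the single comparison against the length actually received. In the real library the leaked bytes come from the heap rather than a stack buffer, and the "secret" is whatever the server last used that memory for, which is why private keys, passwords and session cookies all turned up in practice.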

From a general Internet User’s perspective, your priority is to change your passwords when prompted and monitor your online accounts closely:

  1. Internet Users should be aware that their data could have been seen by a third party if they used a vulnerable service provider
  2. Users should monitor any notices from the vendors they use (Facebook, Google, etc.).  Business Owners (Vendors) will likely suggest password resets.
  3. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so immediately.
  4. Users should not change their passwords before a vendor has instructed them to do so, since a new password entered on a still-vulnerable site can be captured the same way as the old one.
  5. Be wary of phishing emails from attackers asking you to update your password. To avoid landing on an impersonated website, type the official site domain yourself rather than following a link
  6. Follow CNET's Heartbleed Tracker to track which popular sites have patched the vulnerability.

 

What is Tier1Net doing?

Tier1Net has sent notices to its clients regarding the Heartbleed vulnerability.  Tier1Net's Professional Services clients do not use OpenSSL for their Windows Servers or certificates, so those devices are not vulnerable to this threat.  Tier1Net's web servers do not use OpenSSL for websites hosted on its backbone.

However, certain remote access devices, such as SonicWALL SSL-VPN appliances, ship with their own copy of OpenSSL and may need firmware upgrades and patches.

Tier1Net is in direct contact with Sonicwall and several other hardware/software manufacturers to review the vulnerable devices and to develop appropriate action plans.

Tier1Net is also actively conducting a thorough review of any other potential devices within its clients’ networks that may be affected by this vulnerability.

Though there is currently no evidence that this vulnerability was exploited before its disclosure, an attack would leave no trace, so Tier1Net recommends treating this vulnerability seriously and taking all appropriate security measures to protect yourself and your business.

 

For more information on the Heartbleed Vulnerability, please click the sources below:

 

http://heartbleed.com

http://www.symantec.com/connect/blogs/heartbleed-openssl-take-action-now

http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

As of April 8, 2014, support for Windows XP, including security updates and patches, will cease.

The lack of security updates will put Windows XP machines at significant risk of infection.  Without critical Windows XP security updates, machines running XP will remain vulnerable to viruses, spyware, and other malicious software that can steal or damage business data, and any new vulnerability found in XP after this date will stay unpatched permanently.  Antivirus software and network perimeter intrusion protection alone will not be sufficient protection against future security vulnerabilities discovered within the Windows XP operating system.

Businesses that adhere to strict regulatory guidelines (HIPAA for example) and continue to use Windows XP machines may find themselves out of compliance after April 8th.

Third-party applications and peripheral hardware are also likely to drop support for Windows XP after April 8th, leading to incompatibilities.

Tier1Net recommends replacing Windows XP machines with new devices running Windows 7 Professional or higher. 

Please contact Tier1Net for more information or assistance.

Regards,

Tier1Net, Inc.

 

Also retiring on April 8th: Microsoft Office 2003 will reach end-of-support on April 8, 2014.  Users are encouraged to upgrade to Office 2013.

 

Read more here:

http://windows.microsoft.com/en-us/windows/end-support-help

http://www.av-test.org/en/news/news-single-view/artikel/microsoft-puts-xp-in-the-firing-line/

 

“Tech Tax” Hits Massachusetts

Effective July 31st, the Massachusetts Department of Revenue is applying sales and use tax (6.25%) to previously untaxed computer/software services.  Known colloquially as the "tech tax," these newly taxable services include: the installation of computer systems (including servers, PCs, switches, firewalls, routers, etc.), the planning, consulting, or designing of computer systems, and the installation, modification, or adaptation of most software.  This new tax on technology services was written into the legislation An Act Relative to Transportation Finance, sections 48 and 49.

Unfairly targeting the Information Technology industry, and completely unrelated to transportation finance, this new "tech tax" legislation is poorly written, poorly timed, and, as many argue, too reminiscent of previously failed attempts in this state to impose sales tax on services.  Not to mention that it has a potentially crippling effect on small businesses in Massachusetts.

We are working with our state representative and local groups to petition the State to repeal, revise, or postpone this tax.  The Mass High Tech Council has teamed up with The Massachusetts Taxpayers Foundation to further push for a repeal.  There are also several blogs devoted to cataloging the repeal progress, including No Tech Tax and Repeal The IT Service Tax.  We recommend visiting both of those pages to join the repeal movement.

How the New “Tech Tax” Affects You

While Tier1Net is hoping that this tax is repealed, we also must remain compliant with current state law. The DOR has issued guidelines and a FAQ explaining the new taxable services versus non-taxable services. We will be using the DOR's guidelines in applying this new tax.

This means that any Computer/Software Services performed after July 31, 2013 and falling under the new taxable definitions set forth by the Massachusetts Department of Revenue will carry sales tax.

Most of our clients will first see the Computer/Software Services Sales Tax on their September 1st invoice.

What You Can Do

We understand the impact that this service tax will have on your business.  If you wish to join us in a repeal effort, we recommend any of the following:

>>Contacting your local state representative

>>Signing the online petition at http://www.change.org/petitions/massachusetts-state-legislature-repeal-the-tax-on-it-services

>> Sending your comments and concerns directly to the Massachusetts Department of Revenue at: rulesandregs@dor.state.ma.us

>>Learning more about this tax by following any of the sites above

As we learn more, we will be updating this blog.  Please let us know if you have any questions.

Tier1Net Team

 

After more than two weeks, Apple has finally acknowledged the iOS 6.1 bug and is promising a fix in an upcoming software update.

As reported earlier in the week, a critical compatibility error between Apple's iOS 6.1 and Microsoft's Exchange Server was putting major strain on Exchange servers' CPU usage and storage capacity. To mitigate risks to Exchange servers, suggested workarounds ranged from disabling Calendar sync on the affected devices to blocking their Exchange access altogether.

We advised our own clients to refrain from upgrading to iOS 6.1 (or 6.1.1). For those who had already upgraded, we advised them to temporarily disable Calendar syncing on their device, or at the very least, to restrict their mobile calendar use to "read-only" mode.

Apple has just released a Knowledge Base Article acknowledging the bug, and stating that they have “identified a fix and will make it available in an upcoming software update.”

We will let our clients know as soon as this update becomes available.

Attention Apple iOS 6.1 Users:

Within the last week, a potentially critical problem has been detected with the latest version of iOS (6.1) for iPhones/iPads with regard to syncing to an Exchange server.

Though not officially announced yet, many online reports, including first-hand instances from our own clients, confirm that mobile devices running iOS 6.1 are causing excessive transaction log growth on the Exchange server.  The affected devices get stuck in a continuous sync loop, and the resulting logs will eventually exhaust the Exchange server's disk space, causing your Exchange server to fail.

From Windows IT Pro:

Some forums have started to register problems with excessive growth of transaction logs for databases hosting the mailboxes of iOS devices that have been upgraded to iOS 6.1. For example, this note describes a situation where upgraded devices seemed to go into a loop and ended up generating some 50 GB of transaction logs.

 
At this point, the problem is believed to be isolated to the synchronization of Calendar items.  It is also isolated to devices running iOS 6.1.  Devices running iOS 6.0 or earlier versions are not affected.

Unfortunately there is no fix for the problem at this time (from either Apple or Microsoft).

From ZDNET:

Until the bug is fixed, corporate users are advised to not upgrade to iOS 6.1. For users who have already upgraded, though, there is no way to revert to the previous version. IT administrators have no control over when their BYOD users upgrade, so many of them have resorted to blocking iOS 6.1 from accessing Exchange as a temporary mitigation to prevent server outages for everybody else.

 
Some corporations are already taking precautions against potential Exchange failures by disabling all mobile device ActiveSync access.  However, this will prevent users from using any Exchange-related functions on their mobile device, including all email functions, calendaring, etc.

Prior to taking this step, Tier1Net recommends the following actions:

Recommended Actions for Users on iOS 6.1:

If you have upgraded, please remove calendar synchronization by performing the following steps.

  1. From your mobile device, confirm your iOS version by going to Settings > General > About and scrolling down to Version.
  2. If your iOS version is 6.1, remove calendar synchronization by going to Settings > Mail, Contacts, Calendars, selecting your Exchange account, sliding Calendars to the Off position, and choosing Delete from my iPhone. This removes the copy of your calendar from the device.

Please note that this will REMOVE your Exchange Calendar from your mobile device.

If your company is running a recent version of Microsoft Exchange, Tier1Net can produce a list of all devices currently upgraded to iOS 6.1 from the server's ActiveSync device records. Please contact us if you would like us to compile this list of devices for you.

Additionally, Tier1Net recommends that you immediately notify all employees to REFRAIN FROM UPGRADING their iPhone/iPad to iOS 6.1 until further notice.

If one of your users is running iOS6.1 and cannot effectively work without viewing their mobile calendar, please contact us for a potential work-around.

Meanwhile, we will continue monitoring your Exchange server for excessive logging.  If excessive logging continues from any particular device, Tier1Net will have to disable ActiveSync for that mobile device.  Removing ActiveSync access will disable all Exchange access from that device (mail, calendar, etc.).

UPDATE: Apple has just released iOS version 6.1.1, but it does not appear to address the excessive logging issue. At this time, we still recommend taking the above precautions and refraining from upgrading.

UPDATE: Microsoft has released a Knowledge Base Article confirming the excessive logging threat and stating “Apple and Microsoft are investigating this issue. We will post more information in this article when the information becomes available.”

Please let us know if you have any questions.

Tier1Net Team