Friday, October 15, 2010

Your 2nd FREE Keyboard Shortcut Chart - Download it Now!

In September, we delivered the first edition of our free Keyboard Shortcut Chart. This was a generalist shortcut chart to assist users in enhancing their experience of Windows 7. This month we have featured a selection of the best and most frequently used keyboard shortcuts that are suited specifically to Microsoft Excel 2010.

Print your chart out, hang it on your wall or notice-board for easy reference, share the chart amongst your colleagues and friends or even file for future reference, but whatever you do, be sure not to miss a single issue of our newsletter so that you add to your collection of valuable shortcut charts!

Please click on the link below to download your MMC Keyboard Shortcut Chart.

IT Personality Types: 8 Profiles in Geekdom

Forget Myers-Briggs. Here are the true archetypes that underlie the IT breed

In the workplace you'll generally meet three kinds of personalities: Type A, Type B, and Type IT. The last are a breed apart from the rest.

We're not sure what it is about technology that draws certain types of people while repelling others. Maybe it's all those electrons spinning through millions of miles of circuitry; maybe it's just the lack of sunlight and human interaction.

In any case we've identified the eight classic personality types you'll find in virtually any reasonably sized IT department. Some are suits who've been exiled to IT against their will or sharks who would happily sell ice to the Inuits once they got done selling sand to the Saudis. Others are of the more typical geek persuasion -- from scary system administrators and angry support drones to those who'd rather blend into the shadows or do their best to shoot down any project that ventures inside their crosshairs.

We bet many -- if not all -- reside in a nearby cubicle at this very moment. Consider this your field guide to the flora and fauna of your work life.

IT personality type No. 1: The Empty Suit

Job title(s): Department manager, business analyst

Profile: Hired to be a liaison between top-level management and the techies -- with whom top-level management, or anyone on the business side, would rather not deal directly. Acts as a go-between during client visits to keep the geeks at a safe distance. Has memorized most of the important acronyms and mastered the art of nodding knowingly in meetings and then surfing Wikipedia afterward to find out what everyone was talking about. May possess an MBA from a dubious online university.

"This guy may not be the most detailed thinker, but he's the most popular guy on the team -- and he would agree," says Tim Jewell, CTO at Data Deposit Box, which provides online backup services for SMBs. "If you're looking for some fun, ask him a complex technical question and watch him wiggle around the room. Despite this, he's the only one who can talk to customers because he has verbal ability and may actually care about what the end-user has to say."

Despite making him the butt of inside tech jokes, the geeks at times flock to him because he's the only one in the department with a remote chance of picking up chicks, Jewell adds.
  • Hobbies: Picking up chicks
  • Last book read: "The ClueTrain Manifesto" (Cliff Notes only)
  • Greatest accomplishment: Consistently losing at golf to the C-level executives, despite possessing a single-digit handicap
  • Identifying marks: Cheap knockoffs of Brooks Brothers suits
  • Role model: Michael Dell
  • Most resembles: Michael Scott (Steve Carell) in "The Office"

IT personality type No. 2: The Scary Sys Admin

Job title(s): Network administrator, database administrator

Profile: Your company can't run without him -- and he knows it. Fortunately, he likes dealing with machines far more than people, so you can rest easy, confident that he spends way more time keeping your systems up and running than may even be necessary. Friends? Who needs friends? That's why God invented computers.

"This is the person on the team who will agree to do the 48-hour server upgrade on the weekend and have everything up and running by 6 a.m. Monday -- all for two extra-large pizzas and a case of Red Bull," says Jewell. "He's very helpful around the office because people interact with him -- unlike his dolls at home."

But get on his bad side, warns Jewell, and you'll find yourself swiftly locked out of all your computer accounts -- and possibly your home and your bank accounts as well.
  • Hobbies: Getting certifications; writing network security subroutines in binary code to safeguard logic bombs or surreptitious SQL queries to the HR database
  • Last book read: "Get Even: The Complete Book of Dirty Tricks"
  • Greatest accomplishment: Holding the network hostage by refusing to release passwords to the Empty Suit
  • Identifying marks: Handcuffs and an orange jumpsuit
  • Role model: Terry Childs
  • Most resembles: Terry Childs

IT personality type No. 3: The Human Roadblock

Job title(s): Software developer, enterprise architect, systems administrator

Profile: No matter what task or project is presented, the Human Roadblock responds in exactly the same manner: It can't be done. This is then followed by a painfully detailed list of all the reasons why this task or project will cost too much, deliver too little, and can't be implemented in anything resembling the proposed time frame. And, oh yeah: It was a stupid idea to begin with.

"This individual presents this feedback under the auspices of being the only 'rational voice' in the room," says Travis Van, co-founder of ITDatabase, a research tool for IT professionals. "The points may often be valid, but typically lead to 'paralysis by analysis' for the development group -- when a more optimistic look at 'what's possible' would have been preferable to their predictable laundry list of 'why this is not possible'."
  • Hobbies: Complaining
  • Last book read: "I Hate This Place: The Pessimist's Guide to Life"
  • Greatest accomplishment: Not accomplishing anything of note since 1979
  • Identifying marks: Knit shirt with collar, khakis; still carries a slide rule
  • Role model: Eeyore
  • Most resembles: Marvin the Paranoid Android from "The Hitchhiker's Guide to the Galaxy"

IT personality type No. 4: The Angry Support Drone

Job title(s): Support tech (what else?)

Profile: Hired to schlep from desk to desk fixing the computers of people deemed unworthy of their time. Will do what you ask, and not one iota more. Know more than you do about computers -- a point they manage to work into virtually every conversation -- but not really interested in sharing useful information. Might otherwise be flipping burgers if they could be trusted to handle sharp instruments around other humans.

"The IT support position in a startup is invested with near magical skills from the perspective of peers and yet manages to consistently disappoint 90 percent of the people he deals with," says Don Rainey, general partner at VC firm Grotech Ventures.

So they'll install that printer you asked for, but they won't test to see that it works correctly. Why not? Because you only asked them to install it. And if you question their abilities or work ethic, prepare for the consequences.

"These people are like the Energizer Bunny of anger," Rainey says. "Maybe it's the line of work, or it's because they're the starting point of a feedback loop for whatever is going wrong with the product or customers. But in any case, the Angry Support Drone can create a special kind of crisis."
  • Hobbies: Guns, shooting, random acts of violence
  • Last book read: "What Color is Your Parachute?" (unfinished)
  • Greatest accomplishment: Halo triple kill
  • Identifying marks: Permanent scowl, pair of Nikes circa 1982
  • Role model: William "D-fens" Foster (Michael Douglas) in "Falling Down"
  • Most resembles: Milton Waddams (Stephen Root) in "Office Space"

IT personality type No. 5: The Übergeek

Job title(s): Software engineer, senior programmer

Profile: Fiercely intelligent, stubbornly logical, and disturbingly anti-social. In other words, what most people think of when asked to describe a techie. In Myers-Briggs nomenclature, the Übergeek would be classified INTJ -- an introverted, intuitive-thinking, and judging person -- says Beth Armknecht Miller, co-founder of Executive Velocity, a professional coaching service. If the Übergeek absolutely must communicate with beings of inferior intelligence (i.e., you), she would rather do it by e-mail. But if she can avoid all human contact, that's OK, too.

"I call this type 'Mr. Artiste,'" says Don Rainey. "He is creating software -- sometimes the company's core product or hope for future success -- and he isn't limited by the contents of the requirements document. He isn't limited by it because he isn't reading it. He is creating, damn it, and brings his own vision. Plus, staying consistent with his vision keeps him closer to his imaginary specification with its imaginary time line -- and yes, he's on schedule."
  • Hobbies: What are these things you call hobbies?
  • Last book read: "Code: The Hidden Language of Computer Hardware and Software"
  • Greatest accomplishment: Completely rewriting and debugging every line of system code without anyone noticing
  • Identifying marks: Sometimes confuses real life with Second Life; unconscious "air typing"
  • Role model: Mr. Spock
  • Most resembles: Dr. Sheldon Cooper (Jim Parsons) from "Big Bang Theory"

IT personality type No. 6: The OS Fanboy

Job title(s): Help desk, support tech, programmer

Profile: There is only one true path -- and, more important, only one true operating system -- for this person. All nonbelievers are heretics whose tech needs will be quietly ignored. Though most commonly associated with Apple products, often aligned with Windows or, more likely, Linux -- the more obscure the distro, the better. Every conversation ends with a discussion of why their OS of choice is superior, despite the fact that your company doesn't use it. Actually solving your problem with the OS at hand is an afterthought.

"The 'I'm really an Apple fan' is misplaced in the IT world," says Kevin Lightfoot, vice president of Affiliated Computer Services, a managed services company. "He or she really should be focusing on Apple products but, because of poor career decisions, is forced to support your desktop needs. Their lack of aptitude always leaves your computer performing slower and with more bugs than it did when you first called the help desk."

"The Serious IT Guy wants nothing to do with your toy Macintosh or Linux machine," counters Brian Dunning, technical editor for FileMaker Advisor magazine. "He's a Microsoft-certified engineer all the way, and he'll stand for no tomfoolery. If you're experiencing any kind of a problem or you have a question, it's your fault for not following strict Microsoft security guidelines and published Best Practices. Since nobody actually does all of those things, nothing is ever his fault."
  • Hobbies: Posting angry point-by-point rebuttals in the comments to online articles criticizing his/her OS of choice.
  • Last book read: None; only reads blogs about his/her favorite OS
  • Greatest accomplishment: Jailbreaking an iPhone, sticking with Windows Vista, taking complete editorial control over the Ubuntu wiki
  • Identifying marks: White ear buds, non-ironic Microsoft Bob T-shirt, stuffed penguin
  • Role models: Steve Wozniak, Bill Gates, Linus Torvalds
  • Most resembles: Genius Bar lackey, Steve Ballmer, a stuffed penguin

IT personality type No. 7: The Promiser

Job title(s): Outbound sales, business development

Profile: There is nothing this person won't say to close a deal. You want features the original product was never designed to deliver? Done. You need it within six months? The Promiser will get it to you in three. Of course, he or she doesn't have to deliver anything -- that's a job for the developers. Delays, cost overruns, and impossible feature-set requirements are all someone else's headache. On the Insights Discovery Wheel, the Promiser would fall into the "Fiery Red" quadrant.

"The Promiser does not appreciate erratic emotional outbursts if they get in the way of getting things done," says Jewell. "A master strategist, he is a born leader and doesn't like to be told what to do; instead, he'll tell you what to do. He's the guy who will tell the customer the code can be written flawlessly in two months when he knows it will take six -- and then work the team until they drop and do it all over again on the next project. But you're thankful he's on the team because if it wasn't for him, you wouldn't be the star team you are."
  • Hobbies: Golf, Michelob Ultra
  • Last book read: "The Art of War" by Sun Tzu
  • Greatest accomplishment: Closing a multimillion-dollar enterprise software deal using a demo downloaded off the Internet
  • Identifying marks: Starched button-down blue oxford, used car salesman smile
  • Role model: Blake (Alec Baldwin) in "Glengarry Glen Ross"
  • Most resembles: Jack Donaghy (Alec Baldwin) in "30 Rock"

IT personality type No. 8: The Shadow

Job title(s): Unknown

Profile: It's not my problem, it's not my job, it's not my fault -- that's the mantra of the Shadow, who somehow manages to take up space in the IT department (and on the payroll) without actually filling it. No one's sure what the Shadow does, mostly because he or she has become expert at doing as little as possible. Over time, the Shadow may be handed management responsibilities, at which point this individual morphs into the Human Roadblock.

"The Shadow knows everything that's happening around the office, ignores it, and is very happy that way," says Deborah J. Graham, senior programmer/analyst for a teaching hospital in Massachusetts. "This person doesn't report anything bad happening for fear of the paperwork and making it his or her 'responsibility' to fix, and avoids additional responsibilities by declaring -- so everyone around can hear -- that the job/task/problem is not his or her job."

And when things go wrong, says Graham, the Shadow is quick to point the finger elsewhere: "They're always able to find someone else to blame, no matter how shaky a relationship between cause and effect. The Shadow is never the one to take the heat."
  • Hobbies: Selling decommissioned company hardware on eBay during "breaks"
  • Last book read: "Ninjutsu: The Art of Invisibility"
  • Greatest accomplishment: Taking a month-long vacation without the boss noticing
  • Identifying marks: None, because the invisible don't have any
  • Role model: Sergeant Schultz (the late John Banner) in "Hogan's Heroes"
  • Most resembles: An unidentified cell in a payroll database

InfoWorld.com

5 Tips For a Smooth Windows 7 Migration

The move to Microsoft's Windows 7 will be one of the biggest technology migrations in years, so it's important to get it right.

"This is a once-in-a-decade movement," IDC analyst Al Gillen says. "People that move to Windows 7 can expect to be on Windows 7 for a pretty long life cycle, much like we have with XP today. So whatever you do, and whatever decisions you make are decisions you're going to have to live with for a long time."

But many organizations face problems because of insufficient planning. According to a Gartner report, most organizations undergoing Windows migrations "underestimate how long it will take them to test applications and fix problems; don't build a business case or properly track the benefits of their projects; and allocate insufficient time for their pilot."

There are probably too many Windows 7 migration issues to list in a single article. But here are five tips to help you on the path to Microsoft's latest operating system.

1. Virtualize applications and user settings

Desktop virtualization commands much of the attention in the IT market today, with some vendors saying the technology will ease migration to Windows 7. But this isn't the only type of virtualization that can make Windows 7 upgrades and future OS migrations easier than they might otherwise be.

Two technologies to consider are application virtualization and user virtualization. Nik Gibson, the enterprise desktop practice leader at Forsythe, a technology consulting firm, has worked with many large enterprises on virtualization projects, and says it's often easier to virtualize applications than desktops. "We see that a lot. It takes longer to virtualize the desktops than the applications," he says. "The desktops are more unique," with various use cases depending on the employee.

Gibson says "virtualize your applications" is the first tip he would give to customers planning a large Windows 7 migration. "And that just makes sense," he says. "If you can decouple your applications from the base operating system, it's going to be easier to migrate that operating system."

Application virtualization will not only aid the current move to Windows 7, it will also make future upgrades to Windows 8 easier too, IDC's Gillen says.

Application virtualization isn't exactly new, but has undergone a bit of a marketing makeover in the past few years. What Citrix used to call its Presentation Server product for application streaming is now referred to as XenApp and labeled a "virtualization" technology. VMware's ThinApp, based on technology acquired in 2008, is another option in this market.

But application virtualization won't help move each user's personal data and settings from one OS to another. That's where user virtualization comes in. Software such as VMware's RTO and AppSense's user virtualization product will take a user's profile, data files and settings, and move them easily from one machine to another, for example from a Windows XP computer to one with Windows 7, Gibson says.

User virtualization is still maturing, though. Although VMware acquired RTO technology in February, it has not yet integrated the software into its desktop virtualization product.

Microsoft itself offers a User State Migration Tool to ensure that user settings and files survive OS upgrades. AppSense technology is on the market, and can be used for Windows 7 migrations both on physical PCs and in conjunction with virtual deployments. Another user migration toolkit is available from Tranxition, which can also be used for migrations involving either physical or virtual desktops.

2. Test applications to prepare for potential incompatibility

In a Gartner report titled "Pitfalls to Avoid on the Road to Windows 7 and Office 2010 Migration," analyst Michael Silver says organizations need to test applications on Windows 7 to make sure they will run and also determine whether the makers of the applications will support them on Windows 7.

"Most organizations have more applications than they know about that users consider to be important or critical," Silver writes. "Many organizations that have tested applications for Vista believe that these programs will run with Windows 7, but ISVs often limit support to specific versions."

For critical applications, which may carry financial and legal risks if they fail, "lack of ISV support may represent too much risk to move to Windows 7," he writes. A decade ago, "Windows 2000 Professional broke a lot of applications," Gillen says.

With Windows XP, Microsoft created some compatibility tools to run earlier applications. But if an application made it onto XP only because of the compatibility tools, there's no guarantee it will run on Windows 7, Gillen says.

Complicating matters even further is that some customers use Web-based applications that work only on Internet Explorer 6, an out-of-date Web browser that is two releases behind the IE8 that comes pre-installed on Windows 7.

Some companies are spending money to buy new applications or upgrade existing ones so they will work with Windows 7 or new versions of Internet Explorer. Although expensive, this is often the best long-term approach.

"Our research tells us customers are very much looking forward to Windows 7," Gillen says. "They realize it's not going to be a completely smooth transition. The life cycle is over on XP and customers get that."

3. Use Windows XP Mode -- but not for long

Not every application has to make the move to Windows 7 immediately. That's because virtualization technologies let older applications run on guest operating systems. Microsoft's virtualization technologies include Windows Virtual PC, MED-V (Microsoft Enterprise Desktop Virtualization) and the related Windows XP mode, which lets you run a virtual instance of XP on a Windows 7 desktop.

"It's a definite option for people," but is usually not the first choice for a widely used application, says Nortec consultant Tim McGilvery. "It usually is one or two users."

XP Mode is a surefire way of supporting XP-based applications on Windows 7, but Gillen says it shouldn't be used as a long-term solution. Rather, it should simply be used to ease the transition between XP and Windows 7.

Challenges include the fact that "you have two operating systems to manage and be responsible for," Gillen says. "If you're running XP Mode, it doesn't take away the fact that the base operating system is out of Mainstream Support. It solves the short-term compatibility problem, but it doesn't solve the long-term migration problem."

Microsoft recently ended support for Windows XP Service Pack 2. Service Pack 3 is eligible for support until April 2014, but only for "Extended Support," rather than the more comprehensive Mainstream Support.

4. Get your licensing straight

OS migrations can be costly. Gartner estimates that moving from Windows 2000 or XP to Windows 7 costs between $1,035 and $1,930 per user, while an upgrade from Vista to Windows 7 costs $339 to $510 per user.

The Gartner cost model is based on 2,500 users and involves many factors including labor, training, systems integration, application development and hardware acquisitions. The difference between migrations from XP and from Vista is explained by extra costs related to testing and fixing applications and replacing hardware. (A machine that runs Windows Vista could be upgraded to Windows 7, and applications that run on Vista can likely operate on Windows 7).

The cost of Windows licenses is part of the Gartner equation, and has also been examined in detail by Directions on Microsoft analyst Paul DeGroot.

DeGroot says in a worst-case scenario, customers can pay three times for the same Windows license -- once for the OEM license that comes with a physical desktop pre-installed with Windows; once for an "upgrade license" as part of a volume licensing plan, and once again for Software Assurance, which guarantees access to new software versions.

Windows 7 Enterprise is available only to Software Assurance (SA) customers, so avoiding that payment is difficult. But there are a few strategies to consider, DeGroot said in a recent Network World article titled "5 tips for managing Microsoft licensing costs."

Customers can purchase the "Open License," which lets them buy Software Assurance for two years rather than three. Although SA rights will expire after two years, the customer has the right to use Windows 7 Enterprise indefinitely. Microsoft's "Select" agreements also offer discounts by letting customers purchase Software Assurance for terms shorter than three years.

Customers should remember it's always smart to negotiate, particularly when certain portions of Microsoft licensing agreements seem inflexible. Analysts say Microsoft is often willing to give discounts, particularly to large customers with thousands of desktops.

5. Plan ahead -- and then plan some more

This may seem too obvious for words, but Windows 7 migrations require a significant amount of planning. Unfortunately, IT organizations all too often fall short in this area, according to Gartner. Windows 7 pilots should last at least three months and include a first phase for pushing Windows 7 out to a group of users to ensure that all applications work; a second phase to improve the deployment process; and a third phase focusing on education and support.

"Many enterprises plan pilots as short as a few weeks," Gartner's Michael Silver writes. "Shortening the pilot increases risk significantly and often results in logistical and compatibility problems during deployment, which makes the project look less successful to the users. A project the user community deems unsuccessful cannot be considered a success by the IT department."

One organization that takes this advice to heart is Del Monte Foods, a San Francisco-based food production and distribution company, which plans to upgrade 3,000 business users to Windows 7 over three years.

David Glenn, director of enterprise operations for Del Monte, says his company is piloting Windows 7 within its IT organization, representing 140 users across the country. Network testing is one of the key factors. Del Monte is examining how various applications perform over different network connections, and is in general finding good results.

"Windows 7 does offer a lot more stability and performance capabilities than XP did," he says.

If your company is still primarily a Windows XP shop, it's time to start planning for Windows 7 now even if you don't plan to upgrade all desktops immediately. XP support ends in 2014 but software vendors are "unlikely to support new versions of applications on Windows XP starting in 2011 [and] by 2012 it will be common," Gartner says. By 2013, few new PCs will include Windows XP drivers.

Microsoft is technically offering Windows XP "downgrade rights" until 2020, but for the reasons stated above few businesses are likely to take that option.

The speed of a company's Windows 7 migration will vary based on the age of its hardware, whether it is running on XP or Vista, the types of users it has and other factors including the length of its typi

Moving from Vista to Windows 7 should be a lot easier than moving from XP because of application compatibility, Gillen says. "If you've already deployed Vista, you've done 95% of the work," he says. Although most OS refreshes occur when companies roll out new PCs, it's only practical for a company with Vista PCs to upgrade those same PCs to Windows 7.

Regardless of whether the upgrade happens over the course of a few months or is phased in over a couple of years, planning should happen far in advance and IT departments should consider all the new technologies that make desktop management more efficient, including desktop virtualization.

Instead of simply porting existing applications to Windows 7 and "recreating the architecture you've lived with for the last decade," Gillen says "my advice to customers is to seriously consider all the options they have."

The goal is to make the end user migration quick and easy, but "it's not a quick process for the IT department," Gillen says.

Network World
 

How To Recruit And Hire Millennial Tech Employees

Dice.com CEO suggests ways that Millennials will continue to affect the workforce.

The Millennial generation increasingly streaming into the workforce is less focused on money and more on being challenged and contributing to the larger good, preferably at a job where technology is important to the overall operation and where it's acceptable to chat with friends via instant messaging and Facebook.

"This is the generation that wrote term papers while IMing and chatting on Facebook," said Scot Melland, CEO of Dice.com, a career website for technology and engineering professionals and their employees. "This is the ultimate multitasking generation we've seen so far." 

Millennials are loosely defined as those born after 1980, who hit their 20s in 2000, and although they currently make up only about 15 percent of the U.S. workforce, as that percentage climbs, recruiters and prospective employers will find notable differences from other generations, Melland said.

"Generations, like people, have personalities, and Millennials ... have begun to forge theirs: confident, self-expressive, liberal, upbeat and open to change," found a major study of Millennials from The Pew Charitable Trusts, which is amassing a growing body of research and issuing reports about that generation. "They are history's first 'always connected' generation. Steeped in digital technology and social media, they treat their multi-tasking, hand-held gadgets almost like a body part -- for better and worse."

On the better side of the equation, at least as far as employers are concerned, Melland said that Millennials ask of prospective jobs, "is it challenging and is it giving back to the greater good -- these are admirable qualities." Those job attributes are far more important to this generation than a big paycheck, he added, but that presents a challenge for job recruiters.

"This is not just about putting up job postings and making people aware of your opportunities. You really have to sell them," he said. "It's a whole lot more work" for recruiters and employers to appeal to a generation that is focused on relationship building and social networks.

To that end, Melland is encouraging employers to establish a strong presence at sites like his, but also at Facebook -- that social media site came up again and again in a half-hour interview with Melland. Millennials also are more likely to be attracted to companies with well-developed corporate websites, regardless of the size of the business.

"We think the best way to reach them for recruiting is through the Internet and online because that's what they're accustomed to," he said. 

On the flip side, employers and recruiters that check out information about job candidates at social media sites and personal blogs are likely to encounter information about religious beliefs, sexual orientation and other potential landmines. "When they go and they look at candidates at individual sites, we counsel them to be very careful because they may be exposed to information early on in the recruiting and hiring process that may be inappropriate" for them to have knowledge of, Melland said.

Oddly, for a group as Internet-savvy as Millennials, recent research has found that while the vast majority of employers use information they glean from social networking and other sites to evaluate candidates, only a small fraction of those candidates figured that prospective employers would be doing that, Melland said.

"Really, it was such a disconnect," he said, adding that he believes "they will definitely learn." 

Other Pew research released in July, though, found that technology experts believe that Millennials will continue to share such personal details of their lives even as they age. Perhaps this suggests a way in which Millennials will influence and change the workplace and society, though at this juncture looking that far ahead is just guesswork.

Meanwhile, Melland suggested that employers who hire Millennials should focus on "continually reinforcing with them how their role adds to the success of the overall organization. They seem very sensitive to becoming a small cog in a big machine. They don't like being a small cog. ... They're less hierarchical. They believe they should be able to tap into senior people."

As part of that, Millennials are proving to be a generation that thrives on being mentored and coached. "When you coach someone or mentor someone, that tells them that they're special," Melland said. 

While Millennials are proving amenable to tapping into the knowledge of those who have more experience, their expertise also should be tapped in return, Melland said.

His advice to employers: "First, use what these kids know. They are a window into how the market is changing. They are the early adopters of the Web technologies and the mobile technologies and the social networks. Use their knowledge to help you with your business."

IDG News Service

How To Keep Employees from Stealing Intellectual Property

Your data is your business. And if you're not vigilant about your employees' access to that data, you're going to end up out of business. That's the advice of Patricia Titus, current CISO of Unisys and former CISO of the Transportation Security Administration.

Titus has first-hand knowledge of the insider threat in both the public and private sectors. We interviewed Titus about how she is managing this risk at Unisys through a combination of new technology and end user education. Here are excerpts from our conversation.

What trends are you seeing regarding the insider threat?

Probably the biggest problem is the consumerization of IT and the newer technologies which allow mobilization. While it increases efficiency, it also creates opportunity. As you start rolling out mobile applications, you want to get information into the right hands, but perhaps your access control isn't as good as it should be.

Do CISOs and CIOs realize what a big threat insiders are versus outside hackers?

Actually, we do. We do recognize the issues with our employees and data access, and that access management is a big problem. It's a problem in the public sector, and it's a problem in the private sector. Probably we are more focused on it in the private sector because data loss can be so damaging. We are spending resources to protect against the insider threat because of the amount of intellectual property we have and how valuable that information is outside the country. Especially for systems integrators like Unisys, the opportunity for employees to walk out of the building with our intellectual property so they can use it on the next contractor is quite great. There's a lot of right-sizing and a lot of transition in companies. Humans are creatures of habit, and as you try to change organizations to be more efficient, employees are unhappy. They might have access to HR information, and somebody forgot to remove their access. Employees are looking at an opportunity and thinking they won't get caught. CISOs and CIOs recognize this threat and are implementing those technologies that will catch the nefarious actors.

What technologies are CISOs deploying to address the insider threat?

One that we're getting ready to deploy is data-loss prevention technologies. The other is making sure that you are really looking at your access controls, to see who has access to what system and do they have the authority. That can be laborious, but it's critical. Lots of companies do an annual re-assessment of access control. We're finding out at Unisys that we're going to have to do it more frequently based on employee turnover. You need to make sure that you've got your applications tied to your Active Directory and make sure that your access is behind firewalls so that when you remove a person's domain, you remove their access to everything.

Which of these technologies is Unisys deploying?

We have integrated access cards, our Stealth product, data-in-motion and data-at-rest capabilities. For data-at-rest, we're moving to a stronger set of authentication, and we're moving toward hard-disk encryption for certain roles in the company. For data-in-motion, that data is encrypted as it is traversing our network. Unisys has created a product called Stealth that creates communities of interest, and data is encrypted from peer to peer. If you've got people working in HR with personally identifiable information, you want them to only communicate with each other and not have somebody who might be listening on the network who might be capturing their information. We've also integrated our common access card to a logical access card so the building card that gets me into the office physically also logically gets me into the remote access system. We're looking at integrated Security Information and Event Management technology, which integrates several different security tools into a single, consolidated analytical tool. We have a pilot of data loss prevention solutions. We're analyzing to see if white listing or black listing will work for us.

How do you address log files?

We have a tool that we use that looks for change management: if somebody makes a change in one place and it opens up a hole in another place and suddenly people have access to data. I also have somebody looking at the log files for certain behavior, such as large data transfers.

How do you address the insider threat in your hiring process?

I've just reviewed our hiring process that covers interns and employees. What we do is a corporate background investigation on every new hire.

What about IT staff? Do you find they are more likely to be involved in a security breach?

I wouldn't say they have a higher incidence of doing it, but I would say they have the tools to do it. You have to continue educating them. In the government, some of my folks thought they didn't need to follow the same rules that we were pushing to everyone because they were in security. The reality was they had the ability to crack passwords and eavesdrop on the network. We had those capabilities for good reason. As a CISO, you know that those people are the ones that can do the most damage. If you're letting a person go who has those types of rights, that person is someone you might want to say today is your last day but we'll give you two weeks pay. Most people do not want to do bad things because they want to keep their job. Usually there is a trigger for somebody, some sort of an HR change, and that's when you need to be really cognizant of what they have access to and what you need to do to protect the resources of the company.

What concrete things can CIOs and CISOs do to battle the insider threat?

We always talk about technology solutions, but I personally think that a lot of what you can do to solve this problem is to educate. If you as CISO take the time to meet with the people in the trenches and give them the awareness of what to look for, they are the best at being able to find people sitting right next to them who are doing nefarious things. We tell them that if something is unusual, they should pass it off to the authorities in the company so we can look into it.

What data should companies focus on protecting?

You have to look at your business and your mission and figure out what data is critical to you. Look at what data is most valuable to you first, and then look at who has access to it. Then look at your third-party partners. They have access to a lot of data, and you need to know how they are protecting it on their site. Do they do corporate investigations of their employees? Do they have the right security protocols in place to protect the network? Small businesses are under attack, serious attack, and they don't necessarily have the corporate resources of Unisys or other major companies. These small businesses are also very high value targets, and they may not have taken the time to implement [proper security.] I'm going to venture a prediction that we see an upswing in lost data from third-party partners and small businesses.

How frequently do you find rogue insiders?

We find a handful a year. Most of the time it's people who are leaving the company who want to take information with them not recognizing that that information doesn't belong to them. I've been briefing people on situational awareness, current threats and vulnerabilities including the insider threat. Your biggest ally against the insider threat is having everyone pay attention to the guy next to him. The insider threat is going to be more serious as we look at companies losing their intellectual property, and it's going to affect their bottom line. Our CEO is very serious about protecting intellectual property. Companies that don't think the insider threat is real, won't be in business for too many years. Data is the business, and if you start losing the data, you're not going to be in the business for long.

Network World
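The access re-assessment Titus describes in the interview above, sketched as an added example (not Unisys tooling and not part of the original article): it reconciles each application's account list against a directory export and flags leavers, orphaned accounts, logins that are not tied to the directory, and users outside an application's approved departments. All names, the record layout and the sample data are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    username: str
    enabled: bool       # False once the directory account has been disabled
    department: str


@dataclass(frozen=True)
class AppAccount:
    app: str
    username: str
    auth_source: str    # "directory" = login goes through the central directory
                        # "local"     = the application keeps its own password


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def review_access(directory, app_accounts, approved_departments):
    """Return (severity, app, username, reason) tuples, most severe first.

    approved_departments maps an application name to the set of departments
    allowed to use it; applications missing from the map are not restricted.
    """
    users = {u.username: u for u in directory}
    findings = []
    for acct in app_accounts:
        user = users.get(acct.username)
        if user is None:
            findings.append(("high", acct.app, acct.username,
                             "no matching directory identity (orphaned account)"))
            continue
        if not user.enabled:
            if acct.auth_source == "local":
                # The failure mode from the interview: the person is gone,
                # but nobody removed the access the application holds itself.
                findings.append(("high", acct.app, acct.username,
                                 "directory account disabled but local login still works"))
            else:
                findings.append(("low", acct.app, acct.username,
                                 "leaver still listed; login is blocked by the directory"))
            continue
        if acct.auth_source == "local":
            findings.append(("medium", acct.app, acct.username,
                             "not tied to the directory; disabling the user will not remove this access"))
        allowed = approved_departments.get(acct.app)
        if allowed is not None and user.department not in allowed:
            findings.append(("medium", acct.app, acct.username,
                             f"department '{user.department}' is not approved for this application"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))
    return findings


# Constructed sample data (hypothetical users and applications).
DIRECTORY = [
    DirectoryUser("alice", True, "HR"),
    DirectoryUser("bob", False, "HR"),            # left the company
    DirectoryUser("carol", True, "Engineering"),  # transferred out of HR
    DirectoryUser("dave", True, "Sales"),
]
APP_ACCOUNTS = [
    AppAccount("hr-portal", "alice", "directory"),
    AppAccount("hr-portal", "bob", "local"),
    AppAccount("hr-portal", "carol", "directory"),
    AppAccount("wiki", "bob", "directory"),
    AppAccount("wiki", "dave", "local"),
    AppAccount("build-server", "erin", "directory"),
]
APPROVED_DEPARTMENTS = {"hr-portal": {"HR"}}

if __name__ == "__main__":
    for severity, app, username, reason in review_access(
            DIRECTORY, APP_ACCOUNTS, APPROVED_DEPARTMENTS):
        print(f"{severity:<6} {app:<12} {username:<6} {reason}")
```

Running the same reconciliation whenever the directory export changes, rather than once a year, matches the turnover-driven review frequency mentioned in the interview.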

Fake Browser Warnings Dupe Users into Downloading "Scareware"

Makers of phony security software spoof anti-malware alerts in IE, Firefox and Chrome. 


Scammers are spoofing the anti-malware warnings of popular browsers to dupe Windows users into downloading fake security software, Symantec said Monday.

Several malicious Web sites are displaying phony versions of the alerts that Google's Chrome and Mozilla's Firefox present when users encounter pages suspected of hosting attack code, said Symantec researcher Parveen Vashishtha in a post to the firm's blog.

Rather than simply warn users that the page they're about to visit may be dangerous -- as do the legitimate alerts -- the sham versions also include a prominent message that suggests downloading a browser security update.

In reality, no browser offers its users security updates from its anti-malware warning screen.

Anyone who accepts the update actually downloads bogus software, often called "scareware" because it bombards users with endless fictitious infection warnings until people pay $40 to $50 to buy the useless program.

Even the cautious can be nailed by these sites. Users who refuse the mock updates are assaulted by a multi-exploit toolkit that includes attack code for 10 different vulnerabilities in Windows, Adobe Reader, Internet Explorer and Java. Windows PCs that have been kept up-to-date with bug patches will be immune from the exploit kit, however.

"Malware authors are employing innovative social engineering tricks to fool users -- it's as simple as that," said Vashishtha.

The strategy that Symantec pointed out isn't new. A month ago, Microsoft's malware protection center warned that fake antivirus scammers were putting up bogus alerts in Internet Explorer, Firefox and Chrome.

"The similarity between the fake warning pages [and the real things] is so accurate that it can trick even highly trained eyes," Microsoft said in early September.

It's no surprise that scareware dealers are constantly looking for new ways to con users into downloading their good-for-nothing software: It's a serious business.

According to the FBI, rogue security makers have made at least $150 million by duping the public.

Little wonder, then, that the fake security software industry is huge. During the 12 months from July 1, 2008, to June 30, 2009, more than 250 different phony programs tried to get on more than 43 million machines worldwide, Symantec said in a report issued last October.

Computerworld

The 17 Most Dangerous Places on the Web

The scariest sites on the Net? They're not the ones you might suspect. Here's what to watch for and how to stay safe.

Those photos of Jessica Alba may be murder on your PC. That Google search result that looks as if it answers all your questions may do nothing but create a serious tech headache. The fun you had watching that hilarious video you downloaded may not be worth the misery it can cause your system.

You've been warned that the Internet is something of a security minefield--that it's easy to get in trouble. You can do everything you can think of to protect yourself and still be taken by a malware infection, a phishing scam, or an invasion of online privacy. We'd like to provide a little help. Here are some of the hazards you may encounter, how dangerous they are, and what you can do to stay out of harm's way.

Not all Web dangers are created equal. Thankfully, our friends at the Department of Homeland Security have made our work of classifying Web threats a little easier. Will you get taken just by visiting that unfamiliar site? Or will you have to look for trouble? Let our threat level indicator be your guide.

The Place: Websites that use Flash

Adobe's Flash graphics software has become a big malware target in recent years, forcing the company to push out frequent security patches. But another danger you might not know about is associated with Flash cookies. Flash cookies are small bits of data that their creators can use to save Flash-related settings, among other things. But like regular cookies, Flash cookies can track the sites you visit, too. Worse still, when you delete your browser's cookies, Flash cookies get left behind.

If You Have to Go There: To help protect against Flash-based attacks, make sure you keep your Flash browser plug-ins up-to-date. And you can configure the Flash plug-in to ask you before it downloads any Flash cookies.

Threat 2 >> Shortened links that lead you to potentially harmful places

The Place: Twitter

Scammers love Twitter since it relies so much on URL shorteners, services that take long Internet addresses and replace them with something briefer.

And it's very simple to hide malware or scams behind shortened URLs. A shortened link that supposedly points to the latest Internet trend-du-jour may be a Trojan horse in disguise.

If You Have to Go There: Simply don't click links. Of course, that takes some of the fun out of Twitter. The other option is to use a Twitter client app. TweetDeck and Tweetie for Mac have preview features that let you see the full URL before you go to the site in question.

Some link-shortening services, such as Bit.ly, attempt to filter out malicious links, but it seems to be a manual process, not an automatic one. TinyURL has a preview service you can turn on.

Threat 3 >> E-mail scams or attachments that get you to install malware or give up personal info

The Place: Your e-mail inbox

Although phishing and infected e-mail attachments are nothing new, the lures that cybercrooks use are constantly evolving, and in some cases they're becoming more difficult to distinguish from legitimate messages. My junk mailbox has a phishing e-mail that looks like a legitimate order confirmation from Amazon. The only hint that something's amiss is the sender's e-mail address.

If You Have to Go There: Don't trust anything in your inbox. Instead of clicking on links in a retailer's e-mail, go directly to the retailer's site.

Threat 4 >> Malware hiding in video, music, or software downloads

The Place: Torrent sites

Torrent sites (such as BitTorrent) are often used for sharing pirated music, videos, or software, and are a trove of malware. No one vets the download files--they may be malware in disguise.

Ben Edelman, privacy researcher and assistant professor at Harvard Business School, thinks torrent sites are the most dangerous places to visit, since they don't have a business model or reputation to defend (by comparison, many porn sites rely on being deemed trustworthy). "The torrent customers, they really don't want to pay," he says.

If You Have to Go There: It's probably best to avoid torrent sites entirely, given their untrustworthy content, but if you must visit, use a secondary PC to protect your main system. Use antivirus software, and keep it updated. Scan downloaded files and wait a couple of days before opening them. Brand-new malware can be tricky to catch, but the delay in opening may allow your antivirus software to get the necessary signatures.

Threat 5 >> Malware in photos or videos of scantily clad women

The Place: 'Legitimate' porn sites

Porn sites have a reputation of being less secure than mainstream sites, but that assumption doesn't tell the whole story. "There is no doubt that visiting Websites of ill-repute is deadly dangerous. If you make a habit of it, it's a given that you'll be attacked at some point," says Roger Thompson, chief research officer with security firm AVG. "Unfortunately, staying away from those sites won't keep you safe by itself, because innocent sites get hacked all the time, and are used as lures to draw victims to the attack servers."

And as mentioned earlier, many porn sites operate as actual, legitimate businesses that want to attract and retain customers. That said, it may be hard to tell the "legit" porn sites from malware-hosting sites that use porn as a lure.

If You Have to Go There: Be suspicious of video downloads, or sites that require you to install video codecs to view videos (see the next threat, below). Using tools like AVG's LinkScanner and McAfee's SiteAdvisor can help you weed out the malicious sites.

And, again, consider visiting such sites on a secondary machine. You don't want your browser history on the family PC.

Threat 6 >> Trojan horses disguised as video codecs, infecting your PC with malware

The Place: Video download sites, peer-to-peer networks

If you watch or download video online, you've likely been told to download a video codec--a small piece of software that provides support for a type of video file--at least once. Usually, these bits of software are perfectly legitimate (for example, the popular DivX codec), but some less-than-reputable download services or video sites may direct you to download a piece of malware disguised as a codec. Security software company Trend Micro provides a good example of what these attacks look like.

If You Have to Go There: Your safest option is to stick with well-known video sites such as YouTube and Vimeo. And for catching up on the latest episodes of your favorite TV shows, sites and services like Hulu, TV.com, ABC.com, and iTunes are safer than peer-to-peer networks.

Threat 7 >> Geolocation--your smartphone and perhaps other parties know where you are

The Place: Your smartphone

The smartphone market is still in its infancy, really, and so are the threats. One possible concern is the use--or abuse--of geolocation. Although plenty of legitimate uses for location data exist, the potential for inappropriate uses also exists. In one case, a game listed on the Android Market was in reality a client for a spy app. In a less invidious example, a site called pleaserobme.com showed that--for a time--a stream of FourSquare check-ins indicated that a person was away from their home (the site's goal, mind you, wasn't to condone theft, but to raise awareness of the issue).

Apple recently updated its privacy policy to reflect changes in how it handles location data in iOS 4. The policy now states that "to provide location-based services on Apple products, Apple and our partners and licensees may collect, use and share precise location data." You can read more on Apple's new privacy terms and what they mean for you.

If You Have to Go There: Be particular about the location-based sites, apps, and services that you use. As shown in the screenshot at right, services such as Yelp provide good examples of useful location-aware apps. On the other hand, weigh the privacy implications of services like FourSquare or the new Facebook Places feature, and consider how much you feel comfortable divulging. (Read more on how to retain privacy on FourSquare and Facebook Places.)

Threat 8 >> 'Poisoned' search engine results that go to malware-carrying Websites

The Place: Search engines

Search engine poisoning is the practice of building tainted sites or pages that are designed to rank high in a search on a given topic. For example, according to a recent study by the security firm McAfee, 19 percent of search results for "Cameron Diaz and screensavers" had some sort of malicious payload. Breaking news topics and Facebook are also common search targets for attackers.

If You Have to Go There: Pick and choose which sites to go to. Don't just blindly click search results; check each URL first to make sure that it really leads to the site you want. Although any site can be hacked, visiting the Washington Post's story on a hot news topic, for example, is probably a wiser choice than following a link to a site you've never heard of before.

Threat 9 >> Malicious PDFs that try to fool you into installing malware

The Place: Hacked Websites, plus your inbox

As Microsoft has become more serious about Windows security over the past few years, would-be attackers have had to find new ways to infect PCs. Attacking flaws in Adobe Acrobat is one of these newer methods. So-called poisoned PDFs are PDF files that have been crafted in such a manner that they trigger bugs in Adobe Reader and Adobe Acrobat; posted on a hijacked Website, they may let an attacker commandeer your PC and access your files and personal info.

A newer variant takes an otherwise innocent-looking PDF document and inserts malware into it. Adobe Reader may pop up an alert asking if you want to run the malware, but hackers can edit those messages to trick you into opening the file.

How serious is this problem? In 2009, attacks using malicious PDFs made up 49 percent of Web-based attacks, according to security firm Symantec.

If You Have to Go There: First, always make sure that you're running the latest version of Adobe Reader.
You can also use a different PDF reader, such as Foxit Reader. This can protect you from attacks on holes in Adobe Reader itself, but it won't make you immune to all PDF attacks, such as the newer ones that embed malware inside the PDFs. Make sure, also, that you update to Adobe Reader 9.3.3 or later (Reader 8 users should update to version 8.3.3 or later); these updates change the way Adobe Reader handles non-PDF attachments and reduce the risk from such attacks.

You can turn off Adobe Reader's ability to open non-PDF attachments by going to Preferences, clicking Trust Manager, and unchecking Allow opening of non-PDF file attachments with external applications.

The next major release of Acrobat and Reader will provide a new "protected mode" against these attacks.
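A defender's triage check for the embedded-payload variant described above, as an added example that is not part of the original article: it counts the PDF name objects behind launch actions, attachments and scripts, and decodes `#xx` escapes so a disguised name is still recognised. The choice of names, the function names and both sample byte strings are this example's own assumptions; the samples are constructed fragments with a placeholder where a target would go.

```python
import re
from collections import Counter

# Standard PDF dictionary keys worth a second look before a file is opened.
# Which keys to watch is this example's choice, not a list from the article.
RISKY_NAMES = {
    "/Launch": "action that asks the viewer to start an external program",
    "/EmbeddedFile": "file attachment carried inside the PDF",
    "/JavaScript": "JavaScript action",
    "/JS": "script source attached to an action",
    "/OpenAction": "action run as soon as the document opens",
    "/AA": "additional actions fired by page or form events",
}
# /OpenAction and /AA are common in harmless files, so they are reported
# but do not make a file suspicious on their own.
DECISIVE = {"/Launch", "/EmbeddedFile", "/JavaScript", "/JS"}

# A PDF name is "/" followed by any run of non-whitespace, non-delimiter bytes.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so that /La#75nch compares equal to /Launch."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes.

    Compressed object streams are not inflated here, so a clean result is
    a reason to look less urgently, not proof that the file is safe.
    """
    counts = Counter()
    obfuscated = set()
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalize_name(raw)
        if name in RISKY_NAMES:
            counts[name] += 1
            if b"#" in raw:
                # A risky name written with escapes has no innocent reason.
                obfuscated.add(name)
    suspicious = bool(obfuscated) or any(n in DECISIVE for n in counts)
    return {
        "is_pdf": b"%PDF-" in data[:1024],
        "counts": dict(counts),
        "obfuscated": sorted(obfuscated),
        "suspicious": suspicious,
    }


# Constructed sample: opens at a fitted page view, nothing else.
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >>\nendobj\n"
    b"%%EOF\n"
)
# Constructed sample: an escaped launch action plus an empty attachment.
SAMPLE_FLAGGED = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /Action /S /La#75nch /F (PLACEHOLDER) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Filespec /EF << /F 6 0 R >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        result = triage_pdf(sample)
        print(label, result["suspicious"], result["counts"], result["obfuscated"])
```

A mail gateway or download folder watcher could run `triage_pdf` on each file's bytes and hold anything marked suspicious for a closer look before it reaches a reader application.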

Threat 10 >> Malicious video files using flaws in player software to hijack PCs

The Place: Video download sites

Attackers have been known to exploit flaws in video players such as QuickTime Player and use them to attack PCs. The threats are often "malformed" video files that, like malicious PDFs, trigger bugs in the player software that let the attackers in to spy on you, plant other malware, and more.

If You Have to Go There: Keep your player software up-to-date. Apple and Microsoft periodically release patches for QuickTime and Windows Media Player, respectively. Avoid downloading videos at random. Stick to well-known video sites such as YouTube, or to download services like iTunes.

Threat 11 >> Drive-by downloads that install malware when you visit a site

The Place: Hacked legitimate sites

A drive-by download occurs when a file downloads and/or installs to your PC without you realizing it. Such downloads can happen just about anywhere. Some sites are built to lure people into a drive-by download; but in a common attack method, criminals will hack a Web page, often on an otherwise legitimate site, and insert code that will download malware to your computer.

If You Have to Go There: The first thing to do is to keep your security software up-to-date, and to run regular malware scans. Many security suites can flag suspicious downloads.

Threat 12 >> Fake antivirus software that extorts money--and your credit card information

The Place: Your inbox, hacked legitimate sites

Fake antivirus programs look and act like the real thing, complete with alert messages. It isn't until you realize that these alerts are often riddled with typos that you know you're in trouble.

Most fake antivirus software is best described as extortionware: The trial version will nag you until you purchase the fake antivirus software--which usually does nothing to protect your PC. Once you send the criminals your credit card information, they can reuse it for other purposes, such as buying a high-priced item under your name.

You can get infected with a fake antivirus app in any number of ways. For example, in drive-by downloads (see the previous item), a malicious payload downloads and installs without the user realizing it or having any time to react.

If You Have to Go There: If you get an alert saying you're infected with malware, but it didn't come from the antivirus software you knowingly installed, stop what you're doing. Try booting into Safe Mode and running a scan using your legitimate antivirus software.

However, such a scan may not clean up all of the malware--either the scanner doesn't have a signature for one fragment, or that piece doesn't act like traditional malware. This may render behavioral detection (which spots malware based on how it acts on your system) useless. If all else fails, you may need to call in a professional.

Threat 13 >> Fraudulent ads on sites that lead you to scams or malware 

The Place: Just about any ad-supported Website

Hey--ads aren't all bad! They help sites pay the bills. But cybercriminals have taken out ads on popular sites to lure in victims. Last year, the New York Times site ran an ad from scammers, and earlier this year some less-than-scrupulous companies were gaming Google's Sponsored Links ad program and placing ads that looked like links to major companies' Websites.

"The bad guys have become very clever at exploiting online advertising networks, tricking them into distributing ads that effectively load malicious content--especially nasty, scaremongering pop-ups for rogue antispyware," says Eric Howes, director of research services for security firm GFI Software.

If You Have to Go There: Most large sites, such as PCWorld.com, have ad sales departments that work frequently with a core group of large advertisers, so it's probably safe to click a Microsoft ad on the New York Times site. But as the Google Sponsored Links incident shows, nothing is entirely fail-safe.

Threat 14 >> Questionable Facebook apps

The Place: Facebook

Facebook apps have long been an issue for security experts. You don't always know who's developing the apps, what they're doing with the data they may be collecting, or the developers' data security practices. Even though you have to approve apps before they can appear on your profile and access your personal information, from there the security of your data is in the developer's hands.

If You Have to Go There: Be selective about the apps you add to your profile--don't take every quiz, for example. Check your privacy settings for Facebook apps, as well: Click the Account drop-down menu in the upper-right corner of Facebook's site, select Privacy Settings, and then click Edit your settings under 'Applications and Websites'. There, you can control which apps have access to your data, and which of your friends can see what information from apps (such as quiz results); you can also turn off Facebook apps altogether.



Threat 15 >> Sites that lure you in, get you to sign up, then sell your e-mail address for spam

The Place: 'Free electronics' sites

You've no doubt seen sites around the Web blaring, Get a free iPad! Get a free notebook! A free iPod! It's easy! These sites aren't typically dangerous in the classical sense--you probably won't get infected with malware--but your personal information could be sold to other businesses, who can then use it to sell more stuff to you.

If You Have to Go There: Read the privacy policies. And then read them again. Also, beware of privacy policy loopholes--even though a site says that it won't sell your private data to third parties, depending on the language of the policy, they may still be able to give your information to "affiliates."

Threat 16 >> Phishing 2.0 on social networks that tricks you into downloading malware or giving your Facebook login information to a criminal

The Place: Social networks

Questionable Facebook apps and malicious shortened links aren't the only dangers lurking on social networks. Sites like Facebook have given rise to new forms of phishing. Scammers might hijack one person's Facebook account, then use it to lure that person's friend into clicking a malicious link, going to spam sites, or giving up their Facebook login information--thereby giving scammers one more Facebook account to hijack.

"One of the bigger dangers currently facing users is malware, adware, and spyware spread through social networks like Facebook and Twitter," says Eric Howes, director of malware research with Sunbelt Software. 

"Users may receive spam via these networks offering them free deals, links to interesting videos, or even widgets to enhance their Facebook profiles. In many cases what's really being pushed on users is adware, spyware, or even malicious software that can exploit users' PCs."

If You Have to Go There: Don't trust every link posted to Facebook, even if one of your friends posted it. Be especially suspicious if the post is out of the ordinary for that person. Check the person's wall or Twitter @-replies to see if anyone is concerned that the person's account has been compromised.

And if you suspect that your account has been hijacked, change your password immediately. Both Facebook and Twitter have resources to help you keep up-to-date on the latest threats on both sites. Facebook users should visit its security page; if you're on Twitter, be sure to follow @spam and @safety for Twitter security best practices.

Threat 17 >> Oversharing--exposing too much personal information on your social network profiles

The Place: Social networks

How many times have you seen friends on Facebook or Twitter publicly divulge a bit more information than is necessary? Oversharing isn't just a matter of getting a little too personal--it can leave your private information viewable to the general public. But it's avoidable.

"There is a subtle danger that few people understand with the social networking sites, and that is the idea of information leakage," says AVG's Roger Thompson. "People, particularly teens, put all sorts of information online, without realizing that many more people than just their friends can see that data."

Oversharing could very well lead to more serious privacy issues further down the road, Thompson adds. "As today's young teens reach an age to apply for a credit card, I fully expect an onslaught of fraudulent card applications on their behalf, because they unwittingly divulged so much information. Harvesting is going on now, and we have no idea who is doing the harvesting."

If You Have to Go There: This particular threat is relatively easy to avoid, in that a little common sense can go a long way: Just be mindful of what you post. Do you really need to publish your home address and phone number to your Facebook profile?

Finally, be certain to check your privacy settings to make sure that you're not divulging your deepest, darkest secrets to all 500 million Facebook users.

What Happens When You Surf Unprotected

11:45 a.m. I start the experiment with a pristine, clean PC running Windows Vista.

11:55 a.m. I need to check my e-mail. I download what appears to be a résumé file. Strange, I'm not hiring. I open it anyway. My screen flickers a little, but nothing starts. Hmm...

12:00 p.m. I start poking around on the Web, and start out easy. I run a Google search for free smilies, and sure enough, I find some. Who am I to refuse?

12:29 p.m. A couple smiley packs later, I am up to three browser toolbars. Junkware, but no malware...yet.

12:41 p.m. I download some random freebie antivirus software I've never heard of. Let's see what this does...

12:48 p.m. More random downloads, and my desktop is getting junked up. I now have icons for free games and 1000 free songs littered all over, plus more browser toolbars than I care to have.

12:55 p.m. IE is hating me right now. Still no signs of malware, but something's sure eating up system resources.

1:03 p.m. My PC locks up for a few moments.

1:25 p.m. After a restart, Windows throws up a warning about a program at C:\Users\PCW\AppData\Roaming\host32.exe. I have no idea what it is.

1:40 p.m. I think I killed IE. I can't launch it. Malware? But I uninstall a couple of toolbars, and it seems to work again.

3:00 p.m. It's unclear whether I've gotten infected by anything on the Web, but so far I haven't done anything too terribly risky. However, I've got to check my e-mail again; I'm expecting an important file from a friend.

3:05 p.m. Whoops. I think I clicked on the wrong file. I've got fake antivirus!

3:25 p.m. I now have three or four fake antivirus programs running. Malware has also planted three shortcut links to porn sites on my desktop. And whenever I open something in IE, a fake antivirus app kicks in with a fake warning.

4:13 p.m. Something just forced my PC to shut down and restart. I think I've successfully hosed this computer.

Tips from the Pros:

Top 5 Ways to Stay Safe Online

Stay up-to-date, stay paranoid, stay protected. That's the message from the security experts we spoke with while developing this story. Here are a few of their top tips and suggestions for protecting your computer against malware and hackers.

1) Keep up on patches. 

Be sure to run Windows Update, as well as the software update features in the other programs that you use every day.

2) Be password smart. 

As tempting as it is to use the same password in multiple places, don't. And use longer passwords, too; they're harder to crack. If you have lots of accounts to manage, use a password manager.

3) Use security software. 

That may seem self-evident, but it can help block malware or software that is acting suspiciously, and security software companies are hard at work devising new ways to stop infections before they ever reach your PC. Check our antivirus and security software page regularly for the latest on security products.

4) If it sounds too good to be true... well, you know the rest.

No, someone in a faraway land isn't really offering you millions of dollars. No, attractive women from Russia probably aren't seeking you out specifically. No, those aren't magic cure-all pills.

5) Assume that everyone's out to get you. 

PC security is one area where it pays to be paranoid. Just remember that no security software is fail-safe, and that you're still the one sitting at the keyboard. Assume that no site is safe. And don't automatically trust a link or file download, even if a friend sends it to you.

And a few final thoughts:

From Eric Howes, director of research services for security firm GFI Software:

"The user is always the weak link. Even the best antimalware protection and security patches cannot protect a PC from malware if the user sitting at the keyboard is being irresponsible while surfing the Web."

From Roger Thompson, chief research officer, PC security firm AVG:

"Good software designed to detect this stuff (in our case, LinkScanner) helps, but unfortunately, these are areas where the problem is in relative infancy, and is going to get much worse."

PC World