On 14th July 2015 Microsoft will cease supporting Server 2003. This means that, going forward, there will be no more updates or patches for the Server Operating System, which will lead to a less stable and less secure server infrastructure for any businesses that choose to continue to use the system after this date.

Any organisation that is still currently using Microsoft Server 2003 needs to put in place a plan of action to migrate to a new server Operating System, or find an alternative IT infrastructure solution.

Edinburgh IT Support consultants, Consider IT, suggest getting in touch and we’ll provide options for moving forward to a secure and reliable solution.

SourceForge is a popular website that offers source-code repository, downloads mirrors, bug tracker and other features. It acts as a centralised location for software developers to control and manage free and open-source software development. What you might know it from is its usefulness in providing downloads of popular software, rather than having to go to the developer’s website to get it.

Since yesterday at least, SourceForge has now since started to distribute adware/malware in certain projects hosted on their site.

NMAP, an open-source network tool used extensively by IT Professionals has been hijacked by SourceForge and the developers have hit back on security notice boards:

Hi Folks! You may have already read the recent news about SourceForge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after SourceForge started tricking users with fake download buttons which lead to malware rather than GIMP. Then SourceForge took over GIMP’s account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. …

Anyway, the bad news is that SourceForge has also hijacked the Nmap account from me.

Despite promises to avoid deceptive advertisements that trick site visitors into downloading unwanted software and malware onto their computers, these malicious ads are appearing on projects that have been taken over by SourceForge’s anonymous editorial staff.

FileZilla was an early participant in DevShare, SourceForge’s revenue sharing plan for open-source developers. It was supposed to be opt-in only. By allowing SourceForge to wrap downloads in a Web installer that offered up to three different software bundles, open-source projects could generate some cash to support development.

But GIMP never enrolled in DevShare—SourceForge foisted the adware on the project’s Windows installer after taking over the project’s page. On Sunday, the GIMP team issued an official statement through Michael Schumacher, a maintainer of the GIMP website. It said that the GIMP team was never informed of what SourceForge was going to do.

“This was done without our knowledge and permission, and we would never have permitted it,” Schumacher wrote. Furthermore, he noted, the move broke a promise SourceForge made in November 2013: “We want to reassure you that we will never bundle offers with any project without the developers consent.”

SourceForge’s search engine ranking for these projects often makes the site the first link provided to people seeking downloads for code on Google and Bing search results.

Some of the software hosted on SourceForge are as follows:  openoffice, audacity, fedora, firefox, gimp, gnu privacy guard, joomla, libre office, multiwii, neverball, nmap, sqlite, simulationcraft, snort, texworks, transmission, vlc media player, wordpress, recaptcha, apache, mame, mysql, thunderbird.

We suggest avoiding SourceForge for the foreseeable!

PayPal and eBay have fallen out and are splitting up with each other on 1st July 2015. PayPal have published a new set of Privacy Policies that will come into force on the same day.

IF YOU DO NOT AGREE TO THE AMENDED USER AGREEMENT, PRIVACY POLICY OR ACCEPTABLE USE POLICY, YOU MAY CLOSE YOUR ACCOUNT BEFORE JULY 1, 2015 AND YOU WILL NOT BE BOUND BY THE AMENDED TERMS.

PayPal is nice enough to give its customers only two options when it comes to the new terms: begrudgingly accept them or close your account entirely.

There’s a temporary page showing all the new Privacy Policy changes in full with the highlighted points at the top. The top paragraph states several scenarios where PayPal may choose to automatically call or text you:

1. notify you regarding your account
2. troubleshoot problems with your account
3. resolve a dispute
4. collect a debt
5. poll your opinions through surveys or questionnaires
6. contact you with offers and promotions
7. as otherwise necessary to service your account or enforce this User Agreement, our policies, applicable law, or any other agreement we may have with you.

Some of these items are standard and fair, but the ones highlighted in red might start putting some of PayPal’s customers off the idea of using their service completely.

What are your thoughts on this? Pop a comment below!

The ICO has issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case.

Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer.

The recorded interview took place in August 2011 and the loss was discovered by staff after an office move in October 2011 but the security breach then went unreported for nearly two years due to lack of training. Although the DVDs were stored in a secure part of the police station, South Wales Police had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations.

A second interview had to be abandoned due to the victim’s distress and the DVDs have still not been recovered. The defendants were eventually convicted in court.

Anne Jones, Assistant Commissioner for Wales said: “Without any doubt we would expect a professional police force, in a position of trust, dealing with this type of highly sensitive information from victims and witnesses on a daily basis to have robust procedures to keep track of the personal data in their care.

Google Chrome is ending support for Silverlight – used by NOW TV and BT Sport to play video.

The Microsoft runtime depends on an ageing plug-in protocol called Netscape Plugin Application Programming Interface (NPAPI), for which Google is currently phasing out support in its browser.

The Google Chrome team originally speculated that support for the old protocol would be removed from Chrome before the end of 2014.

Silverlight remains very popular with broadcasters because of the level of encryption it offers. Many broadcasters seem to be sticking with Silverlight instead of migrating to HTML5.

“With each step in this transition, we get closer to a safer, more mobile-friendly web,” said Justin Schuh, software engineer and plug-in retirement planner at Google.

Don’t be a victim of Counterfeit Software…

As an IT Support company, our clients put their trust in us to source and supply various hardware and software solutions. We purchase Microsoft Office by the bucket load and almost on a daily basis it’s one of the team’s job to go through the headache of unpacking the Microsoft Office box, pulling out the licence key, and going through the hassle of installing Office 2013 on the client machine. Today was different. We sourced our copies of Office from our normal supplier, took delivery, opened the boxes, and proceeded to download the software.

That part of the procedure is normal. What isn’t normal is being told by the Licence Card to visit a website that isn’t Microsoft’s. We almost got caught out by this. If we can almost get caught out, someone without genuine software to compare them to would almost certainly be an unknowing victim of software piracy. Microsoft do a lot to defend their intellectual property. What people take for granted is that Microsoft’s software (jokes aside) doesn’t contain Malware or Viruses. It doesn’t contain software that will spy on you when you’re purchasing your Summer holiday or moving money around your various bank accounts.

The software we almost downloaded could have.

Here’s a picture of the counterfeit version against a genuine one (click the picture for a full size version):

Can you guess which one is the counterfeit one? Exactly. Microsoft’s first line of defence is a special label they call their Certificate of Authenticity (or COA). This label has a few security features that should allow you to determine if what you hold in your hands is a genuine product. Have a look at the COA label on the two boxes below (we’ve kept the genuine one and the counterfeit one in the same place):

Got any clue as to which one is the genuine one yet? Assuming you didn’t take a look at the COA before opening the box, the only other real tell-tale sign that the product we have is counterfeit is the following:

Have you spotted it yet? Obviously Step 4 is missing on one of the cards, but the crucial issue is the website they’re sending us to: http://uk.msoffice13.com/hb This is not a Microsoft Website. It should go without saying not to visit the site, but if you do, you’ll start downloading a HomeBusinessRetail.exe file that looks like the genuine Microsoft product. In fact, even AVG, Malwarebytes and Avast! didn’t moan that this file wasn’t genuine. At this stage, we’re pretty confident that the product on the left is actually a knock-off. A genuine Microsoft COA label will have a hologram on the left hand side and a “microsoft” thread intertwined through the label itself. Here’s a picture of a genuine COA:

Notice on the left hand side the hologram (you can’t see it really well unless you move the label around the light) and the thread slightly to the right of the hologram which if you touch with your finger you can actually feel that it’s interwoven. And now here’s the fake closer up:

If you look at the label closely, you’ll see the hologram is actually just one solid colour and the thread that runs through the label has in fact been replaced with just a green line. Whilst we weren’t able to confirm if there was malware in the download of this counterfeit software (and the software had just been hacked to bypass the Serial Number checks Microsoft do) there’s still the possibility for counterfeit software to come packaged up with other nasties.

We also checked the licence key card against the official Microsoft download site and it came back as not recognised.

Microsoft have a very thorough website dedicated to checking if your products are genuine: http://www.microsoft.com/howtotell

We’ve also just noticed that if you scan the barcode on the COA, it comes back with the wrong numbers and not the ones shown.

The Heartbleed Bug

The Heartbleed Bug is a vulnerability in the popular OpenSSL cryptographic software library. This is the software that almost 60% of the internet will use to establish a secure communication between the server and the client. When you browse a website and you see the padlock sign, chances are it uses OpenSSL to establish this secure link. Windows Servers are generally unaffected by this issue, but other providers that use Linux (or OpenSSL specifically) will likely have had this vulnerability running for some time.

Whilst a lot of the big players in the cloud world are saying that they have now patched their systems and that users do not need to change their passwords, we are taking the stance that it doesn’t hurt to change your passwords on a regular basis and this is as good a time as any. Therefore this notice is to advise you to change your password for all internet-based services, irrespective of whether or not the site in question has stated they are now secure or were never vulnerable.

If you use services such as Google, Dropbox, AmazonWeb Services, Facebook, Tumblr, Yahoo/Yahoo Mail, etc. then our formal and professional advice is to take ten minutes out of your day to go through all websites and change your password.

Please be aware that we also expect to see a rise in Phishing (scam) emails pertaining to be from these various sites asking you to change your password byfollowing a link in the email. Please visit the site directly in your browser to change your password!

There is a more technical overview of the Heartbleed Bug online at www.heartbleed.com

If you have questions, give us a call (0131 510 0110) or send us an email ([email protected])

Does the date 8th April 2014 mean anything to you?

If you’re a business and care about the security of your IT equipment then it should.

On the 8th April, Microsoft’s Windows XP and Office 2003 products will no longer be supported. The products wont stop working, but critical security updates will no longer be developed and rolled out for these products. That means that if a major security flaw is discovered, Microsoft will do nothing about it.

30% of PCs still use Windows XP and at least a handful of our clients still have one or two Windows XP machines in their office (thankfully they’re moving away this week).

Keeping your IT infrastructure secure is serious business and only at the beginning of March, The British Pregnancy Advice Service (BPAS) was fined £200,000 for not making sure the data they held about people was stored securely.

David Smith, Deputy Commissioner and Director of Data Protection said about the case:

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

The organisation’s failure to spot problems with their software has led to a serious breach of the Data Protection Act, caused substantial damage and distress to those affected and left the organisation with a fine of £200,000. The hacker, meanwhile, is now in prison.

For a small office environment, the steps you need to take can be relatively simple. Making sure you stay on top of the updates that need to be regularly applied to desktop and laptop operating systems is relatively easy to do. All of the major vendors have a system to regularly check for updates and a pop-up will usually display on the screen alerting you to the fact that a security update is required.

In a more complex environment you might need to test these updates first to make sure they are compatible with your existing infrastructure. Where you cannot apply an update, you may need to put additional measures in place to mitigate the risk.

The UK government’s National Technical Authority for Information Assurance (CESG) has published short-term mitigation advice for public sector organisations that are unable to fully migrate away from Windows XP prior to its end of support date.

You should also consider whether your other IT assets need an update. Recently, a number of vulnerabilities have been discovered in the firmware of routers and firewalls. You can check the manufacturer’s website to see if an updated firmware has been released. For the novice user these are not as easy to update as an operating system or desktop software. If you get the configuration of your primary defence wrong you could be leaving your organisation in a worse position than if you’d done nothing at all; so call in the professionals if you are unsure.

So if you are unsure whether your security software is up-to-date across all devices make sure you follow these three basic steps:

Step one – Carry out an audit of your IT equipment so you know the size of the problem. Make a list of devices, operating systems, serial numbers, installed software and which members of staff this kit is issued to.

Step two – Plan and Prioritise. Work out which updates you need to apply and in which order you are going to do these. If you are disposing of equipment that has reached the end of its life, make sure this is done securely by following the Information Commissioner’s Office’s IT asset disposal guidance and any other guidance provided by the manufacturer.

Step three – Roll out security updates to the remaining equipment where required and continue to keep the software up-to-date.

Remember, from 8th April 2014 there will be no updates to apply to Windows XP or Office 2003. Do not fall into a false sense of security by believing that because there are no updates then there are no vulnerabilities. Anyone using these two products must consider their options to look at migrating to a supported operating system. Failure to do so will leave your company’s network vulnerable over time and significantly increases the risk of a data breach that you could have prevented.

North East Lincolnshire Council has been fined a monetary penalty of £80,000 (eighty thousand pounds) for failing to encrypt a USB stick that contained personal information about the physical or mental health of pupils and their teaching requirements as well as information about their home life.

On 1 July 2011 an unencrypted USB memory stick containing personal and sensitive personal data was lost on the data controller’s premises. A special educational needs teacher had been working with the information held on the USB stick while using a laptop that was connected to the data controller’s networked computer system.

When logging off the system and leaving the office for the day, the teacher forgot to remove the USB stick. When the teacher realised the mistake and tried to retrieve the USB stick, it was gone. To date, the USB stick has not been recovered. The data controller completed an internal investigation in response to the incident.

Stephen Eckersley, ICO head of enforcement, said: “Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted.”

He went on to say: “North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented. This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”