Secure That Login

So I got a call from a client “we can’t send email to company XYZ – the say we’re sending SPAM or something, can you please find out what’s going on?” (well, they didn’t quite say it like that but I figured I should paraphrase a little for clarity).

OK – I knew they weren’t an open relay but checked anyway (you know, telnet to port 25 and try to send mail through it hoping to get the “unable to relay for…” message. Whew – no fingers had been meddling.

They’d been listed with SpamCop as a source of SPAM so I kept digging. The anti-virus was up to date and functioning correctly so there was little chance of the server and PCs being infected (we check the network every week to make sure too). No flames please about bugs that bypass A/V too – I’m summarising here for the masses.

Looking in the Exchange mail queues I could see HEAPS of messages waiting for delivery to domains I just knew they didn’t really want to be talking to, so figured there was something nasty going on. The SMTP virtual server settings were also correct in not allowing relaying through the server from any IPs which confirmed my “not an open relay” check. Ahhh – there’s that checkbox a little lower down that allows authenticated users to relay through the server.

Knowing this client as I do, and their fear of passwords, I guessed an spammer had managed to guess a valid domain username and password and was using this authenticated account to relay mail through – slippery little suckers these guys are.

I removed the tick, cleared out the mail queues and voila – spam stopped. Now I just need to get them de-listed from the spammer list.

So, what’s the moral here? First, it’s not really the fault of the checkbox on the virtual server that caused them to become a source of spam – it’s the users who don’t want to use proper passwords (aka passphrases) to protect their login accounts and hence the network. Most mortals don’t realise how easy it is to crack a users login through guesswork or even using a list of common passwords (see a page full of common passwords here).

Removing the check from the box solves the problem for the moment though, as we go through the process of educating the users about why they really need to use passphrases instead of just passwords which are far too easily cracked.

And “what’s a passphrase?” I hear you ask? Instead of using a word for your “security” – like your dog’s name, or your birthdate or similar, use a phrase that combines both upper & lower case letters, numbers and even punctuation, to make your login much more secure but still easy to remember. If your dog’s name is Spike and you got him in 2001 then perhaps you could use something like “I got Spike in 2001 and hes really cool :)”. Simple to remember, very hard to guess and if someone happens to be “shoulder surfing” whilst you type it in (which I really don’t like and is very bad etiquette) they’ll find it difficult to follow and remember.

Simple isn’t it. Don’t wait until you get hacked to start practising safe logins – start today, right now in fact. It can be as easy as Ctrl-Alt-Del, Change Password and away you go. Go on, give it a go – you’ll be glad you did.

If you can come up with a reason to not start employing the use of passphrases please let me know – I can’t think of any!!

Business Networking Benefits

This morning I’m heading to my monthly meeting with a bunch of other small business owners. We meet at a hotel, with a business coach, and talk about all sorts of topics including business planning, financial planning, measuring business performance, staff, marketing etc etc. It’s a great environment as we’re all in different types of business, so it’s non-competitive, and we all get along really well, so there’s always great discussion.

This type of get together is a great way for business owners to talk with like-minded individuals. Helps you realise you’re not along in this big world.

This weekend, I take this to the next level – I’m meeting with Wayne Small and Stuart Applegate. Wayne runs a business very similar to mine in Sydney, and Stuart’s business is in Brisbane. We met through the SBS community which, around the world, is unique (hard to explain – you need to be in it to really know). We are also all SBS user group facilitators and so have a passion for helping others develop their business (not just the IT component) further.

We’re meeting to discuss … business! How we run our businesses – marketing, management, reporting, client service etc etc. It’s set to be a great weekend. Our wives are getting together too which will be great for them as they’re all married to “geek” husbands who don’t really know how to stop working, so they’ve already got a very strong similarity between them (we’ve all also got 2 kids each – this is getting spooky!).

So why are we doing this? It’s a means of not only helping to further develop our own business, but also to help each other. We have a great bond of trust between us which helps immensely too – a must of this type of get together to be really effective.

It also means we have resources we can draw upon for technical work in each others state, which serves to improve the level of service we can provide to our clients wherever they are, and we have a fall-back for both technical and business support if we decide to go on holidays.

All in all, business networking, when done with trust, honesty and genuine goodwill, serves to enhance both your business and personal life – and it’s after this that the profits should start to improve too. If you get into this with the intention of just making more money it won’t work – you’ll burn too many people and ultimately yourself. Start by looking to help others first. That’s certainly one lesson that comes through time and again in the SBS community too.

Give it a try – who knows where it could lead!

Welcome aboard

OK, so it was time to start blogging myself, after being encouraged, poked and prodded from my fellow geeks.

So, what is a blog? Why blog? Why read these ramblings?

Why not? We’ve all got 168 hours in a week and it’s up to us to fill them as much as possible – there’s always more to learn and reading a blog is about as personal as you can get, without actually talking face to face, to get to know someone. This is a bit like an online diary but without the “Dear Diary” beginning.

What can you expect to read here? Just about anything really. I will do my best to NOT regurgitate anyone else’s information by keeping this as original as possible. And it won’t all be technical either, although my life does tend to mostly involve electrons flying through some sort of silicon chip based device.

Right – so first post is up. Time for me to get back to work and I’ll think of something else to type about soon enough. Thanks for visiting – come back again 🙂