When purchasing or selling a business, one largely overlooked procedure that is perhaps equally important as a financial and legal review (and often one effects the other) is a technology audit. This should be performed by a third party and never by the staff of the business to be audited – for obvious reasons. Most would agree that businesses rely heavily on computer systems to perform daily operations, so ignoring this vital part of the equation would be a mistake. Here I will discuss questions that should be asked and answered as part of the discovery process.

Step 1: Hardware

Taking inventory of technology assets such as PC hardware, printers, and network equation is the first step. How old is the hardware? Are all  the systems different? Were they purchased at different times or all at once? Are they on a life cycle – and if so, are they reaching the end of that cycle? What kind of fault tolerance do the systems have? Are there proper backups? Is there a server? Is it being utilized efficiently? Is there a high failure rate of existing hardware? What network hardware supports the environment? Is it secure both physically and from the internet?

Step 2: Software

Software audits may be even more important and if rushed can be disastrous. Are all systems the same OS or is the environment mixed? Are they updated consistently with security patches? Are they protected by antivirus and antimalware systems? Does the business run behind a firewall? Is access to sensitive information limited to specific users or groups, or is information security loose and trusting? Is the server properly maintained? Is all the on-site software licensed correctly? This last question is especially important for mid-sized businesses that have experienced rapid growth, as they typically struggle to maintain IT compliance to match business expansion, and Microsoft notoriously audits these types of enterprises.

Step 3: Other Assets and Liabilities

Does the business in question have outstanding contracts or obligations to IT professionals? This goes hand in hand with a financial audit, but it should still bears mentioning. The business website, if applicable, should also be considered. Does it look good or is it abhorrently ugly (thus driving away potential clients)? Is it maintained properly? Does it adhere to modern web standards? Are their security risks associated with it (i.e. private client information accessible online)? Are there broken links or functions?

These are just a few examples of questions that should be asked when looking at a purchasing or taking over a business.

Even a short investigation will reveal a clearer picture of the true assets and liabilities involved, and can at the same time identify possible improvements and cost savings before acquisition.

I often receive messages from concerned parties stating that their email account has been hacked or compromised, or that there is a virus infecting their system. They come to this conclusion based on the messages bounced back from "mailbox not found" or "unknown address", AKA the 550 error – but these returned messages were never sent in the first place.

The sad truth is, one need not hack,corrupt or subvert an email account in order to use it. Just spoof it.

Yesterday, I received one such message from a friend, who of course worried he had a virus. I asked him to forward the returned message to me so that I could analyze the header information codes and perhaps trace the source. I traced it back to a legitimate-looking site and I notified the technical contact in charge of the hosting, which is about all I can do to resolve the end on that side. Afterwards I notified my friend that his account was not corrupted and I would demonstrate what happened.

I threw together a PHP script that took me literally less than 30 seconds, and with it I sent him a spoofed email both from and to his own address.. I could have sent him an email from any name and account. Any number of celebrities would have made an interesting analog, but I decided impersonating him would best fit the spirit of the spoofing demonstration.

I’ve said for years that email as a technology wasn’t well thought out, and in its current state is broken. According to RSA, over 260 million malicious emails are sent to consumers every day impersonating a trusted company in attempts to lure them into installing malware or handing over private account information. Gartner Inc. estimates the direct costs of repairing the damage from phishing{{1}} and spoofing{{2}} at $3.6 billion a year.

Imagine for a moment that I unscrupulously wanted to destroy someone’s reputation with the same PHP script I wrote earlier. All I would need is to know some of his contacts (or business contacts if I were feeling particularly nasty). From there, it would be too easy to send abusive spoofed messages to friends, family, or random people which could at the very least add him to publicly available spam blacklists, and at worst, lose him friends and clients.

There is a clear and present danger with it comes to electronic communications identity.

So how do you protect yourself from spoofing?

The most current technology standard in the battle against email spoofing and spam is something called SPF, or "sender policy framework". To see how this works, here’s a bit of background info. When sending an email, servers communicate similar to the way people do. They greet each other, identify themselves, and continue with the conversation (email transmission). But one can force a server to lie, or at least to distribute a lie. When someone sends an email, it goes from their outbox to their server, which then passes it along to the recipient server who passes it to the final destination. Unless security measures are in place, this is essentially all that happens and nothing prevents anyone from masquerading as anyone else. SPF allows servers to ask two questions: "are you really who you say you are?" and/or "are you authorized to speak on their behalf?". So when server X identifies itself as ALPHA (even though it is not), server Y will look up the real ALPHA and ask for its SPF record to see if the impostor’s IP address matches who it claims to be. Since it is not, it will reject the message.

What does it take to create an SPF record? About 30 seconds of work and access to your domain’s DNS server. When finished, it looks like this:

v=spf1 mx mx:servername -all

That’s it. One little txt record in your DNS settings.

The main failing of this measure is for it to work, it requires action both by the sender’s domain (or server host) and the receiver’s. If one wishes to protect their address from being spoofed, one must create an SPF record for their domain. To protect your domain from receiving spoofed messages, the email server must be configured to look for those SPF records. Any failing on either side makes both vulnerable.

Ultimately, the answer is obvious: SPF records MUST be a standard procedure for all domains and email servers (both hosted and internal). Without it your brand is extremely vulnerable.

[[1]]From Wikipedia: Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.[[1]]

[[2]]From Wikipedia: E-mail spoofing is e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. Because core SMTP doesn’t provide any authentication, it is easy to impersonate and forge emails.[[2]]

Homepage feature image courtesy of empty_inbox.

Update: TechRepublic released a supporting article dated April 11, 2011. http://www.techrepublic.com/blog/security/identity-theft-businesses-are-at-risk/5324

A few weeks ago I was helping a friend take care of a hardware problem with his MacBook Pro, which I determined would be covered by Apple (despite being several months out of warranty). I called two local Mac-centric stores, the first of which didn’t answer their phone after repeated attempts, and so it was obvious they didn’t want Apple’s money and therefore I moved onto the next. They were friendly and helpful as I expected and so together my friend and I went to this store and while he spoke with the service desk, I stood back and observed and waited within earshot in case I was needed for assistance.

While he was taking care of his issue, a woman came in with her iMac, and I overheard her telling another technician the problems she was experiencing. I could tell immediately it was a software configuration issue with her Email client, which was Microsoft’s Entourage. To my horror, the tech promptly told her that they don’t support Entourage because it’s old and nobody uses it anymore, and because it’s a Microsoft Product.

Despite not being in a position to help the woman (and the impropriety of soliciting business while inside a store providing a similar service), I was quite irritated to say the least.

I was formally trained on Microsoft’s Windows operating systems, and I hold a number of certifications that cover them. But to make an excuse like he did would be like me saying I don’t support Apple’s QuickTime software or iTunes because they’re Apple products. Besides which, Entourage is by no means an old obsolete Email client.

I’m often asked which computer is better: Mac or PC? Typically those asking such questions won’t even consider Linux as a viable option. But it is a loaded question. It is a question I cannot answer, because I would say “both”. Each one has their benefits and limitations, and each have their place. Even Linux has some very user-friendly and viable options freely available.

Personally, my desktop (and not coincidentally the computer I’m using to type this) is a Mac Mini. I use this computer for all my web development, writing, billing, research, database development, and media authoring, and I find the software for most of those tasks to be equal or better for Mac OS X. For example, I am currently using Twitter’s first party Twitter app for OS X that I downloaded from Apple’s App store. No such first party software exists on the Windows platform. Conversely, my laptop is a Windows 7 Dell XPS 1530, which affords me more versatility in software options and configurations. Many of the tools I use as an IT consultant are more readily available or easier to use for Windows. It is near impossible to find a Mac equivalent for some tools I use. For the average user, however, I can see the draw to Apple.

My other desktop, which is actually one I gave to my wife, is also Windows 7, but it can also boot up into Ubuntu Linux 10.04 “Lucid Lynx”, which has a great user-friendly interface and compelling options… and it’s 100% free and open source (foss). I keep a number of Ubuntu installations around so I don’t fall behind the technology, but most of my time is spent between Mac and Windows because those are the two computers I have most readily available.

Apple’s OS X tends to be more media-focused. With iMovie, GarageBand, and iWeb you can create a movie, dub it, give it a soundtrack and publish it to youtube or even your own blog, and admittedly when finished the end product will look, and sound, far better than anything Microsoft has yet released.

On the other hand, Microsoft tends to be more business and office-centric, with a focus on word processing, email, and centralized administration. Windows has built itself to meet the demands of current IT security measures and standards. One server can control thousands of client computers in an organization. This is a feat that OS X is still catching up on, however they are gaining ground.

For businesses requiring a full-featured server, the competition gets a bit more interesting.

A business owner recently asked me to provide a quote for a server which will initially serve as a simple file server, with more functionality possibly being needed down the road. My first response was to go over the Windows option because it’s the standard option, however when I crunched the numbers, the cost disparity between OS X Snow Leopard Server and Windows Server 2008 was a bit of a surprise. Windows was up to five times the price of the Apple option, but had fewer features, and would have required an additional fee for many of the features which may need to be added in the future. On the other hand, if the business were part of a bigger enterprise with restrictive IT policies, the result wouldn’t be the same, and to integrate OS X into a greater infrastructure would take a relatively significant amount of configuration to perform.

I don’t have a “favourite” operating system. It comes down to personal preference and what you need it to do. I do, however, support all of them.