What Could Free Software be Costing You?


Dan: Why, yes it is. Right now it's 8:30. Welcome back, and on the phone with me, let's see, I've got Vince and I have Sam on the phone with me. Good morning guys.

Sam: Good morning. Good morning.

Vince: Good morning.

Dan: Okay. We got both of you. Good. I was a little worried there for a minute, Vince. Okay, but we got you. Good. How have you guys been in this ... How have you guys been this past week? Everything good?

Vince: Yeah, everything's fantastic.

Dan: Good. No, everybody's safe. Nobody's sick. I love to hear that. Family's all good?

Sam: Yep.

Vince: Yeah. How about you, Dan?

Dan: Yes, sir. Everything's good so far. I can't complain yet, but if I do, I'll let you know.

Vince: All right. I've got my complaint numbers here.

Dan: Yeah, it's like that grenade. Take a number. I got you. All right guys. Man, I hate this thing. Okay. All right guys, I guess let's just go ahead and get right into it, man.

Announcer: Bit-Wizards Bits & Bytes.

Vince: Well today we're going to talk a little bit about printer and device security, and there was a great article that came out by Business News Daily that said "Is Your Printer Your Weak Security Link?" Printers are now pretty much multifunction devices. They print, they fax, they copy, they scan, and they're also networked, in two ways, sometimes they're hardwired and sometimes they're wireless, but because they're not typically a computer, people often overlook them for security, and so they are a weak point. And printers and these types of devices need security hardening too.

Sam: That's right. In the early days of computing, a printer was just something you hooked up to the back of your computer with one of those giant connectors that were three inches wide. And when you needed to print something, it just sent a couple of signals down the wire to this printer. But now we need lots of computers to be able to print, so we put it on the network, but what that means is the printer itself has become a computer of its own. But we don't think of it as a computer, we just think of it as a printer still. But actually it's another device sitting on the network, and it's very easy for IT staff to overlook the problem of printers because it feels like it's just a printer, and the biggest issues that happen with it is when a piece of paper jams, when you run out of toner, but actually the security risk involved is because it is a computer sitting on the network itself, it kind of exposes itself to the entire network as well. So one of the most critical moves that you could make is securing those printers. And probably the easiest step is just to go in and change the default password on all of those printers, because if you have a network printer, it has password options. And this is just so easily overlooked that I would say 99% of people do not change the default passwords. So anyone can look up online in about two seconds to find default passwords to those printers. And you think well, what's the big deal? So somebody gets into my printer. What are they going to do? They're going to print out some faxes? Well big deal, right. But actually it is quite a big deal because yes, someone could have access to your printer, but you got to think about a few things that are in that printer. And one of those is even giving someone access to print to the data that's stored on the printer. 
When you send your job to the printer to get printed, and it might be someone's paychecks that are being printed out, or it might be your QuickBooks summary report or whatever that is, that's getting stored on a tiny little hard drive inside of that printer wallet while it's spooling over there. So having someone have access to it is kind of a big security flaw.

Dan: Well on that note, it's also an intranet. Wouldn't it be the intranet for your office? Is there a way they could break into the intranet from the printer?

Vince: Absolutely. Because what they're doing is they can actually sniff the packets as they come over the wire within there, or they can look at the print jobs and get inside information, it might give them access to other systems within your network. And so another thing that they can do is if you've got that center password, they can learn something about your network, right, because your printer is a network device, and so they can make unauthorized configuration changes that might redirect or make the print come out over on their network. And so they can change the route to the printer of those print jobs, they can insert new content, somebody could send a nasty picture or something like that through, so manipulating the print job, or deleting the log so that you can't see what different people have done. And then, of course, obviously you're giving them access to any data that is being printed, and they can get access to that from the memory, the file system, any of the print jobs or hard drives for the printers are decommissioned. Basically the printer's sort of an attack point because it's considered a low valued asset on the network, right. And it's often overlooked, so that compromised printer can be used as that link point to sort of knock down the dominoes and get access to the rest of your network, or they could even insert some arbitrary malicious code, or attack other systems, or do some sort of a denial of service attack.

Sam: It's possible even for someone to put a computer on your network and have it pretend to be a printer, so it's receiving print jobs as if it were a printer, it's tricking everybody into thinking that, and actually it's just saving all of that information and harvesting all of that information. And there've been a few bugs in the past where people have been able to use that by tweaking the printer packets, by tweaking the things you're sending to the printer, it actually overrides systems and gives you admin access into the system. And so it's a very easily overlooked attack vector. And it's something that we focus on when we do our managed IT services for our clients, we make sure that we are scanning the entire network all the time specifically to keep an eye on these things, because the big problem with securing a printer is that, even though it is a computer, you don't have a login screen where you can go in and install some antivirus, and install a firewall and things like that. You can't install anything on it so you got to kind of protect it from the outside. So there's a few things you can do though to help fix that security. Like I said, a few things that we do at Bit-Wizards. And protecting your printer from threats isn't really that much different from protecting any other device on the network, but it begins with basic steps, like making sure that your printer is secure, not just your servers, but also these peripheral devices on the network. Making sure you're doing the updates on the printers to patch any vulnerabilities that are out there, because those happen quite a lot, and I guarantee you that the printers you have probably have updates that you haven't installed on them. And then, of course, changing the passwords on those devices, and making sure you turn on authentication if you haven't turned it on already. It's going to go a long way to locking those printers down.

Dan: Gosh, I guess you're right because I have never ever updated my printer. I guess that's something. Do you have to go in and look for that, Sam?

Sam: Yeah, so you can usually just right click on the printer on your computer and tell it to run the updates. That's what we do for our clients is we periodically check for new drivers for those specific printers, but even the printer itself can tell you if it's time for an update, if there is an update from the manufacturer for it. Usually the updates you don't have to install necessarily directly on the printer, it's the device drivers on all of the computers connecting to that printer that would have the security vulnerabilities that we're trying to lock down.

Vince: And sometimes too those printers, if you go out to the manufacturer site, they have firmware where you can actually update the actual software that exists inside of the computer. You can go out and check for those updates, and just make sure that you've got the latest firmware, and those have little auto updaters that will go in and they update that for you, and then the printer has the software. And oftentimes too it comes with some new features in addition to plugging vulnerabilities or other things that have happened.

Dan: Yeah, I would imagine a lot of people overlook that with their printers, don't they?

Sam: Well, I'll go so far to say it's not even just printers, it's a lot of devices on the network that we fail to think of as computers on the network. And a good example would be one of those hard drives that you have that's connected to the network so that you can have an external hard drive for several different computers, and it just plugs into the network, or jumps on the wifi. Well that's the same as one of those printers. Now it's a computer on the network that you can't install antivirus on, so you have to be able to come at it from the outside. Another example at a business would be when you swipe your key card to get into the door, well that's going through its own system, and that system is talking back home to the internet, and so it's another one of those devices, like a printer, that is connected to the network. We forget that it's a security vulnerability. But really, with the printers, it's something we can pretty much guarantee every single business has are network attached printers because you can't really survive without having those printers. So a few steps that we do, and that you can do as well is number one, keep the printer operating system up to date. Like Vince said, if you can find that firmware update, that's always a good thing because firmware is between software and hardware. Firmware is the software that runs on the device itself and is always there when you turn it on, and so it's what powers up the printer itself. And so if you can update those, that's great. Changing the default pins and passwords, and changing those regularly. It's super important because it's the same as a password on your computer. And I will say almost every printer I've encountered, someone will have one of those default number patterns on there, the one, two, three, four, or the four, three, two, one, or the zero, zero, zero, zero because it's a nice security ... 
It's a nice little convenient thing, "Oh, I can just punch in the number four times and it gets me in." But that's not a good thing to do, again, because it opens it up and it gives you a false sense of security. And if you can, there are third party services that give you what we call two factor authentication, which means when you go to send something to this device, it will confirm that you are who you say you are, and it'll send a text to your phone number, or it will ask a little popup on your phone so that you can identify who you are. And then, of course, a good idea is to turn off the features on the printer that you don't need. So if you never ever scan to email, then turn off that feature because it's leaving it open as a vulnerability to your organization. Or if you never print whatever it is, system or all of the different tools that come with that printer. If you don't need those features, turn them off because it's one less way for someone to get in there. And then, of course, the last thing, and we always talk about this, is don't ignore the employee connection, which is the human element of this. And so that's important, making sure that your entire company knows the security risks here, which means they, like a computer, can't give out the password to just anybody. You can't just let somebody onto your computer. And so having employee training is definitely a key part of that. And so for us at Bit-Wizards, just making sure all your devices are secure is critical to us. We're constantly trying to think of those edge cases that a lot of people will miss and ignore that become attack vectors for the bad guys. And so we understand that technology is a tool to help make your business more efficient, and to better serve your customers.
And so for us, securing and monitoring all of the devices on your network, whether that's security, IP cameras that you've got in the parking lot, or printers that you've got throughout the network, or door controllers where you swipe your key card to get in, all of these network attached devices, like the storage and those kinds of things, you can go get off the shelf at Best Buy and they jump on your wifi, we're managing, and monitoring, and controlling, and setting up alerts on all of those devices for anything that seems to happen that seems a little suspicious to us.

Vince: And even something as simple as your phone, a lot of people overlook the phone. The phone is now a network device. You've heard us talk about before that every company is a technology company now, and so there's a plethora of devices that get attached to the network. We have voice over IP phones, then we have people that have put their cell phones on. Think about how often you get an update on your phone. When that phone gets updated, it updates your iPhone or your Android operating system, it often updates the firmware at the same time. And the reason they do that is just to make sure that the latest security is out there, you get the latest features and functions, and that's how technology sort of marches on. And every time a new one of those things comes out, there's a potential for it to create a hole. This is why they've got security experts that are constantly out there looking at those things and making sure that we're constantly paying attention to those different attack vectors, those different things that people can do to get access into your systems.

Dan: Yeah. And so if a company, a small company or a large company, hires Bit-Wizards to come in and take care of their security on all their intranet devices, because a business wants to be able to focus on their business, and you guys will come in, your Bit-Wizards will come in, and you'll make sure that the intranet is secure. And you can check out all the devices that hook into their intranet, and make sure that they're safe and they're not going to be permeated by some outside source to start stealing their data and creating havoc.

Vince: Absolutely.

Dan: Awesome. All right.

Vince: With that, we should probably tie back into what's up our sleeve for today, Dan.

Dan: Absolutely.

Announcer: Bit-Wizards. What's Up Our Sleeve?

Vince: Hold on a second. Let me move my sleeve aside here and see what we've got.

Dan: Oh, there's a wand. Oh, there it is.

Vince: Oh, there it is. Let me pull out my wand. There we go.

Dan: Oh, an ace of spades too. I'll get that out the way.

Vince: There you go. Okay. Well, today's topic is that free software isn't really free. So a lot of people have heard of what's called open source software, or software that they think is free, and using it often makes you a penny wise and a pound foolish. So obviously working with free software sounds great, there's hundreds of free software that's easily accessible on the internet, but how are they free? There's got to be some sort of a catch. And I think small businesses and companies think that this looks really promising because they're saving money. You can freely distribute the software, you can modify it for your own use in some cases. Unfortunately you find out too late that there's an issue with free software because the people that make this stuff have to make money in some way, shape, or form, and there are additional costs that come along with using free software.

Sam: So there's free, and then there's free. There's different kinds of free software. And you might remember back in the day they used to have a thing called Shareware. You don't see it very much anymore, but it used to be you could run this program for a week, or maybe two weeks, and then after that time was up it would lock it down and say, "Sorry you can't use this program anymore." That model's kind of fallen out of favor, but really there are different kinds of free software right now, but the point of it is somebody still has to create that software. And so just like all the free games and apps that you can get on your phone, someone had to pay to make those, and so you got to kind of follow the money and ask yourself am I getting what I'm paying for here? Because one of the ways they can supplement that cost, of course, is with what we would call adware, which is where every time you break through a level on a game, or every time you try to access a new feature of this app or program that you have, another advertisement is going to pop up, another advertisement is going to pop up. And we're almost getting immune to all these ads that pop up because this is becoming really a form of funding the software. However, the adware itself is saying that this piece of software is paid for by the ads that are going to go across your eyeballs, but it also allows the off the ... that it's not just directly paying the author for their software, but you're also allowing these people who are paying for these ads to have access to your software, and to see your habits as well. So one of the more important costs with software is also the support fees that go with it. And so often the free software that you can see online that we would call open source, that means you don't have to pay for it, the code is wide open, anybody can go get the code and make it themselves, the problem is there's no support with those.
So if you start to run into a problem, who are you going to call? Well nobody, because there's nobody who owns this piece of software. And so then there are companies that pop up that provide support for those, but then you end up paying quite a lot more than you would for the kind of software you just buy off the shelf because you're having to pay for these expensive support contracts, or some experts have had to come in and show you how to use this free software that tends to crash, or tends to get a little bit buggy, or all those things. So that's one of the problems with open source software is there's really no guarantee that their services are going to still be there. So if you subscribe to some support service now, you don't know that they're going to be there tomorrow, or the next month, or the year because free software itself can disappear whenever it chooses to, and so the same with the support companies that go with it. And if you're not paying for a hosted site, then you're not getting any kind of guarantee that your site's always going to be there for you when you pay for it. In the end, most of the time we found you spend more money trying to maintain this free software than you would by actually using commercial software where you know you're getting what you pay for.

Dan: Well that makes perfectly good sense, because oftentimes, like you said before, if they're going to make software, somebody somewhere is going to have to make money off of it, whether it's collecting your information and selling it, or sending the ads across it, so hopefully people aren't being duped in thinking wow, free. That's great. Out of the goodness of their heart, they made this software for me to use.

Vince: Yeah. And software is expensive. Because Bit-Wizards writes custom software for company software. It's very expensive to build right, maintain, and go forward. Oftentimes the open source or free software that's out there, that software is not often maintained. There's no product roadmap for it. There's nobody looking to make sure there are no security vulnerabilities, or patching, or updates. There's several pieces of software out there right now that you can get them for free. But then if you want the updates, you've got to pay for them, or you've got to pay for the support, as Sam talked about. The other thing is that a free softwares often is put on there with spyware, and they actually use it. And you click and say that I agree to the end user agreement. And what it does is it spits all the packets on your computer, it picks up your data, it gets data about or information about you, like your name, your address, what websites that you frequently visit, whether or not you buy certain products or things like that on Amazon, and then they sell that information, and that's how they make the money to support that particular software. But the bigger issue there is that oftentimes with free software, you've got hackers and you've got people that put stuff out there just so that you'll download it, because they know some unsuspecting person will find it, and what they'll do is they inject malware into your computer, and they use it for nefarious purposes. And so you don't even know that they've infected your computer with some sort of malware, or ransomware, or some other type of spy software, and they're getting your information and using it for nefarious purposes, and you didn't even click a EULA, or an end user agreement, or a software agreement that gave them permission to do that, you just simply downloaded some software from some source, you didn't even know who it was, and put it on your computer.

Dan: Oftentimes, I guess that's when people just want something for nothing, want it free. And so they just load it with this other, like you're talking about, spyware, and they just go right in and do what they want.

Vince: Yeah. Your business is just ... I'll say it again. Every business is now a technology business. Your business is just too important. And I would even venture to say your personal life, your privacy, your information, your stuff, your pictures on your network at home, those types of things, those are too important to open up to ... People do this. You got to value what's important, and electronic data, electronic information, and the things that you have there are very critical. I've had people come to us here at Bit-Wizards literally in tears because they've had a hard drive that basically has all of their personal pictures, their family pictures from years and years and years, since we started doing it digitally, or they've gone out, and they've got them all scanned, and then brought them in, and then that hard drive has failed. It's not backed up. It's not secured. It's not put away. Or somebody ransomwared it. And now they don't have access to those family memories. And so you can't overstress this too much. It's very important that you keep this type of stuff secure.

Dan: And that's wonderful because Bit-Wizards, you guys go over all of this with all of your clients to ensure that everything is backed up, and I'm sure you educate them on what to click on, what not to click on. If you need some software, let's talk about the software that you really need, and don't go running out and get this wonderful free software that's going to just ruin everything.

Sam: That's absolutely right. We try to help companies differentiate between the difference between it's okay for you to use this freebie for your kids at home, who are just surfing the internet, or playing games, whatever it is, but when you have your business, you get what you pay for, and you really need to think in those terms of this is for my company, I wouldn't use free this, I wouldn't use free that because of the value that I get. And so it's the same with the software and the hardware that you have in your environment, we think the same way about those items, and evaluate the software you have, and say, "What's the proper business application for what you're doing right now?"

Vince: And the other thing that's kind of scary, Dan, is that you've got other IT companies out there that this is how they do their business. They actually go out and get a bunch of free software, and that's how they provide their services. And that's a pretty scary prospect when you think about it. They're trying to keep it super low cost, and that's what they do. They get this free and this open source software that they say that they've vetted or whatever, and then they utilize it within your business. We've learned that that's just not the way to go. You want to run your business like medium and large businesses do. You need to be thinking in terms of using software things that have a technology roadmap, that have a company behind it that's going to back it, keep it up to date, and that's properly vetted.

Dan: Yeah, it sounds to me like, with you and Vincent, Sam, you guys do it the right way. Don't try to cut corners, and try and be cheap, and try and get free because you'll have little presents that'll be given to you that you don't want. Do it the right way and everything should be good.

Sam: That's right.

Vince: You don't want to get caught with your pants down. You need to protect your privacy.

Dan: Protect your privacy. I love it. And with that, let's get some mystery going here.

Announcer: Bit-Wizards, From the Spell Book.

Sam: So we always just demystify technical geek speak, and you may have actually heard us talking about this term just in the last few minutes and wondered what we were talking about, and that is the term open source. Now, a lot of people equate open source with free software, and there's the correlation there, but it is not exactly the same thing. So open source, it means where the underlying code of the software they're using is open for anyone to see on the internet. Anybody can see, anybody can take that source code and make changes if they want to, and open source products include access to the source code, or to the design documents, or the content of the product. It often refers mostly to the open source model of the model itself, which is where the software or other products are leased under this licensing that says nobody can own this code, it has to be free for everybody as part of an open software movement. The term originated itself with software, but it has expanded beyond the software sector to cover other content and forms of open collaboration. I know a famous sci-fi writer, Cory Doctorow, writes all of his sci-fi books under open source, which means you can go buy the paperback book if you want to on Amazon, or you can just go download the book itself and figure out how you're going to read it yourself. If you want to print it out on 200 pages out of your printer, you can, or you can load it onto your iPad, or whatever that is. And so we are always trying to stay on top of the current software that's out there right now, and what's trending and what's not. And so we keep track of these open source licenses. In fact the biggest contributor, which is surprising to a lot of people, I bet, the biggest contributor right now to open source software is Microsoft.
And so people are always very surprised about that because they make great money with the software that they write, like Windows, and Office, and all the other tools they have, but they actually also contribute very heavily to the community of the open source that helps propel the industry forward. And so Bit-Wizards, we're always working with you to keep your company's IT up to date and compatible while helping you maximize your return on your technology investments.

Dan: That's interesting.

Vince: I think the key thing with it ... Go ahead, Dan.

Dan: Oh, no. I was just going to make a comment. I said open source, not open sores. That's good to know.

Sam: That's different. That's leprosy. That's a little bit different. It's its own kind of virus.

Dan: Right.

Sam: Well I think we're going to have to wrap it up here, but as usual we want to always give a shout out to some of our clients. And actually today we wanted to give a big Bit-Wizards thank you, and a shout out, and welcome to our newest client, it's CareerSource. CareerSource, Okaloosa Walton is working to ensure that every citizen has the opportunity and the skills necessary to engage in a meaningful employment throughout Okaloosa and Walton counties, and that every business has access to educated and prepared employees that meet their needs. And I know they are working to help with those people right now that are looking for work, and helping them apply for unemployment benefits. So I want to say a special thank you to Michele Burns, and Mary Travis, and Therese Baker for choosing Bit-Wizards. They're working to utilize technology as a strategic enabler to help the citizens of our community of Okaloosa and Walton County to match people looking for work with employers who are hiring, as well as providing valuable job skills and training. And so I want to say a big thank you to the whole hardworking team there for allowing Bit-Wizards to serve you. We love working with CareerSource already.

Dan: Yeah, you guys are providing them a good service, I'm sure. And they provide a good service to our community.

Vince: That they do, and I know they're working right now hard with the chamber, and with the Okaloosa County to sort of bridge that gap that we've got going on with all the folks that are out of work right now. I've been in several different discussions with my chamber hat on, and CareerSource is definitely working hard to make sure that the citizens of Okaloosa and Walton County are serviced, and that they're tied back in. And I think after this whole thing ends, the Fort Walton Beach chamber is going to be working with the county and CareerSource to sort of have a jobs fair where we compare businesses that are looking for workers and people that are looking for work together, and help people get their unemployment benefits. But I know they're doing it while they can virtually right now, while people are sheltering in place.

Dan: That's awesome. You guys are a good match, with CareerSource and Bit-Wizards, and well, any small company would be smart to hire you guys. So guys, we have to take a break for now. Until next week. I appreciate you guys coming on the show and sharing your information