Quanexus January 2018 Newsletter

Quanexus January 2018 Newsletter

It’s a new year, and we are off and running.

First, a big thank you to our many clients for making 2017 very successful. I hope you all had a great year, and are ready to make 2018 even better!

We opened the year with a security threat that affects every computer built within the last twenty years. Project Zero has identified two security vulnerabilities that affect Intel, AMD and ARM processors. AT&T and Verizon are leading the charge for the 5G network, which promises to be rolled out this year. The White House banned cell phones in the West Wing, and the Department of Homeland Security announced a breach.

Remember, the term “breach” needs to be used carefully. It has different legal definitions based on the laws of each state. Ohio is a breach notification state, which has clearly defined reporting requirements.

From Our President

We’re growing! 2017 was a wonderful year for us and I’m happy to say we have added three new employees to our Quanexus team within the last month.

Please join me in welcoming to our Data Division: Austin Elliott (Technician), Mark Crase (Technician) and Richard Poulsen (Network Engineer). Austin is currently helping the guys in the Voice Division with a couple of large projects. Mark is busy on the bench and offering help desk support. Richard is in the field, assisting with firewall and server installations.

We are all excited about our new employees and hope you will enjoy working with them as well.

Intel, AMD and ARM Processor Security Issue(s):

As many of you already know, there were two, serious security bugs found in Intel processors, and one security bug in AMD and ARM processors. The issue, discovered by Google’s Project Zero, has existed for over 20 years.

The bugs have been named “Meltdown” and “Spectre”. Meltdown only affects Intel processors, while Spectre affects AMD, ARM and Intel. These processors are used in computers, mobile devices and cell phones. Early research indicates that the cell phone and mobile device market is relatively safe for now, based on the complexity involved to create an exploit.

The vulnerabilities allow the attacker to access the privileged memory of a processor to gain access to key strokes, passwords, etc. Researchers have proven that it is possible that privileged memory access can be accomplished through java code execution in web browsers.

Microsoft, Google, Mozilla and others have been busy updating their browsers. Microsoft has also rolled out a patch for Windows 10, but it won’t install on many systems because of some technical compatibility issues with anti-virus engines. Additionally, it has been reported that the patch has caused the famous “Blue Screen of Death - BSOD”, so the cure may be worse than the problem.

The anti-malware vendors are stepping up their game by trying to block exploits. It is very important that companies keep their browsers and anti-malware signatures updated.

The problem’s root cause is in the processor’s protected memory section. Some researchers are speculating that the fix will cause systems to run as much as 33% slower.

Until January 4th, Intel had been quiet about the issue, but recently released a statement stating that the fix will not cause any performance issues. AMD released a statement confirming that the vulnerability exists in their chips, but further reported that “Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.”

Apple announced that they have already patched these vulnerabilities in last month's release of MacOS for Sierra and High Sierra, 10.13.3. Quanexus is closely watching these issues and will be implementing updates and patches as they become available. Any performance issues that a patch may create will be reviewed with our clients before being performed.  

Google's Project Zero

In July of 2014, Google announced Project Zero, which is a team of Google employees whose job is to find Zero-Day vulnerabilities.

A vulnerability identified as Zero-Day, represents the date when the company that is responsible, or has an interest in fixing the vulnerability, first learns of the issue.

When Project Zero first identifies a Zero-Day vulnerability, they provide the software manufacturer a 90 day notice before releasing the information to the public. The 90-day notice is Google’s way of implementing responsible disclosure.

The Spectre and Meltdown vulnerabilities were first identified by Project Zero in May of 2017 and provided AMD, ARM and Intel extra time to resolve the issues. Project Zero planned to go public with the information on January 9th, but the information got leaked to the public early.

First Lunch-n-learn for 2018 Scheduled 

Our first lunch-n-learn for the new year is scheduled for Wednesday, February 21st.

This event will be covering technology issues specific to nonprofit organizations in the Dayton area. You may already know the benefits of outsourcing your IT but perhaps you have other board members, CFO’s, or directors that would like to attend, or you have questions you would like to have answered.

If so, click here to register today.

White House Bans Personal Cell Phones

The White House is banning the use of personal cell phones in the West Wing for staffers and visitors.

Staff that need access to cell phones for work, either have, or will have, government assigned phones. Smart phone technology represents a risk, where confidential information is being viewed and discussed.

The ability to record audio and video without being detected, creates the potential for data leakage. Staffers are unhappy with the new ruling. Some unnamed staff members have spoken with the media, complaining that their government issued phones will not let them send personal text messages. Others believe that this decision is based on preventing data leaks on President Trump’s personal life in the White House.

With some of the new technology in smart phones and smart watches, it is easy to understand that these devices do pose a security threat, and this should have happened a long time ago.

5G is Coming

AT&T and Verizon are both reporting that they will have 5G in some markets in the second half of 2018.

Verizon will be rolling out 5G in the Sacramento, California area and have partnered with Samsung to provide their first 5G devices. They plan to rollout three, 5G networks throughout the US by the end of 2018.

AT&T’s plan is more aggressive. They plan to roll out 5G to 12 metro markets by the end of 2018, and plan to be in 82 markets by mid 2019. AT&T currently offers a phony 5G network called 5G Evolution, which is currently in 23 markets. The phony 5G Evolution network stacks several 4G chips in a phone for increased speed. AT&T will continue rolling out their 5G Evolution network during 2018 to hundreds of metro areas.

5G technology is an essential component of the self-driving car. The high-speed network is needed for cars to communicate with each other fast enough to prevent accidents. 5G technology will also be able to deliver 4K video, and virtual reality experiences.

What to Consider Before Moving to the Cloud

The two most common cloud models are the Office 365 platform and hosting virtual servers.

The Office 365 platform provides organizations the ability to pick and choose individual services or bundle several popular services together. The most common bundles are Office 365 Essentials or Office 365 Business Premium. Both platforms include Hosted Exchange, SharePoint, OneDrive and Skype. The Business Premium bundle includes desktop applications (Word, Excel, PowerPoint etc.). Migrating to Hosted Exchange makes sense for many organizations.

Email has become just as important, or maybe more important, than a phone system. If you have a mail server in your office, you are dependent on physical infrastructure such as power, Internet access and the server. If any of these go down, you have no email. Moving email to the cloud could provide a much more robust and reliable email solution. Before deciding to move email to the cloud, you need to check two things:
1) The email client being used is compatible
  2)Applications that send email and or create appointments are compatible

Moving your file storage to the cloud takes some planning and may be complex, depending on the applications you use. The easiest file storage solution is Microsoft’s Office 365 SharePoint and OneDrive platforms. Other options are to spin up virtual servers in the cloud, but this model requires you to design and plan a network similar to the design and planning done for a premise-based solution, including virtual firewalls, terminal server, domain controller, etc.

Department of Homeland Security (DHS) Data Breach

It is not surprising that with all the security controls in place at Homeland Security, they had a data breach. This was not a cyber attack or an attack by external hackers. The DHS Case Management System (CMS) was the affected system.

The breach was discovered during a criminal investigation of a former employee, and the CMS database was discovered on the former employee’s computer. The database contained personal information on over 240,000 Homeland Security employees, plus information on witnesses and complainants.

DHS does not believe that the theft of the individual data was the target of the breach. The lesson to be learned is organizations need to know and control where their data resides. This is a huge challenge for most small organizations, and obviously for our government. If it wasn’t for the criminal investigation against this individual, they would have never known they lost control of their data.

What is a Data Breach?

The term breach has different legal definitions based on state law. There are states that have breach notification laws and Ohio is one of them.

The Ohio Revised Code (ORC) 13449.19 “Private Disclosure of Security Breach of Computerized Personal Information Data” defines what a breach is, and what must be done in Ohio if a breach occurs.

It is important to understand that if you are doing business in other states, you must understand each state’s laws and comply with them. It gets even trickier if you have information for individuals in foreign countries.

From the ORC: "Breach of the security of the system” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.

It is interesting to note that it specifies computerized data and does not include paper records. Other things that need to be clearly understood are industry or regulatory requirements that you must meet. If you are in the medical industry, you need to be compliant with HIPAA, banking (GLBA), Finance (FINRA), Energy or Power Generation (NERC) and the list goes on.

Are You Following Us?

Did you know that you can find Quaneuxs on Facebook, Twitter, LinkedIn and even Instagram? We share blog posts, useful articles and pose questions to our followers, we also like to share pictures from time to time to give you a glimpse into what is going on in our office.

If you haven’t already subscribed to our email list, you will want to do that too. We regularly send out tech news and cybersecurity alerts, plus information on upcoming events, such as our February Lunch-n-learn.

Visit Quanexus.com to sign up and follow us.

For a fixed monthly fee, we are revolutionizing the IT industry with our Q-Works program. Quanexus' complete "managed services" package means that you will see increased performance, security, and reliability immediately, at an affordable price.

Your business success depends on your IT infrastructure. You need Quanexus to deliver proactive services that not only keep your network up and running, but running effectively and efficiently.

If you have any suggestions or topics you would like to see covered, please contact us with an email at: This email address is being protected from spambots. You need JavaScript enabled to view it. or give us a call at 937-885-7272.
We would love to hear from you.

Quanexus, Inc. | 571 Congress Park Drive | Dayton, OH  45459

Facebook Join My List Logo

Quanexus | 937.885.7272 | This email address is being protected from spambots. You need JavaScript enabled to view it. | www.Quanexus.com

Return on Investment... It Pays To Belong

When a business invests in the Xenia Area Chamber, it forms a partnership with over 400 other investors that leverage time, money, and other assets to create stronger individual businesses and a stronger community.