IT Services

Direct iT is a full-service information technology provider.

We offer services to a number of different business segments:

Small Businesses Without Inhouse IT

  • Complete Managed IT Services - your own IT department at a fraction of the cost.
  • On-call desktop support - knowledgeable help in minutes
  • Same day on-site services - from our top-notch engineers
  • Ongoing maintenance - catch problems before they happen
  • Long term planning - consultants you can trust

Small Businesses With Inhouse IT

  • Project Implementation - Leverage our expertise and our investments in product testing by letting Direct iT handle your next server implementation, network upgrade, or firewall project
  • Regular Maintenance - Let our maintenance experts check your logfiles, apply updates, and monitor hardware
  • Desktop Support - Free up your IT staff for more important projects by having Direct iT handle front-line support

Midsize and Enterprise Services

  • Projects and Consulting - cloud migrations, virtualization, WAN, backup systems - let our team handle your project over a weekend to minimize downtime.
  • Compliance Services - if you don't have time to study and manage your regulatory compliance challenges, let our compliance team lead you in the right direction.
  • Supplemental Support - reduce costs and IT staffing levels by outsourcing inhouse support services to a team you can trust.
  • Branch Office Support - free up your IT staff from having to manage branch offices.

IT Services Blog

Direct iT at the DefCon 25 Security Conference

Direct iT at the DefCon 25 Security Conference 

Hackers and security researchers from all over the world descended on Caesar’s Palace in Las Vegas last weekend for the DefCon 25 security conference.  Direct iT’s security and compliance team was onsite to hear about the state of the art in network security, and hear from antivirus vendors, chip designers, penetration testers, as well as representatives from the FTC, the Department of Defense, the Navy, and many major security product companies.  There were a lot of hot topics under discussion about the role of security research in a world where hacking has been increasingly influential.
A few of the hottest hacking topics included:
  • Microsoft’s WannaCry bug and related exploits –  Egyptian security researcher Saif El-Sherei demonstrated techniques for analyzing and reverse-engineering Microsoft patches to identify undisclosed security holes that those patches were addressing, and showed how he used this technique to also identify a new related undisclosed security hole.
  • Hardware-level security problems – a lot of new research was presented about the security implications of hardware bugs, including the SandSifter — a program for detecting and analyzing undocumented, hidden, or buggy instructions in x86 CPUs ( which was used to find bugs in Microsoft Azure virtual machines and in virtually all common CPUs).  This is a growing field within security research, based on the idea that no matter how secure our software is, that software has to run on hardware and if that hardware is not also secure we will still get hacked.   Other research was presented about how simple it is to produce counterfeit or backdoored hardware ( including relatively simple methods for implanting a hidden transmitter inside RSA 2-factor tokens, inside computer mice, and even for making counterfeit versions of special USB password-storing keys).
  • Cloud, SaaS, and hypervisor security –  there was a lot of focus on a new set of advanced tools for detecting and mitigating breaches that Microsoft is going to be giving free with Enterprise versions
  • Counterfeit and backdoored hardware hacks – there was a lot of discussion about how governments around the world place backdoors in computer and networking hardware, as well as how individuals also can exploit hardware.  One group of researchers presented a method for doing secure computation on insecure hardware.
  • IoT hacking – the takeaway from the IoT security part of the conference was not that hackers using advanced techniques could break into a few IoT devices — more that virtually all IoT devices are designed so insecurely that very standard, well-known security exploits are often all it takes to break into these devices.
  • Car hacking  – similar to the IoT findings, several groups presented research about car-related security hacks and also brought a few modern cars to the conference for hackers to analyze on-site.  What the research revealed was that car manufacturers are using out-of-date components to begin with and not doing any significant security hardening of car systems — for instance, modern Nissan and Infiniti cars were found to use a 10-year-old cellular chip that was used in the original iPhone, which has a number of well-known security exploits that can be used against the cars.  Similarly, radio researchers analyzed signals from Jeep wireless keys and found that anyone recording the radio signal from a Jeep key can easily clone that key.
  • Voting machine hacking – hackers at the conference took apart and analyzed several different types of common voting machine, quickly finding that many were based on Windows XP and were vulnerable to a number of common security exploits, including one that could be exploited over wireless.  In fact, it took less than an hour for them to break into one of the voting machines. 

Direct iT Meets White House Cybersecurity Coordinator

DIT CEO David Javaheri with Rob Joyce

Special Assistant to the President and White House Cybersecurity Coordinator Rob Joyce visited the Foley Hoag offices in Boston on 5/22/17. Joyce was in Massachusetts to speak about the President’s May 11 Executive Order on Cybersecurity and how IT and security companies can collaborate.

Federal Government Focusing on Cybersecurity

The meeting focused on a number of new initiatives including:
  1. CyberMA: Part of CyberUSA, CyberMA is a new threat sharing platform that allows security companies to securely share information about new threats with each other in order to collaborate (like the cyber-criminals do)
  2. Education: There was also a lot of focus on introducing cybersecurity as a career choice at all educational levels.
  3. Executive Order: Joyce explained the three primary points of the May 11 executive order — (1) securing the federal government, (2) securing corporate systems that are vital to our infrastructure, and (3) securing the global internet.   He also hinted that the President’s new office of innovation could potentially offer more resources for security in the future.

Massive Stolen Password Lists From LinkedIn and MySpace Put Over 500 Million Passwords in Hackers’ Clutches

Massive Password Lists Stolen and Shared

In the past few weeks, there has been a massive uptick in cyber attacks involving the use of stolen passwords to gain access to corporate email and other IT systems.  This increase can be traced to two recent events from May.  First, a hacker sold a list of 167 million LinkedIn account credentials (many including email addresses, usernames, and passwords) on the dark web.  Then, a few weeks later, the same hacker sold a bigger list containing 427 million MySpace usernames and passwords.  Very soon, both of these lists had been re-sold, copied, and shared around with hacker groups around the world.

Why These Password Thefts Matter   vicepwds

Now, most of us aren’t particularly worried about hackers getting into our LinkedIn or Myspace accounts as nothing critically important is kept there. However, the real impact of these breaches is due to the fact that millions of people re-use the same usernames and passwords for everything, and therefore this same list of usernames and passwords can be used to login to many corporate e-mail, IT, online banking, and other vital accounts.

What You Can Do About It

1. Make sure you never re-use old passwords

2. Periodically review and change all important passwords on your network

3. Use strong passwords

4. If you ever used a password on LinkedIn or Myspace or any other breached site, make extra sure that you have not reused that password for anything else.

 

Sources:

https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password

http://motherboard.vice.com/read/427-million-myspace-passwords-emails-data-breach

Microsoft Sues Justice Department Over Spying

lawsuitbuttonOn April 14th, Microsoft filed a lawsuit against the Justice Department in the Federal District Court in Seattle.  The lawsuit alleges that federal law enforcement agencies have used an unconstitutional interpretation of the Electronic Communications Privacy Act of 1986 in order to access to thousands of Microsoft customers’ data that is stored in the cloud (primarily email such as Office 365 and Hotmail).  Microsoft claims that because this spying is so widespread, and because many of the orders also demand that the spying be kept secret, and have no end date (either for the spying or the secrecy), this violates the Fourth Amendment right to protection from unlawful search and seizures. Microsoft also claims that their First Amendment right to inform customers they are being spied on is also being violated.

“From September 2014 to March 2016, Microsoft received 5,624 federal demands in the United States for customer information or data. Nearly half — 2,576 — were accompanied by secrecy orders.”

Often, gag orders prevent companies from reporting government spying on their customers.  However, some companies use what is referred to as a “warrant canary” — which is a statement somewhere on their website/service that they have never been subject to any warrants/spying.  The idea is that when the government begins spying, the company can remove the canary notice from their site, so that users can realize the notice is gone and become aware that spying may have occurred, without the company specifically notifying the users in violation of the gag order. You can read more about warrant canaries at https://canarywatch.org/  

You can also read the coverage in the New York Times at  http://www.nytimes.com/2016/04/15/technology/microsoft-sues-us-over-orders-barring-it-from-revealing-surveillance.html?_r=0

 

Hackers Impersonating CEOs In Wire Fraud Attempts

email-encryption

Local businesses are being targeted by a new category of phishing attacks, called BEC (Business Email Compromise) or CEO scams.  According to the FBI, the total losses from BEC scams is over 1.2 billion dollars.  BEC scammers impersonate CEOs by sending emails to business associates (such as attorneys, accountants, partners, assistants, etc) asking them to authorize a wire transfer. There are a few things that are different about these BEC scams compared to e-mail fraud we are used to:

  • The request for a wire transfer is usually very specific and well-written — customized for the particular target
  • Details about the targeted business and its employees from LinkedIn, Facebook, and other public websites are integrated into the email to make it seem more legitimate
  • Sometimes fake domain names are registered that are very very similar to real domain names as part of the scam, so that the attacker can send and receive email pretending to be someone else.  For instance, if your real business domain name was abccompany.com, the hackers might actually register abcccompany.com so they could send and receive messages that look extremely similar to your real email address
  • Sometimes the hackers also might try to find publicly-posted emails from you or trick someone at your firm into sending an email so they can see what your standard signature / style of email is, so that the fake email they craft can have your real salutations and signatures.
  • In some cases they may use stolen passwords to actually gain access to an email account if possible

 

According to the FBI’s Internet Crime Complaint Center statistics, the average loss from successful BEC scams is around $100,000.  There are a few things you can do to protect your business:

 

  • Training, training, training.  The #1 most important step for security is to make sure your employees understand the risks and take them seriously.
  • Make sure your accountants and associates know to not authorize any wire transactions based only on e-mail
  • Use strong passwords and never re-use your corporate password for other sites
  • Remember never to click on unfamiliar or suspicious links or attachments in email

 


Call Direct iT Today!

781-996-4918

One of our IT specialists is waiting to talk to you.

Sign up for a Free Network Audit

LIMITED TIME ONLY
For no charge, Direct iT will have one of our engineers audit your servers and network infrastructure.

Name (required)

Email (required)

Phone

About Direct iT

Direct iT, Inc. is a New England based IT services firm offering products and services for small businesses in Greater Boston, New Hampshire, Rhode Island, and the rest of New England. Cloud, compliance, and document management services are also available worldwide. Many of our customers are along the Route 128 technology corridor.

Direct iT, Inc. Main Offices

39 Emerson Rd. Suite 215
Waltham, MA 02451
Sales: 781-890-4400
Support 781-890-1907
sales@directitcorp.com