Home

ESET, the security and antivirus software provider, has released a short security Ebook entitled 'Social engineering handbook'. Its worth keeping up to date on this information even if it isn't new to you. It good to refresh your thinking on the topic. Security should be a perpetual focus.

Staff/User education is an important part of security also (...and they love it)

Get it here: https://digitalwelcomemat.com/files/ESET_Social_engineering_handbook_v6.pdf
 

BitLocker data encryption may be happening without your knowledge, that means that your automaticity getting extra security from Microsoft without any effort required on your part, but also a caution...

When you add an outlook.com home user account to a new Windows PC as part of the initialisation (as Microsoft now requires) Microsoft can/will/may auto-encrypt the hard drive with windows BitLocker. It does this without asking or telling you. It associates the long encryption key with your Microsoft account (normally a hotmail.com or outlook.com account) and stores the encryption key under your account on the web.
The reason that they do this is to make your PC more secure so if the hard drive is removed from the PC or laptop it can't be just plugged into another PC and have data read. While this is good in theory, forcing data encryption on unwitting home or small business users without asking or telling them I don't feel is a good policy. In an enterprise IT environment significant planning and testing would be implemented before even considering(!) encrypting the data. Having data is no use whatsoever if you can't access it.
There are a few things that can go wrong, under certain circumstances you PC may prompt for the key before stating Windows and if you don't have it your never (never ever, EVER) getting your 30 years worth of data back. Here are some examples:

• Sometimes Microsoft just doesn't store the key (yes, I have seen it!)
• A random Microsoft account may be used to setup the PC (for example a service providers account) then a local or domain accounts may be use from that point onward, in 5 years' time you may not know which Microsoft account was used or have access to it to find the key.
• What if you get hacked and locked out of your Microsoft account?

So what should you do? That's difficult, I'm not going to 'recommend' that you deliberately use 'less security' than you could but here are some thoughts.

• At least now you know, you've been warned
• Consider going on to https://account.microsoft.com/ and printing out your BitLocker key and putting it in a safe place
• BACKUP ALL YOUR DATA periodically to an independent medium or location

A PC that just sits in a factory, contains no data and/or just connects to a remote desktop session does NOT need BitLocker turned on its an unnecessary overhead.

Email scam, don't click...

I have encountered an unusual and concerning Office 365 antispam issue today. A customers emails with PDF attachments to an Office 365 mailbox have been 'silently' blocked (quarantined) by O365 because they had a PDF that contained a big pond (Telstra) email address in the footer. After a [long] period of investigation removing the big pond email address resolved the issue. The reason that was given by Office 365 was "Detection technologies: URL detonation reputation".

My biggest concern with this is that MS was 'quarantining' the email which means they weren't letting the recipient know that there was an email and wasn't letting the sender know that it wasn't being delivered. To me this breaks the fundamental rules of how email is meant to work. Either it should be delivered, or you should get an error message bounce back. This issue only occurred in the last week, the customer has been sending the same PDF for more than a year.

I will take this up with Microsoft and see what they say. My concern is how many other users have been sending PDF documents or quotes out to customers that contain emails or links that have them silently not delivered.

Note this finding is based on all the evidence I have been able to gather to-date.

Don't plug a heater or other high current draw appliances into a UPS:

With winter upon us I wanted to remind you not to plug a heater or other high current draw appliances into a UPS (uninterruptable power supply). A UPS is a 'box' that contains a battery and some electronics to allow for a limited amount of 'runtime' for your computer if the power goes off. They have the ability to deliver only a relatively small amount of current (stated in its VA/Watt rating) anything beyond that will overload the UPS, shut everything off and possibly cause damage.

Examples of equipment that should *NOT* be plugged into a UPS

• Laser printers
• Heaters
• Air conditioners
• Photo copiers
• Paper shredders
• Vacuum cleaners
• Kettles/jugs, anything that cooks or heats food
• Hair driers, curling irons

The only things that should generally be plugged into the UPS are computers, networking equipment (switches routers etc) another other small sensitive electronic equipment such as EFTPOS terminals and similar.

Plug your 'high current draw' devices direct into a power-point/wall socket, some experts suggest these should not even be plugged into a power board either for fire safety reasons.

If your using Microsoft Outlook, (i.e. the ~$250 value product that comes with Microsoft office) and you get an option to 'Try the new Outlook' I strongly suggest you don't do that, if you do you you will possibly lose a LOT of functionality and go from the business grade $250 value product to essentially the free web based version that everyone with a Hotmail or outlook.com email account gets for free. A lot of features will disappear including Outlook add-in utility's and any secondary emails you may have setup. 

You can see more detail here on this email from a Microsoft outlook add-in developer.

A number of people have reported receiving a "review document" email.

This email looks like a scam from my perspective and several organisations are reporting that this is the case. (Example https://us.norton.com/blog/online-scams/docusign-phishing-scams)

Don't click on the links in this email, just delete it

Microsoft Office 2013 has moved out of being officially supported this month. That means no more security updates and eventually, Outlook will stop working with office 365 at some point (no indication of when that will be). 

If your still running Office 2013 (or older) you need to make a plan to move to a supported version for security sake at least.

Office 2016 is no longer supported after October 2025

People who know about these things are getting a bit worried about the LastPass data breach. If you use LastPass you need to evaluate what action to take.

Late last year a hacker broke into LastPass and stole their entire data vault, that included all your logons and passwords if you use LastPass (or even have an old account that you don't use anymore).

LastPass say that they, and consequently the hackers, don't have access to your logon data because its encrypted and protected by the master password that only you know. They have advised that it would take 'millions of years' to crack open the vaults and get access to your data.

However, as time has gone on, we have been hearing that there are caveats to this and it depends on the length of the master password and some of the default settings that you had setup in LastPass, some of those settings have changed their defaults over time so If you have an older account, you may have less protection. The end result of that is that some online security sites are saying in reference to the 'millions of years' claim that in actuality "it may be a lot less than that!"

Advice is extremely varied about what to do, here are some examples:

• LastPass are saying 'millions of years' to crack open, assuming you have a 12 digit complex password, your PBKDF2 iterations is set to 100,100 or more and [OBVIOUSLY] you never reuse your master password on other websites
• Almost all are saying change the LastPass master vault password
• Some are saying change all your passwords for any accounts that are stored in LastPass and change the LastPass master vault password
• Some are saying dump LastPass altogether and move to another password manager, plus changing all your passwords as above

Whatever action you decide on, do it soon as the clock is ticking if the hackers are trying to brute force crack the data. Some sites are reporting that LastPass have been very coy about the details including when the data was even stolen and as such how long the hackers may have been working on the data, and some say that general communication about the whole event has been poor which brings about a loss of confidence in the service.

The LastPass notice:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Some other sites information:
https://www.wired.com/story/lastpass-breach-vaults-password-managers/

https://www.bostonglobe.com/2023/01/09/business/lastpass-security-breach-was-worse-than-youve-heard-heres-what-do/

https://blog.1password.com/not-in-a-million-years/

Finally, almost all security experts still recommend a password manager for managing your passwords. The general consensus is that having strong complex passwords for all your sites and services that you don't have to remember, all stored within a very secure service, protected by a single unique, strong password still provides the best protection compared to the alternatives.

This blog post has been provided for the benefit of digitalwelcomemat IT customers. Treat this information as informative only and do not take actions or make decisions on the basis of the information contained here. All IT decisions and actions should be made after consultation with your chosen IT professional taking into account all the of the relevant factors.

Digitalwelcomemat will be on Christmas break starting this afternoon. I will be on leave from 22/12/22 - 08/01/23 inclusive then working part time for the week of 09/01 - 13/01. 

I will be checking email during this period for any urgent issues.

Thank you to all my customers for 2022 and I look forward to being able to support you in 2023, I hope you have a good break and a Merry Christmas.

This is a typical example of a phishing email. If you click on the link the bad guys will harvest your username and password and start using them to access you email inbox, send emails or worse.

This is a 'obvious' fake email, but people keep getting caught out so I will keep reminding you. Admin and management staff, consider sending this information on so your staff can be reminded.

Multi factor authentication on your Microsoft account will mitigate the impact of being fooled into clicking this. Talk to me if you want this turned on.

Some users are reporting a persistent password popup in their mail application this morning, this is due to Microsoft changing the Microsoft/Office 365 authentication method and requiring 'modern authentication' by default.

If you are using Outlook 2013 this can easily be solved by changing\adding a Registry setting in Windows which is normal and 'IT support level' change:

(more details here https://learn.microsoft.com/en-gb/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016?view=o365-worldwide)

This can also be easily pushed out by 'group policy' if you have a Windows domain.

If you're seeing this in another mail app for example on your phone this will require further investigation and planning.

Here is some further reading on the subject:
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437​

ACSC (Australian [Government] cyber security centre) are recommending that all business purchase their equivalent domain name to prevent "...to help protect your business from opportunistic cybercriminals" before 20 September 2022.

To help protect your business from opportunistic cybercriminals, the Australian Cyber Security Centre (ACSC) recommends that all Australian businesses with existing domain names register their .au equivalents before 20 September 2022. If a business does not reserve their .au equivalent direct domain name during this six-month period, that name will become available to the public on a first come, first served basis. 

https://www.cyber.gov.au/acsc/view-all-content/alerts/new-domain-name-changes-could-leave-your-business-or-organisation-risk

Digital pacific is reporting that the pre-order process for new .au domains now open now go here: https://digitalpacificdomains.com.au for details.

If you have reallylongdomainname.com.au this may be your opportunity to purchase imshort.au instead or to secure your business identity and reputation by purchasing mydomainname.au as well as your existing mydomainname.com.au (before your competitors do) I don't know what the allocation process is but I strongly suggest you act quickly if your interested.

I advised last week that there were problems with the 21H2 Windows update from Microsoft. Microsoft has reported that the 'MSI install issue' is resolved now with another patch. As far as the Intel sound card driver conflict goes this is a Windows 11 only issue so Windows 10 users can allow updates to naturally instal now as usual. If you put a 7 day pause on your windows updates they will automatically begin again in a few days.

For Windows 11 users MS has setup a compatibility block so the offending upgrade shouldn't auto install however they say 'We recommend that you do not attempt to manually upgrade using the Update now button or the Media Creation Tool until this issue has been resolved and the safeguard removed.

Here is the link if your running Windows 11 and want to track this issue:
https://docs.microsoft.com/en-au/windows/release-health/status-windows-11-21h2#2746msgdesc

For those customers where I manage Windows updates via Windows Update services, I have now release the 21H2 update for Windows 10 as it resolves a number of vulnerabilities.

Just a reminder about allowing Windows updates to install, I strongly recommend logging off each evening and restarting your computer once a week. This allows a few things to happen which should enhance your computing experience as well as allow for better security. I also recommend leaving your computer on overnight at least once per week to allow installs to complete (that is if you don't leave it on all the time anyway)

Some of the befits of logging off and restarting:

• It allows windows updates to auto-occur when they are needed, at least on a 24 hour basis.
• Logging off closes all your programs/applications which releases all the memory back to windows to be 'cleaned-up' and reused, it closes all open programs and resolves any transient 'weirdness' that may be happing. 
• Restarting does the same as logging off but it also does same for system processes and Windows services
• If you have roaming user profiles setup in your organisation data is only saved back to the servers when you log off, if you have a power outage before that time data may be lost.
• It forces you to clean-up, save your documents and close off the clutter. It could be just me but I can't see how having 15 word documents open at the same time for a month helps with productivity! (but perhaps that's just me:-/ )
  

 A number of users are reporting and issue when saving-as from within Adobe acrobat reader. When trying the save, instead of a dialogue box allowing you to choose the save location all you see is a blank dialogue box form/screen.

Click here for the workaround

Every now and then someone asks me about a backup strategy for home, this is my current recommendation. I suggest you investigate what's suitable for your own environment before making decisions.

Macrium reflect free: Full *system* backup, install and run this periodically even if only once when you get a new PC and its fully setup. This allows you to go back to a working state if you get virused or you have a hard drive failure or a bad windows update.

https://www.macrium.com/reflectfree
Cost $free

Notes:
Make sure you make a "rescue disk" on a USB thumb drive when you install the software

• You will need a backup drive to store the backup such as this (cost ~$80): https://www.officeworks.com.au/shop/officeworks/p/wd-elements-se-2tb-usb3-0-portable-hard-drive-wdel2000se. Don't buy Seagate I have had so many of those fail its just not worth it
• Note this is not intended for a "data" backup in this context just for restoring windows and saving yourself hundreds of dollars of IT labour if this is necessary

Backblaze: Continuous backup of all^ *data* files to the internet for off-site cloud/internet storage. Unlimited storage

https://www.backblaze.com/cloud-backup.html
Cost US$70 per year

Notes:

• May not be suitable if you don't have good internet
• May not be suitable if you don't have unlimited internet
• Doesn't keep "versions" (at the base cost)
• Backups files only stored for 30 days after deletion
• ^Check that it *IS* including that weird folder location that your [insert weird software product name here] is using

• Hint: Make an automated copy of all your data to one "always-on" PC in the house and you can back up an unlimited number of PC's

Remember all PC's will fail eventually, there is a good chance that you will eventually lose all your data if you don't have some strategy in place.

EXTRA NOTE:
saving all your data on an external hard drive is NOT a backup. That's just data on an external drive, which is arguably more susceptible to failing that your actual PC. A backup is a second copy of your data.

A example spam/phishing message, obviously don't click on these:

From Wikipedia, the free encyclopedia
Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and transverse any additional security boundaries with the victim.[1] As of 2020, phishing is by far the most common attack performed by cyber-criminals, with the FBI's Internet Crime Complaint Centre recording over twice as many incidents of phishing than any other type of computer crime.[2]

Recommended answers to the "stay signed in to all your apps" question for Office 365:

When you connect to or interact with Microsoft office 365 in some way using your PC or laptop, such as when you setup your mail in Outlook, you will often get the popup below asking you if you want to "remember your account". While this may seem like a reasonable idea, unless you explicitly know what this is will do and want that to happen I strongly suggest you chose "no, sign in to this app only".

This will avoid some potentially undesirable consequences such as "binding" your PC to your organisations Azure active directly security for administration, setting up for you files *not* to be saved to your PC or network share by default, but instead being saved to your organisations online "SharePoint" server. If this happens by accident these and some other consequences will need to be reversed, sorted out, and things put back where they belong.

This is also why I also recommend that all PC's are initially installed as standalone PC's with a local administrator account.

If you're a digitalwelcomemat customer, your organisations centralised security and file store won't be Microsoft Azure or SharePoint so there is no advantage to using this Microsoft "feature".