I received an interesting email earlier this week that was almost consigned to digital oblivion when it showed up in my inbox. Throwing it in the trash was reflexive and it was only after my subconscious had a few minutes to chew on it that it occurred to me why it was different: it was in my inbox, not my spam folder. Even though I very clearly knew it was fake, Gmail’s usually reliable filtering had failed to detect anything wrong with the email. Not one to pass up an opportunity to teach vigilance, I’m sharing this little “gem” as a bite-sized lesson in spotting fake emails.

Here’s the culprit:

• Clue #1: I do have an digital fax account, but I can count on one hand the number of digital faxes I have received ever. I also didn’t recognize the area code, which a quick Google search reveals to be a Mexican area code. Seeing as receiving a fax is out of the ordinary, I knew this was probably fake, but I did look at it because it was in my inbox. Lesson: Anything out of the ordinary should be treated with a large helping of caution.
• Clue #2a: The use of “eFax®” to refer to digital faxes is like the corrupted use of “Xerox®” and “Kleenex®”. Officially, I’m pretty sure that eFax® isn’t using “omnesys[.]com” as a mail server, and if it was instead that company sending me a fax, a quick search reveals they are in New York, not Mexico. The footer of the email implies this is an official eFax® email, so why isn’t this email from “eFax[.]com”? Here’s where it gets interesting: Google didn’t flag this email as spam because it looks like it was actually sent by Omnesys’s authorized email server “secureserver[.]net” which happens to be a GoDaddy email server. Which means someone’s email account has been compromised. Lesson: Based upon the content of the email, does who sent the email make sense? Even the slightest inconsistency should be a red flag.
• Clue #2b: The fax was sent to info@. My digital fax account is not linked to that email address. Info@ is our website catch-all account, so anything sent to it is already held at arms length it not immediately marked as spam. Lesson: Look carefully at who the email was sent to, especially if you consolidate your email from multiple addresses.
• Clue #3: Rolling over (NOT CLICKING) the link shows me that the “fax” they want me to view goes to “1camper1tree[.]com”. I’m pretty sure that’s not a digital fax service website. Conclusion: totally fake email. Lesson: Checking the URL before clicking will save you from a world of heartache. Learn how to check URLs in whatever program you use to view your email. This is a critical skill you must learn if you want to be safe.

What’s likely to happen in the above situation if you clicked that link is the page you would be taken to would have a very legitimate-looking login prompt asking your email address and password. Entering of such would result in (a) those credentials being stolen and (b) a blank page or possibly a redirect to another website which will then attempt to install malware on your machine.

As I find more of these types of emails that readily illustrate other “tells” I’ll be sure to share them with you in future blog entries.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

In 2003, a man named Bill Burr wrote the password guidelines for the National Institute for Science and Technology (NIST) that went on to shape the password standards that have permeated the world of technology in the intervening 14 years, much to everyone’s continued annoyance. At the time, his heart and mind were in the right place: forcing us to use complex passwords and frequently change them was actually effective at the time they were initially drafted, but as humans often do, we shaped our practices and habits to adhere to the letter of the guidelines while taking the path of least resistance to reduce the hassle. This has led to passwords that appear complex and secure but are in actuality predictable because humans are nothing if not predictable. This makes them trivial to crack, especially in light of the massive data breaches and cheap, powerful computers. Thankfully, the industry seems to be slowly coming to its senses on traditional password guidelines and the NIST has just recently introduced a new set of guidelines that will hopefully make passwords less painful.

What this means for you

I know some of you might be feeling like this was all a cruel prank perpetrated by IT to torture you while we cackled like evil scientists. In reality, because of these mis-guided guidelines, “password reset” requests have been and continue to be the #1 help desk ticket by a landslide, so perhaps you’ll believe me when I say that your local IT professional definitely does NOT like the current state of passwords any more than you do. Our initial sense of relief and confidence when these guidelines were adopted evolved into a few years of complacency, and then slowly slid into an increasing sense of horror and helplessness as hardware grew powerful enough to completely dismantle passwords created and enforced by established guidelines we finally got everyone to adopt.

The new guidelines reverse rules that will hopefully make passwords easier for everyone (except the hackers, hopefully), but don’t pop the cork on that champagne just yet. It’s going to take the industry some time to shed the old ways. Yes, even the technology industry can be slow to change too! That said, here’s what you can look forward to based upon the new NIST password guidelines:

• No more frequent password changes. Research has shown that forcing people to change complex passwords wasn’t improving security. If anything the password was only incrementally changed, and that change was too predictable to result in any significant security gain. The new rules suggest only requiring a change if a security incident has occurred.
• The burden of password security should be on the service requiring a password. Instead of relying on the user to make sure their password is complex via seemingly arbitrary and complex rules, let them create longer, less-complex passwords and check their creations against a database of known or poor choices.
• Require longer but not necessarily more complex passwords. Simple phrases (checked against a central database of known or too easy to guess passwords) of sufficient length aren’t harder to memorize but become exponentially harder to crack as compared to shorter but more complex passwords. See xkcd’s (internet) famous explanation of this concept.
• No more password hints and secret questions. These practices were only crutches that propped up the complex password practice. Hints invariably were either too vague or too much information, and Google, for better or worse, has made knowledge-based authentication like “Mother’s maiden name” useless.
• Organizations and services will store passwords with stronger, more complex methods. The massive password breaches of previous years were only useful to hackers because they were stored in weakly protected databases. The NIST guidelines spell out methods and standards that will make stolen passwords much, much harder to decrypt.

Until your services shed their old password rules, you may still be forced through some seemingly passé password hoops. Keep in mind that even “old-school” passwords are better than none, and complex passwords are better than short, commonly-used ones. Until your providers get on board, start making a secret list of nonsense phrases to prepare for the password revolution.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

When Microsoft announced that Windows 10 would be available as a free upgrade to Windows 7 and 8 computers, millions of people took them up on the offer (some involuntarily). The upgrade was meant to jump start adoption of the new OS, and was intended to provide a way for older PCs to take advantage of a more powerful, versatile and secure operating system without having to go through a major hardware investment to do so. As many found out, the upgrade process wasn’t always the smoothest, but once your computer and you finally arrived on the proper side of Windows 10, the new OS actually performed surprisingly well on older hardware, something that couldn’t be said of previous Windows upgrades.

Unfortunately, older PCs are already being abandoned by Microsoft’s forced updates

Flash forward to present day, after the gamut of upgrade experiences, and after the most troublesome upgrades have turned the corner as productive computers, many users are finding that Microsoft’s forced updates are no longer available for certain hardware configurations or even rendering parts of their computers unusable.

As always, the fine print is where we “get got”:  When the free Windows 10 upgrade was first announced we were told that Windows would be kept up to date “for the supported lifetime of the device at no additional charge.” Just prior to the actual Windows 10 launch date, Microsoft clarified this stance with the following:

A device may not be able to receive updates if the device hardware is incompatible, lacking current drivers, or otherwise outside of the Original Equipment Manufacturer’s (“OEM”) support period. (emphasis mine)

What most people still fail to realize that on top of the Windows operating system being updated by Microsoft, there are typically a whole host of drivers that your computer manufacturer provides for the various bits of hardware that comprise your particular computer model. In the past, the manufacturer would launch a particular model line as “certified” for a particular version of Windows, allowing them to also build and maintain a set of hardware drivers that were designed for a specific OS. As Microsoft marches forward, the hardware manufacturers are forced with the choice of spending resources to patch (or even rewrite) drivers to keep up with Windows on their older hardware, or focus those resources on putting out new drivers on new hardware. It shouldn’t take much thought to see why both Microsoft and your PC’s manufacturer are leaving your old PC behind.

Sadly, you are now forced to make a choice. Roll-back (if you can, and some of my clients can’t) the update that killed your PC, and then figure out how to avoid the forced updates pushed out by Microsoft (inadvisable in the long run due to security risks), or cough-up for a new Windows 10 PC. While the first choice may save you some money in the short-run, you will eventually have to succumb to Microsoft’s update cadence, and unless your PC’s manufacturer takes the unlikely approach to releasing working drivers for your old hardware, it will be time to go computer shopping once again.

Normally I try to keep to pure technology news on this blog, but I believe this issue is important, probably more so than many of my clients realize. Net Neutrality is a simple issue made complex by sophisticated marketing, partisan politics and the fact that both sides have reasonable points. What’s currently at stake is this: the FCC, after previously passing rules in 2015 to “prohibit Internet providers from blocking, throttling, and paid prioritization—”fast lanes” for sites that pay, and slow lanes for everyone else,” is now seeking to repeal those rules due to a dramatic shift in FCC leadership. Predictably, money supporting the repeal of these rules is coming from ISPs, and they are spending a lot of money to lobby for Net Neutrality to NOT be protected.

Fortunately for consumers, many of the internet companies we use everyday (Spotify, Netflix, Amazon, Dropbox to name a few)  continue to fight for your right to unfiltered, unthrottled internet. July 12th has been named as a the “Day of Action” in support of Net Neutrality, and you may see sites all over the internet (like this one) sporting banners and images indicating that support. What are they asking you to do? Primarily, they are asking you to demonstrate your support by writing or calling your local congress-critter to let them know you are in favor of Net Neutrality and that FCC should reconsider their plans to repeal the rules that were established in 2015.

I believe it’s important for you to be aware of what’s at stake. The internet is an indispensable part of our lives both personally, professionally and politically whether we like it or not, so issues that affect your access and use of it should not be taken for granted. Please take a moment to familiarize yourself with Net Neutrality if only to understand what’s happening on the internet on July 12.

For those of us living in wildfire country, celebrating the 4th of July with any sort of pyrotechnics was typically accompanied with a constant refrain of keeping the holiday “safe and sane.” Seeing as I can’t legally or safely join you in feting our nation’s birth by blowing stuff up, I’ll instead share some tips on keeping your computer from joining the festivities with its own version of “bombs bursting in air”.

Computers don’t normally catch fire, do they?

Aside from the usual digital measures you should be taking to protect against virtual bombs blowing up your data, there are some practices you should follow to make sure your actual technology doesn’t go up in smoke:

1. Desktop computers should be blown out with canned air at least once a year, and if you happen to be in a dusty office or one with furry/hairy pets nearby, at least twice a year. You should take the device outside before blowing it out, and pay close attention to the fans and vents. Vacuums are OK to use as long as you are grounded properly, otherwise its possible to create enough static electricity to damage older computer components. Laptops can be blown out with canned air as well – just puff the air into any exposed vents and keep your face away from the device while doing so or you might get a snoot full of dust.
2. When using a laptop on anything other than a hard, flat surface make sure it has enough area around the vents on the sides and bottom to properly cool itself. If you are using it on your lap, make sure it isn’t surrounded by your clothes or other things you are using to keep it off your lap (like a jacket or pillow). Newer laptops can shut themselves down when they get too hot, but repeatedly overheating your device in this manner will considerably shorten its useful life.
3. Batteries can melt, burst and even explode with enough heat and force to seriously injure someone. If you notice your device is getting too hot while plugged in, unplug it immediately and discontinue use of the device until it cools down. Have the battery and your AC charger checked if it the battery continues to behave this way.
4. Do not overload an outlet or surge protector with too many devices, especially if your technology is sharing a plug with something like a portable heater that draws a lot of amps. The combined load can blow a circuit breaker if the electrical is wired properly, but not before melting your surge protector and shorting your device’s power supply.
5. Be wary of cheap, off-brand chargers for your portable/mobile devices. If they spark, get too hot, or smell funny when plugged in, stop using them immediately. The same goes for cords. If your cord has exposed wires, burnt casing or has to be twisted “just right” to get it to work, stop using it and replacing it with a new cord.

Older devices will succumb to heat related problems more often than not, especially if they are used constantly. Though there are rare exceptions, most computers have a usable life of 6-8 years, and this period is shortening as we move forward towards present day. Technology today is manufactured to be replaced more frequently than in years past now that prices have dropped to the point where its often cheaper to replace than repair. Keep that in mind when judging whether its time to put that old device out to pasture for good.

After nearly 30 years of working in the industry on the business end of technology failure I can confidently attribute this inevitability to two things: humans and entropy. The first one is obvious – to err is human and the second cause is really more of a cop-out: technology, just like anything, is subject to a certain degree of decay. Sometimes it’s so gradual we don’t notice the slow decline, and occasionally it’s so sudden and random that it feels like a plot twist in a bad spy film. Regardless of the cause, getting it fixed means calling your IT professional. The more prepared you are for the call, the quicker the issue will be resolved. Assuming you’ve tried the things we’ve been training you to do before calling (turning the power on and off, checking your cable connections, etc.), getting prepped prior to the call will help your IT pro get to a resolution that much quicker.

Ten things you can do to get ready for the call

1. Get a picture of the error or problem. Smartphone cameras are helpful with this if you can’t get a screenshot on your computer. Make sure it’s in focus and big enough to read any text on screen, then email or text it to us.
2. Can’t get a picture? Write down the error message. The exact wording on error messages is VERY important.
3. If you can reproduce it (without causing further damage), write down how you got the problem to occur. You can also record a short movie with that omnipresent smartphone.
4. If you can’t reproduce it, write down what you were doing when it occurred. Details are important, so doing this as close to the event as possible will save the later struggle of trying to remember details that might be relevant.
5. Have associated passwords handy. It’s OK if you don’t know the password – just let us know up front.
6. If you’ve done something silly, foolish or dumb, come clean as soon as possible. True IT pros have seen it before and we are paid to be non-judgmental. You might get a lecture afterwards, but we are only trying to save you from future grief.
7. If you can’t spend time with us to troubleshoot – let us know up front so we can schedule the work accordingly.
8. We know it’s urgent but if you can sit back and really evaluate how urgent, it helps us prioritize your call.
9. If possible, prepare yourself and your computer for our call: save and close unrelated work and applications. If you are likely to be interrupted, let us know up front so we can prep for that possibility.
10. Take a deep breath and smile, even if you are ready to tear your hair out. We are here to help, and we can usually get to a resolution faster when everyone is calm.

This is the follow up to last week’s “Get rid of those old email accounts” blog wherein I presented you two great reasons to thin out your collection of email accounts. Hopefully you’ve thought long and hard about this and have come to the realization that you can, in fact, give up at least one old or unused email account, but there are emails that you want to keep. Given how much drama “old emails” seems to have caused our country in the past months, it’s hard to imagine why anyone would want to keep them around, but we’ll assume (a) you have legitimate reasons, and (b) are not improperly storing classified data. If true, read on.

Why can’t I just leave them where they are?

In most cases, email is stored on a server somewhere on the internet, aka “hosted” email service. When that account is canceled, all data associated with that account is deleted, usually immediately. Sometimes there is a grace period of 30 days where you can recover the account, but don’t count on it, especially if it’s a “free” email account. If the account is located on a mail server that is managed by your (former) organization, this is known as “on premise” email service, and whether your email box is retained or deleted will be determined by that organization’s internal policy. In either case, the objective is to stop that mailbox from receiving email so that your problem isn’t compounding over time, especially since it’s likely all spam and malware, and the only way to do this is to remove that mailbox from the internet.

Most “freemail” providers like Yahoo, Gmail, Hotmail etc. offer a method to “export” your emails, and unless you’ve alredy been maintaining an archive through a program like Microsoft Outlook, this will be the quickest way to grab a full set of all emails. This process will typically provide you with an MBOX file which can then be imported into most major email programs like Outlook or Apple Mail. It’s also possible to use those programs themselves to “export” the email to dedicated archive files, allowing you more granular control over what is kept and what is not. OSX includes Apple Mail as part of its base installation, but if you don’t already own Microsoft Outlook, there are other, free mail clients that may work for you, such as Thunderbird or SeaMonkey, both of which are available for either operating system. Importing old emails into an archive creates an “offline” email box in your program of choice, which as you might have guessed by the name, is only available to that machine.

Another option you can consider is importing that old email into your current mailbox. Only do this if the number of emails you are importing is small and your current mailbox isn’t already too large. “Too large” is not a fixed number, but most email programs struggle when dealing with more than 500K old emails, or email file sizes in excess of 20GB, and that is even on a well-equipped computer with 8GB or more of RAM. Importing old email into your current mailbox will provide you with the ability to search your email from devices other than your computer, but may severely impact performance, so choose carefully.

Archiving email can be a complicated process, and is often fraught with strange issues. If the old emails are important, you may want to consider hiring a professional to ensure your old emails are kept safe and accessible.

Image courtesy of Stuart Miles from FreeDigitalPhotos.net

You know it’s a problem when even a company like Google can’t keep bad apps out of it’s own Play Store. While we’ve seen several instances of lone bad apps sneaking into public release on the official Android app store, this latest batch of malware is surprisingly prodigious and apparently managed to go undetected for almost a month. The majority seemed to have been released as games from a South Korean developer, all of which feature a character named “Judy”. The malware, dubbed the same as the titular character, isn’t actually part of the game (which has its own unavoidable advertising to click through) but is installed after the game is loaded, and is designed to open other advertisements and click them to generate revenue for the advertisers. This particular denizen of hell is known as an ad-clicker, and as you can imagine, having it clicking ads on millions of phones will add up to some serious dollars.

What this means for you

Up until maybe a year ago, my standard advice to all smartphone users has been to restrict your app browsing to the official Google and Apple stores, though Amazon has done a decent job keeping the riff-raff out as well. Most malware infections and hacked phones were typically traced back to “side-loading” apps found on “unofficial” stores, but this latest batch of nastiness was downloaded by millions of people from Google’s own backyard. My most recent addendum to this advice has been to make sure you read the reviews on the app, and to carefully monitor the permissions it requests before installing, as well as to keep an eye on the apps data consumption. Unfortunately, one of the other areas in which Google and Apple are being outplayed is in the review system which is under assault by comment bots and overseas sweatshops designed to pump store ratings on bad or spammy apps that otherwise would be downvoted into oblivion, so this method of determining legitimacy is now much less trustworthy. If you don’t have the technical chops to determine if the permissions requested for an app install are appropriate, make sure you ask an expert. And if you are at all in doubt, maybe a virtual playdate with Judy isn’t something you need on your smartphone right now. There are plenty of completely legitimate, free apps available for install that won’t turn your device into a zombie for the ad-clicking bot swarm, but it will take some vigilance to find the right one.