The previous two blogs have walked through some of the basic structure and background of Microsoft’s complex, cloud-based account platform, and we’ve touched somewhat on the reasons why you might have one or more Microsoft accounts. You will definitely have one if you’ve ever had a Hotmail.com or Outlook.com email address or, less commonly, a Live.com or Passport.com email address. You will also have a Microsoft account if you have or had an Xbox Live gaming subscription, used Skype on a mobile device, or owned a Zune (their personal music player) or the short-lived Windows phone. If you have some form of 365 service, whether it be email services, desktop Office applications, OneDrive, Teams or any combination of those services, you will also have one or more Microsoft accounts that anchor those services.
The compelling argument for the Microsoft account
Marketing opportunities and conspiracy theories aside, there is a compelling and intentional use case for the Microsoft account, one that you might already be “enjoying” with a competing set of devices: Apple’s iCloud. In case you are unfamiliar with Apple’s similarly nebulous cloud-based account platform, the intent, just like Microsoft’s, is for you to have one account that grants access to all your services, settings and data across all devices you own. In today’s implementation Microsoft is definitely chasing Apple’s service in this regard, even though the Microsoft account concept predates iCloud by a number of years. When iCloud evolved into its current iteration in 2011, Windows had already been using roaming profiles since 1993!
Regardless of who was first, the primary reason for using the Microsoft account is to (ostensibly) provide the ultimate portable, roaming profile. In essence, Microsoft (and Apple) would like you to store all your data, settings, passwords, browsing history – everything – in your cloud account, which would allow you to use any compatible device and service, anywhere in the internet-connected world, in conjunction with your account, providing you with a consistent, familiar and convenient digital environment. When done right, both platforms offer a surprising (and sometimes unsettling) experience whereby logging into a brand-new device almost instantly transforms it into a device that knows who you are and how you work without any tweaking of settings, looking up of passwords, or laborious transfer of documents and pictures. It’s the digital equivalent of buying a new pair of jeans and having them instantly fit just like your old, tattered but perfectly fitting pair. Note the emphasis on “when done right,” as the Windows account implementation can be difficult to navigate, primarily because many Windows users have multiple accounts on top of having different services attached to the various accounts, which leads to the exact opposite of what the Microsoft account was supposed to do. Also note that if you intend to keep work and personal life separate on separate devices, it’s definitely possible to mix them all together if you aren’t very careful about which Microsoft account is logged into the various services, and disentangling them can be a confusing and frustrating experience.
Last week I wrote about the Microsoft Account that you may or may not be using properly on your Windows 10 machine. Thanks to some very poor user interface decisions from the Windows 8 days as well as Microsoft’s behind-the-scenes efforts to move their vast Hotmail/Outlook.com/Live.com users into a monolithic (sort of) platform, it’s highly likely that you have one or more Microsoft Accounts tied to your email addresses, regardless of whether they are Microsoft webmail services (Hotmail.com, MSN.com, Passport.com, Live.com, Outlook.com as well as all the international variants) or another popular “free” or bundled provider like Gmail, Yahoo, SBCGlobal, Pacbell, Roadrunner, etc. Also, if you subscribe to Office 365, either via a personal subscription for desktop versions of Office (Word, Excel, PowerPoint, etc.) or for business emails with your company’s domain name, you have a Microsoft Account to which those services are tied.
How do I know if I’m using a Microsoft Account with my Windows PC?
It’s pretty easy to spot. Go to the Windows menu and select Settings (the gear icon) -> Accounts. In the window that pops up you should see your name and/or an email address. If it says “Local Account” you are using the “traditional” Windows profile that is not directly connected to the Microsoft Account platform. If it shows your name and an email address and right below that “Manage my Microsoft account” then you are logging into Windows with a Microsoft Account. The third option you may encounter will be an Active Directory domain account which will be very uncommon in home and small business environments. Depending on the type of AD account, under your name may appear your domain login which may be an email address OR may appear as “domain\username”. The key difference is that it will not say anything about managing your Microsoft account under your user name.
Why is this important?
If you are using a local or Active Directory login, your Windows login password is not controlled by the Microsoft Account platform. For local accounts, the password is machine specific and can only be changed on that machine and only by an administrator on that machine, which is usually you. Active Directory passwords are controlled by your domain administrator (usually your work’s IT team) and can be changed by you or your administrator (depending on the rules they have established), and may be changed regularly per your company’s policy. If you are using a Microsoft Account login and happen to change the password of that account, say in the course of updating your Office 365 Home subscription or changing a credit card on your Xbox Game Pass account, it changes the password you will use to log into your Windows PC but does not highlight that as a possible consequence. What confuses people is that they sometimes change that password from a completely different device (even on an iPhone or iPad) using Microsoft’s website and then when they get back to their Windows PC, discover that they can’t log in with their usual password. On top of this, you may have added a PIN or some other biometric login (face recognition or fingerprint) and if you change credentials it will sometimes invalidate those login processes as well, meaning you will HAVE to use the Microsoft Account password to get into your computer.
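One way to run the same check from PowerShell instead of the Settings window, as an added example that is not part of the original post. The function name Get-SignInAccountType is made up for illustration, and the script assumes Windows PowerShell 5.1 or later, where the Get-LocalUser cmdlet is available.

```powershell
# Added example (not from the original post): report how the current Windows
# sign-in is backed and where its password is controlled.
# Get-SignInAccountType is a hypothetical helper name.
# Needs Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts).

function Get-SignInAccountType {
    [CmdletBinding()]
    param(
        [string]$UserName     = $env:USERNAME,
        [string]$UserDomain   = $env:USERDOMAIN,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Local and Microsoft Account sign-ins report the PC name as the domain.
    # Anything else means a directory (work or school) is the authority.
    if ($UserDomain -and $UserDomain -ne $ComputerName) {
        return [pscustomobject]@{
            Account             = "$UserDomain\$UserName"
            Type                = 'Domain or work/school account'
            PasswordIsChanged   = 'By you or your domain administrator, per company policy'
            PasswordLastSet     = $null
        }
    }

    # PrincipalSource on a local user object says where the account comes from.
    $account = Get-LocalUser -Name $UserName -ErrorAction Stop

    switch ([string]$account.PrincipalSource) {
        'MicrosoftAccount' {
            $type  = 'Microsoft Account'
            $where = 'Online; a change made from any device also changes this PC sign-in'
        }
        'Local' {
            $type  = 'Local Account'
            $where = 'On this PC only, by you or an administrator of this PC'
        }
        default {
            $type  = "Other ($($account.PrincipalSource))"
            $where = 'Unknown; ask whoever manages this PC'
        }
    }

    [pscustomobject]@{
        Account           = "$ComputerName\$($account.Name)"
        Type              = $type
        PasswordIsChanged = $where
        PasswordLastSet   = $account.PasswordLastSet
    }
}

# The profile you are signed in with right now
Get-SignInAccountType | Format-List

# Every enabled profile on this PC, so a forgotten Microsoft Account
# sign-in on a shared machine shows up as well
Get-LocalUser |
    Where-Object Enabled |
    Select-Object Name, PrincipalSource, PasswordLastSet |
    Format-Table -AutoSize
```

A profile listed with a PrincipalSource of MicrosoftAccount is one whose Windows password follows the online account, which is the case described above where a password change made elsewhere locks you out of the PC until you use the new password.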
Next week – why you would want to use a Microsoft Account for your Windows login, and why not.
When Microsoft introduced Windows 8 they introduced a new “feature” in the wizard that walks you through the process of setting up your new PC. This new feature was the ability to use a Microsoft account as your user login on the PC instead of the traditional user account that has been used for years with prior versions of the Windows OS. Unfortunately, they did an extremely poor job explaining what this actually was, or how it worked. This feature is still used extensively on Windows 10 PCs today. It is still not explained well in the wizard, it’s still difficult to understand, and it can cause quite a bit of confusion when used unintentionally.
What this means for you
If you’ve ever walked through the process of setting up a new computer, you’ve come across and probably implemented this feature without even realizing the extent of its capabilities or how it differs from the “old” way of creating an account for your PC. Since the very early days of Windows, most people interact with the operating system and their apps through what’s known as a user profile. The profile mechanism allows more than one person to use the same hardware while retaining their own set of data and settings. On home PCs you typically only had one profile, and in versions past you might have had one set up without a password, not realizing you were even logging into a profile at all. Up until Windows 7, this profile was a “local” profile on most personal and home PCs, and for most users it was something they only had a vague awareness of, if at all.
Starting with Windows 8, Microsoft implemented the means for a local computer profile to be synced to the internet, ostensibly to back up your settings and password to a “cloud profile” that was tied to your Microsoft Account. Though its intent wasn’t clear at the time, the end goal was to allow you to build a profile that could be moved from PC to PC as you upgraded your hardware, or used on multiple PCs simultaneously, giving you perfectly synchronized data across all of them through the magic of the internet. Except at the time, Microsoft didn’t explain its vision well at all during the process, and we actually wouldn’t see the full vision realized until the arrival of Windows 10 and OneDrive many years later. On top of this, they would typically funnel you into creating a Microsoft Account by using your email address, which most people mistook for Windows just asking for their email password. If your email account was provided by Microsoft, that is actually what they are doing, but if you give them a non-Microsoft email account (say Gmail or AOL) then you would be prompted to create a Microsoft Account on the spot using your email address as the login name. Not confusing at all, right? This resulted in tons of questions: “Is Microsoft taking over my email?” “Am I converting my Gmail/AOL/Yahoo email into a Microsoft email?” “Which password should I use to log into Windows?” “How do I access my Microsoft Account?”
Now, let’s add Office/Microsoft 365 into the mix. With the arrival of Microsoft’s cloud platform, it’s actually possible to have TWO Microsoft Accounts that use the same email address. Let’s say you have your own domain name and email account, and you’ve just recently moved hosting to Microsoft 365. But prior to that, you set up a Microsoft Account using that same email address. Whenever Windows needs to access your Microsoft Account it will ask you for your email address, and if you happen to have two accounts, it will present you with a choice to pick between your Work or School Account or your Personal Account. But depending on which service you are accessing – let’s say your Xbox Game Pass subscription (Personal Account) or your OneDrive account (might be work, might be personal, you probably have both!), or even setting up your new PC with a new profile, you can use either one!! But which one to choose?!?
Next week – more details on Microsoft Account Madness!
Despite the fact that a database containing personal information scraped from Facebook on over half a billion people has appeared on the internet and is available for anyone with a modicum of technical skill, Facebook doesn’t appear to be concerned at all, dismissing this particular news with a hand wave: “This is old data that was previously reported on in 2019…We found and fixed this issue in August 2019,” per an email statement sent to the Associated Press. And it seems they have good reason to downplay this “old news” as its stock hits a record high despite facing news that would be catastrophic for just about any other company. Unfortunately for us, this issue they “fixed” in 2019 might have been any number of security problems they had in that year, and yes, this database may be an amalgamation of several breaches. Which doesn’t make it any better.
What this means for you
To put this in perspective, here is a visualization of just how big a number 533,000,000 actually is:
The above is just the first of 4 slides so click through for the other 3 slides – it’s worth a look. The amount of data leaked is larger than the population of the USA. Unfortunately for the world, the leak seems to have been global in scale, affecting 106 countries in total and over 32 million Americans. On a personal level, the data contains information that would be classified as Personally Identifiable Information, including names, physical addresses, phone numbers and email addresses. This is enough info to put your identity at serious risk of theft (if it wasn’t already before), and as such, at minimum you should be putting a freeze on your credit reports. This leak may also pose a risk for anyone who has a need to keep such data private, such as celebrities, or abuse/stalking victims, or just your regular social media user who had no idea their “personal” information could be made so widely available.
Seeing as Facebook does not seem to be taking any sort of ownership on this, you will have to rely on the third-party site HaveIBeenPwned.com to see if you were one of the 533 million affected by this latest leak. At this point, even if you weren’t affected by this particular breach, I can almost guarantee that if your email address is more than a year old, you are likely still going to find yourself on that site. You can also check at this newer site by phone number, just to cover all the bases.
Some of us maintain Facebook accounts because we have to, but if you aren’t using it anymore or want to stop using it because this was the last straw, you can delete your account here: https://www.facebook.com/help/224562897555674. On top of this, you should be:
- Using two-factor authentication for all your important email, financial and work-related accounts,
- Backing up your data to the cloud via a reputable platform like Backblaze, Carbonite or iDrive,
- Using unique, complex passwords for everything, and
- Managing those passwords through a password manager like LastPass, 1Password, Dashlane or RoboForm.
Oh, and you put a freeze on your credit reports, right?
Last week I wrote an article about another mega-corporation that starts with “A” and presents a public image more benevolent than its actual behavior, but in the case of AT&T, I don’t think anyone mistakes them for a business with a progressive ideology. As a matter of fact, you could say their latest blog, purportedly written by one of their executive VPs, is exactly the opposite, with a very conservative view on what America needs in terms of internet speeds. The blog appears to be in response to the Biden administration’s call to define a new baseline for internet broadband at 100Mbps for both upload and download speeds, as well as proposals from the Administration and Congress to subsidize infrastructure development in under-served geographical and income-challenged populations.
What this means for you
Let’s cut to the chase: AT&T believes that rural America doesn’t need 100Mbps upload speeds. As a matter of fact, according to their blog post [emphasis ours]:
“The pandemic has broadened the consensus opinion that it’s time to revisit the FCC’s current broadband definition of 25/3 Mbps. To be clear, service at that speed is sufficient to support zoom working and remote learning.”
Defining Broadband For the 21st Century – AT&T Public Policy
To be fair, they do go on later to say that the 25Mbps download speed is less than optimal for a family of four, especially in light of the pandemic. But what they are objecting to is the current Administration’s attempt to redefine the baseline standard of broadband any higher than their current infrastructure can support, and a 100Mbps upload speed is way more than their ancient DSL networks (top speed of 3Mbps in most areas) can handle. They are also objecting to the proposals that would provide billions of dollars in subsidies to competitors, including municipal-backed co-ops and smaller ISPs that would challenge their monopoly (or duopoly if you are lucky) in most broadband markets, including urban and commerce hubs. I’m pretty sure they know that most Americans, given a choice, will absolutely consider other options, especially if they are competitive (and not AT&T), and AT&T hasn’t had to compete in decades in a large part of their market. Hopefully the current administration can push forward some serious upgrades to the nation’s infrastructure that include establishing a broadband speed standard in every part of the country, breaking the monopolistic inertia that is holding large swaths of our population hostage with 90’s-era technology and speeds.
How can you do something about this? Contact your elected officials and let them know you want faster internet and a choice of providers. This isn’t a partisan issue – everyone should have fast, affordable internet.
If there is one thing that has been consistent with the Apple brand throughout the years, it’s that they have a fiercely loyal customer base that has expanded from what was once a very small percentage of the market to worldwide dominance through their mobile devices. The reasons why Apple’s brand is so popular could be the subject of numerous dissertations on the power of marketing, psychology and design aesthetics, and for the most part, their hardware and software have consistently been of high quality (with a handful of high-profile exceptions) since the very first Apple computer took the world by storm. If you are choosing Apple products for their hardware, software, or design aesthetic and can afford their comparatively higher cost, I find no fault with that reasoning. However, if, all other things being equal (hardware, software, design), you select Apple based on their perceived ideological stance when determining which brand to pursue, it may be worth considering the below.
What this means for you
Since taking over for Steve Jobs in 2011, Apple CEO Tim Cook has worked studiously and successfully to elevate Apple’s branding to represent the company as having a more socially and environmentally conscious stance. This includes several high-profile incidents, such as when he challenged stockholders to sell if they disagreed with Apple’s increasing investment in renewable energy, Apple’s public filing of a friend-of-the-court brief on Trump’s intent to cancel DACA, and most recently the spat with Facebook over recent changes to the Apple iOS to provide more transparency on the apps that track their users’ activities. While there is nothing wrong with these stances – they are each of them laudable – these are the ones that Apple wants you to recognize them for, and not for other, more questionable decisions, such as their removal of a Hong Kong protest app at the request of the Chinese government, and most recently, their change in policy to allow phones sold in Russia to prompt users to install state-approved Russian apps, something they have never done for any other country or market…until now.
As I’m sure you are aware, Apple is a publicly traded company and is, in the end, beholden to its shareholders, regardless of its stated ideals. Yes, Tim Cook told disgruntled investors to sell if they don’t like Apple’s decision to invest in renewable energy sources, but as time has since revealed, this appears to be a shrewd forecasting of the world’s turn towards renewables. Likewise, Apple punished Facebook in January of 2019 in a highly-publicized incident where Facebook was revealed to be using an app to scrape users’ phones for data. Apple appeared to be championing privacy for its users, but in fact the punishment levied against Facebook was for violating the licensing terms Apple extended to Facebook for the app – the license granted Facebook the ability to distribute non-public apps, which this “research” app was clearly not. They were not punished for the intent of the app, nor did Apple address the fact that participants were paid by Facebook for access to their data.
Social media has popularized a concept known as “virtue signaling” (controversial on its own) which seems to fit Apple’s publicity model. While Wikipedia’s definition seems to imply that Apple (as a company) should not be seen as a champion of human rights while quietly doing the opposite when it serves them, they aren’t the only company doing this, and this is not something new to for-profit companies. In the advertising world, this is known as “good branding” and Apple, if nothing else, is a textbook example of excellent brand management. Make no mistake, as long as you recognize Apple (or any other company behaving similarly) as a company with a bottom line and not an entity forwarding an agenda, their ideological stance should be viewed first as a marketing strategy and evaluated on what they do, and not what they signal.
I would hazard a guess that a large percentage of Facebook’s user base was actually alive at the time it was first created as a dating app for college students, but it’s very clear that a significant portion of Facebook users now look upon it as an (if not their only) authoritative information source, valuing the opinion of their social circles more than scientific evidence and fact-checked expertise. An internal Facebook study has confirmed that a very small number of accounts out of the 3.3 billion total on its platforms (including WhatsApp and Instagram) account for half of all “vaccine hesitancy” content appearing on the platforms. While Facebook has only recently started banning false and misleading content related to the Coronavirus Pandemic, apparently there is still a vast amount of content expressing concerns about vaccine effectiveness or severity of side effects.
What this means for you
Conversations about vaccine hesitancy and fears are considered nuanced enough to fall well short of being labeled as “harmful” and rightly so – Facebook is a place for people to share their opinions. However, when those opinions are formed from what may have been deliberately planted misinformation, they can sway large swaths of populations into making choices that may prove detrimental to everyone’s health, such as vaccine reluctance in 30% of Americans. According to Facebook’s own study, there appear to be 111 accounts that were the source of half the content published on Facebook that is causing a widespread distrust of vaccines. Social media communities, especially ones that identify around a single (possibly controversial) belief, tend towards reinforcing narratives instead of challenging them. The basic human need for validation has always created “echo chambers” in society, even well before the internet, but the size and speed of platforms like Facebook allow for the viral spread of both harmless fun and extremely harmful ideology with horrific outcomes.
To deliberately misquote a line from one of my all-time favorite movies, “What can we do against such reckless misinformation?” Riding out on a horse, while glorious, isn’t going to be effective. Make sure you are challenging misinformation by gathering information from a wide variety of sources. Don’t just assume those sources are reputable or trusted because they are on the internet or worse, found in your own echo chamber. Facebook can be a source of information, but as has been demonstrated time and time again, not one that should be fully trusted any time soon.
As if the SolarWinds fiasco wasn’t enough to completely undermine any trust in technology security, Microsoft is warning everyone about a significant exploit in its Exchange email platform that is actively being leveraged by a Chinese advanced persistent threat group dubbed “Hafnium.” According to Microsoft’s Threat Intelligence Center, this group is known for targeting entities in the United States primarily to steal data and intellectual property from a wide swath of industry, political and government organizations, but with this recent exploit, the attackers have spread globally, attempting to compromise as many servers as they can before administrators can patch vulnerable servers.
What this means for you
First and foremost, if your email is provided by an on-premise Exchange Server that is not being actively maintained by a qualified technology professional, you may be in danger, and you should contact an IT professional or a company like C2 immediately. It will be important to patch your servers immediately and then determine if the server has been breached. If you are breathing a sigh of relief because your email is hosted in the cloud, it’s still important to make sure your vendor has taken appropriate steps to make sure their platform is properly secured as they may be using Exchange to provide email services to you.
If your email is provided by Microsoft 365 or Google, this exploit does not impact you directly, but keep in mind that vendors and clients you work with may have been compromised, which may also have implications for your organization. Information stolen from a client or vendor in a breach could be used to impersonate a trusted individual in an attempt to trick you or someone in your organization into any number of activities that could end up directly affecting your bank account. One of our clients recently notified us that one of their vendors fell for an email spoofing campaign that resulted in that vendor writing a very large check to pay off our client’s invoice, but that check was sent to a fake address. Even though you might not be directly impacted by the Hafnium campaign, the sheer size of the information breach means that someone likely very close to your organization may be affected. As such, you and all your organization’s employees should treat any unusual emails or transaction requests with caution and skepticism for the foreseeable future.
Despite their best efforts, SolarWinds isn’t going to be able to slip back into obscurity anytime soon. Up until late last year, most regular folks wouldn’t have any idea who SolarWinds was, let alone what they did. But when one of the world’s largest outsource IT providers gets hacked, leading to the compromise of approximately 100 very large companies and NINE federal agencies including the National Nuclear Security Administration, you aren’t going to saunter casually out of sight after such a massive gaffe. You might try a little misdirection by throwing an underling under the bus, but all that is doing is making things worse, regardless of whether it’s true or not.
True leaders know where the buck stops
As the SolarWinds “saga” started to slowly unfold for us in December and January in all of its terrible glory, one of the minor “subplots” that was revealed involved a comically weak password that was used to secure a SolarWinds server. If you ever want to bring a rain of derision and reproach from the technology community, use a password like “solarwinds123” as part of your infrastructure while providing IT to the agency that manages our nuclear arsenal. And if you want to double-down on your foolishness, blame an intern for it.
It’s entirely possible that an intern might actually be at fault; all of us were young and “wet behind the ears” at some point in our careers, and let’s face it, there are a ton of people out there who might think that this is at least an OK password. But let me tell you something: every single SolarWinds technician, engineer, senior engineer and up that typed in that password KNEW it was a bad password and didn’t bother changing it. Everyone reading this article knows this is a bad password, and if you’ve been a reader for any amount of time, you’ve known this for years. It’s reasonable to assume that a fresh-faced intern with no IT experience may have chosen such a password, but it should have never survived the moment any SolarWinds employee had to use it even once. Regardless of who made the initial mistake, allowing it to continue being used is absolutely leadership’s fault – all the way to the CEO. Bad passwords have consequences, but excusing and ignoring them is even worse.
Not even three months into Apple’s release of new computers powered by the Apple M1 processor, researchers have discovered at least two malware platforms that seem to have been specifically written to target Apple’s new CPU. One of the new apps, “GoSearch22”, is actually a recompiled version of a known adware app called “Pirrit”. The new M1 variant has already been decertified by Apple, meaning that it will be blocked from running in the OS if your Mac is current on updates. The other malware app, dubbed “Silver Sparrow”, appears to be brand new and is showing up on at least 30K Macs, both M1 and Intel-powered machines, but at the moment, researchers aren’t quite sure what it’s intended to do.
What this means for you
For the majority of Windows users this is not relevant and you can carry on worrying about the myriad other security concerns that the platform is infamous for, but if you happen to use Apple computers for your daily work, take note. At the moment, Silver Sparrow isn’t doing anything except existing and looking very suspicious. It may never be deployed – think of it as a sleeper agent whose cover has been blown. The fact that it exists, and that a version of it was written explicitly for Apple’s new M1 CPU, means that cybercriminals are leaving no stone unturned in their pursuit of exploiting every internet-connected device. Where before Apple users could work knowing that because of their relatively small market share they were unprofitable targets for malware developers and as a result slightly more secure than their Windows brethren, this is clearly no longer the case. OS X is definitely being targeted by mature, sophisticated adversaries. While security through obscurity was never a good enough reason to not run malware protection on OS X, it’s definitely been invalidated by the sudden and widespread appearance of Silver Sparrow. Make sure you are running up-to-date and effective malware protection on your Mac, old or new. If you don’t know what to install, contact us for advice or a managed solution.