
Archive for IT Support

There’s now one less excuse not to use a password manager


LastPass becomes a great free option.

LastPass is making its password manager a much better option for people who don’t want to pay. As of today, it’s opening up to everyone the ability to sync passwords between an unlimited number of devices — something that used to be available only to subscribers.

Free users were previously limited to syncing LastPass to a single app, which is pretty limiting in a world where you very possibly need to access those passwords across multiple PCs, a phone, and a tablet. Now, there are no longer any big restrictions on the free version of LastPass (though it’s still offering a $1 per month subscription with some additional features).

Like other password managers, LastPass can be used to generate strong and unique passwords, keep track of which sites and services they belong to, and then enter them when needed. LastPass stores all passwords in the cloud, making them accessible from anywhere. That makes syncing simple, though it also opens the service up to some security concerns (ones that its competitors face as well).

Still, using LastPass or any other password manager is going to be a significant step forward for most people when it comes to security. We’ve seen a steady stream of hacks this year that have compromised usernames and passwords from major sites. Using a password manager lets you use a different password in every location, minimizing the potential fallout of a password leaking out. Password managers can be a bit of a hassle to use (compared to typing in a single memorized password), but it’s worth the effort.

Kastrenakes, Jacob. “There’s now one less excuse not to use a password manager.” The Verge. N.p., 2 Nov. 2016. Web.

Posted in: E-mail, IT Support, Security, Tech Tips for Business Owners


How to protect your Apple ID with Two-Factor Authentication

Two-Factor Authentication strengthens the security of your Apple ID by preventing anyone from accessing or using it, even if they know your password. With Two-Factor Authentication, one of your trusted devices generates a one-time code when you make a purchase or sign in to your Apple ID, iCloud, iCloud.com, iMessage, FaceTime or Game Center account on a new device. Two-Factor Authentication is also required for Auto Unlock so you can unlock your Mac by wearing an Apple Watch.

In this tutorial we’ll show you how to protect your Apple ID with Two-Factor Authentication or, if you’re still using the older and less secure Two-Step Verification, upgrade to Two-Factor Authentication.

Two-Factor Authentication vs. Two-Step Verification

Two-Factor Authentication is the preferred protection system for Apple IDs.

It replaces Two-Step Verification and is more secure because it’s integrated deeply into the bowels of iOS and macOS. The older, less reliable Two-Step Verification system relies on different methods to trust devices and deliver verification codes.

With Two-Factor Authentication enabled, a six-digit code is required to verify your identity using one of your devices or another approved method before you can:

  • Sign in to your Apple ID account page on the web
  • Sign in to iCloud on a new device
  • Sign in at iCloud.com in a web browser
  • Sign in to iMessage, Game Center or FaceTime on a new device
  • Make an iTunes, iBooks or App Store purchase from a new device
  • Get Apple ID related support from Apple

See Apple’s support document for more information about Two-Factor Authentication, including an up-to-date list of countries where this feature is available.

System requirements for Two-Factor Authentication

In order to use Two-Factor Authentication, you must own one of the following devices:

  • iPhone, iPad or iPod touch with iOS 9 or later
  • Mac with OS X El Capitan or later and iTunes 12.3 or newer
  • Apple Watch with watchOS 2 and up
  • Windows PC with iCloud for Windows v5.0 or later and iTunes 12.3.3 and up

Logging into your Apple ID on a device that has software earlier than specified above may yield a message saying Two-Factor Authentication is unavailable so make sure your gadgets meet the requirements and run the latest software.

Protecting Apple ID with Two-Factor Authentication

If your Apple ID is protected with the older Two-Step Verification method, you must first disable it before you can opt in to Two-Factor Authentication. Unfortunately, Apple does not provide a direct upgrade path for Two-Factor Authentication.

If you already use the newer Two-Step Verification system, skip this section and proceed with the steps outlined in the section titled “Enabling Two-Factor Authentication”.

Disabling Two-Step Verification

1) Sign in to your Apple ID account page using a desktop web browser.

2) Click Edit under the Security heading.

3) Click Turn Off Two-Step Verification, then create three new security questions and verify your birth date and phone number when asked.


You will receive an email from Apple confirming that Two-Step Verification for your Apple ID account has been turned off and the Apple ID account page will reflect the change.


You can now protect your Apple ID with Two-Factor Authentication.

Enabling Two-Factor Authentication

1) Go to System Preferences → iCloud → Account Details → Security on your Mac. Alternatively, open Settings → iCloud → your Apple ID → Password & Security on your iPhone, iPad or iPod touch.

2) Click Set Up Two-Factor Authentication and follow the onscreen instructions.


You must provide three security questions and answers, verify your birth date, add a rescue email and verify a mobile phone number where Apple will send you verification codes when your trusted devices are unavailable.

If you see a message that some of your devices are incompatible with Two-Factor Authentication, hit Turn On Anyway to continue. Enrolling in Two-Factor Authentication will replace your iCloud Security Code with your device passcode.

To enable Two-Factor Authentication on the web: log into the Apple ID account page, click Edit under the Security heading, hit the link “Get Started…” below the Two-Step Verification heading and follow the onscreen instructions.


The Apple ID account page lists under the Trusted Devices heading all your Apple devices which are capable of generating Two-Factor Authentication codes. Any iOS device with Find My iPhone enabled can generate these codes.

Now all that’s left for you to do is double-check that Two-Factor Authentication has really been enabled by following the instructions below.

Verifying that Two-Factor Verification is enabled

To double check that you’re using Two-Factor Authentication or that you’ve successfully upgraded your Apple ID from the older Two-Step Authentication system to the more secure Two-Factor Verification, do the following:

1) On your Mac, open System Preferences → iCloud, click the Account Details button, then click the Security tab and make sure Two-Factor Authentication is on.


2) On your iPhone, iPad or iPod touch, go to Settings → iCloud, tap your name to reveal account details, then tap Password and Security and make sure that Two-Factor Authentication is on.


3) If you own an Apple Watch, open the companion Watch app, go to My Watch → General → Apple ID and verify your Apple ID is showing.

That’s it, your Apple ID account is now protected with Two-Step Verification.

How to use Two-Factor Authentication

With Two-Factor Authentication enabled, you’ll verify your identity by entering both your Apple ID password and a six-digit verification code any time you sign in to the Apple ID page or iCloud.com, make an iTunes, iBooks or App Store purchase from a new device or sign in to iMessage, FaceTime or Game Center on a new device.


A prompt that goes up on your trusted devices includes a mini-map showing you where the sign-in attempt is coming from. Tap Allow to get a one-time six-digit verification code that you must type into your other device to verify the login attempt.

How to manually generate Two-Factor Authentication codes

You can also manually generate a verification code at any time:

On your iOS device, go to Settings → iCloud, tap on your account name at the top, then hit Password & Security and select Get Verification Code.


On your Mac, click the Account Details button in System Preferences → iCloud, then click the button labeled Get A Verification Code found under the Security tab.


Now enter your six-digit verification code into your other device to sign in.

With Two-Step Verification enabled, your Apple ID account will be more secure than ever and you will be able to use advanced features like Auto Unlock in macOS Sierra and watchOS 3, which lets you get into your Mac simply by wearing an authenticated watch.

Zibreg, Christian. “How to Protect Your Apple ID with Two-Factor Authentication.” Mid Atlantic Consulting Blog. idownload Blog, 21 Sept. 2016. Web.


Although the above article pertains to Apple ID, you can add this higher level of security to just about any of your accounts and/or devices.  One thing to realize is that two-factor authentication (2FA) is not a new solution and over the years many different 2FA options have developed. We know that narrowing down your options can be an overwhelming task, so we have done that part for you. We have a few solutions to the problem and will work with you to find the right one to suit your particular needs.

One of our experienced professionals would be happy to discuss the best options for you and your organization.

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to schedule a consultation.

Posted in: IT Support, Mobile Computing, Security, Tech Tips for Business Owners


Two-Factor Authentication: Methods and Myths


When I mentioned to a few friends that I was writing a feature about two-step authentication, the typical response was an eye-roll and “Oh, that annoying thing?…” Yes, that annoying extra step. We’ve all had that thought when we needed to get a code before we could log in or verify our identity online. Can I please just log in without a barrage of requests?

However, after much research about two-factor authentication (often referred to as 2FA), I don’t think I’ll roll my eyes at it anymore. Let’s get to know two-factor authentication a little better, the different options out there, and dispel some myths surrounding that “annoying” extra step.

Most Common Alternatives For Using 2FA

SMS Verification

It’s commonplace for apps and secure services to suggest you add 2FA at least via SMS messages, for example when logging into your account — either at all times or just when doing so from a new device. Using this system, your cell phone is the second authentication method.

The SMS message consists of a short single-use code that you enter into the service. This way, Mr. Joe Hacker would need access to your password and your phone to get into your account. One rather obvious concern is cell coverage. What if you’re stuck in the middle of nowhere without a signal, or traveling abroad without access to your common carrier? You won’t be able to get the message with the code and won’t be able to log in.

But most of the time, this method is convenient (we all live with our phone attached to our hand). And there are even some services that have an automated system speak the code so that it can be used with a landline phone if you can’t receive text messages.

Google Authenticator / App-Generated Codes

Potentially a better alternative to SMS because it doesn’t rely on your wireless carrier, there’s a good chance you’ve already used at least one short-term code generating app. Google Authenticator (made for Android and iPhone) is the most popular app in its category.

After setting up a given service with Authenticator, you’ll be prompted to enter an authentication code in addition to your username and password. You’ll rely on the Google Authenticator app on your smartphone to provide you with a fresh code. The codes expire within the minute, so sometimes you’ll have to work fast to enter the current code before it expires and then the new code is the one to use. Even though the name is Google-centric, you can add a multitude of services to it beyond Gmail, including but not limited to Dropbox, Lastpass, Amazon Web Services, Evernote, and many others.

If you don’t want to rely on Google for this kind of service, there are a few alternatives, of which Authy is considered the most comprehensive. Authy offers encrypted backups of the codes generated over time, as well as multi-platform and offline support. Lastpass recently launched their own authenticator as well.

These apps will keep generating time-specific codes till kingdom come, with or without an internet connection. The only tradeoff is that setting up the app is slightly complicated.

Physical Authentication Keys

If dealing with codes and apps and text messages sounds like a headache, there’s another option that is on the brink of popularity: Physical authentication keys. It’s a small USB device you put on your keychain (the FIDO U2F Security Key pictured above.) When logging into your account on a new computer, insert the USB key and press its button. Done and done.

Some companies are at work creating a standard called the U2F. Google, Dropbox, and GitHub accounts are already compatible with the U2F token. At some point in the future, physical authentication keys will work with NFC and Bluetooth to communicate with devices that don’t have USB ports as well.

App-Based and Email-Based Authentication

Some mobile apps skip the above options altogether and verify through the app. For example, enable “Login verification” on Twitter and when you log into Twitter for the first time from a new device, you must verify that login from the app on your phone. Twitter wants to make sure that you, not Mr. Joe Hacker, have your phone before you log in. Similarly, Apple uses iOS to verify new device logins. When logging in on a new device, you’ll get a one-time-use code sent to an Apple device you already use.

Email-based systems, as you probably figured out just from the title, use your email account as the second-factor authentication. When logging into an app or service that uses this option, the one-time-use code will be sent to your registered email address.

Myths / FAQ

What are common services where enabling 2FA is recommended?

  • Google / Gmail, Hotmail / Outlook, Yahoo Mail **
  • Lastpass, 1Password, Keepass, or whichever password manager you use **
  • Dropbox, Google Drive, iCloud, OneDrive (and other cloud services where you host valuable data)
  • PayPal and other banking sites you use that support it
  • Facebook / Twitter / LinkedIn
  • Your website hosting provider: WordPress, Softlayer, Rackspace, etc.
  • Steam (in case your game library happens to be worth more than your average bank account balance)

** These are particularly important because they usually serve as a gateway to everything else you do online.

If you are wondering whether a certain site or service supports 2FA, twofactorauth.org provides a very comprehensive list.

If there’s a security breach, turn on two-factor authentication ASAP

The problem is that you can’t just flip a switch and turn on 2FA. Starting 2FA means tokens have to be issued, or cryptographic keys must be embedded in other devices. And since 2FA is so heavily reliant on user participation, don’t expect it to be up and running super quickly.

Should I enable two factor authentication or not?

Yes. Especially for critical services that contain your personal data and financial information.

Two-factor authentication is impervious to threats

No. 2FA depends on both technologies and users that are flawed, so it is also flawed. A 2FA that uses SMS text as the second factor relies on the security of the wireless carrier. There have also been cases where malware on a phone intercepts SMS messages and sends them to the attacker. Another way that 2FA can go wrong is when a user isn’t paying attention and approves a request for authentication (maybe it’s a pop-up message on their Mac) that was started by an attacker’s attempt to log in.

Two-factor solutions are (basically) all the same

This may have been true at some point, but there’s been much innovation to 2FA recently. There are 2FA solutions using SMS messages or emails. Other solutions use a mobile app that contains a cryptographic secret or keying information stored in a user’s browser. Reliance on third-party services is something to think about, and should be improved upon, as it has been breached and the authentication has failed in some instances.

Two-factor authentication is an annoying extra with little benefit

Well, with this attitude we’ll never get anywhere. In reality, some businesses or services approach 2FA as a compliance requirement, instead of something that can help reduce fraud. Some companies use the minimum required 2FA that barely does anything, just to check off the 2FA box. As a user, it can be annoying to use 2FA, but if the company is using a flexible authentication method (not just the bare minimum) it can reduce the possibility of fraud. And who doesn’t want that?

It’s the end of 2FA as we know it

Maybe. Everything you’ve just read is about 2FA today, and we don’t know a lot about the future besides that it will change and become more commonly used. The most hope-inducing and cool part of 2FA is that it can become much better as time goes on. Right now, 2FA is still sitting on the outskirts of the crowd. So, it will be interesting to see if 2FA security and ease of use can improve enough that it becomes a tool we all love.

Pope, Devin Kate. “Two-Factor Authentication: Methods and Myths.” TechSpot. TechSpot, 21 Sept. 2016. Web. 06 Oct. 2016.



Posted in: IT Support, Security, Tech Tips for Business Owners


Employee Negligence The Cause Of Many Data Breaches


Enterprise privacy and training programs lack the depth to change dangerous user behavior, Experian study finds.

More than half of organizations attribute a security incident or data breach to a malicious or negligent employee, according to a new survey.

Sixty-six percent of the 601 data protection and privacy training professionals surveyed for the Managing Insider Risk through Training & Culture report say their employees are the weakest link in their efforts to create a strong security posture.

Awareness of the insider risk, though, is not influencing many companies to put in place practices to improve the security culture and training of their employees, the Experian Data Breach Resolution and Ponemon Institute report found.

Only 35% say senior executives think it is a priority to ensure that employees are knowledgeable about how data security risks affect their organizations, and 60% say employees are not knowledgeable or have no knowledge of the company’s security risks.

“It’s no surprise that employee-related security risk is their number one concern,” says Michael Bruemmer, vice president of Experian Data Breach Resolution. “As we have seen in our incident response service that we do for clients, about 80% of all the breaches we service have a root cause in some type of employee negligence.”

Training Programs Inadequate

Each of the organizations in the survey has a training program, but many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk. Only half of the companies agree or strongly agree that current employee training actually reduces noncompliant behaviors.

Forty-three percent of respondents say that training consists of only one basic course for all employees. These basic courses often do not provide training on the risks that can result in a data breach: 49% of the respondents say training in their organization does not include phishing and social engineering attacks. Only 38% of respondents say the course includes mobile device security, and only 29% say courses include the secure use of cloud services.

Less than half (45%) say their organizations make training mandatory for all employees. Even when mandatory, exceptions are made for certain individuals. For example, 29% of respondents say the CEO and senior level executives in their companies are not required to take the course.

Additionally, if an employee doesn’t pass a privacy test or do well on a training course, 60% of the companies in the survey don’t require them to do anything else but check off the right answers on the test, Bruemmer says.

Responsibility Starts At The Top

The responsibility for data protection and cybersecurity should start at the top with company board members and senior management, he notes. Cybersecurity should be one of the top five strategic priorities, he says. And if companies are setting up an organizational structure, the chief information security officer or an executive with that responsibility, must report at a minimum to the CEO, if not directly to the board.

“So cybersecurity, privacy, and data breach response must have a priority at the highest level of the organization,” Bruemmer says. To back up that argument, Bruemmer notes that 29% of the cybersecurity professionals surveyed say that the lack of senior executive buy-in contributed to the inefficient training.

“In this day and age, given the cost of a data breach, which is about $6.2 million per incident, to not spend the money upfront to address the number one cause of data breaches – a relatively low cost compared to some of the other preparations – it just seems like there is a real miss here,” Bruemmer says.

Mitigating the insider risk, according to Bruemmer, should include both culture and training. Sixty-seven percent of respondents say their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues.

The report recommends that companies should provide employees with incentives to report security issues and safeguard confidential and sensitive information, as well as better communicate the consequences of a data breach. Plus, companies should “gamify” training to make learning about potential security and privacy threats fun.

Meanwhile, federal cybersecurity professionals also recognize that people can be their organization’s greatest cybersecurity asset or greatest liability: 42% of cybersecurity executives surveyed for a new (ISC)² and KPMG LLP report say that people are currently their agency’s greatest vulnerability to cyberattacks.

Lack of accountability was also a consistent theme throughout the federal survey results, as some respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Federal cybersecurity executives are still struggling to understand how attacks could potentially breach their systems a year after hackers stole the personal information of 22 million people from the Office of Personnel Management databases, according to the (ISC)² report.

Yasin, Rutrell. “Employee Negligence The Cause of Many Data Breaches.” N.p., n.d. Web.


In 2015 43% of data breaches were a result of employees, half were intentional, and the other half accidental.  So let us help you with the “accidental”…

Phishing, spear phishing, and socially engineered emails and links are designed to get your employees to open the door to malicious attacks, and they appear in various ways. We believe that the best approach is to take a defensive stance by arming your staff with the most updated information.  And since we believe that knowledge is power, we have put together a presentation to explain the many deceptive tricks of hackers and the most common mistakes made by end users. We also have a method to reinforce training by creating a phishing scheme which will test who will “click”.

Employee awareness is the key to fighting the cyberwar!

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to set up an appointment for a security consultation.

 

Posted in: Business, IT Support, Security


Ransomware Alert: Don’t be Unlucky With Locky

Ransomware is a rapidly growing plague on computer users, and the latest variant of Locky adds malicious Word macros to its weaponry.

If you must open Word documents created by others, here are some ways to ensure you don’t become a ransomware victim.

When you’re unlucky enough to get Locky

Locky ransomware shows up in many formats, but in most cases it’s disguised as an invoice, shipping document, or similar-seeming legitimate attachment. Typically, those attachments are Word or Excel documents, but the malware might also be hiding inside a ZIP or RAR file.

No matter how Locky arrives, the end effect is the same — and frighteningly obvious. You’ll discover that all your documents are encrypted: not just those on the infected computer, but also files on mapped external drives and network locations. Even cloud-based documents are at risk. It can also disable Windows’ volume shadow copies.

It gets worse: Locky will look for bitcoin wallets and try to encrypt them as well.

Locky can even store information in the Windows Registry.

Here are some reminders of ways to protect yourself from this latest variant:

The first line of defense remains unchanged

Regular Windows Secrets readers should already know the first rule of blocking ransomware and similar forms of malware: Don’t open email attachments that did not come from truly trusted sources. I’d even avoid attachments forwarded by those you know well — you can’t know the original source of the document.

Note that the ransomware payload typically isn’t triggered by simply viewing the email message; you have to open the malicious attachment to become infected.

The next best defense is using an email service that filters your email. If you never see the attachment, you won’t be tempted to open it. Many major Internet service providers will filter and clean email — it’s in their interests to protect their subscriber traffic.

If your ISP doesn’t provide effective mail filtering and cleaning, you should sign up for one of the free providers that do. You can, for example, forward your mail through Gmail or Outlook.com. I also recommend creating a separate account on one of the free, online mail services; then use that address for the sites that might lead to more spam in your inbox.

Many of the malicious emails and attachments look as if they came from legitimate businesses. It can be hard to tell a bogus FedEx notification from a real one. If you’re suspicious of an email, open it on a platform that’s less likely to be hit by ransomware. For example, I often use my iPhone to open up suspect mail. If it proves safe, I will then open it on one of my Windows machines. But even that’s not foolproof. As noted in a recent Reuters story, some OS X machines saw their first successful ransomware attack. The “KeRanger” exploit was piggy-backing on torrent sites. (That’s what you get for illegally downloading media — I jest: there are legitimate reasons for using BitTorrent.) Experts reportedly expect to see new forms of attachments on Macs.

Preventing infection by blocking macros

Locky’s use of Office-based macros is somewhat unique. If you’re unlucky enough to launch the malware, and if you’ve not taken precautions to block certain macros, the encryption process will begin. Microsoft’s Malware Center has posted tips for protecting yourself from bogus macros.

It starts with checking whether you have any Word docs or Excel worksheets that contain macros. If you don’t have or use macros, take the following steps to better protect yourself from malicious documents that might slip onto your machine.

  • Open a Microsoft Word document.
  • Click the File tab and then Options.
  • In the Trust Center, click Trust Center Settings.
  • In the Macro Settings section, check that the default Disable all macros with notification is enabled.
  • Click OK.

If you do use macros, the better option is: Disable all macros except digitally signed macros. This will ensure that unsigned macros don’t launch when you open a document.

Looking for the yellow banner when opening files

If you have a newer Office platform (2010 through 2016), it knows where opened documents have come from. Opening Word or Excel email attachments will trigger the yellow warning shown in Figure 1. (The wording will vary slightly with different Office versions.) Earlier platforms might also display the warning — if you’ve installed specific updates. But as I’ve pointed out in a Patch Watch column, the updated Office versions weren’t perfectly successful when dealing with file opening on older platforms.


Figure 1. Office’s warning that a document that arrived in email could be malicious

If you’re using .docx and .xlsx formats, newer Office versions tend to be more effective at spotting and blocking macros. But the key is still to always watch for the yellow banner at the top of opened files. If the document came via the Web, you can enable macros — but, again, only if you truly trust the source.

What do you have access to?

An often overlooked step for limiting damage from ransomware is checking what you have access to from your PC. If you can browse to a location on an internal drive, on an external USB drive, in the cloud, and so forth, the ransomware payload has access to that location, too.

With that in mind, review how your backup software is set up. It’s one of the reasons I don’t completely trust Windows 10’s File History system; it saves a copy to an external USB hard drive that you — and ransomware — have full access to. File History makes no attempt to hide the location of archived files; hiding them would help protect them from ransomware encryption.

I wouldn’t turn File History off, but I would add the old-school method of rotating backup media (to multiple, external USB drives). Combine that strategy with cloud backup that includes versioning. In short, never rely on one backup system.

Ransomware is getting only cleverer at tricking computer users into downloading and launching malicious code. As it adapts, so too must we. Open only those attachments you expected to receive — and don’t worry if your friends think you are a tad paranoid when you call them to check that they really sent an email with any form of attached file.

A little paranoia helps keep us all safe.

Bradley, Susan. “Don’t be Unlucky With Locky” Windows Secrets March 17, 2016

Posted in: IT Support, Security


One in the eye for ransomware: Microsoft adds new macro controls to Office 2016

As you probably know, a lot of ransomware arrives by means of believable-looking Word documents.

You receive an email that looks just like a customer requesting a quote, or an invoice that you need to pay, or a courier delivery that went astray.

You’re supposed to consult the attached document for details…

…but when you do, there’s some problem viewing it, but you can fix that…

…if only you click the [Options] button and enable macros.

The problem is that a macro is essentially a miniature program embedded inside the document, and it can do almost anything that a regular program can do, such as connecting to a web server, downloading some software, and running it.

In other words, an email telling you to enable macros in a document is as dangerous as an email telling you, “Please download and install this unusual version of NOTEPAD.EXE, ignoring all security warnings, to read this email properly.”

Macros don’t run by default, for security reasons, but an outright block on macros can get in the way, because many legitimate Word and Excel files use macros for perfectly unexceptionable purposes, such as helping you fill in forms or perform complex calculations.

That means that in most businesses, users can enable macros if they think they need to – so that just one bad judgement call could let ransomware, or any other malware, into the organization.

Microsoft has therefore added a new policy option into Office 2016 that allows finer control over documents with macros.

You can now limit the functionality of the macro programming system so that even if users normally have the chance to enable macros, they can’t if the macros came in an Office file from the internet.

The option is well-named: Block macros from running in Office files from the internet.
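An added PowerShell example, not part of the original article, for checking whether this policy is actually in force on a PC and whether a given file carries the internet-zone marker the policy acts on. The registry path and value name come from Microsoft's Office 2016 policy documentation rather than from the article; the function names and the sample file path are hypothetical.

```powershell
# Added example (not from the article): audit the Office 2016 policy
# "Block macros from running in Office files from the internet".

$apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroBlockPolicy {
    foreach ($app in $apps) {
        # Per-user Group Policy location for Office 2016 (version key 16.0).
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $prop = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue
        $value = $prop.blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application = $app
            PolicyValue = $value            # empty when the policy is not set
            Enforced    = ($value -eq 1)    # 1 = macros from the internet are blocked
        }
    }
}

function Test-InternetZoneFile {
    param([Parameter(Mandatory)][string]$Path)
    # Windows records a downloaded file's origin in the Zone.Identifier
    # alternate data stream; ZoneId=3 is the Internet zone.
    $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    return [bool]($ads -match '^ZoneId=3\s*$')
}

Get-MacroBlockPolicy | Format-Table -AutoSize

# Hypothetical path: point this at an attachment saved from email or the web.
$sample = "$env:USERPROFILE\Downloads\invoice.docm"
if (Test-Path -LiteralPath $sample) {
    "{0} marked as from the internet: {1}" -f $sample, (Test-InternetZoneFile -Path $sample)
}
```

If `Enforced` is False for an application, users can still click through the yellow banner and enable macros in downloaded files for that application.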

Is this the end of ransomware?

Sadly, the answer is, “No.”

Malware, including ransomware, can arrive in many other ways.

Instead of using attachments containing Word macro downloaders, crooks can use numerous other infection techniques.

A common trick is to send a .js attachment (JavaScript) instead of a .doc file; scripts written in JavaScript have much the same powers as those written as Office macros, and protection based on controlling macros won’t help in this case.

And crooks can also use booby-trapped documents that work by exploiting bugs in Word itself, so that no macros are needed at all.

Lastly, there’s still plenty of malware that gets in without using email, thanks to USB flash devices, malvertising, and booby-trapped websites.

Nevertheless, if you are using Office 2016, this new anti-untrusted-macro execution protection is well worth using.

Ducklin, Paul. “One in the eye for ransomware: Microsoft adds new macro controls to Office 2016” Naked Security March 23, 2016

Posted in: IT Support, MS Office Tips and Tricks, Security, Tech Tips for Business Owners


How to Stop the Free Windows 10 Upgrade

Microsoft’s Free Windows 10 Upgrade Offer is perhaps the most generous the company has ever been with a new software upgrade. Anyone who has Windows 7, Windows 8 or Windows 8.1 can take advantage of the Windows 10 Upgrade offer and get it running on their old notebook, desktop or tablet in hours. It’s unprecedented. For some it’s also unwanted.

No matter how much you plan for a software upgrade to be painless, things are going to happen. The hardware requirements for Windows 10 are the same as Windows 8 and Windows 7, but that doesn’t mean everything works flawlessly. Some have reported their printers not working after the upgrade or software that they rely on every day simply not loading up anymore. Initially, Microsoft only upgraded those who actively sought out the software refresh. Yes, you can go back to your earlier version of Windows after the upgrade, but that’s not enough. Some don’t want to risk installing a new operating system on their devices at all.

Instead, they want a way to block the Windows 10 update and silence the Free Windows 10 Upgrade Offer that won’t stop trying to grab their attention from the Taskbar.

Here’s how to stop the free Windows 10 Update on your system:

Before we Begin

Before we begin, it’s important that you understand the ramifications of stopping the Windows 10 Upgrade in its tracks. Windows 10 is absolutely free to download and will receive free upgrades over time. Unless there’s a feature in Windows 7 and Windows 8 that you absolutely can’t live without – like Windows Media Center – stopping the upgrade isn’t the best idea.

That’s because Windows 7 and Windows 8 don’t have long, always-updating lifespans of their own. Support for both operating systems will eventually expire. When they do, you’ll be more vulnerable to the kinds of internet threats that could put your personal information at risk.

As for reasons not to upgrade: early reports that Windows 10 monitored users when explicitly told not to have been debunked by Microsoft. You can disable the Cortana personal assistant, and the operating system does have controls for avoiding sharing location. Privacy is a legitimate, if slightly overblown, worry with any software upgrade like this.

Stopping the Free Windows 10 Upgrade

Microsoft has so embedded the Free Windows 10 Upgrade Offer into Windows 7 and Windows 8 that there’s no real way to get away from it without a software upgrade. There’s no toggle that you can push to permanently ignore it, for example. You’re going to need to download some extra pieces of software onto your device to fully suppress it.

A straightforward and easy-to-use software utility for stopping the free Windows 10 update is called Never10. Developed by Gibson Research, there’s not a lot to it really. The utility kills the upgrade with a single button press. There’s nothing to configure.

Never10 can be uninstalled once you have killed the upgrade offer, but it’s a good idea to keep it around in case you ever decide that you do want to upgrade. Lots of people report having a great experience with this tool.

GWX Control Panel

The appropriately named GWX Control Panel is pretty feature rich. (GWX stands for “Get Windows 10.”) The app itself isn’t all that attractive but it does its job very well.

After it’s installed, you get a breakdown of how your system was changed to accommodate the Free Windows 10 Upgrade Offer. A breakdown shows you if the icon for the offer is enabled and how much space Windows Update is using on your system to store the upgrade in case you ever decide to take advantage of it.

It then gives you the option to start reversing every change it lists. There’s a button for disabling the icon that always pops up asking you to download the operating system. Another button lets you quickly delete anything that Windows Update downloaded to your system. This option is a life-saver: the Windows 10 download can take up as much as 4.8GB on a single device. That’s a lot of space.

You’ll want to click the Disable ‘Get Windows 10’ App button to ensure that neither you nor anyone else in your household ever accidentally gives the upgrade the go-ahead. You’ll also want to click the Prevent Windows 10 Upgrades button.

GWX Control Panel can be configured to monitor your device and make sure that none of these settings change, just like a virus scanner, but I’d say that might be overkill at this point. Only enable this if you suddenly find yourself looking at the upgrade offer without warning again.

Again, keep GWX installed so that you’re able to reverse the decision in the future.

Good luck stopping the free Windows 10 Update. We hope this helps.

Pope, Travis. “How to Stop the Free Windows 10 Upgrade” GottaBe Mobile April 3, 2016

Posted in: IT Support, MS Office Tips and Tricks, Tech Tips for Business Owners

Save Time and Money with Managed IT Services

If there is one thing most small businesses can agree on, it is that time equals money. Small business owners are in a position where they have to be a jack-of-all-trades, often spending most of their day wearing different hats. This is the nature of the small business and, while expected, is not always the best use of time. In order for a small business to be successful and remain competitive in an industry, there must be designated time for the owner to focus on growing and building the business. In many cases small businesses fail as a result of being unable to handle emergencies or other situations that are simply beyond the control and expertise of the owner. Leveraging Managed IT Services can help.

Any business that relies on technology, which covers almost every business operating today, can benefit from managed services. Managed services providers understand that not every business has the ability to pay for an internal IT department which can be very expensive yet necessary to ensure all aspects of technology are supported. Without this backup, many small businesses find themselves in a position where they have to foot a very expensive bill to recover from a disaster or emergency. In other situations, using out-of-date or ineffective technology is simply a waste of both time and money on the part of the small business.

Here we look at how small businesses can make the most of their time and money by hiring a managed services provider.

  • Focus on running the business – One of the major benefits of outsourcing your technology needs is that the owner and employees of the company can focus 100% on their individual duties to keep the business moving in the right direction. This is the most valuable use of time for all parties involved, instead of hours or even days lost when trying to deal with technological issues that in-house employees are not trained to handle.
  • Offer expert advice – There are many small businesses that simply do not know what they need to improve the functionality of their business. The old adage, “what you don’t know can’t hurt you” does not apply in all cases. By consulting with a managed services provider you may discover areas of your business which can be improved that you previously thought were working “just fine”. Expert advice may be able to help you improve the efficiency of your business while positioning you better within the industry.
  • Support when you need it – Managed IT Services Providers are not only there in the event of an emergency or recovery, but also provide monitoring which can be invaluable in preventing problems before they can impact the business.

It is important for every small business to carefully examine their technical needs in order to see what services will be most beneficial to the company. Managed IT Services Providers can offer services that not only reduce technology costs over time but also improve functionality, which in turn saves time. When this balance is achieved a small business is in the perfect position to thrive and grow.

Click here to learn how Trinity Worldwide Technologies, LLC can help you save time and money with our Managed IT Services for your business in Marlboro, NJ and surrounding cities.

Posted in: IT Support, Tech Tips for Business Owners

Keeping Your Computing Environment Secure

I am sure you have heard about all the hacking activities going on on the Internet, some even targeting organizations that you would think would have their systems so tightly secured that no one would even think of trying to compromise them.

None of us are immune to these hacking attacks.  As small business owners, you might think that no one would be interested in breaking into your computing system.

You may ask… “Why me?”

Let me tell you that it is not that the hackers are actually targeting you.  To them, your computing system is just one of the myriads of devices out on the Internet. They use computer software that programmatically checks out different Internet addresses to see if there is any vulnerability.  If they see one that responds, the software will try to log in, systematically using a list of commonly used passwords and words or word-combinations from the dictionary.

Many of you have very functional server systems that include remote access capabilities, giving you the ability to remotely work from home or when you are travelling.  Guess what, the hackers use these remote access portals to try to hack in.

Are you alarmed yet?  If not, you should be.  These remote access portals are used by many companies around the world, and are designed to allow secure access for an increasingly offsite workforce.  However, they are only as secure as the weakest link – most often, an insecure or simple password.

So my question is – is your organization still using the default password that was assigned for your users during the initial implementation of your server system?

That password was not meant to be kept around beyond the initial implementation period.  If you are still using that password, or a simple variation of it, I strongly urge you to take immediate steps to change the password to something complicated.

Creating a “strong” password

For example, you could use the first letters of a favorite phrase like “Trust in the LORD with all your heart”.  The password would then be TitLwayh. Because it would be easy to remember your favorite phrase, you would have no problem remembering the complicated password, but a hacker would have a hard time figuring it out.  To make the password even stronger, substitute the letter “i” with the number “1”, the letter “o” with the number “0”, and the letter “a” with the character @, which will make the resultant password T1tLw@yh.

How to change your password now

To change your password, while you are already logged on, press Ctrl-Alt-Del and click [Change Password].  Don’t forget to ask all the others in the company to do the same.

If you so desire, you can expire the password of all your users, forcing them to change it at the next login.

Do not wait until your computing system has been compromised before “closing the barn door”. Do it NOW!

By the way, “closing the barn door” once a server and network have been compromised could get pretty expensive, and could be very disruptive to your business.

We value your business. We trust you value our advice.

Posted in: Business, IT Support, Security, Tech Tips for Business Owners, Technology


6 Yearly PC Maintenance Tips

A little simple maintenance now can help prevent many headaches throughout the year. Regular maintenance is the key to creating a safe, secure, productive environment, protecting your technology, and getting your greatest return on your investment.  This is a customized list of tasks for monthly, quarterly, and yearly maintenance that everyone should minimally perform.

1.      Remove the Junk
At a minimum, run Disk Cleanup: You’ll find this utility on the Start Menu submenu: Start > (All) Programs > Accessories > System Tools.  With fewer junk files on your computer you will gain back valuable disk space and your computer will run faster as well.

2.      Patch And Update
Start with Windows Update, and ensure that your operating system is fully up to date with all necessary patches, fixes, and updates.  Do likewise for all your software, especially your antivirus, antispyware, and other security tools, visiting the vendor sites to download any and all updates and patches for your applications and utilities.  Finally, check your hardware vendors’ Web sites for driver and other updates for your video card, audio system, motherboard components, etc.

3.      Reorganize
The end of the year is a great time to reorganize the files and folders on your hard drive.  Some users like to organize first by topics, then by chronology; others do it the other way, first by year, then by topic.

The organizing principle doesn’t matter as long as you end up with an organized “tree” of data files that you can traverse with ease to locate whatever files you may later need.  You want to avoid the too-common syndrome where every data file on the PC ends up in an undifferentiated mass in “My Documents” or in similar, uselessly cluttered, generic folders.

4.      Simplify
While you’re reorganizing your hard drive, keep an eye out for files and software that you no longer use or need.  These can be moved to long-term storage (via backup; or perhaps by moving to an unused disk or partition) or you can simply delete/uninstall them from your system.

Removing unused files and software saves space, avoids clutter, and can actually improve system speed and responsiveness.  For example, keeping large numbers of unneeded files on the system can bog down searches and slow the indexing of the rest of the drive’s contents.  Carrying unneeded software clutters the Registry and may delay system startup and shut down as unnecessary components are loaded or unloaded.

5.      Reorder
Once your hard drive is as organized, cleaned, and simplified as you can make it, reorder the files for fastest access, and to make most-efficient use of the disk space.  This “defragmentation” of the system’s files is best done on a regular basis, but at the very least should be done after a major cleanup.  You’ll find this utility on the Start Menu submenu: Start > (All) Programs > Accessories > System Tools.

6.      Backup
Having come this far, you should back up your files in your newly organized file structure with an external USB hard drive such as the Seagate FreeAgent.  You can also use the built-in backup program that comes with your operating system.  This can be invoked through the menus, or by typing “backup” on the Run line.

Wouldn’t it be great if you could somehow preserve your PC’s current lean, clean, fully-updated and defragged setup so that, should you ever need to in the future, you can restore your PC to its current perfected state in just minutes?  Try a disk cloning product such as Acronis Backup & Recovery.

Posted in: Business, Computer Maintenance, IT Support, Security, Tech Tips for Business Owners
