Phishing Attacks Continue Unabated

by Leave a Comment

Some phishing campaigns work by impersonating well-known organizations or brands. If cybercriminals send an email that looks just like one that comes from a company you are familiar with – and possibly even doing business with – then their hook is set. You can either take the bait or delete the email.

Microsoft is a tempting target for cybercriminals to spoof because it has a large number of subscription-based products, like Office, OneDrive, Outlook, and even Windows.

In mid-July, Abnormal Security, which specializes in preventing email fraud, discovered two different attacks designed to trap unsuspecting victims with subscription renewal. The crooks impersonated actual email notices from Microsoft. Their goal was to steal sensitive information from the recipients by convincing them that they need to renew their Microsoft Office 365 subscription.

The first campaign consists of an email telling the recipient that Office 365 is now called Microsoft 365 and that they should renew their subscription by a specific due date. The email contains a “Click to Renew” link that takes the recipient to a submission form requesting certain sensitive data, such as name, address, and credit card number.

In the second campaign, the email warns the recipient that their Microsoft 365 subscription has already expired and that by a particular date, they must renew it. A “Renew now” link takes the person to a PayPal page that prompts them to enter their PayPal payment details. (I had to look this up, but I learned that Microsoft does accept PayPal.) Typically, the transaction is processed directly, but in this case, it goes to the criminal’s PayPal account.
In both cases, anyone who took the bait will eventually find their PayPal payment information misappropriated and their Microsoft credentials compromised by the attackers.

Why These Attacks Work

A convincing phishing attack incorporates a variety of elements to trick its recipients. These two campaigns adopt several familiar tactics.

  • Official source. By pretending to look like an automated notice from Microsoft, the email gives the appearance of coming from an official source. As such, the recipients may be more likely to follow the instructions in the email.
  • Sense of urgency. Like any effective marketing campaign, the emails conveyed a sense of urgency by warning the recipient that their Microsoft 365 subscription needs to be renewed or has already expired. Further, both emails gave the recipient only a couple of days to renew before the deadline was up. Because Microsoft Office is considered an essential service by many individuals and small businesses, people may overlook the suspicious signs and quickly click on the link to try to renew.
  • Convincing landing page. Hosted on a web site called “office365family.com,” the landing page for the first campaign uses the Microsoft Office 365 name and branding to appear legitimate. The page also borrows images, links, and a website footer from Microsoft’s actual site. However, there are telltale signs that the page is not legitimate. The fonts are inconsistent and many of the header links are broken.
  • Real URL. The second campaign links to an official PayPal page. Yet, there’s no verification as to the product being purchased, no specific entity or individual as the payee, and no guaranteed transfer of goods.

How to Protect Yourself

To guard yourself against these types of phishing campaigns, take the following steps:

  • Double-check the sender’s name and email address to ensure that they’re coming from legitimate sources – don’t just trust the display name.
  • Double-check the webpage’s URL before signing in. Attackers will frequently hide malicious links in redirects or host them on separate websites that can be reached by safe links. This technique allows them to bypass link scanning within emails by traditional email security solutions.
  • If the web site name looks suspicious, do not enter your credentials! Instead, contact me if you have any questions.
  • Verify the information with your office administrator or IT solutions provider for cloud-based subscriptions.

Analysis

If you ask why anyone would do this, the answer is simple: these campaigns generate significant revenue for little effort. One result is straight-forward, because PayPal provides funds directly to the cyber criminal’s account. The one that gains access to a business’ email account is another way. How? Well with those credentials, they now have a list of all of their contacts. They can see who works for which business and can then craft a third, and more disconcerting scam: Business Email Compromise (BEC) or CEO fraud.

A follow-up campaign will be sent to those contacts attempting to claim missing accounts, or asking for wire transfer payments, or various “we need this funding by this time” emails that use social engineering to convince office administrators and in-house bookkeepers to send money to the stated claimant. Only, these emails are not from who they say they are. According to the FBI’s Internet Crime Complaint Center (IC3), businesses in the United States lost more than $1.7 billion in 2019 to BEC scams.

Protecting your business from this kind of malicious email threat follows similar rules to those I stated above. And I’ll add one more factor to keep yourself and your business safe: If you get an unexpected email that asks you to send funds, CALL the person who is requesting it to confirm they sent it. It takes one minute to make a call. It could save you and your business tens of thousands of dollars.

Thanks, and safe computing!

A New Approach on the Road to Increased Computer and Network Security

by Leave a Comment

I have written frequently about various scams and wrongdoing that have been perpetrated by “bad actors” around the world. Their attempts to profit by phishing for your personal information, obtaining your company’s data, or by wreaking havoc on your computers to collect a ransom have continued unabated. According to several threat analysis reports, these violations are escalating.

Accordingly, I have built what I consider to be an adequate security solution to offset, if not lessen, those threats. But as we all know, these unscrupulous offenders are relentless in their pursuit of illegal gains – because of the high payoff from their activities.

While reducing the number of attacks is one thing, I no longer believe that it is possible to eliminate them. I want to make sure that small business owners are aware of a variety of defenses that they can put in place to help prevent various attacks from ending badly for them and their business.

If you think back in historical terms, a castle had many defenses: the moat, the drawbridge, the battlements, the inner wall, and finally, the walls of the building itself. A business must have similar levels of security mechanisms in place to prevent cyber-attacks from causing devastation. Because without multiple layers of protection, the likelihood is, something malicious will get through, and whatever that something is, it will wreak havoc on you and your business.

In mid-June, I attended a webinar that featured one session that blew my simple analogy to shreds. Bruce McCully, president of Galactic Advisors, has come up with a more sophisticated method of determining risk, and thus, identifying areas of improvement for security measures for small businesses.

His approach comprises six layers of protection, which surround the assets of a company. He defines assets as any file system data, a Human Resources system, Payroll data, or database. Those six layers are:

  1. Human
  2. Perimeter
  3. Network
  4. Endpoint
  5. Application
  6. Data

The Human layer describes, as you would expect, the actions taken by the employees of a company. They are the first line of defense against any attacks on any small business, but they are also the weakest. This is why policies, procedures, and training are so important.

The Perimeter layer describes the rules required by the company’s firewall. A firewall is an appliance that reads the incoming and outgoing internet traffic and scans for anything unusual.

The Network layer is one that focuses on how an organization connects their computers and devices.

The Application layer involves the remote monitoring and maintenance software that IT technicians employ.

The Endpoint layer consists of the computers that run next-generation antivirus security.

Finally, the Data layer is the one that details the company’s back-up and restore policies. After all, if you are not backing up your important files – with the foresight of knowing how quickly you can restore them in the event of any attack – you are not protecting your assets.

All of this seems reasonably straight forward, and it is. Where it gets more complicated is when McCully says that it is not enough to have those layers and apply rules to them. No, he adds that it is essential to add gradations to those layers. He proposes four, although not all four apply to each segment. Those categories are:

  • Prevent
  • Guard
  • Detect
  • Mitigate

Yes, it would help if you prevented terrible things from happening. It takes a significant amount of discussion with a business owner to determine just how he or she would want to go about doing that. But it would be best if you also guard against inadvertent data loss that is not necessarily controlled by people. Next is the ability to detect intrusions of almost any kind, and define the alerting mechanisms to ensure they are acted upon promptly. Finally, you must develop Breach Response Procedures and possibly involve a third-party Security Operations Center to track the elusive path of the threat vector that attacked your company — and clean up afterward.

McCully then describes three levels of business needs for each of these components:

  • Basic needs
  • Security compliance requirements
  • Compliance-driven mandates

For each of these, he includes the following scale:

  • Non-essential, meaning it is not a core component of the company’s security program.
  • Recommended, because it is necessary to educate the company about the solutions, whereby they will invest in a more secure environment.
  • Mandatory, which he defines as “table stakes items;” these are items that, if not implemented, are considered negligent.

This vast matrix of layers, categories, and levels is truly wonderful, and incredibly thought-provoking material. I plan to spend several weeks working to formulate my responses for each aspect of this new roadmap. And the very first step in this arduous journey will be to apply all of these elements to my business, and to shore up my documentation and defenses. I am certain the result of those efforts will be various proposals for new and improved ways in which to safeguard your home computers, your “work at home” laptops, and all the small business networks that I serve.

Thanks, and safe computing!

Month Two And Counting…

by Leave a Comment

As of April 28, 2020, more than 1,000 deaths in Bergen County have been attributable to Covid-19. Obtaining a test is still only available to people who are sick with the coronavirus symptoms (fever, cough, and shortness of breath). Governor Murphy says this situation will get better during the coming month.

I am hopeful that our local situation will start to get better sooner rather than later. Everyone I have spoken with recently is getting anxious about being house-bound. But the truth is, this virus is here, there is no vaccine, and at some point, you will most likely get it. How your body reacts to the infection will be different than anyone else’s. When that happens, I can only hope that it is mild, and your discomfort is limited.

That’s probably not what you wanted to read in a monthly newsletter that purports to be about technology, but I’m getting there.

Last week, Hope Rothenberg, Executive Director of the Fort Lee Regional Chamber of Commerce, posed the following challenge: “My biggest concern about going back to work/reopening my business is…” Here is my response.

As a practical matter, if I have to make a “house-call” in the next few weeks, I’m going to have to ask the prospect or my client to remain six feet away.  I’m also going to have to wipe down the keyboard and mouse (provided I don’t bring my own – but that will require sanitizing after each use) and wear mask and gloves throughout the process.  Having any sort of meaningful conversation will have to be done by phone (or Zoom) either before or after, because a mask hides most facial expressions.

My concerns are the same as other business owners whose businesses were shuttered and now have to reopen.

The critical question is: How do I obtain the necessary supplies required to reopen, such as thermometers, masks, gloves, wipes, and sanitizer gel?

Follow-on questions include:  What procedures am I, as a business owner, going to put in place for my organization?  And how can I get a blueprint of “best practices” so that I don’t have to re-invent the wheel?  In other words, what resources are available, and where can I obtain them?

We joke about those summertime beach establishments with a sign that reads, “No shoes, no service.” Well, that’s going to have to be adjusted to, “No mask, no gloves – you are not permitted inside.”  I believe it is essential for businesses that cater to outside guests, to be able to obtain and use a web-based app to monitor who enters and exits their store/business so that contact tracing can take place.  I know New Zealand has required this, but I haven’t yet heard of any organizations that have a solution here in the US.  Apple and Google have agreed to get something built, but it is probably going to be a while before we see one – long after most states will have reopened for business.

So let’s talk about that new app. The concept of this app is that if you find out — after being tested — that you are infected, you can indicate your status in the app. That status, and the resulting location information, will then allow anyone who has recently been near you to receive a notification that they should take protective measures (e.g., get a test or self-quarantine).

Several mechanisms provide location information using a phone’s GPS and Bluetooth functionality. Both Google and Apple acknowledge that using these features in an app will likely drain the battery quickly; if so, people won’t be inclined to use it. Thus, it is a hurdle they have to overcome.

Privacy advocates are fearful about the amount of data that will be made available and its contents. This is an argument that I find awkward, at best. After all, millions of people freely divulge vast quantities of personal information every single minute of every single day — and Facebook, Instagram, Google, and Apple take it all in, package it, and resell it. I guess in this case, the element of outrage is focused on the fact that government officials will have access to the data. App developers insist that they won’t make personally identifiable information available, that the data will only exist for 30 days, that secure data centers will be used, and that the app will be voluntary.

I simply want someone to make something that works effectively very soon. More importantly I want the app to be widely used, because if it isn’t adopted on a wholesale basis, it won’t be useful. (More data means more visibility into infection rates, hot spots, and possible causes, thereby allowing health care officials to respond more quickly.)

For additional information about Covid-19 in New Jersey, you can head over to https://covid19.nj.gov/

We are all in this together, so please take precautions to stay safe and healthy!

In a World Where…

by Leave a Comment

…You Need to Keep Your Distance, and No One is Safe

It is hard not to start this post without using the phrase made famous by Don LaFontaine in the 1980s and 1990s. He was the voice over announcer whose movie trailers frequently began with that line. For certain, we are living in a different world now than we were just a few weeks ago.

I want you to know that I am still working quite diligently because IT maintenance is considered one of the “essential” services. So, if you need help, you can always reach out to me by phone or by email. Note that in-person visits are going to be on an emergency basis only until the situation with Covid-19 resolves itself (and Governor Murphy issues a new executive order).

Last week, I informed the director of the Fort Lee Regional Chamber of Commerce that I am willing to help any small business owner (not just chamber members) set up their staff to work remotely. If you know of any small business owner who could benefit from this service, please tell them to go to https://www.heliotropicsystems.com/relief for more information — or have them call my office at 866-912-8808 option 1.

Based on all reports available now (the last week of March), things are going to get much worse long before they get better. The media (print, TV, and social) have made clear the key “rules” everyone should follow to keep themselves virus-free. Please adhere to them! I can’t stress how important it is to keep your distance, to wash your hands thoroughly and frequently, but most importantly to maintain a positive outlook while you are cooped up in your home or apartment.

Grifters Gonna Grift, Scammers Gonna Scam

by Leave a Comment

The Federal Bureau of Investigation (FBI) recently released the annual report from their Internet Crime Complaint Center (IC3). The 2019 Internet Crime Report contains some rather remarkable and sobering statistics recorded on the IC3 website during 2019.

One of the techniques I’ve learned about making a presentation to an audience is to engage with them physically. For example: “Please raise your hand if you’ve been a victim of some form of internet-based scam or fraud in the past 12 months.” Invariably some people in the audience will raise their hand. I’d continue by asking, “Now keep it raised if you went to the IC3 website to report it.” I would be very hard-pressed to convince you that any hands remained in the air. And with that little bit of background, let’s take a look at the numbers. I hope that after you read this newsletter you would contact the IC3 if you inadvertently fall victim to one of these scams.

In 2019, the IC3 received over 467,000 complaints with reported losses that exceeded $3.5 billion. That is approximately 1,300 reports per day and represents a 33% increase in the number of complaints from 2018 with a corresponding increase of 30% in losses. Those numbers reflect both the sheer volume of threats that are taking place and an enhanced effort by the FBI to let people know they should report scams to the IC3.

What accounted for the most substantial loss last year? 23,775 victims reported Business Email Compromise (BEC) attacks, which cost them over $1.7 billion in damages. BEC occurs when a bad actor compromises a legitimate business email account and requests a form of funds transfer. The FBI reports that a new variant of this scam appeared in 2019: diverting payroll funds. In this scheme, a human resources or payroll department would receive an email looking like it came from an employee with a request to update their direct deposit account information. The new account would generally route to a pre-paid card account. The likelihood of recovering those lost assets is extremely low.

Another high yielding scam from 2019 was Tech Support Fraud. The IC3 received over 13,000 complaints that amounted to more than $54 million in lost funds — a 40% increase from 2018. What is missing from this report is the number of victims who fell for the scam but who did not know to contact the IC3 to report their loss. Also missing is the total number of victims who didn’t succumb to the fraud in the first place. (I’d like to give a “shout out” to Rhea Hess for having received and faithfully ignored more of these fake tech support phone calls than anyone I know.)

Also on the list was the Ransomware category, comprised of 2,047 victims who lost $8.9 million. Now I have to admit, that is quite surprising given the high profile ransomware cases involving several cities, government agencies, and the health care industry last year. Again, that goes towards the question of who reports their victimhood to the IC3.

The final category is one that is significant yet frequently overlooked: Elder Fraud. Overall, the majority of losses and incidents occurred to victims who indicated their age was 60 years or over. That amounted to more than 68,000 individuals for a total of over $835 million in losses. Targeting this group is widespread because cybercriminals will invariably go to where they think the money exists.

The most treacherous scams for the over 60 age group involved Romance Fraud, Grandparent scams, and Family/Caregiver scams. The bad actor deceives the victim into believing there is a trusting relationship. The victim is persuaded to send money, or provide personal and financial information, to the bad actor. This situation frequently leads to Identify Theft or Account Takeover, where the criminal has sufficient personal identifying information that they can commit fraud against the victim’s financial accounts.

Steps You Can Take to Avoid Falling Prey — And What to Do If You Are a Victim

One of the best ways to avoid a lot of grief and heartache from these scams is to exercise a moment’s caution every time you encounter someone who is calling you for any personal information.

Similarly, if you need to contact any company for support, DO NOT search for their phone number! Scammers have already rigged the search results list on Google so that their fake phone numbers appear before the real ones. Those links go to fraudulent websites that will try to obtain personal or credit card information. If you need to contact any company, go directly to their website and look up the phone number.

If you think you’ve fallen victim to a scam, the first thing you should do is call me so that I can assess what has occurred. As appropriate, I will help you file a report with the local police, and work with you to contact your financial institutions.

I am going to insist that you log the case with the IC3 (https://www.ic3.gov). Your complaint must contain all of the required data, including banking information.

In terms of BEC fraud, there are more specific actions to take. These include:

  • Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless letter or Letter of Indemnity.
  • Never make any payment changes without first checking in with the intended recipient. Verify that email addresses are accurate when checking email on a cell phone or other mobile device.
  • And for heaven’s sake, call someone if there’s a significant amount of money involved, or if the request differs from your usual business process or procedures.

Thanks and safe computing!

How to Prepare Your Business for a Possible COVID-19 Quarantine

by Leave a Comment

In early March 2020, there have been nearly 3,100 deaths and more than 90,000 people infected with the respiratory disease known as COVID-19 across the globe.  After months of watching this take place in other countries, the previous few cases in the United States have begun to rise – including one here in Fort Lee, NJ.

For now, the Centers for Disease Control recommends several common-sense and very reasonable precautions.  These include regular hand washing or using alcohol-based hand sanitizer, covering coughs and sneezes (with your elbow or several tissues), and staying home and avoiding public spaces if you are feeling sick.  I’d like to point out that these are inherently smart things to do during flu season anyway, but I realize that most people don’t fear the flu despite the number of people who die from that disease each year.

So what should you do if local health officials declare a quarantine?  You should have a ready supply of your prescription medicine, tissues, pain-relieving medication (Tylenol or Advil), hand sanitizer (if you can find it), and face masks.  Don’t forget to keep your phone charged so that you can call someone for help if you develop symptoms (or they worsen).  There is significantly more information available by conducting an internet search (or using the Resources listed below).

But I want to shift this discussion to businesses – either the one you own or one for which you work.  How do you handle something completely different than your everyday normal?

Try to Prevent Further Infection

If your business has many employees or if it serves the public, you must think about ways that you can reduce the chance of spreading infection. Some options include providing hand sanitizer dispensers, wiping down frequently touched surfaces with household cleaners, and a more frequent cleaning schedule for common areas and restrooms.

If your business has delivery or service vehicles, you should clean the steering wheel, commonly touched dashboard or smart-drive appliances, door handles (both inside and out), and the key fob.

Given the current circumstances, you might begin to avoid shaking hands with customers and colleagues.  Touching elbows should suffice in a pinch or even a distinct nod of your head as a way of greeting.

Internal Communications

If public health officials discourage people from attending large gatherings, you should begin to think about how your company will communicate with staff members who are forced to stay at home.  Many businesses allow that kind of flexibility anyway, so you probably already have some informal communication channels via phone and email.

You should start to formalize those mechanisms now so that you are not scrambling at the last minute.  Make sure you have an updated list of contact information (phone numbers and email addresses), so everyone can contact co-workers quickly.  If your business uses VOIP, make sure that everyone understands how to use soft-phones, and provide a quick reference guide to configure an office phone at home.

Have your staff check to see if they can access their email at home from a web browser to ensure that all remote access rules are in place and that the staff members know their passwords.  If you have not yet implemented multi-function authentication (MFA) for your email, now is the perfect opportunity to do so.  Similarly, it’s worth making sure everyone has email access from their smartphones or tablets.

For some businesses, chat systems like Slack or Microsoft Teams can be effective mechanisms for your staff to remain in touch with one another in real-time.  Another alternative, if you need to conduct meetings frequently is Zoom.  If you don’t use this kind of technology now and are interested in investigating whether you should, please contact me for a discussion.

Remote Access to Your Business

Make sure your staff has access to your remote desktop access software and knows how to use it so that they can connect to their office computers.  (Don’t have remote access to your office? Again, contact me to discuss how your needs can be met.)

Do you have specific business resources, like your accounting system, that has unique security requirements?  If so, think about what additional provisions are necessary for someone working from home.

Your Office on Empty

If most or all your staff are working from home, what does that mean for your office?  Do your physical security systems or climate settings need to be adjusted?  Do you want to set up video cameras or other remote monitoring hardware?  Heck, who’s going to water the plants?  On a more serious note, if you have an on-premises server, you want to make sure it can be administered entirely remotely, including power cycling.

It’s also worth determining who will have responsibility for the office in the event of any problems, which could still occur even if no one is there.  What if a water pipe in the building breaks, or there’s a burglary?  Make sure it’s clear who will respond.

Everyday Business Functions

Think about the regularly scheduled aspects of running your business, with an eye toward those tasks that assume the presence of certain people.  Can they run payroll, accounts receivable, and accounts payable from a remote location?  Try to ensure that every key position has at least one backup, so if one person falls ill, your business’ ability to function won’t be compromised.

If international travel is a significant part of your business, you’re already figuring out how to compensate through videoconferencing and similar technologies.  But if you regularly travel only within the country or your area, think about which trips are essential and which you can replace by using online conferencing tools.

Finally, consider how your clients and customers will react to this new situation.  It’s unfortunately likely that there may be less work taking place so that you might see a decrease in your revenue stream; on the other hand, some businesses may see an increased workload.  For instance, if the number of patients in hospitals skyrockets, those business owners who support healthcare systems may struggle under the load alongside the doctors and nurses.

I hope and pray that all these preparations prove unnecessary, but they’re worthwhile to consider and implement just the same.  Too many businesses have failed after a fire, hurricane, or earthquake renders an office uninhabitable, and such natural disasters are all too common.  Others have closed their doors because a ransomware attack caused too much disruption to their day-to-day activities.  Planning for a better outcome now – while there is time to think clearly about what must take place – will ensure your continued business success.

Resources

World Health Organization

US Centers for Disease Control and Prevention

New Jersey Department of Health

New York City Department of Health

For goodness sake, please listen to me when I tell you: Do NOT use Internet Explorer any more!

by Leave a Comment

In mid-January 2020, Microsoft issued advisory ADV200001 warning of a vulnerability in the scripting engine of Internet Explorer.  Yes, I know, that’s gibberish to most of you.  It means that there could have been an attempt to execute code in attack mode via that browser.   How?  You could have received an email with a link that explicitly opened Internet Explorer (even if it wasn’t your default browser) and been sent to a malicious web site specifically designed by bad guys.   If exploited successfully, the attacker could have gained access rights to your computer.  As Microsoft put it at the time: “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

That’s very bad (I’d segue into the Ghostbusters “don’t cross the streams” theme about the definition of the word “bad,” but I’m sure you get the idea).

At the time, Microsoft did not have an immediate fix.  As of February’s “patch Tuesday,” they announced one with the heading “Security Advisory CVE-2020-0674.”  Microsoft will be patching desktop operating systems from Windows 7 clear through the latest version of Windows 10, plus a slew of server operating systems.

The Network Operations Center will be testing this set of updates for the next seven days.  If the patches pass those tests, then the updates will be available for all of you by the end of next week.  In the interim, I have only one thing to say:  DO NOT USE INTERNET EXPLORER, USE ANOTHER BROWSER!  There are several to choose from, for example, Mozilla Firefox, Google Chrome, Opera (which I didn’t recall as being around, but it still exists) or Brave (which I’m sure you’ve never heard of), heck there are probably some of you who use Edge in Windows 10 (heaven help you).  If you’re not sure what browser is your default, write to me and I’ll let you know.

But let’s get down to the meat of this:  If Microsoft announced the problem on January 17 and only released the solution on February 11, the bad guys had a considerable amount of time to take advantage of the vulnerability, and yet the world didn’t come to a screeching halt.  But I don’t – for one minute – want to suggest that you not patch a known vulnerability.  What I recommend, instead, is a moderate amount of common sense.  And the best way to implement that would be to stop using the problem-plagued browser, even after your computer receives the patches.

Bottom line:  this exploit is explicitly for IE – so to avoid any possible unpleasantness, don’t use it.  Simple really.

Thanks and safe computing!

Another Day, Another Data Breach Plus a Settlement

by Leave a Comment

At the end of July 2019, most of you probably heard about a data breach at Capital One. More than 100 million people in the United States and Canada were affected by this event. Thankfully, as of this writing (mid-August), very little of the information was made available to the normal group of bad actors who dwell in the Dark Web. This breach was simply the work of a zealous former Amazon Web Services employee who knew that there was a way to access the data. Pretty freakin’ scary!

To make matters worse, the woman who performed this hack had also obtained information from other organizations. Somehow she made the monumental mistake of publicizing those details. I’m not sure what — or even if — she was thinking. But the fact that someone has the wherewithal to accomplish these feats of what most of us consider the “dark arts” of computing is supremely unsettling.

Why anyone would want to subject themselves to the notoriety of having accomplished this act, when there was no useful purpose, confounds me.

Around the same time, the Federal Trade Commission concluded its work with Equifax and fined them close to $700 million. Almost immediately afterwards, so-called “consumer advocates” started a loud chorus of “Sign up and get your $125 from Equifax!” on news stations and social media.

They did this without telling people the “fine print” of the FTC agreement said there is only $31 million in that particular reward pot. So if just half of the more than 146 million affected individuals filed a claim, each one would end up with about 42 cents. That is sheer stupidity!

The best approach for dealing with this debacle is to sign up for the free credit monitoring that is being offered. It is supposed to last for 10 years. Do that here: https://www.equifaxbreachsettlement.com/file-a-claim.

Even though other forms of free monitoring are available, you usually only get one year. It is in your best interest — given the extent of the potential damage caused by the Equifax breach — to take the longest possible term of protection available.

Task View and Multiple Desktops

by Leave a Comment

There is a feature of Windows 10 that some people might find useful. It is called Task View, and it has the ability to create multiple desktops.

To activate Task View, click its icon — a large rectangle with two smaller rectangles flanking it — in the Windows Taskbar just to the right of the Search box. When you do, Task View (and its associated feature Timeline) opens.

At the very top of the screen you’ll see a “New desktop” button, and beneath that, thumbnails of all of your currently running applications arrayed against the desktop so you can quickly see what you’ve got running. You can click any thumbnail to switch to that application or press the Esc key to leave Task View and return to where you were.

Beneath that you’ll see Timeline, with thumbnails of documents you’ve worked on over the last thirty days. For all businesses and most home users, I have disabled this feature to afford you more privacy. Microsoft tracks this information, and I do not feel comfortable providing them with more telemetry than necessary. However, if you think this could be useful, let me know and I can tell you how to reactivate it.

Now, if you were used to using the Alt-Tab key combination to cycle through open applications in Windows 7, you can still do that as well, but Task View adds a couple of extra twists. If you hover your mouse over any thumbnail, a small X appears in its upper-right corner. You can click the X to close that application.

Task View also lets you create multiple virtual desktops, each with different Windows applications running on them. To create a new desktop, open Task View and click “New desktop” at the upper left of the screen. You can run a different set of Windows applications inside the new desktop. For instance, you could dedicate one desktop to your Microsoft Office applications, like Word, Outlook, and Excel, and another desktop to handle your various browser applications, and another for your accounting software.

To switch among these virtual desktops, click the Task View icon and click the desktop to which you want to switch. You can keep creating new desktops this way and switch among them.

Let me know your reactions to using this new Windows 10 feature by posting a Comment.

Microsoft’s Windows 10 Update System is a Hot Mess

by Leave a Comment

I used to consult for Fortune 100 companies, and it never ceased to amaze me how management could make some of the moves it did. Sometimes plans that were identified as “not well thought out” (i.e., half-baked) saw the light of day — and projects failed. So when Microsoft announced it was changing the way in which Windows 10 semi-annual updates were going to be released, it got my attention.

When Windows 10 was released in July 2015, Microsoft said that it was working towards the concept of “Software as a Service.” It established a strategy of twice-a-year Feature Updates; one in the spring and one in the fall, which were tagged “yymm” (e.g., 1809 or 1903). Each Feature Update had an 18-month lifespan before support would no longer be available, and the computer would be forced to jump to the then current version. For the first couple of iterations, that worked (sort of).

Apparently, it took some time before Microsoft realized that it couldn’t maintain the drumbeat of an update feature every six months. Instead, they are going to implement one Feature Update a year, and another form of update — what used to be called a “service pack.” This is still two major updates a year, but they have not indicated if they plan to change the 18-month support restriction.

I realize that this will be revealed in time, but right now, before the end of July’s Microsoft worldwide partner conference, things are still very much up in the air. Every IT support organization that has tuned the Windows Update settings to protect computers from unexpected updates is going to have to find out what the new settings are and reconfigure them. Every IT support organization is also going to have to figure out how to go from one Feature Update to another without adversely affecting the computer. And everyone is going to have to decide if they want to remain on a merry-go-round where the conductor keeps changing the speed of the carousel.