Using Windows 7 after Jan 14th 2020

Windows 7 reaches the end of its support on January 14th, 2020. After that date Microsoft ships no more security updates for it, and it will begin displaying a warning on computers that still run this OS.

I strongly recommend that you replace your Windows 7 PCs. Older PCs should be recycled; newer Windows 7 PCs can be upgraded to Windows 10. But if, for whatever reason, you must keep using Windows 7, here are a few must-dos. They are good practice for anyone, but on a system that no longer receives patches every newly discovered flaw stays open, so they are particularly important when you are using Windows 7.

Here is the condensed version:

  • Don’t click links or open attachments in emails
  • Examine all search results very carefully before clicking
  • Run up-to-date security software that includes Internet protection

Most attacks on Windows 7 PCs will come via email or hacked web sites. So treat your inbox like a minefield, and your searches like a covert operation.

Windows 7 and Email

No matter how safe an email appears to be, you must not click any links or open any attachments until you are absolutely certain that the email is genuine. Every link and every attachment must be suspect. You cannot go by appearance — the attacks can look identical to a legitimate message from your bank, a shipping company, or a friend from your address book.

You can evaluate links, buttons and clickable images in an email by pointing at them without clicking. Most email clients will show a tool-tip or hint somewhere on screen that displays the actual content of the link. (Go ahead and try it with the links in the sidebar to the right. Remember, point, but don’t click.)

Using my bank as an example, let’s say I receive an email telling me to check my account, with a link to First National Bank. If I hover my mouse pointer over the link, a tip pops up showing where the link will actually take me. If it’s genuinely First National, the link should look like this: https://fnbo.com/somepage… The fnbo.com part, between https:// and the next slash, is the bank’s actual domain name, and that is the part to check. Attackers like to put the real name somewhere else in the address: https://fnbo.com.someotherplace.ru/login or https://someotherplace.ru/fnbo.com/login both go to someotherplace.ru, not to the bank. If the link goes anywhere other than the bank’s own domain, like https://someotherplace.ru/…, treat the email as malicious.

Windows 7 and the Web

When using a web search page, be extremely careful where you click! Don’t just look at the big bold titles of search results; just as with email links, check the URL (usually shown below the title). It should have a believable domain name in it, related to what the title shows. Be wary of links that don’t end in .com, .net or .org. They may be legitimate, but country-code domains (.ru, .cn, .br, etc.) are sometimes used for malicious purposes. A familiar ending is no guarantee either: anyone can register a .com, so what matters is that the name in front of it is the one you expect.

Sometimes you hear or are given a web address to visit. It may be a radio ad or billboard, or a friendly recommendation: “Hey, you should check out example.com!” When you already know where you want to go, do not type the address into a search box. The results will be topped by ads and may include imposters and look-alikes. Instead, use the address bar at the very top of your browser window to enter the URL.


Windows 7 and Security (AV) software

It goes without saying, but I will stress it anyway: a good security program like Bitdefender, ESET or Sophos is absolutely necessary on your Windows 7 PCs after Microsoft support ends. It must be the latest version, with an active subscription and up-to-date threat data, and it should include the web (Internet) protection that blocks known malicious sites. You need the most effective defense you can have on a vulnerable system. Keep in mind, though, that security software only mitigates the operating-system flaws Windows 7 will no longer receive patches for; it cannot close them.

The best option is still to not use Windows 7 anymore. But the real world sometimes overrules best practices for a variety of reasons. If you must keep using Windows 7, please follow these recommendations to stay as safe as you can.

Small Business Services That Save You Money

So far, the articles on this page have been about security issues that are important to small businesses. So for a little change this week, let’s talk about how you can save money by finding good but inexpensive business services. I’ll cover three this week.

Mobile

Mobile phone service is something almost every office needs, for C-levels, managers, sales, and on-site techs. If you are used to walking into a mobile provider’s store and buying a phone and a plan together, you may be spending too much. Buying a phone separately up front may seem like a big outlay, but compared to signing a two or three year contract, you will save money. The mobile operators really aren’t giving away free phones, you know.

Then discover all the mobile virtual network operators, or MVNOs, that resell one of the big four networks at a discount. You can get plans very like what the big names offer for significantly less, with no contract. Two that I have used and can recommend highly are Boom! Mobile (Verizon) and PureTalk (AT&T.)

Landline

While we are communicating, let’s look at landlines as well. Up front, the service you get from your local wire-in-the-ground provider will be the easiest to set up. But if you need multiple lines it’s going to cost you. Consider switching to Voice over IP, internet-based phone service. It’s not like the old days. If you remember the crackly unintelligible sputter that came from IP phones a decade ago, forget that. Today IP telephony is first-class.

You can’t simply plug your old telephones into VoIP. You need IP phones that connect to your local network via Ethernet cables, or an analog telephone adapter (ATA) to connect an existing phone. You can have a central PBX, or set up the desk phones to connect directly to your VoIP provider and manage the call rules for routing and coverage there.

I have used VoIP.ms for my phone service for a number of years. They have been excellent on uptime and service. Of course there are other similar providers as well. With VoIP.ms, you only pay for calling time, and rates are under a penny a minute. Do the math and see if that will save you money based on your total talk time.

Personal Backup

I preach the gospel of backup, backup, backup. PLEASE make sure you have good backups of all your files — personal documents, pictures, music, all of it. You must know that storage hardware like hard drives and flash drives do die at some point. When they do, the data on that device is gone, gone, gone. If you only have one copy of any file, that file is right now at risk of being lost forever. You need a minimum of two copies of any file you care about to be safe.

Of course, for your business I recommend you choose Proactive Data Protection from ComputAssist. It includes off-site storage, versioning, regular testing and daily monitoring. The storage is off-site but local, so in the event of a disaster you can get all your files back in hours, not days.

But for personal computers at home, I recommend iDrive. They offer five TB (terabytes) of storage along with an excellent backup application for around $70 a year. The app is non-intrusive. Once you set it up, it just runs in the background copying your local data to the iDrive servers. It’s very light-weight so won’t slow you down, and the user interface is quite good, making exactly what is being backed up easy to see. One iDrive account can be used to back up all your devices, even smartphones and tablets. They often have promotional discounts, so ask about them before you sign up.

[Note: I have received no financial rewards or incentives from any of the above-named companies.]

Phishing – part 2

Last time we looked at the reasons one needs to distrust all email. Here we continue with two more methods you can use to make sure you don’t get phished.

Digging deeper

Email servers use standardized ways to relay and deliver mail. Every time a server handles a message, it adds a Received: header at the top of the message describing what it has done. Your email client, whether it is web mail, Outlook or some other, hides most of these headers for you. If it didn’t, you would have to wade through dozens of lines of server dialog to get to the message body.

But we can use these headers to our advantage, if we believe the message may be forged, fake or malicious. Your mail app provides a way to view the headers in their entirety. The steps are different for each app, but MxToolBox provides a page describing them all. Just click on your mail app in the left column and follow the steps provided.

Once you have the headers in front of you, you should be able to find the To, From, Date, and Subject headers in a group near the bottom. (Each relay adds its own headers above what it received, so the headers the sender wrote end up lowest.) Start from there and work your way up. Very often the next line or two will answer the question.

  • Examine the Received: headers. Each one names the server the message came from and the server that accepted it. Are the mail servers in a different country from where the sender is located? If the last letters after the last dot are not .com, .net, or .org, they will frequently be “country codes”. These are two-letter codes that are assigned to each nation in the world, for example, “.us” – United States, “.br” – Brazil, “.cn” – China. (For a complete list, refer to the ICANNWiki page.) A message from a source somewhere in the States should not have any Received: headers with server names like mail.xyz123.ru. The Received: lines added by your own mail provider can be trusted; the ones below them were written on the sender’s side and can be forged.
  • The part of the From address after the “@” should match the business domain name. Check the actual address, not the display name in front of it, which can say anything. For example, all messages from ComputAssist should have “@computassist.com” as the ending of the address. If it does not, it likely did not originate here.
  • If there is a Reply-To header, does its domain differ from the From address? This is how an attacker hijacks your reply, sending it to a mailbox they control instead of the person you think you are answering.
  • Still not sure? Look for an Authentication-Results header with SPF and DKIM results. The ideal result of these validation tests is “pass”. A genuine message may not always pass, but a fail or missing result on mail claiming to come from a business that publishes SPF and DKIM records is a strong sign of forgery. Bear in mind that a pass only proves the message really came from the domain shown; a look-alike domain the attacker registered will pass its own checks.
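The checklist above can be run as code. The following is an added example, not part of the original post: it parses a raw message with Python’s standard email module, walks the Received: headers newest-first, compares the From and Reply-To domains, and reads the SPF/DKIM verdicts from Authentication-Results. Both messages, the host names, and the list of expected top-level domains are constructed for the example.

```python
"""Header triage for a suspicious message, following the checklist above:
Received: hosts, From domain, Reply-To mismatch, SPF/DKIM verdicts.
Added example (not from the original post); both messages are constructed."""
import email
import re
from email.utils import parseaddr

# Constructed: claims to come from computassist.com, but was relayed through an
# unrelated .ru host, asks for replies elsewhere, and fails SPF/DKIM.
SUSPECT_MESSAGE = """\
Received: from mx.example-isp.net (mx.example-isp.net [192.0.2.10])
\tby inbox.example-isp.net with ESMTP id abc123; Fri, 10 Jan 2020 09:15:02 -0600
Received: from mail.xyz123.ru (mail.xyz123.ru [198.51.100.77])
\tby mx.example-isp.net with ESMTP id def456; Fri, 10 Jan 2020 09:14:58 -0600
Authentication-Results: mx.example-isp.net;
\tspf=fail smtp.mailfrom=computassist.com;
\tdkim=none
From: "Accounts Payable" <billing@computassist.com>
Reply-To: billing-desk@mailbox-xyz123.ru
To: owner@example-isp.net
Date: Fri, 10 Jan 2020 09:14:50 -0600
Subject: Invoice overdue

Please see the attached invoice.
"""

# Constructed: what a genuine message from the same sender could look like.
CLEAN_MESSAGE = """\
Received: from mail.computassist.com (mail.computassist.com [203.0.113.5])
\tby mx.example-isp.net with ESMTP id ghi789; Fri, 10 Jan 2020 10:02:11 -0600
Authentication-Results: mx.example-isp.net;
\tspf=pass smtp.mailfrom=computassist.com;
\tdkim=pass header.d=computassist.com
From: "Accounts Payable" <billing@computassist.com>
To: owner@example-isp.net
Date: Fri, 10 Jan 2020 10:02:05 -0600
Subject: January invoice

Attached is this month's invoice.
"""

EXPECTED_TLDS = ("com", "net", "org", "us")   # assumption: what this recipient normally sees


def domain_of(header_value):
    """Domain of the address in a From:/Reply-To: header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hosts(msg):
    """Host named in the 'from' clause of each Received: header, newest first.
    Each relay prepends its own Received: line, so the top entries were added by
    servers close to you; lower ones come from the sender's side and can be forged."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(value))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def auth_results(msg):
    """spf=/dkim=/dmarc= verdicts from Authentication-Results: headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def triage(raw_message, expected_domain):
    """Return a list of findings; an empty list means every check passed."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From"))
    if from_domain != expected_domain:
        findings.append(f"From address is @{from_domain}, not @{expected_domain}")

    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to @{reply_domain}, not @{from_domain}")

    for host in received_hosts(msg):
        tld = host.rpartition(".")[2]
        if tld not in EXPECTED_TLDS:
            findings.append(f"relayed via {host} (unexpected .{tld} top-level domain)")

    verdicts = auth_results(msg)
    for method in ("spf", "dkim"):
        result = verdicts.get(method, "none")
        if result != "pass":
            findings.append(f"{method} result is '{result}', not 'pass'")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, triage(raw, "computassist.com") or ["no findings"])
```

Paste the headers your mail app shows into the place of the constructed message and give triage() the domain the sender claims to be. The suspect message produces four findings (Reply-To elsewhere, a .ru relay, SPF fail, DKIM none); the clean one produces none.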

Attachments can be dangerous

One way for phishers to get you hooked is to attach a malicious file to the message. Click it, and the attack on your computer and network begins. These attacks can appear quite genuine. It might look like a bank statement, or an invoice from a supplier, complete with corporate logo and boilerplate fine print.

  • Never trust an attachment that you were not expecting.
  • Even if it appears to be familiar, such as a monthly invoice, use the other techniques here to verify the authenticity of the message first!
  • Be especially careful with Office documents, which can contain macros: code that runs on your computer once the document is opened and content is enabled.

Everyone who uses email is potentially a phishing target. These techniques will go a long way in keeping you from becoming a victim.

Looks Legit–How To Not Get Phished

An accountant in a small business office receives an email from her boss: “Please purchase (locally) some gift cards, scratch off the numbers, photocopy and send them to me by email. They are for giving to a person in need. I need this done immediately.” Everything looks believable including the salutation and the signature. But the request is unusual. The boss has never asked this before, and the accountant is not the person who normally would be making local purchases.

With email, lose your trusting nature

The above is an example of a phishing email scam. Phishing is a step beyond simple forging. It’s an attempt to use the appearance of credibility to fool the recipient into cooperating with the attacker. Messages are crafted to look like they come from known sources. They may use familiar corporate logos and colors, the names of others at your workplace, the From: address may even be in your address book. In the case above, the From address was familiar, but the Reply-to address (where a reply to the message would be sent) was an unknown party.

Because email phishing is one of the most common attack methods today, every person on the staff of any organization is a key part of the corporate defensive strategy. One slip could invite malware or ransomware into the whole network.

Phishing attacks get more sophisticated every day. As a user of email in a workplace, you need to up your game accordingly. Here are the top four tips on how to avoid getting phished.

1. Check your own awareness

Common phishing emails appear to be messages from co-workers, shipping company tracking numbers, invoices from known suppliers, and account notifications from online stores and financial institutions. Keep your guard up. You may not normally be a suspicious person. However skeptical you normally are, be more wary than usual when working with email. It’s a shame, but you must treat everything in your inbox as a potential threat to your organization.

Any visible part of an email can be faked. The From: address, the signature, familiar names and logos don’t prove the origin of the message. In a phishing message, all the dirty work is hidden. No matter how innocuous it looks, always use secondary means to verify a message’s authenticity.

2. Check clickable links

One giveaway of a phishing attempt is deceptive clickable links. On most computers, if you place your mouse pointer over a link but do not click, the actual destination address is shown in a tool tip (pop-up text) or in the status bar at the bottom of the window. If the visible text and the tool tip don’t match, be suspicious. For example, the link as shown in a message appears to be www.computassist.com, but when you hover your mouse over it, the tool tip displays svr3.doogielt.cn. This is a huge red flag: don’t click!

Check link spelling very carefully. For example, can you tell the difference between paypal.com and paypaI.com? (Depending on your browser’s default font, they may appear the same. The second has a capital I in place of the lowercase l.) The same trick is played with letters from other alphabets that look like ours, and with the real name buried inside a longer one, such as paypal.com.someotherplace.ru, where the actual domain is the last two parts.

If you receive an email asking you to update your account information on a site you use, don’t click the links in the email. Use your bookmark for that site instead, or type its address into the address bar yourself.
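The hover test from the Windows 7 post and the spelling check above come down to the same question: is the registrable domain in the link the one the message claims? The following is an added example, not part of the original post, that answers it for a batch of constructed links: it reads the host out of an address, reduces it to its registrable domain, and reports whether the expected name is really there, merely embedded somewhere else in the URL, imitated with look-alike characters or a near-miss spelling, or absent. The confusables table is a small constructed subset, the two-label domain reduction is a simplification, and mail clients usually show internationalized hosts in punycode (xn--...) rather than the decoded text this example works on.

```python
"""Check where a link really points, as the hover test does, plus the
look-alike spelling trap. Added example, not from the original post; the
sample links and the confusables table are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Characters that pass for ASCII letters in common fonts. Deliberately small;
# the Unicode confusables data lists thousands more.
CONFUSABLES = {
    "I": "l",        # capital I for lowercase l, as in paypaI.com
    "1": "l",
    "0": "o",
    "\u0430": "a",   # Cyrillic a
    "\u0435": "e",   # Cyrillic ie
    "\u043e": "o",   # Cyrillic o
    "\u0440": "p",   # Cyrillic er
    "\u0441": "c",   # Cyrillic es
}

# Constructed (href, domain the link claims to be, expected verdict).
SAMPLE_LINKS = [
    ("https://fnbo.com/somepage", "fnbo.com", "ok"),
    ("https://www.FNBO.com/login", "fnbo.com", "ok"),
    ("https://fnbo.com.secure-login.ru/", "fnbo.com", "embedded"),   # real domain: secure-login.ru
    ("http://fnbo.com@198.51.100.7/", "fnbo.com", "embedded"),       # user@host trick
    ("https://someotherplace.ru/fnbo.com/verify", "fnbo.com", "embedded"),
    ("https://www.paypaI.com/signin", "paypal.com", "lookalike"),
    ("https://p\u0430ypal.com/", "paypal.com", "lookalike"),          # Cyrillic a
    ("https://someotherplace.ru/", "fnbo.com", "mismatch"),
]


def raw_host(href):
    """Host text as written in the href, case preserved, without scheme,
    user@ prefix, port or path."""
    parts = urlsplit(href if "://" in href else "http://" + href)
    netloc = parts.netloc.rpartition("@")[2]
    if netloc.startswith("["):                      # bracketed IPv6 literal
        return netloc[1:netloc.index("]")]
    return netloc.split(":")[0].rstrip(".")


def registrable_domain(host):
    """Last two labels of the host. Simplification: real code should use the
    Public Suffix List so that example.co.uk is not reduced to co.uk."""
    if ":" in host or host.replace(".", "").isdigit():   # IP literal
        return host
    return ".".join(host.split(".")[-2:])


def skeleton(name):
    """Fold look-alike characters to the ASCII letters they imitate."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, expected_domain):
    """'ok' if the link's registrable domain is the expected one; 'embedded' if the
    expected name merely appears somewhere else in the URL; 'lookalike' if the
    real domain imitates it; 'mismatch' otherwise."""
    expected = expected_domain.lower()
    domain = registrable_domain(raw_host(href))
    if domain.lower() == expected:
        return "ok"
    if expected in href.lower():
        return "embedded"
    if skeleton(domain) == skeleton(expected) or edit_distance(domain.lower(), expected) <= 2:
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    for href, claimed, _ in SAMPLE_LINKS:
        print(f"{classify_link(href, claimed):9} {href}")
```

Only “ok” means the link goes where it claims. The edit-distance threshold of two is deliberately loose: it will also flag some legitimately different names, which is the right bias for a link you were about to click from an unexpected email.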

Next time we will look at two more tips to keep you among the un-phished.