Here’s What You Can Do If You Aren’t Ready to Say Goodbye to Windows 7

Windows 7 is reaching the end of its life cycle on January 14, 2020. Here are your options if you want to keep using it.

The sun is setting on Windows 7. If you are still using this old but reliable workhorse in your business, it might be time to say goodbye and let it ride off into the sunset. However, that’s not always an option.

Although you can still use Windows 7 after it reaches the end of it life cycle on January 14, 2020, it is risky to do so. That’s because Microsoft will no longer provide free security updates or product support for this operating system or its built-in web browser, Internet Explorer. Using unpatched software will leave your business’s computers more susceptible to cyberattacks.

Fortunately, Microsoft is offering several options for companies still using Windows 7 when it reaches the end of its lifecycle. The options include:

  • Purchasing Extended Security Updates
  • Using Microsoft’s Windows Virtual Desktop service

Extended Security Updates

Microsoft is offering Extended Security Updates to any business using Windows 7 Professional or Windows 7 Enterprise through January 2023. You do not need to have a volume licensing agreement to take advantage of this offer.

You can purchase Extended Security Updates through Microsoft’s Cloud Solution Provider program. The updates, which will be delivered through the normal update delivery processes, will include patches for security issues discovered in the operating system and its components (including Internet Explorer). They will not include any bug fixes (i.e., patches for non-security issues such as glitchy functions), feature enhancements, or technical support.

The Extended Security Updates are sold on a per-device basis, so you only have to purchase the updates for the computers that need them. Similarly, you only have to purchase the updates for the timespan needed, as the updates will be sold in three 12-month increments (2020, 2021, and 2022). For instance, if you plan on updating your computers in 2021, you can purchase security updates for 2020 only. However, the security updates are cumulative, so continuous coverage is necessary. This means that you cannot, for example, just pay for the 2022 updates. If you buy the updates for the first time in the second or third year, you will have to pay for the preceding years.

Microsoft has not publicly released the price list, but sources note that the Extended Security Updates for Windows 7 Enterprise will cost $25 per device the first year, $50 per device the second year, and $100 per device the third year. Updates for Windows 7 Pro will cost $50 per device the first year, $100 per device the second, and $200 per device the third year.

Windows Virtual Desktop Service

Windows Virtual Desktop is a desktop and app virtualization service that runs in the Microsoft Azure cloud. You can virtualize Windows 7 and Windows 10 desktops as well as Microsoft and third-party apps.

Businesses virtualizing Windows 7 desktops will be provided with free Extended Security Updates through January 2023, according to Microsoft. Not having to worry about annual increases in fees for these updates means you will feel less pressured to rush through a migration. Plus, as desktops are upgraded, you will be able to manage both the Windows 7 and Windows 10 desktops using a unified management approach.

Being able to virtualize Windows 7 desktops can also come in handy if you have migrated to Windows 10, but have a few computers you cannot upgrade because the machines are running legacy business apps that are incompatible with Windows 10. With Windows Virtual Desktop, you can keep your Windows 10 computers local while running your legacy apps on virtualized Windows 7 desktops in the cloud.

You can use Windows Virtual Desktop to access Windows 7 Enterprise and Windows 10 Enterprise desktops and apps for no additional cost if you have one of the eligible licenses. You can find out which licenses are eligible on the “Windows Virtual Desktop pricing” web page.

To use Windows Virtual Desktop, you also need to have an Azure subscription. In addition, you need to have Azure Active Directory that is in sync with Windows Server Active Directory through either Azure AD Connect or Azure AD Domain Services.

Need More Information or Advice?

If your business is still using Windows 7, we can go over your options in more detail so you can make the best choice for your business based on its needs. Afterward, we will help you carry out that decision.

Windows 7 – Splash Screen” (CC BY-SA 2.0) by Brent Schmidt


Keep Tabs on Which Version of Windows 10 Your Business’s Computers Are Running

Windows 10 follows a different lifecycle than its predecessors. Learn about this lifecycle and how to check a computer to see if it is running an unsupported version of Windows 10.

With all the attention that Windows 7’s demise is getting, another deadline has passed with much less fanfare. On November 12, 2019, Windows 10 version 1803 reached the end of its service. This might come as a surprise to some people. However, Windows 10 follows a different lifecycle than its predecessors.

The Different Lifecycle of Windows 10

In the past, Microsoft typically stopped supporting Windows client operating systems a decade after their release. With Windows 10, this is no longer the case. Each version has its own end-of-service date. Windows 10’s version changes each time it receives a feature update, which occurs twice a year. For example, Windows 10 version 1803 is the version resulting after the Windows 10 April 2018 Update is installed.

The end-of-service date depends not only on the version but also the edition (e.g., Windows 10 Professional, Windows 10 Enterprise). Table 1 shows upcoming end-of-service dates for popular Windows 10 editions.

Why the End-of-Service Date Is Important

The end-of-service date is important to know because, once it is reached, the version is no longer supported. This means that Windows 10 will no longer receive the monthly quality updates, which include security patches and bug fixes.

When a Windows 10 version is reaching its end-of-service date, Microsoft will automatically try to update it on customers’ computers. However, the update might not occur for various reasons. For example, companies might control updates through management-system policies or a computer might not be connected to the Internet. Plus, in some editions, Windows 10 users have the ability postpone feature updates. For this reason, it is a good idea to make sure that your business’s Windows 10 computers are not running any unsupported versions.

Here is how to find out which Windows version a computer is running:

  1. Open the start menu by clicking the Windows icon in the bottom right corner of the screen.
  2. Click the gear icon, which will open the Settings app.
  3. Select “System”.
  4. Scroll down to the bottom of the left pane and click “About”.
  5. Scroll to the “Windows specifications” section in the right pane.
  6. Note the edition listed and its version number.

If one of your business’s devices is running an unsupported version of Windows 10 and you are not sure how to get it updated, give us a call.

 

Table 1: Upcoming End-of-Service Dates for Windows 10

Windows 10 Version Date Released Windows 10 Pro and
Windows 10 Home
End-of-Service Date
Windows 10 Enterprise and Windows 10 Education
End-of-Service Date
Windows 10 version 1909
(November 2019 Update)
Nov. 12, 2019 May 11, 2021 May 10, 2022
Windows 10 version 1903
(May 2019 Update)
May 21, 2019 Dec. 8, 2020 Dec. 8, 2020
Windows 10, version 1809
(October 2018 Update)
Nov. 13, 2018 May 12, 2020 May 11, 2021
Windows 10, version 1803
(April 2018 Update)
Apr. 30, 2018 * Nov. 10, 2020
Windows 10, version 1709
(Fall Creators Update)
Oct. 17, 2017 * Apr. 14, 2020
* End-of-service date already reached

Windows 10 Devices flickr photo by DobaKung shared under a Creative Commons (BY) license


Online Holiday Scams & How to Protect Your Data

December is the busiest shopping month of the year with several gift giving holidays within. Companies send out more email volume during this time to past purchasers or potential buyers and hackers are aware of this busy shopping season and will attempt to steal your information.

Earlier this month, the Department of Homeland Security issued a release with tips to avoid phishing and malware scams which are worth paying attention to. We list popular ways hackers are tricking shoppers and how to protect yourself this holiday season. Happy online shopping!

Picking up YOUR packages                                                            

Companies are tailoring their purchase process to easier consumer methods such as buying products online that are picked up at a physical location. Make sure when purchasing this way that the merchant has a secure method to picking up the products in person, as well as a secure checkout page when purchasing beforehand.

 

E-Skimming

Similar to skimming a card and stealing that information, e-skimming works on the checkout page with javascript running in the background that steals your card details. Sometimes the hacker’s code looks like an application installing to complete the checkout process, which should never be the case. Use protective tools your browser offers to protect your information with encryption, and make sure the website is secure with an ‘https’ before the URL.

Shimming

Bank and credit cards are now equipped with chip enabled technology to crack down on skimming, a method where criminals attached a device to a transaction machine which were commonly attached to gas stations. However, with advancement of secure technology comes the threat of criminals cracking the technology to steal your card information, and have now started “shimming” chip cards successfully. Hackers place a “shim” or a thin device into the slot where you would stick the chip end of your card and will save your card information and used in instances where chip technology is not required, such as online purchases. You can protect yourself by setting up transaction alerts every time your card is used or use the contactless feature when paying so information cannot be stored and sold to third parties later.

Quick Checklist

While there are always new methods of hacking your secure information there are easy solutions and methods you should use when shopping online:

  • Don’t download shopping apps directly from a link as it could be malware installing onto your device.
  • Make sure you have researched the party purchasing from.
  • Check the URL to be sure you are on the correct page, and not a 3rd party page claiming to be the original company.
  • Make sure the site is ‘https’ enabled, not ‘http.’
  • Do not shop on public wi-fi, use private wi-fi that is secure and password protected.
  • Setup transaction alerts to monitor your accounts.

Whether holiday shopping online or sending secure data for business operations, don’t allow an unsecured network put your financial data at risk. Ask how our secure network monitoring services can improve your online security.

Data Protection and Privacy flickrphoto by Cerillion shared under a Creative Commons (BY) license


5 Things You Should Know about Phishing

The more you know about phishing, the better you will be able to spot phishing attacks. Here are five phishing fundamentals that can help you avoid becoming the next victim.

Only 66% of working adults correctly answered the question “What is phishing” in 2019 Proofpoint survey. This means one-third of adults do not know that phishing is a form of fraud in which cybercriminals try to scam people into providing sensitive information (e.g., login credentials, account information) or performing an action (e.g., clicking a link, opening an email attachment) in order to steal money, data, or even a person’s identity.

Being able to answer the question “What is phishing” is a good start. However, the more you know about this type of attack, the better you will be able to avoid becoming the next victim. Toward that end, here are five things you should know about phishing:

  1. Phishing Isn’t Just about Emails

People commonly associate phishing with emails. However, hackers carry out phishing attacks through other communication channels as well, including websites, text messages, and phone calls.

Most often, cybercriminals use emails and websites in their phishing attacks. Sometimes they even use both channels in the same scam. For example, they might try to get people to click a link in a phishing email, which sends the victims to a phishing site. Similarly, cybercriminals might try to get people to click a link in a text message, which leads to a phishing site.

Phishing calls are also becoming common. Mobile scam calls rose from 3.7% of all calls in 2017 to 29.2% of all calls in 2018, according to researchers at First Orion. This upper spiral is expected to continue throughout 2019.

  1. Phishing Sites Can Be HTTPS Pages

Cybercriminals are increasingly using HTTPS sites for phishing. Hackers are counting on people being lulled into a false sense of security when they see the “https” designation and the accompanying padlock icon in their web browser’s address bar. When some people see these two elements, they assume that a site is safe. However, the “https” designation simply indicates that any data sent between the browser and the website is encrypted. It does not signify that the website is legitimate or free from malware.

More than half of all phishing sites are HTTPS sites, according to Anti-Phishing Working Group’s “Phishing Activity Trends Report, 2nd Quarter 2019“. The situation is getting so serious that the US Federal Bureau of Investigation (FBI) issued a public service announcement in June 2019 warning people about this.

  1. Hackers Like to Reel In Certain Types of Victims

While phishing attacks were initially targeted at consumers, cybercriminals quickly discovered that businesses are also lucrative targets. In 2018 alone, 83% of businesses experienced phishing attacks, according to Proofpoint’s “2019 State of the Phish Report“.

Small and midsized companies are often targeted. In 2018, for example, employees in smaller organizations received more phishing emails than those in large organizations, according to Symantec’s “2019 Internet Security Threat Report“. Small and midsized companies are sought because they typically do not have the expertise or resources to properly secure their businesses against phishing scams and other types of attacks.

Cybercriminals are also selective about who they target within companies. Security experts note that popular phishing marks include:

  • Executives are highly sought because they typically have access to sensitive business information and the authority to sign-off on financial transactions such as electronic fund transfers.
  • Administrative assistants. Administrative assistants work closely with the managers and executives they assist. As a result, they often have access to information (e.g., an executive’s schedules) and accounts (e.g., a manager’s email account) that can help phishers plan and carry out scams.
  • Human resources (HR) staff. Cybercriminals like to target HR professionals because they have access to sensitive data such as employee records. Plus, they regularly respond to queries from employees (including manager and executives) as well as handle unsolicited communication from people outside the company (e.g., job applicants).
  • Sales team members are common marks because their contact information is often readily available. Furthermore, they are usually very responsive to unsolicited communication (e.g., emails, texts, or calls from potential customers).
  1. Cybercriminals Don’t Take Holidays Off

Hackers go phishing 365 days a year, which means people should not let their guard down, even on holidays. In fact, people might want to be more cautious around holidays, as cybercriminals often ramp up their efforts during certain seasonal events such as Black Friday, tax season, and even Amazon Prime Day. Cybercriminals also try to capitalize on unforeseen events, such as natural disasters. Preying on people’s compassion, they pretend to be collecting donations for disaster victims.

Nearly 80% of phishing attacks occur on weekdays, according to Vade Secure researchers. This isn’t too surprising given that hackers like to target businesses. Tuesdays and Wednesdays are the top two days cybercriminals carry out their attacks.

  1. Phishers Are Skilled Impersonators

Cybercriminals commonly impersonate legitimate contacts and companies to carry out their phishing scams. When targeting a business, cybercriminals often pretend to be someone within the company (e.g., an executive or employee) or an organization that does business with the company (e.g., a supplier or lawyer).

When targeting consumers, hackers typically masquerade as representatives from popular companies. For instance, in the second quarter of 2019, the top 10 companies that hackers pretended to be representing were:

  • Microsoft
  • PayPal
  • Netflix
  • Bank of America
  • Apple
  • CBIC
  • Amazon
  • DHL
  • DocuSign

A Serious Threat

Phishing attacks are a serious threat for not only consumers but also companies. We can help your business devise a comprehensive strategy to deal with phishing attacks, no matter if they are carried out through emails, websites, text messages, or phone calls.

Hacking flickr photo by Worlds Direction shared into the public domain using Creative Commons Public Domain Dedication (CC0)


Business App Upgrades You Might Want to Add to Your 2020 IT Budget

Microsoft will no longer support many business apps in 2020 because they are reaching the end of their lifecycles. Find out which popular programs are reaching this point so you can plan any needed upgrades and adjust your 2020 IT budget accordingly.

Running into unanticipated expenses can blow a business’s IT budget. For this reason, it helps to know about business apps that are reaching the end of their lifecycles. When apps reach this point, the software developers typically stop providing security updates. Running programs that do not receive security updates puts companies at greater risk of cyberattacks.

Three popular Microsoft business apps — Office 2010, Windows 7, and Windows Server 2008 — are reaching the end of their lifecycles in 2020. Many other business apps are also facing the same fate. If your company is running any of these apps, it is a good idea to find out the upgrade options, select the best one for your situation, and adjust your 2020 budget accordingly.

Office 2010

After October 13, 2020, Microsoft will no longer support Office 2010 apps, no matter whether they were procured as part of an Office suite (e.g., Office 2010 Professional) or purchased individually. This means that popular business apps such as Outlook 2010, Word 2010, Excel 2010, and PowerPoint 2010 as well as lesser used apps like Access 2010, Publisher 2010, and OneNote 2010 will no longer receive security updates.

If you decide to upgrade, you have several options, with the main ones being:

  • Subscribe to Office 365. When you subscribe to Office 365, you pay a monthly or yearly subscription fee for each person using the cloud service. Microsoft has many business subscription plans that offer different combinations of Office apps, services, and storage options. With most of the plans, each licensed user can install the Office apps on five desktop computers (Windows or Mac), five tablets, and five smartphones.
  • Purchase the Office 2019 suite or standalone apps. With this option, you make a one-time purchase of Office 2019, which is on-premises software and not a cloud service. Five versions of the Office 2019 suite are licensed for business use: three versions for companies with five or more users and two versions for organizations with fewer than five users. Each licensed user can install the Office apps on only one computer. You can also make a one-time purchase of standalone Office 2019 apps (e.g., Outlook 2019, Word 2019) for use on one computer.
  • Subscribe to Microsoft 365. In Microsoft 365, Office 365 is bundled with other cloud-based services that enable companies to automate business processes as well as secure and manage Windows 10 desktops. The specific services depend on the subscription plan chosen. For example, Microsoft 365 Business is tailored for businesses with 300 or fewer employees, whereas Microsoft 365 Enterprise is designed for larger companies.

Windows 7

All support for Windows 7 ends on January 14, 2020. Besides eliminating free security updates for this operating system, Microsoft will no longer provide them for Internet Explorer web browsers running on Windows 7 machines. That’s because Internet Explorer is considered an operating system component, so the browser follows the lifecycle of the operating system in which it is installed.

Assuming you do not want to switch to a different vendor’s operating system (e.g., Apple macOS), your options include:

  • Upgrade to Windows 10. To entice Windows 7 users to switch to Windows 10, Microsoft initially offered free upgrades. However, that promotion ended long ago (July 2016), so you now need to purchase Windows 10. If you subscribe to Microsoft 365 Business and your computers are running Windows 7 Professional, though, you can upgrade at no additional cost.
  • Purchase Extended Security Updates. Microsoft is offering Extended Security Updates for Windows 7 (which will include updates for Internet Explorer) through January 2023. On October 1, 2019, Microsoft announced that these updates will be available to any business of any size. Previously, it was planning to make these updates available to only Windows 7 Professional and Windows 7 Enterprise customers with volume licensing agreements.
  • Use Windows Virtual Desktop. This desktop and app virtualization service runs in the Microsoft Azure cloud. Companies can use it to virtualize Windows 7 desktops. Companies doing so will be provided with free Extended Security Updates through January 2023.

Windows Server 2008

Companies rely on servers to perform crucial duties — referred to as roles — such as authenticating users, hosting applications, issuing public-key certificates, and storing files. Because servers carry out these roles, they need to be well secured — and not having security updates would make protecting them a difficult task. For this reason, you need to take action soon if your business is using Windows Server 2008 or Windows Server 2008 Release 2 (R2). On January 14, 2020, these server operating systems will reach the end of their lifecycles, which means they will no longer receive free security updates.

Microsoft recommends taking one of the following upgrade paths if your servers are running Windows Server 2008 or Windows Server 2008 R2:

  • Upgrade to a newer Windows Server version. If you want to keep your servers on-premises, you can upgrade to Windows Server 2019 or Windows Server 2016. However, you cannot directly migrate to one of these newer versions. Instead, you need perform several upgrades (e.g., first migrate from Windows Server 2008 to Windows Server 2012 R2, then upgrade to Windows Server 2016, and finally move to Windows Server 2019).
  • Purchase Extended Security Updates. Because of the complexity involved, upgrading to a newer version of Windows Server by January 14, 2020, might not be a viable option. To give you more time, Microsoft is offering Extended Security Updates through January 2023. These updates will be available for the Standard, Enterprise, or Datacenter editions of Windows Server 2008 and Windows Server 2008 R2.
  • Permanently migrate to Microsoft Azure. You can permanently move your Window Server roles to Microsoft Azure, which is Microsoft’s public cloud computing platform.
  • Temporarily rehost workloads in Azure. You can temporarily move your Windows Server 2008 or Windows Server 2008 R2 operations to virtual machines in Azure until you are ready to either upgrade your on-premises version or migrate permanently to Azure. If you decide to temporarily rehost the workloads in Azure, you will get three years of Extended Security Updates at no additional charge.

The End Is Near for Many More Business Apps

Office 2010, Windows 7, and Windows Server 2008 are not the only business apps reaching the end of their lifecycles. Many other programs share the same fate. Table 1 lists some of the more notable ones.

We can assess your IT environment to see whether it is running any of the apps that will no longer be supported in 2020 as well as help you decide on the best upgrade option. Making plans now will ensure a smooth migration and help you keep on-budget in 2020.

Table 1: Some of the Business Apps That Microsoft Will No Longer Support in 2020

Business App End-of-Support Date
Exchange Server 2010 January 14, 2020
FAST Search Server 2010 October 13, 2020
Forefront Unified Access Gateway 2010 April 14, 2020
Hyper-V Server 2008 January 14, 2020
Hyper-V Server 2008 R2 January 14, 2020
Office 2010 October 13, 2020
Project 2010 October 13, 2020
Search Server 2010 October 13, 2020
SharePoint Server 2010 October 13, 2020
System Center Service Manager 2010 September 8, 2020
Visio 2010 October 13, 2020
Windows 7 January 14, 2020
Windows MultiPoint Server 2010 July 14, 2020
Windows Server 2008 January 14, 2020
Windows Server 2008 R2 January 14, 2020

The App Store flickr photo by Glen Bledsoe shared under a Creative Commons (BY) license


Gift Card Payouts: A New Trend in Business Email Scams

Cybercriminals are increasingly conning companies into sending gift-card numbers and PINs. Learn about this new trend in business email compromise (BEC) scams and what you can do to defend your business.

Cybercriminals have been using business email compromise (BEC) scams for years because they are profitable. Between June 2016 and July 2019, for example, they used BEC attacks to steal more than $26 billion from companies, according to a September 2019 report.

In a BEC scam, cybercriminals pose as executives and other business professionals to con companies out of money. They typically use spear phishing emails, social engineering techniques, and other tools to carry out their attacks. Until recently, cybercriminals mainly tried to get businesses to send money via wire transfer. But that is no longer the case. Researchers at Agari found that 65% of the BEC scammers now try to get businesses to send gift-card account numbers and PINs.

The payouts from gift-card scams ($1,562 on average) are significantly less than payouts from wire-transfer cons ($64,717 on average), according to the Anti-Phishing Working Group’s “Phishing Activity Trends Report, 2nd Quarter 2019“. However, gift cards are easy to launder and hard to trace, making them the most popular payout method.

How Gift-Card BEC Scams Work

Here is how gift-card BEC scams typically work: Posing as a person of authority (e.g., an executive) at the targeted company, the cybercriminals craft a polished email that is specific to the business being victimized. The recipient will be an employee who is authorized to purchase gift cards on the company’s behalf.

In the email, the scammers will spin a tale of why they need the employee to purchase gift cards for them. Cybercriminals study their victims, so the reason will make sense to the employee. For example, if the company has an “Employee of the Month” award program, the scammers might say that the gift cards will be used to reward upcoming winners. Or, if it is December, they might say they want to give the company’s top clients or suppliers a holiday gift.

The cybercriminals will also tell the employee to send them the gift-card information — including the gift card account numbers and PINs — for their records once the cards are purchased. The most common gift cards requested by BEC scammers are Google Play, Steam Wallet, and Amazon, according to the “Phishing Activity Trends Report, 2nd Quarter 2019”.

The scammers will then send the email using a spoofed email address or hijacked email account to make the email seem legitimate. If the employee buys the gift cards and sends the card information to the scammers, they will immediately cash out the value of the cards.

How to Defend Your Business

To avoid becoming a victim of this type of BEC scam, you should:

  • Educate employees at all levels about BEC emails in general and gift-card BEC scams in particular.
  • Tell employees to be wary of an email request to buy multiple gift cards or a gift card with an unusually high amount, even if the reason for the request seems legitimate.
  • Educate employees at all levels about how to spot spear phishing emails, including how to check emails for spoofed addresses in the “From” field.
  • Be careful about what you post on your business’s website. Cybercriminals can use some types of information (e.g., employee job descriptions, email addresses) to determine who to impersonate and who to send the gift-card BEC email to.

If you would like to learn more ways to protect your company against BEC scams and other types of cyberattacks, contact us.

Money unfolding flickr photo by cafecredit shared under a Creative Commons (BY) license


New Android Ransomware Spreads Through Forum Posts and Customized Texts

Cyber extortionists have created new ransomware that encrypts files on Google Android devices. Find out how this ransomware infiltrates devices so you can avoid becoming a victim.

A new family of ransomware known as Android/Filecoder.C has been discovered. The initial infection occurs when Google Android device users download a malicious app by means of a link or quick response (QR) code in a forum post. Once on a device, the ransomware tries to spread itself by sending text messages to everyone on the victim’s contact list. Each message is customized with the recipient’s name to make the text seem more legitimate.

This ransomware could become a serious threat if the cybercriminals start targeting broader groups of users, according to security researchers. To avoid becoming a victim of this ransomware and similar variants, it helps to dissect past Android/Filecoder.C attacks to see how the ransomware infiltrated victims’ devices.

The Infiltration

When it comes to ransomware, looking at past attacks can help you prepare for new ones. Here is how the Android/Filecoder.C attacks in July and August 2019 were typically carried out:

To initially get the ransomware onto devices, cybercriminals posted messages in popular online forums such as Reddit and XDA Developers (a forum for mobile software developers). While most of the comments were porn-related, some dealt with technical topics.

The posted messages contained a malicious link or quick response (QR) code. In some cases, the hackers used the Bitly URL shortening service (aka “bit.ly” links) to hide the links’ real addresses. Other times, the hackers made no attempt to hide the links, which typically ended in “.apk”. Android Package Kit (APK) files are used to distribute and install mobile apps on Android devices. Cybercriminals sometimes hide malware in these files.

People who clicked the links or scanned the QR codes in the forum posts had Android apps containing Android/Filecoder.C automatically downloaded to their devices. When the victims launched the malicious apps, the apps displayed whatever was promised so the victims would not be immediately aware their devices were infected with ransomware. Nor were they aware that the ransomware was sending text messages to the people in their contact lists. The text messages tried to lure the recipients into downloading malicious apps. The messages included the recipients’ names to make them seem more legitimate.

Once the text messages were sent, the ransomware went to work encrypting more than 175 types of files and appending the file extension “.seven” to the original filenames (e.g., ProductPhoto0057.jpg.seven, QuarterlyReport.docx.seven). However, unlike some ransomware, Android/Filecoder.C did not lock the devices’ screens or prevent the devices from being used.

After the all files were encrypted, Android/Filecoder.C displayed its ransom note. The victims were instructed to pay the ransom in bitcoins. The amounts varied, usually ranging from $98 to $188 [USD]. Although the ransom note stated that the victims would lose their data if they did not pay within 72 hours, security researchers found nothing in the ransomware’s code to support that claim.

Be Cautious

Being cautious can go a long way in avoiding becoming a victim of Android/Filecoder.C and similar ransomware variants. For starters, you should avoid clicking links (especially if they end in “bit.ly” or “.apk”) and scanning QR codes in online forums and similar public venues. Typically, anyone can post messages — including cybercriminals — in forums. Even clicking links and scanning QR codes in a moderated forum can be risky. Forum owners might initially allow all messages to be posted, with a moderator reading them days later or only if there is a complaint.

Similarly, you should avoid clicking links in text and email messages from unknown sources. Clicking links can be risky even if a message is supposedly from someone you know. As the Android/Filecoder.C ransomware demonstrates, hackers know how to hijack text accounts. They are also skilled at hijacking email accounts. So, if a text or email message supposedly from someone you know seems odd, you might want to give the person a call to see if they sent it.

Besides being cautious about links and QR codes, you should be leery about installing apps from third-party sources on your device. It is best to install apps only from official stores like Google Play. Although a few malicious apps find their way into these stores, the risk is much greater if you download apps from third-party sources.

Even if an app is in an official store, you should research the app before downloading it. Reading the app’s reviews in the store and conducting Internet searches on the app might reveal security issues. Plus, you should find out the apps’ permissions. If they seem excessive for the types of functions performed by the app, you should avoid downloading it.

Be Proactive

Besides being cautious, you need to take preemptive measures to protect your device from Android/Filecoder.C. If you do not already have a mobile security solution installed on your device, it is time to get one. Mobile security solutions detect and block known types of malware, including ransomware. Some security solutions even scan apps for suspicious activity before you download them.

Another important measure is to make sure the software on your Android device is being regularly updated so that known vulnerabilities are patched. This reduces the number of exploitable entry points in your device. By default, the Android operating system and any apps you install from Google Play are automatically updated. It is a good idea, though, to make sure the updates are being installed. Plus, you need to make sure that updates for other apps are being installed.

Regularly backing up your mobile device is also important when it comes to ransomware. Although having restorable backups won’t help prevent a ransomware attack, you won’t have to pay the cyber-extortionists to get your files back if an infection occurs.

Android flickr photo by dungodung shared under a Creative Commons (BY-SA) license


How to Protect Your Sensitive Business Files with Passwords

Protecting a file with a password can provide an extra layer of security for sensitive business documents. Learn how to password-protect your files in Microsoft Word, Excel, and PowerPoint.

This can come in handy if you want to, for example, email a report that contains your company’s sales figures or bring it along on a business trip.

Three Microsoft Office apps — Word, Excel, and PowerPoint — offer the ability to password-protect files. As Table 1 shows, this feature is available in nearly all supported versions.

Table 1: Microsoft Office Apps in Which You Can Password-Protect Files

Word Excel PowerPoint
Word for Office 365* Excel for Office 365* PowerPoint for Office 365*
Word 2019* Excel 2019* PowerPoint 2019*
Word 2016* Excel 2016* PowerPoint 2016*
Word 2013** Excel 2013** PowerPoint 2013**
Word 2010** Excel 2010** PowerPoint 2010**
  * Uses 256-bit AES encryption
** Uses 128-bit AES encryption

Before you protect a file, though, you should take the time to come up with a unique, strong password for it. Otherwise, it might be easy for someone to guess or crack it. And if you tend to forget credentials, you might want to keep a copy of the file’s password in a safe location. While not ideal, it beats not being able to open and use the file ever again. The apps do not have the ability to recover or reset a forgotten password.

How to Password Protect a File

Protecting files with a password is a straightforward process. Plus, the steps are easy to remember, as they are basically the same no matter whether your password-protecting a Word document, Excel workbook, or PowerPoint presentation.

To password protect a file, open it in the appropriate app and follow these steps:

  1. Click the “File” tab in the upper left corner.
  2. In the “Info” section, click “Protect Document” if you are in Word, “Protect Workbook” if you are in Excel, or “Protect Presentation” if you are in PowerPoint.
  3. In the drop-down menu that appears, select “Encrypt with Password”.
  4. Enter the password you want to use and click “OK”.
  5. Re-enter the password and click “OK”.
  6. Save and close the file.

When you later open the file, you will be prompted to enter the password you selected.


How to Remove Password Protection

You can remove a file’s password protection at any time. To do so, open the file in the appropriate app and follow these steps:

  1. Click the “File” tab in the upper left corner.
  2. In the “Info” section, click “Protect Document” if you are in Word, “Protect Workbook” if you are in Excel, or “Protect Presentation” if you are in PowerPoint.
  3. In the drop-down menu that appears, select “Encrypt with Password”.
  4. Delete the displayed password (it will be masked with asterisks) and click “OK”.
  5. Save and close the file.

You will no longer have to enter the password to open the file.

Password flickr photo by wuestenigel shared under a Creative Commons (BY) license


How to Determine Which IT Policies Your Company Needs

Having too few or too many IT policies can lead to problems. Here is a common-sense approach you can use to determine which IT policies your company needs.

Having too few IT policies can lead to problems. Policies are needed because the rules and requirements documented in them help ensure that a company’s IT resources are being used appropriately, productively, and securely.

Having too many IT policies can also be problematic. Policy overload can make employees feel that they are not trusted or allowed to think on their own, which can cause discontentment. It can also lead to employees not reading the policies, which means they might not be adhering to crucial ones.

To find the right balance, you can use a common-sense approach to determine which IT policies your company needs. This approach is also useful when determining what to include in those policies.

What to Do

Lists of must-have IT policies are easy to find. However, creating IT policies based on a one-size-fits-all list can result in unnecessary or missing policies. A better approach is to first identify the situations in which your company needs documented rules and requirements and then create policies to meet those needs. Common situations include:

The need to comply with laws or regulations that include IT-related requirements. An increasing number of laws and regulations are including IT-related requirements, such as the need to protect people’s privacy and properly secure their personal data.

If your company must comply with any laws or regulations that include IT-related requirements, you should check to see whether they mandate the creation of certain IT policies. For example, if you collect personal information from California residents on your company’s website, California state law requires you to post a privacy policy on that site that lets people know the types of personal data being collected and other pertinent information. Similarly, both the Security Rule and Privacy Rule of the US Health Insurance Portability and Accountability Act (HIPAA) stipulate that organizations under its jurisdiction must establish and implement policies to comply with the rules’ provisions. Even if a law or regulation does not specifically state that certain policies must be created, it is a good idea to do so. Having IT policies in place will help ensure compliance.

The need to document and formalize privacy practices. Laws and regulations like HIPAA are impacting most businesses, even those that do not have to comply. They are bringing to light people’s desire to have more control over their personal data and the assurance that their data is being properly handled and secured. If you want to let your customers and employees know that you are serious about protecting their privacy and personal data, it is important to create a privacy policy, assuming the information is not covered elsewhere (e.g., in the policies mandated by HIPAA). In the privacy policy, you can document how your company is collecting, storing, using, and disposing of customers’ and employees’ personal data.

Office flickr photo by Leonid Mamchenkov shared under a Creative Commons (BY) license


5 Ways You Can Better Protect Your Windows 10 Computer Thanks to the May 2019 Update

More than a billion adults have been the victims of cybercrime. Here are five security-related improvements rolled out through the Windows 10 May 2019 Update that can help you avoid becoming the next victim.

People fear cyberattacks more than physical attacks or robbery — and for good reason. More than 1 billion adults have been the victims of cybercrime, with 800 million of them occurring in 2018 alone.

Taking measures to protect your devices can help mitigate the risk and fear of becoming a victim. The more security measures you implement, the better protected you’ll be. Toward that end, Microsoft keeps adding new and improved security tools and functionality to Windows 10 through feature updates. Here are five security-related enhancements that Microsoft rolled out through the Windows 10 May 2019 Update (version 1903) that you might want to take advantage of to better protect your Windows 10 computer:

  1. New Password-Less Way to Create and Sign In to Microsoft Accounts

Microsoft believes that passwords are “inconvenient, insecure, and expensive” so it is on a quest to create “a world without passwords”. As part of this endeavor, Microsoft has been providing alternative authentication methods through Windows 10 feature updates and other venues. The Windows 10 May 2019 Update introduces a new way you can set up and log in to your Microsoft account that does not involve using a password.

This is how it works: When you first sign in to Microsoft on a new or reset computer, you provide the phone number that is associated with your Microsoft account. Microsoft will then send you a text message that contains a security code, which you enter in the sign-in screen. Once logged in, you finish setting up the account. Afterward, you need to select and set up an alternative authentication method. For example, you can use Windows Hello to set up biometric authentication (e.g., face or fingerprint recognition).

  1. Redesigned “Sign-in options” Page in the Settings App

Microsoft redesigned the “Sign-in options” page in the Settings app to make it easier for Windows 10 users to select and set up an alternative authentication method if desired. Once the May 2019 Update is installed, the “Sign-in options” page — which you can find in the “Accounts” section of the Settings app — clearly outlines the available authentication methods. For example, the indistinct “Windows Hello” option has been replaced with the three main authentication methods available using this solution: “Windows Hello Face”, “Windows Hello Fingerprint”, and “Windows Hello PIN”. Plus, the “Sign-in options” page now includes the “Security Key” option so that you can set up a physical security key (e.g., USB security key) directly from that page.

Besides making it easier to select and set up alternative authentication methods, Microsoft has redesigned some of the supporting processes. For instance, the process used to reset Windows Hello PINs has been streamlined. It is now more like the process used to reset passwords online.

  1. Enhancements in the Windows Security App

The Windows Security app lets you view and manage Windows 10’s built-in security tools, such as Windows Firewall and Windows Defender Antivirus. Two enhancements to Windows Security are being rolled out through the May 2019 Update:

  • “Tamper Protection”. This new feature is designed to protect against unauthorized changes to security settings in Windows 10. It alerts you if someone or something (e.g., an app) is trying to change an important security setting.
  • Redesigned “Protection History” page. This page shows the actions taken by the Windows Security app to protect your computer. It now includes information about attempts to access controlled folders but were blocked by either the “Controlled folder access” tool in the Windows Security app or an Attack Surface Reduction Rule. Microsoft also made the information about the threats detected by Windows Defender Antivirus more detailed and easier to understand.
  1. Windows Sandbox

You can save money by using free apps from the Internet. However, there is always the risk that the apps contain malware. The new Windows Sandbox provides you with a safe way to test potentially dangerous apps.

When you launch Windows Sandbox, it uses virtualization technology to create an isolated desktop environment, which is called a sandbox. You then install the untrusted app in the sandbox and run it. If the app contains malware, it won’t infect the computer. When you close Windows Sandbox, the app and all its files are permanently deleted. Windows Sandbox is available in Windows 10 Pro and Windows 10 Enterprise only.

  1. Better Control Over Who Can See and Hear You

Spyware is a threat to both individuals and businesses. Hackers use it to get sensitive data or images, which they sell on the dark web marketplace. One way cybercriminals spy on their victims is by using the computers’ microphones and cameras.

To help detect spyware, the May 2019 Update adds a new icon that appears when a computer’s microphone is being used. You can find out which app is using it by hovering your mouse over the icon. If more than one app is using the microphone, it will display the number of apps using it.

In addition, you can now specify whether websites can use your camera and microphone if you use Windows Defender Application Guard. When Application Guard is enabled, Windows 10 launches Microsoft Edge in an isolated virtualized environment so that malicious web pages won’t harm your computer. Application Guard is available in Windows 10 Pro and Windows 10 Enterprise only.

Windows 10 upgrade flickr photo by bossco shared under a Creative Commons (BY-SA) license