Category Archives: Security and compliance

So you have WiFi broadband? Probably not…

It’s a common misconception that we hear a lot. So what and why? To explain I need to go into some brief details on how you actually use ‘The Internet’.

‘The Internet’ (at least the bit you use) is best thought of as a long chain of separate links. They all have to work in harmony, or you won’t be able to use the system. Let’s look at a (very simplified) example: you want to look at the BBC website.


  1. You type ‘bbc.co.uk’ into your web browser.
  2. Your laptop processes this and works out you need an Internet connection.
  3. According to its rules the laptop passes the request onto your LAN (Local Area Network) connection.
  4. Your LAN connection contacts your router/hub and forwards the request.
  5. Your router/hub acts according to its rules and sends your request to its WAN (Wide Area Network) connection.
  6. The WAN connection sends this request down the cable(?) that connects your house to your provider’s exchange unit.
  7. The exchange unit takes your message (along with many other customers’ requests) and relays them along the (increasingly high capacity) web of transmission systems that is the backbone of The Internet.
  8. At the appropriate point your message exits the Internet backbone and passes up the local cable to the BBC’s server facility.
  9. In this facility it passes through the appropriate firewalls & routers until it arrives at the server hosting the BBC website.
  10. This web server looks at your request, chooses the appropriate content, and then sends this back – essentially reversing down the path I have just described above.

Now, in all of this, your ‘Broadband’ or ‘Internet connection’ is just Step 6 – the bit that connects the router in your house to the exchange of your ISP (Internet Service Provider). And, overwhelmingly, this is delivered via a cable: either copper or – increasingly – optical fibre. The only people who have “Wireless Broadband” are customers of specialist services, like AirBand or Elon Musk’s StarLink. Otherwise you don’t have ‘wireless broadband’!

There is another alternative. You can use the mobile phone data network (a.k.a. 4G or 5G) to provide the link between your router and the Internet. This is also a form of ‘wireless broadband’. We use this quite often to provide backup Internet connections where the cabled connection is unreliable or undergoing maintenance.

So where does this misconception come from? The answer is straightforward. Most devices these days (smartphones, tablets, many laptops) make the connection to your router (Step 4) using WiFi. And so users use the shorthand ‘WiFi broadband’.

And another thing. Look at the list above (which is somewhat shortened for simplicity!). It’s a sequential chain, and it only moves as fast as the slowest link. So when a user says “my broadband is slow” it could be any one (or more) of these links – most of which neither they nor we have any influence over. King Canute had it right, and I bow to his wisdom!

An easy trap to fall into

No apologies for going back to the subject of mail compliance. And this time it’s an obvious and easy trap that you could fall into when configuring your SPF record.

The SPF record for Back Office It

By way of explanation, your SPF record is something you publish: it contains a list of the server(s) that you have authorised to send out your emails. When we send out an email from backofficeit.co.uk the recipient looks at the source server, checks it against our published SPF list, and gives it the go/no-go based on what it finds. In this way recipients are protected against ‘spoof’ emails (scammers pretending to be us). The trap comes when you use Microsoft365 (Office365) for your emails. Your SPF record is now spf.protection.outlook.com – which sounds fine. But every other Office365 user on the planet comes off the same server. So the SPF record check does NOT say “this is definitely from backofficeit.co.uk”. It simply says “this is from an Office365 user & Office365 is good for backofficeit.co.uk”. Which is not where you want to be at all!

The solution is to use an outbound mail relay. The one we have partnered with has many useful features. But, in this case, it has its own SPF identity. And, as part of their system, they monitor for exactly the scenario we are guarding against: therefore we use that instead of the Office365 one. And now the receiver can say with much higher confidence that this email is really from us.
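To make the trap concrete, here is an added example (my own illustration, not code from Back Office It or their relay partner): a minimal SPF evaluator that resolves include: mechanisms against a constructed DNS table instead of real DNS. Only the name spf.protection.outlook.com comes from the post; the address ranges, the second tenant domain and the relay.example / backofficeit-with-relay.example names are invented placeholders. It shows that an address authorised through the shared include passes the check for every domain that includes it, whereas a domain whose record names its own dedicated relay only passes for that relay's address.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Only spf.protection.outlook.com is
# taken from the post; every address range and the other names are invented.
DNS_TXT = {
    "backofficeit.co.uk": "v=spf1 include:spf.protection.outlook.com -all",
    "another-tenant.example": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",  # placeholder shared range
    "relay.example": "v=spf1 ip4:198.51.100.10 -all",               # hypothetical dedicated relay
    "backofficeit-with-relay.example": "v=spf1 include:relay.example -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `sender_ip`.

    Supports the ip4, include and all mechanisms, which is enough to show the
    shared-include problem. Returns pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:  # RFC 7208 limits include chains to 10 DNS lookups
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        if term == "all":
            return result
        mechanism, _, argument = term.partition(":")
        if mechanism == "ip4":
            if ip in ipaddress.ip_network(argument, strict=False):
                return result
        elif mechanism == "include":
            # An include only matches when the referenced record yields "pass".
            if check_spf(argument, sender_ip, depth + 1) == "pass":
                return result
    return "neutral"


def domains_accepting(sender_ip, domains):
    """Which of `domains` would accept mail from `sender_ip` on SPF alone?"""
    return [d for d in domains if check_spf(d, sender_ip) == "pass"]


if __name__ == "__main__":
    tenants = ["backofficeit.co.uk", "another-tenant.example", "backofficeit-with-relay.example"]
    print("shared-infrastructure address:", domains_accepting("203.0.113.25", tenants))
    print("dedicated relay address:     ", domains_accepting("198.51.100.10", tenants))
```

Run stand-alone, the first line lists both domains that include the shared record, which is exactly the weakness described: the receiving server can only conclude that the message came from the shared platform, not from a specific customer of it. The second line lists only the domain whose record names the dedicated relay.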

20% of the world’s computers offline?

Some shouty headlines tell us that 20% of the world’s computers were taken down by the CrowdStrike problem. Well, not really. Microsoft say the true figure is about 8.5 million – still a lot, but closer to 1% than 20%.

So, what & why? CrowdStrike is a high-end PC protection suite (think anti-virus and more) which is supposed to protect key Windows systems from falling foul of the bad guys & maintain high levels of availability. Oh, the irony.

On 19 July CrowdStrike released an update for its software. Due to an error in the update millions of Windows PCs around the world crashed. The reason it was so devastating is in the innocent phrase ‘high-end’. This meant it was a favourite for important systems, such as banks, airlines and so on. Hence the huge impact on the public & the economy. Read up on it here.

But here’s my question. Why is none of this stuff tested properly? Call me old fashioned, but if I wrote a bit of code that caused my test PC to go into a permanent sulk I’d probably think twice before punting it out to 8,500,000 customers.

We’re seeing more of this. Products that break almost as soon as they are out of the box. Clearly they haven’t been tested in anything like a rigorous manner. It seems that, in this post-truth world, testing is old-fashioned, restrictive, time-consuming & expensive. And, conveniently for the bottom line, can be dispensed with. Trip to see the Titanic in an untested & unlicensed submarine anyone? I’m sure there were loads of people who thought it was cool & modern to sidestep all the boring testing & validation mandated for these things. Not so much now, eh?

It’s not as popular as they thought!

For a decade now suppliers have been fixated with the ‘subscription model’ of commerce. This was based on one of the most frequently violated rules of statistics – you can interpolate but not extrapolate.

It all seems to have started with the mobile phone boom – which, in the early days, saw the cost of the handset bundled into the monthly subscription for the phone service. And, so they reasoned, the public would be equally keen to buy pretty much everything else on the subscription model. Yea! Regular income! The added bonus (from their point of view) was the amount of personal data they could harvest along the way.

The public, however, were not so keen. We noticed the almost total resistance from clients over moving to Office365. Why, they reasoned, should they pay hundreds of pounds per month for a product that they had, historically, bought outright?

But some companies took it even further. Our least-favourite printer manufacturer (HP) produced printers that were online 24/7 spying on you, automatically ordering consumables and snitching to Big Brother should you attempt to use compatible toners. And, in the early days, stopping the printer if you persisted. All the while plundering your bank account month in, month out.

Well, the public was less than enthusiastic – and HP have finally given up. Read the story here.

What does a ‘phishing’ email look like?

It’s estimated that more than 80% of data breaches are initiated by the recipient dealing with a ‘phishing’ email inappropriately. So, what is happening?

Phishing email

‘Phishing’ emails are emails designed to get you, the recipient, to divulge personal/sensitive data to an unauthorised third-party (a.k.a. ‘scammer’).

The image is a screen grab of one we received today. Looks good, doesn’t it? It’s a very reasonable copy of the genuine HMRC emails that we get from time to time. But it’s definitely not!

The idea of the scam is to get you to click the inviting blue button to “view the important message”. This will take you to a website – not HMRC, but one controlled by the scammers. I have no doubt that it too will look pretty much exactly like the official HMRC one. You will enter your HMRC login credentials into the inviting boxes you find there. And – bingo! – the scammers now have your HMRC login details.

“Ah ha” you cry! “I have 2FA set up” – I need to type the security key from my phone in addition to the username & password. This is not a problem. One way around this is that when you attempt to log in to the fake website the login will be rejected for some spurious reason. The scammer has been alerted, and is now monitoring your actions. He’s on the real HMRC website with your login details entered. The fake website now asks you to log in again. This time the scammer is waiting, sees the 2FA token you type in. And, as long as he can do it within the expiry time of the 2FA token, he is now into your account free and clear. Which won’t end well for you!

The scam revealed

How do you protect yourself against this sort of attack? Firstly nothing can be better than your own common sense and attention to detail. Be suspicious of absolutely everything.

You can start by hovering your mouse over the blue button (don’t click it!!). In most cases this will reveal the true destination of the button click. In this case the destination website is ‘hairyerotica.com’ – which doesn’t sound like HMRC to me! Just be aware that this might not work well on your smartphone, so be really careful with this.

If it looks OK then you can proceed. If there’s the slightest element of doubt use the ‘sandbox’ feature of your PC’s security endpoint. If a webpage opens make sure it really is where you expect to be (e.g. if it’s not .gov.uk then run a mile). Look at the SSL data. There’s a chance that your PC’s security endpoint will have a database of dodgy websites & jump in to protect you – but this isn’t 100%. There’s a new generation of protection systems designed specifically to protect you from this type of threat which are maturing as we speak. As ever, you can always give us a ring.
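The hover check can also be done on the email’s source, which is handy when you are on a phone and hovering is awkward. Here is an added example (mine, not anything from the post or its author): a small Python script that pulls every link out of a constructed HTML email body in the style described above, compares the real destination with the visible link text and with a short trusted-domain list (.gov.uk, as suggested above), and flags everything else. The sample body and the .example domains in it are invented.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body in the style the post describes: official-looking
# text, but the button's href points somewhere else. All domains are invented.
SAMPLE_EMAIL = """
<p>You have a new message from HMRC.</p>
<a href="https://secure-hmrc-messages.example/login">View the important message</a>
<a href="https://www.gov.uk/log-in-register-hmrc-online-services">www.gov.uk</a>
<a href="http://www.gov.uk.login-portal.example/">https://www.gov.uk</a>
"""

# Domains the reader expects this kind of message to come from (assumption).
TRUSTED_SUFFIXES = (".gov.uk",)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted_host(host):
    return any(host == suffix.lstrip(".") or host.endswith(suffix) for suffix in TRUSTED_SUFFIXES)


def audit_links(html):
    """Return (href, visible text, verdict) for each anchor.

    verdict is 'ok' (trusted destination), 'mismatch' (visible text shows a
    URL whose host differs from the real destination) or 'untrusted'.
    """
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = host_of(href)
        looks_like_url = text.lower().startswith(("http://", "https://", "www."))
        if is_trusted_host(host):
            verdict = "ok"
        elif looks_like_url and host_of(text if "://" in text else "http://" + text) != host:
            verdict = "mismatch"
        else:
            verdict = "untrusted"
        results.append((href, text, verdict))
    return results


if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {text!r} -> {href}")
```

The third sample link is the one worth studying: its host is www.gov.uk.login-portal.example, so a glance at the first few characters is not enough; the check has to look at the whole host, which is why the script compares against a suffix rather than a prefix.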

 

Look after your customers – reboot your router!

A typical WiFi router

If you offer WiFi to your customers you are probably letting them down! Whatever you might think about customers coming to your café, and then sitting glued to their smartphones, it is a service that most people expect. Certainly if you offer it then it’d better work! I’m sure you think everything is fine. Your customers – probably not so much! So, what’s the issue here? We need to go a bit technical, but the fix is easy!

Here are the salient points:

  • For a device (laptop, mobile, whatever) to connect to your network it needs an address. We don’t need to get too technical, but just know that there’s a limited number (about 200) available & each device has to have a number different to anything else on your network.
  • When the device connects, your WiFi router will hand it an unused number from its pool.
  • When the router runs out of unused numbers then no more devices can connect.

You might think 200 devices is plenty – and, in a domestic environment, it is. But in a busy shop, café, railway terminal etc. it’s not that generous. Sure, the provision of the number to a device has an expiry built in (called TTL or Time To Live). This means that, when a customer leaves, their number will eventually be returned to the pool for re-use. But, judging by the number of times I fail to connect to a facility’s WiFi, it doesn’t happen fast enough.

What does it look like when your customers suffer from this lack? Their mobile will say “connected, obtaining IP address” and not have Internet access.

So, what can you do?

  • The first, and easiest, remedy is to regularly power-cycle the router. Yes, the old “turn it off, then turn it on again!” trick. Make this part of your morning start-up routine.

For the rest, we need access to the router – more specifically the DHCP portion. If this is beyond you then you can always give us a ring.

  • Inspect the DHCP ‘pool’, and ensure it’s as big as possible. Different routers display the setting in different ways. But you should make sure that the pool is at least 225.
  • Turn down the TTL. This is normally expressed in seconds, so 3600 is one hour. Probably plenty. If this is too large then the router will hold onto that allocation well after the customer has left*.
  • Change the WiFi password regularly. If you don’t then that one-time visitor from last year will walk past your café, automatically connect, and bag an address from the pool.

A few notes for the curious.

  • What we are talking about here is IPv4 addressing. This is generally expressed as four clusters of three digits (e.g. 192.168.121.064). You can’t fiddle with the first three clusters, it’s only the last one that changes: and it varies from 000 – 255. For various technical reasons you can’t use the first or last. And the router will use one, generally 001 (or 254 if you’re a BT customer). I generally set the pool at 011 – 240. If you are really curious have a look here.
  • If the TTL expires while the device is still connected it simply gets renewed, so not a problem.
  • If you have ‘static’ kit (network printers, tills, card machines etc.) then always deal with these using a “DHCP Reservation” – NEVER NEVER allow them to have a “hard-coded IP address”!
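To show why the pool size and the TTL matter, here is an added simulation (mine, not anything from the post or from a particular router’s firmware): a toy DHCP pool run through a constructed café day. It uses the 011 – 240 pool from the notes above, compares a 24-hour lease with the one-hour lease recommended above, renews an address while the device is still connected (as the note says), and includes the power-cycle remedy. The arrival rate, dwell time and renewal interval are invented.

```python
from dataclasses import dataclass


@dataclass
class Lease:
    client: str
    expires: int  # simulation minute at which the address goes back to the pool


class DhcpPool:
    """Toy model of a router's DHCP pool: a range of host numbers handed out
    with a lease time (what the post calls the TTL)."""

    def __init__(self, first_host, last_host, lease_minutes):
        self.free = list(range(first_host, last_host + 1))
        self.leases = {}  # host number -> Lease
        self.lease_minutes = lease_minutes
        self.refused = 0

    def expire(self, now):
        """Return every address whose lease has run out to the free list."""
        for host, lease in list(self.leases.items()):
            if lease.expires <= now:
                del self.leases[host]
                self.free.append(host)

    def request(self, client, now):
        """Hand the client an address, or None when the pool is exhausted."""
        self.expire(now)
        for host, lease in self.leases.items():
            if lease.client == client:  # still connected: renewal keeps the address
                lease.expires = now + self.lease_minutes
                return host
        if not self.free:
            self.refused += 1  # the "connected, obtaining IP address" case
            return None
        host = self.free.pop(0)
        self.leases[host] = Lease(client, now + self.lease_minutes)
        return host

    def power_cycle(self):
        """The 'turn it off and on again' remedy: every lease is forgotten."""
        self.free = sorted(self.free + list(self.leases))
        self.leases.clear()


def simulate_cafe_day(pool_size, lease_minutes, customers=360, arrival_gap=2,
                      stay=30, renew_every=10):
    """Constructed busy day: a new phone every `arrival_gap` minutes, each
    staying `stay` minutes and renewing every `renew_every` minutes while
    present. Returns how many customers were refused an address."""
    pool = DhcpPool(11, 11 + pool_size - 1, lease_minutes)
    events = []
    for k in range(customers):
        arrive = k * arrival_gap
        events.append((arrive, k, "arrive"))
        for t in range(arrive + renew_every, arrive + stay, renew_every):
            events.append((t, k, "renew"))
    connected = set()
    for when, k, kind in sorted(events):
        client = f"phone-{k}"
        if kind == "renew" and client not in connected:
            continue  # never got an address, so there is nothing to renew
        if pool.request(client, when) is not None:
            connected.add(client)
    return pool.refused


if __name__ == "__main__":
    print("24-hour lease, pool 011-240:", simulate_cafe_day(230, 24 * 60), "customers refused")
    print("1-hour lease,  pool 011-240:", simulate_cafe_day(230, 60), "customers refused")
```

With the long lease nothing is returned to the pool during the day, so once 230 phones have been seen every later arrival is refused even though most of those phones left hours ago; with the one-hour lease the pool never runs dry under the same traffic.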

Blocking scam emails

I thought you’d like to see what all this email compliance effort looks like in practice. The image is of stats for our outgoing email, as seen by our monitoring system. The green represents compliant (i.e. genuine) emails that we have sent – viewed as a percentage of our mail traffic. The red represents non-compliant (i.e. scam) emails that we didn’t send (mostly originating in Russia). There are a lot of them! These emails claim to be from us (i.e. someone @backofficeit.co.uk) – but, because they fail the compliance checks we have put in place, the receiving servers have blocked them. Which is what we want.
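The post does not say which monitoring system produces the chart. The usual source for this kind of pass/fail percentage is the aggregate (RUA) report that receiving servers send back under DMARC, so here is an added example (mine, not Back Office It’s tooling) that parses one such report and produces the green/red split described above. The report below is constructed: the receiver name, source addresses and counts are invented, and the domain is only used as the header-from value.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate report. The element layout follows the standard
# report schema; the receiver, addresses and counts are invented.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1720000000</begin><end>1720086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>backofficeit.co.uk</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>backofficeit.co.uk</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip>
      <count>880</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>backofficeit.co.uk</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Split a DMARC aggregate report into compliant, blocked and other message
    counts, plus the compliant share as a percentage (the 'green' figure)."""
    root = ET.fromstring(xml_text)
    compliant = blocked = other = 0
    sources = {}
    for record in root.iter("record"):
        count = int(record.findtext("row/count"))
        source = record.findtext("row/source_ip")
        evaluated = record.find("row/policy_evaluated")
        dkim = evaluated.findtext("dkim")
        spf = evaluated.findtext("spf")
        disposition = evaluated.findtext("disposition")
        # In policy_evaluated, dkim/spf are the aligned results, so either
        # passing means the message passed DMARC.
        if dkim == "pass" or spf == "pass":
            compliant += count
        elif disposition in ("reject", "quarantine"):
            blocked += count  # the receiver dropped or quarantined the forgery
        else:
            other += count  # failed but still delivered (policy p=none)
        sources[source] = sources.get(source, 0) + count
    total = compliant + blocked + other
    return {
        "receiver": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "compliant": compliant,
        "blocked": blocked,
        "other": other,
        "compliant_pct": round(100 * compliant / total, 1) if total else 0.0,
        "by_source": sources,
    }


if __name__ == "__main__":
    summary = summarise_report(SAMPLE_REPORT)
    print(f"{summary['receiver']} saw {summary['compliant']} genuine and "
          f"{summary['blocked']} blocked messages for {summary['domain']} "
          f"({summary['compliant_pct']}% compliant)")
    for source, count in summary["by_source"].items():
        print(f"  {source:15} {count}")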

It’s to avoid this deluge of scam emails that servers around the world are tightening up on compliance. If your email is non-compliant one of two things is going to happen.

  1. People are going to receive scam emails claiming to be from you. This is why many professional bodies are now insisting that email systems are made compliant, because you can see how much damage this could cause.
  2. Well-behaved servers will receive your email and, because it isn’t compliant, delete it just to be safe.

I leave it to you to decide which is the worst option.

What amazes me is how many people we tell about this have still not done anything about it. Apart from an hour of someone’s time there is no cost*. And yet we point all of this out to people and, weeks later, nothing has improved. Why? It just needs to get done.
* For all the features & delivery stats there is a small annual fee. But the important basics are free.

The end of Windows 10

Winver display

Microsoft are starting their countdown to the end of Windows 10. If you have the very latest version (Windows 10 22H2) then that date is October 14th 2025. Older versions expire sooner! And yes, this is because Microsoft want you to move to Windows 11!

What does this mean to you, and what do you need to do about it? Let’s dive in.

  1. What version have I got? To find out type winver into your computer’s search box on the taskbar & press return. You’ll get a box like the one in the illustration. You can see my PC is Windows 11 Version 23H2.
  2. When does my version expire? Microsoft have published a guide here.
  3. Can I update? If you go to the Windows Update task on your computer you’ll see what you can update on your current system. This page will tell you if you can update to Windows 11 – or not, as the case may be.
  4. Should I update? In general, the answer is ‘yes’. Keeping your Windows (indeed, all your software) updated is a crucial part of maximising the security of your system.
  5. My machine says I can’t upgrade to Windows 11 – what can I do? In general this means a new PC/laptop. This is because certain key security features in Windows 11 rely on bits of hardware that may not be present in older systems.
  6. And if I don’t? Your PC will not stop working overnight! What will actually happen is that Microsoft will stop researching & developing fixes for problems within the Windows 10 operating system. The concern is that should a hacker discover a flaw in Windows 10 they can exploit it at will, as the flaw will not be discovered & remediated by Microsoft. If you are a domestic user then that might be a risk you are willing to run. For a business user, however, this is unacceptable. Your Cyber Essentials certification, and probably your business insurance, let alone your liabilities to your customers & suppliers, would all be in dire straits should you be running an unsupported version of Windows.


As ever, if you need help or advice, give us a ring on 01905 426364