Category Archives: Security and compliance

It’s not as popular as they thought!

For a decade now suppliers have been fixated on the ‘subscription model’ of commerce. This was based on one of the most often violated rules of statistics: you can interpolate but not extrapolate.

It all seems to have started with the mobile phone boom – which, in the early days, saw the cost of the handset bundled into the monthly subscription for the phone service. And, so they reasoned, the public would be equally keen to buy pretty much everything else on the subscription model. Yea! Regular income! The added bonus (from their point of view) was the amount of personal data they could harvest along the way.

The public, however, were not so keen. We saw almost total resistance from clients to moving to Office 365. Why, they reasoned, should they pay hundreds of pounds per month for a product that they had, historically, bought outright?

But some companies took it even further. Our least-favourite printer manufacturer (HP) produced printers that were online 24/7 spying on you, automatically ordering consumables and snitching to Big Brother should you attempt to use compatible toners; in the early days they would even stop the printer if you persisted. All the while plundering your bank account month in, month out.

Well, the public was less than enthusiastic, and HP have finally given up. Read the story here.

What does a ‘phishing’ email look like?

It’s estimated that more than 80% of data breaches start with a recipient mishandling a ‘phishing’ email. So, what is happening?

Phishing email

‘Phishing’ emails are emails designed to get you, the recipient, to divulge personal/sensitive data to an unauthorised third-party (a.k.a. ‘scammer’).

The image is a screen grab of one we received today. Looks good, doesn’t it? It’s a very reasonable copy of the genuine HMRC emails that we get from time to time. But it’s definitely not!

The idea of the scam is to get you to click the inviting blue button to “view the important message”. This will take you to a website: not HMRC, but one controlled by the scammers. I have no doubt that it too will look pretty much exactly like the official HMRC one. You will enter your HMRC login credentials into the inviting boxes you find there. And – bingo! – the scammers now have your HMRC login details.

“Ah ha” you cry! “I have 2FA set up”: I need to type the code from my phone in addition to the username and password. This is not a problem for the scammer. One way around it works like this. When you attempt to log in at the fake website the login is rejected for some spurious reason. The scammer has been alerted and is now watching your actions. He is on the real HMRC website with your login details already entered. The fake website now asks you to log in again. This time the scammer is waiting, sees the 2FA code you type in and, as long as he submits it within the expiry time of that code, he is into your account free and clear. Which won’t end well for you! Codes from an authenticator app or a text message can be relayed like this because nothing ties the code to the website you typed it into.
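The exchange just described, as an added example that is not part of the original post: a stand-in for the real site that accepts RFC 6238 TOTP codes, and a fake site that rejects the first login, captures the second and relays it. The account, password, secret and timestamps are constructed; the RFC test-vector key is used as the authenticator secret. Run it and the scammer wins when he acts within the 30-second step and loses when he is a minute late.

```python
"""Simulated real-time 2FA relay against a site that uses six-digit TOTP codes.

Added example, not code from the original post: the service, the account and
the secret are constructed; the one-time codes follow RFC 6238 (TOTP over
RFC 4226 HOTP), which is what authenticator apps generate.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the 30-second time step."""
    return hotp(secret, int(now // step), digits)


class RealService:
    """Stand-in for the genuine site (the page's HMRC). It only accepts the code
    for the current time step, so a captured code is worthless once that passes."""

    def __init__(self, users):
        self.users = users      # username -> (password, totp_secret)
        self.sessions = []      # session tokens issued so far

    def login(self, username, password, code, now):
        pw, secret = self.users.get(username, (None, None))
        if pw is None or pw != password or code != totp(secret, now):
            return None
        token = f"session:{username}:{int(now)}"
        self.sessions.append(token)
        return token


class PhishingRelay:
    """The scammers' look-alike site. The first submission is 'rejected for some
    spurious reason' (credentials captured, scammer alerted); the second one is
    typed straight into the real site while the code is still valid."""

    def __init__(self, target, relay_delay):
        self.target = target
        self.relay_delay = relay_delay   # seconds the scammer needs to act
        self.captured = []               # (username, password, code) tuples
        self.stolen_sessions = []

    def submit(self, username, password, code, now):
        self.captured.append((username, password, code))
        if len(self.captured) == 1:
            return "Login failed, please try again"         # spurious rejection
        token = self.target.login(username, password, code,
                                  now + self.relay_delay)   # relayed by hand
        if token:
            self.stolen_sessions.append(token)
        return "Service temporarily unavailable"            # victim never gets in


def run_scenario(relay_delay: float) -> int:
    """Victim logs in twice at the fake site, typing the code their app shows at
    that moment. Returns how many real sessions the scammers walked away with."""
    secret = b"12345678901234567890"          # constructed demo secret (RFC test key)
    real = RealService({"victim": ("hunter2", secret)})
    fake = PhishingRelay(real, relay_delay)
    t0 = 1_700_000_012.0                      # 2 seconds into a 30-second step
    fake.submit("victim", "hunter2", totp(secret, t0), t0)
    fake.submit("victim", "hunter2", totp(secret, t0 + 5), t0 + 5)
    return len(fake.stolen_sessions)


if __name__ == "__main__":
    print("scammer acts within 10 s:", run_scenario(10.0), "session(s) stolen")
    print("scammer acts after 60 s :", run_scenario(60.0), "session(s) stolen")
```

The real site does nothing wrong here: the password and the code are both genuine, they just arrive from the wrong person. That is why the defence is spotting the fake site before you type, not the second factor on its own.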

The scam revealed

How do you protect yourself against this sort of attack? Firstly, nothing beats your own common sense and attention to detail. Be suspicious of absolutely everything.

You can start by hovering your mouse over the blue button (don’t click it!). In most cases this will reveal the true destination of the link. In this case the destination website is ‘hairyerotica.com’, which doesn’t sound like HMRC to me! Be aware that hovering doesn’t work on a smartphone (a long press on the link usually shows the address instead), so be really careful there.

If it looks OK then you can proceed. If there’s the slightest element of doubt use the ‘sandbox’ feature of your PC’s security endpoint. If a webpage opens make sure it really is where you expect to be (e.g. if the address isn’t under .gov.uk then run a mile). Look at the address bar and the certificate, not just the padlock: scam sites get valid certificates too, so the padlock only tells you the connection is encrypted, not that the site is genuine. There’s a chance that your PC’s security endpoint will have a database of dodgy websites and jump in to protect you, but this isn’t 100%. A new generation of protection systems designed specifically for this type of threat is maturing as we speak. As ever, you can always give us a ring.
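The hover check, done for every link in a message at once, as an added example that is not from the original post. It pulls each link out of the HTML, reports the host it really points at, and flags two things: a destination outside the domain the mail claims to come from, and visible link text that is itself a URL but not the one the link goes to. The message is constructed; the scam hostname `scam-gateway.example` stands in for the one in the post, and treating `.gov.uk` as the only trusted suffix is an assumption about who the mail claims to be from.

```python
"""Show where the links in an HTML email really point, as the mouse-hover
check does, but for every link at once.

Added example, not from the original post. The message below is constructed;
its scam hostname (scam-gateway.example) stands in for the one in the post, and
the 'trusted' suffix is an assumption about who the mail claims to be from.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SUFFIXES = (".gov.uk",)     # assumption: the sender claims to be HMRC

SAMPLE_EMAIL = """<html><body>
<p>You have a new message from HMRC.</p>
<p><a href="https://www.gov.uk/log-in-register-hmrc-online-services">Sign in</a></p>
<p><a href="https://hmrc.scam-gateway.example/login">View the important message</a></p>
<p><a href="http://www.gov.uk.scam-gateway.example/">https://www.gov.uk/</a></p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    # Match on a whole label: 'www.gov.uk' passes, 'www.gov.uk.evil.example' does not.
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_SUFFIXES)


def audit_links(html: str) -> list:
    """Return one finding per link: the real host and why (if) it looks wrong."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not is_trusted(host):
            reasons.append("destination is not under a trusted domain")
        # Classic trick: the visible text is itself a URL, but a different one.
        if text.startswith(("http://", "https://")) and host_of(text) != host:
            reasons.append("visible URL does not match the real destination")
        findings.append({"text": text, "host": host, "reasons": reasons,
                         "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['host']:35} {f['text']!r}")
```

The third link is the one to learn from: the text you see says gov.uk, and the host even starts with `www.gov.uk`, but the registered domain is the last two labels, so a suffix match on the whole name is what catches it.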


Look after your customers – reboot your router!

A typical WiFi router


If you offer WiFi to your customers you are probably letting them down! Whatever you might think about customers coming to your café and then sitting glued to their smartphones, it is a service that most people expect. Certainly if you offer it then it had better work! I’m sure you think everything is fine. Your customers, probably not so much! So, what’s the issue here? We need to get a bit technical, but the fix is easy!

Here are the salient points:

  • For a device (laptop, mobile, whatever) to connect to your network it needs an address (an IP address). We don’t need to get too technical, but just know that there is a limited number available (about 250 on a typical router) and each device has to have a number different from everything else on your network.
  • When the device connects, your WiFi router hands it an unused number from its pool (the mechanism is called DHCP).
  • When the router runs out of unused numbers then no more devices can connect.

You might think 250 devices is plenty, and in a domestic environment it is. But in a busy shop, café, railway terminal etc. it’s not that generous. True, the allocation comes with an expiry built in, the DHCP ‘lease time’ (often loosely called the TTL). This means that, when a customer leaves, their number is eventually returned to the pool for re-use. But, judging by the number of times I fail to connect to a facility’s WiFi, it doesn’t happen fast enough.

What does it look like when your customers suffer from this lack? Their mobile will say “connected, obtaining IP address” and not have Internet access.

So, what can you do?

  • The first, and easiest, remedy is to power-cycle the router regularly. Yes, the old “turn it off, then turn it on again!” trick. On most consumer routers this wipes the lease table, which is why it works. Make it part of your morning start-up routine.

For the rest, we need access to the router – more specifically the DHCP portion. If this is beyond you then you can always give us a ring.

  • Inspect the DHCP ‘pool’ and make sure it’s as big as possible. Different routers display the setting in different ways, but you should make sure that the pool covers at least 225 addresses.
  • Turn down the lease time (some routers label it TTL). It is normally expressed in seconds, so 3600 is one hour, which is probably plenty. If it is too long the router will hold on to the allocation well after the customer has left*.
  • Change the WiFi password regularly. If you don’t then that one-time visitor from last year will walk past your café, automatically connect, and bag an address from the pool.

A few notes for the curious.

  • What we are talking about here is IPv4 addressing, generally written as four numbers separated by dots (e.g. 192.168.121.64). You can’t fiddle with the first three; it’s only the last one that changes, and it runs from 0 to 255. For technical reasons you can’t use the first (0, the network address) or the last (255, the broadcast address), and the router takes one for itself, generally 1 (or 254 if you’re a BT customer). I generally set the pool at 11 to 240. Don’t write the numbers with leading zeros (064, 011): some software reads those as octal. If you are really curious have a look here.
  • If the lease expires while the device is still connected it simply gets renewed (a client asks for renewal halfway through its lease), so that’s not a problem.
  • If you have ‘static’ kit (network printers, tills, card machines etc.) then always deal with these using a “DHCP Reservation”. NEVER NEVER allow them to have a “hard-coded IP address”: a fixed address that sits inside the pool will sooner or later be handed to a customer’s phone as well, and the till drops off the network.

Blocking scam emails

I thought you’d like to see what all this email compliance effort looks like in practice. The image shows the stats for our outgoing email, as seen by our monitoring system. The green represents compliant (i.e. genuine) emails that we have sent, viewed as a percentage of our mail traffic. The red represents non-compliant (i.e. scam) emails that we didn’t send (mostly originating in Russia). There are a lot of them! These emails claim to be from us (i.e. someone @backofficeit.co.uk) but, because they fail the sender-authentication checks (SPF, DKIM and DMARC) we have put in place, the receiving servers have blocked them. Which is what we want.

It’s to avoid this deluge of scam emails that servers around the world are tightening up on compliance. If your email is non-compliant one of two things is going to happen.

  1. People are going to receive scam emails claiming to be from you. This is why many professional bodies are now insisting that email systems are made compliant: you can see how much damage this could cause.
  2. Well-behaved servers will receive your email and, because it isn’t compliant, quarantine or delete it just to be safe.

I leave it to you to decide which is the worst option.

What amazes me is how many of the people we tell about this have still done nothing about it. Apart from an hour of someone’s time there is no cost*. And yet we point all of this out to people and, weeks later, nothing has improved. Why? It just needs to get done.
* For all the features & delivery stats there is a small annual fee. But the important basics are free.
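How the green and red figures in the chart above are produced, as an added example that is not the post’s own monitoring code. It assumes the compliance checks are SPF, DKIM and DMARC, and that the monitoring is fed by the XML aggregate reports receiving servers send to the address published in the DMARC record. The report below is constructed (documentation-range IP addresses, made-up counts); it contains one genuine sending server, one forwarder that kept the DKIM signature but broke SPF, and one rogue source.

```python
"""Turn a DMARC aggregate report into the 'green vs red' figures in the post.

Added example, not the post's own monitoring code. It assumes the compliance
checks are SPF, DKIM and DMARC, and that the monitoring is fed by the XML
aggregate reports receiving servers send to the address in the DMARC record.
The report below is constructed, with documentation-range IP addresses.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>mail.receiver.example</org_name>
    <report_id>1234</report_id>
  </report_metadata>
  <policy_published>
    <domain>backofficeit.co.uk</domain><p>reject</p>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>backofficeit.co.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.11</source_ip><count>10</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>backofficeit.co.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>150</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>backofficeit.co.uk</header_from></identifiers>
  </record>
</feedback>"""


def summarise(report_xml: str) -> dict:
    """Count messages that passed DMARC (aligned DKIM or aligned SPF) against
    those that failed, and list the sources of the failures."""
    root = ET.fromstring(report_xml)
    totals = Counter()
    failing_sources = Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes if either authenticated identity aligns with the From:
        # domain; the report's dkim/spf elements already carry the aligned result.
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        totals["compliant" if passed else "non_compliant"] += count
        if not passed:
            failing_sources[row.findtext("source_ip")] += count
    total = sum(totals.values())
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "compliant_pct": pct(totals["compliant"]),
        "non_compliant_pct": pct(totals["non_compliant"]),
        "failing_sources": dict(failing_sources),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['total']} messages seen")
    print(f"  green (compliant)    : {s['compliant_pct']}%")
    print(f"  red   (non-compliant): {s['non_compliant_pct']}%  from {s['failing_sources']}")
```

The forwarder’s ten messages count as green because DKIM survived the hop; that is the point of publishing both mechanisms. With the policy at `reject` the receiver reported that it threw the 150 spoofed messages away; with `none` it would only have told you about them.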

The end of Windows 10

Winver display

Microsoft are starting their countdown to the end of Windows 10. If you have the very latest version (Windows 10 22H2) then that date is October 14th 2025. Older versions expire sooner! And yes, this is because Microsoft want you to move to Windows 11!

What does this mean to you, and what do you need to do about it? Let’s dive in.

  1. What version have I got? To find out type winver into your computer’s search box on the taskbar & press return. You’ll get a box like the one in the illustration. You can see my PC is Windows 11 Version 23H2.
  2. When does my version expire? Microsoft have published a guide here.
  3. Can I update? If you go to the Windows Update task on your computer you’ll see what you can update on your current system. This page will tell you if you can update to Windows 11 – or not, as the case may be.
  4. Should I update? In general, the answer is ‘yes’. Keeping your Windows (indeed, all your software) updated is a crucial part of maximising the security of your system.
  5. My machine says I can’t upgrade to Windows 11 – what can I do? In general this means a new PC/laptop. This is because certain key security features in Windows 11 rely on bits of hardware (a TPM 2.0 chip and UEFI Secure Boot, for example) that may not be present in older systems.
  6. And if I don’t? Your PC will not stop working overnight! What will actually happen is that Microsoft will stop researching and developing fixes for problems within the Windows 10 operating system. The concern is that should a hacker discover a flaw in Windows 10 they can exploit it at will, as the flaw will not be discovered and remediated by Microsoft. If you are a domestic user then that might be a risk you are willing to run. For a business user, however, this is unacceptable. Your Cyber Essentials certification, and probably your business insurance, let alone your liabilities to your customers and suppliers, would all be in dire straits should you be running an unsupported version of Windows.


As ever, if you need help or advice, give us a ring on 01905 426364