Category Archives: Security and compliance

Can’t upgrade to Windows 11? Maybe you can.

One of the ticking time-bombs we are all sitting on is the scheduled end of Windows 10.

I did an article on what this might mean for you, so I won’t go over that again. This article will deal with who can (or can’t) upgrade to Windows 11.

You will know if you can’t officially upgrade your PC to Windows 11 because your Windows Update window will look a bit like this.

What is happening here is that the Windows installer is taking an inventory of your system’s hardware (processor, memory, storage, TPM, firmware and so on) and comparing it with the minimum list Microsoft have mandated for Windows 11. If it doesn’t match? Well, ‘computer says no‘. But is that the final verdict?
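If you would rather see which requirement a PC actually fails than stare at the red cross, the script below reproduces the main checks the installer makes (TPM 2.0, UEFI with Secure Boot, CPU, RAM and disk) against Microsoft’s published minimums. It is an added example written for this article, not Microsoft’s own checker, and it deliberately leaves out the processor-model whitelist, which is the one check you cannot reproduce from the machine itself. Run it in an elevated PowerShell window.

```powershell
# Added example: reproduce the Windows 11 hardware checks so you can see
# WHICH requirement fails. Thresholds are Microsoft's published minimums.
# Assumption: the CPU-model whitelist is not checked here, only architecture,
# core count and clock speed.
$results = [ordered]@{}

# TPM: Windows 11 wants a TPM that reports spec version 2.0 (needs admin rights).
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    $results['TPM 2.0'] = 'FAIL (no TPM visible - look for "PTT" or "fTPM" in the UEFI settings)'
} else {
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()   # SpecVersion looks like "2.0, 0, 1.59"
    $results['TPM 2.0'] = if ($spec -eq '2.0') { "PASS (spec $spec)" } else { "FAIL (spec $spec)" }
}

# Firmware: must be UEFI with Secure Boot. The cmdlet throws on legacy BIOS boot.
try {
    $sb = Confirm-SecureBootUEFI -ErrorAction Stop
    $results['UEFI/Secure Boot'] = if ($sb) { 'PASS (enabled)' } else { 'WARN (UEFI, but Secure Boot is switched off)' }
} catch {
    $results['UEFI/Secure Boot'] = 'FAIL (legacy BIOS boot)'
}

# CPU: 64-bit, at least two cores, at least 1 GHz.
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
$cpuOk = ($cpu.AddressWidth -eq 64) -and ($cpu.NumberOfCores -ge 2) -and ($cpu.MaxClockSpeed -ge 1000)
$results['CPU'] = "$(if ($cpuOk) {'PASS'} else {'FAIL'}) ($($cpu.Name.Trim()), $($cpu.NumberOfCores) cores, $($cpu.MaxClockSpeed) MHz)"

# RAM: at least 4 GB.
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$results['RAM >= 4 GB'] = "$(if ($ramGB -ge 4) {'PASS'} else {'FAIL'}) ($ramGB GB)"

# Storage: at least 64 GB on the system disk.
$sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$diskGB = [math]::Round($sysDrive.Size / 1GB)
$results['System disk >= 64 GB'] = "$(if ($diskGB -ge 64) {'PASS'} else {'FAIL'}) ($diskGB GB)"

# One line per check.
$results.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
```

A machine that only fails the TPM line is worth a trip into the UEFI settings before anything else: a firmware TPM that is merely switched off will turn that FAIL into a PASS with no hardware change at all.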

Well, as it happens – no. We have been experimenting over the last couple of weeks to find out exactly what the limits really are. By muzzling the installer’s watchdog it turns out that we can get a perfectly workable installation of Windows 11 onto some older PCs. So, on the face of it, we can move PCs to Windows 11 without the cost of replacing your hardware. And, indeed we can – it’s quick & inexpensive and has, as far as we can tell, no downsides.

But (you knew there would be a but!). There are some caveats. Here are some of them.

  • If your PC is too old to ‘officially’ upgrade to Windows 11 then it’s done a few years of service. And some of your hardware might be nearing the end of its service life. Upgrading to Windows 11 will not stop it dying at its allotted time.
  • Some hardware is simply too old for this to be achievable.
  • One of the bits of hardware it checks for is the TPM (Trusted Platform Module), and specifically version 2.0. This is the cornerstone of several modern security features, BitLocker and Windows Hello among them. If you don’t have a TPM then those features will be unavailable (or weaker) on an unofficial Windows 11. Before giving up, check your UEFI/BIOS settings: most processors of the last decade include a firmware TPM (Intel call it PTT, AMD call it fTPM) that is often simply switched off, and some desktop motherboards have a header for a plug-in TPM module. Laptops, on the other hand, generally cannot be retrofitted.
  • Microsoft might, in the future, change the installer (or Windows Update) so that our way round the checklist stops working. Microsoft already say that PCs installed this way are not guaranteed to receive updates, security updates included. And there might be application software that does not (either now, or in the future) play nice.
  • We are only happy doing this as a ‘fresh install’ (i.e. a totally clean installation). We would advocate installing a new hard disk at the same time. This has two benefits: (i) it preserves the existing Windows 10 system intact, in case it all goes wrong (ii) the hard disk is the component most likely to die with age. And, at the end of the day, new hard disks are very cheap!
  • It is highly likely that your existing Windows 10 license will transfer across. If not, there are plenty of options to resolve this.

 

Actual model supplied will vary

So practised are we at this that we offer an all-in-one price: installing Windows 11 with a new 240 GB solid state drive (2.5″ or NVMe as appropriate) into a standard PC or laptop is £145 all-in (including VAT!). If, despite the caveats, you are interested please contact us for a formal quotation.

So, there it is. A quick and inexpensive way to keep your existing PC viable for another couple of years, saving you the cost of replacing the whole lot next October. As usual, contact us on 01905 426364 to discuss your requirements.

Bitlocker – what is it & should I do it?

Bitlocker is Microsoft’s preferred hard disk encryption system. Which makes it as clear as mud…

Let’s start from the beginning. Your laptop (or PC or similar device) stores all your stuff on a “hard disk”. And your laptop gets lost/stolen. Apart from the annoyance & cost of replacing your laptop, your personal data is now in the hands of some unknown third party.

But you set a password to log in to Windows, so it’s all safe, right? No – very, very wrong! Because getting at your stuff is trivially simple. Your login password only guards the running copy of Windows; it does nothing to the data sitting on the disk. All the bad guy has to do is physically remove the hard disk, drop it into his own PC and, as the administrator of that PC, take ownership of your files (or boot something like Linux, which ignores Windows file permissions altogether). And bingo – your personal data laid bare.

An encrypted hard drive (see the padlock?)

This is where hard disk encryption comes in. When you turn on BitLocker your laptop scrambles everything written to the disk with a secret key, and unscrambles it with that same key whenever you read it back. The key itself is locked away in the TPM (a security chip on the motherboard) and is only released if the machine starts up exactly as it did when BitLocker was set up. So you go on using your laptop exactly as normal. If, however, the TPM sees a significant change at boot time (the disk plugged into another computer, a different boot device, altered firmware) it withholds the key and Windows insists you type in the 48-digit recovery key instead. No key, no data. So your data is now pretty safe from prying eyes.

Is there a downside? Well, yes – as you’d expect. The technology has been around for ages, and in the past there was a considerable performance hit, what with all that encrypting and decrypting. Modern processors, however, have the AES cipher built into the chip, so the overhead is now minimal and on a solid-state drive you will struggle to notice it. Of more concern is looking after your recovery key. If you make changes to your laptop (a firmware update, a repair that swaps the motherboard, even fiddling with the boot order) this may trigger the key request.

Bitlocker demanding a key

And, if you can’t find it, no data. If you sign in to Windows with a Microsoft account (or a work account from Microsoft 365) Windows can back the key up to that account, where you can retrieve it by logging in from another device. Or you can save it to, say, a USB stick or print it out (which you then store in a safe place – and we know how that goes!). So, in general, we’d recommend turning it on: just make sure you keep tabs on where the key is, so you can lay hands on it if it all goes bad!
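For anyone who would rather do it from a script than click through the Control Panel, here is the whole job in one go: check the TPM, switch BitLocker on for the system drive, add a recovery password and keep two copies of it. This is an added example for this article, not Microsoft’s own tooling; it assumes the PC has a ready TPM, that C: is the Windows volume, and the backup path E:\ is a placeholder for a USB stick. Run it in an elevated PowerShell window.

```powershell
# Added example: enable BitLocker with the TPM as the unlock method, add a
# recovery password and store it in two places. Run elevated.
# Assumptions: a present+ready TPM, C: is the OS volume, E:\ is removable media.
$mount = 'C:'

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present/ready (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady)). BitLocker would need a startup PIN or USB key instead."
}

$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Add the recovery password first so the volume is never protected without one.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    # XTS-AES 256 is the modern cipher; -UsedSpaceOnly is fine for a fresh drive.
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}

# Pick out the recovery password protector and its ID.
$rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

# Copy 1: the Microsoft Entra ID (Azure AD) account the PC is joined to, if any.
try {
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
    'Recovery key escrowed to Entra ID.'
} catch {
    "Not escrowed to Entra ID ($($_.Exception.Message)) - keep an offline copy."
}

# Copy 2: an offline file. Never leave this on the encrypted drive itself.
$backup = 'E:\bitlocker-recovery.txt'   # placeholder path: removable media
"Volume: $mount`nProtector ID: $($rp.KeyProtectorId)`nRecovery password: $($rp.RecoveryPassword)" |
    Out-File -FilePath $backup -Encoding ascii

# Current state. ProtectionStatus flips to On once encryption has started.
Get-BitLockerVolume -MountPoint $mount | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
```

The recovery password is the 48-digit number the blue recovery screen will ask for after a firmware update or a motherboard swap, so the text file (or a printout of it) is the copy that matters when the laptop is in bits on a repair bench and nobody can get at the cloud account from it.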

Patches and updates. What are they & why do we need them?

Updates. Why?

It sometimes seems these days that everything you touch needs to ‘update’ before it will do what you purchased it for. It is one of life’s endless irritations. So what is going on, why do we need them and are they important?

Modern software consists of thousands – maybe millions – of lines of computer code. The reputable suppliers take a huge amount of care to try to get this code as fault-free as possible. But to get the system 100% perfect would be (even assuming such a thing is possible) so time consuming that the product might never make it to the shelf. It’s generally accepted that there will be imperfections hidden in there somewhere.

We also have to accept that technology develops over time – and this might require changes to the software in your PC.

For these (and other) reasons software suppliers create & release ‘updates’ or ‘patches’.

We can therefore group the drivers for these updates as:

  • Fixing faults in the software code.
  • Desire to add features.
  • Updates to meet more recent standards
  • Remediate security flaws discovered by researchers (or scammers!)

How?

Responsible software companies will support their software for a specified time after release. During that time they will research problems & create solutions. These solutions will normally be in the form of ‘patches’ that are downloaded from the Internet and applied in the relevant place. Hence you will hear the expression ‘fully patched’ to indicate that the software in question has been fully updated with these remedies.
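“Fully patched” is something you can actually ask a Windows PC about. The script below, an added example for this article rather than anything Microsoft ships, reports the Windows build, how long a Windows 10 machine has left before its published end-of-support date, the most recent patch installed, and whatever Windows Update knows about but has not yet installed. It needs an internet connection for the last part.

```powershell
# Added example: is this PC fully patched, and is its OS still supported?
# The end-of-support date is Microsoft's published date for Windows 10;
# everything else is read from the machine.
$win10End = [datetime]'2025-10-14'

$os = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
"OS: $($os.Caption) build $build"
if ($build -lt 22000) {   # Windows 11 builds start at 22000
    $days = ($win10End - (Get-Date)).Days
    if ($days -ge 0) { "Windows 10: $days days of support remaining (ends $($win10End.ToShortDateString()))" }
    else { "Windows 10: OUT OF SUPPORT since $($win10End.ToShortDateString()) - no more security patches" }
}

# Most recent patch actually installed on this machine.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) { "Last installed update: $($last.HotFixID) on $($last.InstalledOn.ToShortDateString())" }

# Ask the Windows Update agent what is still outstanding (COM API, no extra modules).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
if ($pending.Count -eq 0) {
    'Fully patched: nothing outstanding.'
} else {
    "Outstanding updates: $($pending.Count)"
    foreach ($u in $pending) {
        # MsrcSeverity is only set on security updates (Critical/Important/...).
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        '  [{0,-9}] {1}' -f $sev, $u.Title
    }
}
```

An out-of-support machine will happily report “nothing outstanding”, which is exactly the point of the next section: no updates being offered is not the same as no flaws being left.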

Out of support.

Once the end of the specified support period is reached the company will cease these efforts. This is often called ‘end of life’. The expectation is that the user will UPGRADE to a new version of the software, which will have its own support period off into the future. The catch is, of course, that getting a new version often costs money. The risk of NOT doing so is that, should any flaws remain in the system at the end of the support period, you are vulnerable to whatever effects those flaws allow. Which, in the worst case, may be to allow miscreants to access and exploit your system.

Should I?

That depends on usage.

Businesses should not, as a rule, continue to run ‘end of life’ systems. Especially if your system holds sensitive data of any sort. It puts that data at preventable risk. It might well invalidate your ‘cyber insurance’. It will be looked on askance by regulatory bodies like The Law Society & The Financial Conduct Authority.

Private users are no less at risk, but are not driven by the same imperatives that business users are. Additionally they are less of a target. So running a system a couple of years beyond its end-of-life date is probably a risk they are willing to run.

Why tell us now?

The driver behind this article being written now is the imminent demise of Windows 10. Microsoft will end support on 14 October 2025. From that point on they will only support Windows 11. They announced this in the summer, giving users – particularly businesses – 18 months to migrate their fleets onto Windows 11.

As a professional support company we strongly recommend you look into this in a rigorous manner, the sooner the better. Please don’t leave it until the last minute when (a) it’ll be a terrible rush (b) your IT support staff will be on holiday (c) hardware will be in short supply as everybody rushes to replace their kit at the same time (d) prices will be inflated due to the scarcity (e) all your systems will be being replaced together, so productivity will plummet. You’ve got 12 months, migrate 10% of your systems every month & spread the pain!

So you have WiFi broadband? Probably not…

It’s a common misconception that we hear a lot. So what and why? To explain I need to go into some brief details on how you actually use ‘The Internet’.

‘The Internet’ (at least the bit you use) is best thought of as a long chain of separate links. They all have to work in harmony, or you won’t be able to use the system. Let’s look at a (very simplified) example: you want to look at the BBC website.

 

  1. You type ‘bbc.co.uk’ into your web browser.
  2. Your laptop processes this and works out you need an Internet connection.
  3. According to its rules the laptop passes the request onto your LAN (Local Area Network) connection.
  4. Your LAN connection contacts your router/hub and forwards the request.
  5. Your router/hub acts according to its rules and sends your request to its WAN (Wide Area Network) connection.
  6. The WAN connection sends this request down the cable that connects your house to your provider’s exchange unit.
  7. The exchange unit takes your message (along with many other customers’ requests) and relays them along the (increasingly high capacity) web of transmission systems that is the backbone of The Internet.
  8. At the appropriate point your message exits the Internet backbone and passes up the local cable to the BBC’s server facility.
  9. In this facility it passes through the appropriate firewalls & routers until it arrives at the server hosting the BBC website.
  10. This web server looks at your request, chooses the appropriate content, and then sends this back – essentially reversing down the path I have just described above.

Now, in all of this, your ‘Broadband’ or ‘Internet connection’ is just Step 6 – the bit that connects the router in your house to the exchange of your ISP (Internet Service Provider). And, overwhelmingly, this is delivered via a cable: either copper or – increasingly – optical fibre. The only people who have “Wireless Broadband” are customers of specialist services, like AirBand or Elon Musk’s StarLink. Otherwise you don’t have ‘wireless broadband’!

There is another alternative. You can use the mobile phone data network (a.k.a. 4G or 5G) to provide the link between your router and the Internet. This is also a form of ‘wireless broadband’. We use this quite often to provide backup Internet connections where the cabled connection is unreliable or undergoing maintenance.

So where does this misconception come from? The answer is straightforward. Most devices these days (smartphones, tablets, many laptops) make the connection to your router (Step 4) using WiFi. And so users use the shorthand ‘WiFi broadband’.

And another thing. Look at the list above (which is somewhat shortened for simplicity!). It’s a sequential chain, and it only moves as fast as the slowest link. So when a user says “my broadband is slow” it could be any one (or more) of these links – most of which neither they (nor we) have any influence over. King Canute had it right, and I bow to his wisdom!
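You can watch that chain for yourself. The script below is an added example for this article (not a tool the article describes): it does the name lookup from Steps 1 and 2 separately, then lists every router between your laptop and the web server and how long each one takes to answer. The first hop is your own router/hub (the LAN side); the second is normally your ISP (the WAN side, i.e. the ‘broadband’); everything after that belongs to somebody else.

```powershell
# Added example: make the chain of links visible. Needs an internet connection.
$target = 'bbc.co.uk'

# Steps 1-2: the name has to become an address before anything is sent.
$dns = Resolve-DnsName -Name $target -Type A | Where-Object QueryType -eq 'A' | Select-Object -First 1
"DNS: $target -> $($dns.IPAddress)"

# Steps 3-9: every router the packets pass through on the way out.
$trace = Test-NetConnection -ComputerName $target -TraceRoute -WarningAction SilentlyContinue
$ping = New-Object System.Net.NetworkInformation.Ping
$hop = 0
foreach ($ip in $trace.TraceRoute) {
    $hop++
    if ($ip -eq '0.0.0.0') { '{0,3}  (router did not reply)' -f $hop; continue }
    # Round trip to each hop individually: the first big jump shows which link is slow.
    $r = $ping.Send($ip, 1000)
    $rtt = if ($r.Status -eq 'Success') { "$($r.RoundtripTime) ms" } else { "no reply ($($r.Status))" }
    '{0,3}  {1,-16} {2}' -f $hop, $ip, $rtt
}
```

If hop 1 answers in a millisecond or two and hop 2 takes fifty, the problem is on the cable to the exchange; if the jump comes at hop eight, it is out in the backbone where neither you nor we can touch it.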

An easy trap to fall into

No apologies for going back to the subject of mail compliance. And this time it’s an obvious and easy trap that you could fall into when configuring your SPF record.

The SPF record for Back Office It

By way of explanation, your SPF record is a DNS TXT record you publish: it lists the server(s) you have authorised to send email for your domain. When we send an email from backofficeit.co.uk the recipient’s mail server looks at the address it arrived from, checks it against our published SPF record, and gives it the go/no-go based on what it finds. In this way recipients are protected against ‘spoof’ emails (scammers pretending to be us). The trap comes when you use Microsoft 365 (Office 365) for your email. Your SPF record then reads “v=spf1 include:spf.protection.outlook.com -all” – which sounds fine. But every other Microsoft 365 customer on the planet sends from that same pool of servers. So a pass on the SPF check does NOT say “this is definitely from backofficeit.co.uk”. It only says “this came from Microsoft 365, and Microsoft 365 is allowed to send for backofficeit.co.uk”. Which is not where you want to be at all! SPF on its own cannot close that gap: a DKIM signature, which Microsoft 365 issues per customer domain, and a DMARC policy are what tie a message to your domain specifically, so publish those too.
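To see how much sending infrastructure an SPF record really authorises, expand its include: terms. The script below is an added example for this article (not part of the original post or any vendor tool): it fetches a domain’s SPF record with Resolve-DnsName and follows every include: and redirect= recursively, stopping at the ten-lookup limit that RFC 7208 imposes on receivers. The domain at the bottom is ours; swap in your own.

```powershell
# Added example: fetch and expand an SPF record so the full list of
# authorised senders is visible. Needs DNS access.
function Get-SpfRecord {
    param([string]$Domain)
    # TXT records come back as string arrays; join the chunks and keep the v=spf1 one.
    Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings -and ($_.Strings -join '') -like 'v=spf1*' } |
        ForEach-Object { $_.Strings -join '' } | Select-Object -First 1
}

function Expand-Spf {
    param([string]$Domain, [int]$Depth = 0, [hashtable]$Seen = @{})
    # RFC 7208 caps DNS-querying terms at 10; loops are also a real-world error.
    if ($Depth -gt 10 -or $Seen.ContainsKey($Domain)) { return }
    $Seen[$Domain] = $true
    $indent = '  ' * $Depth
    $spf = Get-SpfRecord $Domain
    if (-not $spf) { "$indent$Domain : (no SPF record)"; return }
    "$indent$Domain : $spf"
    foreach ($term in ($spf -split '\s+')) {
        switch -Regex ($term) {
            '^include:(.+)$'  { Expand-Spf -Domain $Matches[1] -Depth ($Depth + 1) -Seen $Seen }
            '^redirect=(.+)$' { Expand-Spf -Domain $Matches[1] -Depth ($Depth + 1) -Seen $Seen }
            '^ip[46]:'        { "$indent  authorises $term" }
        }
    }
}

Expand-Spf -Domain 'backofficeit.co.uk'
```

Run it against a domain that only includes spf.protection.outlook.com and the address ranges printed underneath are Microsoft’s shared outbound pool: the same list every other Microsoft 365 customer’s SPF resolves to, which is the whole problem.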

The solution is to use an outbound mail relay. The one we have partnered with has many useful features. But, in this case, it has its own SPF identity. And, as part of their system, they monitor for exactly the scenario we are guarding against: therefore we use that instead of the Office365 one. And now the receiver can say with much higher confidence that this email is really from us.

 

 

20% of the world’s computers offline?

Some shouty headlines tell us that 20% of the world’s computers were taken down by the CrowdStrike problem. Well, not really. Microsoft say the true figure is about 8.5 million – still a lot, but closer to 1% than 20%.

So, what & why? CrowdStrike is a high-end PC protection suite (think anti-virus and more) which is supposed to protect key Windows systems from falling foul of the bad guys & maintain high levels of availability. Oh, the irony.

On 19 July 2024 CrowdStrike released a content update for its software. Due to an error in the update millions of Windows PCs around the world crashed, and kept crashing on every reboot. The reason it was so devastating is in the innocent phrase ‘high-end’. This meant it was a favourite for important systems, such as banks, airlines and so on. Hence the huge impact on the public & the economy. Read up on it here.

But here’s my question. Why is none of this stuff tested properly? Call me old fashioned, but if I wrote a bit of code that caused my test PC to go into a permanent sulk I’d probably think twice before punting it out to 8,500,000 customers.

We’re seeing more of this. Products that break almost as soon as they are out of the box. Clearly they haven’t been tested in anything like a rigorous manner. It seems that, in this post-truth world, testing is old-fashioned, restrictive, time-consuming & expensive. And, conveniently for the bottom line, can be dispensed with. Trip to see the Titanic in an untested & unlicensed submarine anyone? I’m sure there were loads of people who thought it was cool & modern to sidestep all the boring testing & validation mandated for these things. Not so much now, eh?

It’s not as popular as they thought!

For a decade now suppliers have been fixated with the ‘subscription model’ of commerce. This was based on one of the most frequently violated rules of statistics – you can interpolate but not extrapolate.

It all seems to have started with the mobile phone boom – which, in the early days, saw the cost of the handset bundled into the monthly subscription for the phone service. And, so they reasoned, the public would be equally keen to buy pretty much everything else on the subscription model. Yea! Regular income! The added bonus (from their point of view) was the amount of personal data they could harvest along the way.

The public, however, were not so keen. We noticed the almost total resistance from clients over moving to Office365. Why, they reasoned, should they pay hundreds of pounds per month for a product that they had, historically bought outright?

But some companies took it even further. Our least-favourite printer manufacturer (HP) produced printers that were online 24/7 spying on you, automatically ordering consumables and snitching to Big Brother should you attempt to use compatible toners. And, in the early days, stopping the printer if you persisted. All the while plundering your bank account month in, month out.

Well, the public was less than enthusiastic – and HP have finally given up. Read the story here.

What does a ‘phishing’ email look like?

It’s estimated that more than 80% of data breaches are initiated by the recipient dealing with a ‘phishing’ email inappropriately. So, what is happening?

Phishing email

‘Phishing’ emails are emails designed to get you, the recipient, to divulge personal/sensitive data to an unauthorised third-party (a.k.a. ‘scammer’).

The image is a screen grab of one we received today. Looks good, doesn’t it? It’s a very reasonable copy of the genuine HMRC emails that we get from time to time. But it’s definitely not!

The idea of the scam is to get you to click the inviting blue button to “view the important message”. This will take you to a website – not HMRC, but one controlled by the scammers. I have no doubt that it too will look pretty much exactly like the official HMRC one. You will enter your HMRC login credentials into the inviting boxes you find there. And – bingo! – the scammers now have your HMRC login details.

“Ah ha” you cry! “I have 2FA set up – I need to type the code from my phone in addition to the username & password.” This is not a problem for the scammer. One way around it is that when you attempt to log in to the fake website the login is rejected for some spurious reason. The scammer has been alerted and is now watching your actions: he is on the real HMRC website with your login details already entered. The fake website now asks you to log in again. This time the scammer is waiting, sees the 2FA code you type in and, as long as he uses it within the short time the code remains valid, he is into your account free and clear. Which won’t end well for you! The one form of 2FA that survives this trick is a security key or passkey, because it will only answer the genuine website’s address and the fake site cannot borrow that answer.

The scam revealed

How do you protect yourself against this sort of attack? Firstly nothing can be better than your own common sense and attention to detail. Be suspicious of absolutely everything.

You can start by hovering your mouse over the blue button (don’t click it!!). In most cases this will reveal the true destination of the button click. In this case the destination website is ‘hairyerotica.com’ – which doesn’t sound like HMRC to me! Just be aware that this might not work well on your smartphone, so be really careful with this.
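The hover check can also be done in code, which helps when hovering is not available (a saved copy of the message on a PC, for example). The script below is an added example for this article, not a tool from the original post: it pulls every link out of an email’s HTML, compares where the link really goes with the organisation the email claims to be from, and flags links whose visible text is a web address that differs from the real one. The HTML is a constructed sample imitating the scam above; the hostnames in it are illustrative.

```powershell
# Added example: the "hover over the link" check, done in code.
# $html is a CONSTRUCTED sample imitating the HMRC scam; hostnames are illustrative.
$html = @'
<p>Dear taxpayer, you have a new message from HM Revenue &amp; Customs.</p>
<a href="https://hairyerotica.com/hmrc/login" style="background:#0b0c0c;color:#fff">View the important message</a>
<p>Or visit <a href="https://gov.uk.secure-login.example.net/">https://www.gov.uk/hmrc</a></p>
<p>Unsubscribe: <a href="https://www.gov.uk/email-preferences">preferences</a></p>
'@
$claimedDomain = 'gov.uk'   # who the email SAYS it is from

function Get-LinkVerdicts {
    param([string]$Html, [string]$ClaimedDomain)
    # Capture href and the visible anchor text of every <a ...>...</a>.
    $pattern = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase,Singleline')) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $linkHost = ([uri]$href).Host

        # Real destination must be the claimed domain or a subdomain of it.
        # "gov.uk.secure-login.example.net" fails this: the suffix is what counts.
        $sameOrg = ($linkHost -eq $ClaimedDomain) -or $linkHost.EndsWith(".$ClaimedDomain")

        # If the visible text is itself a URL, its host must match the real one.
        $textHost = $null
        if ($text -match '^https?://')  { $textHost = ([uri]$text).Host }
        elseif ($text -match '^www\.')  { $textHost = ([uri]"https://$text").Host }

        $verdict = if (-not $sameOrg) { "SUSPICIOUS: really goes to $linkHost" }
                   elseif ($textHost -and $textHost -ne $linkHost) { 'SUSPICIOUS: visible URL differs from real link' }
                   else { 'ok' }
        [pscustomobject]@{ Text = $text; RealHost = $linkHost; Verdict = $verdict }
    }
}

Get-LinkVerdicts -Html $html -ClaimedDomain $claimedDomain | Format-Table -AutoSize
```

On the sample, the blue button is flagged because it goes to hairyerotica.com, the second link is flagged because “gov.uk” is only the start of a hostname that actually ends in example.net, and only the genuine www.gov.uk link passes. The suffix test is the important bit: scammers put the real name at the front precisely because that is what people read.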

If it looks OK then you can proceed. If there’s the slightest element of doubt use the ‘sandbox‘ feature of your PC’s endpoint security software. If a webpage opens make sure it really is where you expect to be (e.g. if it’s not .gov.uk then run a mile). Do check the address bar, but don’t be reassured by the padlock on its own: scammers’ sites have perfectly valid HTTPS certificates too, so the padlock only tells you the connection is private, not that the site is genuine. There’s a chance that your endpoint security software will have a database of dodgy websites & jump in to protect you – but this isn’t 100%. There’s a new generation of protection systems designed specifically to protect you from this type of threat which are maturing as we speak. As ever, you can always give us a ring.