An easy trap to fall into

No apologies for going back to the subject of mail compliance. And this time it’s an obvious and easy trap that you could fall into when configuring your SPF record.

The SPF record for Back Office It

By way of explanation, your SPF record is something you publish in DNS: it lists the server(s) you have authorised to send email for your domain. When we send an email from backofficeit.co.uk the recipient’s mail server looks at the IP address the message arrived from, checks it against our published SPF record, and passes or fails it on that basis. In this way recipients are protected against ‘spoof’ emails (scammers pretending to be us). The trap comes when you use Microsoft 365 (Office 365) for your email. Your SPF record now reads “v=spf1 include:spf.protection.outlook.com -all” – which sounds fine. But every other Microsoft 365 tenant on the planet sends from the same pool of servers. So the SPF check does NOT say “this is definitely from backofficeit.co.uk”. It simply says “this came from a Microsoft 365 server & Microsoft 365 servers are allowed to send for backofficeit.co.uk”. Which is not where you want to be at all!

The solution is to use an outbound mail relay. The one we have partnered with has many useful features. But, in this case, what matters is that it has its own SPF identity: its own sending addresses, not shared with every other Microsoft 365 tenant. And, as part of their system, they monitor for exactly the scenario we are guarding against: therefore we list that in our SPF record instead of the Office 365 one. And now the receiver can say with much higher confidence that this email is really from us. One caveat: SPF only ever vouches for the sending server, never for the message itself. The thing that ties a message to your domain is a DKIM signature made with a key only you hold, backed by a DMARC policy that tells receivers to insist on it – so set those up as well, whichever route your mail takes.

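To make the point concrete, here is a small SPF evaluator, written as an added example for this post (it is not Back Office IT’s tooling). The DNS records and IP ranges in its TXT table are made up, using documentation address blocks, to stand in for the real spf.protection.outlook.com ranges and for a hypothetical relay at relay.example; the evaluation rules follow RFC 7208.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed DNS table.

Added example for this post, not Back Office IT's own code. The TXT table
below is made up: documentation prefixes (RFC 5737 / RFC 3849) stand in
for Microsoft's published ranges, and relay.example is a hypothetical relay.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups. Not the real records.
TXT = {
    "backofficeit.co.uk": "v=spf1 include:spf.protection.outlook.com -all",
    "other-tenant.example": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "relay.example": "v=spf1 ip4:198.51.100.10 -all",
    "hardened.example": "v=spf1 include:relay.example -all",  # relay-only SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying terms per check


def parse_spf(record):
    """Split a v=spf1 record into (result-if-matched, mechanism, argument)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), arg))
    return parsed


def check_spf(domain, ip, lookup=TXT.get, budget=None):
    """Result of SPF for a message claiming `domain`, delivered from `ip`."""
    if budget is None:
        budget = [MAX_LOOKUPS]
    record = lookup(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for result, mechanism, arg in parse_spf(record):
        if mechanism == "all":
            return result
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return result
        elif mechanism == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            inner = check_spf(arg, ip, lookup, budget)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"  # include of a missing or broken record
        else:
            return "permerror"  # a, mx, exists, redirect are not modelled here
    return "neutral"  # nothing matched and there was no "all" term


if __name__ == "__main__":
    shared_ip = "203.0.113.25"  # an address in the pool every 365 tenant uses
    # Both domains pass for the same IP: SPF cannot tell the tenants apart.
    print("backofficeit.co.uk  ", check_spf("backofficeit.co.uk", shared_ip))
    print("other-tenant.example", check_spf("other-tenant.example", shared_ip))
    # A domain whose SPF names only the relay fails for the shared range.
    print("hardened.example    ", check_spf("hardened.example", shared_ip))
    print("hardened.example    ", check_spf("hardened.example", "198.51.100.10"))
```

The point of the two “pass” results is the whole article: the evaluator cannot distinguish backofficeit.co.uk from other-tenant.example when the message comes from the shared range, because SPF only ever tests the connecting IP. The lookup budget and the permerror cases are there because real records are often broken in exactly those ways, and a permerror is treated by most receivers as “no SPF at all”.
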
Did they really think that they could get away with it?

On Jan. 12, 2023, Intel announced full details and availability for the new 13th Gen Intel Core i9-13900KS. A photo shows the ​​13th Gen Intel Core i9-13900KS Special Edition retail packaging. (Credit: Intel Corporation)

Apparently so. We’re talking about Intel and the fiasco over their latest chips. To cut a long story short, Intel launched its latest chips (13th & 14th Generation Core CPUs) to the usual fanfare & premium prices. Only for some users to find that these chips were slowly failing. What was happening is that the chip was asking for more voltage than it could safely take, and bit by bit it was cooking itself. Intel eventually released a fix – a microcode update, delivered through a BIOS/UEFI update – that stops the chip requesting those voltages. But, crucially, if you have already experienced the problem then tough luck – the damage is permanent, and the update cannot undo it. And Intel announced that this was just on certain batches, your bad luck, so sorry, never mind. Which isn’t nice, as the i9 illustrated above is the wrong side of £600 – assuming you can get one.

Now, however, they have (in small part) backed down, by extending the warranty on the affected chips. You can read about it here.

Maybe the fact that Intel is laying off 15,000 staff might be connected in some way. Maybe not. But here is another product that clearly has not been rigorously tested before being flogged to the paying public.

And before you get too smug looking at your AMD chip, have a read here…

20% of the world’s computers offline?

Some shouty headlines tell us that 20% of the world’s computers were taken down by the CrowdStrike problem. Well, not really. Microsoft say the true figure is about 8.5 million – still a lot, but closer to 1% than 20%.

So, what & why? CrowdStrike is a high-end endpoint protection product (think anti-virus and more – the trade calls it EDR) which is supposed to protect key Windows systems from falling foul of the bad guys & maintain high levels of availability. Oh, the irony.

On 19 July 2024 CrowdStrike released a content update for its Falcon sensor. A defect in that update crashed the sensor, which runs inside the Windows kernel, so millions of Windows machines around the world blue-screened – and many kept crashing on every reboot until the faulty file was removed by hand, which meant a visit to each machine. The reason it was so devastating is in the innocent phrase ‘high-end’. This meant it was a favourite for important systems, such as banks, airlines and so on. Hence the huge impact on the public & the economy. Read up on it here.

But here’s my question. Why is none of this stuff tested properly? Call me old fashioned, but if I wrote a bit of code that caused my test PC to go into a permanent sulk I’d probably think twice before punting it out to 8,500,000 machines.

We’re seeing more of this. Products that break almost as soon as they are out of the box. Clearly they haven’t been tested in anything like a rigorous manner. It seems that, in this post-truth world, testing is old-fashioned, restrictive, time-consuming & expensive. And, conveniently for the bottom line, can be dispensed with. Trip to see the Titanic in an untested & unlicensed submarine anyone? I’m sure there were loads of people who thought it was cool & modern to sidestep all the boring testing & validation mandated for these things. Not so much now, eh?

Image from BBC news

It’s not as popular as they thought!

For a decade now suppliers have been fixated with the ‘subscription model’ of commerce. This was based on one of the most frequently violated rules of statistics – you can interpolate but not extrapolate.

It all seems to have started with the mobile phone boom – which, in the early days, saw the cost of the handset bundled into the monthly subscription for the phone service. And, so they reasoned, the public would be equally keen to buy pretty much everything else on the subscription model. Yea! Regular income! The added bonus (from their point of view) was the amount of personal data they could harvest along the way.

The public, however, were not so keen. We noticed the almost total resistance from clients over moving to Office 365. Why, they reasoned, should they pay hundreds of pounds per month for a product that they had historically bought outright?

But some companies took it even further. Our least-favourite printer manufacturer (HP) produced printers that were online 24/7 spying on you, automatically ordering consumables and snitching to Big Brother should you attempt to use compatible toners. And, in the early days, stopping the printer if you persisted. All the while plundering your bank account month in, month out.

Well, the public was less than enthusiastic – and HP have finally given up. Read the story here.

Copper switch-off delayed.

To our complete lack of surprise, BT/Openreach have announced that they have delayed the final switch-off of the traditional phone lines (so-called ‘analogue’ or ‘copper’ phone lines). The grand plan was that all voice telephony would be delivered over your Internet connection by the end of 2025. The technical name for this is VoIP (Voice over IP). When this plan was announced in 2021 anyone with any real-world knowledge knew it was unachievable. There were just too many connections to deal with – not to mention all the specialist services that only work on the copper, like RedCare alarm signalling & emergency pendants for the elderly (a copper line is powered from the exchange and keeps working in a power cut; a VoIP line dies with your router). Plus, of course, Openreach’s ghastly reputation for not delivering the quality of broadband essential for voice communications.

And here we are. Bowing to the inevitable, OpenReach has pushed back the deadline by 13 months. That’s still ‘ambitious’. We shall see. My money is on a series of further delays as reality seeps in bit by bit.

You can read the BBC article here.

Having said that, if (and it’s a big if) you have the broadband to support it, voice telephony delivered over the Internet is very good, and very cheap. The system we use has been in our office for many years, and it works well. If you are interested talk to us about it. Call us on 01905 426365 (yes, it’s a VoIP line!)

What does a ‘phishing’ email look like?

It’s estimated that more than 80% of data breaches are initiated by the recipient dealing with a ‘phishing’ email inappropriately. So, what is happening?

Phishing email

‘Phishing’ emails are emails designed to get you, the recipient, to divulge personal/sensitive data to an unauthorised third-party (a.k.a. ‘scammer’).

The image is a screen grab of one we received today. Looks good, doesn’t it? It’s a very reasonable copy of the genuine HMRC emails that we get from time to time. But it’s definitely not!

The idea of the scam is to get you to click the inviting blue button to “view the important message”. This will take you to a website – not HMRC, but one controlled by the scammers. I have no doubt that it too will look pretty much exactly like the official HMRC one. You will enter your HMRC login credentials into the inviting boxes you find there. And – bingo! – the scammers now have your HMRC login details.

“Ah ha” you cry! “I have 2FA set up – I need to type the one-time code from my phone in addition to the username & password.” This is not a problem for the scammer. One way round it: the fake website rejects your first login attempt for some spurious reason. The scammer has been alerted and is now watching. He is on the real HMRC website with your username & password already entered, sitting at its 2FA prompt. The fake website now asks you to log in again; this time the scammer sees the 2FA code you type and, as long as he uses it before it expires (typically 30 seconds to a few minutes), he is into your account free and clear. Which won’t end well for you! In practice this relay is automated by off-the-shelf ‘adversary-in-the-middle’ phishing kits, so the timing is never a problem for them. Any code you type, whether from an app or a text message, can be relayed this way; only methods that check the website’s real address themselves, such as passkeys or hardware security keys, defeat it.

The scam revealed

How do you protect yourself against this sort of attack? Firstly nothing can be better than your own common sense and attention to detail. Be suspicious of absolutely everything.

You can start by hovering your mouse over the blue button (don’t click it!!). In most cases this will reveal the true destination of the button click. In this case the destination website is ‘hairyerotica.com’ – which doesn’t sound like HMRC to me! Just be aware that this doesn’t work well on a smartphone (a long press on the link will usually show the address, but it is easy to tap it by mistake), so be really careful there.

If it looks OK then you can proceed. If there’s the slightest element of doubt use the ‘sandbox’ feature of your PC’s security endpoint. If a webpage opens make sure it really is where you expect to be (e.g. if it’s not .gov.uk then run a mile – and read the whole address, because gov.uk.something-else.com is not gov.uk). Look at the padlock and certificate, but remember a padlock only means the connection is encrypted: scammers get certificates for their own domains as easily as anyone else, so it is the domain name that matters. There’s a chance that your PC’s security endpoint will have a database of dodgy websites & jump in to protect you – but this isn’t 100%. There’s a new generation of protection systems designed specifically to protect you from this type of threat which are maturing as we speak. As ever, you can always give us a ring.

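Here is the ‘hover’ check done programmatically, for every link in a message at once, written as an added example for this post (not a Back Office IT tool). The email body it reads is constructed to resemble the lure described above: the first domain is the one quoted from the real sample, the second (account-verify.example) is a made-up look-alike, and the third is the genuine site. The rules it applies are the ones in the text: where the link actually goes, and whether that matches what the link text shows.

```python
"""Extract every link from an HTML email body and flag the dodgy ones.

Added example for this post, not Back Office IT's code. SAMPLE_EMAIL is
constructed: the first domain is the one quoted in the post, the second
(account-verify.example) is a made-up look-alike, the third is genuine.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """
<p>You have a new important message from HMRC.</p>
<p><a href="https://hairyerotica.com/hmrc/login?id=123">View the important message</a></p>
<p>Or visit <a href="http://www.gov.uk.account-verify.example/">www.gov.uk</a></p>
<p><a href="https://www.gov.uk/government/organisations/hm-revenue-customs">HMRC website</a></p>
"""

# Where a genuine HMRC link should land. Matches the domain or any subdomain.
TRUSTED_SUFFIXES = ("gov.uk",)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for each <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def host_of(url):
    """Lower-cased host name of a URL ('' if there is none)."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host):
    """True only for the trusted domain itself or a real subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def shown_domain(text):
    """If the link text itself looks like a URL or domain, return that domain."""
    candidate = text.lower()
    for prefix in ("https://", "http://"):
        if candidate.startswith(prefix):
            candidate = candidate[len(prefix):]
    candidate = candidate.split("/")[0].split(" ")[0]
    return candidate if "." in candidate else ""


def audit_links(html):
    """One finding per link: its real host and the reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        if not is_trusted(host):
            reasons.append(f"destination {host!r} is not under gov.uk")
        shown = shown_domain(text)
        if shown and shown != host and not host.endswith("." + shown):
            reasons.append(f"text shows {shown!r} but link goes to {host!r}")
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['text']!r} -> {finding['host']}")
        for reason in finding["reasons"]:
            print("           ", reason)
```

The second link is the one worth studying: the text says www.gov.uk and the address even starts with www.gov.uk, but the host name is read right to left, so it actually belongs to account-verify.example. That is why the check is “does the host end with .gov.uk”, not “does it contain gov.uk”.
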
Retain control of your assets.

This is a problem we see occasionally – clients who don’t have control of their key assets. Mainly because it’s something they don’t think about at the beginning, when the opportunity is there. It only becomes an issue later, when, maybe, the opportunity has passed by.

The most frequent area we see this problem is a company’s domain name. It’s quite common for a business to hand over the whole business of “the website” to a third party. They do the lot – domain name registration, web hosting, web design & site maintenance. That’s OK – it’s convenient, and all the settings are handled by the same people. The problem comes if the relationship with that supplier goes awry. Maybe they go out of business, or a key member of staff leaves, or you just fall out with them. And then you are in trouble – because your website, and especially your domain name, is the key to your online identity: it carries your email as well as your web address, and whoever holds the registrar account and the DNS settings can redirect both. Unless you can access these to manage the settings you are storing up big problems for the long term. We have had numerous examples of going for what should be a simple configuration change – only to spend days going around the houses while the client tries to get that essential access.

Our advice is that you get a grip early. (i) make sure the contract says clearly that you are the owner of the asset in question, and that the domain is registered in your company’s name (as the registrant), not the supplier’s. (ii) make sure that you hold your own credentials for the registrar and DNS accounts, rather than relying on the supplier’s. (iii) make sure you check regularly that those credentials still work, and that the renewal date and contact email on the domain are yours.

Look after your customers – reboot your router!

A typical WiFi router

If you offer WiFi to your customers you are probably letting them down! Whatever you might think about customers coming to your café, and then sitting glued to their smartphones, it is a service that most people expect. Certainly if you offer it then it’d better work! I’m sure you think everything is fine. Your customers – probably not so much! So, what’s the issue here? We need to go a bit technical, but the fix is easy!

Here are the salient points:

  • For a device (laptop, mobile, whatever) to connect to your network it needs an IP address. We don’t need to get too technical, but just know that on the usual small-network setup there are a little over 250 available, and each device must have one that nothing else on your network is using.
  • When the device connects, your WiFi router (its DHCP server, to be precise) hands it an unused address from its pool.
  • When the router runs out of unused addresses then no more devices can get online, however strong the WiFi signal.

You might think 250 addresses is plenty – and, in a domestic environment, it is. But in a busy shop, café, railway terminal etc. it’s not that generous. Sure, each address is handed out with an expiry built in (the DHCP ‘lease time’; some routers label it TTL, Time To Live). This means that, when a customer leaves, their address will eventually be returned to the pool for re-use. But phones rarely tell the router they are leaving, so the address is held until the lease runs out – and, judging by the number of times I fail to connect to a facility’s WiFi, that doesn’t happen fast enough.

What does it look like when your customers suffer from this lack? Their mobile will say “connected, obtaining IP address” and not have Internet access.

So, what can you do?

  • The first, and easiest, remedy is to regularly power-cycle the router. Yes, the old “turn it off, then turn it on again!” trick. On most consumer routers the lease table lives in memory, so a reboot empties it and the whole pool is available again. Make this part of your morning start-up routine.

For the rest, we need access to the router – more specifically the DHCP portion. If this is beyond you then you can always give us a ring.

  • Inspect the DHCP ‘pool’, and ensure it’s as big as possible. Different routers display the setting in different ways. But you should make sure that the pool is at least 225 addresses (on the usual setup the ceiling is just over 250; going beyond that means a bigger subnet, which is a job for your IT people).
  • Turn down the lease time (‘TTL’ on some routers). This is normally expressed in seconds, so 3600 is one hour. Probably plenty. Many routers default to a day or more; if it is that large the router will hold onto the allocation well after the customer has left*.
  • Change the WiFi password regularly. If you don’t then that one-time visitor from last year will walk past your café, automatically connect, and bag an address from the pool.

A few notes for the curious.

  • What we are talking about here is IPv4 addressing. This is written as four numbers separated by dots, each from 0 to 255 (e.g. 192.168.121.64). Don’t pad them with leading zeros – some software reads 064 as a different number. On the usual small-network setup you can’t fiddle with the first three numbers, it’s only the last one that changes. For various technical reasons you can’t use the first (.0, the network address) or the last (.255, the broadcast address). And the router will use one, generally .1 (or .254 if you’re a BT customer). I generally set the pool at .11 – .240, which gives 230 addresses. If you are really curious have a look here.
  • If the lease expires while the device is still connected it simply gets renewed – in fact a connected device asks to renew at the halfway point of the lease, so it never actually loses its address.
  • If you have ‘static’ kit (network printers, tills, card machines etc.) then always deal with these using a “DHCP Reservation” – NEVER NEVER allow them to have a “hard-coded IP address”! A hard-coded address that sits inside the pool will, sooner or later, also be handed to a visitor’s phone, and then neither device works. A reservation tells the router to give that device the same address every time (keyed on its hardware/MAC address), and keeps that address out of the visitor pool.
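To see the lease-time point in numbers, here is a small model of a DHCP pool under visitor churn, added as an example for this post (it is not Back Office IT’s code). The pool size, visitor rate and dwell time are assumptions: a .11 – .240 pool of 230 addresses, 100 new visitors an hour, each staying 25 minutes and leaving without telling the router. Run with the one-day lease many routers ship with, the pool is exhausted within about two and a half hours and every later visitor is refused; with a one-hour lease it never has more than 100 addresses in use.

```python
"""Event-driven model of a DHCP pool under visitor churn.

Added example for this post, not Back Office IT's code. Visitors arrive at
a steady rate (an assumption), stay for a fixed time and walk off without
sending DHCPRELEASE, which is how phones usually behave. A device that is
still present renews at half the lease time (T1), so an address is held
until its last renewal plus one full lease.
"""


class DhcpPool:
    """A /24-style pool: addresses first_host..last_host, one lease per MAC."""

    def __init__(self, first_host, last_host, lease_seconds):
        # e.g. first_host=11, last_host=240 gives 230 addresses
        self.free = [f"192.168.1.{n}" for n in range(first_host, last_host + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}  # mac -> (address, expiry time)

    def size(self):
        return len(self.free) + len(self.leases)

    def _reclaim(self, now):
        """Return expired leases to the free list (this is what a short lease buys you)."""
        for mac, (addr, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(addr)

    def request(self, mac, now):
        """DHCP request from `mac` at time `now`; returns an address or None."""
        self._reclaim(now)
        if mac in self.leases:  # live lease: same address, lease extended
            addr, _ = self.leases[mac]
            self.leases[mac] = (addr, now + self.lease_seconds)
            return addr
        if not self.free:
            return None  # the phone sits on "connected, obtaining IP address"
        addr = self.free.pop(0)
        self.leases[mac] = (addr, now + self.lease_seconds)
        return addr


def simulate(pool, visitors_per_hour, dwell_seconds, hours):
    """Steady arrivals over `hours`; returns (granted, refused, peak_in_use).

    Each visitor has a fresh MAC, asks on arrival, renews at T1 = lease/2
    while still present, and leaves without releasing the address.
    """
    gap = 3600 / visitors_per_hour
    events = []  # (time, mac, is_new_arrival)
    for i in range(int(visitors_per_hour * hours)):
        arrive = i * gap
        mac = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"
        events.append((arrive, mac, True))
        renew = arrive + pool.lease_seconds / 2
        while renew < arrive + dwell_seconds:
            events.append((renew, mac, False))
            renew += pool.lease_seconds / 2
    events.sort()
    granted = refused = peak = 0
    for now, mac, is_new in events:
        addr = pool.request(mac, now)
        if is_new:
            if addr is None:
                refused += 1
            else:
                granted += 1
        peak = max(peak, len(pool.leases))
    return granted, refused, peak


if __name__ == "__main__":
    for lease in (86400, 3600):  # a common one-day default vs one hour
        pool = DhcpPool(11, 240, lease)
        granted, refused, peak = simulate(pool, 100, 25 * 60, 8)
        print(f"lease {lease:6d}s: pool {pool.size()}, granted {granted}, "
              f"refused {refused}, peak in use {peak}")
```

The model is deliberately pessimistic about departures (nobody releases) and optimistic about arrivals (perfectly even), but that is the shape of a busy café. With the one-hour lease the number of addresses in use settles at roughly visitors per hour times lease length, which is the sum you want to compare against your pool size.
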