|
Message Center Major Change Update Notification
|
Weekly digest: Microsoft service updates
|
What is E-mail Spoofing?
What is Email Spoofing?
Email spoofing is the fabrication of an email header in the hopes of duping the recipient into thinking the email originated from someone or somewhere other than the intended source. Because core email protocols do not have a built-in method of authentication, it is commonplace for spam and phishing emails to use said spoofing to trick the recipient into trusting the origin of the message.
The ultimate goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation. Although the spoofed messages are usually just a nuisance requiring little action besides removal, the more malicious varieties can cause significant problems, and sometimes pose a real security threat.
As an example, a spoofed email may purport to be from a well-known retail business, asking the recipient to provide personal information like a password or credit card number. The fake email might even ask the recipient to click on a link offering a limited time deal, which is actually just a link to download and install malware on the recipient’s device.
One type of phishing – used in business email compromise – involves spoofing emails from the CEO or CFO of a company who works with suppliers in foreign countries, requesting that wire transfers to the supplier be sent to a different payment location.
How Email Spoofing Works
Email spoofing is possible because the Simple Mail Transfer Protocol (SMTP) does not provide a mechanism for address authentication. Although email address authentication protocols and mechanisms have been developed to combat email spoofing, adoption of those mechanisms has been slow.
Reasons for Email Spoofing
Although most well-known for phishing purposes, there are actually several reasons for spoofing sender addresses. These reasons can include:
- Hiding the sender’s true identity – though if this is the only goal, it can be achieved more easily by registering anonymous mail addresses.
- Avoiding spam block lists. If a sender is spamming, they are bound to be block listed quickly. A simple solution to this problem is to switch email addresses.
- Pretending to be someone the recipient knows, in order to, for example, ask for sensitive information or access to personal assets.
- Pretending to be from a business the recipient has a relationship with, as means of getting ahold of bank login details or other personal data.
- Tarnishing the image of the assumed sender, a character attack that places the so-called sender in a bad light.
- Sending messages in someone’s name can also be used to commit identity theft, for example, by requesting information from the victims financial or healthcare accounts.
Email Spoofing Protections
Since the email protocol SMTP (Simple Mail Transfer Protocol) lacks authentication, it has historically been easy to spoof a sender address. As a result, most email providers have become experts at detecting and alerting users to spam, rather than rejecting it altogether. But several frameworks have been developed to allow authentication of incoming messages:
- SPF (Sender Policy Framework): This checks whether a certain IP is authorized to send mail from a given domain. SPF may lead to false positives, and still requires the receiving server to do the work of checking an SPF record, and validating the email sender.
- DKIM (Domain Key Identified Mail): This method uses a pair of cryptographic keys that are used to sign outgoing messages, and validate incoming messages. However, because DKIM is only used to sign specific pieces of a message, the message can be forwarded without breaking the validity of the signature. This is technique is referred to as a “replay attack”.
- DMARC (Domain-Based Message Authentication, Reporting, and Conformance): This method gives a sender the option to let the receiver know whether its email is protected by SPF or DKIM, and what actions to take when dealing with mail that fails authentication. DMARC is not yet widely used.
How Emails are Spoofed
The easiest way to spoof mails is for the attacker finds a mail server with an open SMTP (Simple Mail Transfer Protocol) port. SMTP lacks any authentication so servers that are poorly configured have no protection against prospective cyber criminals. It’s also the case that there is nothing stopping a determined attackers from setting up their own email servers. This is very common in In cases of CEO/CFO fraud. Attackers will register domains easily confused for the company they are impersonating, where the email is originating from – e.g. “@exarnple.com” instead of “@example.com”. Depending on the formatting of the email, it might be extremely difficult for a regular user to notice the difference.
Although email spoofing is effective in forging an email address, the IP address of the computer sending the mail can generally be identified from the “Received:” line in the email header. This is frequently due to an innocent third party becoming infected by malware, which hijacks the system and sends emails without the owner even realizing it.
Why Email Spoofing is Important
To prevent becoming a victim of email spoofing, it is important to keep anti-malware software up to date, and to be wary of tactics used in social engineering. When unsure of the validity of an email, contacting the sender directly, especially if sharing private or financial information, can help to avoid an attack.
Message Center Major Change Update Notification
|
Message Center Major Change Update Notification
|
.
How to add your NVR to Internet Explorer’s Compatibility View – Long Version
How to add your NVR to Internet Explorer’s Compatibility View
When you’re setting up an IP camera or NVR, some devices require a browser to pre-configure your camera. For many devices this means using Internet Explorer and the ActiveX plugin.
This setup can be frustrating if you can only see a white screen.
Using a video recording and management system can allow you to view and configure devices in some situations. There are still occasions when you can only change your settings through Internet Explorer (IE), especially with the lower-end cameras on the market.
Let’s take a look at how to set up Internet Explorer to allow ActiveX controls. However, we advise against this for security reasons, but acknowledge that some reputable manufacturers still insist on forcing camera config through ActiveX.
Setting up IE to view your IP camera
This should work for all IP cameras of any brand. If you are logged into your camera in IE and see nothing, this will most likely work for you.
This guide shows you how to set up Internet Explorer 11 to allow ActiveX controls. This will allow your camera or other network device to display and function correctly.
1. Enabling Compatibility View
To resolve this issue, your first step is to enable your browser’s compatibility mode. By turning on this plug-in you’ll be able to see your camera live view pages correctly.
In the main menu select the cog icon (or ‘Tools’ for older versions of IE).
Click on ‘Compatibility View settings’
This opens the settings dialogue.
2. Adding your camera address
Next add your camera’s IP address (or domain) to the list of websites to be opened. The settings dialogue will open with the current website or camera already visible as you can see below.
You’ll notice an option to ‘display intranet sites in Compatibility View’. If you only have a few cameras leave this unchecked.
3. Installing ActiveX
Once you close the dialogue the browser will behave like an earlier version of IE. So, a dialogue asking you to install ActiveX from your camera should be visible at the bottom of the screen.
Hit allow and you’ll see you’re browser reloading.
4. Enabling ActiveX
Check that you’ve enabled ActiveX, by clicking on the gear, then internet options, then the security tab.
Click the trusted sites tick and open the sites dialogue box.
Add your URL as a trusted site and it’ll appear in the ‘websites’ list. Uncheck the option to require server validation.
Remember to add both your internal and external IP addresses as trusted sites if necessary.
Next, you’ll be taken back to the security tab. Click on the ‘custom level’ button, which takes you into another dialogue box.
Enable all ActiveX controls.
That’s it! You should now be able to see the login screen of your device.
Viewing multiple cameras
If you want to view multiple cameras enable the option to display sites in Compatibility View. This is useful if you have a lot of cameras to view or configure. You can use different browser tabs to set up different cameras.
Please note this will affect all websites viewed through the IE browser. You can deselect this option later, if necessary.
Edge browser
Microsoft’s Edge browser behaves more like Firefox or Chrome and does not support plugin technologies like ActiveX. It doesn’t even support Microsoft’s own Silverlight player.
However, most cameras have a live view for viewing video, which is often displayed by default. Accessing configuration settings should be OK in most cases.
Where you require plugins to access your settings you will need to use the Internet Explorer 11 browser.
Microsoft has left IE11 on Windows PCs for just this reason. Compatibility View settings are in IE 11 but are absent from Microsoft Edge. Search your Windows PC for ‘Internet Explorer’ if you don’t see the icon.
Troubleshooting
One other small thing to note is that dialogues can sometimes take a while to show. After visiting your camera’s home page just wait a minute at least before assuming that nothing is happening.
The wrap up
Congratulations, you should now be able to remotely pre-configure your IP device, having enabled Compatibility View and installed ActiveX.
If you’re still having issues please Call Computers N’ Stuff of Waco at 254-735-0524 Opt 2 to open a ticket, or go to www.help.cnswaco.com
5 Cybersecurity Tips
Imagine waking up one day only to realize that the company you work for has been hacked. Your files are missing, bank accounts are hijacked, and sensitive information is on the loose. Although this sounds like a rare situation, it has become more prevalent in this day and age. While there are some solutions to catching hijackers and cybercriminals, the damage done can be quite extensive. Furthermore, cyber attackers can now attack a company from many different angles. This is why, today more than ever, it is extremely important to understand cybersecurity best practices and to make sure you’re staying as protected as possible. However, cybersecurity isn’t only about protecting your infrastructure and device endpoints. There are other assets that cyber attackers have been focused on — employees. While there are many employees trained in cybersecurity best practices, many employees act carelessly when it comes to staying protected. Employees may not care about protecting the company or they may not know how to best protect their information. Whatever the case may be, ensuring top-notch cyber protection at the workplace can help prevent a disaster. Not only can a hijacking lead to the release of confidential information, but it can also result in the termination of an employee. In this post, we’ll discuss 5 cybersecurity tips for employees.
Keep an Eye on Your Devices
A top method for a cyber attack starts with the theft of important devices. Whether it’s a phone, computer, tablet, or even a notebook, these all can contain valuable information that might be used for a cyberattack. No matter how small your business is, keeping your devices safe is a best practice to follow. Devices such as laptops are very important to keep an eye on, as these can be used to stir up a great deal of confidential information. In addition, if you don’t need a password to enter into your device, it makes it that much easier for a cyberattacker to access very important material. Therefore, it’s always best to keep a close eye on your devices. If you have your devices in a public place, always have them in an arms reach. If you have to step away for a few minutes, take your devices with you. However, watching your stuff doesn’t only pertain to being in public. Even at the workplace, things get stolen and devices get hijacked. Always keep a close eye on your phone, laptop, and other devices. While this mostly pertains to large companies with many employees, small businesses too are also at risk. It’s best practice not to get careless with your devices and to always know where they are.
Practice Proper Web Browsing Techniques
Another popular way for cyberattackers to make their money happens when employees carelessly use the web. While an employee may feel that they’re doing nothing wrong, an attacker may take advantage of their careless mistakes. While there are some obvious threats that you know not to fall for, other threats aren’t so apparent. Keep reading to find out some common threats to be aware of while browsing the web.
Maladvertising
This threat is a type of malicious code that distributes malware through online advertising. This can be hidden within an ad, included with software downloads, or embedded on a web page. What makes this so threatening is that maladvertising can be displayed on any website, even ones thought to be trustworthy.
Social Media Scams
With the explosion of social media in the last 10 years, cyberattackers have been hard at work developing scamming techniques. Whether it’s through click-jacking, phishing techniques, fake pages, or rogue applications, hackers have been very successful with these social media scams. While Facebook is a common platform used for hacking, Twitter also poses many threats. This is because Twitter is both a microblogging site and also a search engine.
Web Browsing Tips
- Don’t click on any ads or links that seem fishy
- Don’t click on links in emails
- Only interact with well-known sites
- Confirm you’re using non-fraudulent sites
- Be cautious with online downloads
Keep Mobile Devices Secure
While you might think that the biggest threat to cyberattacks involves the use of your computer, your mobile devices are also something to pay attention to. With the growing sophistication of cell phones, tablets, and laptops, hackers are chomping at the bit trying to get their hands on any of these devices. Cell phones are basically a mini-computer nowadays and tons of confidential information can be easily assessable on them. This is why mobile security is more important than ever. However, given the small size of these devices, it poses many challenges to stay safe. Since laptops and phones are getting smaller by the day, it’s now harder to keep an eye on these devices, in addition to trying not to lose them. However, there are multiple security measures you can take to ensure that your mobile devices are secure. From security apps to creative passwords, there are numerous things you can do to keep these cyberattackers at bay. Take a look at a few of these solutions below:
- Keep Devices Clean — As with most things in life, a good cleaning is usually beneficial. Same goes for your mobile devices. With so much information on such a small device, it’s vital that you clean up your device from time to time by deleting files and using an antivirus program.
- Setup a Passcode — Sometimes all it takes to stay protected from a cyberattacker is a strong password. This is the first thing that the attacker has to crack, so this is your first line of defense. Make the password unique and difficult to guess.
Keep a Clean Desk
Another tip for staying safe in the workplace involves cleaning your desk. It may sound so simple, but a messy desk has a strong chance of obtaining some important information. Remember that note you got from your boss last month? How about those files that were put on your desk last Tuesday? If you forget about these materials and they contain some confidential information, you could risk a cyberattack. Furthermore, if someone steals something from your messy desk, it can be very difficult to notice. Sometimes days or even months go by before you notice that note is missing or that folder isn’t there anymore. While you’ve gone a long period of time without even knowing these materials went missing, you could already be a victim of a cyberattack. Here are some other common mistakes to avoid:
- Leaving USB drives or phones out in the open
- Writing down usernames and passwords and leaving them on your desk
- Leaving credit cards out in the open
- Forgetting to erase notes
- Leaving confidential papers on your desk for extended periods of time
- Forgetting to lock a cabinet or drawer
Be sure to avoid these mistakes as they can make it that much easier for a cyberattacker to access your important information.
Beware of Phishing Attacks
Phishing is a fraudulent practice that involves emails being sent to entities to induce the exposure of credit card numbers, usernames and passwords, or other valuable information. Attackers may pose to be friends, family, or trusted businesses in order to gain information from an employee. Another tactic that makes these attackers successful is the appearance of authority. They may mention something requested by the CEO or something that involves some of the higher-ups. Since employees never want to disappoint the CEO, falling victim to these attacks is common. While it’s very common for an attacker to try to impersonate someone else, they might take another approach. Sometimes links are embedded into emails that will redirect the employee to a fraudulent web page, or sometimes the attacker might attach a file that can expose confidential information if downloaded. Understanding these different methods used by hijackers can help protect you from a cyber disaster. Take a look at a few other best practices below:
- Verify suspicious email requests by contacting them directly
- Utilize malware and antivirus protection programs
- Check the security of websites
- NEVER reveal personal or financial information via email
While phishing is a common technique used by cyberattackers, understanding how to protect yourself can make you well-prepared for anything that comes your way.
Say Goodbye to Cyberattackers!
Even with the many methods of attack for these cyber-hijackers, there are many things you can do to ensure you’re staying protected. While following the list above will get you well on your way to staying educated on the topic, your employers should also consider training their employees on best practices. Even if it’s done once a year, cyberattack trainings can go a very long way. Try talking to your boss about it in the next meeting or go the extra mile and talk to your whole team about it in a group discussion. Another method of protection involves hiring a company that specializes in cybersecurity. These companies are growing by the second and there are many services available for both large and small businesses. Whether you seek external resources for your cybersecurity efforts or you prefer an in-house approach, cybersecurity is something not to shy away from. Not only can a cyberattack lead to lost revenue and the exposure of confidential information, but it can also send a company burning to the ground. By using the five tips mentioned above, employees can stay safe from the trickery of cyberattackers.
E-mail etiquette
Emoji or no emoji? To sign on with a ‘Dear’ or a ‘Hi’, or nothing at all? What about whether to use ‘Yours sincerely’, or a ‘Cheers’?
Emails can be hard. A well-crafted email can make the difference between a successful working relationship or potential confusion, insult or conflict – all of which can be heightened if your employees are constantly working remotely.
The appropriate email communication can vary depending on multiple factors including what industry you work in, if you are writing to a superior or a peer, if you are writing to one or several recipients, and if you are writing across cultures.
However, there are some basic dos and don’ts that HR and People teams can use to guide employees.
1. Include a clear subject matter, and don’t shout
Always include a subject matter that succinctly captures what your email is about. If your email is urgent or requires immediate response, include this in the subject line, but do this sparingly. If your email isn’t urgent, then you will only annoy people by crying wolf.
Don’t capitalize all your letters, no matter how urgent your email is, as you will look aggressive – it’s like SHOUTING OVER EMAIL.
2. Always use an appropriate greeting
Salutations are hotly debated. Many argue that you should always use a formal greeting. This depends on the recipient. If you are writing to a close colleague or your team, an informal ‘Hi’ will likely be sufficient.
If you are writing in a chain of emails where the context has already been established in a prior email or even by phone, then it’s fine to write with no greeting.
If you are writing to someone you don’t know so well, then always add a formal salutation and an introduction.
3. Only use shorthand if you know your recipients
If you are writing to your own team about a project that you have been discussing, then you can write short, instructive emails with a list of bullet points. This means they can quickly understand the task and it’s far easier to read on a smartphone.
However, sending a note like this to people you don’t know can make you appear blunt, rude and even a bully. If you don’t have a pre-existing relationship with the recipient, then you need to build one up first before writing shorthand emails.
Equally, don’t write emails that are superfluous, as this will just bore the recipient.
4. Be wary of using humor or colloquialism across cultures
Be aware that funny sayings or colloquialisms may be completely misconstrued by your colleagues in overseas offices. At worst, you could insult them, at best; you can make them feel confused or left out.
5. Consider the purpose of your email
Always state if your email needs an action and by when. Open-ended emails can be confusing. Having an action or even letting the recipient know that no further action is required is helpful.
Whatever you do, before you click send, visualize what you want to achieve and modify your language as such.
6. Think before you smile
Emojis have crept into everyday use. With the increase of email and text communication, it’s impossible to see facial expressions so people add smiley faces to soften their emails. However, a 2017 study showed that this could make the sender appear incompetent.
It depends on the norm in your organization and sector but be mindful of when and to who you’re sending emojis to. If you’re sending them to people you know well, and you know will understand them, then that is fine. If not, then consider if they’re really needed.
7. Don’t hit reply all or CC everyone
Have you checked that you’re only communicating to the people you need to communicate to? It can be annoying to be copied into every email or to see every response in a chain if it is not relevant to your recipient.
8. Reply in a timely fashion
Always reply within 24 hours, even if it is to acknowledge an email and explain that you will revert with an appropriate response within a defined timescale. People don’t like to be ignored!
9. Think about where your email could end up
Never use inappropriate language in a work email. The reality is that your email will remain on the server long after you have deleted it.
The issue may be resolved but your email will still be in existence and you would not want to cause offence or get into trouble for something you foolishly wrote without much thought.
10. Always spell check
Sending emails with spelling mistakes and grammatical errors can be infuriating for colleagues. They could imply that you’re too lazy to use the spell checker before you click send. Take the time to re-read your emails, make sure they make sense and have the right tone before you send them.
It’s all about context
Ultimately, there are so many ways to write an email and each employee has a different and unique style.
It all boils down to context. Who are your employees writing to? How well do they know the recipient? Do they know them in person or just virtually? How will the email be interpreted? And what are they trying to achieve through the communication?
HR and People teams can guide employees in the different internal communication styles and set the tone for the organization – both by setting an example, but also through things like inductions, and in training for managers.
Make sure your employees know the dos and don’ts of internal email communication and if you’re not sure if they do, ask them. It’s better to be safe than sorry!
How to Spot a Phishing E-mail
With the recent surge in Cyber crime, we at CNS want to start posting some articles from the top experts and other industry leading experts to help our customers and other users understand how better to protect themselves.
Today’s article is from Mike James at the National Cyber Security Alliance, original article: https://staysafeonline.org/blog/5-ways-spot-phishing-emails/
A phishing attack is a form of social engineering by which cyber criminals attempt to trick individuals by creating and sending fake emails that appear to be from an authentic source, such as a business or colleague. The email might ask you to confirm personal account information such as a password or prompt you to open a malicious attachment that infects your computer with a virus or malware.
Phishing emails are one of the most common online threats, so it is important to be aware of the tell-tale signs and know what to do when you encounter them. Here are five ways to spot phishing attacks.
- The email asks you to confirm personal information
Often an email will arrive in your inbox that looks very authentic. Whether this email matches the style used by your company or that of an external business such as a bank, hackers can go to painstaking lengths to ensure that it imitates the real thing. However, when this authentic-looking email makes requests that you wouldn’t normally expect, it’s often a strong giveaway that it’s not from a trusted source after all.
Keep an eye out for emails requesting you to confirm personal information that you would never usually provide, such as banking details or login credentials. Do not reply or click any links and if you think there’s a possibility that the email is genuine, you should search online and contact the organization directly – do not use any communication method provided in the email.
- The web and email addresses do not look genuine
It is often the case that a phishing email will come from an address that appears to be genuine. Criminals aim to trick recipients by including the name of a legitimate company within the structure of email and web addresses. If you only glance at these details they can look very real but if you take a moment to actually examine the email address you may find that it’s a bogus variation intended to appear authentic ‒ for example: @mail.airbnb.work as opposed to @Airbnb.com
Malicious links can also be concealed with the body of email text, often alongside genuine ones. Before clicking on links, hover over and inspect each one first.
- It’s poorly written
It is amazing how often you can spot a phishing email simply by the poor language used in the body of the message. Read the email and check for spelling and grammatical mistakes, as well as strange turns of phrase. Emails from legitimate companies will have been constructed by professional writers and exhaustively checked for spelling, grammar and legality errors. If you have received an unexpected email from a company, and it is riddled with mistakes, this can be a strong indicator it is actually a phish.
Interestingly, there is even the suggestion that scam emails are deliberately poorly written to ensure that they only trick the most gullible targets.
- There’s a suspicious attachment
Alarm bells should be ringing if you receive an email from a company out of the blue that contains an attachment, especially if it relates to something unexpected. The attachment could contain a malicious URL or trojan, leading to the installation of a virus or malware on your PC or network. Even if you think an attachment is genuine, it’s good practice to always scan it first using antivirus software.
- The message is designed to make you panic
It is common for phishing emails to instill panic in the recipient. The email may claim that your account may have been compromised and the only way to verify it is to enter your login details. Alternatively, the email might state that your account will be closed if you do not act immediately. Ensure that you take the time to really think about whether an email is asking something reasonable of you. If you’re unsure, contact the company through other methods.
Ultimately, being cautious with emails can’t hurt. Always member this top
STOP. THINK. CONNECT.™ tip:
When in doubt, throw it out: Links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.