Every so often, I get an email forwarded to me by a friend, client, or colleague, about the latest email circulating with a malicious attachment designed to entice people to click on it to launch a pernicious piece of malware. They always ask the same thing, “Is this for real?” Some of the warnings are hoaxes made up by people with too much time on their hands, but many are about real threats. Regardless, the concept is constant: If you click on an email attachment, it could trigger a nasty payload. Here is a recent example: http://homelandsecuritynewswire.com/single.php?id=8378
Unfortunately, malware purveyors have gotten quite clever over the years by latching onto interesting topics — Obama, Sarah Palin, swine flu, etc. Remember Anna Kournikova? The sender could appear to be a friend, prospective client or employee, the IRS, etc.
Microsoft makes it easy for malware distributors to trick people into clicking on malicious email attachments, by hiding extensions for known file types. For example, some slimeball could send you an email with an attachment named resume.doc.exe, and it would appear as resume.doc. Even Windows 7, the next-generation operating system from Microsoft, has this “feature.” http://blogs.pcmag.com/securitywatch/2009/05/double_file_extensions_still_w.php Thanks, Microsoft.
How do you fix this giant security hole Microsoft put on your computer? Go into the Control Panel, and open Folder Options. Next, click on the View tab, and UNCHECK Hide extensions for known file types, then click on OK. That will help, but will not substitute for caution.
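The double-extension trick described above can also be caught before a message reaches the inbox. The following Python sketch is an added example, not part of the original post; the extension lists, the function names and the sample attachment names are assumptions made for illustration, and the display model is a simplification of what Windows does.

```python
import os

# Assumed, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".pdf", ".txt", ".jpg", ".zip"}


def _normalize(filename):
    # Windows ignores trailing dots and spaces, so drop them before comparing.
    return filename.strip().rstrip(". ").lower()


def name_with_extension_hidden(filename):
    """Simplified model of the Explorer display when known extensions are hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_disguised_executable(filename):
    """True when an executable extension follows a document-looking one."""
    stem, ext = os.path.splitext(_normalize(filename))
    if ext not in EXECUTABLE_EXTS:
        return False
    # Padding between the two extensions ("a.pdf     .scr") is stripped first.
    inner_ext = os.path.splitext(stem.rstrip(" ._"))[1]
    return inner_ext in DOCUMENT_EXTS


def flag_attachments(filenames):
    """Return (real name, name as displayed) for each disguised attachment."""
    return [(n, name_with_extension_hidden(n))
            for n in filenames if is_disguised_executable(n)]


# Constructed sample: attachment names as a mail gateway might list them.
SAMPLE_ATTACHMENTS = ["resume.doc.exe", "resume.doc", "setup.exe",
                      "Invoice.PDF   .scr", "photos.tar.gz"]

if __name__ == "__main__":
    for real, shown in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{real!r} would be displayed as {shown!r}")
```

A plain setup.exe is deliberately not flagged here: it is executable, but it is not pretending to be a document, so it belongs to a different filtering rule.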
Con artists are targeting eBay users with a phishing email intended to steal personal information. The following image is a capture of an email I received this morning. When I moused over the link to take me to the eBay form, I saw that it did not in fact lead to ebay.com, but instead to cgi.ebay.com.jiki.com.mx — a fraud site. You could use the mouseover method I employed, or just open your web browser and go to eBay to check your account. Do not click the link in the email! Also, you could forward the email to email@example.com for analysis.
These principles apply to any email you receive, especially those purporting to be from e-commerce sites, banks or other financial institutions. Sadly, neither Postini nor the Outlook 2007 spam filter quarantined this message. Remember, YOU are the last line of defense against fraudsters.
Imagine how much more enjoyable reading our email would be, and how much less time we would waste, if everyone with whom we wish to communicate would practice proper email etiquette. Since training in proper email usage is not a prerequisite to getting an email account, many otherwise polite people don’t know the proper email etiquette to help them be considerate and respectful of other people’s time dealing with email. Here are a few basics.
SUBJECT. Every email message needs a descriptive one, so the recipient knows what you are writing about. If your name is Joe Schmoe, “From Joe Schmoe,” is not a useful subject. Email programs already tell us who the message is from. A proper subject makes it much easier for the recipient to find and follow up on your message in the future.
TO, CC, BCC. As a general rule, when you send email to more than a few people, the recipients should be blind copied, to protect their privacy, keep their email addresses from being collected by viruses on other recipients’ computers, and to keep from cluttering the message. Nobody wants to have to look at a page of email addresses on top of a two-sentence message! Many years ago, I maintained a distribution list of about seventy-five people to whom I regularly sent important announcements. When somebody sent a completely off-topic reply to all, I learned to use BCC and never looked back. An exception to this rule is when your email is part of a discussion, and you want people to reply to all.
REPLY, REPLY to ALL. Before replying to all, consider whether or not others on the list need or want to see your response. If they do, go for it, but otherwise. . . Whatever you do, refrain from sending an off-topic response. Doing so is the email equivalent of belching at the opera. If you need to write on another topic, please create a new email message with a topic-appropriate subject.
FORWARD. We all get email forwarded to us, usually rumors and heart-wrenching stories about Johnnie the orphan. They usually start out, “This is a true story. I verified it on Snopes,” and end up with, “Forward this to everyone you know.” Delete it. These are very rarely true. Microsoft did not just email your friend about the worst virus outbreak ever; nor did the FBI email your friend’s coworker about six Middle Eastern men apprehended with photographs and descriptions of a nuclear power plant. If you are curious, Google it, but don’t forward the message. When you encounter something that would interest a friend or client — hopefully, nothing that’s mentioned above — clean out all the extraneous email addresses and comments made by others, and just send the actual content. Please do not make your recipient open several layers of nested attachments to get to the content.
CLEAN UP. Always consider what is necessary for recipients to see when you reply. It is not necessary to quote a two-page message and another page of email addresses when your response is, “I can make it to dinner Friday night.” In many cases, you can go into the body of the email message and hit Ctrl-A, to highlight the entire text, then hit Delete to delete it, before typing your message. In other instances, it’s appropriate to snip out extraneous text. Use your judgment regarding what’s appropriate.
RECYCLING. Sometimes it’s necessary to recycle an old email message, especially if you do not have a distribution list for your intended recipients. Make sure to change the subject line to one appropriate for this email message, and delete the entire original message before typing a new one.
cAPS lOCK. Make sure that it’s off, because when you type in all caps, it looks like you are SHOUTING!
DON’T BE the ONE to send out email like the following. Have mercy on the poor schmuck who needs to print out your address and six pages of extraneous junk comes out of his printer!
If you have ever had a business relationship with a financial institution, you should know that they have access to a variety of your personal information. You may not realize that they can, without your permission, disclose this information to their “affiliates” and non-affiliated third parties. Additionally, they can change their disclosure policies at any time. Here is a typical financial institution privacy notice, which outlines what type of information they collect and disclose to others. They make it your obligation to “opt out” of disclosure. They also make it your problem to figure out and provide your account numbers. So, if you have a checking account, savings account, and a CD, you must provide account numbers for all three, to prevent disclosure of your personal information. Although they do freely provide your personal information to their other business units and affiliates, if you are a customer of one of these units or affiliates, you are on your own to separately contact them to “opt out” of disclosure.
Clearly, the rules make it easy for financial institutions to monetize your personal information and difficult for you to prevent disclosure of your personal information. What’s wrong with this picture? Isn’t it time to change our privacy laws to require explicit permission to release your personal information? For your privacy, you should demand that your elected officials enact “opt in” privacy laws.
Occasionally, I hear from clients who suddenly cannot send email, even though they can receive it, using Outlook, Outlook Express, Thunderbird, or another client-based email program. Email they attempt to send is stuck in their Outbox. [NOTE: If you get an authentication error, you will need to resolve that with your email provider; otherwise, read on.] Sometimes their ISP — usually a cable company — decides to block port 25, the standard outgoing SMTP email port, in which case changing the SMTP port to 587 usually fixes the problem. More often than not, however, the problem is with the email they are attempting to send. Here’s how to tell.
First of all, as soon as you attempt to send one problem email, i.e., one that gets stuck in the outbox, subsequent emails are stuck in the outbox, waiting for the first one to go out. Create a new folder within your Inbox. Name it Test, or give it another name if you prefer. Drag the oldest email message — the first one to get stuck — from the Outbox into the new folder. Hopefully, the other messages, if any, stuck in the Outbox will go out. If not, drag them one at a time, starting with the oldest one first, into the new folder, until newer ones automatically go out, or the Outbox is empty. Alternatively, you can drag them all at once into the new folder. Now the Outbox is empty. Assuming that the Outbox did not automatically empty itself, create a test email, carefully addressed to yourself. The subject and body can both just say “Hello.” If it does go out, you are ready to troubleshoot the problem email messages; otherwise, your problem is beyond the scope of today’s post.
More often than not, the problem is with invalid email addresses. One by one, click on the email addresses of the recipients, to verify that they are real email addresses. You will need to fix invalid ones. Quite frequently, your invalid “email addresses” are actually business fax numbers. Microsoft Outlook was designed to show fax numbers as email addresses when you select names via the To or CC buttons. In their infinite wisdom, Microsoft equates electronic addresses, which include fax numbers, with email addresses. One workaround to this architectural flaw is to precede fax numbers with text, such as F for fax. This way, fax numbers will not show up as email addresses. Microsoft offers links to third-party vendors, such as Sperry Software http://www.sperrysoftware.com/outlook/Hide-Fax-Numbers.asp to fix the problem. Your last option is to be careful not to select “email addresses” that are actually fax numbers. For some people this option will work successfully, but for many it will result in having to seek this article again in the near future.
Most information security professionals agree that passwords, in order to be effective, need to be complex and use at least three of the following: uppercase letters, lowercase letters, numbers, and special characters (e.g., !, $, ), ?, etc.). There is, however, strong disagreement about usability. For example, many will argue that Z9!*pQZ7Rn! is a good password. Not in my book! In order to be effective, a password has to be both strong and memorable. Aside from being terribly hard to type, the only thing memorable about Z9!*pQZ7Rn! is that it’s nearly impossible to remember. Passphrases, but not common ones like America’sTeam, can be quite effective. Redskin fans may be inclined to use HailToTheRedskins, but instead should modify it to something like rail,2theHEADskins. You should be able to make your own quirky passphrases that cannot be guessed or easily cracked by password-breaking software attacks. Anybody who knows you should know the names of family members and pets, so they fail the first criterion. For Windows logons, any password under eight characters can be easily broken, as can most under fifteen characters. Wireless network encryption keys should be at least twenty-eight characters, to be effective. In most cases, the key only needs to be typed once, so such a long key is not usually a big problem. On the flip side, asking paying customers in a coffee shop to type a twenty-eight character encryption key would be a risky business proposition!
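The criteria in the paragraph above (three of four character classes, the eight- and fifteen-character thresholds, no names of family or pets, no common phrases) can be combined into one review function. The following Python sketch is an added example, not part of the original post; the function names and the word lists passed to it are assumptions, and memorability cannot be measured by code.

```python
import string


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def _squeeze(text):
    # Compare phrases without case, spaces or punctuation.
    return "".join(c for c in text.lower() if c.isalnum())


def review_password(password, personal_words=(), common_phrases=()):
    """Return a list of problems; an empty list means none were found."""
    problems = []
    if character_classes(password) < 3:
        problems.append("fewer than three character classes")
    if len(password) < 8:
        problems.append("under eight characters")
    elif len(password) < 15:
        problems.append("under fifteen characters")
    for word in personal_words:  # names of family members, pets, and so on
        if word.lower() in password.lower():
            problems.append(f"contains personal name: {word}")
    for phrase in common_phrases:
        if _squeeze(phrase) in _squeeze(password):
            problems.append(f"common phrase: {phrase}")
    return problems


# Assumed list of well-known phrases, for illustration only.
COMMON_PHRASES = ("Hail to the Redskins", "America's Team")

if __name__ == "__main__":
    for candidate in ("Z9!*pQZ7Rn!", "HailToTheRedskins", "rail,2theHEADskins"):
        print(candidate, review_password(candidate, (), COMMON_PHRASES))
```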
It’s important to consider just what you are protecting with your passwords. For most people, your password to a newspaper web site is not that important, unless they have your credit card number, or other confidential or proprietary information; however, if you have a high profile, you certainly do not want people making unauthorized comments in your name. Bank and brokerage accounts are intuitively obvious, but email accounts are also very important. For example, once someone has access to your email, that person can attempt to log in to any online account and click the Forgot Password link. Many sites will email the password or a password reset link. It gets quite ugly from there!
Lastly, consider physical security. If you are in a location with access by those who should not have your passwords, do not have your passwords written down. Likewise, do not let your web browser manage passwords for any accounts that you need to protect. There are many robust password safes that require a master password to access. Norton’s Identity Safe is one such product.
Please remember — it’s your privacy. Do what you can to protect it.