Category Archives: Security

Avoiding Email Scams

Being one of the more technologically capable members of my social circle, I am often asked if a specific email is a scam.

Usually it is.

But what if it seems real?  What do you do if that email honestly feels legitimate?  Well, I’ve been thinking about how to simplify my own rules and actions into general “rules of thumb” for others to easily understand and follow.

Here’s what I’ve got:

  • Is the email unexpected?
  • Get the URL / contact info with Google
  • Google the email itself

Let’s break these down.

Is the email unexpected?

Let me explain this with a couple examples.  If you go to a web page and click “I forgot my password,” I imagine the subsequent “password reset” email is fairly unsurprising.  It’s safe to say that this is not a scam.

Alternatively, let’s say you’ve simply been enjoying your day, doing cartwheels and whatnot, and then you get a “password reset” email.  Here, most likely, someone else is trying to reset your password, or it’s a scam.  The link may take you to a fake (but identical looking) website, asking you to enter your old and new passwords.  You’ll then be handing your password over to whoever runs that site.

If an email is spontaneous, if you weren’t expecting it, there’s a very strong chance that it’s a bad email that means you harm.

But is it possible for an unexpected email to be legitimate?

Yes.

That is the point of email after all, to notify you of things.  Sometimes those things require actions on your part.  Perhaps the site has suffered data loss due to a hack, and wants everyone to change their password.  Well, when something like this happens, consider my next rule of thumb.

Get the URL / contact info with Google

It doesn’t have to be Google, of course.  Feel free to use Ask Jeeves or… Bing.  But the spirit of this rule is to only allow the email to serve as a notification; don’t let it help you accomplish the task.  If it supplies a handy link to take you somewhere, don’t use it.  Pretend you deleted the email accidentally, but still want to do what it said.

Maybe that means going to the website manually and finding the option to reset your password.  Or, maybe that means googling for the contact info, calling, and asking about it – do NOT use a phone number supplied in the email.

The point is that by doing this you’re now doing something outside the control of the scammer. The whole mission of the scam is to scare you into clicking their link or calling their number.
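The following PowerShell script is an added example, not code from the original post. It shows why the rule above works: it lists every link in an HTML email and reports where each one really goes, which is exactly what a lure's link text is designed to hide. The message in $SampleHtml is constructed for this example, and example.com / example.net are reserved documentation domains standing in for a real service; the claimed domain is an assumed input.

```powershell
# Added example (not from the original post): report the real destination of
# every link in an HTML email and flag the ones that do not belong to the
# service the email claims to come from. $SampleHtml is a constructed message.

$SampleHtml = @"
<p>We detected unusual activity on your account. Please reset your password now.</p>
<a href="https://example.com.account-verify.example.net/reset?id=123">https://www.example.com/reset</a>
<br>
<a href="https://www.example.com/help">Help center</a>
"@

function Get-EmailLinkReport {
    param(
        [Parameter(Mandatory)][string]$Html,
        # Registrable domain of the service the email claims to be from (assumed input)
        [Parameter(Mandatory)][string]$ClaimedDomain
    )

    $anchor = '<a\s[^>]*href="(?<href>[^"]+)"[^>]*>(?<text>.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $anchor, 'IgnoreCase,Singleline')) {
        $href = $m.Groups['href'].Value
        $text = $m.Groups['text'].Value.Trim()

        $uri = $null
        if (-not [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)) { continue }

        # A host belongs to the claimed service only if it IS that domain or ends with ".<domain>".
        # "example.com.account-verify.example.net" CONTAINS example.com but is owned by example.net.
        $sameSite = ($uri.Host -eq $ClaimedDomain) -or
                    $uri.Host.EndsWith(".$ClaimedDomain", [System.StringComparison]::OrdinalIgnoreCase)

        # Link text that looks like a URL but differs from the real destination is the classic lure.
        $textUri  = $null
        $textHost = if ([System.Uri]::TryCreate($text, [System.UriKind]::Absolute, [ref]$textUri)) { $textUri.Host } else { $null }
        $textMismatch = [bool]$textHost -and ($textHost -ne $uri.Host)

        $verdict = if (-not $sameSite -or $textMismatch) { 'SUSPICIOUS - go to the site yourself' } else { 'matches claimed site' }

        [pscustomobject]@{
            LinkText = $text
            RealHost = $uri.Host
            Verdict  = $verdict
        }
    }
}

Get-EmailLinkReport -Html $SampleHtml -ClaimedDomain 'example.com' | Format-Table -AutoSize
```

The first link is flagged twice over: its text claims www.example.com while the real host is under example.net, and that host is not a subdomain of the claimed domain even though it contains the words “example.com”. Note that a mismatch is a reason to go to the site yourself, as the rule says; a link that passes this check is still not proof the email is genuine.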

Google the email itself

Another tip is to Google parts of the email.  Often this will take you to discussions about the very same email.  Reading through what others have to say can help you determine if it’s a harmful email and even give you some insight into how others know.

Hopefully this post can help even just one person avoid even just one scam.

Windows: Change Yourself From Admin to a Standard User

A practice that can help maintain security on your Windows machine is to not run as an Admin all the time.  It’s far more secure to run as a Standard User and when you need Admin privileges, you enter the credentials of a different user that is an Admin.

But what if you’ve already been running as an Admin for a while and have your account set up just how you like?

This was my thought process whenever I heard the advice of running as a Standard User instead of an Admin.

Next time I set up a machine for myself, I’ll set my main account as a Standard User…

But it turns out that was entirely misplaced hesitation because switching down to a standard user couldn’t be easier.

Simply create yourself an extra Admin account with a good password, and then in the Users section of the Control Panel, change the level of your own account down to Standard.  Done!
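The same two steps can be done from an elevated PowerShell session. The script below is an added example, not from the original post; it assumes Windows 10/11 with the Microsoft.PowerShell.LocalAccounts cmdlets and that your everyday account is a local account. The account name 'backup-admin' is a placeholder. The one thing it adds to the Control Panel procedure is a safety check: it refuses to demote you unless another enabled Administrator actually exists, so a mistake in step 1 cannot leave the machine with no usable admin.

```powershell
# Added example, not from the original post: demote your everyday account to
# Standard User after creating a separate Admin account. Run from an elevated
# PowerShell on Windows 10/11. 'backup-admin' is a placeholder account name.

$BackupAdmin = 'backup-admin'     # placeholder name for the extra Admin account
$Me          = $env:USERNAME      # the everyday account being demoted to Standard

# Step 1: create the extra Admin account with a good password (prompted, never hard-coded)
$pw = Read-Host -Prompt "Password for $BackupAdmin" -AsSecureString
New-LocalUser -Name $BackupAdmin -Password $pw -Description 'Elevation-only account' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $BackupAdmin
Add-LocalGroupMember -Group 'Administrators' -Member $BackupAdmin

# Safety check: is there at least one OTHER enabled local user in Administrators?
# (The built-in Administrator account is usually disabled, so it must not count.)
$mySid       = (Get-LocalUser -Name $Me).SID.Value
$enabledSids = (Get-LocalUser | Where-Object Enabled).SID.Value
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $mySid -and $_.SID.Value -in $enabledSids }

if (-not $otherAdmins) {
    throw "Refusing to demote $Me: no other enabled local Administrator exists."
}

# Step 2: drop your own account to Standard. It stays in 'Users', so it keeps working;
# from now on UAC prompts ask for the backup admin's credentials instead of just a click.
Remove-LocalGroupMember -Group 'Administrators' -Member $Me
Write-Host "$Me is now a Standard User. Enter the password for $BackupAdmin when UAC asks for admin credentials."
```

Log out and back in after running it: group membership is read at logon, so the current session still carries the old Administrators token until then.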

Expiring Passwords Hurt Security

Expiring passwords is a common practice in enterprise policies.  I’ve often been forced to change them on Windows, individual servers, work cell phones, and even the work voicemail.

The theory is that forcing password changes will make it harder for others to gain permanent access to a system, and I applaud the effort.  However, if you really think about the impact this policy has on the users, and the lack of impact it has on the pesky bad guys, you’ll understand what I mean when I say this policy is overall detrimental.

Patterns vs. Security

Periodically rotating passwords shrinks the attack surface by voiding any compromised passwords.  Good.

But the human factor of your users comes into play.  The users must be able to remember their password.  This causes them to use a memorable password, and when the password expires periodically, the password needs to be more than memorable.  They need to be able to think through what their password is.  They need to come up with a process that remains the same, but produces a different password.  As an example, users will often keep one password and change the number on the end.

This drastically expands the attack surface: anyone who has compromised a user’s password can read it, and humans are pretty good at seeing patterns.

For example, let’s say you’re malicious, and you’ve gained your target’s password,

Work_1

And you gain access to the server for a while, do your evil deeds, and then one day it stops working, so you reach into your bag of tricks and get the target’s password again,

Work_2

I bet you and everyone ever will be able to guess what the next password will be without needing to compromise anything.

And then, even though the company has dutifully enforced expiring passwords, and even without any kind of advanced persistent threat, your user’s credentials can be permanently compromised.
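The one moment a system legitimately holds both the old and the new password in plaintext is the password change itself, when the user has just typed both. The PowerShell function below is an added example, not from the original post: it is the check a password-change handler could run to refuse exactly the “same word, next number” change described above, plus two close cousins (only the case changed, or a character or two tacked on). The sample pairs at the bottom are constructed for this example; the first is the post’s own Work_1 to Work_2.

```powershell
# Added example, not from the original post: reject a new password that is
# the old one with only its trailing counter changed (Work_1 -> Work_2),
# its case changed, or one or two characters appended.

function Test-PasswordRotation {
    param(
        [Parameter(Mandatory)][string]$Old,
        [Parameter(Mandatory)][string]$New
    )

    # Strip a trailing counter (1-4 digits, optionally preceded by a separator) to get the stem.
    # "Work_1", "Work_2" and "Work2019" all reduce to the stem "Work"; "Work" has no counter.
    $counter = '^(?<stem>.*?)[_\-. ]?\d{1,4}$'
    $oldStem = if ($Old -match $counter) { $Matches['stem'] } else { $Old }
    $newStem = if ($New -match $counter) { $Matches['stem'] } else { $New }

    # -eq on strings is case-insensitive in PowerShell, which is what we want here.
    if ($New -eq $Old) {
        return 'rejected: unchanged (case differences do not count)'
    }
    if ($oldStem.Length -gt 0 -and $oldStem -eq $newStem) {
        return 'rejected: same word with a different number'
    }
    # Old password with one or two characters tacked on ("Work_2" -> "Work_2!")
    if ($New.Length -gt $Old.Length -and $New.Length -le $Old.Length + 2 -and
        $New.StartsWith($Old, [System.StringComparison]::OrdinalIgnoreCase)) {
        return 'rejected: old password with characters appended'
    }
    return 'accepted'
}

# Constructed sample changes; the first pair is the post's own Work_1 -> Work_2.
$samples = @(
    @{ Old = 'Work_1';   New = 'Work_2' },
    @{ Old = 'Work_2';   New = 'Work_3' },
    @{ Old = 'Summer19'; New = 'summer20' },
    @{ Old = 'Work_2';   New = 'Work_2!' },
    @{ Old = 'Work_2';   New = 'WORK_2' },
    @{ Old = 'Work_2';   New = 'correct horse battery staple' }
)
foreach ($s in $samples) {
    '{0,-10} -> {1,-30} {2}' -f $s.Old, $s.New, (Test-PasswordRotation -Old $s.Old -New $s.New)
}
```

Only the last pair is accepted. A check like this blunts the pattern the post describes, but it does not change the post’s conclusion: the user still has to invent something new every cycle, and the attacker who already holds the current password still does not need to wait for it.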

Is Malicious Expiring Access Better than Permanent Access?

Now, let’s really think about this policy.  It implies that you’re doing some good by having a malicious user lose access to your system after a while.  And there is a logic to that.  But imagine I told you that someone after your banking info was on your computer with full access, but don’t worry because after a week he had to leave.  I bet you’d still be worried.  There’s no way to know what they installed on your machine or did in general.  There’s no way to safely use that computer again unless you reformat and reinstall your OS.

Any malicious access is bad.  It’s not somehow OK because they lost access after a bit.  You want to keep them out at all times, not just most of the time.  Would you feel any safer from thieves in your home if every three months some magical force made them leave?  Probably not.  You don’t want them in at all, and don’t particularly care if they’re limited to three months access.

Bad Guys Don’t Wait

Lastly, bad guys don’t wait.  Expiring passwords makes it seem like there’s a buffer between when a password is obtained and when it is used.  But imagine if you wanted access to someone’s bank and you got their password.  Would you sit around and wait two months before you used it?  Or would you test it out instantly, and do what you wanted to right then and there?

Put It All Together

And so, when you consider that expiring passwords causes users to use weaker passwords, and does close to nothing to stop unauthorized access, the overall security is hurt rather than bolstered.

Don’t expire your users’ passwords.