Edward Jensen

Featured

QR code phishing

Breaking down a new tactic for phishing attempts: getting users to scan a QR code on their phone to bypass corporate security

I’ve been seeing a lot of QR code phishing attempts lately. If you’ve not seen the tactic in your environments, the recipient receives an email, and it asks them to scan a QR code on their phone to authenticate and open the link. Here’s a sample email I received from a colleague in my environment:

The image is the email, except I’ve blurred the QR code and censored out personal information in the email. And, honestly, this is quite a clever mechanism. Attackers know that there are most likely security mechanisms on company-owned and -managed computers that would block this going anywhere. But those security tools aren’t on our colleagues’ phones.

Being curious, I decided to check out where this QR code led. Now before you throw your computers across the room and scream at me for needlessly compromising my own environment, I uploaded the QR code image to a QR code web service and got the plain text version of that code. Nobody was hurt in the process. If someone scanned the QR code, here’s the initial site they would have gone to (with some elements of the URL changed to anonymize this):

https://doportal.documentmailbox.com/RedirectTarget.aspx?Action=EmailRedirect&BrandingID=ConEdison&IdToken=[guid]&CheckSum=[checksum]&TargetUrl=https://super-firefly-8102.on.fleek.co/#[user email address]

The first URL is to a service called documentmailbox.com. That seems to be a legitimate service, but attackers have compromised their APIs to allow redirects to other URLs. We’ve seen that with services like DocuSign in the past. DocuSign’s going to be a valid URL to make it through web filtering in a corporate environment, but super-spammy-site.biz is probably not going to make it through.

After a bit of other stuff, the target URL is hosted by a service called Fleek. Fleek is a service that claims to host websites using “decentralized” and “censorship-free” Web3 protocols, so of course it’s going to be used by bad actors. (Ed. note: we know you don’t like Web3, so save that for later.)

There have been some great write-ups on this exact service being used for phishing attacks similar to this. Over on SystemWeakness.com, Lena has done a fantastic analysis of where these URLs go. And of course, because Web3 is about resisting censorship, there’s no way to report to this hosting company that their site is being used for bad. I’m not going to speculate that this is by design… (Eds.: …)

Anyway, what are some things we can do to manage this style of threat? Obviously, the first thing is to tell anyone in your environment that scanning a QR code in an email to access something is not standard practice. If it is standard practice in your environment, then stop! There’s no legitimate reason why you need to authenticate in this way to share information to your users.

As for technical and administrative blocks, this one’s hard to assess. According to the summary email headers, the email was sent on behalf of someone. That’s not really a reason to block an email. The original email is from a .co.jp domain, so perhaps you could create a mail transport rule to send emails from some TLDs you don’t often see to send them to your users’ junk email folders. But that’s a policy decision that IT administrators would have to make with their respective risk management teams.

Coming on Friday: a new Friday Five talking about some security tools IT administrators can implement to help users make smart security choices.

Friday Five: Email Security Improvements

In today’s Friday Five: Some thoughts for IT administrators on giving tools to their users to make security-conscious decisions

Earlier this week, I wrote about a new email phishing tactic I’ve been seeing in my environment – bad actors are trying to get users to scan a QR code on their phones in an attempt to defeat any filtering or security measures that might be on a corporate computer. That got me thinking about what are some things that we can do as IT practitioners to help our users make informed decisions?

This isn’t going to be a typical security-related essay. I’m not going to focus on five things IT administrators can do or five things for our users to do to bolster security. While implementing technical blocks and controls are certainly important, in this world where working remotely is almost expected, educating our users and giving them tools to make security-conscious decisions is going to be way more important.

One last thing: This is going to be heavily geared toward Microsoft 365. If you use other platforms for email, some of these tools may be available, but your mileage may vary.

1. Be skeptical of any communications you weren’t expecting. I can’t remember how many times I have said to people something like this: “Don’t click links, download attachments, [and now scan QR codes] or do anything with emails you weren’t expecting to receive.” It’s probably way overdue to have a zero-trust mentality with email (assume nothing is, by default, deserving of trust), but I guess here we are.

2. Email admins should enable some sort of external email flag. And while you’re at it: Enable the First Contact Safety Tip as well. In the Exchange Admin Center, you can modify emails such that a bit of custom HTML can be put at the top. When coupled with a rule to apply to messages sent from outside the organization, this can be a useful banner to alert senders that an email is from outside of their organization. While I used to be somewhat skeptical about that, just seeing it as a bit of safety theater, with the rise in these different phishing attempts, I see it as a useful tool. Coupled with Defender’s First Contact Safety Tip, these two tools can work in concert to give users information to assess for themselves if an email is truly valid. “Why would an email from our CEO be coming from an external user and an email I’ve not seen before? Hmm… that must be a fraudulent email.”

3. Have users report spam and phishing emails using Outlook’s spam and phishing reporting tools. My biggest gripe about Microsoft Outlook on Windows is that it’s not easy to report spam or phishing emails as it is on Outlook for mobile, on the web, or for macOS. But do make your users report bad emails as such, because that helps everyone.

4. Enable Microsoft 365’s safe links and safe attachments features of Microsoft Defender. While also not a perfect catch-all, enabling Microsoft 365 Safe Links and Safe Attachments can help mitigate some attacks. If a user clicks on a link they shouldn’t have, that attack may be stopped in its tracks. But that’s also why these QR code attacks are so devilishly clever: it removes that defense mechanism from the chain. Now do you know why IT security people can’t really sleep at night?

5. Educate all users to use their company email for anything company-related – leave the personal email for personal matters. This might be the biggest one. It’s just a good idea to do this, because you’re now able to put better mechanisms in place to deflect possible spoofing attacks or worry about your colleagues storing information on things you don’t have control over. Plus, it’s helpful for data retention policies.

The last thing, and this is an essay in its own right, is that as IT professionals, especially in the nonprofit context, we have to be serious about security. But in being serious about security, we have to understand that our users need to do things for the mission, and IT can’t be what stops that. I’m not saying that we need to abandon our core principles as IT practitioners, especially when it comes to security, but we need to find a way to get from no to yes.

Aren’t our jobs fun?

Autumn in Saint Paul

The last days before the first snow mean it’s time for photography

With the first snow of the 2023-2024 winter upon us, I took the opportunity last weekend to get some autumn photos around downtown Saint Paul, Summit Avenue, and Cathedral Hill.

Every Saint Paulite probably knows where this photo was taken on the south side of the Mississippi River:

The Cathedral of Saint Paul, the Minnesota State Capitol, and part of the downtown Saint Paul skyline emerge through a tapestry of red and orange leaves

This whole “fall” thing is new for this almost-lifelong Phoenician. But that means the first snow of the winter’s upon us. Oh well.

Sousa in Minneapolis

A Minneapolis connection for the composer of the Independence Day soundtrack: John Philip Sousa

As we settle in to the Independence Day holiday, one of the things that happens is that we hear all of the John Philip Sousa marches on the playlist. While his most popular marches like The Stars and Stripes Forever, Semper Fidelis, or The Washington Post get played a lot, there’s an obscure march of his that has a uniquely Minneapolis connection.

In 1929, at the opening of his eponymous tower in downtown Minneapolis, the businessman Wilbur Burton Foshay (1881-1957) commissioned a march from Sousa, called the “Foshay Tower-Washington Memorial March.” At 447 or 607 feet tall, depending if you count an antenna on top of the building, the Foshay Tower was the tallest building in Minneapolis from its 1929 opening until the nearby IDS Center surpassed it 43 years later. The building was built not only because Foshay had money, but it was to pronounce to the world that Foshay had money. (Most things built in this time did that.)

The run of good luck for Foshay was short-lived: Six weeks after the opening of the building, Foshay’s company was thrown into receivership. The $20,000 check to Sousa bounced, and Sousa ordered that the march penned for this occasion was never to be played until the debt was settled up. In 1932, Foshay was convicted of running a pyramid scheme with shares of his own stock, and sentenced to 15 years in prison. Even in marching band circles, few knew of this mysterious 135th Sousa march.

It wasn’t until 1988 when a group of Minnesotans paid Foshay’s debt to the Sousa estate, allowing the Foshay Tower-Washington Memorial March to be played again.

The A in AI stands for anchovies?

In which we merge two controversial topics: Generative AI and…anchovies on pizza??

I’m about to write probably the most controversial sentence I think on this blog in its decade-plus long history:

I like anchovies on pizza.

No, seriously, I do! But according to a 2023 YouGov survey, nearly 3 in 10 Americans definitively say that anchovies are their least favorite pizza topping. (The same survey said that only 2% of Americans preferred New Haven style apizza, which is clearly another conversation for another time!)

Lest you think I’ve departed from writing on tech matters and going full foodie on you, there is an actual tech angle to this. Presumably because anchovies on pizza is such a controversial thing, the number of pizzerias in the Twin Cities that offer this is not a lot. I’ve found a couple of places, but I’m still searching. I found a pizzeria in a grocery store – Pizzeria Pezzo in Kowalski’s Market in suburban Woodbury (and before you send me your letters, I wasn’t compensated for this pizza or paid to say this) – that had anchovies on their toppings list. Of course, a field trip had to be on the menu.

(To my readers back in Phoenix: Actual restaurants in grocery stores is quite a thing up here. And they aren’t fast-food burgers or sandwich shops — they’re proper standalone restaurants that happen to share a building with a grocery store! Also, Kowalski’s Market would be similar to AJ’s Fine Foods.)

My usual thought process is to have capers on this pizza, but those weren’t on the toppings list at this place. That led to a spot of inspiration: See what ChatGPT recommends. Maybe it might be spot-on; maybe it could be way out of its depth. But it was worth a go at least for some ideas, right?

I scanned the toppings list to my iPhone and copied the text into ChatGPT. I gave it the prompt: “Propose a pizza with 3-4 toppings from this list below. Anchovies have to be one of the toppings.” The toppings list was below my prompt sentence. Almost immediately, it responded:

I would recommend a pizza with the following toppings:

Anchovies (required)

Roasted red pepper

Caramelized onion

Fresh mozzarella

This combination of toppings will give your pizza a delicious blend of flavors, with the unique taste of anchovies complemented by the sweetness of caramelized onions and the smokiness of roasted red peppers. The creamy fresh mozzarella will provide a delightful contrast in texture. Enjoy your pizza!

So ladies and, in a broader sense, gentlemen: I present to you a pizza whose toppings were suggested by ChatGPT:

A pizza with anchovies on it — An anchovy pizza with other things. Rather tasty!

It was spot-on. And probably one of the 10 best pizzas I’ve had? (And also deserved a visit from the pizzeria manager, who said he appreciates someone who does anchovies on pizza.)

This is what I say when I talk about “doing more with more” – here’s a system that we can use to comb through different combinations and permutations of everything, and recommend something that makes sense. I gave it a baseline, and it went to work. What surprise and delight.

Doing more with more?

IT leaders and practitioners are often compelled to do more with less. But what if we leveraged tools to help us do more…with more?

A couple of weeks ago, I wrote on my LinkedIn about unashamedly using tools like ChatGPT to help out with tasks.

It’s something that I’ve been thinking of a lot lately, if I’m honest. In the IT world–and especially in the nonprofit IT world, the phrase “doing more with less” has become a mantra, as we are all constantly challenged to achieve greater outcomes with limited resources (whether real or artificial).

Seeing tools like ChatGPT come around, and the attendant press that’s come with it, makes me feel like we’re standing at the precipice of a major paradigm shift. These tools aren’t limiting us; rather, they can make us do more. In other words, we can do more with more.

By leveraging these tools, perhaps IT practitioners (nonprofit or otherwise) can focus on the creative aspects of our work, leaving the machines to do the mundane. And let’s be honest: Computers love mundane tasks.

So over the next few weeks, I’ll be writing some thoughts on this matter. Join me, won’t you, as we do more…with more?

Whither Microsoft Planner

Microsoft Planner can be so perfect if it had a few extra things. But for now, there’s PowerShell

I want to love Microsoft Planner. But there are some things it has in it that just confound me. Rather, I should say it has omissions that confound me and make me question its usability.

For the uninitiated, Planner is a user-friendly project management tool designed for teams to collaborate and stay organized. Planner helps users create tasks, assign them to team members, set due dates, and track progress visually on customizable boards. It’s not a full and formal project management software, like its older sibling Microsoft Project, which is way more robust and suitable for complex projects with intricate timelines and resource management. Planner is more accessible; Project is more involved. Still, Planner excels at promoting collaboration, task management, and maintaining an overview of project activities, making it ideal for smaller teams and less complex projects.

Here’s a perfect example for Planner that we’ve rolled out at my company: organizing all of the activities and tasks around what it takes to bring a new employee onboard and for their first few months on the job. It’s a perfect solution for that, because there are different buckets of tasks, a deadline for those tasks to take place, and different people responsible for those tasks (be it IT, HR, or the new employee’s manager). Instead of having these tasks live in a spreadsheet on someone’s desktop, they can now live in a collaborative environment.

Sometimes we get it wrong

Stories from misadventures in rolling out a new printing system, or: Sometimes we get it wrong

Back in January, we started down the path of migrating from PaperCut’s on-premises solution to their fully cloudy PaperCut Hive. Whilst I was initially skeptical about it at first, it seemed like it had enjoyed success in larger organizations, so certainly it should work for a small nonprofit of ~30 people?

Oops. Also, [expletive deleted].

Sometimes we get it wrong. The rollout went about as well as it could go. I’m still frustrated by the fact I had to manually deploy the print client to our users and that the software wasn’t any sort of identity- or directory-aware. Getting a executable file that’s coded in the installer for each user? That’s not nice. Requiring administrative permissions to install that? Go away or I shall replace you with a very small shell script.

What ultimately doomed the rollout for me was that we had users who had sporadic and random issues. There were no common threads among those who had printing errors (other than, presumably, they were trying to print and the day ended in y), so troubleshooting was next to impossible.

Since printing’s kind of a mission-critical task where I am, we made the decision to abandon Hive and go back to MF. And I’m fortunate that I have supportive management and colleagues who understand that sometimes, you get it wrong.

Friday Five-ish: A Year in Minnesota

Today marks a year since I moved to Minnesota. In this special edition of The Friday Five(-ish), here are some photos from the past year

Today marks one year since I boarded an airplane headed from Phoenix to Minneapolis to start a new chapter up here. In this special edition of The Friday Five-ish, here are a few photos from my first year up here.

21 April 2022: The last photo taken on the ground as a Phoenix resident, from a Delta 757 getting ready to scream down Runway 25R at Sky Harbor
21 April 2022: On climb out from Sky Harbor
21 April 2022: This photo of the downtown Saint Paul skyline seems even more prophetic
11 May 2022: Not quite three weeks in, and severe weather’s already on the menu. A line of severe thunderstorms and embedded tornadoes rolled through Minnesota that night
21 May 2022: After converting it from a storage closet, my office at Meda becomes my own. Photos from Phoenix adorn the walls
15 June 2022: Minneapolis-henge in downtown Minneapolis
18 June 2022: And there was arts. The Bach Roots Festival presented the Saint Matthew Passion
16 July 2022: The International Day of Music in downtown Minneapolis culminated with the Minnesota Orchestra playing outdoors at Peavey Plaza, and whose concert concluded with Mussorgsky’s Great Gate of Kyiv accompanied by pealing bells from six downtown churches
30 July 2022: City House in Saint Paul – a converted grain elevator is now a lovely outdoor restaurant
19 August 2022: The St Paul Saints!
29 August 2022: And the Minnesota Twins from a perch way up on high
21 October 2022: When I got tickets for this concert, the appointment of Thomas Søndergård to succeed Osmo Vänskä as the Minnesota Orchestra’s music director hadn’t been announced. The first of 3 Minnesota Orchestra concerts I attended this year
5 November 2022: The Twin Cities chapter of the American Guild of Organists organized a “pipe organ crawl” of five instruments of the late Minnesota organ builder Charles Hendrickson. Here is his III/46 op. 51 (1979 from the Church of Saint Mark in Saint Paul
14 November 2022: The first of the many many inches of snow. Driving in it wasn’t fun at first, but it became pretty okay
2 December 2022: My apartment in downtown Minneapolis had this view on most winter mornings
31 December 2022: It was wonderful to be able to take a trip back to Phoenix over the end-of-the-year holidays. The sun sets on the wild ride that was 2022
1 January 2023: While back in Phoenix, I got got to see
20 January 2023: After a few false starts, I finally have a place of my own over in downtown Saint Paul. I have expansive views of Lowertown, the Mississippi River, and St Paul Downtown Airport
3 February 2023: This is the coldest temperature I saw this winter. Thank goodness for good winter clothing and lots of layers!
22 February 2023: The week of snow and blizzards. But doesn’t Mears Park look like a scene from a snowglobe?
3 March 2023: One last look from my patio of my now-former downtown Minneapolis apartment. It was a great place, and I definitely miss my neighbors
17 March 2023: After a few years in storage, my bike is ready to go again. Lowertown Bike Shop in downtown Saint Paul’s Union Depot upgraded the components on the bike so it’s the newest vintage bicycle in Saint Paul
1 April 2023: A no-foolin’ April Fools snowstorm dumps 8 inches of snow in downtown Saint Paul
1 April 2023: And later that night, it’s time for a concert back with the Minnesota Orchestra in downtown Minneapolis
18 April 2023: Play ball! The first of many Saints games this year, and when you’re four blocks from CHS Field, of course you’re going to go a lot

Five Things for PaperCut Hive

A return of the Friday Five and some of my observations on PaperCut Hive, a software stack I’m currently deploying

Where I work, we’re almost complete with a migration from PaperCut MF on-premises to the fully cloud PaperCut Hive product. For the most part, I’m pretty pleased with how it’s gone and how it supports some of our organization’s transition goals to less on-premises. But there are some things that have been some definite head-scratchers in the process.

1. There’s no migration. That’s right: there’s no migration. Any data or user provisioning settings in MF don’t transfer over. You’re starting from scratch. Do you have RFID badges for your employees that they use to authenticate to the copier or MFP? Gone. Custom scan locations? Gone. While I’m thankful that I have a small number of colleagues and they have been more patient with me than I deserve, imagine if you have to have hundreds or thousands of employees re-authenticate on the new system. At least it’s a one-time only process.

2. There’s an app, but you don’t need it. PaperCut makes a big push to have users download their app for print management. I have issues with making people download company software to their own personal smartphones. Thankfully, even though PaperCut makes this push, you can ignore them.

3. Communicate early, often, and concisely. One of the questions I received a lot was about why we were doing this and how this would affect them. Fortunately, by planning the deployment, I was able to say that except for two initial tasks, everything would remain the same. And I told them why this change was being made, which was to support our organization’s future technology stack.

4. If you have multiple copiers/printers/MFPs, don’t move everyone over all at once. Keep both printing systems running in parallel so that you don’t have to sweat it having some users unable to use the printers and you have to rush the migration. By having some machines on the new system and some on the old system, you don’t have to be so aggressive in moving everyone over.

5. What automation? What year is it again? There is no way to use automated tooling to deploy PaperCut Hive software to our colleagues’ computers. To install the software, I had to go to each machine, download the unique software that PaperCut generates for each user, install it using my administrative credentials, and go on. That worries me, because that means the software is not directory aware and also means that I can’t include it in a base deployment configuration. While I’ve heard that this may change in the future, had I known this limitation, I would have postponed our deployment until later.

Those are some of my observations about this. It’s been received well by my colleagues, but some of the initial challenges made for a fun week.