Friday Five: Email Security Improvements

In today’s Friday Five: Some thoughts for IT administrators on giving tools to their users to make security-conscious decisions

Earlier this week, I wrote about a new email phishing tactic I’ve been seeing in my environment – bad actors are trying to get users to scan a QR code on their phones in an attempt to defeat any filtering or security measures that might be on a corporate computer. That got me thinking about what we can do as IT practitioners to help our users make informed decisions.

This isn’t going to be a typical security-related essay. I’m not going to focus on five things IT administrators can do or five things for our users to do to bolster security. While implementing technical blocks and controls is certainly important, in this world where working remotely is almost expected, educating our users and giving them tools to make security-conscious decisions is going to be far more important.

One last thing: This is going to be heavily geared toward Microsoft 365. If you use other platforms for email, some of these tools may be available, but your mileage may vary.

1. Be skeptical of any communications you weren’t expecting. I can’t remember how many times I have said to people something like this: “Don’t click links, download attachments, [and now scan QR codes] or do anything with emails you weren’t expecting to receive.” It’s probably way overdue to have a zero-trust mentality with email (assume nothing is, by default, deserving of trust), but I guess here we are.

2. Email admins should enable some sort of external email flag. And while you’re at it: Enable the First Contact Safety Tip as well. In the Exchange Admin Center, you can modify emails so that a bit of custom HTML is placed at the top. Coupled with a mail flow rule that applies to messages sent from outside the organization, this makes a useful banner alerting recipients that an email came from outside their organization. I used to be somewhat skeptical about that, seeing it as a bit of safety theater, but with the rise of these different phishing attempts I now see it as a useful tool. Paired with Defender’s First Contact Safety Tip, these two tools work in concert to give users the information to assess for themselves whether an email is truly valid. “Why would an email from our CEO come from an external address I’ve never seen before? Hmm… that must be a fraudulent email.”
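The two signals described in this item, configured from Exchange Online PowerShell, as an added example that is not part of the original post. It assumes you have already run Connect-ExchangeOnline with an account that can manage mail flow rules and threat policies; the rule name and banner wording are my own.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-ExchangeOnline session; rule name and banner text are assumptions.

# 1) Native "External" tag shown by Outlook clients (tenant-wide setting).
Set-ExternalInOutlook -Enabled $true

# 2) Custom HTML banner prepended to every message that arrives from outside
#    the tenant and is delivered to someone inside it.
$banner = @'
<div style="background:#fff4ce;border:1px solid #d4a017;padding:6px;font-family:sans-serif;font-size:12px;">
  <strong>EXTERNAL EMAIL:</strong> This message came from outside the organization.
  Do not click links, open attachments or scan QR codes unless you were expecting this message.
</div>
'@

New-TransportRule -Name 'External sender banner' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce `
    -Comments 'Flags mail from outside the tenant so users can judge it for themselves.'

# 3) First Contact Safety Tip on the default anti-phishing policy, so Defender
#    also warns the first time a recipient hears from a given sender.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -EnableFirstContactSafetyTips $true

# Verify that both pieces took effect.
Get-TransportRule -Identity 'External sender banner' | Format-List Name, State, Mode, FromScope, SentToScope
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' | Select-Object Name, EnableFirstContactSafetyTips
```

The banner rule and the First Contact tip fire independently, which is the point: a message that is both external and from a never-before-seen sender gets both cues.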

3. Have users report spam and phishing emails using Outlook’s spam and phishing reporting tools. My biggest gripe about Microsoft Outlook on Windows is that it’s not as easy to report spam or phishing emails as it is in Outlook for mobile, on the web, or for macOS. But do make your users report bad emails as such, because that helps everyone.

4. Enable Microsoft 365’s Safe Links and Safe Attachments features of Microsoft Defender. While also not a perfect catch-all, enabling Microsoft 365 Safe Links and Safe Attachments can help mitigate some attacks. If a user clicks on a link they shouldn’t have, that attack may be stopped in its tracks. But that’s also why these QR code attacks are so devilishly clever: they remove that defense mechanism from the chain, because the URL is scanned on the phone and never passes through the rewritten link. Now do you know why IT security people can’t really sleep at night?
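Turning on Safe Links and Safe Attachments for a whole tenant from Exchange Online PowerShell, as an added example that is not part of the original post. It assumes a Connect-ExchangeOnline session with Defender for Office 365 licensing; 'contoso.example' stands in for your accepted domain and the policy names are mine.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-ExchangeOnline session; the domain and policy names are assumptions.
$domain = 'contoso.example'

# Safe Links: rewrite URLs in email, Teams and Office documents, scan them at
# click time, and do not let users click through to a URL Defender has flagged.
New-SafeLinksPolicy -Name 'Safe Links - all users' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name 'Safe Links - all users' `
    -SafeLinksPolicy 'Safe Links - all users' `
    -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox and block the message
# when malware is found, instead of delivering it and hoping.
New-SafeAttachmentPolicy -Name 'Safe Attachments - all users' `
    -Enable $true `
    -Action Block `
    -Redirect $false

New-SafeAttachmentRule -Name 'Safe Attachments - all users' `
    -SafeAttachmentPolicy 'Safe Attachments - all users' `
    -RecipientDomainIs $domain

# Check that each policy has a rule bound to it and that the rules are enabled.
Get-SafeLinksRule | Select-Object Name, SafeLinksPolicy, State
Get-SafeAttachmentRule | Select-Object Name, SafeAttachmentPolicy, State
```

Safe Links only protects URLs it rewrote, so a QR code in an image body is invisible to it; that gap is exactly what the external banner and user reporting are there to cover.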

5. Educate all users to use their company email for anything company-related – leave the personal email for personal matters. This might be the biggest one. It’s just a good idea to do this, because you’re now able to put better mechanisms in place to deflect possible spoofing attacks or worry about your colleagues storing information on things you don’t have control over. Plus, it’s helpful for data retention policies.

The last thing, and this is an essay in its own right, is that as IT professionals, especially in the nonprofit context, we have to be serious about security. But in being serious about security, we have to understand that our users need to do things for the mission, and IT can’t be what stops that. I’m not saying that we need to abandon our core principles as IT practitioners, especially when it comes to security, but we need to find a way to get from no to yes.

Aren’t our jobs fun?

QR code phishing

Breaking down a new tactic for phishing attempts: getting users to scan a QR code on their phone to bypass corporate security

I’ve been seeing a lot of QR code phishing attempts lately. If you’ve not seen the tactic in your environments, the recipient receives an email, and it asks them to scan a QR code on their phone to authenticate and open the link. Here’s a sample email I received from a colleague in my environment:

The image is the email, except I’ve blurred the QR code and censored out personal information in the email. And, honestly, this is quite a clever mechanism. Attackers know that there are most likely security mechanisms on company-owned and -managed computers that would block this going anywhere. But those security tools aren’t on our colleagues’ phones.

Being curious, I decided to check out where this QR code led. Now before you throw your computers across the room and scream at me for needlessly compromising my own environment, I uploaded the QR code image to a QR code web service and got the plain text version of that code. Nobody was hurt in the process. If someone scanned the QR code, here’s the initial site they would have gone to (with some elements of the URL changed to anonymize this):

https://doportal.documentmailbox.com/RedirectTarget.aspx?Action=EmailRedirect&BrandingID=ConEdison&IdToken=[guid]&CheckSum=[checksum]&TargetUrl=https://super-firefly-8102.on.fleek.co/#[user email address]

The first URL is to a service called documentmailbox.com. That seems to be a legitimate service, but attackers have compromised their APIs to allow redirects to other URLs. We’ve seen that with services like DocuSign in the past. DocuSign’s going to be a valid URL to make it through web filtering in a corporate environment, but super-spammy-site.biz is probably not going to make it through.

After a bit of other stuff, the target URL is hosted by a service called Fleek. Fleek is a service that claims to host websites using “decentralized” and “censorship-free” Web3 protocols, so of course it’s going to be used by bad actors. (Ed. note: we know you don’t like Web3, so save that for later.)

There have been some great write-ups on this exact service being used for phishing attacks similar to this. Over on SystemWeakness.com, Lena has done a fantastic analysis of where these URLs go. And of course, because Web3 is about resisting censorship, there’s no way to report to this hosting company that their site is being used for bad. I’m not going to speculate that this is by design… (Eds.: …)

Anyway, what are some things we can do to manage this style of threat? Obviously, the first thing is to tell everyone in your environment that scanning a QR code in an email to access something is not standard practice. If it is standard practice in your environment, then stop! There’s no legitimate reason why you need to authenticate in this way to share information with your users.

As for technical and administrative blocks, this one’s hard to assess. According to the summary email headers, the email was sent on behalf of someone. That’s not really a reason to block an email. The original email is from a .co.jp domain, so perhaps you could create a mail transport rule that routes email from TLDs you rarely see to your users’ junk email folders. But that’s a policy decision that IT administrators would have to make with their respective risk management teams.
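The transport rule floated above, written so it can be trialled in audit mode before the risk owners decide whether to enforce it, as an added example that is not part of the original post. It assumes a Connect-ExchangeOnline session; the pattern list is a constructed sample built from the one TLD the post mentions.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-ExchangeOnline session; the rule name and pattern list are assumptions.
# Constructed sample: only the TLD seen in the post. Extend it from your own
# message trace data, not from guesswork.
$rareTldPatterns = @('\.co\.jp$')

# Audit mode evaluates and logs the rule (visible in mail flow rule reports and
# message trace) without changing the SCL, so you can see what it would catch.
New-TransportRule -Name 'Junk rarely seen sender TLDs' `
    -FromAddressMatchesPatterns $rareTldPatterns `
    -ExceptIfFromScope InOrganization `
    -SetSCL 9 `
    -Mode Audit `
    -Comments 'Routes mail from rarely seen TLDs to Junk. Review audit hits before enforcing.'

# Once the risk management team agrees, switch the same rule to Enforce.
Set-TransportRule -Identity 'Junk rarely seen sender TLDs' -Mode Enforce

Get-TransportRule -Identity 'Junk rarely seen sender TLDs' | Format-List Name, Mode, State, FromAddressMatchesPatterns, SetSCL
```

SCL 9 lands the message in the Junk Email folder rather than rejecting it, so a legitimate sender from one of those TLDs is recoverable by the user.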

Coming on Friday: a new Friday Five talking about some security tools IT administrators can implement to help users make smart security choices.

The A in AI stands for anchovies?

In which we merge two controversial topics: Generative AI and…anchovies on pizza??

I’m about to write probably the most controversial sentence I think on this blog in its decade-plus long history:

I like anchovies on pizza.

No, seriously, I do! But according to a 2023 YouGov survey, nearly 3 in 10 Americans definitively say that anchovies are their least favorite pizza topping. (The same survey said that only 2% of Americans preferred New Haven style apizza, which is clearly another conversation for another time!)

Lest you think I’ve departed from writing on tech matters and gone full foodie on you, there is an actual tech angle to this. Presumably because anchovies on pizza is such a controversial thing, the number of pizzerias in the Twin Cities that offer it is small. I’ve found a couple of places, but I’m still searching. I found a pizzeria in a grocery store – Pizzeria Pezzo in Kowalski’s Market in suburban Woodbury (and before you send me your letters, I wasn’t compensated for this pizza or paid to say this) – that had anchovies on their toppings list. Of course, a field trip had to be on the menu.

(To my readers back in Phoenix: Actual restaurants in grocery stores is quite a thing up here. And they aren’t fast-food burgers or sandwich shops — they’re proper standalone restaurants that happen to share a building with a grocery store! Also, Kowalski’s Market would be similar to AJ’s Fine Foods.)

My usual thought process is to have capers on this pizza, but those weren’t on the toppings list at this place. That led to a spot of inspiration: See what ChatGPT recommends. Maybe it might be spot-on; maybe it could be way out of its depth. But it was worth a go at least for some ideas, right?

I scanned the toppings list to my iPhone and copied the text into ChatGPT. I gave it the prompt: “Propose a pizza with 3-4 toppings from this list below. Anchovies have to be one of the toppings.” The toppings list was below my prompt sentence. Almost immediately, it responded:

I would recommend a pizza with the following toppings:

  1. Anchovies (required)
  2. Roasted red pepper
  3. Caramelized onion
  4. Fresh mozzarella

This combination of toppings will give your pizza a delicious blend of flavors, with the unique taste of anchovies complemented by the sweetness of caramelized onions and the smokiness of roasted red peppers. The creamy fresh mozzarella will provide a delightful contrast in texture. Enjoy your pizza!

So ladies and, in a broader sense, gentlemen: I present to you a pizza whose toppings were suggested by ChatGPT:

An anchovy pizza with other things. Rather tasty!

It was spot-on. And probably one of the 10 best pizzas I’ve had? (And also deserved a visit from the pizzeria manager, who said he appreciates someone who does anchovies on pizza.)

This is what I say when I talk about “doing more with more” – here’s a system that we can use to comb through different combinations and permutations of everything, and recommend something that makes sense. I gave it a baseline, and it went to work. What surprise and delight.

Doing more with more?

IT leaders and practitioners are often compelled to do more with less. But what if we leveraged tools to help us do more…with more?

A couple of weeks ago, I wrote on my LinkedIn about unashamedly using tools like ChatGPT to help out with tasks.

It’s something that I’ve been thinking of a lot lately, if I’m honest. In the IT world, and especially in the nonprofit IT world, the phrase “doing more with less” has become a mantra, as we are all constantly challenged to achieve greater outcomes with limited resources (whether real or artificial).

Seeing tools like ChatGPT come around, and the attendant press that’s come with it, makes me feel like we’re standing at the precipice of a major paradigm shift. These tools aren’t limiting us; rather, they can make us do more. In other words, we can do more with more.

By leveraging these tools, perhaps IT practitioners (nonprofit or otherwise) can focus on the creative aspects of our work, leaving the machines to do the mundane. And let’s be honest: Computers love mundane tasks.

So over the next few weeks, I’ll be writing some thoughts on this matter. Join me, won’t you, as we do more…with more?

Whither Microsoft Planner

Microsoft Planner would be so perfect if it had a few extra things. But for now, there’s PowerShell

I want to love Microsoft Planner. But there are some things it has in it that just confound me. Rather, I should say it has omissions that confound me and make me question its usability.

For the uninitiated, Planner is a user-friendly project management tool designed for teams to collaborate and stay organized. Planner helps users create tasks, assign them to team members, set due dates, and track progress visually on customizable boards. It’s not a full and formal project management software, like its older sibling Microsoft Project, which is way more robust and suitable for complex projects with intricate timelines and resource management. Planner is more accessible; Project is more involved. Still, Planner excels at promoting collaboration, task management, and maintaining an overview of project activities, making it ideal for smaller teams and less complex projects.

Here’s a perfect example for Planner that we’ve rolled out at my company: organizing all of the activities and tasks around what it takes to bring a new employee onboard and for their first few months on the job. It’s a perfect solution for that, because there are different buckets of tasks, a deadline for those tasks to take place, and different people responsible for those tasks (be it IT, HR, or the new employee’s manager). Instead of having these tasks live in a spreadsheet on someone’s desktop, they can now live in a collaborative environment.


Sometimes we get it wrong

Stories from misadventures in rolling out a new printing system, or: Sometimes we get it wrong

Back in January, we started down the path of migrating from PaperCut’s on-premises solution to their fully cloudy PaperCut Hive. Whilst I was initially skeptical about it, it seemed like it had enjoyed success in larger organizations, so surely it should work for a small nonprofit of ~30 people?

Oops. Also, [expletive deleted].

Sometimes we get it wrong. The rollout went about as well as it could go. I’m still frustrated by the fact that I had to manually deploy the print client to our users and that the software wasn’t in any way identity- or directory-aware. Getting an executable file with the user hard-coded into the installer for each person? That’s not nice. Requiring administrative permissions to install it? Go away or I shall replace you with a very small shell script.

What ultimately doomed the rollout for me was that we had users who had sporadic and random issues. There were no common threads among those who had printing errors (other than, presumably, they were trying to print and the day ended in y), so troubleshooting was next to impossible.

Since printing’s kind of a mission-critical task where I am, we made the decision to abandon Hive and go back to MF. And I’m fortunate that I have supportive management and colleagues who understand that sometimes, you get it wrong.

Five Things for PaperCut Hive

A return of the Friday Five and some of my observations on PaperCut Hive, a software stack I’m currently deploying

Where I work, we’re almost complete with a migration from PaperCut MF on-premises to the fully cloud PaperCut Hive product. For the most part, I’m pretty pleased with how it’s gone and how it supports some of our organization’s transition goals to less on-premises. But there are some things that have been some definite head-scratchers in the process.

1. There’s no migration. That’s right: there’s no migration. Any data or user provisioning settings in MF don’t transfer over. You’re starting from scratch. Do you have RFID badges for your employees that they use to authenticate to the copier or MFP? Gone. Custom scan locations? Gone. While I’m thankful that I have a small number of colleagues and they have been more patient with me than I deserve, imagine if you have to have hundreds or thousands of employees re-authenticate on the new system. At least it’s a one-time only process.

2. There’s an app, but you don’t need it. PaperCut makes a big push to have users download their app for print management. I have issues with making people download company software to their own personal smartphones. Thankfully, even though PaperCut makes this push, you can ignore them.

3. Communicate early, often, and concisely. One of the questions I received a lot was about why we were doing this and how this would affect them. Fortunately, by planning the deployment, I was able to say that except for two initial tasks, everything would remain the same. And I told them why this change was being made, which was to support our organization’s future technology stack.

4. If you have multiple copiers/printers/MFPs, don’t move everyone over all at once. Keep both printing systems running in parallel so that you don’t have to sweat it having some users unable to use the printers and you have to rush the migration. By having some machines on the new system and some on the old system, you don’t have to be so aggressive in moving everyone over.

5. What automation? What year is it again? There is no way to use automated tooling to deploy PaperCut Hive software to our colleagues’ computers. To install the software, I had to go to each machine, download the unique software that PaperCut generates for each user, install it using my administrative credentials, and go on. That worries me, because that means the software is not directory aware and also means that I can’t include it in a base deployment configuration. While I’ve heard that this may change in the future, had I known this limitation, I would have postponed our deployment until later.

Those are some of my observations about this. It’s been received well by my colleagues, but some of the initial challenges made for a fun week.

A blogging renaissance?

Are we standing at the front door to a blogging renaissance?

Back in October, I put some thoughts out on LinkedIn about the future of social media and whether we’re headed toward a renaissance of the blog, given the public agita about the current social media landscape and the associated issues regarding content moderation, ownership of those platforms, and bullying and minimization of minority communities.

Personally, while it had been festering for some time, I finally pulled the plug on my use of Twitter. While I had been using it for 15 years, it felt to me like it had run its course and was far more noise than signal. And, to be absolutely fair, the whiplash changes to that platform under its new ownership helped push me to making this decision. It doesn’t feel like a huge loss for me.

The heir apparent to Twitter seems to be Mastodon, but I’m not sure if I’ll go on that. Not because I have issues with that tech stack – it sounds fantastic and totally dismantles the so-called web3 notion that anything decentralized has to have blockchain technology and some sort of transactional monetization to work – but because I’m not sure if I need to be on that. You might recall my essay on Five for the New Year 2023, in which I said one of the things I’m going to work on in 2023 is limiting digital distractions. It’s also why I want to spend my time in this world, and not some digital “metaverse” world that is definitely totally happening* at some point in the future.

I’m therefore led to make the following bold proposition: One of the major moments in the changing of the internet from independent communities to being controlled by a handful of social media companies was when Google killed Google Reader ten years ago. Instead of a choose-your-own Internet based on what you wanted to read from the sites and sources you chose, social media companies sucked us into their sites and subjected us to their algorithms and rage. If you wanted the latest news from major news organizations, you were left to the whims of the social media networks as to whether they’d even allow it, or whether the platforms were even telling publishers the truth. And that all led to the advertising dollars going to the websites that got the most views, which were not the traditional journalism outlets and newspapers, but rather internet content farms.

I digress. This isn’t about my views on the internet, but on blogging specifically and my proposition that blogging will see a renaissance in 2023. I realize my blog is a special case, because this is not a revenue-generating operation for me. With platforms like WordPress still out there, some of them free or relatively inexpensive, there’s no barrier to entry.

I’ve been at this for well over a decade now, and I think I quite like it. In 2023, it gets a renewed interest, with more frequent essays and columns, and frequent photography. The best part? It’s mine. Not Meta’s or Twitter’s.

Mine.

blog image derived from a photo by 4motions Werbeagentur on Unsplash

Behind the Weather Dashboard

Editor’s note: Due to ongoing systems and networking upgrades, the weather dashboard is temporarily offline.

The second COVID-19 vaccine knocked me out for a couple of days, so while I was recuperating from that, I created a Grafana dashboard with data from my weather station. The station is perched atop a building in midtown Phoenix. The dashboard is still quite a work in progress, but I’m pleased thus far with how it’s coming along.

For those who aren’t in the IT world, Grafana is a software platform that creates visual dashboards from various sources, including time series databases (TSDBs). TSDBs work by collating discrete metrics over time, and they’re usually found in the world of information technology. The same principle works for weather statistics instead of network I/O or CPU usage: at this time, the temperature was this, or the wind speed was that.


The Home Server

The past year has brought upheaval, but it’s given me a good space to rethink my computing portfolio. Join me on Fridays as I share discoveries and new things

Over this past year of COVID-19 lockdowns, I’ve taken the opportunity to re-conceptualize my personal (and business) IT portfolio. Prior to the pandemic, I was rather haphazard about things. Even though I espoused the benefits of having a master plan and having things fit into that plan, in practice for my personal IT estate at least, it was a different story. I focused on getting things stood up quickly rather than robustly. It worked, but it sometimes incurred a price.
