12 May 2019

How to Avoid Documents with Unpleasant Hidden Surprises

Opening email attachments from people you don't know is unwise, but research suggests that nearly half of the people who receive such attachments will open them. That is troubling.

 Click any of the small images for a full-size view. To dismiss the larger image, press ESC or tap outside the image.

Because many computer users are aware of dangers posed by executable files and zip files, cyber-criminals have moved on. Most attacks are now based on infected document files. Researchers at Barracuda Networks say that 48% of all malicious files detected in the last 12 months were some kind of document and more than 300,000 unique malicious documents were identified.

Here's a message I received this week. It claims to be a purchase order, but I don't manufacture anything. It's from somebody I don't know. The attached file is a PDF inside a zip archive. Anyone who's even half awake should recognize this for what it is, a scam.

Barracuda reports that document-based attacks are increasing at an alarming rate. In the first quarter, 59% of all malicious files were documents, compared to 41% in 2018.

Cyber-criminals use email to deliver documents that contain malware. Either the malicious code is hidden in the document or a script that's attached to the document downloads the malware to the computer.

The Barracuda Networks report shown an example email that includes a file named to make the recipient think that it's an invoice. The file has a "doc" extension that, so it looks legitimate and the message uses "Invoice for Services" as the subject. One potential giveaway might be that the recipient has never heard of the sender and isn't expecting an invoice for services. Still, a message such at this arriving at a corporate accounts payable department might be sufficiently convincing that the recipient would open it.

Systems that attempt to identify and quarantine such messages use multiple procedures according to software engineer Jonathan Tanner at Barracuda:

• Blacklists can be effective because IP addresses are limited and an IP address might be used long enough that software can detect and blacklist it. Even with hacked sites and bot-nets, it's possible to temporarily block attacks by IP once a large enough volume of spam has been detected.
• Spam filters and phishing-detection systems look for subtle clues and then block messages and attachments that are suspect. These messages are held in quarantine so that they can be retrieved if they are legitimate. Many malicious emails appear convincing, but automated systems can identify many of them.
• Malware detection is effective when emails have malicious documents attached, both those with embedded malware and those that reference files on remote computers. If the document attempts to download and run an executable application, which no document should ever do, a protective application can shut down the process. Dangerous URLs can sometimes by identified by threat intelligence systems.
• Firewalls offer protection if a user opens a malicious attachment or clicks a link to a drive-by download. When the remote site attempts to send an executable file, the firewall can recognize the threat and terminate the connection.

Malware is usually sent to lists of addresses that the crooks have obtained on the dark web. In the old days, crooks had to perform their own reconnaissance. Now they can just buy mailing lists that have been compiled for them.

Email is the most common delivery method for malware, but some is still delivered via malicious websites. Social engineering and email work well together so that the crook can convince the potential victim to open a Word, Excel, PowerPoint, Acrobat, or PDF file that has been weaponized. Archive files (7z and zip, among others) and PowerShell script files are also used. When the user opens the document, the malware is automatically installed or an obfuscated script is used to download and install it from a remote site.

"Sextortion" scams (more about that in Short Circuits) increasingly plant malware in addition to the attempted blackmail aspect of the message.

Short Circuits

Nice Guy Promises Not to Expose You, but Only if You Pay

A friend sent a note with a question about an email he had received. The message claimed that the sender had hacked my friend's computer, explained how he did it, and then went on to say that my friend would have to pay to avoid having his porn files exposed and embarrassing pictures captured by the computer's camera sent to everyone in his address book.

My friend doesn't visit porn sites and doesn't have any porn on his computer. My friend said that he assumed it was a scam, but the message contained details about how he got into the computer "and even gave a password that I have used in the past, but not for the site listed."

Although it is possible to plant malware that operates the camera and captures keystrokes on a computer, any decent anti-malware application would find it. This con game has been around for a while and can safely be ignored even though the scammer provided a password my friend had used. The password bit is newer, but data breaches have been common in the past few years and passwords from these attacks are available on the dark web. That’s doubtless where the password came from and is also why the password isn't current and wasn't associated with the site specified.

The scam works because a lot of people do view porn on-line. PornHub gets something like 75 million visitors every day, so there's a good chance that some of the people who receive the message have viewed porn on-line and then panic when they receive a message that seems to indicate that an intruder has been inside their computer. But a careful reading of the message will indicate that the scammer really doesn't know anything at all about the recipient.

There are many variants of the scam.

• The one my friend received contained a password that he once used. If the password specified is still in use anywhere, it should be changed and now might be a good time to say again that passwords should be unique and robust for any important sites you visit. Read "important" as "shopping, banking, or any other site with financial information."
• Some messages contain attachments. Of course you shouldn't open the attachment, but some research I saw recently said that nearly half of us will open attachments even if they're from someone we don't know.
• The email may appear to have come from your own address or from a friend's address, or even from your work address. Spoofing an email address is so easy that anyone can do it.

There are lots of people who would like to separate your money from you. Stay alert and don't become one of the victims.

Windows 10 Version 1903 is Coming Soon

About the time I think I've figured out Microsoft's numbering scheme they release version 1903 (March 2019) in May. Shouldn't it be version 1905?

The 1809 version (September 2018) was released and then pulled back, so Microsoft is being more careful with this semi-annual release and plans to start pushing it out in late May. The Windows Update function allows users to delay the update more easily than in the past, too.

There are some worthwhile features in 1903 and it's already been pushed out to computers in the Windows Insider Slow Ring. One of the most interesting is a "sandbox" function that allows users to install new applications in protected areas so that the new application can be more easily removed if it causes a problem. This is similar to installing in a virtual machine except that the new installation will be deleted when the computer is restarted. If the new application causes no problems, you can then install it normally.

• A small change fixes an uncommon annoyance. A computer that's used infrequently and then moved across several time zones can have problems with email if the clock is wrong by more than a couple of hours. You might think that Windows would just synchronize the clock, but security considerations keep that from happening. The Time & Language section of Settings now displays the date and time that the computer was last synchronized and there's a new Sync Now button that will get everything back in sync.
• Sometimes updates fail because of insufficient disk space. This is more likely to happen on computers with small solid-state drives that are used for both the operating system and data. Windows retains an old version of the operating system to allow the user to roll back an update if there's a problem. As a result, sometimes there's not enough space for an update and not even enough space to run the Disk Cleanup tool. Starting with version 1903, the operating system will ensure that there's enough space for updates, caches, and temporary files. The reserved space will be at least 7GB.
• If you use the Windows Subsystem for Linux (WSL), an improvement allows Linux files to be edited from within Windows. Editing these files was likely to cause file corruption because Windows and Linux have vastly different ways to handle permissions. The Windows Subsystem for Linux now has a process that handles the translations.
• Search has been ripped away from Cortana and if you want to talk to Cortana, you'll need to put the Cortana button back on the Task Bar. I've removed both Cortana and the Search box from the Task Bar because I rarely need to search the computer for anything and, if I do, there are better methods. This all looks like a solution in search of a problem.
• If you have a tablet or a computer with a touch screen, you'll probably like a new touch keyboard feature that tries to figure out which key you'll press next and then makes the most likely candidates larger. This was a popular feature on Windows phones and generally improved typing accuracy. The virtual keyboard still doesn't have a swipe function, though and that's a bummer.
• Windows Hello, which was added to Windows 10, allows users to log on using face recognition or a fingerprint. Users also have to establish a PIN, which Microsoft considers to be more secure than a standard password because it's stored only on the device. I disagree with that assessment, by the way. Users needed to create a standard password (complex, secure, and all the other standard requirements), which is just another password to forget unless you use a password manager. It's now possible to log in to your Microsoft account using your face or fingerprint if you link the account to a mobile phone.

Overall version 1903 doesn't have any blockbuster new features, but most of the new features will be welcome additions.

Scanning Documents Anywhere

A lot of people have decided that scanning documents and saving them on a computer beats saving stacks of paper. That's fine if you're in the office with a scanner most of the time, but you may have a scanner in your pocket.

What is a scanner, after all, but a camera that's designed to take a picture of a piece of paper. A smart phone camera can take a picture of a piece of paper, so all you need is a way to process the captured image so that it can be transferred to your computer.

Microsoft's Office Lens application does exactly that. I should point out here that this isn't exactly a new concept, but Office Lens makes the process quick and easy. The free application is available for both IOS and Android devices. Images you scan can be saved as a PDF document, added to One Note, uploaded to OneDrive, stored as a PowerPoint slide, saved as a Gallery image, or be processed by an optical character recognition application and saved as a Word document.

When I said easy ... well, let's take a look. (1) I had a document from American Electric Power, so I put it on the desk and held the phone over it. Office Lens determined that it was a document. The other options are white-board, business card, and photo. The initial scan area was the entire page, but I moved the phone in a bit so that it would capture only the table.

(2) Even though I didn't hold the camera exactly square to the paper, the application did a good job of adjusting it.

(3) The next step is to specify how to save the image. I selected OneNote so that it would be transferred to my cloud-based OneNote account. From there it would be downloaded to OneNote on my office computer.

The next time you open OneNote, you'll find a new document in Quick Notes or in whichever location you've selected for new documents.

The ability to scan a receipt in a restaurant, a research document in a library, a white-board presentation at a conference, or any other document saves time and effort. Although Office Lens is intended to be used with Microsoft Office, much of its functionality still exists even if you don't use the connections to the Office suite.

Install Office Lens on an Android device by visiting the Play Store or on an IOS device by visiting the Apple Store.

Spare Parts

Adobe Boosts the On-Line Color App with New Features

Color is an essential part of design and Adobe's color management tools continue to evolve. Creative Cloud members can save and share color pallets, but the cloud-based application is accessible even by non-members.

The company refers to Adobe Color as a creative community where artists create and share color themes and inspiration. These themes can be used in Creative Cloud applications.

Since the beginning, users have been able to develop their own palettes by starting with a base color and choosing a palette type or by giving the application an image from which it can extract colors. Once created, the palette can be saved, shared, downloaded, or added to the user's Creative Cloud Library. Two new features were added this week.

Explore is a new feature allows users to identify the kind of color they're seeking by scrolling through images that are integrated through Adobe Stock and Behance libraries. Adobe Sensei adds machine learning capabilities to recognize words such as "moody", "happy", "peaceful", or even "blog" and then suggest appropriate colors.

From there users can click through to Adobe Stock to license images or move to Behance and follow an artists, find out more about the artwork, or see the entire project.

New Pantone integration allows users to convert palettes into Pantone swatches and use them in Adobe applications. Pantone is a color matching service that provides precise methods for specifying colors.

The new Trends feature includes artwork galleries that focus on design areas such as graphic design, illustration, and fashion. The galleries give users a way to view projects that other designers are working on and to examine emerging trends.

You can see what's new by visiting the Adobe Color website.

Your Browser's Incognito Mode: Maybe Not so Incognito

Most modern browsers have an incognito mode, but they don't all use the same name. Although incognito mode provides some protections, it may not do everything you think it does.

Google Chrome calls it incognito; Firefox and Safari refer to it as private; Edge and Internet Explorer call it InPrivate. They all do about the same thing.: They delete cookies when you close the window and they keep the browsing history empty. They do not hide browser traffic from third parties like your ISP, the government, or your network admin and they do not protect the browser's traffic from hackers or other attacks and vulnerabilities.

These incognito modes have other shortcomings. If you log in to Facebook, Amazon, or any other service while in incognito mode, incognito mode will no longer offer any protections. And if you sign in to any of Google's apps using Chrome's incognito mode, Chrome will start saving cookies and recording history. This essentially eliminates incognito mode.

If you want really private browsing, you'll need to use the TOR browser (extremely slow), Vivaldi with some specialized security settings enabled, or Firefox with some special settings enabled. Or you can use a virtual private network (VPN). Most VPNs slow your internet connection a bit, but all of them are far faster than TOR. A VPN application replaces your IP address with the IP address of a remote VPN server and this makes it impossible to track you via IP address alone. It also encrypts the browser's traffic so that your ISP and other third parties can't see it. If security is important to you, now might be a good time to check into VPN applications.