Tag: email security

Safe computing practices in the coronavirus age


The coronavirus plague is keeping us at home, indoors and online more…
(iStock by Getty Images)

The Covid-19 coronavirus plague is changing our habits more and more as we stay at home to avoid the virus or avoid spreading it onwards. Now we are strongly relying on our home networks and the Internet to perform our work, continue studying and connect with others in our social circles.

But this state of affairs brings its own cyber-security risks: computing devices are vulnerable to malware, and hastily-written software is being favoured for tasks like videoconferencing. Not to mention the risk of an increasing flow of fake news and disinformation about this disease.

What can we do?

General IT security

But we need to be extra vigilant about our data security and personal privacy

The general IT security measures are just as important in this coronavirus age. Here, you need to make sure that all the software on your computing devices, including their operating systems, is up-to-date and has the latest patches. This also applies to your network, TV set-top-box and Internet-of-Things hardware, where you need to make sure the firmware is up-to-date. The best way to achieve this is to have the devices automatically download and install the revised software themselves.

As well, managing the passwords for our online services and our devices properly reduces the risk of data and identity theft. It may even be a good idea to use a password vault program to manage our passwords, which helps prevent us from reusing them across services. Similarly, using a word processor to keep a list of your passwords which is saved on removable media and printed out, with both the hard and electronic copy kept in a secure location, may also work wonders here.

Make sure that your computer is running a desktop / endpoint security program, even if it is the one that is part of the operating system. Similarly, using an on-demand scanning tool like Malwarebytes can work as a way to check for questionable software. As well, you may have to check that the software installed on all of your computing devices is software you actually use, and even verify with multiple knowledgeable people whether that program that is the “talk of the town” should be on your computer.

If you are signing up with new online services, it may even be a better idea to use social sign-on with established credential pools like Google, Facebook or Microsoft. These setups pass a token between the credential pool and the online service as the authentication factor, rather than relying on a separate username and password that you create.

As well, you will be using the Webcam more frequently on your computing devices. The security issue with the Webcam and microphone is more important with computing setups that have the Webcam integrated in the computer or monitor, like with portable computing devices, “all-in-one” computers or monitors equipped with Webcams.

Here, you need to be careful about which programs have access to the Webcam and microphone on your device. If newly-installed software asks to use your camera or microphone and that request doesn’t fit what the software actually does, deny it access when it asks.

If you install a health-department-supplied tracking app as part of your government’s contact-tracing and disease-management efforts, remember to remove this app as soon as the coronavirus crisis is over. Doing this will protect your privacy once there is no real need to manage the disease.

Email and messaging security

Your email and messaging platforms will become an increased security risk at this time thanks to phishing including business email compromise. I have covered this issue in a previous article after helping someone reclaim their email service account after a successful phishing attempt.

An email or message is likely a phishing attempt if it isn’t commensurate with proper business writing standards for your country, has a sense of urgency about it, or is too good to be true. Once you receive these emails, it is prudent to report them and then delete them forthwith.

In the case of email addresses from official organisations, make sure that the domain name is the organisation’s proper domain name. This is exactly the domain name they would use for their Web presence, although the domain-name part of an email address, following the “@” symbol, may be prepended with a server identifier like “mail” or “email”. As well, there should be nothing appended to the domain name.

Also, be familiar with the particular domain-name structures used by official organisation clusters like the civil / public service, international organisations and academia when you open email or surf the Web. These will typically use restricted top-level domain suffixes like “.gov”, “.int” or “.edu” and won’t use common suffixes like “.com”. This will help with identifying whether a site or a sender is the proper authority or not.
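As an added example (not from the original article), here is a small Python check that applies the two rules above to a sender address: the domain part must be the organisation’s Web domain, optionally prefixed by a single server identifier like “mail”, with nothing appended; and a restricted top-level domain such as “.gov” is recognised. The organisation domain (example.org) and the addresses used are constructed placeholders.

```python
from __future__ import annotations

# Top-level domains the article describes as protected: registration under them
# is restricted, so a sender there is a stronger signal than a ".com" lookalike.
RESTRICTED_TLDS = {"gov", "int", "edu"}

# Server identifiers that organisations commonly prepend to their mail domain.
ALLOWED_MAIL_PREFIXES = {"mail", "email"}


def domain_of(address: str) -> str | None:
    """Return the lower-cased domain part of an address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    domain = domain.strip().lower().rstrip(".")
    if not local.strip() or not domain or " " in domain:
        return None
    return domain


def matches_organisation(address: str, org_domain: str) -> bool:
    """True when the sender domain is exactly the organisation's Web domain, or
    that domain with a single allowed server identifier in front (mail.example.org).

    Anything appended after the organisation's domain (example.org.evil.net) fails,
    as does a domain that merely contains the organisation's name (secure-example.org).
    """
    domain = domain_of(address)
    if domain is None:
        return False
    org_domain = org_domain.lower().strip(".")
    if domain == org_domain:
        return True
    suffix = "." + org_domain
    if domain.endswith(suffix):
        prefix = domain[: -len(suffix)]
        # exactly one label, and it must be a known server identifier
        return "." not in prefix and prefix in ALLOWED_MAIL_PREFIXES
    return False


def uses_restricted_tld(address: str) -> bool:
    """Heuristic: the sender domain ends in a restricted top-level domain, either
    directly (agency.gov) or under a two-letter country code (agency.gov.au).
    A restricted label buried elsewhere (evil.gov.com) does not count."""
    domain = domain_of(address)
    if domain is None:
        return False
    labels = domain.split(".")
    if labels[-1] in RESTRICTED_TLDS:
        return True
    return len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in RESTRICTED_TLDS


if __name__ == "__main__":
    # Constructed addresses; example.org stands in for the organisation's real domain.
    for sender in ("alerts@example.org", "alerts@mail.example.org",
                   "alerts@example.org.evil.net", "alerts@secure-example.org",
                   "alerts@login.mail.example.org"):
        print(f"{sender:32} matches example.org: {matches_organisation(sender, 'example.org')}")
    for sender in ("info@health.gov", "info@health.gov.au", "info@health-gov.com"):
        print(f"{sender:32} restricted TLD: {uses_restricted_tld(sender)}")
```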

Messaging and video-conferencing

Increasingly as we stay home due to the risk of catching or spreading the coronavirus plague, we are relying on messaging and video-conferencing software more frequently to communicate with each other. For example, families and communities are using video-conferencing software like Zoom or Skype to make a virtual “get-together” with each other thanks to these platforms’ support for many-to-many videocalls.

But as we rely on this software more, we need to make sure that our privacy, business confidentiality and data security are protected. This is becoming more important as we engage with our doctors, whether they be general practitioners or specialists, “over the wire” and reveal our medical issues to them that way.

If you value privacy, look towards using an online communications platform that implements end-to-end encryption. In fact, most of the respected “over-the-top” communications platforms like WhatsApp, Viber, Skype and iMessage offer this feature for 1:1 conversations between users on the same platform. Some, like WhatsApp and Viber, offer this same feature for group conversations between users on that same platform.

Video-conferencing software like Zoom and Skype

When you are hosting a video-conference using Zoom, Skype or similar platforms, be familiar with any meeting-setup and meeting-management features that the platform offers. If the platform uses a Weblink to join a video-conference that you can share, use email or a messaging platform to share that link with potential participants. Avoid posting this on the Social Web so you keep gatecrashers from your meeting or class.

As well, if the platform supports password-protected meeting entry, use this feature to limit who can join the meeting. Here, it is also a good idea to send the password as a separate message from the meeting’s Weblink.

Some platforms like Zoom offer a waiting-room function which requires potential participants to wait and be vetted by the conference’s moderator before they can participate. As well, these platforms may have a meeting-lockout function so that no more people can join the video-conference. Use this function once all the participants you expect are present in the meeting.

You need to regulate the screen-sharing feature that your platform offers, which allows meeting participants to share currently-running app or desktop user interfaces. You may have the ability to limit this function to the moderator’s computer or a specified participant’s computer, which will prevent people from showing offensive imagery or videos to all the meeting’s participants. As well, you may also need to regulate access to any file-sharing functionality that the platform offers, in order to prevent the video conference becoming a vector for spreading malware or offensive material.

Fake news and disinformation

Just like with the elections that matter, the coronavirus issue has brought about its fair share of fake news and disinformation.

Here, I would recommend that you use trusted news sources like the respected public-service broadcasters for information about this plague. As well, I would recommend that you visit respected health-information sites including those offered “from the horse’s mouth” by local, regional or national government agencies for the latest information.

As well, trust your “gut reaction” when it comes to material that is posted online about the coronavirus plague, including the availability of necessary food or medical supplies. Here, be careful of content that is “out of reality” or plays on your emotions. The same attitude should also apply when it comes to buying essential supplies online and you are concerned about the availability and price of these supplies.

Conclusion

As we spend more time indoors and online thanks to the coronavirus, we need to keep our computing equipment including our tablets and smartphones running securely to protect our data and our privacy.

Should we be managing multiple email accounts?

Windows Live Mail client-based email interface

Multiple email accounts may be beneficial to your privacy and work-life balance.

Some of us may find it convenient to handle all of our email through one account. The advantages that are often seen include dealing with one inbox and sending from one account.

But we are increasingly entering a world where we have to deal with multiple email accounts.

Why run multiple email accounts?

One reason this is becoming important is to keep business and private email separate. Here, it may be about preserving a separate business and social persona, or simply to delineate your time between home and work activity. Similarly, the separate email address for business / work email is an advantage in preserving a professional appearance.

As well, the correspondence associated with your personal email address that you maintain yourself isn’t subject to the same kind of legal scrutiny that the correspondence associated with your business email address would be subject to. This is important if your workplace or business is to change hands or is a party to legal action of any sort.

People who have a public-facing business life such as politicians or celebrities will maintain a public-facing email address to maintain an email correspondence consistent with that public-facing role. This is becoming more important where people in the public eye are becoming more vulnerable to “dirt-digging” – the practice of trawling for any information to discredit one’s reputation.

This practice is also becoming important with the emails we “tie” to various social-network presences. Here, we may want to operate a professional-looking persona on our public-facing social-media profiles while keeping a private persona on our personal social-media profiles.

The situation extends to where we have our email address on material that the public have easy access to, whether it’s that notice on the church noticeboard or our entry on that petition.

Those of us who engage in online dating are finding that maintaining a separate email address for use with dating apps and Websites gives us greater control over what potential suitors know about us. It may also offer a chance to control when they can contact us while keeping this life private from family or work.

Account types list in the Add Account option including option to add POP3 or IMAP4 accounts

It also applies to businesses and organisations who maintain a public-facing email address that is written on their public-facing material. This keeps a professional appearance and keeps your staff’s business and private email more private. Similarly, you can maintain multiple email addresses for particular job descriptions or workflow requirements.

Conversely, some of us maintain a separate email address that we give to marketers or online email newsletters as a crude method of spam control. Similarly, separate email addresses are increasingly seen as important as a failover measure should one email server crash, or as a means of security verification for email services.

How is this achieved?

Who will provide the email inboxes


Add Account option in email settings on Android (Samsung) email app

Your workplace will give you an email address that is tied to your tenure with that employer. The provision of a tied email address will also apply for most college students or staff who have access to college IT resources. If you run a small business or other organisation with a Web presence and your own domain name, your Webhost or domain name provider will offer at least one email inbox under the main domain name you purchased.

Most ISPs or telcos will provide you with at least one email inbox as part of your Internet-service deal. It will be something that is very common with fixed-line Internet service especially from major providers.

Of course, there are the Webmail providers like Outlook.com and Gmail who will provide you with at least one email address for free. There are also the secure email hosts who provide a secure user experience at a premium price.

Now we are seeing the rise of dedicated service providers who provide email inboxes as their main business. Such providers will offer Web-based or standard client-based access to these mailboxes.

What to look for


Account types offered by the Samsung Android email app

A feature I consider very important for email accounts is that they support multiple-device access and full “on-the-road” use. Typically it would mean use of a major Webmail host or a host that implements “hosted Exchange” or IMAP4 email protocols. This is important where we use a mobile device or secondary laptop computer to work our emails and want to work our email from anywhere.

You may find that a Webmail interface that allows the operation of multiple accounts from competing services may come in handy if you are using shared computers or public computing facilities.

How do you handle the multiple email inboxes

Different users may manage their email from multiple accounts using one of two paths. One is to use a single interface for all of the email accounts, with the other being to use different interfaces for different accounts.

This may mean having all your personal email accounts operated with one interface, like a Webmail interface, while your work or business email accounts are operated with another, like a business-optimised email client.

One email interface for all accounts

Most email interfaces, whether Web-based or client-based, will support the operation of multiple email accounts. In this case, using the one interface will underscore the idea of going to one email interface for all of your email activity.

Your email interface will have an option in its account-management settings to add or delete email accounts. Most of the current interfaces will have a “quick-setup” routine for the popular Webmail providers; and will have a setup option for accounts using Microsoft Exchange, POP3 or IMAP4 accounts.

Receiving email

The user experience for reading your email will have separate inboxes for each of the accounts you manage. You may also find that some email interfaces, like the Gmail Web interface, offer a combined-inbox view for all of your email accounts, with the better interfaces using visual cues to differentiate each account.

Sending email

Should you send an email, you will be asked to choose which account you use to send your email via.

On some email interfaces where you choose the account you are operating at the moment like Windows 10’s Mail app, the account you are operating would be the one you send your email via. Other interfaces may require you to determine which account you send the email from when you click the “Send” button. As well, most of these interfaces may offer a default-account setting for new email, with the option to override this when you compose your new message.

The default behaviour for replying and forwarding would be to use the email service you received the email via for sending the replies or forwarding the email.

Your contacts list

Of course the contact list kept in your email interface will, in most cases, be shared amongst all of the accounts you operate.

Different email interfaces for different accounts

On the other hand, some of us may choose to operate each inbox with its own interface setup. This may be due to an email client not handling multiple inboxes the way we want, or simply to delineate the operation of each inbox as a separate task.

This is simple: each interface is set up with its own account. But you will have to copy across any contact details you want to use across multiple accounts if you operate them with separate interfaces.

A combination of this situation and the former situation will apply if you choose to operate some accounts with one interface and others with another interface. This is a useful practice for those of us who want that “church and state” separation between business and personal or public and private email activity.

Conclusion

Operating multiple email accounts may come into play as a measure to protect your privacy and manage your email inboxes properly.

A timely reminder to beware of suspicious emails in your inbox


Slow down when you check those emails so you are safe

Increasingly people are receiving emails that are becoming very dangerous to their personal or business security.

This happens especially during November and December, between when the American community celebrates Thanksgiving (the last Thursday in November) and Epiphany / Twelfth Night (January 5), when there is a lot of Christmas-driven communication and most, if not all, of us are thinking about Christmas. This includes responding to the shopping offers that are made available through this time. These emails are crafted to “get at” the user and take control of their computing equipment or data.

Over this past weekend, some friends of mine from church approached me about email issues, and I found out that the husband had fallen victim to a phishing attack against his Outlook.com Webmail account, which ended up being used to send spam messages. I visited these friends on Monday night for dinner and to help him change his account’s password and report it as compromised. Then a close friend of his rang him about receiving the Australia Post phishing emails, and I suggested to that friend to delete that email immediately.

One example is to supply malware as an attachment, typically disguised as a compressed “file of files” or a malformed document file, or to direct users to pick up the questionable software from a Web link. The idea is to get users to install this software of questionable provenance on their computer so that it becomes part of a large botnet intended to wreak havoc on other computer users, steal your personal or business information, or extort money from you.

Another example is a link that sends users to a forged login or other customer-interaction page for a Webmail, banking, Social Web or similar online service to steal their personal details. This is typically done to steal the user’s money or identity, create a bank account or similar financial account for laundering ill-gotten gains, or use an email mailbox and contact list to send further spam to other computer users.

The email is suspicious if

It is out-of-character with the sender

This may reflect a situation that you know the sender is not in, such as them or their business being in dire financial straits. It may also simply be an email of a kind they don’t normally send.

Contains nothing but enticing “click-bait” text

You may find some enticing text written in the Subject line or in the body of the message that gets you to either open the attachment or click on that link.

Implores you to open it or click on the link under pain of losing service continuity or something similar

Looks very official and has copy threatening that you will lose access to your funds or continuity of a service you use, or something similar, and requires you to click on a link in that message to take action to remedy the situation. This may also be about the pending arrival of a parcel or some funds, where you have to click on a link or open an attachment to print out a “claim form”.

What to do?

Do not click on the links in that email or open the attachment

Under no circumstances should you click on any links in the suspicious email or open any attachment that is part of that email.

Check the email out

In the case of a personal email, check the email address that purports to be in the name of your contact to see if it is one that you and your contact regularly use. Here, some people may operate a business email address alongside a personal email address and you need to confirm these addresses through conversation, business collateral that they supply, amongst other things.

In the case of a business email, check to see if the email looks as though it genuinely represents that organisation. If the email is requiring you to do something to assure “continuity of service”, access to funds, etc. contact that business directly using their customer-service number or email.

One obvious red flag would be if you receive a contact from a bank or other business you don’t do any business with. Another red flag is an email that isn’t addressed to you personally, but rather uses a generic “all-call” salutation like “Dear Customer”. Yet another red flag is the quality of the document. Here, you look out for whether the email represents the company’s current “trade dress” such as current logos, colour schemes and the like. As well, you look at the quality of the document to see that it reflects what is expected for a business document coming from the company’s location of business, such as spelling, grammar, punctuation, etc.

Sometimes, what appears in the “To” list may be contacts, including “virtual contacts” which represent a cluster of email addresses, whom you don’t have anything to do with. This is also a sign of a suspicious email.
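As an added example (not part of the original article), the following Python scans a raw email message for the red flags described above: a To list containing strangers, a sender address your contact doesn’t normally use, a generic salutation, urgency or threat copy, and a compressed or macro-style attachment of the kind used to carry malware. The contact list, phrase lists and both sample messages are constructed for illustration.

```python
from __future__ import annotations

from email import message_from_string, policy
from email.message import EmailMessage

# Addresses you have confirmed with your contacts through conversation or their
# business collateral (constructed). Anything else in From, To or Cc is a stranger.
KNOWN_ADDRESSES = {"pat@example.net", "me@example.net"}

GENERIC_SALUTATIONS = ("dear customer", "dear valued customer", "dear user", "dear member")
URGENCY_PHRASES = ("within 24 hours", "immediately", "will be suspended",
                   "lose access", "claim form", "verify your account")
# Compressed "file of files" or macro-bearing documents are the carriers the
# article warns about; executables and scripts are added for completeness.
RISKY_ATTACHMENT_EXTENSIONS = (".zip", ".rar", ".7z", ".docm", ".xlsm", ".exe", ".js")


def red_flags(raw: str, known: set[str] = KNOWN_ADDRESSES) -> list[str]:
    """Apply the article's red flags to one raw message and return a readable
    list of what was found (an empty list means nothing was flagged)."""
    msg = message_from_string(raw, policy=policy.default)
    flags: list[str] = []

    def addrs(header: str) -> list[str]:
        value = msg[header]
        return [a.addr_spec.lower() for a in value.addresses] if value is not None else []

    senders = addrs("from")
    recipients = addrs("to") + addrs("cc")

    # To/Cc contains people you don't deal with (or a "virtual contact" cluster).
    strangers = sorted(a for a in recipients if a not in known)
    if strangers:
        flags.append("To/Cc lists addresses you don't deal with: " + ", ".join(strangers))

    # Sender is not one of the addresses you and your contact regularly use.
    if senders and senders[0] not in known:
        flags.append(f"sender {senders[0]} is not an address your contact normally uses")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    # Generic "all-call" salutation rather than your name.
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first_line.rstrip(",:") in GENERIC_SALUTATIONS:
        flags.append(f"generic salutation: {first_line!r}")

    # Copy that threatens loss of service or funds, or dangles a parcel "claim form".
    haystack = (msg["subject"] or "").lower() + "\n" + body.lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        flags.append("urgency or threat copy: " + ", ".join(hits))

    # Attachments of the kinds used to deliver malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXTENSIONS):
            flags.append(f"risky attachment: {name}")
    return flags


def sample_phish() -> str:
    """Constructed message combining several of the article's red flags."""
    m = EmailMessage()
    m["From"] = "Parcel Desk <parcels@delivery-notice.example>"
    m["To"] = "me@example.net, stranger1@example.org, stranger2@example.org"
    m["Subject"] = "Your parcel is waiting - action required within 24 hours"
    m.set_content("Dear Customer,\n\nA parcel is waiting for you.\n"
                  "Print the attached claim form or your parcel will be returned.\n")
    m.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                     maintype="application", subtype="zip", filename="claim_form.zip")
    return m.as_string()


def sample_personal() -> str:
    """Constructed message from a known contact with nothing suspicious about it."""
    m = EmailMessage()
    m["From"] = "Pat <pat@example.net>"
    m["To"] = "me@example.net"
    m["Subject"] = "Dinner on Monday?"
    m.set_content("Hi,\n\nStill good for dinner on Monday night?\n\nPat\n")
    return m.as_string()
```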

Check with the sender

If you receive an email from a contact of yours which appears to be out-of-character with them, contact them about that email. You must do this not by replying to that email but by either calling them on the phone, sending an SMS or instant-messaging message to them or sending a separate email to them.

If it is business-related, like correspondence from your bank or other organisation, log in to the business’s Website yourself using its commonly-published or commonly-known Web address. Here, you type the address in to your Web browser’s address bar or, if you do regular business with the site, go to the bookmark or favourite link you have created for it. As well, it may also be of value to contact the organisation on their published phone number to check the veracity of that email. Here, you may find this in the regular business correspondence that you have from them, or use the common telephone directory or the organisation’s Web page to find that number.

Report the email then delete it

If you are using your Webmail provider’s Web-based user interface, you may have an option to report that email as spam, hacking, fraud or something similar. If you are using a client-based email setup, forward the email as an attachment to your ISP’s or email provider’s email address that has been set up for reporting email abuse or fraud.

Business users who work for a company that has an in-house or contracted IT team should let that IT team know about the suspicious email. This will also apply to those of us who study at a school or university which has its own IT team.

As well, if the email appeared to be in the name of the bank or other organisation, look on the organisation’s Website for a “report fraud” link or email address and use that to report the fraudulent emails that you received. Here, they can engage local or national law enforcement to take further action, especially if the behaviour is persistent.

Then delete the fraudulent email immediately.

Security tips

  • Keep the computer’s operating system and application software up-to-date with the latest patches.
  • Make sure you are running a good anti-malware utility and that it is updated frequently and regularly. It may also be a good practice to run a full scan with this software.
  • Make sure that you have strong and preferably unique passwords on your online services.
  • Make sure that your home network hardware is on the latest firmware and has strong non-default passwords.
  • Consider using a password manager program or service. As well, it may be worth it to implement a two-factor authentication setup on your online services with your smartphone showing a key number as a “second factor”.
  • As well, you may find that if you have an account with a major online service like a Microsoft service or one of the popular social networks, you may have the opportunity to implement a single sign-on. This may be worth using especially with games, forums, comment functionality, online music or similar services so you don’t have to work out extra passwords.
  • Back up the data you created yourself using your computer to a NAS and/or USB hard disk, and preferably make a separate copy of this backup in a separate location.
  • Only visit Websites and online services that are known to be reputable.