by Felicien | Sep 13, 2018 | Education
What is ‘ZeroFont’ Phishing?
‘Phishing’ is where hackers attempt to get a user to willingly provide personal information, generally through posing to be someone else. It is one of the more threatening forms of hacking, as it is among the most difficult to protect against traditional security measures.
Hackers continue to find new ways to breach spam and other filters while representing authorities with practical reasons to request information. It is ultimately the user’s decision to trust the hacker which results in information misuse. Users must, therefore, be aware of the nature of phishing tactics and vulnerabilities to best protect themselves.
‘ZeroFont’ phishing attacks have been successful against Office 365 users. In this attack, hackers use a zero-sized font in order to hide identifying information while posing as a reputable account-hosting organization. Users are unable to view zero-sized fonts so they are easily tricked.
What’s Been Happening?
Attacks have been increasing as security researchers learn about this type of internet hacking. ZeroFont phishers have been bypassing Advanced Threat Protection (ATP) processes in popular email services, such as those provided with the commonly used Office 365. Although the advanced Microsoft software uses security processes with many AI and machine learning procedures for blacklisting and other forms of phishing defenses, the ZeroFont method is able to evade these. The use of zero font sizes has proven to be a clever method that allows hackers to sneak in and steal information from a wide range of users.
ZeroFont attacks are actually not new. They were used by hackers in the past but faded into the background for quite some time. For years, hackers have used simple phishing scams to trick users into visiting unsafe sites or giving up their log-in information. This basic method of exploiting internet users has been very successful but cybercriminals are always looking for new and easy ways to steal our money.
Microsoft’s natural language processing has made it more vulnerable to zero font attacks. One example of a hacker using this approach for a successful attack against an Office 365 user involves fraudulent email. The emails are created by a phisher who pretends to be a legitimate Microsoft representative. The email they send out says something about how Microsoft is attempting to notify them that they’ve reached a quota limit of some sort.
Assuming they’ve received an actual message from someone who is their subscription representative, and with the words ‘Microsoft Office 365,’ the email urges the user to divulge personal information. Because of the zero font size, the security program does not recognize relevant keywords and the email is not correctly identified as a ‘spoof’ or spam. Instead, users may choose to cooperate in providing personal information.
ZeroFont attackers can exploit an ability to display a message to users that cannot be properly read by anti-phishing filters. These emails can look as if they are being sent by Facebook, PayPal, Apple, or your financial institution. They urge users to give up sensitive personal information that can then be misused. Hackers have been able to take over Amazon, Facebook and eBay accounts.
While natural language processing is regarded as a powerful aspect of software, highly efficient and effective while safeguarding against email phishing, exploitations of its vulnerabilities have caused ongoing demands for security upgrades. Avanan has more information about the nature of ZeroFont, Punycode, Unicode, and Hexadecimal Escape Character attacks being used today.
Online sources explain that this form of attack has been common, if not rampant since the extent of certain vulnerabilities in Office 365 has been realized.
Security Affairs reported recent phishing ‘campaigns’ that have successfully used this approach, and The Hacker News also reported on a campaign that ‘wildly’ attempted to target a wide range of Office 365 users. The latter was reported to involve a representation of Microsoft while directing users, via a link, to a SharePoint document established to record sensitive information.
As the bodies of the emails sent made use of a zero font size to avoid anti-phishing filters, users were presented with messages that appeared to be legitimate. Imagine getting SharePoint invitations asking for your collaboration or cooperation from Microsoft. It can be tempting to follow the instructions that hackers provide and just do what they say.
Clicked links resulted in automatic openings of the SharePoint file, which hyperlinked the user to an unsafe URL. Therefore even users that did not log in were vulnerable to hacking through the hyperlink, while users that attempted a login also provided their account information to the phisher.
The only way Microsoft can identify such attempts is to scan links within shared documents for URLs that appear to be created for the sake of phishing. Hackers have now become well aware of this. Even if all links are correctly identified, the software would have to blacklist links to all SharePoint files to blacklist the bad URL. This is not a practical fix for the problem.
The Hacker News reported that approximately 10 percent of registered Office 365 users had been targeted by a phishing campaign within just a two week time window.
What Should I Do?
Microsoft recommends, in addition to following best practices for trusting a claim of authority in an email, to:
Ensure the best ATP anti-phishing software and updates are installed.
Use all applicable anti-phishing features.
Use the Security & Compliance Center for more information and system- or software-specific instructions and optimization.
by Felicien | Sep 13, 2018 | Education
To date, Excel and similar apps deal primarily with text and numbers as data types. However, that tradition is about to be a thing of the past as Microsoft is adding two new data types to Excel. These data types allow cells to contain rich, intelligent data that can better represent more real-world data types.
Limitations and Possibilities
Suppose you are putting together a spreadsheet that will plot the relationship between a company’s sales and population in South America. The sales data is easy enough to find, but tracking down the latest population for each South American country might be a bit time consuming and error-prone. At the last minute, someone asks for data that shows sales related to the size of the country, which means another session of hunting down the right information.
What if you could have all that information for a country — population, square miles, map, gross national product, average minimum wage and more – all contained in a single cell within your worksheet? Believe it or not, those days are not too far away.
Excel’s New Intelligent Data Types
There are two new intelligent data types available in Excel: Geography and Stocks. That means that cells in your Excel workbook are no longer limited to holding flat information like text, numbers, or dates. Cells can now house an incredible amount of information related to geography and stocks. Not only can you access this information easily, you can even work with it when you are offline. Both of these data types can be found under the Data tab in Excel, and converting existing data to either of these types is very simple.
Working with the New Geography Data Type
Let’s suppose we have a worksheet that contains a single-column table. The table contains strings that represent countries. To convert this data to the new Geography data type, highlight the country names, then go to the Data tab and click on Geography. This takes care of the conversion.
You’ll notice that an icon appears in the cells next to each country name. It resembles a map that has been unfolded. If you click on that icon, you’ll see a data card that contains tons of information about that country. Now that cell is no longer just a string of characters, but a rich data type with much deeper meaning. All of the data from the data card is actually contained in that cell, and you don’t need an internet connection to access that data.
You will notice that a widget appears to the right at the top of the table. If you click on it, it offers to add another column. You can select from a list of available fields based on the data contained in the card you just looked at.
Stock Data Type
The Stock Data type works in a similar manner to the Geography data type but provides access to data involving stocks. Let’s say you have a table with a single column that contains some company names and some ticker names. You highlight that data, then go to the Data tab and select Stocks. That converts the string data into the new Stock data type, and all the names are switched to company names. You’ll notice that an icon appears by each company name, allowing you to access the data card for that company.
Stock data changes quickly, unlike the Geography data. Because of the dynamic nature of Stock data, the data is refreshable. Some of it is available in almost real-time, while other data will be delayed. If you want to do calculations with cells that contain either the Geography or Stock data type, type in a formula referencing the cell number and then use the . (dot operator) to select the correct member of that geography object. Anything you can do with normal data, you can do with these new data types.
Intelligent Data Types
The Microsoft Knowledge Graph, the intelligent service that also powers Bing, is what provides the data. When someone points out that the Stock and Geography data types are intelligent, that means far more than fixing typos or spelling errors. For example, these intelligent data types can interpret data requests in context. It may ask for more specifics if you enter a city name and convert it to the Geography data type because it wants to make sure what city you mean. However, if a city is listed with other city names in a particular geographical region, then Excel will select a city in that particular region (context).
Accessing It
Not all Excel 365 users can access these new AI data types just yet. According to Microsoft,
“The new data types are being released as preview to Office 365 subscribers enrolled in the Office Insiders program, in the English language only, starting in April 2018. “
However, it will eventually be rolled out for all Office 365 users. And other AI data types will also be added to Microsoft Excel’s repertoire. These developments mean that in Excel you can do even more, even faster.
by Felicien | Sep 12, 2018 | Education
Schools and libraries applying for E-rate technology funding discounts must be CIPA Compliant. CIPA stands for the Children’s Internet Protection Act and mandates that if an institution is receiving a discount for network and network-adjacent services, then it must develop a protocol for use of these services by minors. Further, CIPA stipulates that the public must be notified that the district, school, or library is going to be developing an internet safety protocol, and offer a public hearing before developing the protocol (again with adequate notice to the public ahead of time).
The E-Rate discount applies to:
Data Transmission Services and Internet Access
Voice Services
Internal Connections
Managed Internal Broadband Services
Basic Maintenance of Internal Connections
It does not apply to funding the actual computers, VoIP phones, software, or any other devices that use the above telecommunication services.
Eligible institutions or educational consortiums accepted into the program will receive need-based discounts of between 20-90% off of the costs for the above-mentioned services.
CIPA Compliance Overview
Before implementing an internet use policy, schools, and libraries have to provide reasonable notice to their learning communities that they’re going to be putting one together. Additionally, they must hold at least one public hearing where citizens may ask questions or register concerns.
Lastly, the policy must include two certification requirements: online protection of minors such as filters that can block out objectionable content, and they must include a plan to educate minors on internet safety, cyberbullying, “Netiquette” and more.
The 2011 update also notes that public libraries are not subject to CIPA compliance.
Additionally, schools and libraries have to put into their policy:
Education on safe direct-link contacts such as email or chat.
Unauthorized access like hacking perpetrated by minors and other unlawful acts committed by minors using school devices or using internet services on school property.
Unauthorized access, dissemination of, or use of minors’ personal information including grades, addresses, medical alerts, etc.
Restrict minor children’s ability to access potentially harmful material.
Here is an example of a CIPA Compliance Contractor used by Walled Lake Consolidated Schools in Walled Lake, Michigan.
Adults on Campus
Adults using the internet for appropriate, necessary means are permitted to remove filters blocking access to necessary websites and programs. Adults are also not subject to internet tracking.
Who Determines What Materials Are Appropriate?
Local and state authorities determine what content is appropriate or inappropriate. Further, the blocking of entire social networking sites such as Facebook is not required per CIPA, though individual instances of objectionable or mature content should be filtered out.
Important Additions to CIPA as of 2011
E-rate finding discount recipients must develop and implement a workable strategy for protecting minors and their information, and for educating minor students in how to properly present and protect themselves online.
Schools must provide lessons in “Netiquette” and direct communication (e.g., chat sessions, email) safety education for minors using the internet on school property or with school devices.
What About BYOT/BYOD?
The biggest wrench in the works after funding issues is the BYOD/BYOT phenomenon. It’s natural to allow students to bring in their own devices. It takes care of a few problems regarding access and funding. Plus it reduces the amount of class time needed to train students on an unfamiliar device since they are using their own devices. However, the problems that Bring Your Own Device programs include far outweigh the benefits.
What Is Due Diligence On The Educator’s Part?
Really, the same tried-and-true methods that caught kids with comics or Playboys behind their textbooks still work today. Move around the room as you would for any other group activity or quiet study time, and make your presence known.
Screen mirroring works too and has the added bonus of allowing you to pretend that you’re a TSA agent or mall security officer. It does not allow for classroom management best practices, however, since the instructor may be glued to the screen too closely. It also opens teachers up to liability regarding students’ privacy since a distracted teacher may leave a mirrored workspace screen unattended, giving someone else an opportunity to access student work.
Going back to BYOD, which almost certainly would not be mirrored, students may use a personal broadband or other mobile networks to get around filters. Of course, it would be a violation of not only CIPA-related policies but likely policies already on the books in just about every school district. The best protection is to have a clear, promulgated policy in place that spells out expectations as well as consequences for violations of the policy.
Personal use on a private network also does not currently fall under CIPA’s scope, nor is there any reason to think that it ever would, since CIPA compliance relates to use of school network services and devices. Making the access to restricted materials difficult, expensive, or extremely inconvenient will naturally cut down on the number of people trying to do so.
Last Word – “The Spirit Of CIPA”
Due to the nature of technological innovation today, there are going to be instances of uncertainty. If you “keep in the spirit of CIPA,” you should be all right. Districts developing their policies should make it clear that students and educators failing to make a good faith effort to remain in compliance put funding and the safety of minors at risk, therefore violations will have consequences. It should not be too difficult to uphold the spirit of the CIPA since CIPA guidelines line up faithfully with the goals of all educators: to provide a secure learning environment for students.
The next E-Rate training webinar is Wednesday September 19, 2018 and it takes educators through the invoicing process.
by Felicien | Sep 12, 2018 | Education
What Are Keyboard Shortcuts?
Keyboard ‘shortcuts’ are the strategic use of combinations of keys on your keyboard to perform some task in your software more efficiently. There are shortcuts you can use in your file folders, word processing programs, and even for your email accounts or any social media services, you might use. In addition to increasing time efficiency, some users prefer the potentially increased accuracy of certain keyboard shortcuts.
Text highlighting and spreadsheet cell selection, for example, may be more accurate using a keyboard shortcut versus selections from even the most advanced mice. In any case, if you use mainstream computer software frequently, keyboard shortcuts have been designed for some potential benefit you or your employees can experience.
Which Shortcuts Have Been Most Helpful?
While general preferences have the most priority in what is defined as truly helpful for use, online resources have reported some keyboard shortcuts being more popular or commonly beneficial than others. Here are five keyboard shortcuts that could potentially be ‘life-changing’:
Locking a screen
Window or app switching
Opening Windows Explorer
Opening search bars
Selecting all text
These shortcuts are reported to be the most common time savers when performing common computer software tasks. Pressing the Windows key with the L key (Windows + L) allows a user to quickly lock their screen to more quickly step away from their system.
Pressing the ALT and Tab keys (ALT + Tab) allows a user to navigate between programs they are using. This can be more efficient than using a mouse to click through or minimize several programs as users navigate through their software.
In the common event of a need to locate an unused file, pressing the Windows and E keys (Windows + E) will open Windows Explorer without a mouse navigation and click. This can be useful even if the application is already on the user’s taskbar.
In the event you need to search for additional information, you can press the CTRL and F keys (CTRL + F) to open a search bar. If you need to select all text in a document or screen, pressing the CTRL and A keys (CTRL + A) will result in this being automatically performed, and without the more tedious mouse-button-holding-while-scrolling action notorious for its frustrated multiple attempts.
Other keyboard shortcuts may be less commonly demanded by users but still potentially beneficial to you. Pressing the CTRL and D keys (CTRL + D) automatically moves files to the recycle bin on your system. Pressing the CTRL, Shift, and Escape keys (CTRL + Shift + Esc) automatically opens the Task Manager, allowing you to search for problems.
MoneyTalks News and Buffer recommended several additional keyboard shortcuts as potential ways to boost organizational productivity. In addition to the more commonly known but often still uncommonly used CTRL + S, CTRL + C, and CTRL + V shortcuts for saving, copying, and pasting respectively, these sources report that an emphasis on shortcuts can have a measurable impact on organizational or general productivity and output.
Windows shortcuts recommended include:
CTRL + N (Open new window)
CTRL + T (Open new tab)
Windows key + M (Hide window)
Gmail shortcuts recommended include:
CTRL + Shift + C (Add CC recipient)
CTRL + Shift + B (Add BCC recipient)
Twitter shortcuts recommended include:
G + L (Move directly to Twitter lists)
J/K (Cycle forward or backward through tweets)
Enter (Open tweet details)
| (Close open tweets)
Facebook shortcuts recommended include:
0 (Help page)
1 (Homepage)
2 (Timeline page)
3 (Friends page)
4 (Inbox)
5 (Notifications)
6 (Settings page)
7 (Activity Log page)
J/K (Scroll forwards or backward along posts)
L (Like or Unlike a post)
C (Comment creation)
S (Share post)
P (Create new post)
/ (Search)
YouTube shortcuts recommended include:
1 (Jump to the 10% mark of a video)
2-9 (Jump to the corresponding 20%-90% through a video)
Spacebar (Pause or Unpause the video)
Google+ shortcuts recommended include:
/ (Open search bar)
J/K (Scroll up or down in posts)
Left Arrow (Jump to the menu)
WordPress shortcuts recommended include:
<Command> + 2, 3, or 4 (Jump to corresponding heading)
Alt + Shift + A (Add link)
Alt + Shift + M (Insert image)
What’s In Store For The Future Of Keyboard Shortcuts?
More innovative developments are on the way in an attempt to further improve efficiencies, and you may be able to take advantage of them quite soon. One recent development by a team of researchers extends keyboard shortcuts with arm and wrist gestures so that users can work more quickly with rotations using sensors.
In another development, a research team developed ‘finger aware’ shortcuts, which senses hand posture while allowing secondary movements to trigger shortcuts as other tasks are performed. Actions potentially triggered with a user’s thumb are being coined ‘FingerArc’ functions, while the secondary key actions are being referred to as ‘FingerChord’ functions. Both of these may be considered useful, or even become commonplace in the near future.
What Should I Remember About Keyboard Shortcuts?
Keyboard shortcuts exist in great numbers.
They can be beneficial for better efficiency.
When used across a workplace, measurable productivity increases may be observed/experienced.
Additional, and potentially revolutionary, developments are underway.
by Felicien | Sep 12, 2018 | Education
What is Fluxion?
Fluxion is a new program that combines social engineering and technology to trick users into giving up their log-in and password information. This program is a step above Wifiphisher, which lacks the ability to verify WPA passwords. Fluxion takes all the work out of hacking using a variety of processes that quickly and easily convince users to provide their Wi-Fi password.
Hackers can acquire these passwords through a few simple taps on a keyboard. Fluxion is regarded as a success in making it easier than ever for cyber thieves to steal valuable information from users.
Fundamentally, or in terms of many aspects of its basic framework, it is similar to previous developments but uses a twin access point in combination with handshake capture and integrated jamming functions. These can work together so that aspects of hardware and software operations that normally take place in the standard functionality of the user account are overwhelmed.
What Recent Developments And Potentials Should I Be Concerned With?
The extent that Fluxion has developed in combination with its accessibility and ease of use online is the most concerning. A search of Google or other major internet search engines will reveal numerous instructional pages that can be downloaded. These instructions provide anyone with a little Internet skill to begin a new career as a cyber thief. These sites provide public access to a range of resources that make it possible for anyone to violate user privacy and accounts and steal login information.
The program initiated as an improvement over a successful attack and was rewritten, so both the structure and coding have been strategically optimized in addition to its user-friendliness and availability.
How Does Fluxion Work?
Fluxion uses what is known as a WPA handshake to affect the functionality of a login page as it attempts to gain receipt of user information. It can affect how the user’s entire script is controlled as the original network is jammed, and a clone is created with the same name, attempting to persuade the user into making an unsafe connection under the guise of a familiar one. It often requests that the user allow time for their router or firmware to reload or be updated. This is just a ploy; the real objective is to steal sensitive information.
Fluxion is an EvilAP attack tool, written with a combination of Bash and Python, that is used for MiTM attacks on WPA Wireless networks. Online sources report on Fluxion as a potentially beneficial tool while touting its features similar to how potential improvements in business functions could be experienced through software installation. Hack Insight claims that the use of Fluxion allows network scanning, handshake capture, web interface use, imitating original access points, the de-authentication of all users on a network, capturing and redirecting of all DNS requests, captive portal launching, password verification processes, and automatic program termination following the recording of a viable password. Technology and strategies applied include the launching of FakeAP instances for access point emulation, fake DNS server launching, and MDK3 process spawning.
What’s Been Happening In Research And Development?
Research and development (R&D) regarding Fluxion and related computer software security processes have involved multiple studies and patents in the past year. At the 12th International Conference on Recent Innovations in Science, Engineering, and Management, researchers reported having developed a highly successful cracking system by using Fluxion as their foundation. They explained that the damage that can be done with new hacking software using Fluxion demands better software processes in addition to network strategies in currently maintained and improving systems, particularly those that handle network connections and passwords.
At the 2017 IEEE International Conference on Power, Control, Signals and Instrumentation Engineering (ICPCSI), researchers reported that a number of new security patents have been involved in safeguarding against new hacking techniques that are relevant to the processes used by Fluxion. Fluxion was projected to remain a target of ethical hackers in ongoing research and development, and a foundation of the more damaging tools developed and made accessible online.
What’s The Bottom Line?
Accessibility and ease of use make Fluxion particularly dangerous
Combines multiple processes for high potential effectiveness
Foundation of new and more deadly cyber security attacks
Warrants multiple security upgrades and ongoing R&D
by Felicien | Sep 12, 2018 | Education
You may have an EHR system, decision support systems, purchasing, payroll, laboratory, pharmacy, personnel, finance, planning, and a myriad of other systems running on hardware that’s getting very long in the tooth.
Many PCs are still running some older version of Windows. These issues can be a constant source of security headaches for the IT staff of today’s healthcare organization. From causing security breaches to all-out system failures, this type of trouble can cost your health organization money. In addition, your staff will not have the modern tools they need to do their jobs.
The cloud vendors see your suffering, and, as they are kind, they offer to take this all off your hands and move all your IT operations to the cloud. “For how much?” you ask. “Between $35 and $165 per seat per month,” they reply. You are taken aback. $35 per seat per month is about what you’re paying for Microsoft Office Enterprise, which, you dimly recall, sort of runs in the cloud, or at least it can. What a deal! Where do you sign?
What Was That You Said About Cost Again?
The first thing you realize is that cost is the actual cost of cloud operations once the migration has been completed. Nothing was said (yet) about the cost of moving to the cloud. Digging deeper, you note that the amount charged will vary by processor load, storage used, and “egress” – the cost of moving your data out of the cloud vendor’s data centers down to your PCs, smartphones, and tablets. You quickly discover that if all you want to do is store your data, the cloud is an incredible bargain. If you want to use your data, on the other hand, then this is a whole different story.
There are two choices when it comes to the Cloud: the private and the public cloud. In addition, there are two big vendors: Amazon Web Services (AWS) and Microsoft’s Azure.
So many choices to make and it’s important to make the right ones in order to get exactly what your healthcare organization needs without paying too much.
If your hospital is located in a rural area with practices spread far and wide, then your healthcare facility will need many different services than if you are a single large hospital in a big city. Keeping all of this info on a yellow legal pad may not be ideal. With so many different choices to make, it can be beneficial to work with a trusted IT consultant instead.
There are so many decisions to make and it’s important to find the right IT provider who will oversee everything from start to finish. If you run a busy healthcare facility, you probably don’t have the time or the skills to do all this work yourself. Once you find the right IT service provider, work very closely with them to develop a migration plan, an infrastructure plan, a schedule for moving services, backup storage, and security services.
So, What Are The Real Cloud Advantages?
Moving your operations to the cloud has four substantial advantages:
You no longer have to worry about back-end hardware. All that goes away, except for the servers that interface with the cloud.
You no longer have to worry about capacity, in terms of processor load, memory, or storage. Whatever you need, the cloud provides.
Your security worries will be, not eliminated, but drastically reduced.
You will be able to reduce your in-house IT staff, possibly substantially.
These benefits are arguably worth a tidy sum to most healthcare organizations. AWS, Azure, and a private cloud can provide all of them. So how do you choose?
How Do I Choose The Vendor?
The first thing you need to realize is that you will need a redundant, “failover” site that automatically comes online if the cloud provider’s main site for your applications is down. This does happen – Amazon ran into this issue with its own site on Prime Day 2018.
The cost of this is not automatically included, and it can be substantial. The second thing is that private clouds, where the vendor can treat you as a sole client, are much more configurable than the public cloud (AWS or Azure), which has to be configured to support all comers. Of course, if the situation demands it, you can run part of your operations in a private cloud, and the rest in the public cloud; setting up communication between them is relatively easy.
Should I Wade In Or Jump In?
McKinsey, the renowned consulting firm, has studied both failed and successful cloud migrations and recommends a phased approach. Of course, no solution is one-size-fits-all, but there is a good deal of thought and expertise behind their recommendations. In other words, they say wade in, don’t jump in.
Wading rather than jumping allows you to:
Test the feasibility of cloud migrations
Orient your IT staff to cloud operations
Distribute costs over time
End the project gracefully if it is proving infeasible
Wading will also give you a much more realistic appreciation of the costs and the benefits that are involved.
So, What’s The Bottom Live?
Unless the IT gods are smiling at your organization, you will not be running all your IT operations in the cloud for the $35 you pay for Microsoft Office Enterprise. When site redundancy, egress costs, and processor surge demands are considered, your total costs per seat per month are likely to be higher than this.
When you consider that cost versus a realistic assessment of your current costs (including hardware, software, staff costs, network costs, electricity, cooling, backup, and security), moving to the cloud may still be a bargain. It totally depends on your organization’s needs and the way it handles data. With most healthcare organizations growing by leaps and bounds and considering the high demands that doctors and patients place on the healthcare system, there’s every reason to believe that you will eventually have to make the switch.
