Looking Forward to 2023 With Nary a Prediction in Sight

by Leave a Comment

Last began with more than 100 ships, loaded with goods, lined up outside the ports of Los Angeles. Now there is no backlog. I was looking forward to a new year with some semblance of normalcy in the supply chain for computer-related goods. Unfortunately, that looks like it might not happen.

China was locked down with its zero-Covid initiative and still managed to produce products to keep the supply of goods up and running. Now the government has eliminated that constraint, and people are staying home anyway. Many more are getting sick. Based on recent news articles, the country is prepared for hundreds of thousands of citizens to die. This disastrous result will place many computer equipment manufacturers in the same awful position they were in at the start of the pandemic three years ago.

Lenovo has not announced any planned price increases, but they rarely do. They adjust pricing at the distributor level when they provide their available supply list. I expect to see price jumps on the equipment I usually offer to home users and small business clients by mid-year. I also expect to see the same unavailability of monitors and computers as I did early last year. My advice is if your computers are coming up for replacement, get moving on that project sooner rather than later.

A lack of products will also affect the pricing of items that are still available. SonicWall has increased the price of hardware and software three times in the past two years. They have — for now — indicated they plan to hold the line. Still, I don’t think it will be far-fetched to believe that if they cannot get the necessary components for their firewalls, especially chips, they will increase hardware prices to what they feel is essential to keep moving forward. As a result, a higher price will affect anyone needing a new firewall.

Microsoft is proud of its software and cloud services, generating $25 billion in 2022. The price for Microsoft 365 (most commonly known as Office) will be increasing in 2023 for most business subscriptions. Following an enormous backlash from partners when Microsoft announced a price increase early in 2022, the company offered “discounts” through the end of the year. The cost of Azure, the data center cloud service, will likely increase later in 2023 to account for price spikes for the hardware required in their data centers — mostly solid-state disk drives.

Oddly enough, one of the latest offerings from the world of Artificial Intelligence, ChatGPT, will either wreak havoc for programmers or be a savior. This unique software can provide programming solutions when presented with a mere suggestion of a problem. Companies will still need skilled programmers to complete a full-fledged project. But with the starting point provided by an AI engine, many companies will be willing to reduce their staffing costs by employing this new technology just to hold the line on increasing software costs.

Another feature of ChatGPT is that it can respond to standard English language questions. I foresee customer service help desks will use this functionality before the end of the first quarter to answer commonly asked questions before routing a phone call (or chat session) to a human being. High school English teachers have recently realized the answers to essay questions cannot be reviewed by “did they cheat” software, because ChatGPT responses can be edited to approach grade level equivalency. Only the consistent use of proper grammar and punctuation reveals a software program, rather than an 11th grader, did the work.

With the price of a bitcoin reaching record-level lows, many computer industry pundits believe there will be a decrease in ransomware attempts. I am skeptical and don’t think so. In the past, most cybercriminals requested payment in bitcoin — especially when the price was approaching a record level near $66,000. However, the cyber-currency is now hovering around $16,000, dropping from over $50,000 at the start of 2022. So, in addition to asking for bitcoin to return data, bad actors also threaten to release the data they hold to the public. In some cases, various compliance regulations govern this information, which puts the owners (the victims) in more jeopardy than usual. Kyle Hanslovan, CEO of Huntress Labs, confirmed my thinking in a recent interview with CRN magazine when he said:

With the economy changing, there is no doubt that folks have to get paid. Threat actors have to make money somehow. We‘re noticing, even in some places, they’re holding the data for ransom, but they‘re not actually encrypting. They’re skipping that part and just only holding for extortion, or threatening to maybe call a regulator or threatening like, ‘I’m going to call your customer and show them I have your data.’ So there [are] still other ways even by not using ransomware to still hold data theoretically for ransom. For me, it‘s not going anywhere. It’s such a great source of income for them; it‘s clearly not going away in 2023.

Thanks, and safe computing!

Year End News: Transitions

by Leave a Comment

One aspect of my business that never ceases to amaze me is how hardware and software vendors can make sudden changes that affect vast numbers of clients and end-users with little notice. The two I write about this month are significant; however, they are not representative of the entire industry.

Intuit

Intuit is the maker of QuickBooks, the accounting software many individuals and businesses use to manage their finances. There are three desktop versions of QuickBooks: Pro, Premier, and Enterprise. In 2001, Intuit released a cloud-based version of QuickBooks, which purported to match the desktop versions. Often heated discussions on various forums show this effort has fallen short of expectations for those who are used to the desktop product.

Intuit has had a strict support policy for QuickBooks. It states that support for the current product is valid for three years from when it was issued. For example, Intuit released QuickBooks 2022 in September 2021. It will receive support until the fall of 2024, which means Intuit will publish updates and fix problems with its code during those three years. Anyone who purchases the product can call Intuit’s QuickBooks Support to resolve problems with installation and program errors. Help for how to use QuickBooks is relegated to website forums and accountants. After three years elapse, add-ons to QuickBooks will no longer function. These include Payroll Services, Online Backup, and Online Banking.

For the Pro and Premier versions, you used to be able to go to the Intuit website, Amazon, or a big-box store and purchase the software. You’d either get the CD/DVD and a license key or the license key along with a download link. That software purchase gave you three years of support. The Enterprise version was always an annual subscription.

Last year Intuit changed how you can purchase the product. They have implemented a subscription service for the Pro and Premier versions. (I predicted this more than a year ago for some of my clients.) You must buy the product every year if you wish to continue to use it. To make matters just a little bit worse, you can no longer purchase the Pro version from the Intuit website by clicking a Buy Now button. Intuit removed that option this year. You must call the Sales phone number at the top of the page.

As I learned last month, when you call, the sales agent, using a script, will push you to choose QuickBooks Online. If you say no to that option, they will attempt to get you to upgrade to the Premier version. And if you continue to say no, the sales agent is tasked to offer you additional for-fee options to the Pro version (e.g., Payroll Services, Online Backup, and Online Banking). All in all, not a pleasant buyer’s experience, certainly not one conducive to further purchases – except now, everyone who uses QuickBooks is a captive for a higher priced, not necessarily better, product every year.

Microsoft

Most people probably know Microsoft makes Office primarily consisting of Word, Excel, and Outlook. You might also know that Microsoft has made Office available as a cloud-based offering – in many forms and with different names – since 2010.

Over time, Office was installed from diskettes (6 in 1990), CDs, DVDs, and – most recently – using a license key and a download link. These are known as perpetual licenses. They are valid for as long as you use the computer on which you installed the program. For several years, Microsoft hinted there would come a day when they would stop issuing those product versions. That day is now more visible and inevitable. Last month one of my colleagues reminded me that Office 2013 is going out of support in April 2023. While I wasn’t surprised that a ten-year-old product was ending, what surprised me was the end dates for Office 2016 and 2019. Look a look at the chart below.

OfferingStartMainstream EndExtended End
2013Jan 9, 2013Apr 10, 2018Apr 11, 2023
2016Sep 22, 2015Oct 13, 2020Oct 14, 2025
2019Sep 24, 2018Oct 13, 2023Oct 14, 2025
2021Oct 5, 2021Oct 13, 2026Not applicable

Please note that the last day of support for Windows 10 is also October 14, 2025.

What is someone with a perpetual “Home and Student” or “Home and Business” version of Office supposed to do? The only solution is to purchase a subscription to the appropriate cloud product, as follows:

Consumer (Student):Microsoft 365 Personal$69.99 per year
Business:Microsoft 365 Apps for business$99.00 per year

I will distinguish between an individual purchasing a “Microsoft 365 Personal” or “Microsoft 365 Apps for business” subscription on the Microsoft website versus a business subscribing its staff to Microsoft 365 Business Standard or Business Premium via my Microsoft partner program, NCE. Individuals must create a Microsoft Account (a unique-to-Microsoft email address) to purchase the license because Microsoft will save your credit card information. I can provide subscriptions for businesses through NCE that get are included on their monthly bills.

While it is going to be relatively easy to create a FirstName.LastName@Outlook.com email address for individuals (unless your name is Bob Smith), Business accounts – for actual businesses – must go through NCE to ensure the default “onmicrosoft.com” administrator account gets created. After that, it requires several administrator steps to link the business’ legal website name to the product.

By October 14, 2025, Microsoft will (most likely) require a Microsoft Account to access any new Windows 11 computer. If so, then you must use the same email address for Office!

I can’t say I’m looking forward to these changes because if they are difficult for me to adjust to, they will probably play some havoc for the clients I support.

Thanks, and safe computing!

An Extended Warranty Is Important – Especially When You Need It

by Leave a Comment

Why do some clients complain about the cost?

I always include an extended warranty whenever I sell a higher-end APC UPS battery backup device. I do this to safeguard my client’s investment in a piece of hardware designed to protect computer and network equipment from electrical mishaps.

Sometimes I get push-back from clients about the additional expense, and I take the time to explain what the extended warranty offers. Of course, I’m using a rational approach to try to offset an automatic response (i.e., a gut feeling), which – I realize – is not one that works well all the time.

But let me tell you about a recent incident with one APC UPS device.

A client was renovating one of their offices. As a result of the new design, the APC UPS ended up underneath a desktop counter with minimal airflow. I received an alert because the battery temperature had increased significantly – to the point where it would reduce the lifespan dramatically. So, I asked for a vent to be placed in that section of the desktop counter.

When the contractor came to do the work, he inadvertently sliced into the UPS with his jigsaw while cutting the opening in the desktop. The device went into battery-only mode because he had severed the electrical connection.

Without an extended warranty, here’s what would have happened. I could take advantage of the APC TradeUPS program to obtain a new device. In mid-2022, there is only a 5% discount ($469 -5% = $445). The model is heavy, so shipping is expensive ($50). And there’s the Bergen County recycling fee for batteries ($35). All in, this comes to $530 to replace a damaged device.

With an extended warranty, the replacement device is free, shipping is free, and the recycling fee is free. There is no cost for a warranty replacement.

An extended warranty costs approximately $120 when purchased with a new UPS. In addition to the unique situation my client experienced, an extended warranty lets you obtain a replacement battery, including free shipping and recycling, during the device’s warranty period. Consider that a replacement battery costs about $130 (not including shipping) without a warranty. As I’ve mentioned numerous times, a UPS battery will last between three and five years based on environmental conditions. That means during the life of the device, you might replace the battery at least once, and possibly twice.

There is no reason not to get an extended warranty when you buy a new UPS if one of your goals is to save money.

How I Prepare for the Security Threats of Tomorrow

by Leave a Comment

There is little doubt that cybercrime is becoming more complex, and ransomware and data breach events are becoming more frequent. As a result, many small business owners have become concerned that they will soon be victims. Some have looked to IT solutions providers, like Heliotropic Systems, to help deal with these evolving threats. That is why it is vital for me to understand the current state and emerging trends of that threat landscape and what tools I can use to combat them.

Let’s look at the cybersecurity landscape and analyze the threats, trends, and opportunities.

Protecting Small Businesses from Ransomware Attacks

Cybercriminals are increasingly targeting small- to medium-sized businesses (SMBs). In 2021, more than 40% of all cyberattacks were against small businesses. Digging deeper into that statistic, researchers have found that of those attacked, approximately 60% will go out of business six months following an attack. The primary reason is that so many SMBs don’t have the resources to support an internal IT and data security operation.

In almost all of my security vendor recent annual reports, the most common threat was ransomware. The second tier threat was data breach. To combat these insidious hazards, I must be proficient in three areas.

Prevention

The primary goal is to eliminate the threat of an attack in the first place. While I fully acknowledge there is no “right” way to do this, there are measures I take to help keep my clients from becoming ransomware victims. I recently added Huntress (a threat detection tool) to my portfolio. You subscribe to SPF+ (for consumers) and SHADE (for small businesses), which enables automated patch management to fix potential vulnerabilities as soon as they are discovered.

Another significant measure is to constantly remind clients that rather than click on a link or respond to a suspicious email, you should call me for confirmation. The other day, someone said they received an invoice for three years of Norton Lifelock. No, they didn’t — they received a scam email. It was de-
signed to obtain sufficient information to make fraudulent charges on their credit card.

Detection

I’d be remiss if I didn’t acknowledge that ransomware can still get through the protection layer despite my best efforts. That’s why I have measures in place to identify when ransomware is present, rather than assuming an attack will never be successful. The earlier I can detect it, the sooner I can take action to eliminate it.

Response

When ransomware is detected, responding to the attack, and eliminating it must be done with the utmost efficiency. Some of the steps I must take include:

  • Scan the network for confirmation of an attack unfolding.
  • Identify the infected computers and isolate them from the rest of the network.
  • Secure all backup data or backup systems immediately.

I feel good knowing I have a significantly positive affect on my clients’ businesses by optimizing ransomware prevention and detecting and quickly responding to attacks. Ransomware attacks were estimated to cost roughly $20 billion in 2021. My aim is to save my clients from suffering any financial damages that would hurt their business.

Finding the Right Tools to Combat Ransomware

All my small business clients trust me with access to critical systems and data. They feel protected because they know I will act swiftly and effectively when a threat arises. To accomplish this, I have – over the years – sought to obtain the necessary tools that will facilitate quick and decisive action.

For example, remote monitoring and management (RMM) provides me with access to your computers so I can keep them secure, patched, and operational. I can proactively fix any vulnerabilities before you are attacked with automated patching, whether it is from Microsoft or third-party vendors, which helps optimize ransomware prevention efforts.

But, again, the idea is always to be prepared if ransomware attacks are successful. SentinelOne takes the next step of ransomware defense by including native ransomware detection. It constantly monitors for crypto-ransomware and attempts to kill the malicious software, thus reducing the impact of an attack. You (and I) get alerts at the first detection of crypto-ransomware, and I can automatically isolate any infected computer.

The ability to detect ransomware immediately enables me to execute an action plan sooner rather than later. And I know ransomware infections can cause extensive damage, which may prove too costly for many small businesses to overcome.

Of course, no ransomware response plan is complete without a system to protect the most vital company resource – its data. Regularly backing up data can reduce the risk of downtime when a ransomware attack is successful, but the backup system must be secure and reliable. The Datto Vaults I deploy at client sites are designed to protect physical, virtual, and cloud infrastructures and data. The data is well protected and easily accessible, so I can recover it rapidly when needed. The Vaults also have software that detects ransomware within backups, saving me (and my clients) time locating the last clean system restore point.

Leveraging Security Services to Help You Grow Your Business

Most of my colleagues will tell you that they are all focused on security on many levels, whether securing computers and networks, protecting data, or understanding how to be better against the threat of ransomware. Security threats will never go away – we can only keep them at bay. I believe I can effectively protect my clients and ensure their businesses thrive with the multi-layered security tools I have deployed.

Thanks, and safe computing!

Tell Me What I Need to Know, Not What You Want to Say

by Leave a Comment

So, if you are going to make a presentation about cybersecurity to a group of small business owners, what are some things you would do to prepare for the event? That question came to mind when I attended a webinar co-sponsored by the Chambers of Commerce of Fort Lee and Hackensack earlier in May.

A local IT company offered to have a speaker come in and talk about cybersecurity, but I do not know what kind of homework this speaker did before that session. The answer seemed “minimal” because when the speaker began, he spoke in a language I understand, but not one these attendees would know or use. He was talking about endpoints, EDR, SOC, and SIEM. In English, that means computers, Endpoint Detection and Response, Security Operations Center, and Security Information and Event Management. Those acronyms didn’t help because he had to stop and explain everything. He might have considered preparing a glossary to distribute before the presentation — that would have been helpful.

What else might he have done? As part of the preparation, he might have obtained the list of attendees. He might have looked up their businesses on the internet to focus on topics that may have been pertinent. If there was sufficient time, he might have even called the Chamber’s directors and asked to speak to some of those business owners to get a feel for what they were interested in understanding.

After a 45-minute talk, it was clear that this speaker’s presentation was geared toward much larger organizations than those he was addressing. And he was going to say what he came to say.

I don’t mean for this to become a rant, but it seems that by not preparing, he did a disservice to his audience and the topic of cybersecurity. His intent was to educate so that he could potentially sell his company’s services. But he couldn’t make it clear to the attendees the problems they potentially face.

One person asked: Why would anyone want to ransom my computer? He went off on a long discussion that never really answered the question. Instead, he should have asked probing questions of the person who asked it: What information in your computer is valuable? Do you have a list of all the Hackensack Chamber members? If so, is there contact info on that list? And does it have any other information that someone could use to find detailed data with additional searching and cross-referencing? The attendee would have learned more from those questions — and thinking about her responses — than the answer she got.

There might not be any need to put ransomware software on a computer if it was possible to copy the entire list and leave no trace of the intrusion behind. The data itself is valuable when correlated with other information. Now, if you were the bad actor, you could find some of the larger companies on the list, see if they bank at some of the Chamber’s member banks, and pretend that you’re an employee of one company and send an email like this:

BEC Example

This type of email is called BEC (business email compromise) and is extremely common. Sure, says Joe, and takes a copy of the invoice attached to Taylor’s email, contacts the appropriate individual, and sends the money. It takes training (or perhaps a keen eye) to realize the attachment is a fake invoice, this is a fake email account, and a fake Taylor. Usually there is no recourse to get the funds back.

That’s because it is relatively simple to spoof (pretend) the email address so it appears as if it is legitimately from within a company. Social engineering skills make it easy to convince one person in an organization to go out of their way to help out a co-worker or boss. However, it is only with proper training about the likelihood of this scam that bad actors can be shut down with a quick delete of the fake email.

What about the question one participant asked: What should I do if I see a ransom notice on my computer? The answer they received was not altogether too helpful: Call the police.

My response is: Call your IT support company and find out exactly what to do (at the very least disconnect the computer from the internet). The police department should not be your “go to” strategy when it comes to ransomware attacks. Yes, you’ll need to contact them eventually to file an insurance claim — if that is even possible under the circumstances — but it isn’t the first thing you should do. But what if you don’t have an IT support company? The presenter should have shared the web address or the name of an organization that has a list of steps for small business owners and their staff to take.

It doesn’t take much to cover the three or four critical aspects of cybersecurity for small business owners. It would be best to understand your audience, tailor your presentation by asking about their concerns, and then provide relatable and understandable answers. That approach doesn’t take a lot of effort, but it does give attendees much more information.

Thanks, and safe computing!

All Scams. All the Time.

by Leave a Comment

In this particular “scammers” edition of Sun Spots, I will share a few recent emails from clients asking about the validity of the contents. I also want to direct your attention to a feature-length article from Wired magazine’s March 2022 issue that contains a third-party discussion of what happens when someone is an unwitting victim of a phone call.

One client forwarded me an email about urgent warning about his Norton anti-virus license.

He uses AOL, which doesn’t let you see “behind” the email address unless you explicitly look for it; fortunately, Outlook does. But this is such a piss poor example of fraud it isn’t even funny.

The email return address is justforconsumers.com, which doesn’t resemble Norton at all! The links in the email route to http://aoolldearbox.bond, which is not a secure website. Worse yet, if you click any link, you are re-directed to a website hosted by aquaticbees.com (definitely not Norton). That page has a warning about an increase in “Malware and Viruses.” Click on any of the links on that page, and I’m certain your computer would be flooded by tons of the stuff they “warn” you about.

And, of course, he has SentinelOne with his SPF+ subscription, not Norton!

This email is fraudulent; it should be marked as “spam” and then deleted.

Another client returned from a recent vacation to find an email with the subject, “Your order has been confirmed.”

Attached was a PDF file that resembled an Amazon invoice indicating that a payment of $769.99 had been received for a “SAMSUNG 55-Inch Class QLED 4K UHD Dual LED Smart TV with Alexa built-in.”

It also included the following information:

If you want to cancel or modify this purchase and want to claim your money back. Please call us Immediately to our Billing Department : +1- 877-542-2099

Let’s forget, for a moment, the atrocious grammar and punctuation. Let’s ignore the email address that isn’t from Amazon.com. This email and invoice features one of the more insidious scamming aspects. It requires you to call them to ask for assistance. The moment you do that, you are an active (unwitting) participant, and — if you are not careful — will be providing con artists and thieves with your personal information. I cannot stress how important it is to DELETE garbage like this immediately!

This leads me to the Wired article: They Were ‘Calling to Help.’ Then They Stole Thousands. Take the time to read this, and if you have any questions afterward, please let me know.

Thanks, and safe computing!

Lenovo Supply Chain Woes Continue

by Leave a Comment

By mid-February 2022, the line of container ships waiting to dock at the ports of Los Angeles and Long Beach was down to 78 vessels from a high of more than 110 at the start of the year. I’m writing this in late March, and the number has remained steady.

I was fortunate to obtain Lenovo monitors for a handful of clients a few weeks ago, but that was an exception. When I saw 140 monitors available in a Texas distribution center, I called my distributor and asked to have them shipped from there, rather than Pennsylvania. By the end of that 30-minute call, the number was down to 39.

I had hoped that by now things would improve, and computers and monitors would become more readily available. Then reality shifted. The Omicron wave that we experienced during the winter is now hitting China. Their approach to dealing with Covid-19 is to lock down entire cities. Many of those are industrial centers, which means factories are closing and manufacturing is stopping. So, even if there were slots available in the ports to handle cargo ships, there won’t be many ships to fill for a few more months.

As many of you know, I prefer that my clients have fully-warrantied computers because it is an insurance policy against something going wrong. Lenovo’s technicians will be there within a day or two with a replacement part. However, because of the scarcity of monitors, I will loosen my rules and allow everyone one extra year before I consider replacement. The caveat being, if something goes wrong off-warranty, a full replacement is required.

The primary advantage I now see in Lenovo’s Tiny-in-One approach to computing is that monitors usually will last twice as long as computers. This means I can slip a new computer into the cubbyhole at the back of the monitor, and you can avoid an added expense.

But it sure would be nice to have monitors available for home users and businesses who need them. I’m going to revise my estimate for availability to late summer. Another factor to consider is that Lenovo announced a slew of new products, which are supposed to become available starting in April. Well, we’ll see about that.

Thanks, and safe computing!

Stop Phishing Attacks from Giving You Agita

by Leave a Comment

If you look at the number of security alerts sent to my Inbox, cybercrime seems to always be on the rise. I certainly know it is here to stay, and near the top of the list of malicious activities are phishing scams. Most believe that only dumb people fall victim to these types of attacks. That is not true. Anyone can fall victim to a phishing scam, making it more critical than ever for me to protect you.

According to the Federal Bureau of Investigation’s (FBI) 2020 Internet Crime Report, phishing was among the top three cybercrimes reported in 2020. Phishing incidents more than doubled between 2019 and 2020. More frightening than that is 90% of incidents that end with a data breach started with a phishing attempt. That FBI report shows US businesses lost more than $1.8 billion last year because of business email compromise (BEC) or spear phishing.

Email is one of the primary vectors by which cyber criminals distribute ransomware. And they often depend on phishing and social engineering to infiltrate an unsuspecting company. Traditional anti-virus software products cannot protect you from these cyber-attacks. Too often, small business owners fail to properly secure their environments because they don’t know any better or because they don’t want to spend money on something they can’t “see.”

One way to mitigate this problem is to increase security awareness. Simply training staff to be alert to what constitutes phishing emails can reduce a business’ chances of having a cybersecurity incident by up to 70%.

Let me give you a theoretical example. Assume there is a dental practice with 15 employees. How many dental practices are willing to pay every three months to certify every employee on security awareness training (which they view as “don’t click on links”)? In real life, the most common response I hear is, “Ah, it’s a pain. I don’t want to do it. No one’s going to come after us. We’re a dental practice.” Well, again, that is not true.

The bad guys know the dental practice is the one that’s probably going to react if threatened, so they’ll ransom them for $10,000 or $20,000. And what makes it hard for someone like me to get that message through to this dentist? I mean, they are probably a wonderful dentist. They’re great at fixing teeth. But they’re like, “Why would these Russians, or these North Koreans, or these people in Silicon Valley who are bad – why would they want to get me?”

The reality is the bad actors are brilliant and relentless. They know if they ransom, or if they attack, a dentist in Fort Lee, New Jersey, for $10,000 or $20,000, no one – other than the local police – is going to investigate. So now, small businesses are being targeted at a much faster rate than large companies. If the bad guys try to ransom ExxonMobil, Walmart, or some other large company, the FBI and Homeland Security will get called in. And they have serious capabilities, and they’re going to get the bad guys. But there are not enough resources to protect small companies down the road who get hit. What I am finding is more small business owners are starting to say, “Oh, maybe I should listen to my IT guy because they’re on to something.” And that thinking helps safeguard their business.

Small business owners must be cautious because cybercriminals constantly adapt their techniques to find a way in. It is an unfortunate way of life in 2022, but maintaining a heightened level of security awareness while reading each email is a requirement of using email to communicate with staff and clients. There is no escaping the threats, so you must remain vigilant and stay alert. Security awareness training can go a long way to ensure your safety.

Thanks, and safe computing!

What You Should Know About Crypto Miners

by Leave a Comment

Let’s start with some basic facts. A crypto miner is a malicious software that uses the resources of your computer to generate cryptocurrency for someone other than yourself. It is, at its most basic level, theft of services.

In 2018, crypto jacking (the practice of using browser-based programs to mine cryptocurrency without your knowledge or consent) and crypto mining (malware that usurps your computer’s CPU to mine cryptocurrency) grew to be major threats. The only way you’d know something was amiss was when you realized your internet browsing was very slow and, after a while, your computer stopped working until you restarted it. After a few days, the malware would cause you to “lather, rinse, repeat.” The biggest player in this arena was Coinhive.

Why did Coinhive target browsers? Because it was relatively easy to slip in as an add-on since the code appeared to be innocuous. It was, until you restarted your browser. At that point, the program would run any time your browser was open, using up electricity and processing power to generate minuscule amounts of the cryptocurrency called Monero.

In February 2019, Coinhive publicly announced it was ceasing operations the following month. The service stated that it wasn’t “economically viable anymore” and that the “crash” (of Bitcoin) had severely adversely affected the business. That pretty much sent a death knell to browser-based crypto coin mining.

So why am I bringing this up at the start of 2022? I recently read two articles and learned that crypto mining is alive and well. And it is not being used solely by cybercriminals. Nope, no, siree. Given the pandemic, it seems marketing types have prevailed at Norton, the eponymous Security 360 product maker. A new feature is the inclusion of crypto mining. Avast, a European maker of security software, has announced it is doing the same.

Apparently we live in an upside-down world when security companies allow their crypto miners but claim they can keep out everyone else’s crypto miners. But what does this mean? Well, for one, you have to opt-in to use this feature; Norton doesn’t install it indiscriminately. Also, your computer has to meet some stringent hardware requirements before you’d even see the option. The critical condition is that your computer has an advanced video card (where the computing will take place) so that you can mine Ethereum.

And then comes the kicker: Norton is going to take a good percentage of the money generated. They get 85% while you get 15%. And if you want to obtain your portion — having donated your computing resources — you are faced with additional fees (one a transaction fee and the other a processing fee to cash it in), which reduce your overall take. But suppose that’s not enough to dissuade you. In that case, this money is considered extra income by the Internal Revenue Service, so you will be responsible for including it on your annual tax return.

But the biggest question (and complaint) from security-conscious netizens is: Why would any security company think of doing this? The answer is simple: They want more money from consumers than they get from the annual subscription to their products. Consumers have learned that when subscribing to Norton 360 for the first year, they get a terrific discount. Norton sets the subscription to auto-renew and keeps your credit card on file. Savvy users realize they can turn off the auto-renewal and remove the saved credit card. The day after the current subscription expires, they can purchase a new discounted subscription with a different email address (e.g., larry2022@gmail.com for the current year because it was larry2021@gmail.com for last year’s subscription). It seems Norton is simply fighting back in a very unusual manner.

Do I think this is a good idea? Absolutely not! Is it well-intentioned? Undeniably no. Should all consumers be extremely wary about this? Resoundingly yes! Are you (my clients) affected by this? Not at all, because your computer is running SentinelOne Vigilance, part of your SPF+ or SHADE subscription. But if you know of someone who thinks Norton has a terrific security product, I would urge you to let them know that’s not necessarily the case.

Thanks, and safe computing!

Internet Explorer 11 and the June 15, 2022 Deadline

by Leave a Comment

Microsoft will end support for Internet Explorer 11 (IE) on June 15, 2022, as announced in May 2021.

Starting with Windows 10 version 20H2, which Microsoft released in October 2020, if you attempt to use IE, Windows will prompt you to use the Microsoft Edge browser.  You must make an explicit choice to deny that to continue to use the Internet Explorer browser.

Note: If you want to know what version of Windows you have, type the word winver in the Windows Search box (next to the Start button in the lower left-hand corner). The resulting “About Windows” window contains the version and build information.

The critical point to all of this is that Microsoft will jettison some outdated, still risk-prone software in favor of its new Edge browser, built on the same base as Google’s Chrome.

What does that mean for you? If you have an Internet Explorer icon on your desktop, it is time to delete it. Similarly, if you use IE to browse the web, you should transfer your Favorites (bookmarked websites) and your saved user IDs and passwords over to Edge or Chrome.

While Microsoft will provide a hybrid form of IE under Edge’s covers, the rest of the world has moved on. According to W3Schools, the internet’s most extensive tutor of web-based material, Chrome held the lead in usage with a commanding 81% of the market. Edge came in second with 6.6%, and Firefox held on with 5.5%. I am, and probably always will be, a stalwart fan of Firefox (at least until Mozilla stops supporting it).

In the upcoming months, I am hopeful that companies whose websites contain code explicitly built for Internet Explorer will remove that code to strengthen the security of their website. However, if they don’t, your browser should automatically switch to IE mode in Edge. But I won’t be surprised if bad actors make multiple attempts to figure out how to take over those websites to try to introduce malware to the unsuspecting.

Thanks, and safe computing!