Newsletter Archives
-
Encryption isn’t wise
View of password protected file
Before you think I’m about to say encryption in all cases isn’t wise, no, I’m not going to say that. But I will say there are times that encryption is a very bad idea: when you’ve made no plans for someone else to know about it, or to know how to get back into a “thing” that is encrypted.
I can’t tell you how many times I’ve been asked how to remove an encryption password from an Excel file that someone used to store their passwords. The person may be ill or passed away, and their loved ones will be scrambling to get into various accounts. While there is software that can easily get into a QuickBooks file by removing the password and requiring you to reset it, for Excel it’s a slow, brute-force process to figure out what the password is. The best you can hope for is that there will be a favorite phrase on a sticky note somewhere. Otherwise, you may (probably will) be stuck trying to get into the accounts and recover access.
I am a fan of encryption when used responsibly. But when someone uses encryption and doesn’t plan on recovery, it can lead to a world of hurt. None of us will live forever. My dad is 96 and working on that, but he still makes sure I know how to get into his accounts or makes me an additional user on them.
It’s okay to write passwords down, hopefully in a safe place. It’s not okay to protect them so well that your loved ones can’t access them when they need to.
-
Passkeys in TurboTax?
I hit this last night logging into QuickBooks Online, but you may also see it when logging into TurboTax on a system that supports passkeys.
A passkey is a modern authentication method designed to replace traditional passwords, offering enhanced security and user convenience for accessing online accounts and applications. Unlike passwords, which are user-generated and vulnerable to various attacks, passkeys are automatically generated using public-key cryptography. The passkey is tied to that PC. So even though I set up a passkey for this computer, it doesn’t mean that I am mandated to use a passkey on all computers. If I logged into a PC that didn’t support passkey technology, it would require my two-factor authentication to log in. Intuit may have supported this before, but this was the first time it popped up, encouraging me to use it.
The main thing is that passkeys are phishing resistant.
Are they immune to attacks? Nothing is immune. Given enough time, energy, and computing power, passkeys can be attacked too, especially through adversary-in-the-middle attacks, in which the attacker manipulates login forms to expose alternative, weaker logins, or through device compromises in which the private key could be exposed. But it does mean that the attacker will be encouraged to go down the street and attack your neighbor. Ultimately, that’s our goal: to make it just a little bit harder so that the attacker will find the weak link elsewhere.
-
Don’t fall for the IRS scam
IRS Scam received via text message
This is a USA-centric post, but the same can be said for many things that get texted to you. Lately I’ve seen texts regarding paying toll fees, post office misdelivered items and, most recently, the IRS: you will get a refund. In the US we have just entered “tax scam season”. From now until April 15th you will see any number of scams being thrown your way. I get even more scams thrown at me as a tax preparer. “I need someone to do my taxes….” and then they ask if I want to receive a link to their last year’s tax documents. It sounds reasonable until you look at the email address and often (and fortunately) they are from overseas domains or email addresses that just don’t look right.
I hope that everyone seeing that text message will realize that the domain in question is NOT irs.gov but rather tax-popular. I also found it interesting to see that they know I’m on an iPhone.
For the record, if you are indeed eligible for a missed out Economic payment there is no action needed on your part. This is not a new stimulus payment, rather it’s payments going to those that didn’t receive them based on their 2021 tax return. If you are on a fixed income and did not file a tax return in 2021 you have until April 15, 2025 to file a return so that the IRS has you in their database. If you do not electronically deposit your IRS refund checks into your bank account, but instead receive checks in the mail, this is also the time to review your postal habits. We have mailboxes out on the street and typically they are not locked. This is the beginning of the time of year that people start driving around checking mailboxes at night to grab refund checks. My advice? Consider a post office box, a postal service, or if you are geeky like me, a device such as a Ring mailbox sensor or similar electronic alert system.
-
Protecting us from TikTok
I have mixed feelings about the upcoming TikTok ban. While not a huge user/follower of the app, I can appreciate someone who has built a business on a platform and then gets word that an important rug is being pulled out from under it — your business model is disrupted.
I understand the concerns about technology being used by foreign countries to spy on us. But I don’t think it’s any better when we are spied on by companies in our own country. Let’s be just as concerned and take action regarding all vendors, platforms, and social media sites.
Bottom line: we need to remember that we are the product, and act accordingly.
-
Are you prepared for the worst?
Phone showing two-factor code
The recent fires in Los Angeles are far enough away that I will feel no impact, either personally or professionally. But I know people in that area. They may not have lost their homes, but they know the impact will be felt for a long time. Everyone should think about the “what ifs” when it comes to disasters of every kind. The American Institute of CPAs has a checklist; I suggest that everyone read it.
As soon as I know my family is safe, I always think in terms of what items would I grab. For me, it’s my cell phone. It has the two-factor authentication systems (apps or text messages) that I need to get into just about anything. Without question, it’s the first thing I would grab. Others have recommended a “go bag” of documents with the same kind of information. That could be helpful if you were concerned about the availability of power, but these days the most important go bag item is that phone with everything in digital form.
In such emergencies, the cloud surely has a place. Businesses and banks burned down in the Los Angeles fires. Would your safety deposit box survive this sort of disaster? Should you consider an encrypted cloud location for at least some of your key items, such as copies of insurance policies and other important documents?
Have you heard about the blue VW bus that survived the fire with amazingly little damage? Keep your eye on the newsletter — I have an idea for an article rolling around in my head.
-
Time to patch now
Today you get a DefCon5 – all clear and patch now for one specific reason and for one specific type of technology. There is one time when I’ll urge you to immediately patch. And that’s today, the day after Christmas when you are finally getting around to setting up and playing with whatever new technology you may have received.
Today is the day that you’ll want to ensure that your new technology item has no issues getting patched, otherwise it should be returned. That said, on a new computer I recently set up, there can be a situation where an update fails because it’s trying to install an OEM driver update at the same time. I’ve personally seen that OEM drivers will sometimes try to install multiple updates at the same time.
If you got a new phone, ensure it’s fully up to date before migrating to it. And don’t forget: don’t turn in that old phone until you’ve fully migrated any two-factor applications off the old phone. Some, like the Microsoft Authenticator application, do not automatically migrate to the new phone. If you do not use the built-in password app inside the phone, be patient as you log back in to all of those apps.
Today – and just today only – for any new technology you just bought for yourself or got from others, patch away and make sure that device patches easily and well. Note for existing systems, I still recommend the more measured and cautious approach. But for new devices? Let ‘er rip. This will test that all patching systems will work right out of the gate.
-
Reviewing the scams
It’s the time of the year when I get spam phone calls as well as the ever-present spam emails and text messages. One I’ve seen lately is the “You paid a huge amount to…” or this one, asking for a large payment.
Some are obvious. I know I never paid anything like this, and the 800 number for support isn’t an 800 number. But sometimes they get really good. So how can you protect yourself?
First, never follow a link like this. Log directly into the site like Venmo or PayPal. Then, hover over the links and URLs. See if they make sense, that they will go where you expect.
Then look to see who the email is from and who it’s to. Sometimes it’s the from that makes no sense. In this case it’s the to. How did it get to me? A hidden blind carbon copy.
Does that email address make sense? This is, once again, a really bad example as it’s quite obvious from the nonexistent message that this is a scam. But the point is, take your time. Don’t overreact. Do your due diligence and check out the email. Be aware and question.
Be extra careful this time of year because the scammers want to get you. Don’t make it easy for them.
-
Always call the right phone number
One of the scams I’ve personally seen lately is a scam that purports to be from your bank but really isn’t. One of the recommendations I’ve seen is to always ensure you keep a copy of the information on the back of your credit card.
This ensures that you call only the proper numbers if you lose your credit card or there is fraud on your card in any way.
I’ve also had a client get hit with a “your package couldn’t be delivered, call here and provide a credit card” scam.
I’ve also had a co-worker get hit with a fake invoice, made to look like it came from a vendor he was working with, that was trying to get his credentials.
Bottom line: this is the season for scams, so don’t fall for them!
What have you seen lately?