Studio711.com – Ben Martens

Part 1 covered attacks through your browser. Part is is about attacks via email. We just had a mandatory training for all employees at work because somebody had this happen to them on a work machine and it created a ton of trouble. You really have to be on the lookout.

The first rule is to never click any link that you get in an email. If you always follow that rule, you are extremely unlikely to have any problems.

Ok, we both know that rule will be broken. So what should you think about before clicking on a link in an email?

1. Assume it’s a scam, a virus, or both.
2. Are you expecting to receive a link from the sender? Did your buddy call up and say “hey I have this hilarious YouTube video, I’ll send you a link”? If so then you’re probably good to go.
3. Does it look like something the sender would normally send you? Did your relative who normally writes you long text-only emails suddenly send you an email that only has a single link in it? Just leave it alone. Wait until you know that it’s something they really sent you before you click it.
4. Is some entity like PayPal or your bank telling you that you need to view something on their website? I NEVER click links like this even if I’m completely convinced they are fake. The penalties for being wrong are too great. If my bank says I have an important message about my account security or PayPal says I need to adjust my account settings, I don’t click on the link. Instead, I open up a browser and manually type in the address for my bank. If it’s a legit message, it will also show up somewhere in my account on their site. This is an important guideline to follow with phone calls too. If I ever get someone asking for any personal information, red flags go off. For example, when my credit card company called and said my card had been stolen, they started asking for my social security number, etc to verify some things. I politely asked for the caller’s name and extension, hung up, called the number on the back of my credit card and got back to talking to that same person. That convinced me he was legit and I continued. It’s too easy to scam people this way! I’ve caught people in the act like this too. Just the other day I had someone calling to collect money for the “King County Police” (which is an imaginary org) so I asked for his name and badge number so I could call him back to verify he was legit. It was a scam and it was funny to hear him squirm. (I later reported it to the sheriff’s office though it probably doesn’t do much good.)

When in doubt, don’t open a link. If you have to open a link, assume it’s a scam or virus and don’t open the link. If you REALLY have to open the link, see if you can get to that site without clicking on the link. And if you REALLY REALLY have to click the link, make sure that the sender actually intended to send it to you.

Only the paranoid survive. Everyone else gets a virus.

A laptop recently landed on my desk full of some lovely viruses. I won’t say who it was, but really, you shouldn’t be too embarrassed. These virus writers are good at what they do and it’s easy to be tricked. As I fixed up the laptop, I thought about a short series of blog posts that might be of interest to many of you readers, not just the household that got hacked. I’ll cover how virus writers try to get you through your browser, how they attack via email, and then what to do after you suspect you’ve been hacked.

The most common viruses get onto your machine because you clicked something. It’s pretty difficult to have a computer sitting idle with no human in front of it and get a virus. We are the weakest link. So when hackers try to attack you via websites, they’re going to present you with something that is out of the ordinary, but just plausible enough that you’ll click on it. These popups might seem fairly legit. Here’s an example:

A geek will look at this and know it’s fake, but to the general populace, this seems like something serious that should be fixed by clicking Accept and Install. How can you tell it’s fake? That’s tricky but some basic ways are that this installation box is inside of a browser window. That’s your first red flag. What video player is it trying to update? If it’s going to install something, it should be pretty specific. If you have questions you could take that product name and search for it.

But really the best way to defend against this type of thing is to know the legitimate ways you’ll be warned about this type of thing and then be incredibly suspicious of anything that tells you to install something or “click here to fix your computer.” These days, nearly everything that is needed to fix your computer happens automatically in the background via Windows Update. You might see some notifications from Microsoft Security Essentials when you haven’t run a scan in a while but that’s about it.

You should also have Windows User Account Control enabled. Whenever a program tries to install on your machine or access protected areas of the operating system, it will pop up a warning dialog that asks if you’re sure you know what’s going on. Unfortunately if you believed something like the image above then this probably won’t stop you, but it’s a good backstop to really think about what you’re doing.

So if you get a popup that says you have a virus or that is asking you to install something unexpected, just stop. It’s probably a lie, but just in case it’s legitimate and Microsoft Security Essentials is trying to save you, snap a photo with your phone and email it to your favorite geek. Ask them if it’s legit and what you should click. You might save yourself a lot of trouble.

My project at work is called Power Query for Excel. We released our first version last summer and now our second version is available as part of a larger offering called “Power BI for Office 365.” BI stands for Business Intelligence. The offering includes a bunch of tools that help you make sense of your data, create nice reports and then share them out with your colleagues. This marks the first time that something I’ve worked on at Microsoft is available for purchase!

But never fear home users, while the collaboration and sharing features require payment but you can use some of the pieces for free. For example, you can download the latest version of Power Query from the Microsoft download center.

It’s exciting to see all our hard work available for public use and we love getting feedback! Please use the smile/frown buttons on the Power Query tab in Excel or leave feedback in the Power Query forum (or one of the other Power BI component forums.)

The marketing department put together a nice Power BI overview video. The Power Query specific part is in the “Discover” section around the 36 second mark.

I don’t know about you, but I’m an email packrat. Steve Gibson, the security genius behind grc.com, recommended mailstore.com and I’ve been really impressed with it so far. It runs locally, sucks in mail basically any source you might have (online mail, local Outlook, Exchange, etc), removes duplicates and then indexes it all for crazy fast searches. I love having everything in this nice clean searchable format across all my various accounts through the years. It’s so much cleaner than my old mess of saved PST files and multiple web mail accounts. This also lets me delete all my old email from GMail and Hotmail. There’s no longer a compelling reason for me to let them see all my old data.

I’m still dusting off some old email archives and finding more lost messages, but right now I have 110,000 messages in this database and it only takes up 3.6GB (and that includes attachments.) Searches return results almost instantly, and if for some reason I don’t want to keep using this program, there are easy options for exporting to a wide variety of locations and formats. The only complaint I have is that it can’t detect duplicates that are loaded from the same source. So if I have a piece of mail that gets loaded from GMail and also from my Outlook cache, it will show up twice.

They have a paid corporate version but there is also a version that is free for personal use. There are probably other solutions out there, but I’m loving this one and I give it two thumbs up!

I’m sure Facebook has some business reason for forcing me to view my news feed in the “Top Stories” order, but it’s really frustrating to me. I don’t care about what they think are the top stories. I just want to see things in the order they happened. Thankfully they change the URL when you change your sort order, so if you want to always view your news feed in “Most Recent” order, change your bookmark to https://www.facebook.com/?sk=h_chr.

I have about a dozen Windows Phone and Windows 8 Store apps. They’re all paid apps, mostly because I’m too lazy to mess around with advertising and it’s nice to get a little money, even if it’s just a few bucks, for my hobby. CascadeSkier makes up about 90% of all my downloads, but even that one isn’t huge. I decided to open the kimono a bit and share the results of a recent experiment where I offered both apps for free for three days.

Windows 8 Store
This version has been out since 2012 and as of today I have 1574 downloads. This app offers a free trial for a couple days and then you have to pay $1.99 to continue using it. During the period where the app was free, I got 120 downloads so that’s a pretty good chunk considering I only have 1500 total downloads. The really interesting part is that after the free period ended, I saw another peak of about 20-30 downloads and about a third of those people bought the app. We’re not talking huge money here, but it does appear that some of the people who downloaded the app for free convinced acquaintances to buy it later.

One random stat unrelated to the free trial: over the last 12 months, 1 out of every 7 people who view the app in the store download it. 27% of those people buy the app and 75% of those people buy it without even attempting the trial.

Windows Phone
The Windows Phone app has been out since 2010 and it has 1758 downloads. During the free period I got 200 downloads but there was no follow-on peak of paid downloads.

This was an interesting experiment. In reality I probably should have done this a long time ago and maybe I’ll do it again in the future. The reviews show that pretty much anybody who uses the app loves it. So that implies that the more people that are using the app, the more people will hear about it. The flip side of this argument is that I target a very small customer base. This app only applies to skiers and snowboarders who live in Washington or the Portland area and who use Windows Phone or run apps from the Windows 8 Store. I often wonder how close I am to saturating that market.

So you’re getting rid of some old hard drives, but you’re nervous about just throwing them in the trash. If the idea of creating a USB boot key doesn’t frighten you, then you should know about Darik’s Boot and Nuke. Simply deleting files or formatting the drive doesn’t actually erase the files on the drive. You need to overwrite every sector on the drive multiple times to really be sure.

Reboot the computer with either a CD or USB key inserted and you’ll boot into DBAN. From there you can choose a number of options for wiping the drive that range from writing 0’s one time across the whole drive to doing much deeper scrubs with multiple passes. I generally default to “DoD Short Wipe” which does three passes. That could take you a day or two with today’s larger drives, but it’s nice to know that nobody is going to find my old hard drive and pick any data off it.

I’ve also been known to physically take drives apart and smash the platters with a hammer (wear safety glasses!) That’s messy and technically it’s still possible to read data if the pieces are big enough, but it’s good enough if I’m in a hurry.

P.S. If you find yourself doing stuff like this often, consider picking up a hard drive dock. It’s a lot easier to swap drives in a dock then to physically open your computer. This is the one I’ve had for a while, but you might want to consider a USB3.0 model too.