Good News: Abolition of UK Mobile Phone Roaming Charges in Europe from 15th June 2017

New EU Regulations come in on 15th June this year which mean that throughout Europe's member states mobile roaming charges are (by and large) eliminated.

Countries Covered:

Austria, Azores, Belgium, Bulgaria, Canary Islands, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, French Guiana, Germany, Gibraltar, Greece, Guadeloupe, Guernsey, Hungary, Iceland, Ireland, Isle of Man, Italy, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Madeira, Malta, Martinique, Monaco, Netherlands, Norway, Poland, Portugal, Reunion Islands, Romania, Saint Barthelemy, Saint Martin, San Marino, Slovakia, Slovenia, Spain, Sweden, Switzerland

For most people and businesses on standard tariffs this will come into effect automatically.

You will be able to use your UK minutes, texts and data in the Europe Zone (subject to any relevant data fair use policy). This means many O2, EE, Vodafone and Three customers will no longer see roaming charges on their bill, enabling them to work flexibly without worrying about additional charges.

Most bolt-ons will apply equally in the UK and EU. If you have unlimited calls and/or data then you'll enjoy the benefit of this throughout the zone. Until now many providers have been charging £1.66 / £2 / £5 per day while roaming for access to bundles, so this will save you money when you travel for work or pleasure. If you subscribe to bolt-ons that provide an equivalent service then these will likely disappear from your bill on the next relevant bill after the change.

Exceptions to this are if you have a bespoke tariff from a provider, or for services which are not covered (be careful of emoji such as smiley faces, which can turn your text into an MMS or picture message).

Also beware that destinations outside the EU, including popular ones like Turkey, Egypt and the USA, are not covered, so you still have to watch out for roaming charges there. If we all get used to zero roaming charges in Europe it is easy to forget that countries like Turkey are not in Europe, which could catch the unwary out. In any case it is usually best to use Wi-Fi when you can so that you preserve your quotas for when you are out and about; if your mobile device is not already set to connect to your home and secure office Wi-Fi then now is a good time to rectify that.

Thanks to Alec Wilson for the photo of Rockwell Commander G-ROAM featured in our page banner.

Impersonating a Police Officer UK Phone Scam

This one initially caught me off guard as I was coincidentally expecting a call back from the Metropolitan Police on an unrelated matter.

I had a call this morning from someone identifying themselves as 'Mark Dixon' who claimed to be from the Met Police. As all our calls are recorded on our phone system I'll attach the call here so you can judge for yourself. The statement that he is from the 'Met Police' is very clear indeed, so no doubt about what is claimed. This tactic works very well as we all naturally want to co-operate with the police and help prevent crime and abuse of all sorts. 'Mr Dixon' does do a very good job of sounding like a police officer, so full marks for tone and gravitas of voice.

NB: If you want to listen to the call, scroll to the bottom and hit play, then come back to the commentary here and read on.

An annual alleged scam seems to be for a certain company, who may or may not go by the name of 'blue line publishing' or 'thin blue line publishing', to call up pretending to be from the UK Police. They ask for business community support for their efforts to help educate children about the dangers of the internet and other risks (grooming etc.). Specifically they state that they are producing a journal to be distributed to schools to address and highlight some of these issues, and look for responsible, community-minded businesses to help sponsor and enable this effort.

Here at Onega, as part of our IT support work, we go to great efforts to help keep computer systems safe from cyber attacks and reduce risks with various measures such as antivirus, secure firewalls etc. Thus we'd be happy to consider helping the police with any initiatives to keep the community safe and raise awareness wherever possible. In this case though the caller is not calling from the police, but will state this, and heavily imply this. It is a great way to get past a switchboard, for example: if the Police call and talk to reception asking for a particular member of staff, no one will refuse to connect the call (again due to our natural desire to help stay on the right side of the law).

The chap calling does not in fact work for the police, and if asked or questioned further will backtrack to 'we're working for the police', then 'we're working with the police', then 'in the interests of policing', and may well, we suspect, end up with 'we're wanted by the police'! (or should do!). The point is that most people don't think to question the authenticity of the caller if they claim up front to be calling from the Met Police (or any UK police force), as we all also know that 'impersonating a police officer' is a crime that typically carries a six month prison sentence in the UK. Fraud can carry much more.

The alleged fraud pans out like this: if you choose to support their journal then you buy a certain amount of display advertising space in the journal, or add a paid message of support as a responsible and upstanding company. The journal may or may not be produced and printed in the volumes they claim, and may or may not be distributed to schools. We're pretty sure that the real Police did not commission or condone this, and most of your money (if not all) goes to perpetuate the scam and to line the pockets of the scammers.

We've reported this previously to the real police and understand that there is an ongoing investigation, details of which are obviously confidential as it may lead to a court case and prison time for the man who is or claims to be Mark Dixon and his colleagues.

Call received 10th April 2017 at 11:34am, 1:45 duration in this case. Have a listen to the recording and be the jury: do you agree that it is clear that the caller claims to be from the Police? The call comes from a withheld number, which makes it harder to trace, though in fact the UK telecom logs allow for a full trace behind the scenes so there is no hiding here. They also don't check the TPS register before calling, though that's a fairly minor crime compared to impersonating a police officer or basic fraud and deception. As an additional kick to the real UK Met Police, they also chose the day of the funeral of PC Keith Palmer, the heroic policeman killed in last month's Westminster attack, which takes place in London's Southwark Cathedral.

Calls from the real police don't have withheld phone numbers, and officers will be able to identify themselves to you. The police do have many civilian staff, but they will also be clear about their title and authority. So if you get one of these calls please let us (and the police) know. This is about the 4th year we've had calls on this and we're always a bit sad it continues, as it means that others are spending money that goes nowhere. In retrospect on the call I should have gone along with it to ask for details and where I should send my money etc. to capture their contact details, but at the time I was not in the mood for time wasting so made short shrift of the call.

Have a listen:


Onega Treasure Hunt and Christmas Dinner 2016

For this year's work Christmas do we started off with a treasure hunt, beginning at The Barbican and following cryptic clues around the city, exploring many of the sights that we usually walk past and take for granted every day. The clues were probably written by the same people who make the Telegraph Cryptic Crossword as they were challenging to say the least. The best of us managed to get half way through the fifteen waypoints before we had to break off for supper.

Could you have worked out these clues? 

Dinner was at the Disappearing Dining Club at Ropewalk / Borough. This was inside an architectural salvage yard and the food and drink were excellent.

For the treasure hunt we'd been split into three teams and there were prizes for everyone, which ranged from a Lock-Picking Skills Masterclass through to tickets to the BFI IMAX Cinema, getting to choose the next company outing, parkour at the Parkour Academy, and others. 

Many Thanks to Heather for organising this. 

Christmas Party Gallery:

A Maharajah's Wedding

In Hindu wedding tradition, the Groom is treated as a Maharajah or King for a day and the Bride is honoured as Goddess Parvati. So it was for one of our most esteemed colleagues, Krunal Patel, this weekend and we were honoured to have been invited to his and Sejal's wedding at the Hilton Heathrow on Sunday 27th November 2016. Krunal was resplendent in traditional attire as you can see below:

Krunal before the big event.

The Groom enters the wedding ceremony first and Krunal did this in style, mounted on a suitably garlanded white horse.

Krunal on his White Charger. Thankfully the horse was very well behaved.

The groom's procession approached the venue with much dancing, with an Indian drum and brass band proclaiming the approach.

The Ceremony

The ceremony itself starts with just the Groom, his best man, the parents and the priest who orchestrates proceedings. There was a film crew present so we expect a Bollywood style production to showcase the event for posterity in due course. Guests were requested to be silent for the wedding (not always the case), which had a number of steps including the ceremonial washing of Krunal's feet by his new parents-in-law, prior to the arrival of the Bride. Sejal kept Krunal waiting as all brides (according to legend) do and was brought into the hall carried by her brothers and uncles upon a flat, open sedan chair.

The different parts of the ceremony include blessings, offerings and processions. At the end of the ceremony the Bride and Groom are presented as a married couple and you can see Sejal and Krunal here, newly married. If you look carefully you can see a red string that goes around them both and joins them. There is also a scarf around Krunal's neck that is tied to Sejal's sari for the same symbolic purpose; quite literally tying the knot. They remained joined after the wedding as tradition dictates, newly bonded to one another.

Sejal and Krunal newly married.

A photo from part of the ceremony.

Wedding Lunch, Dinner and reception:

After the wedding there was a very good lunch and then a well-needed break before the big celebration and reception in the evening.

Some of the Onega team and partners at the wedding reception dinner.

A photo from the big reception and party in the evening. Sejal was changed into a white wedding dress and Krunal wore a dinner suit and top hat - you can see the dancing in the centre of the picture here amongst the confetti.

We all wish Sejal and Krunal every happiness and all the very best for their future together.

What Exactly Is 'The Cloud' ?

This is something we are asked a lot so we thought we'd share our take on 'The Cloud' with you.

Undeniably the term has become one of the most used (and misused) marketing buzzwords of recent times and, in our minds, is associated with the latest technology and techno-magic that will solve all your business IT needs and be the way of the future. But what is 'The Cloud' in reality?

The answer to this we can sum up in three words, that we'll then explain further. So, drum-roll please... as we enlighten you (and possibly shatter some illusions) with the revelation that 'The Cloud' basically means 'someone else's infrastructure'.

There can be nuance around this, but that is the essence of it. Once you understand this fact, you can probe more deeply and better decide what is right for your business.

Don't get us wrong, here at Onega we are big fans of 'The Cloud' and we help provide many cloud services to clients. These range from hosted telephony solutions to backup, hosted servers and security solutions such as Mimecast. In each case the core benefits are typically those of economies of scale with shared infrastructure. Features, functionality and reliability that you would have had to be a large enterprise to enjoy not many years ago, you can now access for mere pounds per month per person. We are big proponents of some cloud services, and both economics and capability are major reasons why we suggest this approach.

It was not always this way though. One of the main differences that cloud services offer is that software can be deployed more continuously on the front end and the back end, because they are based on subscription and hosted service models. Partly this is enabled by the better connectivity we (generally) enjoy now. You used to have to write software, test it, produce it in a factory and then distribute it in boxes on tape, on floppy disks or latterly on CDs and DVDs. This had a cost and took time. Back in the day there were no such things as security updates and Service Packs. You bought MS-DOS, or Windows 3 through 95, or OS/2 etc., and that was pretty much what you used. Production and feedback cycles are quicker nowadays. The latest release of Office 2016, for example, is being updated with new features continually deployed every few months. I note that on the latest release Outlook can help manage your travel bookings and deliveries: small innovations that over time make big differences. Back to the point: some of the first and early Cloud Services really were quite rubbish, but they did evolve quickly to the point where today they make great sense.

One thing to remember is that not all cloud services are the same. There is no magical 'hosting heaven' where all cloud services are hosted. There are big differences. Some of the differences are in the infrastructure that makes up a solution and others are around how it is managed. For example, Onega's office, near the Docklands, is very close to quite a number of the best connected Data Centres in the country. Even here though there is a sharp contrast between one 'Docklands Data Centre' and another. For example, see the pictures here:

Here can be seen some of the UK's prime data centres clustered together. Telehouse x2 and Global Switch 1 & 2 sites. All with good security, high fences, generators, high powered redundant aircon etc.

This is also a hosting centre, just behind the BP garage off the A13 in East London. You can see the accessible air cooling vents on the street side. The security shutters for this re-purposed light industrial building can (allegedly) be breached in about 5 minutes if you know what you're doing. Still a step up from some of the 'chicken shed' data centres you hear about.

So there is quite a difference between data centres. Multiple diverse Internet connections, redundant building-wide UPSs, mains supplies from different substations, and multiple generators with fuel supplies good for days or weeks mark out the best of the data centres. In how they manage their operations there can also be quite a gulf.

Beyond data centres, cloud services will run on different server hardware platforms and networks within the data centres, with different levels of security, resilience and engineered capacity. How resilient a service is to a DDoS attack, for example, depends on the network everything sits on and the mechanisms in place to protect the servers.

A very well run Cloud service (like Microsoft Azure & Office 365, and Amazon AWS services, for example) will allow for redundancy within and across data centres and even across geographies. Thus if one server or a whole data centre fails (rarely, but they can and do), then services will still be available from the mirrored data centre.

How does all this make a difference in the real world? The answer to this good question is one we've had first hand experience of. Engineering is about all factors. Cumulatively, the quality of delivery in hardware, software, hosting resilience, and engineering and operational processes means that the end user's experience of a good service will be qualitatively and quantitatively better than that of a poorer service. Everyone will claim to have great services, but over time you learn the differences between them.

Some tell-tale things to look for are Service Level Agreements, which show contractual information as to what is guaranteed and delivered. These are akin to the warranty that is bundled (or offered) with a laptop computer. A good business machine will often come with a three year on-site warranty with the option to upgrade to a 4 hour response time, sometimes for less than £50, which implies that the chances are you'll be unlikely to need it. The detail of an SLA will say whether compensation is paid for downtime, what the target availability is, etc. It is important to read the small print as well, as many SLA documents are not worth the electrons they are transmitted with.

At Onega we have to evaluate many web services / cloud services and there can be a lot of difference in the detail here.  Many Cloud SLAs (even from very well-respected providers) will make it clear that the SLA covers their ability to provide a service, but excludes any responsibility for your data. CSPs (Cloud Service Providers) will always take measures to ensure that your data is protected (for example with replication to multiple data centres), but they don't take ultimate responsibility for data which is why you also typically need Cloud Backup alongside your new cloud services.

Another thing to look for on quality of delivery is service status reporting. Good organisations tend to be open about issues and when they will be resolved (everyone will have issues from time to time). Poor organisations can sometimes claim that there are no issues when it's pretty obvious that they do. Purely anecdotally, we've also learned to be skeptical of any organisation who claim good scores with 'TrustPilot'.

If you're pondering 'The Cloud' and how you can use this in your company, then please don't hesitate to get in touch. We're happy to discuss what's best for you and help take things forward. Also remember that 'The Cloud' is not the answer to everything. There are some circumstances (quite a number) where it is not (or not yet) the right solution. Onega have a lot of experience of both the cloud and physical worlds and we'd be very happy to discuss this with you.

DisplayLink Software Causing MS Office and Internet Explorer Crashes

We've just had an interesting support call and, after some hours, found the solution to the problem so thought we'd share it here so that others might save time on the same issue.

The problem:

Brand new PC, very good spec. Not that it is relevant to the problem, but it is a joy to work on as it is a Fujitsu i7 PC with 16 Gbytes of memory and a Samsung 512 Gbyte SSD drive, so everything is very quick in Windows 7 (the machine is licensed for Windows 10 also, but LOB (Line Of Business) software at the site means that this can't yet be used).

Everything was working fine on the machine, with software installs of Adobe, Office, Dropbox and other utilities etc., and then Office stopped working. Outlook was in the process of downloading / synchronising the mailbox from Office 365 Exchange when it all just stopped working.

The crash was instant upon launch of Office, and we found that Internet Explorer (IE11) was doing the same. You'd click on the icon to launch and, no: crash, not happy.

We went in circles for quite a while on this. Was the problem due to DLLs? Would repairing, removing and reinstalling Office work, or would 32 / 64 bit make a difference? Having not got very far, we escalated the issue with Microsoft. Their support for Office 365 is very good and quick and a testament to their dedication to customer satisfaction. About 30 minutes after logging the ticket, we had a joint remote session on the PC affected and I explained what we were seeing and what diagnostics we'd done so far etc., so that we need not repeat things.

Pretty quickly, Jibin (the Microsoft Engineer assigned to the ticket) asked about recently installed programs, so I replied that it was all very standard utilities and software we often install on machines, all good and clean (known sources and corporate licences). We had a look at Program Files and Jibin asked about one that evidently popped out at him on the list, which was DisplayLink, which I did not particularly recognise or recall having installed to the best of my knowledge. Jibin went on to explain that this software is often automatically installed by external screen hardware like USB docking bays and external screen drivers. The version that we had installed (probably from something like a USB Dock being plugged into the computer) was version X, and he'd seen this before. We uninstalled the software (a few clicks), downloaded the latest version from http://www.displaylink.com/ and installed it.

After a quick reboot, everything worked perfectly and normally again. I'm very glad we logged this ticket as searching on the net for the problem was in this case bringing up blanks. So Jibin Samuel at Microsoft, thank you very much for your help and sharing your experience :-)

We'd not noticed the software as it is installed automatically by devices and sounds rather innocuous in name. Newer versions of the software are much better in this respect.

For anyone else, if you find that MS Office and Internet Explorer crash quickly, immediately after clicking on the icons and Office installs are failing, do have a look for DisplayLink in Programs and Features.

Good luck if you have the same problem.

Complacency is the Enemy of Security

We're often asked the difference between different products and why we might recommend one solution over another.

Rather than giving details on particular computer products, and the pros and cons between two different virus scanners, firewalls, computers, laptops etc., we thought that it might be more helpful to give some insight into our general thought processes and illustrate this.

As an example, please consider the two videos linked below. They're quite short (less than 60 seconds each) and amusing in themselves, so do have a watch.

Video 1:

The first here is a video of a tourist who 'crosses the line' and lays a hand on a member of the Royal Guard.

What happens when a tourist touches a member of the Queen's Grenadier Guards

Video 2:

The second video below also shows a security guard, here in the context of an office building lobby. In fact there are two guards that you can see in the video: one crouching in the foreground (hands up) and another approaching on the carpet behind.

In contrast note what the approaching guard does when his colleague is 'shot'.

So - what's the point here?

Both of the videos show someone in the role of 'providing patrol and security', but the training and the reaction to a situation are very different. To be clear, we're not suggesting that either is right or wrong, but they are definitely very different.

The first video could be seen as a potential overreaction, but this is a trained response to a threat and to maintaining a clear line which should not be crossed. We suspect that the tourist got quite a shock. You don't see the tourist's reaction on film but you can make a pretty good guess.

The second video shows the guard running away pretty quickly and comments on the YouTube video liken the reaction to playing 'Sonic the Hedgehog'. As you see in the video this was a staged prank and an effective one at that. The reaction is not necessarily wrong though. Hopefully the guard is going to call for help / police / armed backup / check CCTV and grab a gun etc. rather than just to uselessly become the next victim given what he's just seen and heard in front of him. Of course he might equally be heading straight out of the door and planning to go home; we'd like to think not though.

Both of these are providing security around a building and assurance for the tenants and visitors, to help maintain and assure a safe environment, in very different ways. Both are more effective than many reception / security guards in an office environment who often provide only token levels of security. You've probably noticed buildings where a 'guard' is absorbed in playing solitaire and around whom a seven year old would run rings in a chase.

This is the difference between ticking boxes and providing value. Much of the value of a guard, like the value of insurance or an army, is not in the work they do day to day but in what they can do if needed, which in turn makes it less likely you'll need them. Good security obviously has a more powerful deterrent effect.

Companies recognise this in their implementation of security. It goes to the core of the company's values; do you only pay lip service, or are you thorough? Much of the time you may not notice the difference unless you are looking for it. We say time and time again that there is no such thing as total security, only different levels of risk management and mitigation.

In some city firms the security office is manned by staff who may be entirely ex-army and indeed sometimes ex-special forces. You'll not notice on the door, but you will if you try anything untoward, and in the subtle but very real difference in the level of attention paid to things. This is a deep skill in itself. Guarding anything from an office to nuclear weapons requires dedication and focus to do well, to evaluate the risks and to pull against the natural human instinct towards complacency over time.

Are we digressing again here? Yes, probably. To bring the comparison of security guards back to the world of IT and its subtle differences, the point is that when we at Onega consider solutions, we look for the best long run solution to a challenge, one that will serve a business and provide value and service. In considering IT systems, we look at many aspects: capital cost, performance, reliability, robustness, running costs and serviceability. Aesthetics are also considered, and sometimes people consciously choose good looks over functionality or serviceability, which is fine if the trade-offs are accepted. From cars to aircraft to computers to anything else, there are almost always trade-offs made in any decision; it is just a matter of getting the balance right.

Currently in IT there is an increasingly mature trend towards swapping traditional capital investments for regular periodic subscriptions. An example of this might be Microsoft's 'Surface as a Service' offering, but in software, client computing and server side computing the trend is present, and it allows the traditional cost bump to be smoothed out over time, so that you can have a high quality solution and pay for it as you enjoy it, with reduced barriers to entry.

When Onega look at a product, we do of course consider cost. We are a business ourselves and we have to balance the books. However we invest where we need to and appreciate that some things can be very much a false economy. The difference that an extra £100 investment can make to your enjoyment of a computer over three years can be between smooth service delivery and frustration. We've learned many things the hard way and we try to share the benefit of our experience so that you can avoid repeating mistakes and errors we may have made. We do of course sometimes make mistakes, but we learn from them.

As a case in point of false economy, consider backup systems. The purpose of these is to keep your vital company information safe and, in some cases, also to double as Business Continuity solutions. You really don't want to be choosing a backup solution based on price. Among the criteria here are: how well does it work; is it reliable; how quickly and easily can we get things back when we need them; how is it monitored; how is the data encrypted; how do we obtain support for the system; how many copies of data are maintained; how far back will it retain our backup data; does it cover everything we need backed up; are air gaps enforced; how stable is the company providing the service? Price of course is a factor, but it should probably be secondary to the first questions. A good solution that might cost £30 a month is likely to be much, much better business value than a poor solution that just about does the job for £19 a month. In this hypothetical example the £11 extra a month in cost would arguably be worth way more than that in peace of mind alone.

So for any system, when we are considering recommendations from Onega, we are looking to help provide solutions that will stand up to the task and deliver when needed rather than something that will disappear like Sonic just when you need it.

No one likes being let down.

Back to the title of our post here (after a slight case of ADD): Complacency being the Enemy of Security. Complacency is very hard to prevent, but procedures, reality checks, external audit and baselines can help greatly. Arguably the role of a security professional is primarily countering complacency everywhere it creeps in, which it does.

There are some tricks that can be learned from the people who protect some of the nation's most critical assets, again imperfectly but still relatively robustly and relatively successfully. We're talking about the high bar of protecting nuclear assets, domestic or military. Imagine the awesome responsibility of guarding a nuclear reactor or live missile defensive systems. If you were tasked with this role, you'd obviously understand the serious nature of the role and the possible implications of a breach of security. You'd be very much 'on your guard' on day 1, but on day 2 (allow some leeway on timing here), you'd likely think 'no one stole / launched our nuclear weapons yesterday, so I can relax a bit': maybe read a good book, check out X-Factor or kitten videos on YouTube, read the paper, play solitaire, wave through the maintenance engineers or take a long break for coffee etc., and so it goes until one day something happens and you get that sinking feeling in your stomach when it's too late to do anything about it. Thankfully it is relatively hard to do anything useful with quantities of nuclear material without being picked up by the eyes and ears of intelligence, but every time the backstop comes good, the day comes closer when it misses one.

So to prevent complacency we have a number of routes: training and reinforcing why we have security and the importance of the items we are looking to protect; learning from incidents that others have experienced and shared with the community; implementing institutional anti-complacency measures such as audits and penetration exercises; and rotating staff roles so that attention-deficit burnout is minimised. Some of these measures can be equally applied to corporate environments and can uncover, for example, convenience hacks from staff that might undermine or bypass security measures.

At Onega, we've accumulated a good deal of knowledge on security and we've spotted enough loopholes in our time to know that, if we thought about them too much, we'd just run for the caves. We do like the challenge of a security audit though, and helping companies to look for low-hanging fruit or unbalanced security practices. Checklists and standards help greatly here, though they can be applied and evaluated with the thoroughness of the Queen's Guard or of the runaway guard; we aim for the former, of course, in any security evaluation. The cost of doing an evaluation is insignificant compared to the potential cost of not doing one.

Crims are clever..

You have to hand it to them, criminals are a clever bunch and in some ways we should thank them for entertaining us with their ingenuity. Actually we do thank them, with our hard-earned cash, when they get the better of us. This cat-and-mouse game will likely still be going on when Long Player (http://longplayer.org) has long since stopped playing...

In the interests of learning and staying safe, we'll share some experiences of current attacks used to try to steal your information (and thus maybe your money a little later).

Example 1:  Socially Engineered Email Attacks

This is a popular one as we write and, having started off targeting large organisations, it is now trickling down to smaller organisations like yours.

What happens? Criminals have a look at public sources like your own useful website, Companies House etc. to identify who the main boss(es) of the company are and who is in the finance team. They then craft (forge) an email from the head of the company to the head of finance asking for help to make a payment to a supplier, which might be a perfectly normal thing to do and a reasonable request. If the scheme runs to completion then the head of finance replies, thinking that he or she is talking to the boss, and £15,000 (or whatever amount the criminal judges will not raise suspicion) is transferred into the sunset.

If the criminal can be bothered, they may even have sent a fake enquiry to your company beforehand, so that they have a copy of your email stationery and footers to make the mail more convincing.
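The tell-tales of a forged 'from the boss' request are mostly in the headers: the boss's display name on an address that is not the boss's, a sender domain one character off your real one, or a Reply-To that quietly routes the conversation elsewhere. The following is an added example of turning those into a check; it is not Onega's code and not a description of any particular mail filter. The company domain, the executive list and the two sample messages are constructed for illustration, and a real deployment would take them from your directory and your mail gateway.

```python
"""Flag 'from the boss' payment requests whose headers don't add up.

Added example for illustration only. COMPANY_DOMAIN, EXECUTIVES and the two
sample messages are constructed; a real check would read them from your
directory and mail gateway.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"                         # assumption: your real mail domain
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}  # assumption: display name -> real address
PAYMENT_WORDS = ("payment", "transfer", "invoice", "urgent", "wire")


def levenshtein(a, b):
    """Edit distance, used to spot typo-squatted domains such as examp1e.co.uk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mail_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_findings(raw):
    """Return the header anomalies that make a message look forged (empty list if none)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = mail_domain(from_addr)

    # 1. A known executive's display name, but not their real address.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(f"display name '{from_name}' used with {from_addr}")

    # 2. Sender domain is a near-miss for ours (one or two characters out).
    if from_dom != COMPANY_DOMAIN and levenshtein(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies are steered to a different domain from the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and mail_domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")
    return findings


def payment_language(raw):
    """Words from the subject and body that suggest a payment request."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    return [w for w in PAYMENT_WORDS if w in text]


def is_suspicious(raw):
    """Header anomalies alone are noise; header anomalies plus payment talk is the pattern."""
    return bool(header_findings(raw)) and bool(payment_language(raw))


# Constructed sample messages.
FORGED = """From: Jane Smith <jane.smith@examp1e.co.uk>
Reply-To: jane.smith.ceo@gmail.com
To: finance@example.co.uk
Subject: Urgent supplier payment

Hi Bob, please arrange a transfer of 15,000 to the supplier below today.
I'm in meetings all day so email only.
"""

LEGIT = """From: Jane Smith <jane.smith@example.co.uk>
To: finance@example.co.uk
Subject: Supplier invoice approved

Bob, the Acme invoice is approved, please pay on the usual terms.
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(label, is_suspicious(raw), header_findings(raw), payment_language(raw))
```

The forged message trips all three header checks and carries payment language, so it is flagged; the genuine one mentions an invoice but has clean headers, so it is not. A check like this is a prompt for a phone call to the boss, not a reason to block mail: a director who really does write from a personal address will trip rule 1 every time, which is an argument for not doing business that way.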

To date (October 2016)  it is estimated that just short of a billion pounds have been lost by UK companies falling for this type of fraud. Not many people or large organisations are going to want to stand up and admit that they were caught out though.

The same techniques are used not only in attempted financial fraud but in other walks of life too. A salient example is noted at http://www.bbc.co.uk/news/uk-england-london-32095189, where a prisoner was released and ushered out of jail after his bail had apparently come through; the email was a fake, and this was not noticed until after his release.

Example 2:  Phishing Links

A newer threat that we are seeing in the wild at the moment is the digital equivalent of the chain letter, but with more malice. It starts when criminals trick you (in one of many possible ways) into revealing the login credentials for your email (Office 365 / Exchange / Lotus Notes / Google Mail). They then access your mailbox and send a bulk email to all your contacts from your account. Since it goes to people you know, who know you, and is sent from your real address via your real mail system, the chances are that it will get through all the email filters.

As they have access to your mailbox, they know your industry, how you write, and your stationery. They also have a full copy of your mailbox in case there is anything interesting or useful to them in there. What could a criminal or competitor do with a full copy of your inbox, sent items, folders, contacts, diary, public folders and web-shared folders? Have you ever emailed payment card details to people, or noted passwords in email? Most of the time the contents may be disregarded, as the prime aim is simply to spread further and to deliver malware that does more damage later, but once a mailbox has been taken over you should assume everything in it has been read.

A typical mail sent out from one company to another could include a note such as: 'Please can you review these deal documents?'; or something similar that is appropriate to the industry and company, such that it looks credible, as well as a link to a document sharing website like Google Drive / Docusign Form etc.

When someone receives this message and clicks on the link, they are shown a login page to access the 'documents':

The page we captured looks like a legitimate login page for Google Drive, but look carefully at the address: it starts with 'drive.google.com', which looks legitimate to the human eye, but the 'gotcha' is what follows: '.kwaltaz.com'. Domain names are read from the right. The last part, kwaltaz.com, is the site that is actually in control, and everything in front of it is just a sub-domain (sub-site) that kwaltaz.com's owner chose to create, so you will not be going to Google Drive at all. That small but vital detail is easy to miss. The page looks convincing, so if you are in a hurry you may just enter your details to log in and get to the interesting deal documents.
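The rule in the paragraph above ('the site that counts is the rightmost part of the hostname') can be applied mechanically, which is worth seeing because it also covers two variants of the same trick: the trusted name placed before an '@' (browsers treat everything before '@' as a username and connect to what follows) and the trusted name placed in the path. The code below is an added example and not part of the original post. The list of trusted services and the tiny table of two-level suffixes are assumptions (a real implementation would consult the Public Suffix List), and the sample URLs are constructed around the 'drive.google.com.kwaltaz.com' pattern described above.

```python
"""Which site does a link really go to? Read the hostname the way the browser does.

Added example, not from the original post. TRUSTED and TWO_LEVEL_SUFFIXES are
assumptions (a real implementation would use the Public Suffix List); the
sample URLs are constructed around the 'drive.google.com.kwaltaz.com' pattern.
"""
from urllib.parse import urlsplit

TRUSTED = {"google.com", "docusign.com", "office.com"}       # assumption: logins you expect to see
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}  # assumption: tiny stand-in for the PSL


def registrable_domain(host):
    """The part of a hostname its owner actually registered: the rightmost labels."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])      # e.g. docs.example.co.uk -> example.co.uk
    return ".".join(labels[-2:])          # e.g. drive.google.com.kwaltaz.com -> kwaltaz.com


def classify(url):
    """Return (registrable_domain, verdict) where verdict is 'trusted', 'lookalike' or 'unknown'."""
    if "//" not in url:
        url = "http://" + url             # a bare 'host/path' string would otherwise parse as a path
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname already discards any 'user@' prefix and port
    site = registrable_domain(host)
    if site in TRUSTED:
        return site, "trusted"
    # A trusted name appearing anywhere else (sub-domain, user@ part, path) is decoration.
    if any(t in url.lower() for t in TRUSTED):
        return site, "lookalike"
    return site, "unknown"


# Constructed sample links.
SAMPLES = [
    "https://drive.google.com/file/d/abc123/view",          # the real thing
    "https://drive.google.com.kwaltaz.com/login",           # trusted name as a sub-domain
    "https://drive.google.com@kwaltaz.com/login",           # trusted name as a 'username'
    "https://kwaltaz.com/drive.google.com/login",           # trusted name in the path
    "drive.google.com.kwaltaz.com/login",                   # no scheme, as pasted from an email
    "https://docs.example.co.uk/sign",                      # two-level suffix handled correctly
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify(u), u)
```

The point for a user is the one the paragraph makes: decide where you are going from the rightmost part of the hostname, not from the familiar words at the front. The point for an administrator is that the same few lines, run over the links in a suspect mail or a proxy log, pick these out consistently.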

If you do proceed to enter your details as invited, then you'll have just given the criminals access to your files, email and anything else you store on Google, in this case. Unless you have further login security in place (such as two-step verification), they can now log into your email, continue the chain and help themselves to any interesting items you have. You may well not know that they've been looking and lurking for a week or more before your mailbox is used in turn, and your login might also be sold on underground 'dark web' markets, the price depending on factors like the organisation and how well connected the account is.

When one of these email abuse attacks is launched to repeat the cycle that started this example, the person or group sending the bulk mail is said to have 'owned' your mailbox. They may also change your password to lock you out and to slow down your regaining control once you realise what is happening (by which time the damage is done, both in mail sent and to your reputation in turn). We've also seen that criminals like to interact with people while an abuse exercise is under way. For example: if a bulk mail goes out referring to deal documents and a recipient is slightly suspicious and mails back to confirm validity (e.g. 'Hi Paul - can I check that this link was from you and is legitimate?'), then the crims reply to say something like 'Hi Bob - yes, these are from me - please review and let me know your thoughts', encouraging Bob to become the next victim in the chain. The perpetrator also likely deletes all your contacts and the replies and conversations they've had, to further frustrate your recovery and communications as you wrest back control of your mailbox.

Remember that, in this case, the email comes from a trusted mail account and carries no virus-bearing attachment, only the link to the website for the 'documents', so the majority of virus scanners and junk mail filters will pass it as legitimate. There are effective defences, but we'll come onto those later. Apart from stealing your login details, scripts on the site also commonly detect what type of computer and web browser you have and, if these are known to be vulnerable, use those open doors to load malware onto your computer in the background without your knowledge. Keeping your computer up to date closes the known vulnerabilities and so avoids the great majority of these infections, which is why your IT department spends a fair bit of time and energy on the patches and updates pushed out to your computer. The odd reboot to apply them is a very minor inconvenience compared to the alternative of not keeping up to date!

Example 3: The Freebie USB stick.

Who doesn't like a freebie? For example a free promotional USB drive that you're sent in the post, or one that you were 'lucky to find' which someone else had evidently previously dropped. Statistically we're all suckers for the proverbial free lunch and 'don't look a gift horse in the mouth'.  So you proceed to plug the drive into your computer to make use of it, or if found to see if there is anything interesting (music/ files / competitor files / the original owner's contact details to return the drive) on the drive. There is a chance this was your lucky day, but equally there is a good chance that the drive might have been 'dropped' where you'd find it.

When you click to open files on the drive, they may not be what they appear and could silently install malware on your computer, especially if the 'autorun' features for removable media are not disabled. (Current versions of Windows no longer run programs automatically from a USB stick, but the attacker does not need that: a document on the drive only needs you to open it, and a device that announces itself to the computer as a keyboard can type commands the moment it is plugged in.) By plugging the USB device into your computer you bypass your network firewall and all your perimeter security, and there is a very good chance that, if a hacker can be bothered to drop USB devices for you to find, they'll be bothered to write a custom virus for you that your virus scanner will not detect. Thus the last line of defence on your desktop could well be bypassed too, and the attacker has a backdoor to your office network and can likely get to anything you can get to, as well as recording your visited websites and keystrokes. Combine that with the odd screenshot taken in the background and letters 2 and 6 of your password may not be your secret for long.

Example 4:  Bank Phone fraud.

We're all very careful about our computing and personal data, which websites we trust, and keeping our cards safe, aren't we? So if you get a call from your bank's security department saying they're worried about a number of transactions that have been put through for authorisation on your account, you'll be glad that their anti-fraud systems have got your back, right? Not if the caller is not, in fact, your bank, but yet another clever criminal trying to catch you off guard and obtain your banking details to abuse later. The fact that they appear to be helping you by flagging attempted transactions on your account is often enough to win your confidence before any of these 'transactions' go through. Analogue telephones also have a flaw that is abused at this point. If you have any doubt as to whether the call is genuine, you can call the bank back on the number printed on the back of your card, and the caller will encourage you to do so 'to satisfy yourself that the call is genuine'. So you hang up and dial the number on the back of your card. The call is answered, sometimes with a short 'your call is very important to us and we are connecting you as quickly as possible'; you ask for the fraud department, are connected to the same or another agent, who verifies your details and helps you reset your security information to be very secure in future. In actual fact you have not called your bank at all, because the original call was never cut off. The flaw in many phones is that a call does not disconnect until the party that rang you has hung up, so you've been on the same fraudulent call all the time and have likely given away your memorable word, date and place of birth etc. in the process, while thinking you are helping the bank to protect you. If you want to call the bank back, do it from a different phone (a mobile, say), or wait several minutes and check for a dial tone before dialling, so that you know the original call really has cleared. You can imagine how this ends; often within days of the original call.

There are a number of variations on this fraud call, which targets businesses as well as individuals. Criminals know that certain professions, like solicitors, accountants and investment advisers, may well hold short-term funds for clients in client accounts separate from their own funds. Where this is the case there is a heavy duty of care on the holder, and so criminals target these groups because the modus operandi of the call preys upon the account holder's instinct to 'keep the funds safe'. Variations have included the 'bank' offering to call back tomorrow (and then doing so) to assist with moving chunks of money, often quite considerable, into 'safe' accounts away from the account that is currently being 'targeted'. So, in a desire to keep client money safe, the unwitting victim actually assists the criminals by transferring large amounts of other people's money to them, which in many cases is never seen again.

If you're thinking 'no one would fall for this', then have a read of http://www.bbc.co.uk/news/business-34425717, which is a real example of this fraud occurring. The article notes that for this unfortunate solicitor the consequences were personal bankruptcy and being banned from practising her profession. We understand that the professional indemnity insurers also declined to pay out on the grounds that she 'knowingly assisted criminals', which we think counter to probability and to good faith in insurance, so be reminded that not all insurance is the same, though you may only come to understand that when you need to call upon it. Would your insurer cover you if you acted (in your mind) in utmost good faith but were fooled into transferring money to criminals? Now might be a good time to make a call and find out.

What can we do to stay safe?

The above are just some examples of common frauds that we see in the real world that are delivered by technological means. There are many more.

Some advice we'd generally give is:

  1. Remember nothing is secure.

    Sobering as it is, there is no such thing as a completely secure system; only degrees of risk reduction. Security is about reasonable justified degrees and measures which reduce risk of abuse. Admitting that you have a security problem (we all do) is the first step towards mitigating it. Never trust a security professional who isn't paranoid!
     
  2. Learn from the mistakes of others and don't repeat them.

    Take an active interest in security. The more you know, the more you are armed. There is a lot to read on the Internet and in the press and knowing that you are at risk is the first step in reducing risks.
     
  3. Respect the need for security.

    Security often (nearly always) comes at the expense of some convenience. Be that glass screens or steel bars in a bank branch that physically protect cash, or computer processes that ask for authentication or for you to change your password from time to time. Each time you have to go through the hassle of changing a password, remember that means you have a fresh start where anyone who might have known your password, now does not.  Equally if your computer prompts for a reboot to complete install of (security)updates, don't hit 'postpone' but instead save anything you need to save, hit reboot and grab a coffee or glass of water; the updates are there for a good reason - to keep you safe.
     
  4. Be part of security.

    We all need to be careful and vigilant. Even network administrators should normally only log in with normal user rights - see our other post on this at  http://www.onega.net/blog/2015/6/4/are-you-logged-in-with-admin-level-credentials-on-your-computer-right-now . More generally, ensure you consider things and share information on a 'need to know basis'. Recruitment companies and those involved with industrial espionage (the former might arguably be the latter in some cases) might charm information out of you under many guises.  We've even had phone calls where people claim to be calling from the Police (not the band or manufacturer of sunglasses, but the law enforcement crew) and naturally we want to help them, don't we? Even beware that, by reading security blogs and web pages, you are often giving away your network IP address and location.
     
  5. Make sure appropriate technical measures are in place to minimise your risks.

    Where appropriate, pieces of technology can help maintain security.  Make use of these and make sure they are configured, deployed, monitored and managed appropriately. There is a big difference between just 'having a firewall' and having a well-configured and well-run security solution in the same.
     
  6. There are no stupid questions when it comes to IT security.

    As a rule of thumb: If you have a doubt, point it out. If something looks too good to be true, or does not 'feel right', then be sceptical and check. This might be in the language used in an email that might not be quite characteristic of the sender. Remember it took the one little boy to point out the emperor wore no clothes - often we find this recurring on a digital scale. It can also be in person or on the phone.  Who is that new guy in the office and does everyone else just assume he has the right to be there?
     
  7. Trust your security.

    There are many computing tools that aim to minimise risks online while you get on with your work. Most operating systems (including MacOS and Windows 7, 8 and 10) and popular web browsers like Firefox, Chrome and Internet Explorer show a warning when you are about to visit a potentially dangerous website, or when a piece of software is trying to change things on your system. Unfortunately studies repeatedly show that the great majority of people just hit 'Continue' and carry on. Stop and think when you see these; it is better to err on the side of caution.
     
  8. Maintain good backups (and test them).

    If all else fails, you've got your backups, right? There are many risks, from threats like 'cryptolocker' which encrypt your files and demand a ransom to restore them (paying likely leads only to an empty wallet and no files back) to the value of your information to others if it is leaked electronically. But if you have good backups, at least you are still in business. Onega have developed a Backup Policy Template document which takes you through a number of risks to help make sure you have an appropriate strategy in place. We'd be happy to share a copy with you. Do test your backups though; we can't stress that enough. Over time companies implement new systems and people put things in new locations: in the cloud, on their computer, on external drives and on network shares. Pick some random files, note their details, move them somewhere new and challenge yourself or your IT department to get them back. A good example is if you move all your Outlook contacts from Office 365 to a PST file: are these backed up, and can you get them back easily? I digress, but in that example Onega would have you covered with our O365 SkyKick backup system to keep your MS Office 365 cloud data safe.
     
  9. Don't be complacent.

    This one is hard. Our natural inclination is to concentrate our attention on what is urgent, not necessarily what is important. Even if your office is connected to the MOD secure network, or you've got the shiniest new firewall, is everything else as good, and is everyone briefed and playing the same way? If you leave your computer unlocked while you are away from your desk, if your Sage 'manager' password is blank (the default, so do check if you use Sage), or any of 1001 other things, then you are at risk. An external check can sometimes help to remind us of this and wake us all up. Standards like the UK Government's Cyber Essentials give a good basic baseline and make sure most of the low-hanging fruit is covered.

    ** Please note the above are elements of what we consider salient advice but in no means comprehensive guidelines.
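Point 8 above says to test backups rather than trust them, and the test it describes (note the details of some files, then prove you can get them back) can be made repeatable: record a manifest of size and hash for everything that should be protected, perform a restore to a scratch location, and compare. The block below is an added example of that check; it is not Onega's Backup Policy Template and not any backup product's code. The files, the 'restore' (a plain copy with two faults injected) and the directory layout are all constructed in a temporary folder so it runs anywhere without touching real data.

```python
"""Prove a backup can be restored: manifest the live data, restore, compare.

Added example, not Onega's Backup Policy Template. The files are created in a
temporary directory and the 'restore' is a plain copy with faults injected, so
it runs anywhere without touching real data.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def fingerprint(path):
    """(size, sha256) of a file, read in chunks so a large PST need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return path.stat().st_size, h.hexdigest()


def build_manifest(root):
    """Relative path -> fingerprint for every file under root.

    Keep the manifest somewhere the backup job cannot overwrite; it is the
    independent record you compare the restore against.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored):
    """Compare a restored tree to the manifest: what is missing, what differs, what is fine."""
    restored = Path(restored)
    report = {"ok": 0, "missing": [], "changed": []}
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif fingerprint(target) != expected:
            report["changed"].append(rel)
        else:
            report["ok"] += 1
    return report


def demo():
    """Constructed scenario: three files; one restores intact, one is corrupted, one was never backed up."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "contacts").mkdir(parents=True)
        (live / "deals").mkdir()
        (live / "contacts" / "outlook.pst").write_bytes(b"!BDN" + b"\x00" * 2048)
        (live / "deals" / "q3.docx").write_bytes(b"PK\x03\x04" + b"deal documents")
        (live / "notes.txt").write_text("supplier bank details checked by phone\n")
        manifest = build_manifest(live)

        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)                                   # the 'restore'
        (restored / "notes.txt").write_text("supplier bank details\n")    # silently truncated copy
        (restored / "contacts" / "outlook.pst").unlink()                  # PST was never in the backup set
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

The report from the demo is one file fine, one changed and one missing; a count of files restored would have said 'two out of three', which is the sort of answer that hides the PST you will want on the day. Hashing rather than comparing sizes or dates is what catches the truncated copy.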
Think and read warnings before you blindly click continue.

Onega can help with aspects such as Incident Response (although we'd rather help avoid incidents in the first place), Security Review / Audit, ensuring you have good Physical and Cloud Backup Solutions, implementing multi-level UTM Firewall protection, user education and security awareness, external mail filtering etc. The first step is to get in touch and we can discuss any particular concerns, run through any issues and decide what would be appropriate for your needs.

Epilogue:

The story header picture here is of a Lego Criminal, but in actual fact we're probably not giving them the credit they're due. Here, more accurately, your foe could be better imagined as:

.. the Evil Genius (complete with white cat)

But in reality would actually probably look more like this:

Average Joe..

Be on your guard; keep safe online and in the real world :-)

Microsoft Exchange 10 Device Limits and Focus for Productivity

Like many things, sometimes you don't know there is a limit until you hit it, or at least are reminded what you learned long ago that things are not unlimited.

In my case, I've just hit a limit of having 10 mobile devices connected to sync to my email account with ActiveSync / Outlook on mobile or iPad devices. Of course, whilst like many, I do like my gadgets, I don't actually have 10 phones or iPads!

What has happened is that every time you add a device to sync to your Exchange Mailbox (this is true for MS Exchange on premise and also for Office 365 Hosted Exchange email), a new device partnership is created and there is currently a reasonable limit of 10 devices as a maximum. The Exchange server has to keep track of what the last messages you've had are, so it knows from when to push you the latest messages etc.

You can access the list of phones and mobile devices via the Outlook Web portal for your email (or the Exchange control panel). Once connected, choose Options -> Phone, and the list will load. (Administrators can get the same list for any mailbox from Exchange PowerShell with Get-MobileDeviceStatistics -Mailbox <user>, and clear a stale partnership with Remove-MobileDevice.)

The view allows you to see what devices you are syncing with, when they last did a sync, and, should a phone ever be lost or stolen, you can attempt to initiate a remote wipe from here to protect your private data, even if the phone is lost.

In my case the list reads as a recent history of my mobile phones, showing the dates the respective device was last synchronised and hence retired. Thus I can see that I had an HTCAce (Actually an HTC Desire HD) until Jan 2013, an HTC One X Plus, an HTCOneM8 and now the Samsung Galaxy S7 etc. Is it me or is the life of a phone generally getting shorter these days as we use them more?

Once you have 10 phones in a partnership with your mailbox, you can't have any more. Thus it is probably good to get into the habit of removing old phones when you add a new one. Note that if you use the MS Outlook app for iPad / iPhone / Android phone, then this will take a second slot alongside the native Mail ActiveSync connection if you use that. The Outlook Mobile app is pretty good but we tend to recommend sticking with your native mail app in most cases, so that you have:

  1. All your mail in one inbox,
  2. More flexibility on sync schedules (and hence battery life) and
  3. Less data use abroad if you travel; the native mail apps are much better at being roaming aware for now.

So removing phones or devices no longer used is good for security, reducing server resource load and allows you to add more devices when needed i.e. if you are at the limit and your current phone dies, then you can't configure a replacement until you clear an old phone off the list.  This could cause some small delay at the time you need to get going with work / trips / other things you might need your phone for.

And now for a slight, but very relevant, digression: 

Of course, if you are in the office or trying to get some focused work done then one of the best things you can do is to turn your mobile phone off. Research such as that conducted by Kaspersky Labs shows that your productivity can be 26% better without the distraction of a mobile phone - see http://www.business-standard.com/article/technology/not-using-smartphones-can-improve-productivity-by-26-says-study-116082900664_1.html  for details on this particular example.

You may know that I like to make use of odd moments of time or travel on public transport etc. to listen to audio books (generally from Audible) as well as useful / relevant podcasts so as to make better use of time. Currently I'm listening to Deep Work by Cal Newport. This also reminds us that Facebook / Twitter / WhatsApp and other social apps and services might be great, but they're also a massive form of distraction. Each tweet has the ability to take your mind off task and we all know that there is likely a 20 minute recovery time to re-focus fully again. At Onega, we aim to turn off our mobiles in the office (you are welcome to call us at the office on the phones here of course!) and we've blocked Facebook access for our own good for years, after I started to browse Facebook one morning and then realised 'crikey, it is nearly past lunchtime already.' I recommend that book highly and they also touch upon one of my favourite topics of eudaimonia in one section, in relation to architecture applied to provide a focused environment for deep work.

If turning your mobile off in the office can make you 26% more productive, think how much more focused and efficient you can be if you avoid Twitter, Facebook etc. With a logical extension you could easily get to 100% here and your results may soon reflect that. Likely you may be reading this and thinking 'I could turn my phone off anytime but I choose not to' and think of 100 reasons why you must, must, must keep it on... but this is also addictive behaviour. If you consider it, modern smartphones are designed (actively designed) to hold our attention and app developers work very, very hard to tune the experience to encourage you to indulge in more 'screen time' as every minute of screen time has a dollar (or pound or euro) value. It can be hard at first, but turn your phone off and the world does not fall apart; you'll likely get a lot more work done.

Other things you can do to help yourself focus are to turn off the pop up for new email notifications and just check your mail from time to time. This way you are in control of your focus rather than it being in control of you. Again, this one can be hard initially but you'll also find you soon get used to it. If there is anything urgent there is always the phone, which is generally the best way to have direct, focused attention, immediately. You can also achieve more in a 5-minute call than 10 days of email back and forth on a subject which would take a lot more cumulative time. You might notice that I'm not often on Skype either - this is for the same reason again. Nothing wrong at all with Skype, but if you have 10 different methods of contact then you risk simultaneously splitting yourself between IM chats on Skype, phone calls / emails / Slack messages / Sametime / WhatsApp / LinkedIn and Facebook Messenger etc. and thus not focusing on any of the simultaneous conversations with the attention they deserve.

Onega Authorised to sell Microsoft Surface Computer Range.

Microsoft's Surface range consists of the SurfacePro tablet computers (the current line-up includes the SurfacePro 3 and SurfacePro 4 series) and the SurfaceBook which is a convertible laptop that can run in traditional laptop or folded screen only mode. They were originally introduced by Microsoft as much to point the way to the rest of the computing industry on design and what could be achieved, as to an actual product to sell to users. Given that Microsoft produce the Operating System for the majority of computers in the world it is not good form to be seen as competing with your clients.

Others have taken that direction: Lenovo with their successful Yoga range, which includes a series of convertible computers, and Fujitsu (who have always been strong in tablets) with new convertibles in the form of the nattily named Stylistic R726, which has been well received. However, the success of the SurfacePro range has taken even Microsoft by surprise; they sold over six million units in 2015, with 2016 likely to be double that.

Onega have been working with Microsoft products since MS-DOS 3.2 and although Microsoft is primarily known for its software, they have, for many years, made hardware which is known for being at the premium end, but reasonably priced for what it is. For example you'd always find a safe and dependable choice in a Microsoft keyboard and mouse. The SurfacePro computers are definitely at the premium end of the market and are very slick computing devices which have had very good feedback from users.

Until now, availability of the computers has been quite limited so you'd have to go to John Lewis or other big retail providers, or buy direct on the MS Surface website. Microsoft is expanding its channel to selected partners and we're happy that Onega have been accepted in the latest round as an authorised reseller. This means that we can provide clients with best pricing and support on the Surface range.

In another innovation, Onega and Microsoft are also making it easy to access the benefits of the Surface range. You can take the traditional route and buy a SurfacePro or SurfaceBook, but we can now also offer the choice of 'Surface as a Service' which allows a bundle of Surface hardware, software (if needed) and services to be made available for a monthly subscription. When the hardware and the warranty services are bundled this way there is no barrier for obtaining the very latest technology, with the peace of mind of a full warranty including accidental damage cover and a very reasonable monthly investment - you should, in any case, make sure your computers are covered under your general business policy for loss or theft.

The Surface as a Service scheme offers same day finance acceptance and we only need basic details to get approval in principle.

What do we think of the Surface and why would you consider this vs competitors? The Surface is a very slick computer which provides a lot of computing power at your fingertips and runs full MS Office and other Windows apps. If you try the touch and pen interface for handwriting or just drawing on the screen then having only a keyboard again can feel limiting on any other laptop. Potentially the Surface can save you from needing to carry around both a laptop and an iPad.

Any computer is a compromise between cost / weight / capacity / build quality / speed / expandability / badge / serviceability etc.  We often think of a laptop as being the 'sports car' of the computer world in that they are great machines but you have to make choices (unless you have an unlimited budget) to get things right for your needs. The SurfacePro ticks most boxes. The one 'gotcha' with it is that, due to the focus on ultra slim build, the spec you buy is the spec you'll finish with, in that the case is glue sealed, so you cannot upgrade memory or storage. So it is important to specify enough up front for your foreseeable needs. The comprehensive extended service warranty means that any service problems are dealt with by an advanced swap out if you have any hardware issues.

Competitors like Apple also go for the sealed device approach (seen any screws on the back of your iPad lately?) but others like Fujitsu do allow for upgrades and servicing at the slight (very marginal) expense of size and weight.

Post Brexit the British pound has been dropping in value against both the Euro and US Dollar so computers have been going up in price lately but a good computer, at whatever price, is still excellent value, especially if you get a good few years' use out of it (big hint - best money - from £10 - you'll ever spend on a computer is on the case that protects your laptop).

Onega's aim is always to find the best fit for clients and to recommend the appropriate device for your needs - so please feel free to run any requirements by us and we'll be happy to discuss.

Happy computing.