In this issue:
Ask Our Readers: Spell checking for webmail? Editor’s Corner. This Week in IT – phishing, ransomware, more. Windows (and some macOS) news. Windows Server news. How to Run Chrome OS Flex. Upcoming webcasts, events and conferences (NEW SECTION!). IT Bookshelf: Building in Security at Agile Speed. Data-crunching energy drinks. Plus lots more — read it all, read it here on WServerNews!
Ask Our Readers (new question): Spell checking for webmail?
Michael Hallstead sent us the following asking for help from our readers on a problem he’s facing with a small business customer he provides IT support for:
Last Saturday, the boss wanted to know if there was a way to do spell checking in a webmail client. Here’s some background info. There’s 8 people in the whole company. Still uses a netware server for 22 year old MRP software. Everyone is on a new computer, with a virtual machine to handle the MRP program, and everyone has 2 monitors, one for the virtual machine, and one for everything else. However (and there is always a however) there is an older gentleman there, who is not that computer savvy, and not the best speller around. You put him in front of one of these workstations and he freezes up and is totally confused. So the boss keeps him on a win xp computer because he is Ok with that. He uses firefox v52 for webmail, and that works just fine. He’s the nicest guy one could meet, knows our products, knows the community, knows the customers, and is invaluable to the company, just don’t ask him to spell.
So, I’m not really sure what to do for him. There are no spell checking browser extensions for v52 of firefox (well, there was one, but it did not work)and trying to find a universal spell checker for win xp, that gives an interface similar to gmail’s spell checking — red squiggly underline/popup correct word, within the webmail client… just haven’t found anything. Normally, one could just compose the email in a word document, spell check it, and copy and paste into the webmail client, but he doesn’t get that somehow either. And yet, he understands the MRP program and can use that fine. Go figure.
Do any of our readers have any suggestions for Michael? Besides dropping the customer of course. Email us.
Got questions? Ask our readers!
WServerNews goes out each week to almost 200,000 IT pro subscribers worldwide! That’s a lot of expertise to tap into. Do you need help with some technical problem or are looking for expert advice on something IT-related? You can Ask Our Readers for help by emailing us your problem or question. Do it today!
Help spread the news!
Please tell all your colleagues and friends about WServerNews and its companion newsletter FitITproNews, and let them know that they can subscribe to these and other TechGenix newsletters for free by going here. Thanks!!
What’s obviously on everybody’s mind these days is what’s happening with Russia and the Ukraine. And as IT professionals this should also be a big concern for us. Because in today’s online world, wars are as likely to be conducted on the Internet as they are in the air or sea or on the ground.
What this means for those of us responsible for maintaining the IT infrastructure of our organizations is that we should be focused evaluating how this evolving situation may affect the safety and integrity of our operations. A good place to start is to watch this webcast from the SANS Institute:
SANS Webcast: Russian Cyber Attack Escalation in Ukraine – What You Need To Know and Do!
You need to register to login and view the webcast, but registering with SANS so you can get their NewsBites newsletter is something that anyone in charge of maintaining a network or datacenter should do as it helps you keep informed about critical vulnerabilities and cyberthreats and how you should deal with them. I watched this particular webcast and it was excellent—and also scary! The presenters go into detail concerning Russia’s current cyber capabilities and what security researches have seen happening so far during the conflict, although clearly the situation continues to rapidly evolve. They also describe in detail the dangers that the escalating cyber conflict presents to various kinds of national critical infrastructure including transportation, energy distribution, financial services and manufacturing—dangers not just to Russia or the Ukraine but to other nations as well!
I expect that as the conflict heats up that SANS will present more webcasts to help IT pros prepare for increased cyber attacks on the infrastructures they manage. As just one simple example, take a look at this tweet by Bill Woodcock about how Ukrainian government authorities are asking ICANN to shut down root name server instances within Russia that are operated by ICANN, revoke the Russian-managed top-level domains (TLDs) which includes .RU, .SU and .рф, and revoke any SSL certificates issued for these domains. In addition the Ukraine has made a request that RIPE withdraw IP address blocks registered by the RIPE NCC. If any of this happens you can bet for sure that this Russia/Ukraine situation is going to heat up a lot more. However it’s not likely that any of this will occur, partly because RIP has reaffirmed their position concerning such disputes and because ICANN generally treats ccTLDs as national sovereign resources. Furthermore, even if those ICANN-managed root name servers were turned off Russia could still perform essentially full AXFRs from external root servers to bring their own locally-anycast root server instances online pretty quickly.
On the other hand, as cybergangs take sides (The Record) and gang up on one another or break up into pro-Russian and pro-Ukraine cohorts, maybe they’ll all cybernuke each other and cyberspace will suddenly become stable, peaceful and safe. That would be nice J
This Week in IT
A compendium of recent IT industry news compiled by Your Editors. Feel free to email us if you find a news item you think our newsletter readers might be interested in.
Since cybersecurity is on everyone’s mind at the moment let’s start with news in this area. Phishing attacks continue to be a major headache for organizations with the latest development being impersonating DocuSign emails to steal credentials (BetaNews). In fact phishing attacks on social media have doubled over the course of 2021 (KnowBe4). And you can expect this trend to continue in 2022.
Ramsomware attacks are also much in the news these days, with AvosLocker ransomware now targeting the VMware platform (VMware). And while backups have traditionally been a primary way of recovering from ransomware attacks, but a survey from Venafi suggest that reliance upon backups is becoming less effective due to how ransomware attacks are evolving. Some food for thought there, I guess—but I’ll still make sure I’m regularly backing up everything (and verifying I can restore). And if you use Samsung phones you may want to be aware that Samsung apparently botched the encryption in roughly 100 million phones they manufactured in the last couple of years (ThreatPost). So maybe it’s time you upgraded your phone—or buy a PinePhone Pro and secure the phone yourself if you wear a penguin hat.
In other news, reports have identified a recent trend of attacks that downgrade Office 365 E5 licenses to E3 in order to bypass E5 security detection (TechGenix). And a recent research report forecasts that the network management software market will witness robust expansion over the remainder of the decade. The report highlights some of the leading companies involved this market including Manage Engine, GFI Software, Spiceworks and others. These are all great companies especially GFI which sponsors our newsletter.
Windows (and some macOS) news
Several news sources have reported (and Microsoft has confirmed) that selecting the Remove Everything option when resetting a Windows 11 PC doesn’t actually remove everything from the machine. What’s left behind is the Windows.old folder that’s created when you upgrade Windows, and this file can also include OneDrive files that have previously been market as Always Keep On The Device. Workaround steps are included in the Microsoft article referenced above, and Tom’s Hardware has more.
And while we’re on the topic of OneDrive we’ll also mention that Microsoft has made a small change to OneDrive on the macOS platform to make it easier for Apple aficionados to identify which OneDrive files are actually present in local storage on their Macs (Windows Central). And staying on the subject of macOS for a moment, Microsoft has enhanced their Endpoint Manager product to support configuring and deploying macOS policies. So if you also manage Macs as part of your Windows infrastructure, keeping those funky machines secure and up to date is now easier.
Getting back to Windows again, if you’re currently running Windows 10 on your home PC and are debating whether to accept Microsoft’s offer of a free upgrade to Windows 11, you should be aware of that Microsoft says their free upgrade offer “does not have a specific end date for eligible systems” and that “Microsoft reserves the right to eventually end support for the free offer” and also that the end date “will be no sooner than October 5, 2022.” You have to dig down deep into the FAQ on that page to find this information.
Windows Server news
The recent set of software updates for Windows Server 2022 are reported to be causing problems for some users. According to Microsoft after KB5009555 updates are applied certain apps or devices might be unable to create Netlogon secure channel connections. This means that scenarios which rely on synthetic RODC machine accounts might fail if they do not have a linked KRBTGT account. At the time of writing Microsoft is still investigating this issue.
Tip of the Week
You’ve probably heard the news by now that it’s possible to run Google’s new operating system Chrome OS Flex on your PC or Mac. So if you’ve been itching to have a Chromebook but are too cheap to buy one but you’ve got an old PC or Mac lying around, you’re in luck! The question however is how exactly do you do this? How-To Geek explains the steps involved here:
How to Run Chrome OS Flex on Your PC or Mac (How-To Geek)
Upcoming webcasts, events and conferences (NEW SECTION!)
Got an event, conference or webcast you want announced in our newsletter? Email us!
VMWare will hold a live webinar “Securing the Container Lifecycle from Build to Run with VMware Security” on Wednesday, March 16th at 11am PST / 2pm EST. Register here for this online event.
Data Center World is coming up soon on March 28-31 in Austin, Texas. New sessions and speakers are being added daily for this conference. Find out more and register here.
Also be sure to check out Redmond Channel Partner’s calendar of upcoming Microsoft conferences for partners, IT pros and developers!
Got comments about anything in this issue?
Email us! We love hearing from our readers!
Meet the Editors!
MITCH TULLOCH is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada that produces books, ebooks, whitepapers, case studies, courseware, documentation, newsletters and articles for various companies.
INGRID TULLOCH is Associate Editor of both WServerNews and FitITproNews. She was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press and collaborated on developing university-level courses in Information Security Management for a Masters of Business Administration (MBA) program. Ingrid also manages Research and Development for the IT content development business she runs together with Mitch.
IT Bookshelf: Building in Security at Agile Speed
Building in Security at Agile Speed from CRC Press is designed to instill security development lifecycle (SDL) best practices into your organization’s software development life cycle (SDLC). While software development isn’t the main activity of most readers of this newsletter who are generally IT professionals or IT managers, many of you do some coding and/or scripting as part of the various tasks you perform in deploying, configuring, administering and maintaining the IT infrastructures of your organization. And even if coding isn’t something you do yourselves, you probably have colleagues in your organization who develop applications and services.
This is especially true if your organization employs DevOps and follows an Agile software development process instead of the more traditional Waterfall approach, which still predominates in more platform-centric IT activities like setting up networks, deploying hosts, migrating workloads, and such. This book focuses in particular on SCLC within an Agile environment, and it shares a lot of good wisdom on how to effectively marry security into the software development process.
Particularly in the area of people. Those of us who work in IT tend to forget that technology—including software applications and services—are not only designed for use by people but are also designed *by* people. And since people have all kinds of flaws, being human—so inevitably does software. The authors keep this fact in mind throughout and therefore starts at the beginning by asking, what exactly *is* secure software? Then along the way they examine various tools, programs, methodologies and constraints for developing secure software in Agile environments and propose a generic security development lifecycle that can allow coding project teams to design, build, test and release secure applications and services—as secure as humanly possible, that is.
Threat modelling is also covered in some detail, mostly from a process-oriented perspective. What I mean is, the authors target those in management who are responsible for overseeing the SDL process, not the actual coding itself. Much of the book deals with the human side of software development: team dynamics, continuous delivery pipelining, vendor management, security training, hacking culture, and so on. For example in the section titled Software Security Organizational and People Management Tips the authors provide numerous helpful recommendations for productively managing teams of developers. I also found insightful their admission on page 122 that there are two situations that increase the likelihood of coding errors, namely when coding something creative/innovative and when coding something boring. What the authors might have suggested though is some possible steps one might take to reduce the chances of error in those situations.
Other parts of the book provide interesting and useful overviews of key aspects of SDL as applied to software development. I found for example the explanations of static vs dynamic code analysis vs fuzz testing helpful and clarifying, having had some exposure myself to the topic of fuzz testing when I wrote a whitepaper awhile back for the Office team at Microsoft. And scattered throughout the book are practical and actionable recommendations where additional useful information can be found to enhance secure coding, such as page 126 where they reference OWASP’s Cross Site Scripting Prevention Cheat Sheet which provides guidance for mitigating the possibility of cross site scripting attacks when developing web applications. OWASP actually has a whole bunch of useful cheat sheets on specific application security topics which you can download for free here.
There’s much more to learn and think about in this book but being constrained with time I was only able to quickly go thru the first two chapters. But if you’re in any way involved in managing the development of applications and services for your organization and value those applications and services being as secure as possible, I recommend you get hold of this book and read it through. You can buy it on Amazon here.
EDITOR’S NOTE: We’ll be rebooting this section soon under a different name to make it more useful to our IT pro readers—stay tuned!
AlterPoint is a network management platform that enables you to effectively manage network device configuration and backup.
Ontrack can help small, mid- and large-scale businesses recover, restore and retrieve server data in a time sensitive manner:
TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software:
PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator:
WMISpy is a tool to help you understand the intricates of WMI (Windows Management Instrumentation):
Clear Technology lets you automate routine business processes and transactions to improve consistency and efficiency of operations processing teams.
Factoid: Data-crunching energy drinks
Back in our February 21st newsletter we included this Factoid:
Fact: Love and logins: Who gets custody of passwords in a breakup?
Question: Has technology disrupted the traditional way of writing up wills, powers of attorney and similar documents? Are these done online now in some jurisdictions? Can you write up your will on your phone and have it legally enforced? Can you have digital-only wills or does there still need to be a hardcopy stored somewhere? Are people including clauses in their wills that grant password usage rights to beneficiaries or to executors?
Andrew Wong from Toronto, Canada responded to this by saying:
I have heard some people are including login names and passwords in their written wills for the convenience of their beneficiaries. I haven’t done something similar, and don’t intend to. I feel a bit silly in doing this, but I admit that this question looms in the mind: “What about those online accounts, platforms, subscriptions, etc. after I die and I am the only one who has access?”
Gee I guess dying is getting more complicated these days. Wayne Hanks from Australia also commented on this after doing a bit of research to help us all out in this area:
Following on from our discussion, I found these articles regarding preparing your account . Firstly Google has an inactive account manager that will allow you to specify what happens to your account.
Facebook has a FAQ about setting up your legacy on FB.
Twitter does not have anything automated but they will talk to the executor of an estate about memorializing or deleting the account.
And finally there is the following from a law firm.
Of course the simplest way is to have a file with the usernames and passwords for various accounts available on an SD card or usb drive that is kept with your important papers. Like any offline resource, it would need to be regularly updated when passwords are changed.
Very good stuff Wayne, thanks for doing our homework for us!
Wayne also had some thoughts to share concerning last week’s Factoid which was this:
Fact: Connected cars must be open to third parties, say Massachusetts voters
Question: What about repairing (or modifying) PCs? Do you still open the box from time to time? Can you still find your way around inside? Has the reparability of PCs you’ve bought changed over the years? And is that simply because of evolving technology, or do you think PC manufactures are deliberately making it harder for customers to play with the guts inside their machines?
Here are Wayne’s comments on these matters:
When Microsoft started tying the serial number activation to the hardware and components, it became a bit more complicated. And with the advent of super light and thin machines, the days of adding extra ram or a different HDD are coming to an end. For example, I challenge anyone to modify the hardware in their Surface Pro or Chromebook. Apple started this with the iPads and iPhones and many manufacturers have followed this trend with laptops. I have in the past taken a bunch of junked laptops and managed to get a couple of workable ones for friends and family by exchanging components but this is not really a thing now. Usually when a laptop is broken , it becomes e-waste.
Many of the newer business desktops (low profile and mini) have HDD , video and network components as part of the motherboard, and have no capacity for expansion apart from minimal memory upgrades. They have the power supply as an external unit similar to laptops, saving the cost of a dedicated internal supply.
Many servers are designed in component form, either with blade servers or plug in modules. Memory, processors, fans, power supplies and hard drives are all interchangeable. However with most people opting for the cloud, only those that have in house servers, or work in data centers see these any more.
For the enthusiast there have always been available components and boxes to allow access, but these are usually at the expense of weight and cost.
That about sums it up. But FWIW when we purchase new desktop PCs for our business we usually go for the larger “tower” models when they’re available, mostly because my fat fingers find their way around the guts of these machines better than when I try to mod small form factor (SFF) or (ugh) mini systems. And since we usually buy refurb and stay one step behind with operating systems, we usually have few problems in this area. Plus I still like getting my hands into hardware to “move slow and not break things”.
Anyways, let’s move forward now with this week’s factoid:
Fact: Oracle’s Red Bull Deal Highlights the Power of Data-Crunching in Formula 1
Question: What’s your favorite energy drink, and why? Mine is NOS mostly because I like the Fast and Furious movies. Well, at least the first few in the series, the recent ones suck. What about our readers?
Email us your answer and we’ll include it in our next issue!
Subscribe today to WServerNews!
Subscribe today and join almost 200,000 other IT professionals around the world who subscribe to our newsletter! Just go to this page and select WServerNews and you’ll receive it every Monday in your inbox.
Fun videos from Flixxy
EDITOR’S NOTE: We’ll be replacing this section next week with a new section where we’ll be including various different kinds of interesting and fun stuff to entertain our readers, so stay tuned! Until then here are a few classic videos from Flixxy…
The History Of Computers And Operating Systems
The Future Of Computing (1967)
Oldest Working Electronic Computer Runs A Program
World’s Smallest Computer – The Mactini (Comedy)
The World’s First Portable Computer (1975) – IBM 5100
John Cleese: Portable Computer Compared To A Fish
The odd, the stupid and the remarkable. Enjoy.
This HAM radio geek in the UK tried performing an experiment: he mailed an Apple AirTag to himself so he could find out how well Apple’s tracking network actually works. Read it (or watch it) here:
We posted our Apple AirTag (Essex Ham)
AirTags can be useful in other interesting ways (besides tracking your unfaithful partner or spouse). For example Bruce Schneier tells how a German activist tries to track down a secret government intelligence agency using them.
Tracking Secret German Organizations with Apple AirTags (Schneier on Security)
Have any of our readers used Apple AirTags? What do you use them for? Any security concerns over their use? Let us know.
Please tell others about WServerNews!
We hope you enjoyed this issue of WServerNews! Feel free to send us feedback on any of the topics we’ve covered—we love hearing from our readers! And please tell others about WServerNews! It’s free and always will be free—and they can subscribe to it here. Thanks!!!
Product of the Week