GDPR SECURITY

If anything online is “free” then you, or rather your privacy, are the product. As the old saying goes, “there is no such thing as a free lunch”. AVG, purveyor of free anti-virus cum bloatware, made this abundantly clear when it announced a new Privacy Policy in 2015, and with GDPR now in force the question of what data you and your organisation give away could not be more important.

In summary: if you use its free software, it will be harvesting and selling your data, or rather the personal data of anyone you work with or for. This last point is incredibly significant in light of GDPR. As AVG and other ‘Pay With Privacy’ (PWP) products and services collect data about you throughout your working day, they are also collecting data about your customers, contacts and anyone else who entrusts their data to you, however ‘inadvertent’ that collection may or may not be.

This data collection is not limited to free anti-virus software: Google's free Gmail service, Microsoft's free Outlook.com (formerly Hotmail) service, BT Connect email addresses and many other “free” IT products work in the same way. The data collected is used to target advertising at you and potentially at your customers.

If you choose to use ‘free’ Pay With Privacy products and services in your business you have to ask yourself why, and what the legal implications are. There will almost certainly be a commercial or genuinely open source, business-to-business (B2B) product that is suitable, so the choice usually comes down to price, particularly for small businesses and Third Sector organisations. In that case you really cannot argue that you did not knowingly resell your customers' data and breach their privacy: you are receiving a product or service for a consideration, and in this case that consideration is your data, which is what ‘Pay With Privacy’ (PWP) means. So my simple question is this: do your Terms of Business make it clear to customers that you are selling their data, and what are the implications of that under GDPR?

This practice has long been dubious at best, but the introduction of GDPR creates additional legal exposure which could be putting your organisation at risk. As yet we have not seen significant action taken by the UK authorities in relation to GDPR breaches, but everyone in the industry expects that to change swiftly once the Brexit chaos is out of the way. The Information Commissioner's Office (ICO) has stated on many occasions that it will initially seek to create test cases and to tackle ‘low hanging fruit’. The use of these privacy-busting applications and services would appear to fulfil both criteria: a significant test case and low hanging fruit.


So perhaps you're thinking this is all a little melodramatic, and I won't deny that it is. Or perhaps you're thinking: we're a small business, we're insignificant in the grand scheme of things, we don't handle sensitive data. Some or all of these may be true, and I will be happy to listen to you explain that to your most privacy-conscious customer when they discover the data breach and report it to the Information Commissioner, or, even worse, in a court of law.

My point is simple: given the low cost of basic business anti-virus, basic Google for Business email services, or even our professionally monitored and managed Secure, Monitor, Protect product, is it a risk worth taking?

For further information about AVG's changes, read Rhodri Marsden's take on AVG's Privacy Policy. AVG announced the changes in a blog post. The updated policy is here, or take a look at this extract:

We collect non-personal data to make money from our free offerings so we can keep them free, including

* Advertising ID associated with your device.
* Browsing and search history, including metadata.
* Internet service provider or mobile network you use to connect to our products.
* Information regarding other applications you may have on your device and how they are used.
* AVG will also collect data about apps on your computers & mobile devices.

BT, Yahoo and Sky Email's T&Cs also make it clear that they collect your data and use it to allow advertisers to target you better; the full terms are here: https://policies.oath.com/ie/en/oath/privacy/partnercontrollers/index.html

Secure, Monitor, Protect from Welgo provides businesses with a business-level security platform monitored and maintained by Welgo's professional Edinburgh IT consultancy. We monitor your computers live and deal with threats as they occur, so that your team are not interrupted by pop-up messages they are unsure how to respond to.

Welgo provides business email, collaboration and cloud services from both Google for Work and Microsoft 365. For more information, or to enquire about business IT support and consultancy from Welgo, click here. We work with small businesses and Third Sector organisations throughout the UK.

If you have any questions, please call the Welgo helpline on 0131 667 0195 or raise a support request via the Welgo Support Portal.

If you are not already a Welgo customer, please call us and one of the team will be happy to arrange an appointment to discuss how Welgo can help with your business IT needs.

Picking a good password is an important aspect of computer security. A poorly chosen password may result in unauthorised access to, and/or exploitation of, systems and resources. All users, including clients, contractors and vendors with access to your systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Complex passwords which are not easily remembered or typed are no good, and neither are passwords with hard-to-find special characters. When picking a good password, try to create one that is both secure and easily remembered. One way to do this is to base the password on a saying, song title, affirmation or other phrase.

For example: “This May be 1 Way 2 Remember”

This password is long, uses upper and lower case characters, numbers and spaces, and uses them in an unnatural, grammatically incorrect way. It can be remembered easily and typed quickly and naturally, which makes it harder for someone to catch by looking over your shoulder, and even if someone guessed the phrase they would still need to know exactly how you have typed or modified it. You could also use a variant such as:

“THIS may be1 way2 REMEBER”

“TmB1w2R3m3mb3r!”

“Tmb1W>r3meber~”

“This£May $e 111 Way 2 R3m3mb3r”

or some other weird and wonderful variation, the weirder the better!

NOTE: Do not use any of these examples as your password!

However, be mindful that some systems have strange and pointless password restrictions, such as no spaces or a low maximum length, so there is no one-size-fits-all approach.


When picking a good password, remember that length beats complexity every time. That said, the strongest passwords have the following characteristics:

Contain at least three of the following five character classes:
Lower case characters
Upper case characters
Numbers
Punctuation
“Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ and space etc.)
Contain at least twenty (20) characters.


Weak passwords, or passwords with the following characteristics, are normally prohibited and should be avoided:

Short passwords (fewer than twenty characters, yes, 20!).
A password containing a word found in a dictionary (English or foreign), unless it is a combination of at least four such words constructed so as to meet the minimum standards set out above.
A password that is a common-usage word, such as:
Names of family, pets, friends, co-workers, fantasy characters, celebrities or other persons of note, sports teams or players, etc.
Computer terms and names: commands, sites, companies, hardware, software.
Any derivative of a word from the list above.
Birthdays and other personal information such as addresses and phone numbers.
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, 123456789 etc.
Any of the above spelt backwards.
Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Any dictionary word with numbers replacing letters in a predictable or formulaic manner, such as “w00d”, “5p0rt” or “313ph4nt”.
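The rules above are easy to state and surprisingly fiddly to enforce, so here is an added example of a checker that applies them; it is not code from the original post or from Welgo. The wordlist and pattern list are tiny constructed stand-ins (a real checker would load a full dictionary or a breached-password corpus), and the five character classes are an assumed reading of the policy's list: lower, upper, digit, punctuation, and everything else including space. The de-leeting table undoes the predictable substitutions the policy warns about, so "313ph4nt" is still caught as "elephant", and tokens are checked backwards and with a single leading or trailing digit removed to catch "terces" and "secret1". Run against the post's own examples it also shows that the short variants such as "TmB1w2R3m3mb3r!" fail on length alone, which is exactly the "length beats complexity" point.

```python
import re

# Constructed stand-in for a real dictionary / breached-password list. A production
# checker would load a large wordlist; these entries exist only so the sample
# passwords below exercise each rule.
DICTIONARY = {
    "this", "may", "be", "way", "remember", "secret", "password", "wood",
    "sport", "elephant", "welcome", "summer", "admin", "letmein",
}

# Keyboard walks and repeats the policy calls out (checked forwards and backwards).
PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef", "aaabbb", "123321")

# Predictable digit/symbol-for-letter substitutions to undo before the dictionary
# check, so that w00d, 5p0rt and 313ph4nt are still recognised as words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

MIN_LENGTH = 20        # "length beats complexity"
MIN_CLASSES = 3        # at least three of the five character classes
MIN_PHRASE_WORDS = 4   # a passphrase needs at least four dictionary words
PUNCTUATION = set(".,;:!?'\"")


def character_classes(pw: str) -> set:
    """Which of the five character classes in the policy the password uses."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        else:
            classes.add("special")  # every other symbol, including space
    return classes


def _derivatives(token: str) -> set:
    """Forms of a token that still count as 'the same word': lower-cased,
    de-leeted, reversed, and with a single leading/trailing digit stripped."""
    base = token.lower()
    forms = {base, base.translate(LEET)}
    for form in list(forms):
        stripped = re.sub(r"^\d|\d$", "", form)
        forms.update({form[::-1], stripped, stripped[::-1]})
    return forms


def dictionary_hits(pw: str) -> list:
    """Whitespace-separated tokens that are dictionary words or derivatives of one."""
    return [tok for tok in pw.split() if _derivatives(tok) & DICTIONARY]


def check_password(pw: str) -> list:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} characters, need {MIN_LENGTH}")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} character class(es), need {MIN_CLASSES}")
    low = pw.lower()
    for pat in PATTERNS:
        if pat in low or pat[::-1] in low:
            problems.append(f"contains the pattern '{pat}'")
    hits = dictionary_hits(pw)
    if hits and len(hits) < MIN_PHRASE_WORDS:
        problems.append(f"based on dictionary word(s) {hits}; "
                        f"a passphrase needs at least {MIN_PHRASE_WORDS} words")
    return problems


if __name__ == "__main__":
    for candidate in ("This May be 1 Way 2 Remember", "TmB1w2R3m3mb3r!",
                      "313ph4nt", "secret1", "Qwerty123456Qwerty123456"):
        print(repr(candidate), check_password(candidate) or "OK")
```

The dictionary check is token-based, so a long password made of dictionary words run together with no spaces slips past it; that is a known limitation of this approach and the reason real deployments also check candidates against breached-password lists rather than relying on composition rules alone.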


Password Protection Standards:

Always use a different password for each account or website, and never reuse a company password on non-company or personal accounts.
Passwords should never be written down or stored in a plain-text file, spreadsheet or note; if you need to store them, use a reputable password manager protected by a strong master password and two-factor authentication (see below).
Do not reveal a password in email, chat or other electronic communication.
Do not speak about a password in front of others.
Do not hint at the format of a password (e.g. “my family name”).
Do not reveal a password on questionnaires or security forms.
Always decline the “Remember Password” feature of applications such as web browsers.


If an account or password is compromised, or you have any reason whatsoever to suspect it may have been compromised, you must report the incident to the IT / Data Protection lead in your company and, if you are a Welgo customer, to our IT team.


Most importantly of all, use two-factor authentication wherever it is available, and remember: when picking a good password, length beats complexity every time.

It is also worth noting that Google itself has not, to public knowledge, suffered a breach that exposed its users' passwords; individual Google accounts are nevertheless compromised all the time, because people use weak or reused passwords or are tricked into revealing them. Attackers target Google users in this way precisely because attacking the Google platform itself is so much harder.

Finally, consider using a secure password management service such as LastPass. So long as you use it with a strong master password and two-factor authentication, LastPass is a good way to keep track of all your passwords and other credentials.

In the first of a series of blog posts about email security and deliverability, I set out to explain what SPF is and why you should use it.

SPF stands for Sender Policy Framework, and while that might sound very technical it is actually a simple validation system introduced to detect email spoofing. SPF gives the receiving mail server a way to check whether incoming mail claiming to be from a domain is coming from a mail server authorised to send on behalf of that domain. Strictly speaking, the domain SPF checks is the one in the envelope sender (the SMTP MAIL FROM, shown as Return-Path in the headers), not the From: address the user sees; tying those two together is DMARC's job, covered later in this series.

For example, my mail server receives an email claiming to be from your company, but the email was sent via a BT Internet mail server. My mail server checks your company's publicly published SPF record and finds that BT Internet's mail server is not authorised to send mail on behalf of your company, so my server should either reject the message or treat it with suspicion.

Similarly, if my mail server receives an email claiming to be from your company and the email was sent via a Google for Work mail server, my server checks your company's SPF record and finds that Google's SPF record is referenced in it because you are a Google for Work customer. My mail server will then treat the message as genuine, continue to scan it in the normal way, and consider it more positively in the overall spam-filtering process.

The list of authorised sending mail servers for a domain is published in the publicly accessible Domain Name System (DNS) records for your domain, as a specially formatted TXT record. For example, the Ramsay.IT SPF record is:

v=spf1 a include:_spf.google.com include:autotask.net include:spf1.mcsv.net include:_spf.freeagent.com include:spf.mandrillapp.com -all

You can find out more about how to create and manage SPF records at http://www.openspf.org/ (the specification itself is RFC 7208). One practical caveat: SPF allows at most ten DNS-querying mechanisms (include, a, mx, ptr and exists) per evaluation, counting those inside any record you include, so a long list of third-party includes like the one above can exceed the limit, at which point receivers return a permanent error rather than a pass.

Essentially, the receiving mail server checks the identity of the server sending it mail against the SPF record and returns one of the following results:

  • Pass: the SPF record designates the sending mail server as allowed to send mail => accept the message.
  • Fail: the SPF record designates the sending mail server as NOT allowed to send => reject the message (in practice many receivers feed this into spam scoring rather than rejecting outright).
  • SoftFail: the record designates the sending mail server as NOT allowed to send, but the domain is in transition => accept the message but mark it as spam or score it down.
  • Neutral: the record explicitly says that nothing can be concluded about validity => accept the message.
  • None: the domain has no SPF record => accept the message.
  • PermError / TempError: the record is malformed or needs more than the ten DNS lookups SPF allows, or a DNS lookup failed => not a pass; handling varies by receiver.
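To make the evaluation concrete, here is an added example of a minimal SPF evaluator; it is not code from the original post or from Welgo, and it runs against a constructed in-memory DNS table rather than real lookups (the domains and addresses are made up from the documentation ranges). It handles the mechanisms that appear in the Ramsay.IT record (a, include, ip4/ip6 and all with the four qualifiers), returns the results listed above, and goes one step beyond the list by counting DNS-querying mechanisms and returning permerror when an include loop or a long chain exceeds the ten-lookup limit.

```python
import ipaddress

# Constructed in-memory DNS so the example runs offline. Every domain, address
# and record here is made up (RFC 5737 / RFC 3849 documentation ranges).
DNS_TXT = {
    "example.co.uk": "v=spf1 a include:_spf.provider.example ip4:203.0.113.0/24 ~all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 mx -all",
    "neutral.example": "v=spf1 ?all",
    "loop.example": "v=spf1 include:loop.example -all",
}
DNS_A = {"example.co.uk": ["192.0.2.10"], "mail.strict.example": ["192.0.2.25"]}
DNS_MX = {"strict.example": ["mail.strict.example"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation


def _host_addrs(name: str) -> set:
    return {ipaddress.ip_address(a) for a in DNS_A.get(name, [])}


def check_host(ip: str, domain: str, lookups=None) -> str:
    """Evaluate the SPF record of `domain` for a connection from `ip` and return
    one of pass / fail / softfail / neutral / none / permerror."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups   # counter shared across includes

    for term in record.split()[1:]:
        qualifier = "+"                              # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain                       # "a" / "mx" default to the current domain

        if mech in ("include", "a", "mx"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # membership is False when the address family does not match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in _host_addrs(target)
        elif mech == "mx":
            matched = any(addr in _host_addrs(h) for h in DNS_MX.get(target, []))
        elif mech == "include":
            # include matches only when the referenced record yields "pass";
            # its fail/softfail/neutral are not inherited, but errors are
            inner = check_host(ip, arg, lookups)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"
        else:
            continue  # modifiers (redirect=, exp=), ptr, exists and a/24 forms are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record with no match


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.co.uk"), ("198.51.100.7", "example.co.uk"),
                    ("192.0.2.99", "example.co.uk"), ("192.0.2.26", "strict.example"),
                    ("192.0.2.1", "nospf.example"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} -> {dom:<22} {check_host(ip, dom)}")
```

Note how "192.0.2.99" against example.co.uk ends in softfail rather than fail: the included provider record says -all, but a failing include simply does not match, so evaluation continues to the domain's own ~all. That is the usual source of confusion when people expect a third party's -all to apply to their domain.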

Why use SPF?

Email spam and phishing emails very often contain forged “from” addresses. By publishing and checking SPF records you help to ensure that forged emails are not delivered and that they do not harm the reputation of your domain. If users receive spam claiming to be from your domain and report it through their spam system, that counts against your domain's reputation, and your domain's reputation with the various spam-filtering systems will, of course, affect the chances of your genuine email being classed as spam.

By publishing an SPF record you also allow the receiving mail system to verify that the mail is genuine, increasing the odds that it will pass the recipient's spam filtering. This is what we call “increased deliverability”.

If you are a Welgo customer or a Welgo Google for Work customer we will have created an SPF record for you. If you have any questions about that record, please call the Welgo helpline on 0131 667 0195 or raise a support request via the Welgo Support Portal.


In the second of a series of blog posts about email security and deliverability, I set out to explain what DKIM is and why you should use it.

DKIM, or DomainKeys Identified Mail, is an email authentication method which lets your outgoing mail server sign the mail it sends, giving the receiving mail server a way to check that incoming mail from a domain is genuine. DKIM allows the receiver to check that an email claiming to come from a specific domain was indeed authorised by that domain's administrator and has not been altered on the way. This is achieved with public-key cryptography, and while that might sound very technical it is actually a rather simple validation system introduced to help detect email spoofing and provide authentication of email.

DKIM uses public-key digital signatures. A key pair is generated: the private key, which only you (hopefully) hold, is used to create a signature over a hash of the message's selected headers and body, and the matching public key lets anyone verify that signature. If the signature does not verify with your public key, then either the message was not signed with your private key or it was changed after it was signed. Deriving the private key from the public key is not feasible with any realistic amount of computing power.

Here’s how it works;  

You publish a public key in the publicly accessible Domain Name System (DNS) records for your domain, as a specially formatted TXT record at <selector>._domainkey.<your domain>. If you have more than one mail server or sending system, you publish one record, with its own selector, for each of them.

When you send an email, the mail system adds a DKIM-Signature header to the message: a string of text created with your private key, which is not normally displayed to the recipient (see the email headers).

The receiving mail server sees the signature in the headers, uses the selector and domain named in it to look up your public key in DNS, and then checks the signature to verify the authenticity of the message, or otherwise treats the message accordingly for spam filtering.

One key limitation of DKIM is that if no signature is present in the headers, the receiving system has no reason to look for a DKIM record in the sending domain's DNS. DKIM on its own therefore helps to ensure that genuine mail is delivered, but does little to prevent spoofed or spam mail from being delivered as well. For that we have to turn to DMARC.

However, by using DKIM you allow the receiving mail system to verify that the mail is genuine, increasing the odds that it will pass the recipient's spam filtering. This is what we call “increased deliverability”. Unlike SPF, a DKIM signature normally survives forwarding, because it travels with the message rather than depending on which server handed it over.

If you are a Welgo customer or a Welgo Google for Work customer we will have created a DKIM record for your primary email system; however, any third-party system you use to send email, such as an email marketing system, should have its own DKIM record added as well. If you have any questions about these records, or about email security in general, please call the Welgo helpline on 0131 667 0195 or raise a support request via the Welgo Support Portal.


DMARC Explained

In the third of a series of blog posts about email security and deliverability, I set out to explain what DMARC is and why you should use it.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is the most recent addition to the suite of email authentication methods available to companies.

A DMARC policy lets a domain tell receiving mail servers that its email should be protected by SPF and DKIM, and what action to take when those checks fail. DMARC also provides a mechanism for the domain to request feedback about messages that have failed the DMARC evaluation, which allows fault finding and further strengthens the system.

DMARC is designed to help email receivers determine whether an incoming message aligns with the guidance issued by the sender, and if not, what to do with it. DMARC doesn't directly tell a recipient whether an email is spam or otherwise fraudulent. Instead, it requires that a message pass at least one of SPF and DKIM, and that the identity which passed aligns with the From: header the user sees. For SPF, the message must pass the SPF check and the domain SPF validated (the envelope sender) must align with the domain in the From: header, matching it exactly if strict alignment is specified. For DKIM, the message must carry a valid signature and the d= domain of that signature must align with the domain in the From: field (again exactly, for strict alignment). Under relaxed alignment, which is the default, a subdomain of the same organisational domain is enough. So a message can pass SPF or DKIM and still fail DMARC on alignment: mail sent from test.welgo.co.uk with a signature for welgo.co.uk passes under relaxed alignment but fails if strict alignment is specified.

DMARC policies are published in the publicly accessible Domain Name System (DNS) records for your domain, as a specially formatted TXT record at _dmarc.<your domain>. Unlike DKIM, you publish one DMARC record per domain rather than one per sending system: the single policy covers every system that sends as that domain, which is why all of them must be set up for SPF and DKIM before the policy is enforced.

Receivers send daily aggregate reports to an email address specified in the policy (the rua= tag), telling the sending domain's administrator how many emails were received and whether they passed SPF and/or DKIM and were aligned or not. This allows the administrator to assess the impact and effectiveness of the SPF and DKIM set-up during the deployment phase.

During the deployment phase there are a number of options which limit the damage from false positives: a monitoring-only policy (p=none) that reports but takes no action, quarantining messages rather than rejecting them (p=quarantine instead of p=reject), and setting the percentage of failing messages the policy is applied to (pct=).
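The alignment and policy logic described above, as an added example that is not code from the original post or from Welgo. It takes the SPF result (for the envelope MAIL FROM domain) and the DKIM result (for the signature's d= domain), looks up the From: domain's policy with the fall-back to the organisational domain that subdomains get, and returns the disposition. The DMARC records, domains and the tiny public-suffix table are constructed stand-ins (a real implementation uses the full Public Suffix List to find the organisational domain); the relaxed and strict records mirror the test.welgo.co.uk case above using example domains, and the "marketing system sending as your domain without your DKIM" case shows why enforcement has to wait until third-party senders are set up.

```python
# Constructed public-suffix stand-in. Assumption: a real implementation uses the
# full Public Suffix List (publicsuffix.org) to find the organisational domain.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "uk", "com", "org", "net", "example"}

# Constructed DMARC records, published as TXT at _dmarc.<domain>. Made-up domains.
DNS_TXT = {
    "_dmarc.example.co.uk": "v=DMARC1; p=quarantine; adkim=r; aspf=r; pct=100; "
                            "rua=mailto:dmarc@example.co.uk",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
}


def organizational_domain(domain: str) -> str:
    """Registrable domain: the label just above the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def _record_tags(record: str) -> dict:
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)


def lookup_policy(from_domain: str):
    """Fetch _dmarc.<From domain>; for a subdomain with no record of its own,
    fall back to the organisational domain's record. Returns (tags, is_subdomain)."""
    from_domain = from_domain.lower()
    record = DNS_TXT.get(f"_dmarc.{from_domain}")
    if record is not None:
        return _record_tags(record), False
    org = organizational_domain(from_domain)
    record = DNS_TXT.get(f"_dmarc.{org}") if org != from_domain else None
    return (_record_tags(record), True) if record is not None else (None, False)


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the default) accepts any domain sharing the organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(from_domain: str, spf_result: str, spf_domain,
             dkim_result: str, dkim_domain) -> dict:
    """Combine the SPF result (envelope MAIL FROM domain) and the DKIM result
    (signature d= domain) with the From: domain's DMARC policy."""
    policy, is_subdomain = lookup_policy(from_domain)
    if policy is None or policy.get("v") != "DMARC1":
        return {"dmarc": "none", "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:                      # one aligned pass is enough
        return {"dmarc": "pass", "disposition": "none"}
    # sp= (subdomain policy) overrides p= for mail from subdomains, if present.
    action = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    # pct= says what fraction of failing mail the action applies to; it is reported
    # here rather than sampled at random so the result stays deterministic.
    return {"dmarc": "fail", "disposition": action,
            "pct": int(policy.get("pct", "100")), "report_to": policy.get("rua")}


if __name__ == "__main__":
    cases = [
        ("test.example.co.uk", "pass", "example.co.uk", "pass", "example.co.uk"),  # relaxed: passes
        ("test.strict.example", "pass", "strict.example", "pass", "strict.example"),  # strict: rejected
        ("example.co.uk", "pass", "bulkmailer.example", "none", None),  # marketing tool, no DKIM
        ("monitor.example", "fail", None, "fail", None),  # p=none: report only
    ]
    for case in cases:
        print(case[0], "->", evaluate(*case))
```

The third case is the one to watch in practice: SPF passes, because the marketing provider's envelope domain is in its own SPF record, but it is not aligned with your From: domain, and with no DKIM signature for your domain the message fails DMARC and is quarantined. That is exactly why Welgo does not turn DMARC on until every third-party sender has been set up.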

By using DMARC with SPF and DKIM you allow the receiving mail system to verify that the mail is genuine, increasing the odds that it will pass the recipient's spam filtering. This is what we call “increased deliverability”. You also help to protect the reputation of your domain and decrease the chances of your domain being used in spam and phishing attacks.

How does DMARC Work in practice?  

Hopefully this graphic from https://dmarc.org/overview/ explains it a little more clearly.



If you are a Welgo customer or a Welgo Google for Work customer we will create a DMARC record for you. However, we do not always do this as standard, because any third-party system you use to send email, such as an email marketing system, must be set up with your SPF and DKIM records before we can enable an enforcing DMARC policy; failing to do so would stop emails from those systems reaching their intended recipients. If you have any questions about these records, would like DMARC enabled, or have questions about email security in general, please call the Welgo helpline on 0131 667 0195 or raise a support request via the Welgo Support Portal.


As we approach Brexit, with or without a deal or with it delayed, we are finally getting some clarification on how key issues will be handled. Unfortunately this is not good news, and there are some very important points below which require action.

Domain name servers:

The world finds out where to look for your website and where to send your email from your DNS (Domain Name System) records, as published by our name servers (NS). Until two years ago our name servers were ns1.ramsay.IT and ns2.ramsay.IT; however, our Ramsay.IT domain is at risk because of Brexit (see point two below). Therefore, if you are still using the Ramsay.IT name servers above, you must change to our new name servers.

Our new nameservers are:
ns1.welgo.co.uk
ns2.welgo.co.uk

 

We are in the process of changing everyone over; however, if your domain name is held with a third party and we provide your name servers, you may need to do this yourself or ask the company that holds your domain name to make the change for you. You can check your name servers here:
https://mxtoolbox.com/DNSCheck.aspx

 

If you have any questions please ask.

.EU and other EU based Domain names such as .IT .FR

 

Since the creation of the .EU top-level domain (TLD), eligibility for registration has been tied to the presence in, or citizenship of, the EU of the company or person holding the domain name, in accordance with Article 4(2)(b) of Regulation (EC) No 733/2002. Similar rules apply to some country-code TLDs of EU member states, such as .IT for Italy.

 

As of the withdrawal date (currently scheduled for Friday, 29 March 2019), undertakings and organisations that are established in the United Kingdom but not in the EU, and persons who are citizens of the United Kingdom, will no longer be eligible to register, renew or hold .eu domain names.

 

The EU has stated that where, as of the withdrawal date and as a result of the withdrawal of the United Kingdom, a holder of a domain name no longer fulfils the general eligibility criteria, the Registry shall be entitled to revoke that domain name registration on its own initiative and without submitting the dispute to any extrajudicial settlement.

 

Therefore, persons and organisations who hold or use .EU or other European domain names should take the urgent action recommended by the UK Government over the Christmas period.

 

At Welgo we can secure a new domain name and transition you to it. We would normally recommend doing so over a period of years, but that may not be possible in this case.

 

Stock Supply and anticipated requirements

 

The press and 24-hour news channels are full of stories about the potential problems with international trade after Brexit. If you plan to purchase new equipment around or shortly after Brexit, would a delay in delivery or an increase in the price of the kit have a negative effect on you? If so, please talk to us now.

 

Lastly, we hold a limited amount of spare parts and equipment. We keep stock levels low for two key reasons: innovation in the IT market means the value of kit declines, and next-day delivery is the norm for almost everything we need. In preparation for potential delays we are increasing this supply; however, we have to be realistic about how much we can hold, and about the fact that it is simply not practical to stock everything everyone might need. We therefore ask that you consider whether it would benefit your business to hold a supply of spares; this also applies to office stationery, printer consumables, paper and till-roll supplies.

Recent articles in the media have raised awareness of two processor security vulnerabilities named Meltdown and Spectre. These are particularly troubling because they affect most computer processors: Meltdown affects Intel chips (and a few ARM designs), while Spectre affects Intel, AMD and ARM processors alike, which is why Apple has said all of its Macs and iOS devices are affected. Between them they cover most PCs, servers and laptops, and a good many non-Apple tablets and mobile phones, in use today.

Meltdown and Spectre can be exploited by malware to read passwords and other sensitive data out of a computer's memory. Patches for Windows PCs are available for one of the bugs, and patches for most other systems are on the way. Crucially, the updates incur a performance hit. The effects are still being benchmarked, but on Intel products there are extensive reports of slowdowns of between 5% and 35%; individual results will depend on the workload and on the processor model and type you have.

Because of the performance hit we understand there will be some reluctance to install the updates that fix these security flaws; however, we must put the security of your systems, and of your customers' data, ahead of all other factors.

Three class actions have been launched in America, which state: “The defect renders the Intel x86-64x CPUs unfit for their intended use and purpose,” the complaints read. “In essence, Intel x86-64x CPU owners are left with the unappealing choice of either purchasing a new processor or computer containing a CPU that does not contain the Defect, or continuing to use a computer with massive security vulnerabilities or one with significant performance degradation.”

We agree, and we believe there will be much broader implications as regulators and courts in other countries get involved, which could lead to further lawsuits.

In the meantime, unless clients contact us specifically to say that they do not authorise Welgo to implement the patches, we will begin installing them from Saturday 13th January 2018.

Further to this, we will be installing updates to our web services; this may result in a short service interruption between 22:00 and 24:00 on both Tuesday 9th and Wednesday 10th January 2018.