Thursday, September 30, 2021

Windows 11 will be released soon. However, your computer may not be compatible, either because you have an older computer or because of certain settings in your BIOS. First, here is a very general article about the problem. It covers enterprise computers as well as personal computers. Some of you may have that arrangement, even if you work from home, so I thought it reasonable to include that information. Go past the article for more information.

Security boost in Windows 11 limits PC reuse

Microsoft has put a lot of emphasis on improving security in Windows 11, but this comes at a cost as old hardware is no longer supported

By Cliff Saran

Published: 29 Sep 2021 14:39

Data from Lansweeper has found that almost a fifth of PCs will be unable to run Microsoft’s newest operating system (OS), Windows 11. Although it can be manually installed on any PC, Windows 11 is only certified to run on equipment with processors less than four years old. An automatic upgrade to the new operating system is only possible if the PC is running a supported processor and has the minimum 4GB of required memory. Specifically, to run Windows 11, PCs need a trusted platform module (TPM version 2.0), which Microsoft describes as a secure crypto-processor designed to carry out cryptographic operations. It said the TPM includes multiple physical security mechanisms to make it tamper-resistant.

Malicious software is unable to tamper with the security functions of the TPM, Microsoft noted in the Windows 11 specifications webpage. The TPM is used to store cryptographic keys and helps to maintain the integrity of the system. Newer hardware tends to have the TPM built-in, such as Intel Platform Trust or AMD Platform Security Processor. 

However, analysis from Lansweeper, based on an estimated 30 million Windows devices from 60,000 organisations, found that many PCs lack TPM capabilities. It reported that, on average, only 44.4% of the workstations were eligible to receive the automatic upgrade.

Lansweeper’s analysis found that while the majority of PCs (91%) had sufficient RAM, only about half of the workstations met the TPM requirements. Of the PCs it analysed, almost a fifth (over 19%) failed and 28% were not TPM-compatible or did not have the crypto-processor functionality enabled.

For PCs with a TPM 2.0 module, the function can be enabled in the Bios menu. For older devices, some PC motherboard models offer an add-in TPM 2.0 card which can be purchased. But some organisations may need to scrap their old PC hardware altogether if they want to install Windows 11.

Organisations using virtual desktop infrastructure (VDI) also face challenges in updating virtual machines (VMs) to Windows 11. When Lansweeper analysed virtual machines, it found that CPU compatibility was slightly higher, at 44.9%, but only 66.4% of the VMs had enough RAM. Its analysis also found that very few Windows VMs (0.23%) had TPM 2.0 enabled.

While TPM passthrough (vTPM) exists to give virtual machines a TPM, Lansweeper said this feature was rarely used. It warned that Windows VMs would need to be reconfigured with a vTPM before they could upgrade to Windows 11.

It also found that TPMs on physical servers only passed the test 1.49% of the time. This, according to Lansweeper, means about 98% would fail to upgrade if Microsoft were to create a server operating system with similar requirements in the future. Its analysis found hardly any virtual servers with TPM enabled.

Discussing the data, Roel Decneut, chief marketing officer at Lansweeper, said: “Microsoft justifies the need for these requirements to allay security fears, as many devices won’t be able to upgrade, even some that are fresh on the market.”

Decneut said the improved security might drive organisations that are early adopters of new technology to upgrade their PC estate, but in enterprises with thousands of Windows machines the upgrade would be a massive task, requiring a full inventory of the PC estate.

One of the implications of this change, even if you aren't on an enterprise computer, is that servers and workstations at, say, hospitals or retail establishments, that use Windows may not migrate to Windows 11 and, therefore, will have a security exposure compared to using Windows 11.

Now, a couple of articles on how to tell whether or not you can install Windows 11. There are two things you have to check: (1) your computer hardware and (2) your BIOS settings. The articles:

Confirm TPM 2.0 with Device Manager

To check if a TPM chip is present and enabled with Device Manager, use these steps:

  1. Open Start.
  2. Search for Device Manager and click the top result to open the app.
  3. Expand the Security devices branch.
  4. Confirm the Trusted Platform Module 2.0 entry exists.

The BIOS needs to be checked as well to make sure it has UEFI enabled. If you have a pre-Windows 10 installation, you can get to the BIOS using the function key, or whatever key is assigned to the BIOS, to bring the interface up. You will need to know your BIOS to check for UEFI. For Windows 10, you can check for UEFI by restarting your computer: click the "Start" icon, then the power button, then hold the Shift key and left-click the Restart option. The computer will reboot to this:



Left click on the Troubleshoot option to get this:


The UEFI Firmware Settings icon needs to exist; otherwise, you will have to reinstall Windows with this setting enabled.
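
The same checks can be scripted. The following is an added example, not part of the original post or the articles it cites: it reads the TPM state, the firmware type and the installed RAM in one pass. It assumes an elevated (Administrator) Windows PowerShell 5.1 or later session; the function name `Test-Win11Prerequisite` is made up for this example, and the processor check mentioned in the article is not covered.

```powershell
# Added example: run in an elevated (Administrator) PowerShell 5.1+ session
# on the PC you want to check. Test-Win11Prerequisite is a hypothetical name.
function Test-Win11Prerequisite {
    $report = [ordered]@{
        TpmPresent     = $false
        TpmEnabled     = $false
        TpmSpec        = 'n/a'
        TpmIs20        = $false
        FirmwareType   = 'Unknown'
        FirmwareIsUefi = $false
        InstalledRamGB = 0
        RamAtLeast4GB  = $false
    }

    # TPM: Win32_Tpm is the WMI view of the device that Device Manager lists
    # under "Security devices". No instance usually means there is no TPM or
    # it is switched off in the firmware setup.
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop |
               Select-Object -First 1
    } catch {
        $tpm = $null   # namespace unavailable, or the session is not elevated
    }
    if ($tpm) {
        $report.TpmPresent = $true
        $report.TpmEnabled = [bool]$tpm.IsEnabled_InitialValue
        $report.TpmSpec    = $tpm.SpecVersion
        # SpecVersion is a comma-separated string; the first field is the
        # specification family ("2.0" or "1.2").
        $family = ($tpm.SpecVersion -split ',')[0].Trim()
        $report.TpmIs20 = ($family -eq '2.0')
    }

    # Firmware: reports Uefi or Bios (legacy) without rebooting into the
    # recovery menu.
    $fw = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    if ($null -ne $fw) {
        $report.FirmwareType   = $fw.ToString()
        $report.FirmwareIsUefi = ($fw.ToString() -eq 'Uefi')
    }

    # RAM: sum the installed memory modules and compare with the 4GB minimum
    # quoted in the article.
    $bytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
              Measure-Object -Property Capacity -Sum).Sum
    $report.InstalledRamGB = [math]::Round($bytes / 1GB, 1)
    $report.RamAtLeast4GB  = ($bytes -ge 4GB)

    [pscustomobject]$report
}

Test-Win11Prerequisite | Format-List
```

A result with `TpmPresent` false on recent hardware is the case the article describes, where the TPM exists but has to be enabled in the BIOS menu first.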

Wednesday, October 21, 2020

Your AT&T, bellsouth.net, and AOL passwords need to be changed if you use any application to access your email

 I've been away for a while:  writing a book.  But I'm nearing completion and I can deal with other issues.

The title says what the problem is, but I'll reiterate. The companies listed above, and maybe others, now require that, if you use an application other than the provider's own to access your email, you use a special web page on their web site to obtain a special application-specific password from your provider. You can't make up your own password for your email application, and your old password will suddenly stop working without warning sometime in the future. Don't you hate that?

The problem is that email providers are implementing something called OAuth. This means that, for example, if you want to use Gmail to access your bellsouth account, you have to go to the bellsouth web page that provides the password for accessing the bellsouth account (https://www.att.com/support/article/email-support/KM1240462?authNState=Y&haloSuccess=true). Get a password from that page by copying it to the clipboard. Go back to the setup for your Gmail account and enter that password in the dialog...

For Gmail:

  • open the email interface
  • click the gearbox in the upper right corner
  • Click on the blue "See all settings" link at the top of the dropdown for settings.
  • Click "Accounts and Import" at the top of the Settings page
  • Look for "Check Mail From Other Accounts" on the left navigation area. Your bellsouth, att, or aol email should be listed there. Click the blue "edit info" on the right side.
  • Change the password to the one provided by pasting it into the password field.
  • Click "Save Changes" and wait for the dialog box to disappear.
  • Click "Check mail now" back on the Settings page to test it.

I know that AOL is requiring this change too. See https://help.aol.com/articles/Create-and-manage-app-password


WARNING: Because the drop-dead times for switching are approaching, there are phishing scams that exploit this requirement by sending a very official-looking email to you. Click on any of the links and you are dead meat. Go to your provider's web page without going through any email link. I suppose that means, if you want to be strict about it, that you shouldn't click on the links I have provided.

Monday, February 10, 2020

Using Outlook with Gmail

If you convert your email to Gmail, then the best user interface for your mail is the Gmail web interface.  However, if you are a longtime Outlook user and want to continue using it, you have to create a new user account in Outlook that points to your gmail account.  This is not a straightforward exercise.  Plus, in the end, if you want to continue to pull email from your old account, you will have two .pst files in Outlook.  (If you just want to start anew, I have a branch in the instructions below that you can follow to use your old .pst, but with the new gmail email.)


Here are steps to set up your Gmail account in Outlook: Follow these steps in this order. The order is important as unlocking the captcha should always be your final step.

In Gmail, go to Settings > Forwarding > POP/IMAP and make sure IMAP is enabled. Leave all settings at default.

1. Start Outlook

2. Go back to your browser and sign into your Gmail account at https://mail.google.com

3a. If you use 2 step verification, go to your security settings and generate a new App Password. Copy that password.

3b. If you don't use 2 step verification, enable access for "less secure" apps: https://www.google.com/settings/security/lesssecureapps.  Then go here: https://accounts.google.com/b/0/DisplayUnlockCaptcha and click Continue.
Then immediately - go back to Outlook and set up your account again, letting Outlook do it automatically using the Setup Wizard.

4a. If you use 2 step verification, give Outlook your username and paste the App Password you copied earlier into the Password box.
4b. If you don't use 2 step verification, just give Outlook your username and your normal account password.

5. Then let Outlook get on with it and set up your account automatically.

Leave all Outlook's settings at their defaults until you know whether you have been successful.

Warning about phishing emails associated with Coronavirus

Unknown hackers are running a mass spam email campaign that tricks users into thinking they’re opening a public health bulletin. But the files that come attached are secretly malware, which the hackers are hoping you’ll open without thinking.
Here’s how it works: An email will arrive claiming to be from local authorities with information about infections in the area. A PDF or similar file will be attached to the email, but opening it will infect your computer with phishing malware. Tap or click to see how well you can spot a phishing email.
Following infection, the malware gets to work harvesting personal data. What’s more, it can potentially inject even more malicious code into your system to steal information or monitor your activities.
Presently, this cyberattack is only making the rounds in Japan. This is probably due to the sharp increase in cases in the country and nearby territories. Researchers fear the current campaign is only the beginning, and as the real virus spreads, the hackers will launch the spam campaign globally.

{copied from KimKomando site}

Friday, December 6, 2019

Background explanation of phishing and spear phishing

The following discussion about spear-phishing attacks was copied from a Microsoft blog. I think it is informative and, since I have seen a number of these when helping people with computers, I think it is important for you to read, even if you are retired. It explains how a lot of the phishing emails you get are created so that the email looks like it is from someone you know and the content of the note has personal or professional information in it. The article explains the full business model for those who are creating the phishing emails. As for how to protect yourself: unfortunately, though most full-function security suites do have elements that try to protect you from phishing, both via email and through a direct pirating of a web site you are on or a link you click on a valid website, you are still THE DEFENSE against phishing. Learn the signs of a phishing attack. Learn how to "get out fast" and "clean up the mess" if you succumb.

Spear phishing campaigns—they’re sharper than you think

December 2, 2019
Even your most security-savvy users may have difficulty identifying honed spear phishing campaigns. Unlike traditional phishing campaigns that are blasted to a large email list in hopes that just one person will bite, advanced spear phishing campaigns are highly targeted and personal. They are so targeted, in fact, that we sometimes refer to them as “laser” phishing. And because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email. That’s how good they are.
Even though spear phishing campaigns can be highly effective, they aren’t foolproof. If you understand how they work, you can put measures in place to reduce their power. Today, we provide an overview of how these campaigns work and steps you can take to better protect your organization and users.
Figure 1. Percentage of inbound emails associated with phishing on average increased in the past year, according to Microsoft security research (source: Microsoft Security Intelligence Report).

Step 1: Select the victims

To illustrate how clever some of these campaigns are, imagine a busy recruiter who is responsible for filling several IT positions. The IT director is under a deadline and desperate for good candidates. The recruiter posts the open roles on their social networks asking people to refer leads. A few days later they receive an email from a prospective candidate who describes the role in the email. The recruiter opens the attached resume and inadvertently infects their computer with malware. They have just been duped by a spear phisher.
How did it happen?
In a spear phishing campaign, the first thing an attacker needs to do is identify the victims. These are typically individuals who have access to the data the attacker wants. In this instance, the attackers want to infiltrate the human resources department because they want to exfiltrate employee social security numbers. To identify potential candidates they conduct extensive research, such as:
  • Review corporate websites to gain insight into processes, departments, and locations.
  • Use scripts to harvest email addresses.
  • Follow company social media accounts to understand company roles and the relationships between different people and departments.
In our example, the attackers learned by browsing the website that the convention for emails is first.last@company.com. They browsed the website, social media, and other digital sources for human resources professionals and potential hooks. It didn’t take long to notice several job openings. Once the recruiter shared details of jobs online, would-be attackers had everything they needed.
Why it might work: In this instance it would be logical for the victim to open the attachment. One of their job responsibilities is to collect resumes from people they don’t know.
Infographic showing the typical campaign path for phish emails, from Reconnaissance to Exfiltration.
Figure 2. Research and the attack are the first steps in a longer strategy to exfiltrate sensitive data.

Step 2: Identify the credible source

Now let’s consider a new executive who receives an email late at night from their boss, the CEO. The CEO is on a trip to China meeting with a vendor, and in the email, the CEO references the city they’re in and requests that the executive immediately wire $10,000 to pay the vendor. The executive wants to impress the new boss, so they jump on the request right away.
How did it happen?
In spear phishing schemes, the attacker needs to identify a credible source whose emails the victim will open and act on. This could be someone who appears to be internal to the company, a friend, or someone from a partner organization. Research into the victim’s relationships informs this selection. In the first example, we imagined a would-be job seeker that the victim doesn’t know. However, in many spear phishing campaigns, such as with our executive, the credible source is someone the victim knows.
To execute the spear phishing campaign against the executive, the attackers uncovered the following information:
  • Identified senior leaders at the company who have authority to sign off on large sums of money.
  • Selected the CEO as the credible source who is most likely to ask for the money.
  • Discovered details about the CEO’s upcoming trip based on social media posts.
Why it might work: Targeting executives by impersonating the CEO is increasingly common—some refer to it as whale phishing. Executives have more authority and access to information and resources than the average employee. People are inclined to respond quickly when the boss emails—especially if they say it’s urgent. This scenario takes advantage of those human power dynamics.
Infographic of the Attack Spectrum, from Broad to Targeted.
Figure 3. The more targeted the campaign, the bigger the potential payoff.

Step 3: Victim acts on the request

The final step in the process is for the victim to act on the request. In our first example, the human resources recruiter could have initiated a payload that would take over his computer or provide a tunnel for the attacker to access information. In our second scenario, the victim could have wired large sums of money to a fraudulent actor. If the victim does accidentally open the spear phishing email and respond to the call to action, open a malicious attachment, or visit an infected webpage, the following could happen:
  • The machine could be infected with malware.
  • Confidential information could be shared with an adversary.
  • A fraudulent payment could be made to an adversary.

Catch more phishy emails

Attackers have improved their phishing campaigns to better target your users, but there are steps you can take to reduce the odds that employees will respond to the call to action. We recommend that you do the following:
  • Educate users on how to detect phishing emails—Spear phishing emails do a great job of effectively impersonating a credible source; however, there are often small details that can give them away. Help users identify phish using training tools that simulate a real phish. Here are a few tells that are found in some phish that you can incorporate into your training:
    • An incorrect email address or one that resembles what you expect but is slightly off.
    • A sense of urgency coupled with a request to break company policy. For example, fast tracking payments without the usual checks and procedures.
    • Emotive language to evoke sympathy or fear. For example, the impersonated CEO might say you’re letting them down if you do not make the urgent payment.
    • Inconsistent wording or terminology. Does the business lingo align with company conventions? Does the source typically use those words?
  • Encourage users to communicate potential phishing emails—It’s important that users flag phishing emails to the proper team. This can be done natively within many enterprise email systems. It can also be helpful if users talk with their peers about the phishing emails they receive. Spear phishers typically don’t send blast emails; however, they may select several people from the same department or with business relationships. Talking will alert other users to be on the lookout for phishy emails.
  • Deploy technology designed to block phishing emails—If users don’t receive the phishing email, they can’t act on it! Deploy technology that can help you catch phishing emails before they land in someone’s inbox. For instance, Office 365, one of the world’s largest email providers, offers a variety of protection against phishing attacks by default and through additional offerings such as Microsoft Advanced Threat Protection (ATP) anti-phishing. Importantly, Microsoft has both been advancing the anti-phishing capabilities of Office 365 (see Figure 4 above) and improving catch rates of phishing emails.
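
Two of the tells listed above, a sender address that is "slightly off" and urgent payment wording, can be checked mechanically. The following is an added example, not part of the Microsoft article or this blog's own material: it compares the sender's domain with a list of trusted domains by edit distance and looks for pressure words in the body. The function names, the word list, the threshold of two edits and every address and message in it are constructed for illustration; `company.com` follows the `first.last@company.com` convention used in the article's scenario.

```powershell
# Added example. All names, addresses and message text are constructed.

# Levenshtein edit distance between two strings (two-row dynamic programming).
function Get-EditDistance {
    param([string]$A, [string]$B)
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + (@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min(
                [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1),
                $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$B.Length]
}

# Returns a list of tells found in one message; an empty list means none.
function Get-PhishTell {
    param(
        [string]$From,
        [string]$Body,
        [string[]]$TrustedDomains = @('company.com'),
        [string[]]$PressureWords  = @('urgent', 'immediately', 'right away', 'wire')
    )
    $tells = @()

    # Tell 1: a domain that is not trusted but is within two edits of one
    # that is, i.e. "resembles what you expect but is slightly off".
    if ($From -match '@([A-Za-z0-9.-]+)') {
        $domain = $Matches[1].ToLowerInvariant()
        if ($TrustedDomains -notcontains $domain) {
            foreach ($trusted in $TrustedDomains) {
                $distance = Get-EditDistance $domain $trusted
                if ($distance -le 2) {
                    $tells += "sender domain '$domain' is $distance edit(s) from '$trusted'"
                }
            }
        }
    } else {
        $tells += 'no parsable sender address'
    }

    # Tell 2: urgency or payment wording in the body.
    $hits = @($PressureWords |
              Where-Object { $Body -match "\b$([regex]::Escape($_))\b" })
    if ($hits.Count -gt 0) {
        $tells += "pressure wording: $($hits -join ', ')"
    }
    $tells
}

# Constructed sample messages: one ordinary, one modelled on the CEO scenario.
$samples = @(
    @{ From = 'CEO <first.last@company.com>'
       Body = 'Agenda for Monday is attached.' },
    @{ From = 'CEO <first.last@cornpany.com>'
       Body = 'Please wire $10,000 to the vendor immediately.' }
)
foreach ($s in $samples) {
    $tells = @(Get-PhishTell -From $s.From -Body $s.Body)
    $summary = if ($tells.Count -gt 0) { $tells -join '; ' } else { 'no tells' }
    '{0,-32} -> {1}' -f $s.From, $summary
}
```

A check like this only narrows what a person has to look at; a message sent from a compromised account in the real domain passes the first test, which is why the article puts user training and reporting alongside filtering.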


Monday, November 25, 2019

Battery Life? What does this mean and what can I do about it?

The term "battery life" has two different meanings, and control of "battery life" has two different outcomes depending on the meaning. To the point, the two meanings of battery life are:

  1. How long does a battery charge last when not being charged (device not plugged in)?
  2. How long does a battery last before it has to be replaced because it no longer holds charge for a reasonable amount of time when the device is not plugged in?

The conflict is: if you optimize for battery charge life, your battery will probably not last as long before you have to buy a new one. Conversely, if you optimize for length of time before you have to replace the battery, the battery won't last as long between charges. To distinguish between the two kinds of battery life, I'll call the second kind "battery health."

Why the conflict:  In short, because if you want the battery to last longer before you need a new one, you shouldn't charge the battery to 100%. 

I'll provide some details about the operating system controls for Windows here.  You can do a search for the terms "Extending battery life" and the name of your device or operating system to learn what controls are available for your device to gain some control over how long your battery will last between charges. 

Extending battery life between charges

With that out of the way, there are ways to make a battery last longer between charges.  The controls you have available are pretty much functionally the same between different kinds of devices, but the user interfaces and the number of controls you have available vary by device, by the operating system, and by any extra application you might install to control this kind of battery life.

Windows:  This article explains the operating system controls available:  https://support.microsoft.com/en-us/help/20443/windows-10-battery-saving-tips

Android:  Read this article:  https://www.androidauthority.com/android-battery-saver-tips-tricks-189882/.

Extending battery health

Windows:  There is one control in Windows whose purpose is to maximize battery health:  "Battery Life Extender."  It controls whether or not the battery will be charged to 80% or 100%.  Battery designers say that charging to 80% will extend the life of your lithium battery.  For details on the Windows control see:  https://answers.microsoft.com/en-us/windows/forum/all/why-does-my-laptop-only-charge-up-to-80-and-not/916ea22c-9e36-4b69-a5ef-f91495de4fda.  If you use your laptop mostly plugged in and don't use it on battery for more than 4-5 hours at a time, then you can set this control to 80%.  If you are traveling and you can't be sure how long you will be able to go until the next charge, then set Battery Life Extender to 100%.

Android:  Rather than getting into the details of the operating system controls for battery health, download the app AccuBattery.  It has more tools than you could ever want to monitor the health of your battery.  I haven't found a way to automatically control the maximum charge on a locked Android phone, which is what most people have.  Manually, you can watch the charge and not charge to 100% and occasionally discharge to depletion. 

PS:  If you wish to add the Apple appropriate information, please feel free to use the comment feature of this blog.  

Saturday, July 27, 2019

Equifax breach settlement- is it worth it to participate in the settlement?

If you were impacted by the Equifax data breach, which occurred in 2017, you lost much of your identity information.

(This and other breaches mean your online presence and info such as your SSN is probably somewhere in the process of moving to the dark web to be sold. Or it will be weaponized by rogue countries or instruments of rogue countries whenever that country wishes. So, in a way, trying to protect your SSN, for example, by not giving it to a bank or insurance company to receive a claim, is close to pointless.)

A settlement has been reached with the courts regarding this breach and, for most of us, the settlement will mean at least $125 for you if you file a claim. What you give up by accepting a settlement is the ability to sue if you can show that a loss of identity was caused by the Equifax breach. Proving this is going to be tough to do. Plus, most of us, because of other breaches, are already covered by identity protection and identity theft detection by other settlements. For example, most everyone in South Carolina is covered for a number of years due to a breach of the government databases. For more information and forms, read this:

Update, 8/1:  This notice was put out today.  It says that there was very little money, compared to what was advertised, set aside for payment of claims. If more people apply for a claim, the amount per claim will be less.  (What a ripoff!)
But there’s a downside to this unexpected number of claims. First, though, the good: all 147 million people can ask for and get free credit monitoring. There’s also the option for people who certify that they already have credit monitoring to claim up to $125 instead. But the pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.
