
And so it Begins: Gmail Authentication Errors are Here


The long-awaited day is upon us. Gmail has officially started to temporarily reject messages that fail their new authentication requirements. Gmail and Yahoo Mail have been preparing the email world for this day, and right on cue, it’s begun:

There has never been a more important time to authenticate your email. According to the new rules, today you will start to see temporary errors for unauthenticated mail. And starting in April, unauthenticated mail that does not pass DMARC will start to be rejected.

There is no need to get caught off guard by these rejections!

Our CTO, Seth Blank, has a long history of playing a critical and active role across the email ecosystem to drive new technology and change that raises the bar for everyone. He is Co-Chair of the IETF DMARC Working Group, Chair of the AuthIndicators (BIMI) Working Group, and has developed ARC, BIMI, DMARC 2.0, amongst others. With these new requirements, he has already been providing ecosystem and customer feedback directly to Google and Yahoo, helping to clarify guidance and ensure all senders are set up for success with the new rules. 

Authentication matters, now more than ever, or the errors will flow. There are still many questions to be answered as these new requirements continue to roll out, but Valimail is committed to providing timely, accurate clarification to senders of all types.

In the meantime, if you want to protect your domain, sign up for our brand new product, Align, specifically created to help you meet the new email authentication requirements. It’s automated, simple, built for marketers, and priced to make it easy for companies of all sizes to meet the requirements. 

Since its founding in 2015, Valimail has worked hard to provide automated email authentication solutions ranging from free to enterprise and FedRAMP, and we now have more than 38,000 customers protecting themselves with our industry-leading DMARC software. We’ve always believed that it’s in everyone’s interest to make sure your email domain isn’t spoofed and to thereby help to stamp out criminal abuse of your email and brand. 

This isn’t just about protecting yourself – done right, email authentication protects partners, consumers, and anyone receiving email. If we can get to herd immunity (approximately 70% adoption of the largest senders), exact domain spoofing (the most pernicious) becomes economically uninteresting and criminals move on to other forms of phishing, spoofing, etc. 

Valimail is here to help you. Ultimately, all mail sent to Gmail and Yahoo Mail must pass DMARC to be delivered. As the world’s leader in DMARC, we’ve got you covered.

by Valimail

New Email Sender Requirements for DMARC, SPF, AND DKIM at Google and Yahoo

Google and Yahoo announced in October 2023 that starting early in 2024, bulk senders will be subject to more stringent requirements for authentication of the mail sent to these two mailbox providers.


Specifically, they’re requiring that bulk senders use domains that have DMARC policies in place, and while that requirement is straightforward, some other requirements around this are causing quite a bit of confusion, so we thought we’d clear them up here.

Google’s requirements for bulk senders include these bullet points:

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none.
  • Set up SPF and DKIM email authentication for your domain.
  • For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.


So, which is it? Do you need SPF and DKIM or just SPF or DKIM?

The answer, believe it or not, is both.

Set Up SPF and DKIM Email Authentication For Your Domain

For the purposes of our discussion (and for the purposes of the new Google and Yahoo requirements), “your domain” is the domain you’ll be using in the visible From: header of your emails. The directive is to set up SPF and DKIM email authentication for your domain, which means that:

  • Your mail must be sent with a Return-Path (or bounce) domain for which an SPF record exists
  • Your mail must be DKIM signed

So that covers SPF and DKIM, but what about SPF or DKIM?

From: Header Must Be Aligned With Either the SPF Domain or the DKIM Domain

DMARC is built on the two email authentication protocols, SPF and DKIM, and DMARC is designed to authenticate the use of the domain in the visible From: header of an email message. Since its release in 2014, DMARC has always required that either SPF pass and the SPF domain align with the From domain or that DKIM pass and the DKIM signing domain align with the From domain. 

With these new policies, Google and Yahoo aren’t changing DMARC’s requirement for a pass verdict; either the SPF domain or the DKIM domain must align, just as it’s always been for DMARC.
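The "and" versus "or" distinction above can be checked mechanically from the headers a receiver adds. The following is an added example, not Valimail's or Google's code: it reads a constructed `Authentication-Results` header, applies relaxed or strict alignment against the From: domain, and reports both the DMARC verdict and the bulk-sender reading described here. The domains, the tiny public-suffix set and the assumption that "set up" means the check passes are all illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# constructed samples. A real evaluator needs the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares organizational domains."""
    if not auth_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value):
    """Collect (result, domain) pairs for spf and dkim from an Authentication-Results
    value. Simplified: assumes no ';' appears inside header comments."""
    found = {"spf": [], "dkim": []}
    for part in (value or "").split(";")[1:]:      # part 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", part)
        if not m:
            continue
        prop = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", part)
        domain = prop.group(1).rsplit("@", 1)[-1].lower() if prop else None
        found[m.group(1)].append((m.group(2).lower(), domain))
    return found


def evaluate(raw_message, strict=False):
    """Return alignment, DMARC and bulk-sender verdicts for one message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    results = parse_auth_results(msg["Authentication-Results"])

    def passed(method):
        return any(r == "pass" for r, _ in results[method])

    def passed_aligned(method):
        return any(r == "pass" and aligned(d, from_domain, strict)
                   for r, d in results[method])

    dmarc_pass = passed_aligned("spf") or passed_aligned("dkim")
    return {
        "from_domain": from_domain,
        "spf_aligned": passed_aligned("spf"),
        "dkim_aligned": passed_aligned("dkim"),
        "dmarc_pass": dmarc_pass,
        # SPF *and* DKIM in place, plus SPF *or* DKIM aligned, as the page reads it.
        "meets_bulk_sender_rule": passed("spf") and passed("dkim") and dmarc_pass,
    }


def sample(from_header, auth_results):
    """Build a constructed message carrying only the headers the check reads."""
    return (f"From: {from_header}\n"
            f"Authentication-Results: {auth_results}\n"
            "Subject: constructed sample\n\nbody\n")


# Constructed samples; every domain below is a placeholder.
VIA_ESP = sample("Example News <news@example.com>",
                 "mx.receiver.example; spf=pass smtp.mailfrom=bounce.esp.example.net; "
                 "dkim=pass header.d=example.com")
SPF_ONLY = sample("billing@example.com",
                  "mx.receiver.example; spf=pass smtp.mailfrom=bounces.example.com")
UNALIGNED = sample("news@example.com",
                   "mx.receiver.example; spf=pass smtp.mailfrom=esp.example.net; "
                   "dkim=pass header.d=esp.example.net")

if __name__ == "__main__":
    for name, raw in [("via ESP", VIA_ESP), ("SPF only", SPF_ONLY), ("unaligned", UNALIGNED)]:
        print(name, evaluate(raw))
```

The SPF-only sample passes DMARC under relaxed alignment yet misses the bulk-sender rule because it carries no DKIM signature, which is the gap the "belt and suspenders" advice closes.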


DMARC Best Practices

Even though DMARC only requires an aligned pass for SPF or DKIM, it’s long been a best practice for messages sent with From domains that publish a DMARC policy to have both SPF and DKIM aligned if possible.

This “belt and suspenders” approach is meant to mitigate the risk of failures due to DNS hiccups, breakage due to forwarding, and other blips that might cause one authentication method to fail, but not the other. Implementing the best practice here and having both align is a way, and arguably the best way, to meet the Google requirements discussed above.

Unsure of whether or not your SPF and/or DKIM are aligned? Use Valimail Align to view and update your sending domain.


By Valimail

The Biggest Data Breaches of 2022

With ransomware attacks on the rise in recent years, it’s become more important than ever to make sure you’re secure. Educate yourself and employees, and work together to accomplish cyber resilience.
Download this ebook and learn more:

Protect yourself from phishing


Phishing (pronounced: fishing) is an attack that attempts to steal your money, or your identity, by getting you to reveal personal information — such as credit card numbers, bank information, or passwords — on websites that pretend to be legitimate. Cybercriminals typically pretend to be reputable companies, friends, or acquaintances in a fake message, which contains a link to a phishing website.

Learn to spot a phishing message

Phishing is a popular form of cybercrime because of how effective it is. Cybercriminals have been successful using emails, text messages, direct messages on social media or in video games, to get people to respond with their personal information. The best defense is awareness and knowing what to look for.

Here are some ways to recognize a phishing email:

  • Urgent call to action or threats – Be suspicious of emails that claim you must click, call, or open an attachment immediately. Often they’ll claim you have to act now to claim a reward or avoid a penalty. Creating a false sense of urgency is a common trick of phishing attacks and scams. They do that so that you won’t think about it too much, or consult with a trusted advisor who may warn you away. Tip: Whenever you see a message calling for immediate action take a moment, pause, and look carefully at the message. Are you sure it’s real? Slow down and be safe.
  • First time or infrequent senders – While it’s not unusual to receive an email from someone for the first time, especially if they are outside your organization, this can be a sign of phishing. When you get an email from somebody you don’t recognize, or that Outlook identifies as a new sender, take a moment to examine it extra carefully before you proceed.
  • Spelling and bad grammar – Professional companies or organizations usually have an editorial staff to ensure customers get high-quality, professional content. If an email message has obvious spelling or grammatical errors, it might be a scam. These errors are sometimes the result of awkward translation from a foreign language, and sometimes they’re deliberate in an attempt to evade filters that try to block these attacks.
  • Generic greetings – An organization that works with you should know your name and these days it’s easy to personalize an email. If the email starts with a generic “Dear sir or madam” that’s a warning sign that it might not really be your bank or shopping site.
  • Suspicious links or unexpected attachments – If you suspect that an email message is a scam, don’t open any links or attachments that you see. Instead, hover your mouse over, but don’t click, the link to see if the address matches the link that was typed in the message. In the following example, resting the mouse on the link reveals the real web address in the box with the yellow background. Note that the string of IP address numbers looks nothing like the company’s web address.
Fake IP address
  • Mismatched email domains – If the email claims to be from a reputable company, like Microsoft or your bank, but the email is being sent from another email domain like Yahoo.com, or microsoftsupport.ru it’s probably a scam. Also be watchful for very subtle misspellings of the legitimate domain name. Like micros0ft.com where the second “o” has been replaced by a 0, or rnicrosoft.com, where the “m” has been replaced by an “r” and a “n”. These are common tricks of scammers. 
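A mail filter or triage script can apply the "mismatched email domains" check above automatically. This is an added example, not Microsoft's code: it folds the character swaps the list mentions ("0" for "o", "rn" for "m"), allows one typo, and also catches a brand name embedded in another domain or used only in the display name. The protected-domain list and the sample senders are constructed.

```python
from email.utils import parseaddr

# Assumption: the domains this organisation expects genuine mail from.
PROTECTED = ["microsoft.com", "paypal.com"]

# Character swaps of the kind the page describes, folded to the letter they imitate.
CONFUSABLE = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(label):
    """Reduce a label to a canonical form so visually similar spellings compare equal."""
    s = label.lower()
    for src, dst in CONFUSABLE:
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, protected=PROTECTED):
    """Return (verdict, protected_domain) for a sender domain."""
    labels = sender_domain.lower().rstrip(".").split(".")
    # Simplification: treat the last two labels as the registrable domain.
    registrable = ".".join(labels[-2:])
    name = labels[-2] if len(labels) > 1 else labels[0]
    if registrable in protected:
        return ("legitimate", registrable)
    for legit in protected:
        brand = legit.split(".")[0]
        if skeleton(name) == skeleton(brand) or edit_distance(name, brand) <= 1:
            return ("lookalike", legit)
    for legit in protected:
        if skeleton(legit.split(".")[0]) in skeleton(".".join(labels)):
            return ("brand-embedded", legit)
    return ("unrelated", None)


def check_sender(from_header, protected=PROTECTED):
    """Classify a From: header, also flagging a brand used only in the display name."""
    display, addr = parseaddr(from_header)
    verdict, legit = classify(addr.rsplit("@", 1)[-1], protected)
    if verdict == "unrelated":
        for p in protected:
            if p.split(".")[0] in display.lower():
                return ("display-name-mismatch", p)
    return (verdict, legit)


# Constructed From: headers built from the domains the page uses as illustrations.
SAMPLES = [
    "Microsoft <account@mail.microsoft.com>",
    "Microsoft <account@micros0ft.com>",
    "Microsoft <account@rnicrosoft.com>",
    "Support <help@microsoftsupport.ru>",
    '"Microsoft Account Team" <security@yahoo.com>',
    "A colleague <someone@yahoo.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), header)
```

The one-typo allowance will also flag unrelated names that happen to sit one character away from a short brand, so treat a hit as a reason to look closer rather than as a verdict.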

Cybercriminals can also tempt you to visit fake websites with other methods, such as text messages or phone calls. Sophisticated cybercriminals set up call centers to automatically dial or text numbers for potential targets. These messages will often include prompts to get you to enter a PIN number or some other type of personal information.

Are you an administrator or IT pro?

If you have a Microsoft 365 subscription with Advanced Threat Protection you can enable ATP Anti-phishing to help protect your users.

If you receive a phishing email

  • Never click any links or attachments in suspicious emails. If you receive a suspicious message from an organization and worry the message could be legitimate, go to your web browser and open a new tab. Then go to the organization’s website from your own saved favorite, or via a web search. Or call the organization using a phone number listed on the back of a membership card, printed on a bill or statement, or that you find on the organization’s official website.
  • If the suspicious message appears to come from a person you know, contact that person via some other means such as text message or phone call to confirm it.
  • Report the message (see below).
  • Delete it.

How to report a phishing scam

  • Microsoft Office Outlook – With the suspicious message selected, choose Report message from the ribbon, and then select Phishing. This is the fastest way to report it and remove the message from your Inbox, and it will help us improve our filters so that you see fewer of these messages in the future. For more information see Use the Report Message add-in.
  • Outlook.com – Select the check box next to the suspicious message in your Outlook.com inbox. Select the arrow next to Junk, and then select Phishing.

Note: If you’re using an email client other than Outlook, start a new email to [email protected] and include the phishing email as an attachment. Please don’t forward the suspicious email; we need to receive it as an attachment so we can examine the headers on the message. 

If you’re on a suspicious website:

  • Microsoft Edge – While you’re on a suspicious site, select the More(…) icon > Help and feedback > Report Unsafe site. Follow the instructions on the webpage that displays to report the website.
  • Internet Explorer – While you’re on a suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the webpage that displays to report the website.

For more information see Securely browse the web in Microsoft Edge.

What to do if you think you’ve been successfully phished

If you’re suspicious that you may have inadvertently fallen for a phishing attack there are a few things you should do. 

  1. While it’s fresh in your mind write down as many details of the attack as you can recall. In particular try to note any information such as usernames, account numbers, or passwords you may have shared.
  2. Immediately change the passwords on those affected accounts, and anywhere else that you might use the same password. While you’re changing passwords you should create unique passwords for each account, and you might want to see Create and use strong passwords.
  3. Turn on multifactor authentication (also known as two-step verification) for every account you can. See What is: Multifactor authentication
  4. If this attack affects your work or school accounts you should notify the IT support folks at your work or school of the possible attack. If you shared information about your credit cards or bank accounts you may want to contact those companies as well to alert them to possible fraud.
  5. If you’ve lost money, or been the victim of identity theft, report it to local law enforcement. The details in step 1 will be very helpful to them.

Published by Microsoft.

Webroot: (NEW) Privacy and Security with DNS over HTTPS (DoH)


DNS has been around since 1983 and has worked brilliantly at resolving all internet domain requests for both IPv4 and the newer IPv6 address spaces. However, DNS was not built with privacy or security in mind, as it communicates all requests in clear text.

To make DNS more secure for users, the new DNS over HTTPS (DoH) protocol encrypts the requests using the same HTTPS encryption used when connecting to a secure website. All the major web browsers are beginning to support DoH, but this incredible privacy enhancement can also bring some security drawbacks.

What exactly is DNS over HTTPS (DoH)?

DoH is an initiative to prevent eavesdropping and manipulation of DNS request data by third parties, whether for malicious purposes, governmental control, or commercial reasons. DoH adds encryption to these requests, thereby hiding them from prying eyes and ensuring the privacy and security of the overall connection.
 

Why is DoH a problem for IT security?

Adding privacy can come at a cost. From a security perspective, the rapid adoption and usage of DoH could blindside security administrators and prevent them from extracting useful cybersecurity information by monitoring and analyzing their DNS request traffic logs.

Additionally, some applications can be configured to use DoH directly. As this bypasses the system’s configured DNS server, it presents issues with filtering and accuracy of the DNS requests.

How does Webroot DNS Protection handle DoH?

If all DNS requests are encrypted, then admins can lose considerable visibility and control in terms of web filtering security. When applications are capable of making DNS requests independently, it defeats the value of web filtering by circumventing the in-place protections. To correctly leverage the advantages of DoH, every DNS request on a must be passed via DoH, applications must be prevented from making rogue DNS requests, and filtering and logging must be maintained.
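One way to keep the visibility described above is to look for DoH that does not go to the resolver you manage. This is an added example, not Webroot's code: it scans constructed web-proxy log lines for DoH indicators (the RFC 8484 media type, the conventional `/dns-query` path, or a well-known public resolver hostname) and lists clients whose requests bypass the approved resolver. The log layout and `doh.corp.example` are assumptions.

```python
from collections import defaultdict

# Hypothetical: the only DoH endpoint this organisation has approved.
APPROVED_DOH_HOSTS = {"doh.corp.example"}

# A few widely used public DoH endpoints; extend from your own inventory.
KNOWN_PUBLIC_DOH_HOSTS = {
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google", "dns.quad9.net",
}

DOH_MEDIA_TYPE = "application/dns-message"   # media type defined by RFC 8484

# Constructed proxy log; assumed layout: time client method host path content-type.
# CONNECT lines show what is visible when the proxy does not inspect TLS.
SAMPLE_LOG = """\
2024-02-01T09:00:01Z 10.0.0.21 POST doh.corp.example /dns-query application/dns-message
2024-02-01T09:00:02Z 10.0.0.35 GET cloudflare-dns.com /dns-query?dns=AAABAAAB -
2024-02-01T09:00:03Z 10.0.0.35 CONNECT dns.google - -
2024-02-01T09:00:04Z 10.0.0.40 GET www.example.com /index.html text/html
2024-02-01T09:00:05Z 10.0.0.52 POST resolver.unknown.example /q application/dns-message
"""


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, client, method, host, path, ctype = line.split()
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "path": path, "ctype": ctype.lower()}


def doh_indicators(rec):
    """Return the reasons a request looks like DoH (empty list if none)."""
    reasons = []
    if rec["ctype"] == DOH_MEDIA_TYPE:
        reasons.append("media-type")
    if rec["path"].partition("?")[0] == "/dns-query":
        reasons.append("dns-query-path")
    if rec["host"] in KNOWN_PUBLIC_DOH_HOSTS:
        # Host-only match: may also fire on ordinary visits to the resolver's website.
        reasons.append("known-resolver")
    return reasons


def classify(rec):
    """Label a record as not-doh, approved (managed resolver) or bypass."""
    if not doh_indicators(rec):
        return "not-doh"
    return "approved" if rec["host"] in APPROVED_DOH_HOSTS else "bypass"


def find_bypass(log_text):
    """Map each client to the sorted unapproved DoH hosts it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if classify(rec) == "bypass":
            hits[rec["client"]].add(rec["host"])
    return {client: sorted(hosts) for client, hosts in hits.items()}


if __name__ == "__main__":
    for client, hosts in find_bypass(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hosts))
```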

With our latest enhancements, Webroot DNS Protection now combines the privacy benefits of DoH with the security benefits of DNS-layer protection powered by Webroot BrightCloud®️ Web Classification intelligence. Our service leverages the advantages of DoH by encrypting and managing the DNS requests for the entire system, and then securely relaying these requests via DoH to the Webroot resolvers. This way, admins retain control of DNS and are able to filter and log, while the user and business benefit from the additional privacy and security.


Written by freydrew – Community and Advocacy Manager of webroot

Microsoft Edge: Protect against potentially unwanted applications (PUAs)

Overview

Potentially unwanted applications aren’t considered to be viruses or malware, but these apps might perform actions on endpoints that adversely affect endpoint performance or use. For example, Evasion software actively tries to evade detection by security products. This kind of software can increase the risk of your network being infected with actual malware. PUA can also refer to applications that are considered to have poor reputation.

Protect against PUA with Microsoft Edge

Microsoft Edge (version 80.0.361.50 or later) blocks PUA downloads and associated resource URLs.

You can set up protection by enabling the Block potentially unwanted apps feature in Microsoft Edge.

To enable PUA protection:

  1. Open Settings in the browser.
  2. Select Privacy and services.
  3. In the Services section, check to see that Microsoft Defender SmartScreen is turned on. If not, then turn on Microsoft Defender SmartScreen. The example in the following screenshot shows the browser is managed by the organization and that Microsoft Defender SmartScreen is turned on.
  4. In the Services section, use the toggle shown in the preceding screenshot to turn on Block potentially unwanted apps.

Block against PUA-associated URLs

After you turn on PUA protection in Microsoft Edge, Windows Defender SmartScreen will protect you from PUA-associated URLs.

There are several ways admins can configure how Microsoft Edge and Windows Defender SmartScreen work together to protect users from PUA-associated URLs. For more information, see:

Admins can also customize the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) block list. They can use the Microsoft Defender ATP portal to create and manage indicators for IPs and URLs.

Protect against PUA with Windows Defender Antivirus

The Detect and block potentially unwanted applications article also describes how you can configure Windows Defender Antivirus to enable PUA protection. You can configure protection using any of the following options:

When Windows Defender detects a PUA file on an endpoint it quarantines the file and notifies the user (unless notifications are disabled) in the same format as a normal threat detection (prefaced with “PUA:”.) Detected threats also appear in the quarantine list in the Windows Security app.

PUA notifications and events

There are several ways an admin can see PUA events:

  • In the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or Intune.
  • In an email if email notifications for PUA detections are turned on.
  • In Windows Defender Antivirus event logs, where a PUA event is recorded under event ID 1116 with the message: “The antimalware platform detected malware or other potentially unwanted software.”

 Note

Users will see “*.exe has been blocked as a potentially unwanted app by Microsoft Defender SmartScreen”.

Allow-list an app

Like Microsoft Edge, Windows Defender Antivirus provides a way to allow files that are blocked by mistake or needed to complete a task. If this happens you can allow-list a file. For more information, see How to Configure Endpoint Protection in Configuration Manager to learn how to exclude specific files or folders.

PCMadness Recommends the New Microsoft Edge as the choice of browser to use.

2020 Webroot Threat Report


2020 Webroot Threat Report: Phishing Attempts Grew by 640% Last Year

The annual Webroot Threat report was recently released, highlighting not only the agility and innovation of cybercriminals who continue to seek out new ways to evade defenses, but also their commitment to long-established attack methods. Most notably, Webroot observed a 640 percent increase in phishing attempts and a 125 percent increase in malware targeting Windows 7. The report is derived from metrics captured and analyzed by Webroot’s advanced, cloud-based machine learning architecture: the Webroot Platform.

“In the cybersecurity industry the only certainty is that there is no certainty, and there is no single silver bullet solution,” said Hal Lonas, Senior Vice President and CTO, SMB and Consumer, OpenText. “The findings from this year’s report underline why it’s critical that businesses and users of all sizes, ensure they’re not only protecting their data but also preparing for future attacks by taking simple steps toward cyber resilience through a defense-in-depth approach that addresses user behavior and the best protection for network and endpoints.”

Here are a few of the findings that I found pretty interesting:

Phishing URLs encountered grew by 640 percent in 2019.

  • 1 in 4 malicious URLs is hosted on an otherwise non-malicious domain.
  • 8.9 million URLs were found hosting a cryptojacking script.
  • The top sites impersonated by phishing sites or cybercriminals are Facebook, Microsoft, Apple, Google, PayPal and DropBox.
  • The top five kinds of websites impersonated by phishing sites are crypto exchanges (55%), gaming (50%), web email (40%), financial institutions (40%) and payment services (32%).

Malware targeting Windows 7® increased by 125 percent.

  • 93.6 percent of malware seen was unique to a single PC – the highest rate ever observed.
  • 85 percent of threats hide in one of four locations: %temp%, %appdata%, %cache%, and %windir%, with more than half of threats (54.4%) on business PCs hiding in %temp% folders. This risk can be easily mitigated by setting a Windows policy to disallow programs from running from the temp directory.
  • IP addresses associated with Windows exploits grew by 360 percent, with the majority of exploits targeting out-of-date operating systems.

Consumer PCs remain nearly twice as likely to get infected as business PCs.

  • The data reveals that regions most likely to be infected also have the highest rates of using older operating systems.
  • Of the infected consumer devices, more than 35 percent were infected more than three times, and nearly 10 percent encountered six or more infections.
  • The continued insecurity of consumer PCs underscores the risk companies face in allowing employees to connect to business networks from their personal devices.

Trojans and malware accounted for 91.8 percent of Android™ threats.

Download the full report.

Written By Freydrew by Webroot

What Is Credential Stuffing? How to Protect Yourself.


A total of 500 million Zoom accounts are for sale on the dark web thanks to “credential stuffing.” It’s a common way for criminals to break into accounts online. Here’s what that term actually means and how you can protect yourself.

It Starts With Leaked Password Databases

Attacks against online services are common. Criminals often exploit security flaws in systems to acquire databases of usernames and passwords. Databases of stolen login credentials are often sold online on the dark web, with criminals paying in Bitcoin for the privilege of accessing the database.

Let’s say you had an account on the Avast forum, which was breached back in 2014. That account was breached, and criminals may have your username and password on the Avast forum. Avast contacted you and had you change your forum password, so what’s the problem?

Unfortunately, the problem is that many people reuse the same passwords on different websites. Let’s say your Avast forum login details were “[email protected]” and “AmazingPassword.” If you logged into other websites with the same username (your email address) and password, any criminal who acquires your leaked passwords can gain access to those other accounts.

Credential Stuffing in Action

“Credential stuffing” involves using these databases of leaked login details and trying to log in with them on other online services.

Criminals take large databases of leaked username and password combinations—often millions of login credentials—and try to sign in with them on other websites. Some people reuse the same password on multiple websites, so some will match. This can generally be automated with software, quickly trying many login combinations.

For something so dangerous that sounds so technical, that’s all it is—trying already leaked credentials on other services and seeing what works. In other words, “hackers” stuff all those login credentials into the login form and see what happens. Some of them are sure to work.

This is one of the most common ways that attackers “hack” online accounts these days. In 2018 alone, the content delivery network Akamai logged nearly 30 billion credential-stuffing attacks.

How to Protect Yourself


Protecting yourself from credential stuffing is pretty simple and involves following the same password security practices security experts have been recommending for years. There’s no magic solution—just good password hygiene. Here’s the advice:

  • Avoid Reusing Passwords: Use a unique password for each account you use online. That way, even if your password leaks, it can’t be used to sign in to other websites. Attackers can try to stuff your credentials into other login forms, but they won’t work.
  • Use a Password Manager: Remembering strong unique passwords is a nearly impossible task if you have accounts on quite a few websites, and almost everyone does. We recommend using a password manager like 1Password (paid) or Bitwarden (free and open-source) to remember your passwords for you. It can even generate those strong passwords from scratch.
  • Enable Two-Factor Authentication: With two-step authentication, you have to provide something else—like a code generated by an app or sent to you via SMS—each time you log in to a website. Even if an attacker has your username and password, they won’t be able to sign in to your account if they don’t have that code.
  • Get Leaked Password Notifications: With a service like Have I Been Pwned?, you can get a notification when your credentials appear in a leak.

How Services Can Protect Against Credential Stuffing

While individuals need to take responsibility for securing their accounts, there are many ways for online services to protect against credential-stuffing attacks.

  • Scan Leaked Databases for User Passwords: Facebook and Netflix have scanned leaked databases for passwords, cross-referencing them against login credentials on their own services. If there’s a match, Facebook or Netflix can prompt their own user to change their password. This is a way of beating credential-stuffers to the punch.
  • Offer Two-Factor Authentication: Users should be able to enable two-factor authentication to secure their online accounts. Particularly sensitive services can make this mandatory. They can also have a user click a login verification link in an email to confirm the login request.
  • Require a CAPTCHA: If a login attempt looks strange, a service can require entering a CAPTCHA code displayed in an image or clicking through another form to verify a human—and not a bot—is attempting to sign in.
  • Limit Repeated Login Attempts: Services should attempt to block bots from attempting a large number of sign-in attempts in a short period of time. Modern sophisticated bots may attempt to sign in from multiple IP addresses at once to disguise their credential-stuffing attempts.
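The last point, spotting bursts of sign-ins even when they are spread over many IP addresses, can be sketched as detection logic over login events. This is an added example, not code from the article or any named service: it buckets constructed events into fixed windows and raises a per-IP alert for one source failing across many usernames, plus a distributed alert when many usernames fail in the same window from sources that each stay under the per-IP limit. The thresholds and event layout are assumptions.

```python
from collections import defaultdict


def detect(events, window=60, per_ip_users=5, global_users=20, min_fail_ratio=0.8):
    """events: iterable of (ts_seconds, ip, username, success).
    Returns a list of (window_start, kind, detail) alerts.
    Fixed buckets keep the example short; a sliding window avoids boundary misses."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))

    alerts = []
    for b in sorted(buckets):
        rows = buckets[b]
        per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
        for ip, user, ok in rows:
            stats = per_ip[ip]
            stats["users"].add(user)
            stats["total"] += 1
            stats["fail"] += 0 if ok else 1

        # Stuffing from one source: many different usernames, almost all failing.
        # (Brute force looks different: one username, many passwords.)
        flagged = sorted(ip for ip, s in per_ip.items()
                         if len(s["users"]) >= per_ip_users
                         and s["fail"] / s["total"] >= min_fail_ratio)
        alerts.extend((b * window, "per-ip", ip) for ip in flagged)

        # Distributed stuffing: each source stays quiet, but the window as a
        # whole shows many distinct usernames failing.
        rest = [r for r in rows if r[0] not in flagged]
        failed = [r for r in rest if not r[2]]
        failed_users = {user for _, user, _ in failed}
        if rest and len(failed_users) >= global_users \
                and len(failed) / len(rest) >= min_fail_ratio:
            alerts.append((b * window, "distributed", len({ip for ip, _, _ in failed})))
    return alerts


def sample_events():
    """Constructed login events: normal traffic plus two stuffing patterns."""
    events = [
        (5, "192.0.2.10", "alice", True),
        (70, "192.0.2.11", "bob", True),
        (125, "192.0.2.10", "alice", True),
        (130, "192.0.2.12", "carol", True),
    ]
    # One source walking a leaked list: 8 usernames, one reused password works.
    events += [(10 + i, "203.0.113.7", f"user{i}", i == 3) for i in range(8)]
    # The same idea spread over 25 sources, one attempt each.
    events += [(121 + i, f"198.51.100.{i + 1}", f"victim{i}", False) for i in range(25)]
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

An alert from either rule is a trigger for the other measures in the list, such as a CAPTCHA or a forced second factor, rather than a reason to block accounts outright.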

Poor password practices—and, to be fair, poorly secured online systems that are often too easy to compromise—make credential stuffing a serious danger to online account security. It’s no wonder many companies in the tech industry want to build a more secure world without passwords.

Article by Chris Hoffman from How-To Geek.
