TechLinks: Is this email for real?

Technology is great, and we love trying out new things. But that doesn’t mean that someone won’t abuse it. Email scams, often called phishing, commonly play upon your greatest hopes, such as a huge windfall, or your worst fears, such as being accused of missing a payment. So how do you sort through the trash to find the treasure? NCRA’s Realtime and Technology Resources Committee has some advice on how to make sure you don’t get scammed.

Robin Nodland, FAPR, RDR, CRR, of Portland, Ore., offers a three-step process to start:

  1. Read the email closely. Does it ring true? Usually there are spelling, grammar, and punctuation errors that will alert you that a con artist is at work and the email is not authentic. Court reporters and captioners are experts at this! Trust your gut reaction.
  2. If you have access to an IT professional, run it by them.
  3. Google it. Chances are you are not the first person to be hit up.

Nodland references Computer Hope’s article on how to tell if an email is a scam. Red flags can include incomplete and misspelled words, a call for immediate action, a request for personal information, using a username instead of your real name, or a deceptive link or email address (that is, the metadata does not match what you see).

Committee chair Lynette Mueller, FAPR, RDR, CRR, of Germantown, Tenn., pointed to a Wired article entitled “Phishing scams even fool tech nerds – here’s how to avoid them.” The March 13, 2017, article says one of the first things to consider is the sender’s email address for mistakes, such as a number 1 for a letter l and other such substitutions. Also, think about whether this email would be likely to come from such a person.

Don’t overlook the official source for information on your particular email program. Whatever email program you use regularly, consult the help section or visit its website to find information about how to block specific senders, change your security settings, unsubscribe from mass emails, and otherwise keep up with the latest protections. The Federal Trade Commission also offers information on how to avoid phishing attacks. The website includes information on how to file a complaint and report phishing emails.

To help you get a better handle on what to look for before you are attacked, Mueller recommended three articles on phishing:

Tamara A. Jenkins, RMR, CRR, CRC, of Crystal River, Fla., suggested a few more resources to bring you up to date on the latest in scams:

If you’ve already accidentally clicked on a bad link, Mueller recommends “5 steps to take after clicking on a phishing link,” a July 20 article on AgingCare.com. This article also notes that phishing messages can become harder and harder to identify as scam artists get sneakier about getting to you.

Why court reporters need fast passes for obstacle court

In a recent blog on ChicagoNow.com, court reporter Margaret Mary Kruse, RPR, offers a humorous take on the daily security check court officials need to pass through at the county courthouse and calls on the local sheriff’s office to reissue the ID cards or “fast passes” that were rescinded after 9/11. Kruse, pseudonym The Ink Slinger, writes: “As anyone who finds themselves on the legal playground of Cook County, Ill., knows The Daley Center is a thrill ride like no other … Before entering the courtrooms above the Tower of Terror’s lobby, court reporters are forced to:

  • Play Beat The Clock as they waste precious time in long lines;
  • Engage in hand-to-hand combat with crazy line-jumpers;
  • Fight to maintain their sanity in the Hall Of Insanity, as they watch unprepared folks seemingly learn to negotiate a metal detector for the first time.”


Heartbleed: What it is and how it affects you

Heartbleed is likely the most serious Internet security threat to date. Here’s what you need to know.

What the term Heartbleed refers to is a bug in the code for OpenSSL. This code, which is thousands of lines long and has been written and rewritten by several people over the years, is a widely used cryptographic library. When a user logs into a website that uses OpenSSL (or another method of security), the browser “talks” with the website to make sure it’s a legitimate website; for example, typing in “www.ncra.org” actually leads the user to the main website for the National Court Reporters Association and not a pretender. Secure websites are noted with the “https” before the address or sometimes an icon of a lock.

The Heartbleed bug allows a hacker to access communication between the user and the website, which could include sensitive information like passwords, credit card numbers, contact information, etc.

Companies and websites affected by Heartbleed need to fix the problem on their end. Once an affected company has made its necessary security changes, it should alert you to change any passwords. Changing a password immediately will not solve the problem if the company has not been able to solve things on its end. However, after a week, it should be safe to change passwords that haven’t been flagged.

For now, avoid going to websites that have access to secure personal information, like a bank website. LastPass and the Heartbleed test can also help you determine if a specific website is vulnerable or not. Mashable has also put together a chart showing if popular websites have been affected and whether passwords need to be changed.

Check with your firm, court, school, etc. to see what they recommend for keeping private client information secure when electronically transferring information.

NCRA is checking in with our vendors on this issue and making sure that things are safe on our end. We will pass on any additional information when we can (you can access that list here).

Many news sites are publishing information on Heartbleed, including NPR.

NCRA vendors’ response to Heartbleed

NCRA has contacted our vendors to check on their online security. Our previous post on Heartbleed is here. Here are the responses so far:

Advantage Software:

Advantage Software has confirmed that Heartbleed is not a threat to its website. The connect.eclipsecat.com server that handles keyless licenses, shared documents, and realtime sessions likewise is not vulnerable since Advantage does not use the feature of OpenSSL that includes the Heartbleed vulnerability.

Depobook:

DepobookProducts.com and Depobook.com websites are safe and secure. According to the company, their servers were not running the vulnerable version of OpenSSL.

LiveDeposition:

LiveDeposition.com reports that its website is secure.

Martel:

Level 1 PCI compliance protects Martel store from hackers. Martel store transactions are automatically PCI compliant, and its entire network is independently audited against stringent PCI security standards every three months. Martel is on the lists of PCI-compliant providers for both Visa and MasterCard.

OMTI/ReporterBase:

Both omti.com and its customer portal (support.omti.com) are secure and safe from the Heartbleed bug. In addition, and of particular interest to ReporterBase users who have RB Web subscriptions, the RBWeb servers are not run on Apache and nginx servers; therefore, the website will not be affected by the bug. RB Web uses SSL but not OpenSSL, which is where the bug is present.

Pengad:

Pengad’s servers were patched within a few hours of the vulnerability being announced, according to the company. The large majority of the company’s servers were not vulnerable to this attack, as they run versions of the OpenSSL software that did not have the Heartbleed bug in them. Pengad’s main website, www.pengad.com, is patched and up to date.

ProCAT:

ProCAT.com and MyProCAT.com do not use the OpenSSL that is affected with the Heartbleed vulnerability.

RPM:

RPM’s servers were not affected by the Heartbleed bug.

StenEd:

StenEd was not affected by the Heartbleed defect.

Stenograph:

Stenograph confirms that there are no security concerns for anyone shopping on the Stenograph site. We do not use OpenSSL as the method to secure personal or financial information, so our websites are not (and were never) at risk from Heartbleed.

Stenovations:

Stenovations’ websites were not affected by the Heartbleed bug. Stenovations uses PayPal, which was not affected, as its payment processor. They also include this list of tips for Internet security:

  • Make sure each website has a unique, difficult to guess password.
  • If a website offers “Two-Factor Authentication”, turn it on.
  • Install updates for your computer and applications when they become available.
  • If required, use a secure password manager such as LastPass or KeyPass.
  • A longer password that you can remember is often better than a shorter one that you can’t.

StreamText:

StreamText.Net was not affected by the defect.

YesLaw:

YesLaw and YesLaw Online servers were not affected by the Heartbleed defect.

 

This page will be updated as new information comes in.

Personal computing: VPNs: When sniffing your data is rude

As with much in life, much about security on the Internet depends on how much risk you’re willing to take, if you know. If you don’t know, much depends on how lucky you are.

Should you sit back and take your chances? “Sniffers” can make this risky, but a “virtual private network,” or VPN, service can put the odds back in your favor.

With Internet security in general, the idea is to prevent hackers from finding ways into your computer, where they can capture your data, access your bank account or credit card, or take over your computer and use it to send out spam or take over the computers of others.

Many procedures are set up to protect you by default. Today’s computer operating systems come protected with their own firewall and antivirus software, though as usual better software can be had elsewhere through third-party vendors such as Symantec and Trend Micro.

Today’s best websites are protected through “Secure Sockets Layer,” or SSL, which encrypts information to or from the site and your computer or other device. Sites protected this way have Internet addresses beginning with “https” instead of “http.”

Passwords are required for many sites, and you can further your own protection by picking difficult-to-crack passwords that consist of a combination of at least eight letters, numbers, and special characters, with 10 or 12 being even better.

Banking and other websites holding sensitive data of yours typically require or give you the choice of two-factor authentication, such as asking you for the answers to selected questions you’ve previously given or texting to your cell phone a second temporary code or password when you try to log in.

Making sure you keep your operating system and software updated is also important in preventing hackers from finding cracks that let them find their way into your system.

In the office or at home, if you’re using a router, make sure it’s secured. You should have had to type in a security key, a type of password, to access it initially. The security key is often written on the outside of the router.

When you’re on the road, you should take special precautions. The free or low-cost Wi-Fi provided by many hotels, airports, libraries, bookstores, and coffee shops can be a great convenience. But not all such Wi-Fi providers provide a secure connection.

Secure connections require you to type in a security key or password provided to you by the facility. The best Wi-Fi security today is WPA2, with the earlier WPA a step behind. WEP is even less secure. And many facilities providing free Wi-Fi provide only unsecured connections.

The problem is packet analyzers or sniffers. This software serves legitimate purposes such as letting a company analyze its network traffic to best use its bandwidth or to monitor intrusion attempts. But the same software can be used by a would-be intruder sitting two seats down from you in the coffee shop. Such programs include Firesheep and Reaver.

At a Barnes & Noble bookstore once, I thought the connection was secure. But someone had captured my email address, password, and the email addresses of people I emailed. The next day my email recipients got an email impersonating me and making me sound foolish, a sophomoric joke probably by someone around the age of a college sophomore. It could have been worse.

Now I use a VPN service. Three highly recommended VPN services, getting good reviews in the computer press and anecdotally from fellow users, are Hotspot Shield (www.anchorfree.com), WiTopia (www.witopia.net), and Private WiFi (www.privatewifi.com).

In some cases a free, limited VPN version exists. When you’re protecting yourself in this way, it probably makes sense if possible to spring for the beefed-up pay version. You simply download and install the software before you use a public Wi-Fi hotspot. You can keep the software running all the time, or you can disable it temporarily when you’re back to using a secure business or home connection.

Other benefits of VPNs are anonymous browsing and access to content in foreign countries that may be restricted to U.S. users.

VPNs use authentication and encryption to provide virtual private tunnels for your data through the public Internet. In some cases, with VPN vendors that have lots of servers, your Internet speeds actually increase. In other cases speeds can slow down slightly or remain about the same.

What it comes down to is: How sensitive is your data? How much risk are you willing to take with it?