We’ve all had our web browsers (Chrome, Firefox) ask if we want to save our password for a website account.

By logging in to your Google or Firefox web browser, you can access these saved passwords from any device running the same web browser, so long as you are logged in to the Google or Firefox account on the device you are using. In addition, the web browser will auto-fill your username and password when you go to that website.

Although this is very convenient, it is not a safe way to manage your passwords when compared with the equal convenience and superior security of a Password Manager. Both Google and Firefox store your saved passwords both in a local web browser cookie and in your Google or Firefox online account.

The local saved passwords can be extracted and unencrypted from any of your devices. Tools to extract and un-encrypt  your saved passwords are readily available, and by using one of these on your device, these tools will show each web site where you’ve saved your password, providing both username and password. This process can be accomplished whether physically using the device or remotely connected to the device.

Best Practice – Use a Password Manager

LeeShanok recommends you extract all browser saved passwords, then install a Password Manager and re-enter your sites, usernames and passwords there. Following this, you’ll want to disable auto-saving of passwords in your web browser account. Firefox published an article Five Myths About Password Managers (https://blog.mozilla.org/firefox/myths-about-password-managers/).

Most Password Managers install a plug-in or add-on to your web browser, and when you log in to the Password Manager, you’ll have all the convenience with much better security. Adding 2-Factor Authentication to your Password Manager account will increase the security of your credentials.

For a list of available Password Managers, see the following reviews:

• PC Magazine – https://www.pcmag.com/picks/the-best-password-managers
• CNET – https://www.cnet.com/how-to/best-password-manager

Disable Password Saving in Web Browsers

• Chrome – https://support.google.com/chrome/answer/95606?co=GENIE.Platform%3DDesktop&hl=en
• Firefox – https://www.howtogeek.com/111555/view-and-delete-stored-passwords-in-firefox/

Please contact your LeeShanok Account Manager right away to discuss your situation and the assistance we can provide your team.

Your technology Partner,

The LeeShanok Team

Phishing and spam emails can use 2 methods to infect your computer, infected attachments, and URL links to malicious websites. Attachments can be saved to your local Downloads folder and scanned for threats prior to opening the file. However, it’s been more challenging to evaluate URL links for threats on the remote website.

Web-based URL scanning services have become commonplace to test links in an email you’ve received. Better to test the URL before you use a web browser to go to a malicious website, which can download malicious content that can infect your computer. There are good URL scanners, and at least one to stay away from.

Risky URL Scanner:  ScanUI  (https://urlscan.io)    DO NOT USE!

First, notice the “Recent Screenshots” section? These are available publicly and will often contain various screenshots from sessions running on the website or server, some of which may contain snips of spreadsheets and other work being done in connected sessions. Confidential information can be scraped from these screenshots by anyone, as they are made available publicly.

Second, notice the “Recent Scans” section? All scans of a website or server are made publicly available, and each recent scan may contain screen shots of connected sessions during the time of that scan.

This site should be avoided, and under no circumstances should you ever enter your own company website or server into urlscan.io. A better alternative would be to use the following “good” URL scan site.

Good URL Scanner:  VirusTotal  (https://www.virustotal.com/gui/home/url)

Your technology Partner,

The LeeShanok Team

Phoenix: 602-277-5757 | Tucson 520-888-9122 | itsupport@leeshanok.com

The AZ Tech Council hosts their annual “Tech & Business Expo”, a trade show normally at Tucson Convention Center that includes lots of interesting presentations, workshops, and vendor booths. This year with COVID-19, the event is going virtual and being entirely held inside the Verbela Open Campus platform. Navigating and communicating inside the event involves customizing an Avatar, and by using computer speakers and microphone a participant can speak with and listen to others in the event. Want to listen to a presentation? Just navigate your Avatar into the auditorium, sit down, and watch and listen to the presentation. The keynote speaker is from Raytheon sharing “Vision with Precision for Arizona and the Globe”.

LeeShanok’s team will be hosting a booth (called a “private room”) where we’ll be available to discuss technology ideas and best practices with attendees. We will have flyers on various topics available that you can download to your computer. We also will hold a post-event raffle of a $250 Amazon Gift Certificate, and a handful of $50 Certificates as well. To be entered into the raffle, attendees will need to take a screen snip of our private room and email that to us.

For members of AZ Tech Council, registration costs $20, and for non-members it’s $40.

Virtual Booth Exhibition Hall

Auditorium for Presentations

My Avatar in Auditorium

Overview and Registration
https://www.aztechcouncil.org/event/2020-southern-arizona-tech-business-expo-2/

We believe that virtual events are the wave of the future, reducing the need to travel while  enabling effective engagement and interaction within the event.

Come see us at our booth, and keep fingers crossed during our raffle.

Your technology Partner,

The LeeShanok Team

Phoenix: 602-277-5757 | Tucson 520-888-9122 | itsupport@leeshanok.com

Microsoft Exchange 2010 is reaching End of Support on October 13, 2020, the final step in the software’s life cycle. Though the software will continue to function after this date, Microsoft will stop providing any patches and updates, nor will they provide technical support or time zone updates.

Companies who’s email domain is hosted on Microsoft (Office) 365 with Exchange Online are not affected.

Migration alternatives are:

• Microsoft 365 with Exchange Online
• Microsoft Exchange 2016

Prior to October 13, 2020, you can migrate directly to Microsoft 365. But after this date, you will have to first migrate to Exchange 2016, then migrate to Microsoft 365.

Microsoft’s full report is found here:  https://docs.microsoft.com/en-us/microsoft-365/enterprise/exchange-2010-end-of-support?view=o365-worldwide

What should you do now ?

1. First contact your account manager at LeeShanok to discuss your email server
2. We will determine if you’ll need additional licensing and provide a quote with licensing and labor needed
3. Then we’ll prepare for and perform your migration

From then on, you can be more at ease with a supported and secure email platform on into the future.

Your technology Partner,

The LeeShanok Team

Phoenix: 602-277-5757 | Tucson: 520-888-9122 | itsupport@leeshanok.com

Access to your company domain and data stores may be controlled by sophisticated next-generation firewalls and access policies. But what about your remote and home-based workers who connect to your Microsoft Azure Active Directory, On-premise Exchange and Exchange Online, SharePoint Online, Teams, or Dynamics using their own devices and sitting in various locations? If they use an older device and connect through a public Wi-fi hotspot, there are numerous risks that your on-premise edge protection never gets the chance to evaluate.

Microsoft now provides Conditional Access controls that provide “zero trust” evaluation of all conditions or signals with enforcement of consistently applied and pre-determined access policies, providing protection from any user with any device at any location using any browser or app and accessing any data store.

Here is a simple model:

Conditions or Signals can include:

• Sign-in attempt
• User credentials
• Device (including mobile phones)
• Location (example: outside the U.S.)
• Client Apps (examples: web browser, email client)
• Mobile device

Enforced access policies can include:

• Require MFA (multi-factor authentication)
• Block legacy authentication
• Block access by location
• Require compliant devices
• Require compliant operating systems
• Block access except for specific apps

Policy enforcement can require:

• User must satisfy policy BEFORE accessing calling app
• User signs in to calling app, then policy is enforced

This structure can plug holes in out of date (legacy) policies. One legacy policy may allow senior staff members easy access to sensitive data once they’ve authenticated into your domain. This may be fine if they are using their office computer inside your firewall, but what if they are using an old laptop running Windows 7 in a public Wi-fi hotspot? There are multiple vulnerabilities present with this access attempt. Serious risk would also occur if that employee’s credentials were stolen, which an imposter could then use to gain access to the domain for easy access to anything, including your most sensitive data.

Zero-trust Conditional Access evaluates every connection attempt regardless of privilege, and after the condition or signal is evaluated successfully, the access policy is applied to that user’s connection, and if successful they are granted access to certain data by the app, device, and location being used for that one session.

This may sound inconvenient to senior staff whose time is valuable, but it happens very fast and is mostly un-noticeable. One common policy is to require MFA for every access attempt, regardless of user, device, or location. In today’s world where staff may work in the office, from home, at a restaurant, or the airport, it controls every access attempt according to policies that make sense for your business.

Requirements may include additional Microsoft licenses, however, these may already be bundled with Microsoft/Office 365, Azure AD, Intune, or Enterprise Mobility and Security Suite licensing that you already own.

1. First, contact your account manager at LeeShanok to let us know you’re interested
2. We will determine if you’ll need additional licensing, but many of our managed client firms already have all that’s needed
3. Our team will ask you some questions, gather information, and design your Conditional Access
4. Finally, we’ll set up the controls and implement the designed structure

From then on, you can be more at ease with the increased security to your domain, accounts, apps, and data.

Your technology Partner,
The LeeShanok Team