More stories

  • in

    An uncomplicated introduction to Uncomplicated Firewall

    When I first started using Linux, back in ’97, working with the built-in firewall was not something just anyone could do. In fact, it was quite complicated. Starting around 1998, if you wanted to manage the security of a system, you had to learn iptables (a suite of commands for manipulating the Netfilter packet filtering system). For example, if you wanted to allow all incoming secure shell (SSH) traffic, you might have to issue commands like this:

    sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

    That’s all fine and good if you have time to not only master the Linux operating system, but also know the finer points of managing a complicated security system. To be fair, I did spend the time and was eventually able to manage the security of my systems with iptables. However, the busier I got, the harder it became to keep up the level of mastery that iptables demands. Over time, things started getting more accessible and some Linux distribution developers began to realize an easier system was necessary. One of those more accessible Linux firewalls came into being with the Ubuntu distribution (around version 12.04). That firewall is aptly named Uncomplicated Firewall.

    Uncomplicated Firewall (UFW) is a frontend for iptables which focuses on simplicity. Compared to iptables, UFW is a leisurely stroll through the park that anyone can handle. Let’s take a walk down UFW lane and see just how simple it makes managing your Linux system firewall.

    There are two things you should know about UFW: it’s a command-line tool, and there are GUI tools available to make it even easier.

    The UFW command-line basics

    The UFW command is actually pretty simple. Let’s stick with our SSH idea from above. Let’s say you want to allow other systems to access your machine by way of SSH (which listens on port 22). First, you’ll want to see if UFW is even enabled. Guess what… it’s not by default. Test that out by opening a terminal window and issuing the command:

    sudo ufw status

    You’ll probably see the following:

    Status: inactive

    How do you activate it? Issue the command:

    sudo ufw enable

    The output of the command should be:

    Firewall is active and enabled on system startup

    Congratulations, your firewall is now active. As to the basic usage of UFW, it looks something like this:

    sudo ufw ARGUMENT SERVICE

    Where ARGUMENT is one of allow, deny, reject, limit, status, show, reset, reload, enable or disable, and SERVICE is the service you want to work with (such as SSH or HTTP).

    Next, we need to allow SSH traffic into the system. Believe it or not, that’s as simple as:

    sudo ufw allow ssh

    You could also run the command using the port number, like this:

    sudo ufw allow 22

    Or, if you run SSH on port 2022, that command would be:

    sudo ufw allow 2022

    If you’re working on a server and you need to allow HTTP traffic through, that command would be:

    sudo ufw allow http

    Let’s get a bit more advanced

    One of the nice things about UFW is that even using more advanced features doesn’t require advanced knowledge. Let’s say, for example, you want to allow SSH traffic in, but only from a specific IP address on your network. If you’ve already allowed incoming SSH traffic, you’ll first need to delete that rule with:

    sudo ufw delete allow ssh

    Now, if you try to SSH into the machine, the firewall will block the attempt. So, let’s allow SSH connections from IP address 192.168.1.152. For that, we’d issue the command:

    sudo ufw allow from 192.168.1.152 to any port ssh

    After running the above command, you should be able to log into the machine, via SSH, only from the remote system at IP address 192.168.1.152.

    What about the GUI?

    If the command line isn’t your jam, there’s always a handy GUI tool to make it even easier. One such tool is GUFW, which allows you to point and click your way to UFW firewall rules. If UFW isn’t installed on your Linux distribution by default, you’ll find it in your app store. Once installed, open the app and click on the Rules tab (Figure 1).

    The GUFW tool makes configuring your firewall even easier.
    Image: Jack Wallen

    As you can see, I already have a few UFW rules added. One thing to keep in mind is that you cannot edit rules that were added via the UFW command line. Let’s add the same rule via the GUI that we just did from the command line. Click + and then (from the Preconfigured tab) select the following:

    Policy – Allow
    Direction – In
    Category – All
    Subcategory – All
    Application – SSH

    That alone will create the rule allowing all SSH traffic into your system. If, however, you want to only allow traffic from a single IP address, you must click the Advanced tab and fill out the following (Figure 2):

    Name – any name you want
    Policy – Allow
    Direction – In
    Interface – All Interfaces
    From – 192.168.1.152

    Adding a rule to UFW to only allow SSH traffic from IP address 192.168.1.62
    Image: Jack Wallen

    Click Add and your rule is inserted into the firewall.

    And that, my friends, is your uncomplicated introduction to the Uncomplicated Firewall. But don’t think UFW is nothing more than a very basic firewall system. You can actually get considerably more complicated, but for the basics, UFW is easy enough for anyone to use.
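    The command-line procedure above has one sharp edge: once the firewall is enabled, a missing SSH rule (for example after `sudo ufw delete allow ssh`) cuts off anyone administering the box remotely. The guard below is an added example, not code from the original article or from the ufw project. It reads the listing printed by `ufw show added` (the `show` argument from the list above; unlike `ufw status`, it lists rules even while the firewall is inactive) and only runs `ufw enable` when an allow or limit rule already covers the SSH port. The sample listing, the `22` versus `22/tcp` spellings it accepts, and the `UFW` dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article or from the ufw project.
# Guard around "sudo ufw enable": read the output of "ufw show added" (it
# lists added rules even while the firewall is inactive, when "ufw status"
# shows nothing) and only enable when a rule already keeps the SSH port
# reachable, so an admin logged in over SSH is not locked out.
#
# UFW defaults to a dry run that merely echoes the command; on a live host
# set UFW="sudo ufw" in the environment before calling safe_enable.
UFW="${UFW:-echo sudo ufw}"

# Constructed sample of "ufw show added" after the article's rules were
# added (SSH from one address, HTTP from anywhere). Real output spells the
# port as "22" or "22/tcp" depending on how the rule was entered, so the
# parser below accepts both.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow from 192.168.1.152 to any port 22
ufw allow 80/tcp"

# ssh_rule_present PORT
#   Reads "ufw show added" text on stdin. Exit status 0 if an allow or
#   limit rule covers PORT, in either of the forms
#     ufw allow PORT[/tcp]
#     ufw allow from ADDR to any port PORT[/tcp]
#   and 1 otherwise. Deny and reject rules do not count: only allow/limit
#   keeps SSH reachable once the firewall is on.
ssh_rule_present() {
    awk -v port="${1:-22}" '
        $1 != "ufw" || ($2 != "allow" && $2 != "limit") { next }
        $3 == port || $3 == port "/tcp" { found = 1 }
        {
            for (i = 3; i < NF; i++)
                if ($i == "port" && ($(i + 1) == port || $(i + 1) == port "/tcp"))
                    found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# safe_enable PORT
#   Reads "ufw show added" text on stdin and enables the firewall only when
#   ssh_rule_present succeeds for PORT; otherwise leaves the firewall
#   untouched and returns 1.
safe_enable() {
    port="${1:-22}"
    if ssh_rule_present "$port"; then
        $UFW enable   # intentionally unquoted so UFW="sudo ufw" splits into words
        return 0
    fi
    echo "refusing to enable ufw: no allow/limit rule for port $port" >&2
    return 1
}

# Demonstration on the constructed listing (dry run, nothing is changed):
printf '%s\n' "$SAMPLE_ADDED" | safe_enable 22
printf '%s\n' "$SAMPLE_ADDED" | safe_enable 2022 || echo "enable was blocked"
# On a live host:  sudo ufw show added | safe_enable 22   (with UFW="sudo ufw")
```

    The first call echoes `sudo ufw enable` because the listing allows port 22; the second is refused because SSH on 2022 has no matching rule.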

  • in

    This malware-spreading PDF uses a sneaky file name to trick the unwary

    Attackers using the Snake keylogger malware for Windows are emailing malicious PDFs with embedded Word documents to infect victims’ PCs and steal information. Malicious PDFs are an unusual tool to use today because attackers prefer Office formats like Word and Excel, which are more familiar to PC users, according to threat analysts at HP’s Wolf Security who recently discovered the PDF malware campaign.

    The malicious PDF was used to infect PCs with Snake, a keylogger and credential stealer which was first spotted in late November 2020, according to HP. The attackers sent email with an attached PDF document named “REMMITANCE INVOICE.pdf” with an embedded Word document named “has been verified. However PDF, Jpeg, xlsx, .docs”. The reason for choosing this odd and actually rather sneaky file name for the Word document becomes clear when viewing the prompt that Adobe Reader displays when checking whether the user approves opening this file. The prompt reads: “The file ‘has been verified. However PDF, Jpeg, xlsx, .docs’ may contain programs, macros, or viruses that could potentially harm your computer.”

    An employee who hastily reads the notice could mistakenly understand that the file in question has been verified and is safe to open. Should the recipient then select “Open this file”, Microsoft Word opens. As HP notes, if Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document. (It should be noted that Microsoft Office opens documents from the internet in Protected View or Application Guard for Office by default.)

    Upon analyzing the Word document, HP’s analysts found an illegitimate URL from which an external object linking and embedding (OLE) object was loaded. The OLE object also contains shellcode that exploits CVE-2017-11882, an old remote code execution vulnerability in Microsoft Office Equation Editor that’s still popular with hackers. The shellcode downloads an executable called fresh.exe that is in fact the Snake keylogger, which has historically been distributed via malicious RTF documents or archive files attached to emails.

    “While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems. Embedding files, loading remotely-hosted exploits and encrypting shellcode are just three techniques attackers use to run malware under the radar. The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old, yet continues being used, suggesting the exploit remains effective for attackers,” HP notes.

  • in

    My Instagram account was hacked and two-factor authentication didn't help

    After almost 40 years in technology, it finally happened. I had one of my accounts hacked. Blast it. The target was my Instagram account. While I’m very active on social networks, Instagram was the one I used the least. Here’s what happened. 

    It all started when I got a plausible Instagram message from a friend. His message asked for my help and included a reset link for their account. Rather than asking me to click the link, which I’d never do in a million years, it simply asked me to send him back a screenshot of the message including the link. I thought, “How can I be hacked by sending a PNG image?” After all, it wasn’t a reset link for my account. So I replied with the image. Oh foolish, foolish me.

    It turns out the combination of the URL on the image and my reply gave them enough information to take over my account. Now, even when I saw trouble brewing — an Instagram e-mail came asking me if I wanted to change my phone number to one in Nigeria — I wasn’t too worried. I’d protected my account with two-factor authentication (2FA). While 2FA isn’t perfect, it’s better than anything else out there for basic security.

    But, here’s where things went awry. Instagram should have sent me an e-mail with a link asking me to “revert this change.” Instagram didn’t send such a message. Instead, I received e-mails from security@mail.instagram.com that provided a link about how to “secure your account.” This dropped me into Instagram’s pages for a hacked account, which wasn’t any help.

    In the meantime, I got another Instagram message telling me that my account was now associated with a new e-mail account, a garbage Gmail account. Once more Instagram didn’t give me a chance to refuse this change and the message sent me back to the Instagram hacked account page.

    Argh!

    I followed up with Instagram’s suggestions on how to bring my account back. I asked for a login link from my Android Instagram app. I got one, which didn’t work. Next, I requested a security code. I got one. That didn’t work either, no doubt because — by that time — the account was now responding to its “new” e-mail address and phone number.

    Next up, I verified my identity by providing the email address and phone number I signed up with and the type of device I used when I signed up. I had hoped for this message since I doubt very much there are that many people who sign up for Instagram from a Linux desktop! Well, it was a good idea, but nothing happened. Then, since my account had photos of me, I took a video selfie of myself to confirm that I’m a real person and confirm my identity. Nada.

    I would have called the Instagram tech support number, except — surprise! — there’s no such thing. After some digging, I was able to send a message directly to Instagram tech support. Instagram doesn’t make it easy to find this. In fact, the Instagram support link is actually a Facebook page. Good going, Meta!

    But even after that, it didn’t do me any good. I didn’t hear a peep out of them. So, I decided it was time to bring out the big guns. I sent a message as Steven J. Vaughan-Nichols, top technology journalist, to Instagram public relations asking for help and/or an explanation.

    That didn’t work.

    I guess I’m not that special after all.

    So, while I made the first mistake by opening the door to the hack, Instagram gets a lot of the blame for its 2FA system, indeed its entire security support system.

    But, hey, at least I’m not alone. The Bored Ape Yacht Club, a leading non-fungible token (NFT) collective, lost $3 million of NFTs to a hacker using a phishing attack. Like yours truly, the Bored Ape Yacht Club said, “At the time of the hack, two-factor authentication was enabled and security surrounding the IG account followed best practices.” They also said they were working with Instagram security and they’d report on what happened. That was almost a month ago.

    There appears to be a spate of these attacks going on. I’ve seen many reports of small businesses having their Instagram accounts hijacked. Several of my friends have reported the same. They also tell me that Instagram has been useless. One of them, who works in security public relations, reports he reached out to some white hats for advice, but they couldn’t help. Instagram appears to be a security black hole: users’ complaints go in and nothing comes out. He also had 2FA on and was bombarded by “all kinds of weird texts for confirmation about changing my password. Also got multiple emails from IG about resetting my password. I later got a letter from T-Mobile, my phone provider, about putting a SIM block on my account.” SIM blocks are used to keep your phone’s SIM card from being cloned, a popular way of getting around SMS-based 2FA. He also “filed a police report and had the police contact IG.” After all that, “IG support was useless” and he eventually lost his account.

    Personally, this has been really annoying, but it hasn’t really bothered me that much. I had less than 100 Instagram followers. My hacker appears to be using my former account to send cryptocurrency spam. Anyone who knows me knows I think cryptocurrency is a scam. I’ve spread the word that my account has been hacked, and people should report, unfriend, and block it. You’d think, with all those reports (well over two dozen people have told me they’ve reported it), Instagram might have put two and two together and realized my account had been hacked. Three weeks into this and Instagram still hasn’t bought a clue.

    But, it could be worse. Hackers are taking over corporate and influencer Instagram accounts and demanding ransomware payments of up to $40,000. What’s irritating to me is a business killer for others. I’ll shed no tears for the Bored Ape Yacht Club. NFTs are scams too and if you think otherwise I’ll happily sell you an NFT of the Brooklyn Bridge. However, many design shops, videographers, photographers, and marketing people depend on it for their livelihood.

    If Instagram doesn’t step up its security game, it’s time to find another platform for your business. I made, at most, one minor mistake, and lost my account. Instagram, with its pathetic security defenses, could lose your far more valuable account and you’d have no way to restore your account or your followers.

  • in

    Misinformation needs tackling and it would help if politicians stopped muddying the water

    Written by Chris Duckett, APAC Editor

    Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

    Image: Lynn Grieveson/Getty Images
    As Australians wake up on Monday with a new government after sending the Morrison-led one packing, this past election campaign has been one of the more shouty and incorrect elections in recent times, and not only from the candidates. One of the more commendable efforts this time around has been the misinformation bubble-bursting work undertaken by the Australian Electoral Commission (AEC) on Twitter. Rather than just being a boring corporate account, it has got sassy and has been stomping on any misinformation or disinformation it comes across. After watching electoral messes overseas, the AEC clearly formed a view that politely and meekly engaging was not an option to head off one of the biggest scourges of being online in the 2020s, and if the pilled mob are going to claim the election is rigged regardless of counter arguments, the AEC might as well have a proper go at them and take an infinitesimal shot at piercing their reality.

    For an example of how far misinformation can travel online, last week researchers of The Disinformation Project at Victoria University of Wellington released a study on how misinformation played into the New Zealand copycat version of the Canadian protest convoy earlier this year. In the first week of the New Zealand protest, misinformation and disinformation peddlers were able to garner more video views on Facebook than the entirety of the mainstream media in the nation. “On 11 February, video content by mainstream media was viewed less than the day before, while engagement with mis- and disinformation accounts remained about the same,” the researchers said. “Mis- and disinformation ecologies are heavily laden with conspiratorialism, Covid-19 denialism, and other harms, including from QAnon wellsprings in the United States, imported into Aotearoa New Zealand.”

    By March, the researchers found 73% of interactions were driven by a dozen misinformation accounts, and the classic, older conspiracy theories were rising in prominence to such an extent that some protesters “took to wearing hats made from tinfoil as protection”. Once the Ukraine invasion kicked off, the disinformation network shifted to parroting pro-Kremlin talking points. “By the end of March, in what was a sustained and stark content signature, every domestic telegram channel studied had pivoted to a near-exclusive framing of the Ukraine war through pro-Putin and pro-Kremlin frames,” the researchers said. “An inability to distinguish between real, fictive, and imagined events is a consequence of information disorders and the expansion of online mis- and disinformation into offline realities. These are significant challenges facing Aotearoa New Zealand society and government that must be addressed.”

    The implication of being complacent about disinformation, the researchers warned, is ending up in a place where people have vastly different views on how events unfolded and what actually took place. The obvious example of where this ends up is how America is still wrestling with the events of January 6, 2021.

    Australia has looked at granting powers to curb disinformation and misinformation on social media, and the AEC said earlier this year that all platforms would increase resourcing for election monitoring. Coming into the six-week election campaign, the AEC misinformation-fighting crusade had a succinct slogan: Check the source.

    But what if the misinformation is coming from inside the house and it is something that is found on the AEC’s disinformation register? No less a figure than former Prime Minister Kevin Rudd was falsely claiming that voting for one party means you end up voting for another. This is a piece of misinformation the AEC addressed in January, and the nub of it is that thanks to Australia’s preferential system, voters control where their votes go, not parties. This trope has been repeated from all sides of the spectrum, but with Labor looking to get over the line and form a majority government, Rudd’s replacement in the seat of Griffith tried to claim a vote for any of the three major parties other than hers would result in a Morrison government.

    Apart from the seriousness of spreading outright disinformation about how preferential voting in Australia works, there is the sillier idea of left-wing Greens supporting a right-wing government they’ve said they want to boot out. It is simply preposterous — and it turns out the universe is not without a sense of humour, as Griffith appears to have shifted Green, and yet the conservative government has been ditched.

    As psephologist Kevin Bonham points out, misinformation is not against the law, and the AEC is hamstrung to do anything itself; it is not a policing agency and does not regulate truth in advertising. It’s just something else that politicians are exempt from. You might be a wholly incorrect but genuine anti-vaccine truther who finds themselves booted off a platform, and yet a politician who very much knows how voting works can fib their way to victory without repercussions. It’s the sort of hypocrisy that “do your own research” types love to point at.

    Dealing with misinformation is fast approaching being table stakes for being online, for both users and platforms, and no doubt lawmakers are going to try to stem it — but politicians are not coming to the fight with clean hands. Restoring public faith in politics and democracy has a long way to go when even those who have risen to the top of the pile will tell porkies on the most sacred parts of the electoral process for a measly few votes.

    ZDNet’s Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We’re a global team so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US, and 10:00pm GMT in London.

  • in

    SolarWinds ready to move past breach and help customers manage theirs

    Written by Eileen Yu, Contributor

    Eileen Yu began covering the IT industry when Asynchronous Transfer Mode was still hip and e-commerce was the new buzzword. Currently an independent business technology journalist and content specialist based in Singapore, she has over 20 years of industry experience with various publications including ZDNet, IDG, and Singapore Press Holdings.

    SolarWinds is ready to move past the “cyber incident”, having spent the past year bolstering its build model and processes to better mitigate future cybersecurity breaches. It also has expanded its systems monitoring capabilities as part of efforts to help customers better manage the complexities of hybrid cloud environments.

    Mention SolarWinds and most would recall a colossal security breach that was triggered when a malware-laced update for the vendor’s Orion network monitoring platform was sent to customers. Thousands of companies received the Orion update containing the malicious code Sunburst, including US government agencies, Microsoft, Malwarebytes, and FireEye, which first raised the alarm in December 2020.

    Acknowledging that 2021 was a tough year, SolarWinds’ president and CEO Sudhakar Ramakrishna told ZDNet that the company spent the time and investment assessing what it needed to do to beef up its infrastructure and processes. In January 2021, with Ramakrishna then newly on board, SolarWinds brought in Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency, and former Facebook chief security officer Alex Stamos to help improve its security posture. Over the past year, Krebs and Stamos engaged governments and regulators and put in place best practices to drive the vendor’s focus on being “secure by design”, Ramakrishna said in an interview. While SolarWinds already had capabilities in this aspect prior to the breach, more were added across all elements of security, he said.

    Efforts were centred on three key areas around its infrastructure: its cloud assets and applications, software build, and processes. The focus here was to reduce the threat window in which a security incident could occur and alter the threat surface on which an attack could be launched, he explained. A new build process was then implemented to address these two objectives, he said, adding that the goal was not to provide a fixed target for attackers, by creating dynamic rather than static processes.

    In this “next-generation build system”, SolarWinds subscribes to four pillars intended to support “secure by design” software development principles and boost its resiliency against future attacks. These encompass, amongst others, “ephemeral operations”, in which resources are produced on demand and dismantled when tasks are completed, making it more difficult for threat actors to establish a base on systems. The vendor also adopts a “build in parallel” principle, where it creates multiple secured duplicates of its new build system and builds all artifacts in parallel, across all systems at the same time. This establishes a basis for integrity checks and “consensus-attested builds”.

    Apart from assessing the resilience of its systems, SolarWinds also spent the past year pumping in investments to expand its operations in two key regions, Asia-Pacific and EMEA, said Ramakrishna, who was in Singapore this week. In addition, it worked to “evolve” its product offerings to support customers’ digital transformation and changing needs, especially as more adopted multi-cloud environments, he said. In this aspect, the vendor looked to beef up its product capabilities across automation, observation, visualisation, and remediation.

    Describing 2021 as “tough” as it coped with the aftermath of the “cyber incident”, the SolarWinds CEO said the year also was “rewarding”, as the vendor was able to focus on bolstering its build systems and processes as well as make the investments it did. And while it remained associated with the security breach, he said SolarWinds also should be associated with how it handled and dealt with the breach and emerged from it. He noted that security incidents were “here to stay”, pointing to others that had followed since SolarWinds’ own breach, such as Kaseya, US Colonial Pipeline, Log4j, and more recently Okta.

    Deeper observability needed to manage complex hybrid environments

    Rather than roll over and play victim, though, Ramakrishna said companies needed to learn from such attacks and continuously work to better mitigate their impact. This was particularly critical amidst significant changes in IT environments, as organisations adopted hybrid work and were more dependent on cloud services, he said. As their ecosystems widened, they now had to deal with different environments with different security postures and different connectivity profiles, he noted. Security challenges were amplified along with demands on performance and the ability to identify and remediate issues, he added.

    It drove SolarWinds to pull together its monitoring capabilities and extend them to support such security requirements, he said. This included the need for deeper observability or “observation”, as he coined it, with a comprehensive system that could look at data across all entities including networks, databases, applications, users, and systems. Organisations then would be able to detect issues faster and remediate. In reiterating the need for security by design, Ramakrishna also underscored the importance of adopting a zero trust framework as well as the need for better collaboration between private and public sectors.

    “No company, regardless of how many resources you have or how smart and dedicated you are, will be able to thwart nation-state attacks,” he said, stressing the difficulty of defending against such threats. “The best way I know [that] needs to be done is for vendors like us to share information and be shy to share when we’ve been breached. Like any crisis situation, the faster we announce, the faster we accept help, the faster we resolve issues.”

    In addition, he urged governments to proactively share threat intelligence with the private sector so the industry could be more vigilant against potential attacks. While there currently was not enough of such exchange of information, he expressed optimism this would improve over time as there already was “collective will” to start doing so. “Threat intelligence should never be used as a competitive advantage,” he added. “We should compete hard on the value we deliver to customers, [but] not on holding back information from your competition with regards to threat intelligence.”

    Governments also had a role to play in how victims of cybersecurity breaches were perceived, he said, noting that victim-shaming would discourage companies from coming forward. An “environment of understanding” for those that complied would speed up resolution in the event of a security incident, he added.

    Asked about his priorities moving forward, Ramakrishna pointed again to SolarWinds’ significant investment to drive its expansion plans in Asia-Pacific, which he said could be its fastest growing region. He declined to break down the vendor’s growth and investment numbers by region, but said it recently established offices in South Korea and expanded its presence in Japan as well as Asean and ANZ.

    In its first quarter 2022 earnings report last week, SolarWinds reported revenues of $177 million, up 2% year-on-year. Subscription revenue grew 37% year-on-year to hit $38.7 million, with adjusted EBITDA clocking in at $69 million. For the year, it forecasted revenue to range from $730 million to $750 million, on year-on-year growth of between 2% and 4%. According to Ramakrishna, the vendor’s customer renewal rates prior to the breach had hovered in the low- to mid-90s, but dipped to the 80s in 2021 following the December 2020 cyber incident. Numbers since had climbed back up to 91% in the first quarter of this year, he said.

  • in

    Microsoft's out-of-band patch fixes Windows AD authentication failures

    Microsoft has released an out-of-band patch to fix authentication failures on Windows after installing the May 10, 2022 security update on Windows Server domain controllers. The new update should fix authentication failures that affected services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

    “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,” Microsoft explained.

    The US Cybersecurity and Infrastructure Security Agency (CISA) this week pulled Microsoft’s fix for the bug CVE-2022-26925 from its list of known exploited vulnerabilities that federal agencies must patch within a given timeframe. The bug was a Local Security Authority (LSA) spoofing vulnerability. Details of the bug have been publicly disclosed and exploits exist for it. An unauthenticated attacker could “call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft said. The bug would have a severity score of 9.8 when it is chained with NTLM relay attacks on Active Directory Certificate Services (AD CS), Microsoft added.

    The authentication issue was only caused after installing the May 10 update on Windows Server domain controllers. Any previously applied workarounds are no longer needed, according to Microsoft. Microsoft’s out-of-band patch also fixes a separate issue, caused by the April KB5011831 or later updates, that stopped some Microsoft Store apps from opening.

    The cumulative updates with the out-of-band fix are available for Windows Server 2022 (KB5015013), Windows Server, version 20H2 (KB5015020), Windows Server 2019 (KB5015018), and Windows Server 2016 (KB5015019). Microsoft has also released standalone updates for Windows Server 2012 R2 (KB5014986), Windows Server 2012 (KB5014991), Windows Server 2008 R2 SP1 (KB5014987), and Windows Server 2008 SP2 (KB5014990). Admins can manually import the updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.

  • in

    Does disk encryption slow down your PC? [Ask ZDNet]

    If you forget your password, you are indistinguishable from a hostile intruder and you will be treated as such, which means you will be locked out from your encrypted data.
    Welcome to this week’s installment of Ask ZDNet, where we answer the questions that make Dear Abby’s eyes glaze over. In the mailbag this week: A reader is concerned about the negative side effects of full disk encryption. Also: How your EV charger can pay for itself in a year or less, plus email archiving secrets.  If you’ve got a question about any of the topics ZDNet covers, one of our team of editors and contributors probably has an answer. If they don’t, we’ll find an outside expert who can steer you in the right direction. Questions can cover just about any topic that’s remotely related to work and technology, including PCs and Macs, mobile devices, security and privacy, social media, home office gear, consumer electronics, business etiquette, financial advice … well, you get the idea. Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Ask away. 

    What’s the downside of disk encryption?

    Does encrypting a disk make it less likely that data can be recovered with utilities after a crash? (Of course, that data should be backed up, but….) Does encrypting the disk make it more likely to have errors and failures? Does encrypting the disk make it harder to transfer to a bigger boot disk? I’m sure any tradeoffs are well worth it for important, sensitive data. But are there risks for the average home user?

    Make no mistake about it, disk encryption is a powerful security precaution. With strong full-disk encryption, your data is readable only by someone who holds the key. An intruder who gets hold of the encrypted drive, whether by walking off with the laptop or by pulling the disk out of it, sees nothing but ciphertext, and brute-forcing a properly generated AES key is out of reach even for the world’s most powerful intelligence agencies. In practice the weak point is never the cipher; it is the password or recovery key that unlocks it. Keep in mind, too, what disk encryption does not do: it protects data at rest. Once the machine is booted and unlocked, the operating system reads and writes the disk in the clear, so encryption is no defense against malware running on the logged-in system.

    And now the bad news: if you forget your password and have no recovery key, you are indistinguishable from a hostile intruder and you will be treated as one, which means you will be locked out of your encrypted data.

    That’s not a bug, it’s a feature. A backdoor that let you recover your data without the decryption key would be equally available to an attacker, rendering the protection useless.

    Beyond that, an encrypted disk behaves much like one where the data is stored in the clear. If your drive or controller fails and corrupts data, it doesn’t matter whether the data was encrypted or not; you’ll need a backup to recover the damaged files. The one wrinkle concerns recovery utilities: a file-recovery tool can only make sense of an encrypted volume after that volume has been unlocked, so if the volume will no longer unlock, the tool sees random bytes. That is one more reason the recovery key matters. The same goes for moving to a bigger boot disk: the safe sequence is to suspend BitLocker before cloning and resume it afterwards, with the recovery key at hand in case the new configuration sends the machine into recovery mode.

    As for speed, modern CPUs carry dedicated AES instructions (AES-NI on x86), and encryption and decryption ride on them. The overhead is small enough that most users never notice it; it shows up mainly in synthetic benchmarks on very fast NVMe drives.

    Which means your biggest challenge is to ensure that you have access to the recovery key for your device, for use only in an emergency. On a Mac using Apple’s FileVault encryption, you can store the recovery key in iCloud or locally (follow the instructions in Apple’s FileVault support article). For devices running Windows 10 or Windows 11, follow the instructions in ZDNet’s BitLocker FAQ.

    Make sure you store that recovery key in a safe place. Anyone who can supply that key on demand has full access to the data on the encrypted disk, so treat it as you would the password itself: not on a note taped to the laptop, and not in a file on the very disk it unlocks.
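    For the Windows side of that advice, here is an added example (not from the column or from Microsoft) that makes sure the OS volume has a BitLocker recovery password, writes a copy to a location you control, and optionally escrows it to Active Directory or Azure AD. It assumes an elevated session, the BitLocker module that ships with Windows 10/11 Pro, Enterprise and Education, that the OS volume is the system drive, and that the `$OutFile` path points at removable media you keep offline; all three paths and names are placeholders.

```powershell
# Added example (not from the column or Microsoft): make sure the OS volume has a
# BitLocker recovery password and put a copy somewhere you control.
# Requires an elevated session and the BitLocker module (Windows 10/11 Pro,
# Enterprise or Education). The $OutFile path is a placeholder (assumption).
function Export-BitLockerRecoveryPassword {
    param(
        [string]$MountPoint = $env:SystemDrive,              # assumption: the OS volume is the system drive
        [ValidateSet('None', 'ADDS', 'AzureAD')]
        [string]$EscrowTo = 'None',                         # where to keep an online copy, if anywhere
        [string]$OutFile = 'E:\bitlocker-recovery.txt'      # assumption: removable media you keep offline
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is $($vol.ProtectionStatus) on $MountPoint; the data is not locked yet."
    }

    # Look for a 48-digit recovery password. TPM-only volumes may not have one until you add it.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol      = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $recovery) {
        # The recovery password is a full-access credential: anyone holding it can unlock the disk,
        # so the file it lands in deserves the same care as the disk itself.
        $line = '{0} {1} {2} {3}' -f $env:COMPUTERNAME, $MountPoint, $p.KeyProtectorId, $p.RecoveryPassword
        Add-Content -Path $OutFile -Value $line

        switch ($EscrowTo) {
            'ADDS'    { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
            'AzureAD' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
        }
    }
    $recovery | Select-Object KeyProtectorId, RecoveryPassword
}

# Usage: write the key to the removable drive and also escrow it to Azure AD.
Export-BitLockerRecoveryPassword -EscrowTo 'AzureAD'
```

    The escrow cmdlets only succeed on a machine that is domain-joined (for `ADDS`) or Azure AD-joined (for `AzureAD`); on a stand-alone home PC leave `-EscrowTo` at its default and rely on the offline copy. The function returns the protector IDs and passwords so you can compare them against what the BitLocker recovery screen asks for: the screen shows the key ID, and the matching 48-digit password is the one to type.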

    Do I really need an expensive charger for my new electric vehicle?

    I’m about to purchase a new electric vehicle. Do I really need to pay $500 or more (plus installation) for a fancy charger in my garage?

    You only need two things to charge your EV: a 240V power outlet, and a cable to connect that power supply to your car’s charging port. (Yes, EV owners in the US can plug into a standard 110/120V outlet, but the charging rates are too slow to make that practical for everyday use, especially if you have a long commute.) Plug in the vehicle as soon as you get home; unplug it when you’re ready to leave. Easy, right?

    That basic setup can cost you dearly, however, if your local utility bills on a “time of use” plan, with different rates per kWh depending on the time of day. In most regions, peak rates apply in the afternoon and early evening, when demand is highest, and much lower rates apply in the wee small hours of the morning. Some power companies even offer plans tailored to EV owners. Georgia Power, for example, offers a Plug-In Electric Vehicle Plan that charges 1 cent per kWh in the Super Off-Peak hours between 11 p.m. and 7 a.m. but bills at 7 cents or 20 cents per kWh at other times. In Oregon, the Time of Day plan from Portland General Electric charges 6.5 cents per kWh in off-peak hours from 9 p.m. to 7 a.m. but 30.6 cents during peak hours, 5 p.m. to 9 p.m.

    And that’s where a charger comes in handy. Use the charging app to specify that you only want to deliver power to the vehicle when rates are low. Over the course of a year, the savings from charging during off-peak hours can pay for the charger several times over.

    What’s the best way to archive my email?

    I have two email accounts, one hosted with Microsoft’s Outlook.com and the other with Gmail. After archiving my email and deleting unimportant messages, I would like to download the rest of them into year-wise folders on my laptop or external hard drive. What’s the best way to do this?

    Here at Ask ZDNet, we are normally can-do people, obsessed with finding a way to show you how to Do The Thing You Are Trying To Do. But just this time, we are joining Team Please Don’t Do That Thing You Are Trying To Do.

    Downloading email to local copies is a form of digital hoarding. You don’t need to do that! If you move those messages to the Archive folder on the service where they were originally received, you can review and search the archive at any time. If a search turns up a message you need, you can copy, print, reply to, or forward it as needed. You don’t need copies saved to your local PC. (For the rare Truly Important Message that deserves its own copy, such as a hotel reservation confirmation or a digital receipt you know you might need, use the Print function to save the message as a PDF file.)

    Your Outlook.com account stores up to 15 GB of mail for free; a paid Microsoft 365 business account includes 50 GB of storage. A free Gmail account also includes 15 GB of storage, but that allotment is shared with whatever you’ve stored in Google Photos and Google Drive. If your archive becomes truly gargantuan, the cost of upgrading your email storage is relatively small and well worth it.

    You can, of course, always synchronize a copy of your Archive folder to a local store in an app like Outlook. If you’re worried that Microsoft or Google will be inaccessible at the precise moment you need an old message, that option covers you. It accomplishes everything you’re trying to do, without hoarding.



    Fake domains offer Windows 11 installers – but deliver malware instead

    Security researchers have found a new collection of phishing domains offering up fake Windows 11 installers that actually deliver information-stealing malware. 

    Cybersecurity firm Zscaler said the newly registered domains appeared in April 2022 and were designed to mimic Microsoft’s legitimate Windows 11 download portal.

    ‘Warez’ sites offering pirated material, including software and games, are notorious hotbeds of malicious packages, including Trojans, information stealers, adware, and nuisanceware. Cracked software is offered for free to users who want to avoid paying for licenses or gaming content, and a brief scan of active warez sites turns up listings for Windows, macOS, and Linux applications, including Adobe Photoshop, various creative applications, enterprise editions of Windows software, and a host of films and games. If you risk the download, you may be opening your machine up to infection, and the same applies when you download software you trust from a suspicious web address.
    The payload in the case Zscaler documented is Vidar, an information stealer. Its operators spread it through phishing and through social networks, including Mastodon, the decentralized, open-source software used to run self-hosted social networks. In two instances the criminals created new user accounts and stored command-and-control (C2) server addresses in the accounts’ ‘profile’ sections. In a new development, the Vidar group is also opening Telegram channels with the same C2 address stored in the channel description, so malware implanted on a compromised system can fetch its C2 configuration from those channels.

    Vidar spies on users and steals their data, including OS information, browser history, online account credentials, financial data, and cryptocurrency wallet credentials. It has also been spread through the Fallout exploit kit.

    While the fake website poses as the official download portal, the file on offer is an .ISO image containing the Vidar payload, packed with Themida. The malware reaches its C2 through a static, embedded configuration, with the social media profiles serving as backup URLs if that fails.

    In addition to the .ISO files distributed as fake Windows 11 installers, Zscaler also uncovered a GitHub repository storing backdoored versions of Adobe Photoshop, another popular item on warez sites.

    The best way to mitigate the risk of Vidar is to download software only from trusted, official domains, and not to give in to the lure of free, cracked software. A file’s name and the look of the page that served it prove nothing; the hash the vendor publishes and the code signature on the installer are what can be checked.

    “The threat actors distributing Vidar malware have demonstrated their ability to social engineer victims into installing Vidar stealer using themes related to the latest popular software applications,” the researchers say.
    “As always, users should be cautious when downloading software applications from the Internet.”
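    Caution is cheap to automate. The following is an added example, not code from Zscaler or from the article, that checks a downloaded Windows 11 ISO two ways before anything in it is run: the file’s SHA-256 against the value Microsoft publishes on the official download page, and the Authenticode signature on the setup.exe at the root of the image (a genuine Windows ISO carries one at the root; a lure ISO carries an unsigned or otherwise-signed binary). The ISO path and the `$ExpectedSha256` placeholder are assumptions to be replaced with your own download and the hash copied from microsoft.com; no hash is taken from the article.

```powershell
# Added example (not from Zscaler or the article): verify a downloaded Windows 11 ISO
# before running anything from it. Paths and the expected hash are placeholders.
function Test-WindowsIso {
    param(
        [Parameter(Mandatory)] [string]$IsoPath,          # absolute path; Mount-DiskImage needs one
        [Parameter(Mandatory)] [string]$ExpectedSha256    # value copied from Microsoft's download page
    )
    $result = [ordered]@{
        Path = $IsoPath; HashMatches = $false; SetupSigned = $false; Signer = $null; SignatureStatus = $null
    }

    # 1. Publisher hash. If this fails, stop: the file is not what the vendor shipped,
    #    whatever the page that served it looked like.
    $actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
    $result.HashMatches = ($actual -ieq ($ExpectedSha256 -replace '[^0-9A-Fa-f]', ''))

    # 2. Mount the image (mounting executes nothing) and inspect setup.exe's Authenticode signature.
    Mount-DiskImage -ImagePath $IsoPath -StorageType ISO | Out-Null
    try {
        $letter = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter
        $setup  = Join-Path ('{0}:\' -f $letter) 'setup.exe'
        if (Test-Path -LiteralPath $setup) {
            $sig = Get-AuthenticodeSignature -FilePath $setup
            $result.SignatureStatus = $sig.Status
            $result.Signer          = $sig.SignerCertificate.Subject
            # 'Valid' means the chain builds to a trusted root and the file is unmodified;
            # the subject check is the coarse "is it Microsoft" test on top of that.
            $result.SetupSigned = ($sig.Status -eq 'Valid' -and
                                   $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        }
    } finally {
        Dismount-DiskImage -ImagePath $IsoPath | Out-Null
    }
    [pscustomobject]$result
}

# Usage (placeholders): the hash must come from Microsoft's own page, not from the site that served the file.
$check = Test-WindowsIso -IsoPath 'C:\Users\me\Downloads\Win11_English_x64.iso' `
                         -ExpectedSha256 'paste-the-sha256-from-the-microsoft-download-page'
$check
if (-not ($check.HashMatches -and $check.SetupSigned)) {
    Write-Warning 'Do not run this installer: hash or signature check failed.'
}
```

    The hash comparison is the stronger of the two checks, because it covers every byte of the image rather than one file inside it; the signature check is what catches the common lure, an ISO whose setup binary is an unsigned stealer rather than Microsoft’s installer. A `SetupSigned` of `False` with a `SignatureStatus` of `NotSigned`, or a `Signer` that is anyone other than Microsoft, is exactly the pattern the Zscaler report describes, and the file should be deleted rather than opened.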