Microsoft has released security updates for Windows and Outlook that all users should apply immediately, as they address several critical security vulnerabilities that have already been exploited by Russian hackers.
If your organization’s computers are enrolled in Macktez Workstation Management, we were able to ensure that all PCs were up to date. Macktez even remotely rebooted computers that still needed a restart in order to apply the security patches.
If your organization’s computers are not enrolled in Macktez Workstation Management, you should apply updates right away to make sure that Windows and Outlook are current.
– Select Start > Settings > Windows Update
– Then select Check for updates.
– If updates are available, choose to install them.
Or go to this Microsoft Support page and click the “Check for updates” button.
If you need any help with this or have any questions, please email us to let us know what the issue is.
In addition, if your mail provider is Microsoft 365, Macktez is available to run a script that checks accounts to see if this vulnerability has been exploited at your organization.
What’s really going on?
The vulnerability allows hackers to send you a specially-formatted email or calendar invite that can share an important part of your Windows internal password management tool. This, in turn, can allow hackers to try for more targeted attacks.
The exploit appears to have been used by state-sponsored hackers in Russia against targets in Ukraine for at least the past year. If you are not involved in that conflict, it is highly unlikely that your organization has been targeted. But now that Microsoft has announced the vulnerability, bad actors everywhere are aware of it and have likely already started trying to use it against unpatched systems.
Note: macOS, iOS, and Android versions of Outlook do NOT have the same vulnerability.
Microsoft regularly updates Windows and other Microsoft applications on the second Tuesday of every month (“Patch Tuesday”). Not all updates are as critical as this month’s, but they are all important and recommended — you should keep automatic updates on and restart your computer at least weekly to make sure that patches are fully applied and your system is current.
Macktez Workstation Management provides a core set of tools on end-user computers that allow us to manage software patching, antivirus and malware protection, and standard security policies such as screen lock and local encryption. Our clients with workstations enrolled in this subscription are guaranteed to have the latest security updates already installed, and this week we were able to issue a reboot command to any workstations that hadn’t yet completed the latest updates. If you’d like your organization to have the same protection, contact us and we can meet to discuss your options.
Over the past few months, Google Drive, Dropbox, Box, and OneDrive users on Apple computers have experienced small and not-so-small changes to how files saved to these cloud services appear in the Finder. The notes below address the user experience with Google Drive specifically, but some of these particulars are relevant also for other cloud file storage solutions.
User experience changes in Google Drive for Desktop
Where to find “Google Drive”
In Finder, “Google Drive” no longer appears in the “Favorites” section of the sidebar, and instead is listed under “Locations.” You will still be able to see a link to “Google Drive” from your Home directory, right after “Desktop,” “Documents,” and “Downloads.”
If you have connected more than one Google account to Google Drive for Desktop (for example your business and personal accounts), this link will include your email address to distinguish the different accounts.
As a result of this change from “Favorites” to “Locations,” any shortcuts to Google Drive folders that you created and saved to your Desktop or to the sidebar in Finder will be broken and will need to be recreated manually. What’s especially confusing is that you might still see the files you expect inside these folders when you click these old links, but they will not be the files that are syncing to Google Drive. Be sure to recreate all your Google Drive shortcuts.
Move and copy files in Finder
Previously, if you dragged a file from a Google Drive folder to your Desktop or another local storage space, your computer would copy that file. Now, if you just drag a file from Google Drive to Desktop that file will *move* and get deleted from Google Drive. That’s confusing, and can even be a little alarming, but not if you think about it this way: dragging a file from Google Drive to your Desktop now works the same as dragging any file in your Finder — it moves the file. If you want to copy the file while dragging, hold down the option key.
External references may get messed up
The old version of Google Drive created full file paths for everyone that started with /Volumes/GoogleDrive/ and were the same for all users. Under the new architecture mandated by Apple, the full path goes through your Home folder (/Users/[yourname]/Library/CloudStorage/GoogleDrive/), which is different for every user. This can be a big problem for teams sharing files with externally-referenced files (ex-refs).
When you place images or other drawings into a file in InDesign or AutoCAD, the program is saving a file path to this ex-ref. Whenever possible, that file path is a relative file path that indicates where the ex-ref is in relation to the main file. But in certain situations the file path saved is an absolute path, starting from the top level or root level of your entire directory. When that happens, this full file path to an ex-ref won’t be the same for you as it is for your colleagues, because the absolute path includes the name of your Home folder, which is the same as your computer login name. That means that if you place a drawing into AutoCAD, and then your colleague opens that AutoCAD file to make additional edits, they won’t be able to work on the ex-ref you placed.
The solution generally is to make sure that ex-refs live in the same folder as the main file you are working on, or in a folder below that file. That way the file path for an ex-ref can always be a relative path and won’t need to use the name of your Home folder.
Some users have experienced problems that are not intentional security changes and are more easily classified as bugs. If any of these are happening to you, first try a simple restart of your computer. If that doesn’t help, a reinstall of Google Drive for Desktop is usually the best course of action.
– Google Drive seems to be constantly syncing files and limiting the performance of your computer.
– Google Drive starts saving files locally that are meant to be saved only in the cloud. If this happens with a large folder, you can end up running out of storage space on your computer.
– Google Drive is not reporting the sync status of certain files correctly — files you add to Google Drive in your Finder are not showing up at drive.google.com in your web browser and are not accessible for your colleagues.
What’s really going on?
All these changes are related to a new API for cloud storage providers called File Provider that Apple first released in macOS 12.1 to integrate cloud file storage solutions more securely and consistently in the operating system. While Box responded to Apple’s extension change in 2021, only since September 2022 have we seen Google Drive, Dropbox, and OneDrive rewrite their applications for desktop integration to use the new API.
Cloud file storage solutions that show up as external drives in Finder have been available for years, but were always a bit of a hack, and were implemented in different ways on different systems using “kernel” extensions that were allowed to make deep changes to Apple’s OS. These hacks were incredibly helpful for users, especially when cloud file storage solutions figured out how to show you all the files you had in the cloud without actually downloading them. But kernel extensions presented a security problem for Apple in that they implemented changes to core OS functions and opened up security vulnerabilities that Apple couldn’t cover.
Apple has deprecated support for kernel extensions in general. In order to accommodate the popular and useful cloud file storage solutions, Apple published a new API called File Provider that created integration to these cloud services at the user level, not the system level. As a result, the applications that run the interface for interacting with these cloud files needed to be rebuilt.
Certain changes in functionality are expected and even desired by Apple (like how files are moved, not copied, when you drag them). Others are user-interface bugs that will hopefully get cleared out as Google continues to update Google Drive for Desktop.
How do you know if you’re on the new version?
If you are running macOS 12.1 or higher (Monterey or Ventura) then you are probably already using the most recent version of Google Drive for Desktop and have had these changes implemented. The best way to be sure is to check the preferences of Google Drive.
– Click the Google Drive icon in your menu bar.
– Click the gear icon, then Preferences.
– Click the gear icon in the window that appears. Here you’ll see more detailed preferences for each of the Google accounts you have connected to Google Drive for Desktop.
– Under “Google Drive streaming location,” if the “Change” link is grayed out and you see the notice “Folder location is controlled by macOS,” you are working under the new architecture described above.
A retail client recently approached us with a challenge: can Macktez help them to deliver 3-5 million emails a month to verified subscribers from multiple platforms without getting tagged as spam?
Why is that so hard? Well, a lot has changed in the world of technology in the past four decades, but the current protocols for sending and receiving email, solidified in the 1980s, have not.
That leaves a lot of room for mess, misuse, and misunderstanding for those of us trying to separate the signal from noise in our own inboxes as well as for organizations that rely on large email campaigns to reach their customers and drive business.
Google and Microsoft in particular have been attacking that first problem aggressively, flagging email they recognize as spam or phishing attempts and encouraging users to take cybersecurity seriously.
But what about organizations like our retail client that legitimately need to send a high volume of email, want to make sure that email is delivered, and want to make sure that no one is sabotaging their online identity with spoofs and malicious content?
The answer involves a number of acronyms and backend services as well as continued human attention to manage and monitor configuration changes. The tools involved are useful for any organization concerned with its online reputation, but especially impactful for any with high-volume email requirements.
First, the acronyms:
– SPF (Sender Policy Framework) is a protocol for letting the world know what outgoing mail servers are allowed to send email from your domain.
– DKIM (DomainKeys Identified Mail) is a protocol that proves an email that says it came from your outgoing mail server really did.
– DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that leverages SPF and DKIM to produce detailed reporting on all email associated with your domain name, and then lets you send specific instructions to recipients’ mail servers about what to do with invalid email.
Configured properly, used together, and then monitored and adjusted over time, these tools can greatly reduce cybersecurity risks and increase deliverability for legitimate email. (We include these tools and services in Macktez Domain Management as a monthly subscription.)
When your company receives all its email through Google, for example, but sends email using Mailchimp, SPF, DKIM, and DMARC all need to be used together to ensure that the Mailchimp email isn’t flagged as spam.
Our big retail client is using several marketing and retail services to send 3-5 million emails per month on the company’s behalf. The sheer number of emails sent requires a careful application of policy to make sure they reach their intended audience, and each of the services used to send email needs to be incorporated into the DMARC policy and monitored.
Macktez spearheaded the Domain Management project with our client. First, we confirmed or established correct SPF and DKIM records for every service our client uses to send email. Then we wrote a DMARC policy that at first collects information on all email alleging to come from our client’s domain.
Once we had enough data, we worked closely with several key members of the client’s staff to make adjustments and additions to the DMARC policy. Then we slowly adjusted the percentage of invalid emails that DMARC would instruct recipient mail servers to quarantine or reject outright. This part of the process needs to be done incrementally and with ongoing attention to make sure that the policy is being applied correctly. It’s important not to rush this, or else you run the risk of legitimate emails getting blocked.
Within the first two months we could confirm through DMARC reporting that the number and percentage of sent emails that were delivered properly had gone up. Two more months of monitoring and policy adjustments showed that percentage continuing to increase, with authentic messages being delivered as intended while illegitimate messages (spoofing attempts of the domain sent from non-authorized servers) were consistently flagged.
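One way to read DMARC aggregate reports before raising the quarantine/reject percentage, as an added example rather than Macktez's own tooling. The report, the example.com domain, the documentation-range IP addresses, the known-sender list, and the rollout percentages are all constructed assumptions.

```python
"""Summarise a DMARC aggregate (RUA) report before tightening the policy."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate report layout (not real data).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>4200</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row>
    <source_ip>198.51.100.25</source_ip><count>1500</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row>
    <source_ip>198.51.100.77</source_ip><count>260</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row>
    <source_ip>203.0.113.5</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Hypothetical inventory: IPs of the services the organisation sends through.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.25", "198.51.100.77"}

# Illustrative rollout ladder; the percentages are an assumption.
RUA = "rua=mailto:dmarc-reports@example.com"
STAGES = [
    f"v=DMARC1; p=none; {RUA}",                  # collect reports only
    f"v=DMARC1; p=quarantine; pct=10; {RUA}",
    f"v=DMARC1; p=quarantine; pct=50; {RUA}",
    f"v=DMARC1; p=quarantine; pct=100; {RUA}",
    f"v=DMARC1; p=reject; pct=100; {RUA}",
]


def summarise(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}} message counts.

    DMARC passes when aligned DKIM or aligned SPF passes; the
    <policy_evaluated> element carries those aligned results.
    """
    root = ET.fromstring(report_xml)
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        bucket = "pass" if aligned else "fail"
        totals[row.findtext("source_ip")][bucket] += int(row.findtext("count"))
    return dict(totals)


def readiness(totals, known_senders):
    """Separate failing known senders (fix SPF/DKIM first) from unknown sources."""
    total = sum(t["pass"] + t["fail"] for t in totals.values())
    passed = sum(t["pass"] for t in totals.values())
    failing = {ip: t["fail"] for ip, t in totals.items() if t["fail"]}
    fix_first = {ip: n for ip, n in failing.items() if ip in known_senders}
    unknown = {ip: n for ip, n in failing.items() if ip not in known_senders}
    return {
        "pass_rate": round(100 * passed / total, 1),
        "fix_first": fix_first,                # legitimate mail that would be blocked
        "unauthenticated_unknown": unknown,    # what quarantine/reject is meant to stop
        "safe_to_tighten": not fix_first,
    }


def next_record(stage_index, result):
    """Advance one rung of the ladder only when no known sender is failing."""
    if result["safe_to_tighten"] and stage_index < len(STAGES) - 1:
        return STAGES[stage_index + 1]
    return STAGES[stage_index]


if __name__ == "__main__":
    result = readiness(summarise(SAMPLE_REPORT), KNOWN_SENDERS)
    print(result)
    print("Publish at _dmarc.example.com:", next_record(0, result))
```

In this constructed report, 198.51.100.77 is a known sender failing both checks, so the policy stays at `p=none` until that service's SPF or DKIM record is corrected.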
This allowed our client to feel secure and confident that its marketing and sales emails were properly reaching its customers, and that any malicious attempts to subvert its stellar domain reputation were being blocked.
Our client’s marketing, sales, and customer experience teams benefit from the confidence that their emails are being sent with proper authentication and are being received by their customers without issue, while their customers get added security of knowing that spoofing attempts appearing to come from this company won’t even make it to their inbox.
Macktez does not use LastPass, nor does it manage any backups through LogMeIn Central. But Macktez has used LogMeIn as a tool to remotely access client computers for years, so it is important that we consider the implications of this service being mentioned in Goto’s incident response.
After review, we are confident that no client workstations are vulnerable to unauthorized access through Macktez’s LogMeIn account.
Our threat assessment is based on the following:
– All LogMeIn users on Macktez’s account — including clients who need remote access to their own workstations — have multi-factor authentication (MFA) enforced as an added protection against a password breach.
– Any remote workstation credentials saved by LogMeIn users are saved only locally, so would not have been exposed in Goto’s security breach.
– Goto has forced all LogMeIn users to update their Goto password and MFA this week out of an abundance of caution, mitigating any possible exposure of passwords or MFA keys.
Goto’s incident response and discovery may not yet be finished, and we will continue to monitor the situation closely. But based on our specific use of Goto’s services and the security precautions mentioned above, we consider Macktez’s position, and access to our clients’ workstations, to be secure.
(Last Updated: 2/6/2023)
On January 22, Apple began assertively pushing the upgrade of macOS to Ventura to all end users, regardless of any deferrals implemented by IT Teams due to existing app incompatibility issues. As a result, Macktez had reduced access to the software update panel temporarily for our Managed clients to delay the upgrade while we gathered more information.
We have found that the issues with common applications (particularly Adobe Creative Cloud and Malwarebytes) are minor at this point. As such, this Friday afternoon, 2/10, we are removing the delay to these pushes to end users, and allowing end-user based upgrades to Ventura.
If you’re ready to take the plunge and allow Ventura updates within your organization, proceed with caution, knowing that some minor features within Adobe Creative Cloud and other third party software still may not work as expected (so far we’ve found issues involving automatic CC updates). RoaringApps is a site that tests macOS compatibility with popular software, which you can search and review for compatibility information about any specific software your company uses.
If issues do arise, or if you’d like assistance with the upgrade, please email email@example.com to let us know, and we can provide assistance.
(Last updated 10/31/2022)
Apple released a couple of very important updates this week, and we’re reaching out today to provide information and guidance around those. The Team here at Macktez is working hard to keep your computers up to date and secure while maintaining reliable access to the software that helps your business operate smoothly with minimal downtime. As such, we take a conservative approach to major upgrades so we can evaluate any issues, and move forward only when we are confident they are stable.
It is recommended that the Monterey 12.6.1 update be installed, and instructions for doing that are below.
Macktez advises against a Ventura upgrade at this time, because of major security revisions and some third party software incompatibilities that have yet to be addressed. For clients who subscribe to Workstation Management, Macktez will approve and release the Monterey 12.6.1 security update and delay (temporarily block) the Ventura upgrade. For clients who are not enrolled in the management toolset, caution should be taken regarding Ventura at this time.
If computers are currently running Monterey or Big Sur (or an older OS), here are some tips for updating those systems to the latest version without applying the major Ventura upgrade:
– Go to the Apple menu in the upper left corner and select “System Preferences”
– Choose “Software Update”
– Under the Ventura banner, find ‘Other updates are available’, and click on the tiny blue text under that that says “More Info.”
– In the window that appears, select all items and click “Install now.” Note that the computer will restart, and the full update may cause downtime for an hour or so.
If you’re curious, you can find Apple’s release notes on these updates by clicking the links below.
macOS Monterey 12.6.1 https://support.apple.com/en-us/HT213494
macOS Ventura 13 https://support.apple.com/en-us/HT213488
If you have questions or run into any problems, please email firstname.lastname@example.org.
Apple has released critical security updates this week, and the Macktez release schedule will be tighter than for prior releases. The Managed Services group is releasing those updates for eligible computers as of 8/20/2022, but users are encouraged to manually install at any time prior to the release, when convenient.
Note: If the computer is not yet running Monterey, it can remain on its current macOS version, and you can ignore any notices to upgrade to Monterey.
WHAT YOU NEED TO DO
– If you would like to control the timing of these updates by doing them on your own schedule, go to the Apple menu at the top left of your screen, select System Preferences, then Software Update. Save your work, quit all running applications and let the machine restart. If updates are available, the install can take approximately 45 minutes to an hour.
– If the machine is running Monterey, that is the only update you will see and you can click “Install”.
– If the computer is running an earlier OS, like Mojave, Catalina or Big Sur, you will see “Other updates are available” below the Monterey upgrade box. Click “More info” below that, and install the updates that pop up.
– If the above task is not completed manually, starting today, you will receive a total of 4 prompts (at 24-hour intervals) from Macktez Management to restart your machine. These prompts will show a turquoise logo, and read “Update Requires Restart”. The prompt will disappear after a few minutes, so if you miss it, you will see another one 24 hours later.
– If after the 4th prompt you still have not yet restarted, a disruptive restart will be initiated. This prompt will show a turquoise logo, and read “Mandatory Update”, and you will have approximately 10 minutes to save your work. This may disrupt your workflow for up to an hour, and could result in losing files if you don’t save your work first.
Macktez is not releasing a Windows 11 upgrade at this time, but Microsoft has begun automatic installs on compatible computers.
While there is an option to temporarily defer the automatic upgrade, Microsoft has not provided a way to stop it. In order to minimize inconvenience and potential disruption, clients should plan ahead, take control, and designate a time to manually install the upgrade on all affected machines.
This page outlines Windows 11 specs, features, and requirements. Macktez is unaware of any major compatibility issues at this time. However, if you’re concerned about a particular application, please reach out to your Strategist to review together before upgrading.
TO DEFER THE WINDOWS 11 INSTALL
To defer the Windows 11 install, follow the steps below, which will enable a grace period of up to 5 weeks (an Admin login is required to change these settings). Keep in mind, though, that once the selected grace period ends, Windows 11 will be installed automatically.
– Right-click on the Start menu button on the Windows Taskbar below.
– Select “Settings.”
– From the left panel, click on “Windows update.”
– You will see a Pause updates option. A drop-down selection menu with options to pause for one week and up to five weeks is to the right. Select the number of weeks you want to stop automatic updates on your PC from the drop-down menu.
TO MANUALLY MANAGE THE WINDOWS 11 INSTALL
To control when Windows 11 is installed so that it does not interrupt work, install it manually.
– Right-click on the Start menu icon on the Windows Taskbar at the bottom.
– Select “Settings.”
– On the left, click on “Windows Update.”
– If updates are paused, click on the “Resume updates” button.
– Under “More options,” click on “Advanced options.”
– On the Advanced options page, make sure that “Receive updates for other Microsoft products” is toggled ON. When this is toggled on, the computer will look for updates for all installed Microsoft software.
– To allow updates to install as soon as they arrive, toggle on “Get me up to date.” Otherwise, set “Active hours,” so restarts won’t occur while the computer is actively in use.
– Click on “Windows Update” at the top of the “Advanced Options” window.
– Click on the “Check for updates” button to begin the update process manually. Future updates will happen automatically.
Note that the computer may need to restart multiple times based on the number of new updates installed. Don’t turn off the computer in the middle of the process and make sure it is plugged in. If the update process is interrupted, it can create file corruption issues that cause errors or even failure to boot.
If you have questions or run into any problems, please email email@example.com or call 646.274.0933 (press 0 for Support).
A major security vulnerability has recently been identified for network-connected backup batteries made by APC (Schneider Electric).
For more context, a detailed writeup from the firm that discovered this vulnerability can be found here.
Backup batteries are often installed with file servers and network equipment to make sure that these essential devices can remain on during a brief power outage. Connecting these batteries to the network, while not necessary for them to perform their basic function, allows network managers to monitor power-related events and total power consumption of connected equipment.
The vulnerability in question is not likely to be used broadly and most offices will not be in danger unless specifically targeted, but its potential consequences are severe enough that susceptible devices must not be left unprotected.
At Macktez, we are in the process of reviewing our own records to make sure that any impacted clients receive the firmware updates they need to remain protected. We are also asking all Macktez clients to review their network racks and all server equipment to make us aware of any backup batteries we don’t know about.
While reviewing equipment, clients should confirm the following:
– Is there a device in the rack or on the floor near the network or server equipment that other devices are plugged into for power (like a power strip but much more substantial)?
– Does the device have an “APC” logo on the front?
– Is there an attached ethernet networking cable plugged into the back of the device, where power cables are plugged in?
If the answer to all of these questions is “Yes” please let the Macktez Team know immediately so that appropriate action can be taken. No equipment updates are required if backup batteries are confirmed to have no ethernet cable connected.
Finally, a general reminder for all our clients to be careful about adding any new equipment to office networks. A wide array of “internet of things” and “smart” devices are available and becoming as common in offices as TVs and coffee makers. The new technology is exciting, but the Macktez Team should be informed about all devices connected to the networks we support, including any device able to access the office WiFi. These kinds of devices often have substandard security policies and should be added to the network in a way that keeps all equipment and data safely protected.
Some of our favorite projects are when we surprise clients with the broad range of consulting services Macktez offers. A client may come to us for end user support, then be delighted to discover we also design and install large-scale, critical networks, video conferencing systems, and complex workflows. We’ve been hired for a low-voltage cabling project, and then asked for general technical consulting and support over the years that follow as our relationship grows.
Little Island offers a profound example of this experience, working together to help this new public park open on Manhattan’s west side.
How it started
Macktez was referred to a potential client needing some service support for their very small office — Can we help untangle subscriptions from a previous managed service provider? Can we recommend some new workstations for a few staff members? Would we be available for occasional desktop support? Yes, yes, and yes.
When this startup moved into a small office across from the construction site they were managing — an ambitious, high-profile build-out of a new pier in Chelsea — Macktez was asked to recommend and design a new local network configuration. That led to a few questions about how this office network would be integrated with the park’s network across the West Side Highway, and a request to take a look at the WiFi specifications provided for the park by their general contractor.
And that’s when the real fun began.
How it’s going
In reviewing the draft IT plan for the park, there were a bunch of questions left unanswered by a subcontractor no longer working on the project. Some of the plans were very good — for example, the WiFi placement outlined would provide excellent coverage for park guests — but the underlying network equipment had not been specified and the network topology had not yet been designed.
“Macktez asked us for an equipment list,” recalled Park Operations Manager Kathryn Lewis, “but it didn’t exist.”
More importantly, there had not been enough consideration for the environmental requirements of an outdoor installation, nor was there sufficient redundancy built into the plan for power outages or other equipment failure.
Jason Stewart, Consulting Head of Development and Construction, explained the situation: “When design started in 2012 there were a lot of high-level guesses about what the eventual tech needs would be. The engineering company responsible for making most of those initial decisions didn’t really ask questions to force us to understand the issues, so they made some generic assumptions.”
When Macktez CTO Reilly Scull got involved in 2019, said Stewart, “He identified the problems and the solutions.”
Macktez has been supporting active outdoor public spaces in New York City for years. We have a long-standing relationship with the High Line (which is how we connected with Little Island to begin with), and we’ve managed the transition away from municipal IT services for Brooklyn Bridge Park and Governor’s Island. So Reilly knew right away, for example, that power redundancy is not optional — it’s a public safety requirement to support emergency communication systems.
Having identified these vulnerabilities, Macktez was contracted to review the park’s architectural and engineering plans from top to bottom to close any more gaps in the IT plan.
“What I really appreciated about working with Reilly in particular was understanding and explaining how everything is connected,” said Lewis. She added, “It turns out the internet is connected to everything.”
“This project evolved radically in so many ways,” said Stewart.
Macktez talked to FDNY and NYPD, then worked with the park’s electrical team to design a redundant system with huge backup battery capacity through excess conduit that had already been installed.
Stewart recalled, “We wasted a year getting Verizon to even tell us if high-speed internet was available.” When the answer was no, Macktez reached out to Pilot Fiber. Our longstanding relationship with Pilot prompted them to negotiate a special arrangement for the park.
Stewart said there were so many “pragmatic issues — entirely outdoor space, weather, topography.” Reilly advised the contractors on the kinds of waterproofing and environmental controls needed to protect IT equipment in an outdoor, marine environment with huge temperature swings.
Over the course of the year, Macktez became an integral part of the core project team, to make sure that every part of the project that relied on the IT network was compatible, well-considered, and expertly installed.
“Reilly realized the fire alarm wasn’t connected,” said Lewis, “and that half the security cameras weren’t focused correctly.”
“It’s very easy for someone in the decision tree to say, ‘Well that’s out of your scope, we’re not going to listen to you,’” said Reilly. “Of course everyone was apprehensive when I would raise red flags. But Little Island’s willingness to receive critical feedback was the only reason we were able to make these necessary changes to the project.”
How it finished
Little Island officially opened to the public on May 21, 2021.
The Little Island team now has a 10G, fully redundant network that’s completely integrated with the park through 40G backbones. The park’s multi-gigabit wireless system is backed by Cisco Catalyst 9000 Series switches, while Cisco’s Industrial Ethernet Series switches provide protection from temperature and humidity extremes in the more exposed outdoor locations.
Given the many different systems and services Little Island intended to utilize, and with the park’s staff growing significantly, Macktez recommended and configured a comprehensive single sign-on environment. We chose JumpCloud, allowing for a wide range of integrations to every aspect of the organization — email, conferencing, access control, human resources, password management, and much more. (Read more about this from JumpCloud.)
We’ve deployed a fleet of nearly 100 portable workstations that can be used by anyone on the park staff, with secure on-boarding and off-boarding handled remotely.
Many members of our team were involved in this project: Strategist Nate Smith oversaw the initial office assessment; CTO Reilly Scull spec’d the entire network and built it out with Scott Battaglia. Patricia Mastricolo managed a huge amount of logistics assignments; Ray Brown and Sam Smolinski performed the physical installations; consultants Tanika Grant, Zachary Lui, Kelly Donovan, and John Barera have provided user and logistical support; and CEO Noah Landow has lent oversight to the entire project.
“Ultimately, our goal was to make sure everything ‘just worked’ and worked really well,” said Reilly, “so that the Little Island team could focus on their mission of creating a magical user experience for visitors.”
Macktez is extremely proud of our contribution to Little Island, and encourages all to come enjoy this spectacular addition to the city.