Security before convenience or else

One of the technology ‘hobbies’ I enjoy is studying the impact of technology on crime. The above talk by Marc Goodman (A vision of crimes in the future) is very thought-provoking and eye-opening.

I am constantly amazed at how lax so many people are when it comes to their security. I am constantly stunned by how casual and naive people are when it comes to using technology. Most violate the most common security practices without any thought in the desire for convenience. They do things they would never accept in the physical world, yet online, for some reason, common sense abandons them.

This is the world we all live in today. Right now! My opinion is that we are making the world much more vulnerable. We are allowing a single ‘Black Swan event’ that could basically terminate the comfortable way we lead our lives today.

Information technology and biotechnology are advancing at such a rapid pace, and if you think they are only being used for good then you REALLY need to watch this video and become afraid of what is possible.

The rules have changed. We are connecting a totally interconnected world where the failure or disruption of one part can effectively bring down the rest of the system catastrophically.

My advice? Take security seriously. Get involved. Get informed and always make the choice of security over convenience.

Catch me on Eagle Waves Radio

I recently did a very quick chat about IT security on Eagle Waves Radio. You’ll find the episode here:

http://www.eaglewavesradio.com.au/2014/11/eagle-business-27-nov/

I’m the last of the three segments about 48 minutes into the episode. I cover a few major topics around IT security in general, especially when it comes to passwords.

I thank Eagle Waves Radio for the opportunity to be a guest on their show.

Office 365 Message encryption

If you weren’t aware, Office 365 supports sending encrypted messages to anyone. Basically, they get an email telling them to log in to a web portal to view the message. Here’s how to make all that work.

You’ll first need to enable Rights Management for your tenant. To do that, log in to the Office 365 portal as an administrator.

image

On the left hand side select Service Settings.

image

This will expand a menu as shown above. From this menu select Rights Management.

image

On the right now select the Manage hyperlink.

image

Select the Activate button to enable Rights Management.

image

Confirm that you wish to enable by selecting the Activate button.

image

After a few moments the screen should update.

image

You are now going to need to run some PowerShell commands. If you haven’t done this before, check out this previous blog post to get your environment set up:

Configuring PowerShell Access in Office 365

Once you have connected using PowerShell you’ll need to run the following commands depending on your location:

USA:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Europe:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

Asia-Pacific:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

image

In my case I used the Asia Pacific URL as shown above.

image

You then need to run the command:

Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

which produces the above result.

image

Then this command:

Set-IRMConfiguration -InternalLicensingEnabled $True

image

Finally run the command:

Test-IRMConfiguration -RMSOnline

and ensure the result comes back as OVERALL RESULT: PASS

image

With that done you can now return to the Office 365 management portal as an administrator to set up a message encryption transport rule.

image

In the top right of the Office 365 portal select Admin and then Exchange from the menu that appears.

image

From the menu on the left select mail flow.

image

Select the Plus icon on the right and the option Create a new rule from the menu that appears.

Now there are lots of different options when creating an Office 365 Transport Rule but I am not going to cover these. This post is aimed at showing you the basics of enabling Exchange Online Message Encryption. If you want more information about Office 365 Transport Rules in general see:

http://technet.microsoft.com/en-us/library/jj919238(v=exchg.150).aspx

image

In this case I am going to set a rule to encrypt messages sent to one person in the organisation (Anne Wallace).

To see the encryption options ensure you select the More options hyperlink at the bottom of this window as shown above.

image

For the Do the following condition select Modify the message security and then Apply Office 365 Message Encryption as shown above.

image

Once saved the new rule should appear in the list as shown above.

Now if Anne Wallace is sent an email by another Office 365 user she will see:

image

Indicating that this is an encrypted message.

To view the message Anne must save the attached HTML file to her local machine and open it.

image

When she does so and opens it she will see the above message.

If she then selects the Sign in and view encrypted message hyperlink she will see the encrypted message.

image

Exchange Online Encrypted messages work with people inside and outside Office 365. If you want more information check out the following:

http://technet.microsoft.com/en-us/library/dn569286.aspx

Once you have done the initial Rights Management setup you then have a lot of flexibility using Exchange Online Transport Rules to determine how messages are handled. You could set up a rule that if the word ENCRYPT is in the message subject it will always be encrypted.

Very flexible and most importantly, very secure.
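
The whole procedure above as one script, an added example rather than code from the original post: it uses the cmdlets shown in the post plus Get-RMSTrustedPublishingDomain, Get-TransportRule and New-TransportRule, and assumes a remote PowerShell session to Exchange Online is already connected. The recipient address and the rule names are placeholders chosen for this example.

```powershell
# Added example. Assumes an Exchange Online remote PowerShell session is open.
$ErrorActionPreference = 'Stop'

$Region    = 'Asia-Pacific'              # one of: USA, Europe, Asia-Pacific
$Recipient = 'anne.wallace@example.com'  # placeholder mailbox, replace with a real one

# Key-sharing endpoints exactly as listed in the post, keyed by region.
$keySharingUrl = @{
    'USA'          = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    'Europe'       = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    'Asia-Pacific' = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
}
if (-not $keySharingUrl.ContainsKey($Region)) {
    throw "Unknown region '$Region'. Use USA, Europe or Asia-Pacific."
}

# Point Exchange Online at the regional RMS endpoint.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingUrl[$Region]

# Import the trusted publishing domain only if none has been imported yet.
if (-not (Get-RMSTrustedPublishingDomain)) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
}

Set-IRMConfiguration -InternalLicensingEnabled $true

# Stop here unless the self-test passes, so no encryption rule is created
# on a tenant where IRM is not actually working.
$report = Test-IRMConfiguration -RMSOnline | Out-String
if ($report -notmatch 'OVERALL RESULT: PASS') {
    throw "IRM self-test did not pass:`n$report"
}

# Hypothetical rule names: one rule per recipient, one keyed on the subject line.
$rules = @(
    @{ Name = 'OME - mail to named recipient'; SentTo = $Recipient },
    @{ Name = 'OME - ENCRYPT in subject'; SubjectContainsWords = 'ENCRYPT' }
)

$existing = @(Get-TransportRule | Select-Object -ExpandProperty Name)
foreach ($rule in $rules) {
    # Skip rules that already exist so a second run does not fail on duplicates.
    if ($existing -contains $rule.Name) {
        Write-Host "Rule '$($rule.Name)' already exists, skipping."
        continue
    }
    New-TransportRule @rule -ApplyOME $true
}

# Show the resulting rules and confirm they are enabled.
Get-TransportRule | Where-Object { $_.Name -like 'OME - *' } |
    Format-Table Name, State, Priority
```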

Security for your mobile devices

The IT landscape today is filled with hackers, malicious software and disasters. Most businesses have these under control for traditional servers and desktops within their business and perhaps somewhat in their homes but when it comes to mobile devices many have adopted the ‘Macintosh fallacy’. That is, it won’t happen to me.
The bad news is that mobile devices are now more than ever the target of the bad guys and are more likely to sustain some sort of disaster (like falling into the toilet). My question is, what are YOU doing about it? Yes YOU.
The first app that I’d be looking at installing on your devices is Lookout.

It will protect your device from malware, scan every app that you download to ensure that it is safe as well as block malicious web sites. It will also backup your contacts, photos and other data allowing you to easily transfer it to a new device. Lookout even allows you to find your device and remotely wipe it if you need to.

Much like the Secunia desktop software, a version now available for Android devices allows you to ensure that all the apps on your device are up to date. This greatly reduces the chance of them being exploited as any desktop user knows.
Both of these are FREE so there is no excuse not to have them running on your device. Both also offer commercial products that provide greater amounts of control for businesses with lots of devices to manage so if you have a fleet of devices you need to manage you should also look at how these products can allow you to create your own BYOD (Bring Your Own Device) strategy.
If you don’t protect your device then you have no one to blame if something goes wrong. Reduce the risk and use these two free apps. I do!

Message encryption coming to Office 365

A very common request I see out there is people wanting to ensure that a person who receives an email does so securely and can’t forward it to others. That is a little tough given the way the standard email protocol was designed and implemented.
To provide an enhanced level of security with its Office 365 service Microsoft has recently announced that it will be shortly introducing email message encryption. If you want to see how it will work then check out this blog post.
http://blogs.office.com/b/office365tech/archive/2013/11/21/introducing-office-365-message-encryption-send-encrypted-emails-to-anyone.aspx
The great thing about this is that you’ll be able to send encrypted mail to anyone! That is certainly going to fill a major need these days as well as make a real point of differentiation for Office 365.
We’ll have to wait until early next year until it becomes available and the good news is that E3 and E4 plans will automatically receive it. It will also be available as an option with other plans but in the long run I see it becoming part of the standard Office 365 offering for all plans.

Bad guys just keep winning

The number of incidents I am seeing of people being infected with Cryptolocker continues to escalate. Now before I launch into this rant here is information about the nasty:
http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
so you have been warned.
But how the hell can this be happening? How the hell can these sorts of things still get through and cause mayhem and destruction? Having lived through Nimda, Code Red, Melissa, Conficker and more, why is this all happening over and over again? Simple, technology is making it easier for the bad guys not harder. Am I the only one who acknowledges this fact?
I have written many, many times about how vulnerable society has become by creating such a dependence on technology. For example:
here – https://blog.ciaops.com/2013/03/a-gift-for-hackers.html
here – https://blog.ciaops.com/2008/07/why-bad-guys-will-always-win.html
here – https://blog.ciaops.com/2008/08/the-bad-guys-win-again.html
and here – https://blog.ciaops.com/2009/08/bad-guys-win-again-part-iv.html
but to name just a few.
And yet, the world seems to be again brought to its knees by a clever piece of code that is able to slip past all the ‘so-called’ filters, scanners, protection mechanisms and what not that are supposedly put in place. How is that? How can people still be clicking links and attachments they know nothing about? And why is everyone paying so much for what seems like so little protection? Is all this supposed ‘security’ actually making things worse by providing people with a false sense of security?
Simple, the weakest link is the wet-ware behind the keyboard (i.e. the human being). People simply don’t have any concept of the security risk they face on ANY device that is connected to the Internet or that receives email. And you know what? That is just about every single technology device we have today. EVERY SINGLE ONE. What is being done to educate people about IT security? Not much from what I can see. That is the REAL problem here.
The modern world continues to place its unmitigated faith in the march of technology, oblivious to the underlying risks and fragility it is creating. It also lives with this naive assumption that whatever is done on the Internet is also anonymous. They likewise jump up and down when they find out that the NSA is monitoring email traffic. Like DUH, emails have ALWAYS been sent in the clear so ANYONE could read them, DUH. It demonstrates how removed from technology the average person is. They happily use technology but have no IDEA how it works. That is always a dangerous recipe.
It makes NO difference where your information is. In your office or in the cloud, if you are connected to the Internet you are vulnerable, full stop. The problem is others are also on the Internet so if you get infected then there’s a chance you’ll infect them. We are now more than ever all connected together and what happens in one place can have a huge impact thousands of miles away INSTANTANEOUSLY.
To me most of this anti virus software and filtering is a complete and utter waste of time. Don’t get me wrong, I have a certain set of tools and programs I use but my main weapon to remain secure is to concentrate on scaring the crap out of everyone I know (especially my family), constantly reinforcing what maladies will befall them if they click on something they shouldn’t. Does that make them paranoid? You bet it does, but you know what? I am pretty sure none of them are going to get infected with this latest virus because they are more scared of me than this virus. Sometimes that’s what you gotta do to keep people secure.
So what’s the point of this post? Firstly, it is to express my utter disbelief in the existing security ‘industry’ that charges users billions of dollars every year and yet somehow fails to protect them. Is the problem the software or those charged with maintaining them? Hmmm… I could go on but secondly, it is to say that these problems are only going to continue because we are not dealing with the root cause – the idiots who click on unknown attachments and files sent to them. Here are my golden IT security rules for idiots that MUST be followed under pain of death:
1. Backup, backup, backup. That’s not being repetitive it means back your stuff up at least 3 times.
2. If it seems too good to be true then it is. That means, that if there is any doubt then there should be no doubt.
3. If you don’t know, then ask.
I long for the day when society takes IT security seriously and develops solutions to EDUCATE people on how vulnerable they really are every time they access the Internet. Am I being paranoid? I sure am, and you know why? Only the paranoid survive when it comes to security. I’m paranoid and I’m proud of it. That is why the machines I look after don’t get infected. Sure, there is never 100% surety when it comes to dealing with human beings but you know what? Paranoia goes a lot further in my books than most of this other ‘so called’ protection I see out there today.

Sharing of infected files

In my last post I noted how Office 365 prevents you from uploading infected files. I got to wondering what happens when the other file sharing services try and share an infected file.

image

If I try and attach an infected file directly from my local machine to an email in Google Apps it is detected as shown above, which is good, and prevents that file being attached.

image

But since I can also attach from Google Drive as well, I can attach the infected file (since I can upload into Google Drive as my last post highlighted). This is not good.

image

Now you’ll see that with Google Apps the attachment is really shared via a link rather than attaching the actual file from what I see. Any email system worth its salt will detect and quarantine an attachment that contains a virus, so let’s just eliminate that from our considerations. But, if instead I send a link to an infected document what happens? I know the email will reach the users (because it isn’t infected).

image

So here’s what the user sees. If I click the link to the file I see:

image

Now if I try and download I get:

image

That’s good, but remember here I am dealing with a .com file that includes a virus.

So let’s assume I am a little more cunning in my attempts to infect a user and I place the infected file inside a ZIP archive. What happens?

image

As you see, Dropbox allows me to send a public link to the encrypted file where anyone can download it. This means that your only defence typically here is now the local anti virus software which we know all users always keep up to date right? (If you believe that then you live in a world of unicorns, leprechauns and perpetual rainbows.) Not good!

image

Now if I share the same ZIP file using Google Drive and attempt to download it from the File menu.

image

It is blocked like before which is good, BUT look at this:

image

If I download it from the drop down option at the end of the file

image

It downloads! Not good, especially given this is the default that users see when they view the link provided. I also find it strange that one way you get one result (i.e. blocked file) while the other way you don’t. Strange.

So what’s the moral here? Best bet is don’t let the file get up to the file sharing platform in the first place, which is why I reckon Office 365 is a much better bet when you start digging into what can happen as I have done briefly here.

All file sharing systems are not created equal.

SkyDrive Pro includes anti virus protection

I’m seeing a lot of people out there getting hit with all sorts of viruses coming through file sharing programs because you know what? They simply don’t provide any protection but they are really easy to use.

For example, when I upload the EICAR antivirus test file to Dropbox look what happens:

image

Dropbox allows the file to be uploaded and stored. Now, if a user opens this file they run the risk of being infected.

image

So what happens if you attempt the same thing with Google Apps? Guess what? It also lets the virus be uploaded and stored.

This highlights how great most file sharing applications are as virus delivery mechanisms, now doesn’t it?

image

However, when we come to Office 365 SkyDrive Pro and SharePoint we receive the above notification telling us that our file is infected and won’t be uploaded! Now that’s protection.

Viruses and malware are so much a part of today’s landscape; the problem is, so are easy file sharing utilities. Most of these file sharing utilities don’t even do the most basic security checks to ensure the files uploaded are clean. Office 365 is different. It is protected by Forefront Protection for email, SharePoint and SkyDrive Pro. To my mind that makes it so much better than the alternatives, because it automatically protects users.

If you want to understand the difference between file sharing options and Office 365 then look no further than inbuilt virus and malware protection. When I pay for a file sharing and collaboration solution I want the one with built in security. That is Office 365 and SkyDrive Pro.