The world of security anomalies

I continue to see confirmation of my long-held assertion in this blog that the ‘bad guys just keep winning’. Why? The simplest example I continue to see is the growing number of Cryptolocker infections. If you haven’t read my previous rant on this then take a look at:

https://blog.ciaops.com/2013/10/bad-guys-just-keep-winning.html

Now that post was 18 months ago and I still witness many of my peers battling to contain catastrophic outbreaks. How can that be? In all cases there was virus and malware protection already in place, yet the infection was still able to get through all of it, have a human being duped into activating it and then cause major calamity in the business. Such calamity usually required a full restore of the system to eliminate the problems, with all the loss of productivity that entails.

Tell me, why, oh why is this still possible 18 months or more since Cryptolocker first raised its ugly head? It is because the security software, that so many put their blind faith in, is totally and utterly useless in my opinion. It is reactive technology, based on what is already known. We now live in an exponential universe and the bad guys are taking advantage of that, while security software tends to live in the old linear world and is now being left far behind.

While our desktops are the current target, what happens when the bad guys shift their focus more to our mobile devices? Imagine Cryptolocker on your phone. It is only a matter of time until it gets there, and what protection do you have on your phone? The most security I have seen people enable on their phone is a PIN code of ‘0000’. That is, they don’t have any security. Think of all your contacts, phone calls, SMSs, banking details, app purchases and so on being taken over by hackers. Sadly, it is only a matter of time until we see the likes of Cryptolocker wreak the kind of havoc on our mobile devices that it does on desktops, and sadly the majority of people are totally unprepared for that.

The biggest worry by far is the dawning of the age of the Internet of Things (IoT). This is a world where everything from your toothbrush, to your car, to your refrigerator, to every item in your home and at work is connected to the Internet. With technologies like IPv6 this is fast becoming a reality, but so too is the ability for all of these to be hacked and turned against you. If you want to appreciate this scary future that is fast approaching, have a look at my previous post:

https://blog.ciaops.com/2014/12/security-before-convenience-or-else.html

and read Marc Goodman’s book

Future Crimes

and you’ll get an idea of how crime is utilising technology to rule the world.

Another of my great concerns when it comes to technology is the lengths that governments are going to in order to track citizens in the guise of ‘protecting us’. There has been plenty written about this subject so I won’t go into it here, but I’d like to point out an interesting anomaly.

Recently in my neck of the woods there was a state election. Fair and equal democratic elections are the cornerstone of our western society. Many have the mistaken belief that their integrity is above question, but I beg to differ. Here’s why.

When I attended my local polling location I was asked for my name and address. I was however NEVER at any stage asked to PROVE who I am with some form of approved identification. The official merely took my word that I am who I say I am. Clearly, most people are honest, BUT ANYONE could walk into any polling station, simply state a name in that electorate and be given voting papers.

My attendance at the polling location is recorded in a paper roll. This roll is NOT shared with other officials in the same polling location, let alone other polling locations in the electorate. They are only compared after the close of voting. So, what is to stop me voting in one polling location, then travelling to the next and voting again, then repeating that process throughout the electorate? Shouldn’t there be a centralised record of this so all officials can immediately see those who have voted ANYWHERE?

So, I can continue to vote as myself at as many polling stations as I can physically travel to in one day. I can also vote as anyone else at any polling station throughout the day. It may seem like a lot of work for a single individual and probably would not have an impact on the outcome, right? Maybe, but what if I could get 100, 1,000, 10,000, 100,000, etc. people to do the same thing, all for the same political end? Now, how do you feel about the integrity of our democratic elections?

Technology is a great enabler for society, but it also enables the bad guys, and honestly we are creating a world so full of insecurities that it makes it easy for them to rob us blind. Even if you are not a victim, that affects us all in the hip pocket. The problem is not the technology, it is the human being. We need to teach everyone, especially kids, the importance of security and privacy. We need to demand that products be made secure by default (we have the technology already). We need to stop putting convenience ahead of security, or else.

Alas, as I continue to lament here, it is a pipe dream I’m afraid, and I’m sure that in another 18 months’ time the likes of Cryptolocker will continue to roam free on the Internet destroying lives at will. Sigh.

The security issue

This to me is why we have such a major problem trying to secure our technology.

As usual I was looking through the major news sites and saw a headline warning that Microsoft had warned of ‘FREAK’ attacks putting hundreds of millions of PCs at risk (the full article is linked at the end of this post).

Now, my first impression is that this is something serious affecting only Microsoft Windows and Microsoft isn’t fixing it! Gulp.

So you get a paragraph in and you find out that the vulnerability affects basically anything running iOS, Android or Windows. So it isn’t really just a Microsoft vulnerability now, is it? Especially when the article itself uses the word ‘ubiquitous’.

Read a bit further and it says that security experts say it isn’t a ‘terribly big issue’.

So we have, in my opinion, gone from a sensationalist headline where the world is about to end due to a cyber security threat to something that really ‘isn’t a big issue’.

Seems to me that this article is simply ‘click-bait’ and does not really take a responsible approach to cyber security. I accept that it is in the mainstream media, but that is my point: this story is going to be read by lots of plain technology users and to me it doesn’t convey the right message. It is either going to freak them out that they are insecure or lull them into a false sense of security because of the ‘crying wolf’ aspect of the reporting.

Again, this is simply my opinion and you can read the whole article at:

http://www.smh.com.au/digital-life/consumer-security/microsoft-warns-freak-attacks-put-hundreds-of-millions-of-pcs-at-risk-20150306-13xr0s.html

and judge for yourself. I understand that mainstream media is a corporate entity that needs to focus on profit but our dependence on technology and how it is secured is so critical to our society these days that there must be a better way of getting the right message out to the right people to make them safe.

What do you think?

Enabling Self Service Password Resets in Office 365

One of the most common tasks that any IT administrator performs is resetting users’ passwords. A lot of this administration can be alleviated if users are able to reset their own passwords.

You can enable user self service password resets in Office 365, however at this point in time you need to have an Azure Active Directory Basic or Premium subscription enabled on your Office 365 Azure AD Free account. I showed you how to enable this for every Office 365 account a few posts back.

It is also important at this point to highlight some information from the Office 365 roadmap. Under “Development” you will currently find:

Sign-In Page Branding and Self Service Password Reset

Sign-in Page Branding enables an Office 365 customer to select custom colors, text and Imagery for their Office 365 sign-in page. Self Service Password Reset allows a user who has forgotten their password to reset it based on prearranged alternative personal information. These two features were previously available with the Azure AD Premium subscription and are now being made available to all Office 365 subscribers.

Thus, both branding and the user self service password reset ability will become available to all Office 365 subscribers.

So, this is how you enable it at the moment, with the requirement of an Azure Active Directory Premium subscription (which you can get on a 90 day trial). In the very near future this will no longer be required and be available in the Office 365 Azure AD Free account.

The first step in the process of enabling the user self service password reset feature is to log in to your Office 365 Azure AD Free account, the enabling of which I have detailed previously.

You will typically only see the Active Directory option on the menu on the left. When you select this you will then see your Office 365 AD to the right. If you select your Office 365 directory you will drill down into more information for that directory.

One of the options across the top now is Configure. Select this.

If you scroll through all the options on the page you will find no mention of user self service password resets. This is because you need to firstly enable an Azure AD Premium subscription (or trial) to enable this feature. As I mentioned previously, soon you will not need to do this as it will be included in the standard Azure free AD offering.

To at least see what user self service password resets are all about you can enable a 90 day Azure AD Premium subscription by now selecting Licenses from the menu across the top.

Then select the link to Try Azure Active Directory Premium Now.

Select the check button in the lower right hand of the window that appears once you have read its contents.

You will then need to wait a few minutes while the Azure AD Premium subscription is configured.

In a few moments you should see that the subscription is enabled as shown above. Select this to configure.

To enable the Azure AD Premium features for users you will need to select a user from the list of Office 365 users displayed and then select the Assign button at the bottom of the screen.

You will also need to assign a license for an Office 365 global administrator to configure the service. In this case, it has been enabled for the same admin user who is logged into the Azure portal currently.

When you assign a user an Azure AD Premium license you will see the above status message at the bottom of the screen indicating successful completion of the license assignment.

If you now return to the Configure tab you should find a new section devoted to user password reset policy as shown above.

If you now select the green Customize Branding button you will be taken to a screen where you can upload a number of different graphics to be displayed in the portal, as well as the desired messaging.

Scroll down and ensure User enabled for password reset is set to YES.

You can also configure the number of authentication methods. In this case I also added Security Questions.

You can choose how many authentication methods are required for a password to be reset and, since I have selected to use Security Questions, I can also determine how many questions the user will be required to create.

The next option allows you to set how many Security Questions are required to be answered from those set.

Next, you enter the questions you wish the user to create answers for.

You can then Require users to register when signing into the Access Panel. This means when the users sign into the Azure Single Sign On portal available via Office 365 they will be prompted to set up the required password reset information. Normally you want this set to YES.

The Azure Single Sign On portal is a free component of the Azure AD Free plan that is available to all Office 365 tenants. I covered how to set that up in a previous post. Your users access this single sign on portal via:

http://myapps.microsoft.com

If you scroll down you can modify the language used when sending emails as well as whom to notify when passwords are reset.

Once you have completed your configuration press the Save button at the bottom of the screen. You should see the status bar at the bottom indicating that your changes are being updated.

Now when a user navigates to the Office 365 portal login page, as soon as they type their login details the branding will be applied to the portal as shown above.

Now let’s say the user now attempts to reset their password by selecting the Can’t access your account? link. They will be taken to a page shown above where they will be prompted to enter some CAPTCHA information.

Once they have done this they will be presented with the above screen telling them that their account could not be verified and they should contact an administrator (link provided, configurable from Azure).

Why is that? The reason is that the user hasn’t logged into the Azure single sign on portal and set up their security options for doing password resets yet.

Thus, once you have enabled user password self service you need to send all your users to the Azure single sign on portal at:

http://myapps.microsoft.com

Once they have logged in with their Office 365 credentials they will be prompted to verify their contact information as shown above. This requirement, again, is an option set in the Azure portal during configuration previously mentioned.

Depending on the security requirements you have configured the user will need to complete each option via the process found by clicking on each of the links for that option.

Once all of these are complete, ensure the Save button is selected at the bottom of the page.

So if a user now selects the link Can’t access your account? on the Office 365 portal login page and completes the CAPTCHA, they will now be taken to a screen which asks them which security method they wish to use to verify their identity.

Simply select the method from the list available and complete the requirements.

In this case the method selected is via an alternate email address. That sends a one-time code to that email address, which then needs to be entered at this challenge.

Once the identity of the user has been verified, they are then given the option to reset their password as shown above.

When that has been completed they can now log in to the Office 365 portal (or the Azure single sign on portal) with these details.

Again, note the branding that was also configured in this process.

Once user self service password resets are configured they should make the life of an Office 365 administrator much easier. To do this at the moment requires an Azure AD Premium subscription but as I mentioned in the beginning this will be changing so it is available for all Office 365 accounts for free very soon. So try it today with this method and get ready for when it is available everywhere.

Encryption of data at rest in SharePoint Online

A very common question I get is about how secure information is in Office 365. The above video shows you how SharePoint Online data is saved when at rest.

Microsoft do a lot, in my books, to ensure that data stored in Office 365 is as secure as possible, and in my books it is far more secure than most people achieve on premise. That means to me that security is a major reason to CHOOSE the cloud over anything on premise.

Security is a journey and not a destination, I know, but Microsoft have the resources to ensure that the information they maintain is as secure as possible and I’m comfortable with that.

Security before convenience or else

One of the technology ‘hobbies’ I enjoy is studying the impact of technology on crime. The above talk by Marc Goodman (A vision of crimes in the future) is very thought provoking and eye opening.

I am constantly amazed at how lax so many people are when it comes to their security. I am constantly stunned by how casual and naive people are when it comes to using technology. Most violate the most common security practices without any thought in the desire for convenience. They do things they would never accept in the physical world, yet on line, for some reason common sense abandons them.

This is the world we all live in, today. Right now! My opinion is that we are making the world much more vulnerable. We are allowing a single ‘Black Swan event’ that could basically terminate the comfortable way we lead our lives today.

Information technology and biotechnology are advancing at such a rapid pace, and if you think they are only being used for good then you REALLY need to watch this video and become afraid of what is possible.

The rules have changed. We are building a totally interconnected world where the failure or disruption of one part can effectively bring down the rest of the system catastrophically.

My advice? Take security seriously. Get involved. Get informed and always make the choice of security over convenience.

Catch me on Eagle Waves Radio

Eagle Waves Radio logo

I recently did a very quick chat about IT security on Eagle Waves Radio. You’ll find the episode here:

http://www.eaglewavesradio.com.au/2014/11/eagle-business-27-nov/

I’m the last of the three segments about 48 minutes into the episode. I cover a few major topics around IT security in general, especially when it comes to passwords.

I thank Eagle Waves Radio for the opportunity to be a guest on their show.

Office 365 Message encryption

If you weren’t aware, Office 365 supports sending encrypted messages to anyone. Basically, they get an email telling them to login to a web portal to view the message. Here’s how to make all that work.

You’ll firstly need to enable Rights Management for your tenant. To do that, log in to the Office 365 portal as an administrator.

On the left hand side select Service Settings.

This will expand a menu as shown above. From this menu select Rights Management.

On the right now select the Manage hyperlink.

Select the Activate button to enable Right Management.

Confirm that you wish to enable by selecting the Activate button.

After a few moments the screen should update.

You are now going to need to run some PowerShell commands. If you haven’t done this before, check out this previous blog post to get your environment set up:

Configuring PowerShell Access in Office 365

Once you have connected using PowerShell you’ll need to run the following commands depending on your location:

USA:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Europe:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

Asia-Pacific:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

In my case I used the Asia Pacific URL as shown above.

You then need to run the command:

Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

which produces the above result.

Then this command:

Set-IRMConfiguration -InternalLicensingEnabled $True

Finally run the command:

Test-IRMConfiguration -RMSOnline

and ensure the result comes back OVERALL RESULT: PASS
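The same three steps as one script, added here as an example and not taken from the original post. It assumes you are already connected to Exchange Online PowerShell (per the linked post) and that Rights Management has been activated in the portal; the region parameter and the PASS check are my additions.

```powershell
# Added example (not from the original post): run the IRM setup steps in order,
# picking the RMS Online key-sharing URL by region so the wrong one is never pasted in.
# Assumes an existing Exchange Online PowerShell session and an activated RMS tenant.
param(
    [ValidateSet('NA', 'EU', 'AP')]
    [string]$Region = 'AP'   # 'AP' matches the Asia-Pacific URL used in the post
)

# The three regional key-sharing locations listed in the post.
$keySharingLocations = @{
    'NA' = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    'EU' = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    'AP' = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
}

# Step 1: point Exchange Online at the RMS Online key-sharing service for the region.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingLocations[$Region]

# Step 2: import the trusted publishing domain from RMS Online.
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# Step 3: allow Exchange Online to license messages with the imported domain.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Step 4: verify. The test report ends with an OVERALL RESULT line; render it as text
# and stop with an error if it does not say PASS rather than silently carrying on.
$report = Test-IRMConfiguration -RMSOnline | Out-String
if ($report -notmatch 'OVERALL RESULT:\s*PASS') {
    Write-Error "IRM configuration did not pass:`n$report"
    return
}

# Show the two settings that were changed so the end state is visible.
Get-IRMConfiguration | Select-Object RMSOnlineKeySharingLocation, InternalLicensingEnabled
```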

With that done you can now return to the Office 365 management portal as an administrator to set up a message encryption transport rule.

In the top right of the Office 365 portal select Admin and then Exchange from the menu that appears.

From the menu on the left select mail flow.

Select the Plus icon on the right and the option Create a new rule from the menu that appears.

Now there are lots of different options when creating an Office 365 Transport Rule but I am not going to cover these. This post is aimed at showing you the basics of enabling Exchange Online Message Encryption. If you want more information about Office 365 Transport Rules in general see:

http://technet.microsoft.com/en-us/library/jj919238(v=exchg.150).aspx

In this case I am going to set a rule to encrypt messages sent to one person in the organisation (Anne Wallace).

To see the encryption options ensure you select the More options hyperlink at the bottom of this window as shown above.

For the Do the following condition select Modify the message security and then Apply Office 365 Message Encryption as shown above.

Once saved the new rule should appear in the list as shown above.

Now if Anne Wallace is sent an email by another Office 365 user she will see:

Indicating that this is an encrypted message.

To view the message Anne must save the attached HTML file to her local machine and open it.

When she does so and opens it she will see the above message.

If she then selects the Sign in and view encrypted message hyperlink she will see the encrypted message.

Exchange Online Encrypted messages work with people inside and outside Office 365. If you want more information check out the following:

http://technet.microsoft.com/en-us/library/dn569286.aspx

Once you have done the initial Rights Management setup you then have a lot of flexibility using Exchange Online Transport Rules to determine how messages are handled. You could set up a rule that if the word ENCRYPT is in the message subject it will always be encrypted.
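Both rules described in this post, the recipient rule for Anne Wallace and the ENCRYPT subject keyword rule, created from Exchange Online PowerShell instead of the admin centre. This is an added example, not the post's own code; the rule names and the address anne.wallace@contoso.com are constructed, and it assumes the IRM setup above has already passed.

```powershell
# Added example (not from the original post): create the two Office 365 Message
# Encryption transport rules from PowerShell. Assumes an Exchange Online session
# and a passing Test-IRMConfiguration. Names and the address are constructed.

# Rule 1: the post's walkthrough, encrypt every message sent to one recipient.
New-TransportRule -Name 'OME - encrypt mail to Anne Wallace' `
    -SentTo 'anne.wallace@contoso.com' `
    -ApplyOME $true

# Rule 2: the keyword rule suggested at the end of the post. Word matching in
# transport rules is case-insensitive, so 'encrypt' in a subject also triggers it.
New-TransportRule -Name 'OME - encrypt when subject contains ENCRYPT' `
    -SubjectContainsWords 'ENCRYPT' `
    -ApplyOME $true

# Confirm both rules exist, are enabled, and show which condition each uses.
Get-TransportRule | Where-Object { $_.ApplyOME } |
    Select-Object Name, State, Priority, SentTo, SubjectContainsWords
```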

Very flexible and most importantly, very secure.

Security for your mobile devices

The IT landscape today is filled with hackers, malicious software and disasters. Most businesses have these under control for traditional servers and desktops within their business and perhaps somewhat in their homes, but when it comes to mobile devices many have adopted the ‘Macintosh fallacy’. That is, it won’t happen to me.

The bad news is that mobile devices are now more than ever the target of the bad guys and are more likely to sustain some sort of disaster (like falling into the toilet). My question is, what are YOU doing about it? Yes, YOU.

The first app that I’d be looking at installing on your devices is Lookout.

It will protect your device from malware, scan every app that you download to ensure that it is safe as well as block malicious web sites. It will also backup your contacts, photos and other data allowing you to easily transfer it to a new device. Lookout even allows you to find your device and remotely wipe it if you need to.

Much like the Secunia desktop software, a version now available for Android devices allows you to ensure that all the apps on your device are up to date. This greatly reduces the chance of them being exploited, as any desktop user knows.

Both of these are FREE, so there is no excuse not to have them running on your device. Both also offer commercial products that provide greater amounts of control for businesses with lots of devices to manage, so if you have a fleet of devices you need to manage you should also look at how these products can allow you to create your own BYOD (Bring Your Own Device) strategy.

If you don’t protect your device then you have no one to blame if something goes wrong. Reduce the risk and use these two free apps. I do!