A gift for hackers

Here’s a great documentary on how technology is “protecting” us but compromising our “privacy”. It is another example of the tyranny of the default.  Basically, having so many devices freely connected to the Internet with effectively no security is a gift for those willing to look and exploit.

Here’s the brief:

For downloads and more information visit: http://www.journeyman.tv/?lid=64861
IT companies are failing to secure devices connected to the internet, leaving them open to hackers. This shocking report reveals how anything from your PINs to your passport could now be accessed online.
“Is this your PIN? Is this a letter you received from your bank? Do you have a HP e-Print scanner?” The young man answers yes to every question, stunned that all of his information was accessible on the internet for anyone who wanted to see it. And he’s not alone: the wealth of information available is staggering. From shop owners whose security cameras can be watched and controlled remotely, to medical records and confidential documents for international companies like Unilever, Orange and KLM, it’s a bonanza for any would-be hackers. While it would be simple for the IT firms who provide printers, scanners and software to make the system more secure, they don’t see it as their problem and argue that attending to basic safety protocols is a bit of a marketing nightmare. “There are people who know all about how this works, security-wise, but it’s too much trouble to explain all that.” One company went so far as to call consumers who didn’t know they had to change their passwords “idiots”. As the rate of technological change continues at a frightening pace, do technology companies have a duty to prevent our privacy being eroded?

If you have an Internet-connected device, ensure the default password is CHANGED. Do it now, because insecure systems affect every Internet user. Watch the video and change those passwords.

Microsoft acquires two factor provider

One of the criticisms levelled at Office 365 is that it doesn’t easily support two factor authentication. Basically this means that when you log into a system with an id and password you require another form of identification to gain access. This second factor is normally provided by a token that generates a number you enter during login.
Two factor provides a much greater level of security because it means that anyone trying to access your system needs more than just a password (which could be captured by a key logger on a PC you are using). A good example of this is the PayPal security key that I have blogged about previously.

When you access PayPal you are asked for the security key number that appears when you press the key. So without this physical key you can’t gain access to PayPal services.
Now this is all well and good if you always remember to have your security key with you. But what happens if you don’t and you need to access your system? The solution is to use a software token. That is a piece of software on a device you have with you (a tablet or mobile for example) that allows you to generate the required key. A great example of this is Google Authenticator which I use with all my Google accounts as well as Lastpass. If I need to access my Google information or retrieve a password from Lastpass I simply run the Google Authenticator program on my iPad and enter the number it provides (along with my password and id) to gain access.
Even something as simple as Google Authenticator can prove technically challenging for some, so a final option is to use an SMS text message to provide the required key. As I mentioned, Microsoft has been a little late to the game, but that should all change now that they have acquired PhoneFactor.

Hopefully we’ll soon be able to use two factor authentication with Office 365 to provide additional security and overcome the tendency for users to implement poor passwords. It also looks like you’ll be able to use these with on-premises Microsoft software, but I reckon it’ll come to the cloud first.
I’ll keep my eyes peeled for when it becomes available and let you know.

Now is the time to start looking at Office 365 federated identity


One of the most difficult things to implement for cloud based systems is the concept of federated identity and Single Sign On (SSO). This means that a user only needs one set of credentials to log into the cloud or the local network. It also means that when they log in somewhere they are seamlessly logged into everything else they need.
Many local network users have taken for granted the fact that when they log into their local network (say Small Business Server) they are logged into the local machine, given access to files on the server, allowed to browse the Internet and more, all from a single login.
Now, when users’ information is relocated to other systems, like the cloud, single sign on becomes much more challenging because you now have two (or more) completely separate systems that must trust each other first before they can share credentials between them. In the Office 365 world this was handled by Active Directory Federation Services (ADFS). When configured, this basically allowed the local network to ‘trust’ the cloud so users’ information could be passed securely between them.
Problem is that ADFS is really not a small business solution. It requires additional on site hardware as well as an involved configuration process which was generally beyond most SMB resellers. Don’t get me wrong, ADFS is not impossible to implement in SMB, but it certainly wasn’t a few clicks of the wizard.
For that reason, we have generally not seen a lot of Single Sign On (SSO) in SMB, yet there has been growing demand for a simpler solution. Personally, I now think we are about to cross the Rubicon where SSO is a requirement. In that respect I would be suggesting NOW is the time to start looking at how to implement federation and SSO with cloud based systems. Sure, there aren’t a lot of solutions out there and many are complex, but I think this will all change rapidly very soon. Get in early I say to lead the pack going forward.
So, my advice to SMB resellers and IT Professionals is to put aside what you have heard about ADFS and SSO and start investigating what they can offer. Have a look at third party options and two factor authentication. Most importantly, keep your ear to the ground on what changes are happening in the industry and be especially watchful of what Microsoft will bring to the table in the near future to greatly ease the pain of SSO in SMB.

Check your router’s vulnerability

A recent security vulnerability has been unearthed in many routers previously thought safe. Universal Plug and Play (UPnP) is a method of easily configuring a router automatically to allow traffic to flow from the Internet into the local network. It should only be accessible from devices inside the local network. However, as it turns out, the vulnerability allows devices on the Internet to potentially reconfigure a router. This is REALLY, REALLY bad to say the least.
Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw.
You can find out more about the specifics of the issues at:
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
So the advice is that you should check to ensure your router is not vulnerable. To do this visit grc.com and go to the Shields Up page like so:

Click on the GRC’s Instant UPnP Exposure test.
Hopefully you will see:

If not then you need to take steps to ensure you rectify any issues discovered.

Why passwords matter

Here is a great example from a buddy of mine (Ben from DigitIT) about why passwords are important.
As his blog post details he was called in when a client found their machines displaying a message asking for money to unencrypt their files. They had been infected with Ransomware. Why? Very poor passwords as the blog post notes.

End result? A complete reinstall and restore of the server from a known good point in time. After that, how much do you figure using strong passwords is worth?

I always recommend something like Lastpass to auto generate and remember complex passwords. If you haven’t used Lastpass then you SHOULD!

Facebook security video

Here’s a great video from Kaspersky that covers how to enable the security features of Facebook.


Office 365 data not encrypted at rest

One of the questions that was posed in today’s Office 365 Security session hosted by Scorpion Software that I appeared on

https://www.youtube.com/watch?v=RvDB3vOFpEI&feature=player_embedded


was whether the data in Office 365 was encrypted ‘at rest’. I said that I thought it would be but as it turns out I was wrong. The following document:


Standard Response to Request for Information O365 – Security Privacy v2 – http://www.microsoft.com/en-us/download/details.aspx?id=26647


says clearly:


“Office 365 currently does not encrypt data at rest, however, the customer may do so through IRM or RMS.”


in multiple places (one instance is on p26, in the IS-18 Information Security Encryption section).


However, before everyone starts jumping up and down about this, can I ask whether the information on your local server is encrypted at rest? It can be (using BitLocker and what not) but it isn’t by default, I believe. However, I’d like to know the reason why it is not, so let me see what I can find on that score and report back.