Tag Archive for Microsoft

| August 13, 2015
Comments Off on Mobile Apps Leaking Your Info

Mobile Apps Leaking Your Info

Mobile Apps Leaking Your InfoJust in time for Blackhat, San Francisco-based Appthority released its Q2 2015 Enterprise Mobile Threat Report. The big headline from the Appthority report is that enterprise mobile apps are leaking your info. They are sending personally identifiable information (PII) and other sensitive information all over the world often without the enterprise’s knowledge. Your phone is leaking your info all over the web.

Appthority logoFierceMobileIT says that the Appthority Enterprise Mobile Threat Team (EMTT) collected and analyzed security and risky behaviors in three million apps. They found that the top iOS apps sent data to 92 different countries, while the top Android apps are leaking your info to 63 different countries.

Zombie apps are leaking your info

The report found another threat to all data. Appthority’s all-in-one App Risk Management service shows that 100% of enterprises surveyed have zombie apps in their environments. Zombie apps are apps that have been revoked by the app stores and are no longer getting security updates. Zombie apps can give attackers a conduit into the enterprise.

zombie appsThe report estimates that 5.2% of the Apple (AAPL) iOS apps on employee devices in an enterprise are dead apps, and 37.3% are stale Apps. On Google (GOOG) Android devices, 3.9% are dead apps and 31.8% are stale apps.

Zombie apps can leak your info. Appthority explains that malicious third parties could use a man-in-the-middle attack to hijack the update mechanism for these apps to install new malware on user devices.

Threat to the enterprise

Despite the threats, app stores run by Apple, Google, and Microsoft (MSFT) are under no regulatory obligation to tell users of revoked apps anything after release. Including copyright infringements or serious security/privacy concerns.  The report points out. Domingo Guerra, president, and co-founder of Appthority classified this as a stealthy risk; “The ongoing threat of zombie apps and stale apps continues to be an ‘under the radar’ threat to the enterprise.

programmersA third risk to the firm’s data comes from their own programmers according to the venture capital-backed Appthority. The firm says over-taxed enterprise app development teams are increasingly relying on third-party libraries and software development kits. Vulnerabilities in the third-party packages can put enterprise data at risk when they get baked into a corporate app.

The company told CSO that few mobile devices have security applications installed. In particular, only 4 percent of Android devices in use within enterprises had on-device scanning solutions.

Rb-
Firms that depend on mobile solutions as part of a Bring Your Own Device (BYOD) effort need to look after their apps as well as connectivity and hardware and data and governance and reimbursements. Bring your own device hardly seems like a cost saver to me.

I have said this repeatedly, it seems like costs are just being moved around. From spending on a PC in the office that is very less likely to be lost and that can be controlled to a bunch of new enterprise applications like EMM, mobile anti-malware to app monitoring.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| March 25, 2015
Comments Off on Password Pain Continues

Password Pain Continues

Password Pain ContinuesDespite claims to the contrary, the password isn’t dead yet. Help Net Security points out new research from SecureAuth that documents how dependent many firms are on passwords. In fact, the research found that 40% of IT decision-makers admit that passwords are their only IT security measure. The IT leaders also believe it will take 5 years to see a significant shift in organizations’ reliance on passwords. The author says this is a worrying revelation, considering how many security breaches are the result of compromised credentials.

The researchers found that the entertainment, hospitality, and leisure industry is taking the most risks with its data as 65% of respondents from this sector admit their organizations only use passwords as a security method. (rb- No wonder they keep getting hacked!)

The author claims that SeaureAuth found that 45% of public sector organizations only use passwords. (rb- Another reason to limit how much data they collect on citizens)

Despite companies relying on passwords alone, the survey revealed that 63% of respondents believe their current authentication methods are effectively protecting valuable assets. The survey also revealed that firms worry about protecting different resources:

  • 29% say protecting the company’s VPN is critical
  • 28% believe protecting on-premise applications is a top priority
  • 20% stated protecting Cloud and SaaS is the most important, and
  • 18% said mobile takes precedence.

Nick Mansour, Executive Vice President of Worldwide Sales at SecureAuth explained,

As the skills of hackers continue to evolve, organizations are going to have to wise up to new methods of information access security, such as adaptive authentication which can leverage real-time threat intelligence, biometrics and even behavioral analysis.

Windows 10 logoFrighteningly only 44% of SecureAuth respondents have plans to change or enhance their security model in the next two years. The forthcoming Microsoft Windows 10 can help firms evolve their authentication processes. Help Net Security reports that Windows 10, includes a new feature called Windows Hello. Windows Hello will allow users to authenticate themselves using biometrics. The SecureAuth study reports that only 28% of IT decision makers believe that businesses will biometrics in 5 years’ time.

The article reports that Microsoft (MSFT) considers Windows Hello authentication more secure than using passwords – so secure, in fact, that it can be used in government organizations, the defense, financial, and health care industry. Microsoft’s  Joe Belfiore wrote

Our system enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all

Facial recognitionMr. Belifore says Windows Hello will work with existing fingerprint readers. Windows Hello will also work with facial or iris detection by combining special hardware and software; “The cameras use infrared technology to identify your face or iris and can recognize you in a variety of lighting conditions.”

Mr. Belfiore also introduced Windows Passport, a programming system that can be used to provide a more secure way of letting you sign in to sites or apps. The article explains that unlike with passwords, with which you authenticate yourself to apps, sites, and networks, Passport allows Windows 10 to do that in your stead: again, without sending up a password to their servers. Mr. Belfiore says:

Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with ‘Passport’, you will be able to instantly access a growing set of websites and services across a range of industries

rb-

Couldn’t Redmond pick a name other than Passport? Reminds me of the Hotmail days.

There is of course the age-old problem of what to do if your biometric signature is stolen. You can easily change your iris with a sharp stick, but that does not seem very efficient.

What do you think?

Will Windows 10 biometrics take off?

View Results

Loading ... Loading ...

 

Related articles
  • Second factor authentication can help prevent security breaches (cloudentr.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

 

Category: Uncategorized | Tags: , , , , , , , , , ,
| March 12, 2015
Comments Off on What the FREAK !

What the FREAK !

What the FREAK !Earlier this month news broke that Google, Apple, and Microsoft are vulnerable to a new bug poetically called – Factoring RSA Export Keys – FREAK. The cause of the FREAK bug is not new. In fact, the origin of the FREAK back goes back to the 1990s and government meddling.

weaker HTTPS encryptionPaul Dirkin at Sophos’ Naked Security blog explains that FREAK is a risk to all users. It is a risk because an attacker can trick you and the server into settling on a much weaker HTTPS encryption scheme than from the 1990s. Basically, the attacker gets you to use what’s called “export grade” RSA encryption. Export grade encryption is a ghost from an earlier U.S. Gooberment attempt to break encryption. In the ’90s the NSA required exported encryption to be deliberately weakened. The idea was that export grade keys were just about good enough for every day, not-so-secret use, but could be cracked by superpowers with supercomputers if national security should demand it.

No one should be using export-grade keys anymore – indeed, no one usually does. But many clients and servers still support them according to Sophos. Somehow, in 2015 it never seemed to matter that the 1990 code was still lying around.

U.S. Gooberment attempt to break encryptionIf attackers can watch the traffic flowing between vulnerable devices and websites they could inject code that forces both sides to use 512-bit encryption, which can be easily cracked. It took researchers seven months to crack the key In 1999, the article claims that the same crack takes about 12 hours and $100 using Amazon’s (AMZN) cloud in 2015. It would then be technically pretty straightforward to launch a MITM by pretending to be the official website.

Now that your security is compromised, an attacker can use a “man in the middle” attack (someone who can listen into and change the network traffic between you and your destination server).

FactoringAdditionally, the author says many servers use the same RSA key over and over again. This allows attackers to use the compromised export grade key to decrypt other sessions, using the same key. Another risk Sophos claims is that export-grade keys allow evil-doers to steal both the public and private keys by using a technique known as “factoring the modulus,”  With the critical private key, criminals can now sign traffic from an imposter website as though it came from a trusted third-party.

The author says the team that identified the original FREAK vulnerability claim to have used this bug to create a fake nsa dot gov. University of Michigan computer scientists J. Alex Halderman and Zakir Durumeric, told InfoSecurity that the vulnerability affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains.

The good news, according to Sophos: Users of Chromium/Chrome and Firefox are OK.

The bad news – the bug affects TLS/SSL, the security protocol that puts the S into HTTPS and is responsible for the padlock in your browser’s address bar. The bug is known to exist in:

  • OpenSSL‘s TLS implementation (before version 1.0.1k), which includes Google (GOOG) Android‘s “Browser” browser, and therefore probably Samsung‘s (005930) derived browser known as “Internet.”
  • Apple (AAPL) SecureTransport puts OS X software at risk, including Safari.
  • Microsoft (MSFT) Windows Schannel TLS library puts Windows software including Internet Explorer at risk.

You can check to see if your browser is vulnerable to the FREAK attack on a UMich page here.

You can also check on your favorite website on this UMich page.

rb-

“Export grade” encryption was largely abandoned by 2000 because it was a bad idea. silly idea. It hurt the US software industry and Americans who bought an inferior product. It is still a dumb idea in 2015. As the Gooberment wants to cripple the latest generation of encryption by putting backdoors into encrypted messaging. They seem to have won with Google. Google has dumped plans to encrypt communications by default in Android.

In the short term, if you are worried, use another browser Firefox or Chrome.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| February 12, 2015
Comments Off on 25% of Employees Access Past Employers Work Docs

25% of Employees Access Past Employers Work Docs

25% of Employees Access Past Employers Work Doc'sMore than 25% of file-sharing service users report still having access to work documents from their previous employer, according to a “Rogue Cloud in Business” survey of 2,000 U.S. adults by Harris Interactive for Egnyte, an enterprise file-sharing platform provider.

uncontrolled file-sharingAccording to FierceITSecurity, the survey highlights the security risks uncontrolled file-sharing practices pose to the work place from these practices are obvious. An Egnyte presser claims The survey results illustrate a major exposure for today’s businesses when it comes to the transfer and storage of data through unapproved and insecure cloud-only file-sharing services.

The new survey uncovers deep issues around the rogue usage of consumer-based cloud services and illustrates the need for IT to deploy a secure enterprise-grade solution that meets the file-sharing needs of employees while protecting sensitive business data from the risks associated with insecure file sharing through the cloud

The survey found that:

  • easy to take sensitive business documents51% agree that collaborating on file-sharing services (such as Dropbox and YouSendIt) is secure for work documents;
  • 46% agree that it would be easy to take sensitive business documents to another employer;
  • 41% agree that they could easily transfer business-sensitive data outside the company using a file-sharing service;
  • 38% have used file-sharing services have transferred sensitive files on an unapproved file-sharing service to someone else at least once; 10% have done it 6 or more times;
  • 31% agree that they would share large documents that are too big for email through a file-sharing service without checking with their IT departments;
  • 27% of file-share service users report still having access to documents from that previous employer.

mobile users are willing to bypass IT policiesAnother report from Workshare paints a grimmer picture for those of us tasked with protecting a firm’s intellectual property. The report titled “Workforce Mobilization” shows the true extent to which mobile users are willing to bypass IT policies and use unsanctioned applications to share large files and collaborate on documents outside of the office.

  • 72% of workers are using free file-sharing services without authorization from their IT departments.
  • 62% of knowledge workers use their personal devices for work.
  • 69% of these workers also use free file sharing services to collaborate and access shared documents.
  • At companies with fewer than 500 employees only 24% of employees using authorized file sharing solutions.

Robert Hamilton, director of information risk management at Symantec (SYMC) in Mountain View, CA also told FierceCIO a continued threat to the company’s data comes from employees who feel like they live in a “finder’s keepers” environment.

Not encouraging

The results of the survey report, entitled “What’s Yours Is Mine,” were not encouraging to IT security professionals and IT management. According to the Symantec survey of employees:

  • "finder's keepers" environment68% of their company doesn’t take proper steps to protect sensitive work information;
  • 56% do not believe it is a crime to use a competitor’s trade secrets;
  • 40% download work files to personal devices;
  • 40% plan to use old company information in a new job role.

Symantec’s Hamilton told FierceCIO:

Employees are taking increasing amounts of data outside the company, and most people do not believe using corporate data for themselves is wrong … The attitude is that ownership lies with the person that created it, not with the company that employs them.

rb-

All three of these firms sell products they claim that can stop a firm’s intellectual property from leaking out through public file-sharing services. But before you engage any firm, some basic steps should be taken.

  1. Develop a technology acceptable use policy.
  2. Include public file-sharing services in the AUP.
  3. Incorporate the AUP in the staff handbook, and make sure staff sign it before they are given network access.
  4. Train staff on the risks associated with using public file sharing services for sharing corporate documents. Risks include HIPAA violations, PII release, Malware, PCI-DSS violations, and Government “Snooping.” Only then –
  5. Engage a service provider to implement an enterprise-approved alternative to the free file-sharing services.
What's Your is Mine

Symantec Infographic

Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , ,
| February 10, 2015
Comments Off on Windows 7 Reaches Middle Age

Windows 7 Reaches Middle Age

Windows 7 Reaches Middle AgeNow that you have almost eliminated Microsoft (MSFT) Windows XP from your network and settled on Windows 7 it should be time to catch your breath. But NOOO!! Windows 7 has reached the end of mainstream support.  That’s right we are already 5 years into the Windows 7 era. Repeat after me… Windows 7 still has five years left … Windows 7 still has five years left … Windows 7 still has five years left.

MMicrosoft Windows 7 logoicrosoft commits to 10 years of security fixes and 5 years of feature enhancements and bug fixes for each major OS release. Windows 7 has moved from mainstream support – free help for everyone – to extended support, which means Microsoft will charge for help with the software. That will end in 2020 when Microsoft turns out the lights on Windows 7 for good.

The recent techno-flops from the boys and girls in Redmond, Vista, and Windows 8 have taught enterprises to plan for a new desktop OS every other release. This puts businesses in a bind. MSFT’s track record prevents forward-looking firms from organically growing their desktop fleet into the next cycle. There are those that argue that until Microsoft separates consumer from commercial desktops, Microsoft commercial customers will continue to skip one or more iterations of Windows, their only real answer to the high costs and disruption of upgrading.

Gregg KeizerMirosoft update cycle at ComputerWorld cites research from Gartner (IT) which prognosticates that many enterprises cannot change their processes. Many organizations will go through the same machinations they did with XP. Or maybe even balk at dumping Windows 7 at the same pace as the venerable Windows XP, making things worse. Michael Silver of Gartner told ComputerWorld that having a plan could help organizations avoid a repeat of XP’s expensive end-of-support scramble. Gartner believes that the same EOL mad-scramble we saw with XP will occur again when time is up on Windows 7. Mr. Silver claims:

[A repeat of Windows XP] is certainly likely to happen … One of the big differences that’s been under-considered is that because Vista took five years to come out [after XP], there were eight years between XP and Windows 7. So Windows XP felt pretty old. … Windows 7 won’t feel that old to people…” 

Microsoft Windows 10 logoMr. Keizer argues that the failure of Windows 8 to win enterprise hearts and minds has created an oddity: Even though Windows 7 has made middle age, Microsoft continues to let OEMs sell PCs running the Windows 7 business edition.  Microsoft has yet to name an end date for OEM sales of machines powered by Windows 7 Professional. But because it has promised a 12-month notice, those PCs can still be sold at least until early January 2016, when the OS has but four years of life left.

But if you are just finishing your last migration, then you don’t have all that much time to start planning the next one.

rb-

If you don’t like the Redmond hamster wheel, consider your alternatives. Sophos compares the Windows upgrade schedule to some other options. 10 years might be the best option out there. For example:

  • Apple’s (AAPL) OS X is supported for mystery years,
  • Apple’s mobile iOS is supported for mystery years (3?)
  • Android seems to leave it up to you, but don’t expect Google (GOOG) to commit to securing it.
  • Ubuntu LTS is supported for around 5 years, and
  • Red Hat Enterprise 13 years (with extended support).
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »