Thursday, Aug 06, 2015

Latest Flash hole already exploited to deliver ransomware - update now!

By Paul Ducklin, nakedsecurity.sophos.com

Thanks to Andrew O'Donnell and Fraser Howard of SophosLabs for their behind-the-scenes work on this article.

Are you still using Flash in your browser?

If so, make certain you've got the latest update from Adobe, even though it only came out last week.

Ideally, you'll have 18.0.0.194, announced in Adobe Security Bulletin APSB15-14, issued on 2015-06-23.

→ Windows and Mac users can optionally choose the Extended Support Release, which is an old version retrofitted with the latest necessary security fixes. That one is numbered 13.0.0.296. Linux users are stuck back on Flash 11, for which the current update is 11.2.202.468.

Adobe still delivers its routine patches on Update Tuesday, the second Tuesday of every month, so last week's patch was of the unexpected, emergency sort.

Targeted attacks to start with

The bug that was fixed is designated CVE-2015-3113, and it is a remote code execution (RCE) bug that Adobe admitted was "being actively exploited in the wild via limited, targeted attacks."

However, Adobe went on to temper that statement by adding, "Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets."

Whether that's because the threat mitigations in Windows 8 and above make this vulnerability too hard to exploit, or simply because the victims being targeted were known in advance to be running older versions of Windows, is not clear.

One thing is for sure, though: there's still a lot of XP about.

The announcement that the US Navy just paid for a year of extended support for XP - more than a year after official support ended anyway - was a blunt reminder of that.

As colleague Chester Wisniewski pointed out [0'43"] in this week's Chet Chat podcast:

After all the news of the breaches in all these different government agencies..., it was a little concerning to think that we're not down to the shortlist of the last 500 machines over here in the corner, but 100,000 [Navy computers] still running XP.

 


In fact, by some accounts, Windows XP is still more widely used worldwide than all versions of OS X out there, and only a shade behind Windows 8 and 8.1 combined.

Cybercrooks join the attacks

As documented by well-known independent malware researcher Kafeine, attack code using the CVE-2015-3113 Flash bug has already been packaged by crooks into an exploit kit called Magnitude.

Exploit kits, don't forget, are part of the "pay-per-install" ecosystem of modern crimeware.

Instead of battling to build a specific exploit into your own malware so you can attack unsuspecting users with a drive-by download, you just buy or rent access to an exploit kit (EK).

Typically, that's a server, perhaps "borrowed" from an unsuspecting system administrator whose Linux security isn't up to scratch, that is already rigged up with malicious JavaScript pages designed to unleash any of a number of pre-packaged exploits.

The JavaScript in the EK usually tries to work out which exploits are most likely to work in a victim's browser, for example by checking version numbers and available plug-ins, and then runs the most promising exploits in turn until one of them works.

At that point, if you're the crook, it's up to you what you want the EK to deliver.

Weapon of choice

So far, it looks as though the malware of choice that's pushed out by the crooks behind these attacks is ransomware of the Crypto Defense family.

Cryptoransomware, of course, is a particularly odious sort of malware that leaves your computer running fine, but scrambles your data files and then demands a fee for the decryption key to unlock them.

If you don't have a backup, and the crooks have done their cryptographic programming correctly, then paying up is about the only way to see your files again.

What to do?

Prevention, obviously, is what you want, especially where the data-scrambling payload of ransomware is concerned.

Here are some tips:

  • If you don't need Flash, don't install it at all. To find out if you actually need it, rather than assuming you need it, try living without it for a week or two. You may get a pleasant surprise.
  • If you need Flash only occasionally, use click-to-play. That's where your browser asks you every time whether you want to let a page use Flash. Or turn the Flash plugin off altogether except for the times you know you need it.
  • If you have Flash, don't lag behind on updates. Even automatic updates can take a while to turn up, because Adobe spreads the load randomly amongst its users. You can jump the queue by checking for updates manually.
  • If you're still running Windows XP, please don't. Vulnerabilities that are really difficult for crooks to exploit on Windows 7 and later - as good as impossible, in fact - can often still be turned into working attacks against Windows XP.
  • Keep your anti-virus turned on and up-to-date. A good anti-virus can block this sort of attack at multiple points, e.g. by blocking the web page where the EK is hosted; blocking the EK's JavaScript component; blocking the Flash exploit itself; and blocking the ransomware it would grab next.
  • Don't skip making backups. If you don't have a good enough backup to recover from ransomware, you are at risk of any number of other potential data disasters, too. These include accidental deletion, a failed hard drive, and a lost or stolen laptop.

NB. Sophos products block the threat components mentioned above under numerous names. Detections you may see include: Mal/ExpJS-BU (exploit kit JavaScript), Exp/20153113-A (Flash files exploiting CVE-2015-3113) and Troj/Ransom-AXO (ransomware seen in attacks).

 


Wednesday, Aug 05, 2015

SSCC 210 - So many cool new Windows 10 features to opt out of [PODCAST]

This week's Sophos Security Chet Chat, Episode 210 - August 5, 2015

I love that Sophos provides this information to us to learn from. It gives you deep understanding about features, issues and things that you need to think about in using and protecting your systems.


Wednesday, Aug 05, 2015

Encrypt like everyone's watching! 60 Sec Security [VIDEO]

Watch this week's 60 Second Security...

 


Wednesday, Aug 05, 2015

The "Stagefright" hole in Android - what you need to know

The conference circuit can be a competitive arena, especially when there are multiple parallel streams.

For example, back in 2010, I was at Black Hat in Las Vegas, and I attended the talk next door to the late Barnaby Jack's now legendary "ATM Jackpotting" talk.

Jack famously made unmodified ATMs that he bought off eBay cough up banknotes live on stage.

Those of us next door had to wait until the ovation and commotion died down before our presenter could continue lecturing to his meagre audience. (At least there was a good choice of seats.)

Exploit Disclosure Silly Season

So it's not surprising that July tends to be Exploit Disclosure Silly Season.

Presenters at Black Hat and Def Con try to convince the media to tell the world that theirs is the talk to choose, stressing the severity of the hole they've found without giving too much away.

There's nothing wrong with that: good talks based on solid reverse engineering aren't easy to put together, and if you're prepared to do a live demo to go with it, you're entitled to your "jackpot" moment.

So, imagine that you've got exploit talks accepted at Black Hat and Def Con, that your hack is a remote code execution hole in the world's most widespread mobile operating system, and, best of all...

...that the operating system component in which you found the bug is called "Stagefright".

That's a better name for an exploit than POODLE or LOGJAM – heck, it's a better name than Heartbleed (although the bugs don't really compare at all, whatever you may have read).

You can use a name like "Stagefright" in your press releases without being accused of hyperbole.

Unsurprisingly, then, that's what researchers at Zimperium have done.

They found a bunch of security holes, now designated with seven different CVE numbers (CVE-2015-1538, -1539, -3824, -3826, -3827, -3828 and -3829).

It's become the "Stagefright" hole.

Multimedia Messaging System

The bugs are in an unfortunate part of Android: a part that is used by the Multimedia Messaging System, or MMS.

Remember MMS?

Like SMS but with videos, sounds, pictures, and no annoying 160-character limit?

It's an aging system that doesn't get a lot of attention these days, because internet-based programs like WhatsApp, Snapchat and Instagram have swept it aside.

But most Android phones are still set up to receive MMS messages, and will process them automatically by default.

Technically speaking, an MMS arrives as a link, so that the actual content of the message (which might cost you money) is fetched only later on, when you decide that you want to look at it.

That's a bit like email clients that fetch only subject lines at first, so you can ignore or delete unimportant messages without racking up download charges.

But the default SMS/MMS apps in Android 4.4 (KitKat) and 5.x (Lollipop) are Messaging and Hangouts respectively, and their default configuration is to download MMS content in the background as soon as the messages arrive.

Remote Code Execution

Unfortunately, the bugs found by Zimperium allow shellcode – executable instructions disguised as harmless multimedia data – to take control of your device as soon as the content of a booby-trapped message is downloaded.

So, you may be able to trigger malicious activity as soon as a victim's device receives your poisoned message, even if they later decide to delete it.

That's what's known as a Remote Code Execution (RCE) vulnerability, almost always the worst sort.

The bug has been around for some time, and Zimperium is claiming that 950,000,000 devices may be at risk.

(That precise sounding number seems to be simply a 95% vulnerability rate multiplied by a round one billion Androids.)

Patches coming

Google knows about the bugs, and has prepared patches.

Indeed, if you have a Google Nexus, and you have updated recently, it sounds as though you are already safe.

Sadly, we can't be sure which other device vendors have already patched, unless they choose to say so, because Zimperium is keeping the exploits under wraps until Black Hat, when the whole world will find out about them (and presumably, how to exploit them) at the same time.

It also sounds as though rebuilding Android from the open source project (AOSP) won't help yet.

Google told The Guardian:

This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.

As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat.

In short, this sounds like a serious bug, and you should be looking for a patch as soon as you can get one.

What to do?

  • Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.
  • If you can't get a patch right now, find out when to expect it so that you can apply it as soon as you can.
  • If your messaging app supports it (Messaging and Hangouts both do), turn off "Automatically retrieve MMS messages".
  • If your device supports it, consider blocking messages from unknown senders if you haven't already.
  • If your SMS/MMS app doesn't allow you to turn off "Automatically retrieve messages", consider simply switching back to Android Messaging, which does.

Unless your digital lifestyle hinges on MMS, we think that you will be able to live without it, and that blocking the auto-download of potentially booby-trapped MMS content is a great start.

Of course, even if you've turned MMS auto-downloading off, you still need to avoid clicking on suspicious MMSes – doing so would initiate the potentially dangerous download anyway.

So, if you see an MMS from a sender who's never communicated with you before, consider deleting it.

And don't forget that "Stagefright" isn't specific to MMS messaging, but rather to the way Android renders the sort of content typically delivered by MMS.

Firefox for Android, for example, has recently been updated; it too was apparently vulnerable via web pages containing booby-trapped videos.

So, keep your eyes peeled for those patches!

Tuesday, Aug 04, 2015

Yet Another Encryption Scam

ZDNet reports that another encryption scam has reared its ugly head, using the Windows 10 upgrade as the teaser. Hackers are targeting users attempting to upgrade to Windows 10 with ransomware that encrypts files until a ransom is paid. The "bad guys" appear to be impersonating Microsoft in an attempt to grab your money.

Emails are being sent out tempting the recipient with an attachment: an installer that will supposedly let them get the new Windows 10 operating system sooner. What makes this scheme work is the fact that Microsoft is making users wait in a queue for their turn to upgrade their systems. Impatience on the part of waiting users is causing plenty of heartache for those who succumb to the temptation of running the installer.

Once you download and open the attached executable file, the malware payload runs and begins encrypting data on the affected computer, locking you out of those files.

Typically you are required to pay the ransom using bitcoin, which is much harder to track. And to make the bad guys even harder to trace, they are usually using the TOR network, which makes it nearly impossible to trace them.

Cisco researcher Nick Biasini said the malware payload, called CTB-Locker, is being delivered at a "high rate." "The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user's files without having the decryption key reside on the infected system."

Ransomware attacks have been on the increase since 2014, and ransomware is a quick, easy and near-untraceable way to generate a lot of money in a very short time. So hackers are going to keep coming up with new ways to attack your systems. Beware of what you are clicking on and accepting; you may be their very next victim!

Wednesday, Jul 29, 2015

Logitech H800 Wireless Headset

I was looking for a simple wireless headset replacement for the headset I used on my home system. I thought it would be nice to be able to work on projects while still being able to move around my office hands-free. My first test for sound quality was to get connected using Skype. I called home to my wife, and she reported to me that the sound quality was excellent and that she didn't hear any background noise either. This was very important because I use Skype quite often to call out when I am at home. Skype has great integration with our client management system and this makes it very easy for me to reach out and touch someone.

This is a Bluetooth headphone set, so it can be paired not only with the tiny Bluetooth nano receiver that you plug into a USB port, but may also be connected to a smartphone or tablet by pairing it to those devices. I should be able to move up to 40 feet from the Bluetooth connection, which is what I am testing right now. It appears that I don't have to have line of sight, but going through several sets of walls does attenuate the signal enough to stop the connection.

There is a button on the side of the headset that allows you to switch between the Bluetooth circuit and the nano receiver, so you can switch between devices using that function. By holding in the plus key on the right ear piece you begin the pairing process with any Bluetooth device. I paired it with my Microsoft Surface inside of two minutes. It was a very simple process.

The battery is rated to last six hours, so there is plenty of talk and listening time between charges. If you are running low, just plug the headset into a USB port and the recharge will begin, and you can continue using the headset at the same time. The only issue that I'm going to have over time is that all batteries have a limited number of times that you can charge them, and eventually I will have to dispose of the headset when it can no longer hold a charge. If you need replacement ear pads or a replacement battery you can get them on the Logitech website. The pads and the battery are both five dollars apiece. If you lose your nano receiver you can get another one for $15.

It does have a noise-cancelling microphone, so it should work fairly well even in a noisy environment. It only took me seconds to get connected to my Dragon NaturallySpeaking software, and I didn't have to train it at all to begin dictating to it accurately.

The nano receiver is a 2.4 GHz wireless connection and allows you to move up to 40 feet away from your PC without losing the connection.

The documentation states that it has a "fold and go" design, but even though it does get smaller, because of its heavy construction it does not fold as tightly as my Plantronics unit did. But it does get a little bit smaller, so it will fit into a backpack without a problem. The left ear piece opens up for access to the battery and also doubles as a storage compartment for the nano receiver, so it is available on your travels.

This unit retails for about $100. The warranty for the unit is two years. Be sure to go to the Logitech website to register your unit after you have purchased it.

Wednesday, Jul 15, 2015

CryptoWall ransomware cost US victims at least $18 million, FBI says

by John Zorabedian on June 25, 2015

 

Malware that encrypts all of a victim's files and holds them for ransom - what's commonly called crypto-ransomware or cryptoware - continues to be hugely successful in making money for the criminal gangs who perpetuate it.

According to a public service announcement from the FBI's Internet Crime Complaint Center (IC3), the CryptoWall variant of crypto-ransomware cost US businesses and consumers at least $18 million between April 2014 and June 2015.

That figure is based on complaints from 992 CryptoWall victims, and includes related damages such as the cost of network mitigation, loss of productivity, legal fees, IT services and credit monitoring services.

It's not clear how much of the $18 million was paid out in ransom fees to the CryptoWall criminals, but the FBI said that the ransom demanded typically ranged from $200 to $10,000.

The FBI called CryptoWall the "most current and significant ransomware threat" in the US.

Although the FBI's report of financial damages caused by CryptoWall is significant, it's likely those figures represent only a tiny minority of the cost to victims worldwide.

It's difficult to determine the exact number of crypto-ransomware victims, in part because many businesses caught in the ransomware trap don't want to come out and say so (public sector organizations like police departments haven't had the same luxury).

Equally hard is figuring out how much money the crooks have hauled in from their ransomware enterprises.

What we do know is that crypto-ransomware is highly effective, and lucrative enough for criminals to keep coming up with new forms of it - one survey found that 3% of UK citizens had been victims, and 40% of those had paid the ransom.

CryptoWall's predecessor, CryptoLocker, was extremely successful - the crew behind CryptoLocker raked in an estimated $27 million in the first two months after it was unleashed in September 2013.

Although CryptoLocker was fatally damaged by a law enforcement take-down of its server infrastructure in May 2014, cybercriminals soon began spreading other dangerous forms of ransomware based on CryptoLocker's successful model.

We began seeing CryptoWall in April 2014, along with another similar variant called CryptoDefense.

Since then, other copycats have emerged that have proved to be just as dangerous, some even borrowing the CryptoLocker name.

Recently we even saw crypto-ransomware that borrowed themes and imagery from the popular television series "Breaking Bad."

The crooks have figured out some fiendish ways to get people to pay up: by making their illicit software "consumer-friendly" with easy-to-follow instructions on how to pay with bitcoins or other forms of untraceable e-payment, and offering "user support."

Crypto-ransomware crooks have also figured out that they can earn their victim's trust (more or less) by offering to decrypt one file for "free" - so you'll know the crooks will follow through on their promise to decrypt the rest of your files once you pay them.

If the crooks have implemented the encryption process properly - and they often have - you're left with a choice of losing your files, or paying for a copy of the decryption key.

It presents an ethical dilemma - one which Sophos security expert and fellow Naked Security writer Paul Ducklin captured well in his excellent post "Ransomware - should you pay?"

His spot-on and simple advice is summed up here:

  1. Don't pay if you can possibly avoid it, even if it means some personal hassle.
  2. Take precautions today (e.g., backups, proactive anti-virus, web and email filtering) so that you avoid getting into a position where you ever need to pay.

Friday, Jul 03, 2015

Hundreds of Dark Web sites cloned and "booby trapped"

 

The founder of one of the Dark Web's fledgling search engines is warning Tor users about the presence of hundreds of fake and booby trapped .onion websites.

Sites with addresses that end in .onion are anonymous, Dark Web websites (properly called hidden services) that can only be accessed using the Tor browser.

The fake sites were discovered by Juha Nurmi, a founding member of the ahmia.fi project, an open source search engine that aims to search, index and catalogue all the content present on the Tor network.

Nurmi first noticed a fake of his own site before discovering that there are multiple clones of hundreds of other Dark Web sites, including a fake of the .onion version of the popular DuckDuckGo search engine.

Nurmi raised his concerns on Monday, on the Tor-Talk mailing list and published a full list of fake or booby trapped sites to Pastebin.

I noticed a while ago that there is a clone onion site for Ahmia. Now I realized that someone has actually generated similar onion domains to all popular onion sites and is re-writing some of the content.

In his post to the mailing list he claims that there are multiple copies of each target site with similar-looking addresses.

Tor sites are often found through directories rather than search engines and they have addresses that are quite difficult to read, which probably makes it easier to plant fakes than on the regular World Wide Web.

For example, the real and fake addresses for DuckDuckGo are the equally immemorable:

http://3g2upl4pq6kufc4m.onion/ (real)
http://3g2up5afx6n5miu4.onion/ (fake)

Nurmi also claims that the fake sites aren't just duplicates of the real sites but proxies for them (he could presumably verify this for his own site but he doesn't state how or if he tested it for the others).

If he's correct then the proxies would allow the attacker to launch so-called Man-in-the-Middle attacks, stealing or modifying data as it passes through the fake site.

These sites are actually working as a transparent proxy to real sites. However, the attacker works as MITM [Man-in-the-Middle] and rewrites some content. It is possible that the attacker is gathering information, including user names and passwords.
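The two DuckDuckGo addresses above differ only after a shared five-character prefix, which is exactly what a cheaply generated vanity lookalike looks like. As an added example (not code from the article or from the ahmia.fi project), the Python below scans a page body for v2 .onion hosts and flags any that share a long prefix with a verified service without being that service; the DuckDuckGo name is the real address quoted above, while the second allow-list entry and the sample page are constructed.

```python
import re

# Tor v2 hidden-service names are 16 base32 characters (a-z, 2-7) before ".onion".
ONION_HOST = re.compile(r"[a-z2-7]{16}\.onion")
ONION_ADDRESS = re.compile(r"^(?:https?://)?([a-z2-7]{16})\.onion(?:/.*)?$")

# Allow-list of services the user has verified out of band (a bookmark, a
# signed announcement). The DuckDuckGo name is the real address quoted in the
# article; the second entry is a constructed placeholder, not a real service.
KNOWN_GOOD = {
    "duckduckgo": "3g2upl4pq6kufc4m",
    "example-service (placeholder)": "abcdefghijklmnop",
}

# Generating a name that matches a target's first few characters is cheap, so a
# long shared prefix followed by a mismatch is the signature of a lookalike.
# Four matching base32 characters by accident is roughly a one-in-a-million event.
MIN_SHARED_PREFIX = 4


def onion_name(address):
    """Return the 16-character service name, or None if the address is malformed."""
    match = ONION_ADDRESS.match(address.strip().lower())
    return match.group(1) if match else None


def shared_prefix_len(a, b):
    """Length of the common leading run of characters in a and b."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify(address, known_good=KNOWN_GOOD, min_prefix=MIN_SHARED_PREFIX):
    """Classify one address against the allow-list.

    Returns ("ok", label) for an exact match, ("lookalike", label) when the name
    shares at least min_prefix leading characters with a known service but is
    not that service, ("malformed", None) or ("unknown", None) otherwise.
    """
    name = onion_name(address)
    if name is None:
        return ("malformed", None)
    for label, good in known_good.items():
        if name == good:
            return ("ok", label)
    best_label, best_len = None, 0
    for label, good in known_good.items():
        n = shared_prefix_len(name, good)
        if n > best_len:
            best_label, best_len = label, n
    if best_len >= min_prefix:
        return ("lookalike", best_label)
    return ("unknown", None)


def scan_page(text, known_good=KNOWN_GOOD):
    """Find every .onion host in a page body and classify each one (deduplicated, in order)."""
    hosts = dict.fromkeys(ONION_HOST.findall(text.lower()))
    return {host: classify(host, known_good) for host in hosts}


# Constructed sample page: the real DuckDuckGo address, the fake quoted in the
# article, and an unrelated address.
SAMPLE_PAGE = """
<a href="http://3g2upl4pq6kufc4m.onion/">DuckDuckGo</a>
<a href="http://3g2up5afx6n5miu4.onion/">DuckDuckGo (mirror?)</a>
<a href="http://zzzzzzzzzzzzzzzz.onion/">Something else</a>
"""

if __name__ == "__main__":
    for host, (verdict, label) in scan_page(SAMPLE_PAGE).items():
        print(f"{host:24} {verdict:10} {label or ''}")
```

The prefix check only catches the pattern the article describes; a clone whose name differs in the middle would land in "unknown", which is why the allow-list match, not the lookalike heuristic, is the decision that matters.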

In another sinister twist user 'garpamp', who claims that such activity has been "going on for years", states that he's seen pages that list .onion addresses being modified by malicious Tor exit nodes.

This is a completely different attack from the one identified by Nurmi and it occurs on the regular web, not the Dark Web, but it's aimed at achieving the same thing - getting you to visit a fake Dark Web service instead of a real one.

It works like this:

The Tor browser can be used to browse hidden services on the so-called Dark Web, where both the browser and the site are completely anonymous, or the regular World Wide Web, where only the user with a Tor browser is anonymous.

When it's used on the regular web, Tor encrypts your traffic and sends it on an eccentric journey between a number of Tor nodes before it's decrypted again before making the final hop to its destination like any other internet traffic.

This decryption (and the encryption of responses) is performed by a special Tor node called an exit node. Anyone can set up an exit node and because they deal with unencrypted information they are an excellent place to spy on traffic, or even to modify it on-the-wire (you can read more about exit nodes in my recent article Can you trust Tor's exit nodes?).

What garpamp claims to have seen is malicious exit nodes being used to rewrite regular web pages.

In other words, if you looked at this page through Tor and you happened to get a malicious exit node in your circuit you might not see the legitimate DuckDuckGo address at the top of this page, you might see two fake ones instead.

During the course of the discussion, garpamp noticed that a bad exit node was actually rewriting the addresses on the pastebin page posted by Nurmi!

...I've also seen exits [1] rewriting onion addresses found on clearnet.

[1] Like the ****** behind this piece of **** is doing to that pastebin url... Arag0n 185.77.129.189 dc914d754b27e1a0f196330bec599bc9d640f30c

The thread closed with Roger Dingledine, one of the original Tor developers, reporting that the bad exit node discovered by garpamp has now been given the BadExit flag which should prevent it from acting as an exit node.

The battle to shut down bad exit nodes is ongoing.

We don't know who is behind the fake sites, who is behind the exit nodes rewriting real addresses for fake ones, or why they're doing it, but there is no shortage of suspects.

The Dark Web is an online safe haven for dissidents, journalists and champions of free speech, but it is also a small and highly concentrated den of the very worst criminality.

So, not only is there an abundance of thieves on the Dark Web, and no honour amongst them, there is no shortage of government hackers or undercover agents either.

Saturday, Jun 27, 2015

What is Office Mix?

Office Mix is a new PowerPoint add-in that is free from Microsoft. Follow the download directions to install it into your PowerPoint program. Once it is installed you will see a new tab called Mix that will give you the ability to create your Mix media.

So what is Mix? If you are aware of TechSmith's Camtasia and the way that it works with PowerPoint presentations, then my explanation is simple: it is Microsoft's version of that function. Mix allows you to automate your PowerPoint presentation and save it as a video for sharing. It has many other features built into it, but one thing it does that is useful in classroom situations is to allow you to create quizzes within the presentation. It also provides screen and sound capture that you can insert in a slide, lets you insert other video files and audio, and then record and play back your narration of the slideshow. You can then publish this recording to your online OneDrive storage area and share it with whomever you wish.

It's pretty slick. Once you get the general function of it, then it becomes very easy to use. All you have to do is dream up and produce your content and then deliver it to the world.

Wednesday, Jun 24, 2015

Practical IT: What is encryption and how can I use it to protect my corporate data?

by Ross McKerchar on May 21, 2015, from Naked Security

There’s been a lot of talk about encryption in the media lately.

You hear about who uses encryption, and who doesn’t (lots of companies don’t, to their own detriment).

And you hear about who wants to be able to bypass encryption (some law enforcement and national security agencies), and who doesn’t (Google, Apple, privacy advocates, etc.).

The encryption debate is important, but unfortunately, encryption is complex and the discussion can be hard to follow for people outside of the security community.

Businesses often don't realise why encryption is important, and how they can use it to protect their data.

In this article I will seek to answer some common questions about encryption by covering two areas: 1) a very brief explanation of encryption, and 2) a couple of the most common use-cases which business needs to be aware of.

What is encryption?

Encryption is a method of scrambling messages in a format that is unreadable by unauthorised users - it is, simply put, the best way to keep data secure from spies, thieves or accidental exposure. (Not to be confused with steganography, which is all about hiding messages, rather than making them unreadable).

Cryptography - the art and science behind encryption - uses algorithms to turn readable data (plaintext) into unreadable format (ciphertext).

Without getting too deep into the details, it's helpful to think about it like this: when you encrypt data you are storing it like you would money in a safe - you need a key to unlock the safe to get the money out (my apologies to any cryptographers reading this for the gross over-simplification!).

(If you want to learn more, I recommend my fellow Naked Security writer Paul Ducklin's great explanation of public-private key encryption.)

There are loads of ways to use encryption, but for organisations concerned about data loss, two very important areas to understand are full-disk encryption and file-level encryption.

Full-disk encryption vs. file-level encryption

Encryption can be used in many different ways.

Say your employee accidentally loses a USB drive with valuable data on a train, or their laptop gets stolen when they leave it alone in a coffee shop while they go to the bathroom (it happens).

The physical kit can be replaced, but the data on them could end up in the wrong hands and cause considerable harm - you might face financial penalties (depending on your local laws and industry regulations).

Or you might lose customers when word gets out that their personal data was leaked. You may very well be legally obliged to tell them. Of course, morally, telling them is always the right thing to do, regardless of legality.

However, if the laptop or USB drive was strongly encrypted, the data is unreadable to someone without the key and you likely won't have legal issues to worry about.

Laptops, USB drives, and even smartphones can be encrypted using what is known as full-disk encryption. That means the entire hard drive of the device and everything on it is protected by encryption - from the operating system to program files all the way down to temporary files.

Full-disk encryption is also relatively simple to implement - laptops and smartphones now come with the capability built in, what’s called native encryption.

However, full-disk encryption can only keep your stuff secure when it's on the device. The second anything leaves the encrypted device, it is "magically" decrypted and readable by all. This has important implications for your backups or files you've uploaded to a cloud service or attached to an email.

If you think about the analogy of money in a safe, the encrypted disk is the safe, and the money is your data. Once you take your money out of the safe it is no longer protected.

Conversely, if you have file-level encryption, every file has a "padlock."

With file-level encryption, your data is protected when it is in transit, or stored somewhere in the cloud.

But there is a downside - file-level encryption is harder to manage than full-disk encryption, because whenever you want to access the data, you need the key. As you may want access from many devices and many places, this requires careful key management.

When and how should you use encryption?

Full-disk encryption barely affects system performance at all, but if you try to encrypt everything at the file level, it will quickly become unmanageable.

You need to think a bit more about what data you want to encrypt and why. You'll likely want to focus on file-level encryption for sensitive data and/or data that you copy to other places - for example, documents you want to access on your phone as well as your desktop, or from a service like Dropbox.

It's important to understand that file-level encryption doesn't replace full-disk encryption. They complement each other. If you only encrypt your own files and not the full disk then it's very easy to miss something. Chances are your computer stores copies of your data in all sorts of places you didn't think about.

Most companies will also want the IT department to carefully manage the encryption keys across various devices. Without this central management, data could easily be lost if a person leaves the company or loses their decryption password. Unlike passwords used for access, passwords used for encryption can't simply be reset by a sysadmin if they're forgotten.

A smart company will make sure the master decryption keys are very well protected. Even smarter companies will ensure that no single person has full access to the powerful key. One way of doing this is designing a system such that two or more people need to contribute towards the decryption process (segregation of duties).

Good encryption software will have capabilities to make key management and segregation of duties relatively simple.

Wednesday
Jun172015

Original Surface Pro

I just picked up an original Microsoft Surface Pro and even with its limitations I have been fairly impressed with it. So much so that I am now eyeing up the Surface Pro 3 as my next laptop computer. Of course, I'll wait until I find a good deal on that as well. The one I picked up has 64GB of storage and 4GB of RAM. It is an i5 so it is pretty snappy. My biggest issues with it are the screen size and the storage. I just upgraded it to Windows 8.1 and that gave me a bit back, but I have 20GB free with my basic load on it. I am running Office 2013 (Office 365 load), ConnectWise (this is our service management program), Netflix, Hulu Plus, Kindle, Plex, Readiy, and Facebook apps.

However, before I upgraded, I was all the way down to 8GB, so that was a little worrisome, especially when I didn't have enough space to install the upgrade to 8.1.

It is snappy, runs well and I am beginning to really like the 8.1 interface. I have found a few programs that don't like the new operating system, but for the most part I am running fine. I have signed up for the Windows 10 upgrade that should be available late July, and this will give me a chance to work more with it as well.

Wednesday
Jun172015

New Credit Cards with Chips pose increased costs to vendors that accept them

An interesting viewpoint by Joyce Rosenberg from inc.com discusses the associated costs of having to upgrade your credit card readers to work with the new chip-based credit cards that were designed to reduce credit card fraud. Businesses are required to update their equipment by October 1st or face the chance of being held liable for transactions made with phony chip cards. Most retailers are going to bear the brunt of these costs.

But that's not all! If your accounting system is connected to the readers, it may not work with the new equipment and may require you to upgrade or replace your system to be able to automate the transaction processing.

What are the alternatives? I can't seem to think of anything but move forward and take the financial hit. Not a pleasant situation to be in for all of us small business owners.

Sunday
Jun142015

Free Wi-Fi - Should you use it?


With Wi-Fi becoming more and more prevalent in the places that you frequent, are the services safe to use with your mobile devices?

The free connections in cafés and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. One of the solutions we try to use, SSL encryption, has its issues as well. You initiate this when you insert HTTPS:// in front of the URL that you are wanting to access, or in many cases the site itself redirects to an SSL session automatically. This is the case with many financial sites as well as anything that needs to be HIPAA compliant.

Using a VPN tunnel to your site helps to encrypt the session from your device to the site, but you will need to use a proxy service in cases where you are not connecting back to the corporate or provided VPN-controlled site.

While this is a much more secure connection, there is a security hole that can be taken advantage of. In many cases you must open a browser to a "captive portal", which comes from a local router when you ask to connect to the Internet. You may have to manually accept a terms of service agreement before your session can start.

While this is occurring your VPN has not yet begun, and depending upon the software that you run you might be exposed at this point. If you have services running on your mobile device that begin checking for updated data automatically, like email, you are not going through a VPN to access them. The data that is streaming through is potentially available for anyone to see.

While this exposure may only be a matter of seconds, that could be enough to expose valuable information like logon credentials. So how do you protect yourself?

Shaun Murphy, a founder of PrivateGiant (www.privategiant.com), which makes products to protect the security and privacy of online communications, suggests that you do it with a software firewall, either one that comes with your operating system or a third-party one:

The basic approach is to prevent all inbound and outbound connections on your public networks (or zones) with the exception of a browser that you use to connect to captive portals and such. That browser should be one you only use for this purpose and, perhaps, some lightweight browsing (certainly not email, social, or any other personally identifiable purpose.) Using that same firewall, set up a profile/zone for VPN traffic where inbound / outbound traffic are less restricted (I recommend blocking outbound connections by default and then adding in programs as needed, it's surprising how many programs call home... all the time.) The nice thing about this approach is your email client, primary web browser, and other applications you use will be useless unless you are actively connected to the VPN. 

And the real solution to this problem isn't hacking with firewalls. What we need is encryption being provided by default in public Wi-Fi. We don't see this very often now because that would mean supplying passwords to you the client, and the support overhead would be just too great in a busy environment like a café or restaurant. The result is that we have an insecure environment with bad but adequate usability.
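The leak window described above (the gap between associating with the access point and the VPN tunnel coming up) and the "programs call home" problem in the firewall advice are both easy to measure from a host connection log once you know what to look for. The following is an added example, not code from this post, from Shaun Murphy or from PrivateGiant: it replays a constructed log and reports every connection that left the device outside the tunnel without being the dedicated captive-portal browser. The log format, event names, process names and the `browser-portal` allowlist entry are all assumed for illustration.

```python
from datetime import datetime

# Constructed sample connection log (not the output of any real firewall);
# assumed format: "<ISO timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2015-06-14T08:00:00 wifi state=associated ssid=CafeFree iface=wlan0
2015-06-14T08:00:01 conn proc=browser-portal dst=10.0.0.1:80 iface=wlan0
2015-06-14T08:00:03 conn proc=mail-client dst=203.0.113.10:993 iface=wlan0
2015-06-14T08:00:04 conn proc=chat-app dst=198.51.100.7:443 iface=wlan0
2015-06-14T08:00:09 vpn state=up iface=tun0
2015-06-14T08:00:10 conn proc=mail-client dst=203.0.113.10:993 iface=tun0
2015-06-14T08:00:11 conn proc=browser dst=198.51.100.20:443 iface=tun0
2015-06-14T08:00:12 conn proc=update-agent dst=192.0.2.55:80 iface=wlan0
"""

# Only the dedicated captive-portal browser may talk on the public interface
# (the "browser you only use for this purpose" from the quoted advice).
PORTAL_ALLOWLIST = frozenset({"browser-portal"})


def parse_line(line):
    """Split one log line into (timestamp, event kind, field dict)."""
    ts, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts), kind, fields


def find_leaks(log_text, allowlist=PORTAL_ALLOWLIST, tunnel_prefix="tun"):
    """Return (leaks, window_seconds).

    leaks: list of (timestamp, phase, process, destination) for connections
           that left the device outside the tunnel and were not the portal
           browser. phase is "pre-vpn" (the gap before the tunnel came up)
           or "bypass" (the tunnel was up but the traffic went around it).
    window_seconds: seconds between Wi-Fi association and the tunnel coming
           up, or None if either event is missing.
    """
    associated_at = None
    vpn_up_at = None
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, f = parse_line(line)
        if kind == "wifi" and f.get("state") == "associated":
            associated_at, vpn_up_at = ts, None  # new network: the gap opens again
        elif kind == "vpn" and f.get("state") == "up":
            vpn_up_at = ts
        elif kind == "conn" and associated_at is not None:
            if f["proc"] in allowlist or f["iface"].startswith(tunnel_prefix):
                continue
            phase = "pre-vpn" if vpn_up_at is None else "bypass"
            leaks.append((ts, phase, f["proc"], f["dst"]))
    window = None
    if associated_at is not None and vpn_up_at is not None:
        window = (vpn_up_at - associated_at).total_seconds()
    return leaks, window


if __name__ == "__main__":
    leaks, window = find_leaks(SAMPLE_LOG)
    print(f"tunnel came up {window:.0f}s after association")
    for ts, phase, proc, dst in leaks:
        print(f"{ts.time()} {phase:8} {proc} -> {dst}")
```

Run against the sample it shows two pre-VPN leaks (the mail client and a chat app polling before the tunnel existed) and one bypass afterwards (an updater going out on the Wi-Fi interface while the tunnel was up). Those are exactly the processes a default-deny public-zone profile would have blocked, and listing them before changing the firewall is how you find out which applications actually need to be allowlisted in the VPN zone.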

In an article written by Larry Seltzer for arstechnica.com he talks about a solution that has been available for years. He goes on to tell us that it is beginning to gain traction and that hopefully we will see this become the go-to protocol in the future.

The Wi-Fi Alliance has had a solution for this problem nearly in place for years, called Passpoint. The Passpoint protocol was created to allow for Wi-Fi "roaming" by creating a way for access points to grant access by way of a third-party credential, such as your Google ID or your ISP account. When you connect to a public access point through Passpoint, it authenticates you and establishes a secure connection using WPA2-Enterprise, the gold standard in Wi-Fi security—instead of leaving your traffic unencrypted or visible on the shared wireless LAN.

The reason that you don't yet see Passpoint everywhere is that it requires the Wi-Fi provider—such as a consumer ISP, Google, or Boingo—to trust certain authentication providers and to advertise a list of them to connecting devices—the longer, the better. And users would need to configure Passpoint on their system to use one or more of their credentials when connecting to such a network. There hasn't been wide adoption of Passpoint yet—while it's been put to use in certain high-volume locations, such as many airports, it's still pretty uncommon.

The Wi-Fi Alliance now says that Passpoint is gaining traction in the enterprise as a way to handle BYOD. That's interesting if true, but it doesn't address the pain point of public Wi-Fi privacy. Passpoint has the potential to close the VPN data leakage window and make public Internet services far more secure. In its absence, there is no good solution.

Wednesday
Jun102015

Instapaper Premium

Instapaper is a great program that I have been using for years in its free version; it allows me to capture web articles that I can file in folders to make them easy to read later. You can access this information either through a web browser on your PC or using their iOS or Android apps on your mobile devices.

Instapaper has launched a new premium service that costs $2.99 per month or $29.99 per year, a 15% savings by purchasing on an annual basis. The feature list for both services is as follows:

From <https://www.instapaper.com/premium>

The ability to have full-text search and to add notes to the articles that you have saved helps to make an interesting argument for moving to the premium service, but probably the most compelling reason is that you are supporting the company for offering the service as well as for any new upgrades to the product. At under three dollars per month, doing so will not break your bank.

Tuesday
Jun092015

Windows 10 Feature Cuts

Before deciding what you want to do about upgrading your Windows 7 or 8.1 operating systems to Windows 10, think about what programs that you use that may or may not be available to you in the new operating system.
Windows Media Center is one of those programs that I am sorry to see go by the wayside. Microsoft has been planning this for a while but it makes me unhappy to see it go. From Microsoft's Windows 10 spec page here are some of the other features that are being cut:
Feature deprecation section
  • If you have Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, Windows 8 Pro with Media Center, or Windows 8.1 Pro with Media Center and you install Windows 10, Windows Media Center will be removed.
  • Watching DVDs requires separate playback software
  • Windows 7 desktop gadgets will be removed as part of installing Windows 10.
  • Windows 10 Home users will have updates from Windows Update automatically available. Windows 10 Pro and Windows 10 Enterprise users will have the ability to defer updates.
  • Solitaire, Minesweeper, and Hearts Games that come pre-installed on Windows 7 will be removed as part of installing the Windows 10 upgrade. Microsoft has released our version of Solitaire and Minesweeper called the “Microsoft Solitaire Collection” and “Microsoft Minesweeper.”
  • If you have a USB floppy drive, you will need to download the latest driver from Windows Update or from the manufacturer’s website.
  • If you have Windows Live Essentials installed on your system, the OneDrive application is removed and replaced with the inbox version of OneDrive.
Most of these items you can live without, but if you still have some things on floppies that you haven't moved to other media, you may want to consider doing that before upgrading. I think most people have already done that, but here is the impetus to do so. In my experience at the store, more people will be worried about Solitaire than anything else.
Monday
Jun082015

Amazon's Echo Speaker

I have been listening to one of my favorite podcasts for a while now and one of the hosts talks from time to time about how much she likes Amazon's Echo Speaker system and I finally saw an article in Engadget discussing the fact that Audible files now can be directly accessed through the speaker.
I am such a big Audible fan that having another source through which I can listen to the books I am reading is welcome news. Yes, I understand that I'm listening to them, but to me it's the way that I consume most of the books I read for enjoyment.
However, the Echo Speaker is available by invitation only through Amazon, so I have had to put in my request for an invitation to purchase one through the Amazon service. As a Prime user you get an automatic discount of $50 off the price of the unit, which is $149.
Connectivity is one of the things that you are always looking for in today's new speaker devices, and the Echo Speaker does a lot of the things that you would expect. First, it connects through Wi-Fi back to the Internet so that as you are asking questions it will use that Internet connection to gather information to respond to you with an answer. It is also Bluetooth enabled, allowing you to connect your tablet or phone to the speaker so that you can play from applications that you are using on those devices. Also available for both Android and iOS devices is a companion application that allows you to connect to the speaker as well.
It also connects to your WeMo-compatible devices using voice commands. A list of these controllers is available on the Amazon Echo website. The Echo's brain is not built into the unit itself but actually operates from Amazon Web Services. Over time, the Echo will continue to learn your speech patterns, vocabulary and personal preferences. All updates are done in the cloud so you don't have to worry about doing them locally on the device.

Echo is always ready, connected, and fast. Just say the wake word, "Alexa," for:

  • New - Connected Home: Control compatible WeMo and Philips Hue devices with your voice.
  • New - Pandora: Listen to and discover music from Pandora's library of over 1 million tracks.
  • New - Traffic: Hear commuting time and the fastest route to your destination.
  • New - Sports: Ask for sports scores and schedules from the NFL, NBA, MLS, MLB, and more.
  • Music: Listen to your Amazon Music Library, Prime Music, TuneIn, and iHeartRadio.
  • News, weather, and information: Hear up-to-the-minute weather and news from a variety of sources, including local radio stations, NPR, and ESPN from TuneIn.
  • Questions and answers: Get information from Wikipedia, definitions, answers to common questions, and more.
  • Alarms, timers, and lists: Stay on time and organized with voice-controlled alarms, timers, shopping, and to-do lists.
  • More coming soon: Echo automatically updates through the cloud with new services and features.

With all of these features, how can you help not wanting to own one for yourself?

Sunday
Jun072015

Dropbox for Business

Dropbox currently has over 300 million users, and its For Business version has gone a long way to improve the security of your information, so it is becoming much safer for businesses to use this product. We have recently added Dropbox for Business as one of the many cloud-based services that we can offer our clients. We are, after all, a Solutions Provider and we are strongly focused on security for our clients' networks, computer systems, devices and information.

I started using Dropbox almost from day one when I got my first iPad, and as I continued to add new mobile devices to my personal inventory it became clear how important it is to have a service that is available on any device that I possibly own. I don't want to have the issue of having to find just the right device so I can access the data that I'm looking for.

What is Dropbox for Business?

Individual Dropbox for each user in your team

  • 5 TB for 5 users, with more as your team grows
  • Unlimited file recovery and versioning
  • Centralized billing for all team members
  • Admin controls and phone support

With all of this control and security doesn't it make sense to include Dropbox for Business as part of your business applications?

The cost is just $150 per year per user with a minimum of five users to start. Let us know if you have any questions about this product.

Saturday
Jun062015

I am still amazed at what Roku offers

Every so often I take a quick look to see what I might be missing in my channel list. The Roku 3 that I have as an accessory in our TV room is slowly becoming the primary device we use to access TV shows and movies. With the Sling TV app you also have the ability to stream live TV without having to have cable. Cutting the cord becomes that much easier with some of these features added. The one bill I hate paying every month is the Comcast bill, with triple play costing over $200 a month. So the question is: can I create a budget from streaming Internet services that is less than what we are paying for the cable services?
From my calculations I can drop the cost down to about $130 to $150 per month, compared to the cost of around $300 for the same basic options. So what am I going to lose? I think the two main things I will miss will be football and local news. However, if I put up a high-definition TV antenna I can probably pick most of that up over the air for free.
So am I ready to make the big leap? As much as I would like to, I don't think I'm there quite yet. It may happen soon though!

Friday
Jun052015

Here's one for Ken

A couple of our guys are really into drones but Ken is the craziest. 

So Ken, this one is for you!

Thursday
Jun042015

Google I/O: Google Photos

Built on these three key concepts:

  • Home for your Photos and Videos - a safe and private place to store all of your photos and videos that is available on any device
  • Help you organize and access this media - the concept is to make an app that helps you organize and access your media so that you spend more time making more memories not on organizing old ones.
  • Make it easy to share this media - sharing should be easy and simple. Receiving this information should be easy to access and use it on the other end.

Google Photos is available now from your iOS, Android or web-enabled platform. It provides free unlimited photo and video storage of compressed images up to 16 GB for photos and videos at 1080p. A lot of time was spent showing the automatic organization capabilities based upon time, facial recognition, and geolocation.

One of the demos showed the ability to pull out a baseball photo array by just typing in the word baseball. They continued on to demonstrate how you can easily select a group of photos and share them simply by holding down on the first image and dragging to the last image to select, then creating a share link that you can send off to a friend or family member so that they have access to those photos. The recipient of that shared link had total access to those images and could do whatever they wanted with them on their own device.

One of the things to remember is that all of the photos that were being accessed are online, and they came up instantly as though they were on the device that you are working with. It was very quick and made a compelling case for considering Google Photos as a great place to store all your photos and videos.
I am anxious to see how well and if this service will work with Adobe's LightRoom and if this will be a viable service to use as a secondary source for storing all of your images.