Archive for February, 2014
Apple has released a patch for iOS and says an OS X fix will be released ‘very soon’
Security researchers revealed late Friday that iOS’s validation of SSL encryption had a coding error that bypassed a key validation step in the Web protocol for secure communications. As a result, communications sent over unsecured Wi-Fi hot spots could be intercepted and read while unencrypted, potentially exposing user password, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Secured Wi-Fi networks, such as home and business networks with encryption enabled, are not affected.
Apple released a patch Friday evening, available to al iOS users. iOS users should have already received a notification of the update’s availability or have had it automatically installed, depending on their device’s iOS version, update settings, and available space for downloading the update.
[ It's time to rethink security. Two former CIOs show you how to rething your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
But on Saturday, several researchers reported that the flaw also affected OS X 10.9 Mavericks and perhaps other OS X versions. Late Saturday, Apple said it had a fix ready for OS X and would release it “very soon.” On OS X, the flaw is likewise limited to SSL connections over unsecured Wi-Fi networks, though only in Safari.
The update will be available through OS X’s Software Update utility, which is set to download security updates automatically by default in recent OS X versions.
iOS uses the WebKit-based Safari engine even in non-Safari browsers, so all iOS browsers can be exploited. By contrast, OS X lets each browser use it’s own browser engine. A Google security researcher said Chrome does not have the coding flaw; other researchers have said that Mozilla Firefox is likewise safe.
The mobile messaging app has 450 million monthly users
Facebook, in a major push to expand its business on smaller screens, has agreed to buy the mobile messaging app WhatsApp for $16 billion, the companies said Wednesday.
Facebook plans to pay $12 billion in shares and $4 billion in cash to acquire the company. It will also grant $3 billion in stock options to WhatsApp’s founders and employees. The deal is expected to close this year pending regulatory approval, Facebook said.
The size of the deal shows the value that Silicon Valley firms now place in mobile users, and what a high-stakes industry mobile computing has become. Facebook paid $1 billion when it bought Instagram almost two years ago, and even then some said it had paid too much.
WhatsApp has 450 million monthly users, and 70 percent of them access the service daily, Facebook said, making WhatsApp one of the leading mobile messaging services.
WhatsApp will operate “independently” inside Facebook and retain its own brand, Facebook said, a similar model it has used for its Instagram acquisition.
“WhatsApp is on a path to connect 1 billion people. The services that reach that milestone are all incredibly valuable,” Facebook CEO Mark Zuckerberg said in a statement.
It’s a dramatic move by Facebook to solidify its position in mobile. After a slow start the social network now generates more than half of its ad revenue on mobile, but it wants to strengthen that position further, in part by offering more standalone apps.
Facebook already has its own Messenger app, which it said will continue to operate alongside WhatsApp. It also has Instagram and it recently launched Paper, a new app focused on visuals.
WhatsApp allows people to send messages and photos over the Internet, meaning they don’t have to pay SMS charges. Like Skype and other Internet-based communications tools, it’s seen as a significant threat to traditional cellular carriers like Verizon and AT&T.
If the merger plan falls apart because the companies can’t get the required regulatory approvals, Facebook has to pay WhatsApp $1 billion in cash and also issue it $1 billion in stock. Both companies have the right to terminate the deal if it’s not closed by Aug. 16, suggesting they expect to complete the acquisition before then.
When it closes, Jan Koum, WhatsApp’s co-founder and CEO, will get a seat on Facebook’s board of directors.
But extends end-of-sales date for business PCs running Windows 7 Professional
Microsoft has set Oct. 31 as the end of sales of new consumer-grade Windows 7 PCs, but for now has left open the do-not-sell-after-this-date for business machines.
On the site where it posts such policies, Microsoft now notes that Oct. 31, 2014, is the end-of-sales date for new PCs equipped with Windows 7 Home Basic, Home Premium or Ultimate. All three are consumer-oriented versions of Windows 7; Home Premium has been the overwhelming choice of OEMs (original equipment manufacturers) for consumer systems.
Microsoft’s practice, first defined in 2010, is to stop selling an older operating system in retail one year after the launch of its successor, and halt delivery of the previous Windows edition to OEMs two years after a new version launches. The company shipped Windows 8, Windows 7’s replacement, in October 2012.
The setting of a deadline for consumer Windows 7 PCs followed a glitch last year when Microsoft named the same Oct. 31 date for all Windows 7 PCs, but then quickly retracted the posting, claiming that the notification had been posted “in error.”
Some OEMs, notably Hewlett-Packard, have made headlines for marketing consumer-grade Windows 7 PCs, a sign of the fragmentation of the once-dominant Windows oligarchy, which always pushed the newest at the expense of older editions.
But while it has established an end-of-sales date for consumer PCs with Windows 7 pre-installed, Microsoft has yet to do the same for business PCs.
Microsoft will give a one-year warning before it demands that OEMs stop selling PCs with Windows 7 Professional, the commercial-quality version. Under that rule, Microsoft will allow computer makers such as Lenovo, HP and Dell to continue selling PCs with Windows 7 Professional until at least February 2015.
It’s likely that the extension will be much longer.
Windows 7 has become the standard version for businesses, which have spurned Windows 8, largely because of its two-user interface (UI) model, which they consider disruptive to productivity and a needless cost that would require employee retraining.
Most analysts believe that Windows 7 will remain the most popular Microsoft operating system deployed by companies for years to come.
“There’s a good chance that enterprises will stay on Windows 7 as long as possible,” said Gartner analyst Michael Silver in an October 2013 interview. If his prediction turns out to be accurate, Windows 7 may reprise the stubborn persistence of Windows XP, the nearly-13-year-old OS that Microsoft will retire in April.
Even after Windows 8’s launch, Windows 7’s user share, a rough measurement of the prevalence of the OS on operational machines, has continued to grow. From October 2012 to January 2014, Windows 7’s user share increased nearly 3 percentage points, representing a 6% gain during that period, according to data from analytics company Net Applications.
Some of Windows 7’s gains certainly came at the expense of Windows XP, which has fallen more than 11 percentage points, a 28% decline, since October 2012 as users abandoned the old OS.
By making Windows 7 available, Microsoft and its OEMs not only continue to serve customers who want the OS, but make sure that new PC sales do not slump even more dramatically than they have already.
Consumer PC sales have plummeted — last month Microsoft said sales of consumer-grade Windows licenses fell 20% in the December quarter compared to the same period the year before — while the Redmond, Wash. company’s business line of operating systems grew 12% year-over-year. In effect, enterprise spending kept PC shipments from tanking even more than the 10% contraction the industry experienced in 2013.
Extending Windows 7 Professional’s availability on new hardware will also give Microsoft breathing room to continue its retreat from Windows 8’s radical shift to a touch-first, tile-based UI, and to roll out a successor that caters even more to customers who rely on keyboard and mouse.
Microsoft is expected to unveil an update to Windows 8.1 this spring, perhaps in April, that will restore several desktop-oriented features and tools. Some reports based on leaked builds of this Windows 8.1 Update 1 have noted that on non-touch devices, the boot-to-desktop option will be enabled by default; if accurate, most users of traditional PCs will skip the colorful, tile-style Start screen. Windows 9 may appear as early as April 2015.
Retail sales of Windows 7 by Microsoft to distributors and customers were officially halted as of Oct. 31, 2013, but that deadline has been meaningless, as online retailers have continued to sell packaged copies, sometimes for years, by restocking through distributors who squirreled away older editions.
As of Saturday, for example, Amazon.com had a plentiful supply of various versions of Windows 7 available, as did technology specialist Newegg.com. The former also listed copies of Windows Vista and even Windows XP for sale through partners.
Even after Microsoft pulls the plug on Windows 7, there will be ways to circumvent the shut-down. Windows 8.1 Pro, the more expensive of the two public editions, includes “downgrade” rights that allow PC owners to legally install an older OS. OEMs and system builders can also use downgrade rights to sell a Windows 8.1 Pro-licensed system, but factory-downgrade it to
Windows 7 Professional before it ships.
And enterprises with volume license agreements will never be at risk of losing access to Windows 7, as they are granted downgrade rights as part of those agreements, and so will be able to purchase, say, Windows 8.1 or Windows 9 PCs in 2015 or 2016, then re-image the machines with Windows 7.
The end-of-sales dates for Windows 7 are not linked in any way to the support schedule for the 2009 operating system. Microsoft will provide free non-security bug fixes and vulnerability patches for Windows 7 until Jan. 13, 2015 — called “mainstream support” — and follow that with a five-year stretch of “extended support” during which it will ship free security updates until Jan. 14, 2020.
How to easily encrypt email, Gmail, Hotmail, Outlook, Yahoo; Virtru is free, protects your digital privacy, and is so super easy to use that even your non-techie grandma could and should use it.
I believe privacy is a fundamental right, so what better way to celebrate Data Privacy Day than to show you how to encrypt email easily and keep those emails both private and secure?
Meet Virtru, an email security app that encrypts your email before it leaves your device; it includes fine-grained privacy controls so only you and the person to whom you sent the email can access it…meaning government snoops, third parties, advertisers, ISPs and even cybercrooks can’t access your email messages. Thanks to Virtru’s Chrome and Firefox browser extensions, you can keep your Gmail, Outlook or Yahoo email accounts and still have secure and private email. And you can protect your digital privacy for the low, low price of FREE! Virtru is so super easy to use that even your non-techie grandma could and should use it.
Before we jump to the how-to, let me introduce the founders of Virtru: brothers Will and John Ackerly. When Will worked at the NSA as a cloud security architect, he invented the Trusted Data Format (TDF) that Virtru, and intelligence agencies, use. “After serving eight years at the NSA, he came away from the experience entirely convinced that users need to take action to preserve their own privacy.” John, who served as associate director of the National Economic Council and director of the Office of Policy and Strategic Planning at the Commerce Department under President George W. Bush, said of Virtru, “The fundamental motivator here is…the need to give individuals practical tools to exercise their fundamental right to privacy.”
How to encrypt email with Virtru
For webmail, Virtru currently offers a Chrome extension and Firefox add-on to encrypt Gmail, Outlook, Hotmail or Yahoo. There’s also a mobile app for Apple, with the Android app, as well as plugins for Outlook and Mac Mail programs, and extensions for Internet Explorer versions 10 and up, and Safari coming in the future. Although I’ve tested both Chrome and Firefox add-ons for Gmail, Hotmail and Yahoo, the following examples are primarily screenshot captures from Gmail and Hotmail. Email addresses have been redacted.
First, go get the add-on for Firefox and/or Chrome. After it is installed in your browser, simply click to activate Virtru for your webmail.
Virtru app permissions in Outlook:
Virtru app permissions in Outlook
Virtru in Outlook first look:
Virtru in Outlook first look
Virtru activate message if you send encrypted Gmail to a person not using Virtru:
Virtru activate message if you send Gmail to person not using Virtru
Virtru security bar
Virtru security bar new in Hotmail, Gmail, Outlook, YahooYou will then receive a message notifying you about the Virtru security bar.
You can easily turn Virtru on and off. If it’s grayed-out, then it’s off. It’s blue when you turn on Virtru protection.
Easily turn Virtru security bar off and on
When Virtru is on in Outlook, Hotmail, Gmail or Yahoo, your “send” button Example of Virtru send secure buttonbecomes a “send secure” button as seen in this Outlook example.
Drafts on Yahoo are not encrypted by Virtru
As a side note of caution regarding the cloud, if you use Yahoo, then know that Yahoo drafts are not currently encrypted by Virtru. Try to avoid such drafts; it’s fodder for the mass surveillance powers-that-be if you’ve become a target.
Every email protected by Virtru is secured with the most Advanced Encryption Standard available, AES-256. The Virtru software, either installed via browser add-on or mobile app, encrypts your email before it leaves your device. When you hit send, Virtru protects the encryption keys with perfect forward secrecy. Only you and the person to whom you sent the email can access the content.
The TDF format controls access privileges for “all file types (ie, emails, text messages, Office files, pdfs, photos, videos).” When you send a Virtru-protected email, “your content is encrypted and secured inside a TDF wrapper. When your receiver attempts to open it, the wrapper communicates with the Virtru server to verify that the receiver is eligible to see the information.”
When you have installed Virtru and you receive an encrypted email, the decryption happens quickly when you open it.
Virtru decrypting email
Disable forwarding and set email expiration date
On the right-side of the Virtru security bar, you have options to disable email forwarding and to set up an expiration date for how long your recipient has access to your sent email.
Virtru disable email forwarding; set email expiration time
If you disable email forwarding, then if Alice sent email to Bob, and Bob forwarded Alice’s email to Mallory, Mallory would not be able to open it. Regarding The Register’s claim that a person can defeat Virtru by copying and pasting from the email, the fix for that is coming.
“On the copy/paste front, we have a technical solution, but we haven’t yet rolled it out,” Will told me. “Our main focus is on protecting the emails as they go from sender to recipient, as well as when stored on servers and your devices, but use after decryption isn’t our first ‘privacy’ concern.”
Revoke or reauthorize email messages
Virtru “thinks everyone deserves real privacy and control over their data, even after hitting the send button,” so sent email comes with an option to revoke access.The red hand icon allows you to revoke email; this is especially handy if you sent an unwise, angry email in haste.
Virtru revoke message
Below is what the recipient sees if you revoke access to a sent email:
Virtru revoked access message
Virtru, reauthorize revoked email
If you change your mind again, such as if the revoke access was due to a lover’s spat, then you click on the blue eye to reauthorize your recipient’s access to your sent email.
Virtru Secure Reader
If you want to send Virtru encrypted email to a person at work, who maybe does not have the admin rights to install browser add-ons, no problem. Virtru also has a web-based Secure Reader.
Virtru redirects to you have secure mail via browser add-on or install nothing and use web-based reader
When you send your first email to a person not using Virtru, if they choose the Virtru Secure Reader option, then they will be asked to verify their identity; this insures that only the recipient you intended can open the email. By using OpenID and OAuth protocols, the recipient does not need to setup a new account or yet another password. Instead, they can verify their identity via their existing Gmail, Microsoft or Yahoo email provider.
Virtru Secure Reader, verify your identity to use service where you received secure Virtru email
If your recipient forwards an email that you protected with “disable forwarding,” this is what the non-authorized person sees via Virtru Secure Reader.
Virtru secure reader, attempt to read forwarded email protected by disabled forwarding
Virtru wanted to make encryption easy for absolutely everyone to use without sacrificing security; the creators believe in your fundamental right to have digital privacy and provided a tool that combines strong encryption with granular privacy controls. They claim Virtru will change the way we use email, and it surely could. The purpose of all these screenshots was to show you every aspect of how easy it is to use Virtru.
For people who would like more in-depth details of how Virtru works, then I encourage you to go read more. Virtru also has an open source strategy, which includes making a collection of open source Virtru components available on GitHub.
Although it’s only in beta right now, I still highly recommend that you try Virtru. There is no reason Virtru should not be widely accepted by the masses to escape mass surveillance. Please do give it a try. Happy International Data Privacy Day! Why don’t you celebrate by taking back control of your email and digital privacy?