Posts tagged security
The move is intended to promote better security practices across the Web
Websites that aren’t encrypting connections with their visitors may get a lower ranking on Google’s search engine, a step the company said it is taking to promote better online security practices.
The move is designed to spur developers to implement TLS (Transport Layer Security), which uses a digital certificate to encrypt traffic, signified by a padlock in most browsers and “https” at the beginning of a URL.
As Google scans Web pages, it takes into account certain attributes, such as whether a Web page has unique content, to determine where it will appear in search rankings. It has added the use of https into those signals, although it will be a “lightweight” one and applies to about 1 percent of search queries now, wrote Zineb Ait BahajjiA andA Gary Illyes, both Google webmaster trends analysts, in a blog post.
All reputable websites use encryption when a person submits their login credentials, but some websites downgrade the connection to an unencrypted one. That means content is susceptible to a so-called man-in-the-middle attack. Content that is not encrypted could be read.
Rolling out https is fairly straightforward for small websites but can be complex for large organizations that run lots of servers, with challenges such as increased latency, support issues with content delivery networks and scaling issues.
LinkedIn said in June it was still upgrading its entire network to https after Zimperium, a security company, found it was possible in some cases to hijack a person’s account. People using LinkedIn in some regions are flipped to an unencrypted connection after they log in, making it possible for a hacker to collect their authentication credentials.
Facebook’s Instagram was found to have the same problem last month. Instagram’s API (application programming interface) makes unencrypted requests to some parts of its network, which could allow a hacker on the same Wi-Fi network to steal a “session cookie,” a data file that reminds Instagram a person has logged in but which grants access to an account.
Awareness programs don’t have to be complicated, expensive ventures
Implementing a security awareness program seems rather straightforward, until you actually start to implement one – factoring in things like resources and the people (users) to be trained. At that point, it can seem complicated, costly, and unnecessary. However, the process doesn’t have to be a logistical and expensive nightmare, and it’s certainly worth it in the long run.
Organizations both large and small have implemented awareness programs for next to nothing, and while they’re not perfect, many of them are able to show measurable results. The key to these successes however, is based on understanding what it is that the organization is actually trying to accomplish.
While doing topical research for this story, CSO discovered a common thought among the experts and executives that were consulted, including some who spoke to us during two regional security conferences this summer (B-Sides Detroit and CircleCityCon).
Often, executives view security and business as two separate items, and while this point-of-view is changing, it takes effort to get some executives to commit to security and make it part of the business overall.
When this happens, tangible security needs such as license renewals, support and service contracts, firewalls and other appliances – all of those are things that executives understand. However, awareness training, to the executives at least, seems like an extended version of general security training, and there just isn’t money for something like that.
At the same time, there’s also a shakeup happening – thanks to a seemingly endless stream of data breaches this year that have placed several large companies in the headlines. The result of this shakeup is fear, and sometimes fear has a way of producing the budget needed to strengthen security. In some circles, this additional funding opens the door to the development of security awareness programs.
Is awareness training really needed?
Security awareness training is something that can cause a good deal of debate among experts. Some agree that it’s needed; others will call it a waste of time and resources.
Dave Aitel, in a column for CSO, expressed an opinion that such training wasn’t needed:
“Instead of spending time, money and human resources on trying to teach employees to be secure, companies should focus on securing the environment and segmenting the network. It’s a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization.
“Because they’re going to do so anyway, so you might as well plan for it. It’s the job of the CSO, CISO, or IT security manager to make sure that threats are stopped before reaching an employee—and if these measures fail, that the network is properly segmented to limit the infection’s spread.”
However, the other side to that argument comes from Ira Winkler:
“The question to ask is whether the losses prevented by awareness training are more than the cost of the awareness program. So for example, as every successful phishing attack has a cost associated with it, if you are reducing phishing attacks by 50 percent, you are mitigating 50 percent of the potential losses…
“The original opinion also says that a sophisticated security awareness program can prevent 90-95 percent of attacks. A 90-percent-plus reduction of loss will always be a good return on security investment, especially when the cost of typical security awareness programs is minimal?”
Awareness programs are not a replacement for solid security infrastructure and policies. Nor are they a replacement for response and incident handling. They can’t be. The only thing awareness does is increase the odds of recovery, and increase response times should an incident occur.
While training employees to act as monitors for Phishing attacks or emails with malicious attachments is helpful, that doesn’t mean such campaigns won’t be successful. However it does mean that the security team may know about the problem sooner, and that could be the difference between preventing a disaster – or suffering through one.
One of the main steps to building a good security awareness program is to separate it from security training. Security awareness is not the same as security training when it comes to employees.
Security training serves to offer a structured set of rules, which is what most auditors will look for when assessing compliance. Security awareness, on the other hand, aims to modify behavior. If done right, the company’s employees will become an extension of the existing security program. However, while security training can be done annually, awareness programs are a continuous process.
A living proof of concept:
Amanda Berlin works in security for a medium-sized healthcare organization in the Midwest. Over the last few months, she has created an effective awareness program almost out of thin air.
Her organization didn’t have the resources to pay for external awareness development and training, but it was needed, so they had to go it alone. It’s taken some time, but her efforts have resulted in a program that benefits the company, keeps the staff engaged in security related topics, and has little to no impact to the bottom line.
“So we knew the weakest element in our security were people,” Berlin said in an interview with CSO.
“That’s probably the weakest part of any organization. You can have IDS / IPS, massive email filtering, but stuff is still going to get through and [criminals] are still going pretext.”
As mentioned, user education can go a long way to keeping outsiders off the network, but it isn’t a silver bullet.
In the past, prior to implementing the awareness program, Berlin’s organization had to deal with various socially-based attacks. Yet, those were mostly random phone calls and faxes (fake domain renewal bills for example), so need for a scaled awareness program wasn’t made abundantly clear until the company had a penetration test performed.
“We had a [penetration test] with some Phishing included, and that was what got them domain admin access. Right away, within fifteen minutes, somebody clicked and gave out their credentials, and they [the red team] were in from the outside.”
It was an eye-opening experience. Other than the expected security training, related to HIPAA and other regulatory requirements, nobody in her organization had given a thought to implementing user awareness training against Phishing or similar attacks.
However, the main takeaway from that initial penetration test was that if the human element had been hardened, or at least better prepared, then the other defenses on the network would have had a better chance of keeping the attackers out.
Training out of thin air and OSINT:
For Berlin, the process of building an awareness program from scratch started with a series of conversations with her boss and the organization’s education department.
The idea was to develop materials that would benefit any user. However, they had to keep the materials basic, so that the information was easily understood and the technical aspects were obtainable to anyone, no matter their personal skill set.
“[We used] things that would be really helpful for any end user, like ‘Don’t click on stuff’ emails. We didn’t get too far into it, but we used that and put it out there,” Berlin explained.
After the material was shared during formal and informal staff meetings, it was time to test the employees and see what they’ve learned.
The first month her program ran, the targets were selected by way of available OSINT, or open source intelligence. By targeting company email addresses that were already publicly available, Berlin was starting with the same pool of potential victims that an actual criminal could, which helped her set the tone for the program’s development.
Using the Social Engineer Toolkit, or SET, she created an initial campaign that consisted of an obviously suspicious email, and a simple link to a webpage she created to collect credentials.
“It was just a plain two, three line, HTML email. I wanted to try and make it as blatantly obvious that I wasn’t a legitimate source. I wanted to see how good their [personal] filter was,” Berlin, recalling the first email that was sent to users, explained.
The first set of emails were sent from a Gmail account created for the exercise. They contained no identifiable information, and used a basic HTML link to a local IP as the trap. Out of the initial run of a few hundred emails, Berlin said that she managed to get nearly 60 percent of the targets to enter their credentials.
The powers that be viewed the results as proof positive that something should be done about this gap in security, but the program needed to be tuned, and there needed to be a way to track the results. The process took a few months, but eventually Berlin was ready to launch her program officially.
Rewarding those who help:
While the initial test proved that an awareness program was needed, the question of who should be doing the training was the first hurdle. In fact, research showed that there were plenty of vendors available to come in and run an awareness program. However, the cost of hiring someone form the outside was steep, and would put additional pressure on an already taxed budget.
Instead, Berlin explained, the company opted to manage things internally. Moreover, some of the money that would have gone to an external training firm ($1,000) was allocated in order to establish a reward scheme for employees.
“So every time somebody reports a Phishing email, whether it be form me or the outside, they need to forward it to the help desk or call and let us know, so we can actually see the email. If it’s a legitimate one, we’ll go through the steps to actually block it; otherwise we’ll let them know they’ve been entered into the drawing.”
The program allows employees to report legitimate Phishing emails, as well as emails that are sent as part of the ongoing awareness training. In addition, other suspicious electronic activity may also count, such as emails with attachments that the employee didn’t expect, but that is determined on a case-by-case basis.
Another interesting aspect to the program is the encouragement to report people who are attempting to access the employee’s system that haven’t been authorized to do so.
The incentive scheme itself is simple and geared towards the staff’s personal interests. There is a monthly drawing for a $20 gift card, followed by a quarterly drawing for a $50 gift card to either Bass Pro Shops or Red Lobster. There is also a yearly grand prize worth $400 in the form of an Amazon gift card.
The financial motivation has helped things tremendously, Berlin noted, as the number of reports focused on legitimate Phishing attacks has “skyrocketed.” Even better, the stigma associated with reporting a potential problem, or admitting that an attack was successful, has plummeted to nothing.
While rewards are important, for Berlin’s organization, tracking and measuring progress is the main concern. After only a short time of operation, the stats from her program are impressive. The number of successful attacks in the training program have continued to fall steadily since the program officially started.
In January: 985 emails were sent to employees; and out of those, 53 percent of the targets actually clicked the Phishing link. Of those who clicked the link, 36 percent of them entered credentials and 11 percent of all the targets reported the attack.
In February: 893 emails were sent out, resulting in a click rate of 47 percent. Again, of those that clicked, 11 percent of them gave out credentials and 11 percent reported it.
The test in March didn’t go as well. There were 1,095 emails were sent, but only three percent of the targets clicked the link. Of those that clicked, none of them entered credentials. In fact, everyone who clicked the link in March also reported the email.
“In March I think the reason that I had such a low rate of participation in general was due to the all around subject/theme of the Phish,” Berlin said, when asked about the stats.
“We had a large push for the March of Dimes that month and it seems like every other email was about another donation opportunity, or bake sale of some sort. We think that the majority of them were just deleted along with the rest of them, or filtered out as noise.”
April was another interesting month. There was no opportunity to enter credentials this time around, as the goal was to target clicks. Anyone who clicked on the email was directed to a “You’ve been hacked!” message.
During this test, two percent of the 1,111 emails sent resulted in a click, and 25 percent of those who got the message reported it.
While Berlin’s awareness program clearly has changed user behavior, as well as improved the overall security posture for her organization, that doesn’t mean that it’s foolproof. There’s plenty of room to grow, and the program itself is in a constant state of tuning.
For example, there are plans to improve tracking, and make the process easier to manage. Currently, the tracking process is manual, so the goal is to have it completely automated. There are also plans to increase the program to include mobile devices directly, as many of the providers within the organization rely on tablets in their day-to-day routine.
Awareness is only part of the battle:
Security awareness programs are only one piece of a larger security puzzle. By the time a Phishing email reaches a user, parts of the security chain have failed (anti-Spam) and the weakest-link in the chain now has an active role in defense.
If the users are trained, or to use a stronger term, conditioned to spot random abnormalities, there is a greater chance that a passive Phishing attack will fail. But no one is perfect, and targeted Phishing attacks will succeed eventually.
This is why users should be encouraged to report not only the attempt, but any failures as well – without the fear of punishment. This engagement will help lower the time it takes to address the incident, and in some cases, it could actually prevent an incident from exploding into a monumental disaster.
Users are often snickered at for trading their passwords for candy during social engineering experiments. However, this willingness to do a task that takes little effort in exchange for something of value works both ways.
The user who will trade access for sugar is also someone that can be trained to spot attacks for gift cards, and financially, that’s affordable when compared to the cost of mitigating a data breach.
Microsoft will no longer issue security patches for Windows XP
This month’s “Patch Tuesday” includes the final round of security fixes Microsoft will issue for Windows XP, potentially leaving millions that continue to use the OS open to attack.
XP will become an easy target for attackers now that Microsoft has stopped supporting it, said Wolfgang Kandek, CTO for IT security firm Qualys.A The OS will no longer receive fixes for holes that Microsoft and others might find in the OS. Moreover, attackers will be able to reverse engineer patches issued for newer versions of Windows, giving them clues to the remaining unfixed vulnerabilities in XP, Kandek said.
Microsoft has acknowledged the problem and has been pushing hard to get users onto newer versions of Windows.
“If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses,” it said in an advisory.
Its efforts haven’t always been successful. Qualys compiled data from 6,700 companies and found that use of XP still represents a sizable portion of OSes running in the enterprise.A About one-fifth of companies in finance, for instance, still use XP — a surprisingly large number for an industry handling sensitive data. A
In retail, 14 percent of PCs still run XP, and in heath care the figure is 3 percent.
Organizations may be holding off on updating for a number of reasons, Kandek said. Some didn’t realize support was closing and are just now putting a migration plan in place. Others may be taking a calculated risk, saving on the cost of an upgrade and trying to minimize exposure by limiting access to the Internet and through other measures.
In addition to ending support for XP, Microsoft is no longer supporting Office 2003 or Internet Explorer 8.
The company released four security updates altogether on Tuesday. They cover 11 vulnerabilities in Windows, Internet Explorer, Microsoft Office and Microsoft Publisher. Two of the updates are marked as critical. One of those, MS14-018, fixes a number of issues with Internet Explorer. The other, MS14-017, addresses critical vulnerabilities in Microsoft Word and Office Web Apps. They include a zero day in how Office 2010 handles documents encoded in the Rich Text Format.
Even after that fix is applied, organizations might want to disable Word’s ability to open RTF files, if those types of files aren’t routinely used, Kandek advised.A
The two other updates in April’s round of patches were marked important. One of them, MS14-020, handles a vulnerability in the company’s Publisher program. The other, MS14-019, covers how Windows, including XP, handles files.
Kandek also advised administrators to apply the patch Adobe issued Tuesday for a serious vulnerability in its Flash multimedia software.
How to easily encrypt email, Gmail, Hotmail, Outlook, Yahoo; Virtru is free, protects your digital privacy, and is so super easy to use that even your non-techie grandma could and should use it.
I believe privacy is a fundamental right, so what better way to celebrate Data Privacy Day than to show you how to encrypt email easily and keep those emails both private and secure?
Meet Virtru, an email security app that encrypts your email before it leaves your device; it includes fine-grained privacy controls so only you and the person to whom you sent the email can access it…meaning government snoops, third parties, advertisers, ISPs and even cybercrooks can’t access your email messages. Thanks to Virtru’s Chrome and Firefox browser extensions, you can keep your Gmail, Outlook or Yahoo email accounts and still have secure and private email. And you can protect your digital privacy for the low, low price of FREE! Virtru is so super easy to use that even your non-techie grandma could and should use it.
Before we jump to the how-to, let me introduce the founders of Virtru: brothers Will and John Ackerly. When Will worked at the NSA as a cloud security architect, he invented the Trusted Data Format (TDF) that Virtru, and intelligence agencies, use. “After serving eight years at the NSA, he came away from the experience entirely convinced that users need to take action to preserve their own privacy.” John, who served as associate director of the National Economic Council and director of the Office of Policy and Strategic Planning at the Commerce Department under President George W. Bush, said of Virtru, “The fundamental motivator here is…the need to give individuals practical tools to exercise their fundamental right to privacy.”
How to encrypt email with Virtru
For webmail, Virtru currently offers a Chrome extension and Firefox add-on to encrypt Gmail, Outlook, Hotmail or Yahoo. There’s also a mobile app for Apple, with the Android app, as well as plugins for Outlook and Mac Mail programs, and extensions for Internet Explorer versions 10 and up, and Safari coming in the future. Although I’ve tested both Chrome and Firefox add-ons for Gmail, Hotmail and Yahoo, the following examples are primarily screenshot captures from Gmail and Hotmail. Email addresses have been redacted.
First, go get the add-on for Firefox and/or Chrome. After it is installed in your browser, simply click to activate Virtru for your webmail.
Virtru app permissions in Outlook:
Virtru app permissions in Outlook
Virtru in Outlook first look:
Virtru in Outlook first look
Virtru activate message if you send encrypted Gmail to a person not using Virtru:
Virtru activate message if you send Gmail to person not using Virtru
Virtru security bar
Virtru security bar new in Hotmail, Gmail, Outlook, YahooYou will then receive a message notifying you about the Virtru security bar.
You can easily turn Virtru on and off. If it’s grayed-out, then it’s off. It’s blue when you turn on Virtru protection.
Easily turn Virtru security bar off and on
When Virtru is on in Outlook, Hotmail, Gmail or Yahoo, your “send” button Example of Virtru send secure buttonbecomes a “send secure” button as seen in this Outlook example.
Drafts on Yahoo are not encrypted by Virtru
As a side note of caution regarding the cloud, if you use Yahoo, then know that Yahoo drafts are not currently encrypted by Virtru. Try to avoid such drafts; it’s fodder for the mass surveillance powers-that-be if you’ve become a target.
Every email protected by Virtru is secured with the most Advanced Encryption Standard available, AES-256. The Virtru software, either installed via browser add-on or mobile app, encrypts your email before it leaves your device. When you hit send, Virtru protects the encryption keys with perfect forward secrecy. Only you and the person to whom you sent the email can access the content.
The TDF format controls access privileges for “all file types (ie, emails, text messages, Office files, pdfs, photos, videos).” When you send a Virtru-protected email, “your content is encrypted and secured inside a TDF wrapper. When your receiver attempts to open it, the wrapper communicates with the Virtru server to verify that the receiver is eligible to see the information.”
When you have installed Virtru and you receive an encrypted email, the decryption happens quickly when you open it.
Virtru decrypting email
Disable forwarding and set email expiration date
On the right-side of the Virtru security bar, you have options to disable email forwarding and to set up an expiration date for how long your recipient has access to your sent email.
Virtru disable email forwarding; set email expiration time
If you disable email forwarding, then if Alice sent email to Bob, and Bob forwarded Alice’s email to Mallory, Mallory would not be able to open it. Regarding The Register’s claim that a person can defeat Virtru by copying and pasting from the email, the fix for that is coming.
“On the copy/paste front, we have a technical solution, but we haven’t yet rolled it out,” Will told me. “Our main focus is on protecting the emails as they go from sender to recipient, as well as when stored on servers and your devices, but use after decryption isn’t our first ‘privacy’ concern.”
Revoke or reauthorize email messages
Virtru “thinks everyone deserves real privacy and control over their data, even after hitting the send button,” so sent email comes with an option to revoke access.The red hand icon allows you to revoke email; this is especially handy if you sent an unwise, angry email in haste.
Virtru revoke message
Below is what the recipient sees if you revoke access to a sent email:
Virtru revoked access message
Virtru, reauthorize revoked email
If you change your mind again, such as if the revoke access was due to a lover’s spat, then you click on the blue eye to reauthorize your recipient’s access to your sent email.
Virtru Secure Reader
If you want to send Virtru encrypted email to a person at work, who maybe does not have the admin rights to install browser add-ons, no problem. Virtru also has a web-based Secure Reader.
Virtru redirects to you have secure mail via browser add-on or install nothing and use web-based reader
When you send your first email to a person not using Virtru, if they choose the Virtru Secure Reader option, then they will be asked to verify their identity; this insures that only the recipient you intended can open the email. By using OpenID and OAuth protocols, the recipient does not need to setup a new account or yet another password. Instead, they can verify their identity via their existing Gmail, Microsoft or Yahoo email provider.
Virtru Secure Reader, verify your identity to use service where you received secure Virtru email
If your recipient forwards an email that you protected with “disable forwarding,” this is what the non-authorized person sees via Virtru Secure Reader.
Virtru secure reader, attempt to read forwarded email protected by disabled forwarding
Virtru wanted to make encryption easy for absolutely everyone to use without sacrificing security; the creators believe in your fundamental right to have digital privacy and provided a tool that combines strong encryption with granular privacy controls. They claim Virtru will change the way we use email, and it surely could. The purpose of all these screenshots was to show you every aspect of how easy it is to use Virtru.
For people who would like more in-depth details of how Virtru works, then I encourage you to go read more. Virtru also has an open source strategy, which includes making a collection of open source Virtru components available on GitHub.
Although it’s only in beta right now, I still highly recommend that you try Virtru. There is no reason Virtru should not be widely accepted by the masses to escape mass surveillance. Please do give it a try. Happy International Data Privacy Day! Why don’t you celebrate by taking back control of your email and digital privacy?
We may be facing a stalemate. Or, we may be evolving a new cyber biosphere.
Ceaselessly, with no end in sight despite outlays that amount to a tax on doing business, the decades-long struggle against malware drags on.
Today, around 5% of the average IT budget is devoted to security, estimates John Pescatore, a director at the SANS Technology Institute. Cybercrime (including malicious insider attacks and theft of devices) costs U.S. corporations an average of $11.6 million yearly, according to an October 2013 study by the Ponemon Institute that was sponsored by HP Enterprise Security. This cost represents a 23% increase over last year’s average of $8.9 million per company.
Asked why malware is the war without end, experts commonly embrace either a military or an ecological metaphor. Those with the military viewpoint say flawed defenses have led to a stalemate. The ecology-minded don’t see it as a war to be won or lost — they see an eternal cycle between prey and predator, and the goal is not victory but equilibrium.
Around 5% of the average IT budget is devoted to security, says John Pescatore, a director at the SANS Technology Institute.
One who favors the military metaphor is David Hoelzer, director of research for Enclave Forensics in Henderson, Nev. “We are essentially going in circles,” he says. “We improve only after our adversaries defeat our defenses. Most software is still riddled with vulnerabilities, but the vendors typically make no move to fix one until it becomes publicly disclosed. Coders are not trained in security, and ‘well written’ means ‘under budget.’”
Security consultant Lenny Zeltser chooses the ecology metaphor. “Attackers take advantage of the defenders, and the defenders respond. It’s part of the cycle,” he says. “If attackers get in too easily, they are spending too much to attack us. If we are blocking 100% of the attacks, we are probably spending too much on defense. We have been in a state of equilibrium for some time and always will be. But being complacent is dangerous, as we must constantly apply energy to maintain the equilibrium.”
Developments in the financial sector offer an example of why it’s important to constantly apply energy to maintain the equilibrium. A new report from Trend Micro points out that attacks aimed at stealing online banking credentials recently surged to a level not seen since 2002.
Nevertheless, experts agree that progress has been made — even if only toward the maintenance of ecological equilibrium or a military stalemate.
The wins so far
At this point, “there are no types of malware for which there are no defenses that we are currently aware of,” says Roel Schouwenberg, a researcher at anti-malware software vendor Kaspersky Lab.
“We no longer see the kinds of big spreading malware that we saw three or four years ago, [such as] the ILOVEYOU virus of 2000,” adds William Hugh Murray, a security consultant and a professor at the Naval Postgraduate School.
Interviews with analysts and executives at security vendors McAfee, AVG and Kaspersky Lab suggest that the following are the four principal weapons that make this possible:
• Signature detection. This approach gives you the ability to spot malicious code, among other things.
• Behavior monitoring. By adopting this technique, you can do things like spot malicious activity in a computer or determine if a suspicious file will respond to virtual bait
• Blacklisting. This is a mechanism for blocking access to sites and files that are included on a list of undesirable entities.
• Whitelisting. With this approach, essentially the opposite blacklisting, users are only allowed access to sites and files on a list of entities known to be harmless; access is denied to sites and files that aren’t on the list.
Each of the four has its supporters and detractors, and all the anti-malware software vendors queried for this article said they use some form of all four weapons, in combination.
Other defenses include firewalls, which can prevent intrusions and — with Windows at least — are part of the operating system, and periodic vendor patches to address vulnerabilities.
Frequency of cyberattacks
The frequency of different types of attacks experienced during a four-week period in 60 companies benchmarked.
Viruses, worms, trojans 100%
Web-based attacks 63%
Denial of service 50%
Malicious code 48%
Malicious insiders 42%
Phishing/social engineering 42%
Stolen devices 33%
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
A question sometimes raised is whether there are more advanced weapons that we haven’t yet learned about. “I’ve heard that [the anti-malware vendors] have better defenses up their sleeve that they choose not to release since they are not necessary yet, and they don’t want to tip their hand,” says Zeltser.
The vendors deny this. “Our secret weapons are in force every day — it’s a daily battle,” says Tony Anscombe, an executive at anti-malware software vendor AVG Technologies. Indeed, if vendors had something that can stop all viruses “it would be foolish to wait to use it,” says Kevin Haley, spokesman for anti-malware software vendor Symantec. “It would be a competitive advantage” to help sell more software, he points out.
Either way, the end result is that anti-malware software vendors can now respond to a new (or “zero-day”) exploit within two hours, although complicated exploits may require subsequent follow-up, says Haley.
In parallel, there have been efforts to make software less vulnerable to infection. For instance, Tim Rains, director of Microsoft Trustworthy Computing, says that Microsoft has revamped the code libraries used by developers to remove errors and vulnerabilities.
There are no types of malware for which there are no defenses that we are currently aware of.
Roel Schouwenberg, researcher, Kaspersky Lab
As a result, he notes, stack corruption was the vulnerability exploited 43% of the time in 2006, but now it’s used only 7% of the time. He also cites a study conducted in 2011 by analyst Dan Kaminsky and others indicating there were 126 exploitable vulnerabilities in Microsoft Office 2003, but only seven in Office 2010.
Years of security-related software patches downloadable by users have also had a measurable effect. Rains cites statistics derived from executions of Microsoft’s online Malicious Software Removal Tool, which showed that systems with up-to-date protection were 5.5 times less likely to be infected.
As of December 2012, the rate was 12.2 infections per 1,000 machines for unprotected systems vs. 2 per 1,000 for protected systems. The global average was 6 infections per 1,000.
On the other hand, infections still happen. But even the nature of the infections seems to have reached a state of equilibrium.
Today’s attacks: Two broad categories
Roger Thompson, chief security researcher at security testing firm and Verizon subsidiary ICSA Labs, divides today’s most common infections into two categories: APT (“advanced persistent threat”) and AFT (“another freaking Trojan.”)
New examples of APT malware appear about once a month, are aimed at a particular target and are produced by organizations with impressive resources, abilities and patience, he says. The classic example is the Stuxnet virus of 2010, whose goal appears to have been to make centrifuges in Iranian nuclear research labs destroy themselves by spinning too fast.
“Each one is different and scary,” Thompson notes.
As for AFTs, self-replicating malware is no longer the infection vector of choice, with attackers preferring to launch drive-by attacks from infected websites against victims who were tricked into visiting. (However, worms and older malware are still lurking on the Internet, and an unprotected machine can still get infected in a matter of minutes, sources agree.)
Average annualized cybercrime cost
These costs are weighted by attack frequency in 60 companies benchmarked.
Denial of service – $243,913
Malicious insiders – $198,769
Web-based attacks – $125,101
Malicious code – $102,216
Phishing/social engineering – $21,094
Stolen devices – $20,070
Botnets – $2,088
Viruses, worms, trojans – $1,324
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
The acquisition of new Trojans appears to be limited only by a researcher’s ability to download examples, experts agree; hundreds of thousands can be collected each day. Many examples are simply members of long-standing malware families that have been newly recompiled, and some malicious websites will recompile their payload — creating a unique file — for each drive-by attack. There are probably no more than a thousand such families, since there is a finite number of ways to take over a machine without crashing it, notes Thompson.
The initial infection is usually a compact boot-strapping mechanism that downloads other components. It may report back to the attacker on what kind of host it has infected, and the attackers can then decide how to use the victim, explains Zeltser.
These days, an infected home system is typically hijacked by the attackers for their own use. With a small enterprise, the object is to steal banking credentials, while with large enterprises, the object is typically industrial espionage, Murray explains.
While the anti-malware vendors have adopted a multi-pronged strategy, so have the attackers — for instance, writing malware that does not stir until it sees that it is not in the kind of virtual machine used to trick malware into revealing itself.
Meanwhile, the attackers have formed their own economy, with a division of labor. “Some are good at crafting malware, others are good at infecting systems, and others are good at making money off the infections, such as by sending spam, or by launching distributed-denial-of-service attacks, or by pilfering data,” says Zeltser.
“You can buy the software required to do the account takeover, and then to convert the money into cash you hire mules,” Murray adds.
New battlefields include XP, Android
But while many pundits expect to see a continued cycle of attack and defense, they also foresee additional future dangers: Windows XP may become unusable because of the support situation, and the Android smartphone environment may be the next happy hunting ground for malware.
For its part, Windows Vista is no longer receiving mainstream support, but Microsoft has announced the company will continue issuing security updates for the OS through mid-April 2017.
Windows XP, released in 2001, is still widely used, but Microsoft will stop issuing security updates for it after April 2014. At that point, Microsoft will continue to issue security updates for Windows 7 and Windows 8, and after each one is issued the malware writers will reverse-engineer it to identify the vulnerability that it addresses, Rains predicts.
“They will then test XP to see if the vulnerability exists there, and if it does they will write exploit code to take advantage of it,” Rains says. “Since XP will never get another update, the malware writers will be in a zero-day-forever scenario. If they can run remote code of their choice on those systems it will be really hard for anti-virus protection to be effective. The situation will get worse and worse and eventually you will not be able trust the operating system for XP.”
“People should not be running XP,” agrees Schouwenberg. “When it was written the malware problem was very different than it is today. It had no mitigation strategies and is extremely vulnerable.”
Android, meanwhile, is going like gangbusters on smartphones — outselling Apple’s iOS phones in the third quarter of this year, according to Gartner — making it a huge target for crackers.
Experts see many parallels between Android’s development and the early history of the Windows market, with hardware vendors adapting a third-party operating system for their products, leaving no single party ensuring security. And with the Android market, the additional involvement of telecommunications carriers is a complicating factor.
Average days to resolve attack in 60 companies benchmarked
Malicious insiders include employees, temporary employees, contractors and, possibly, business partners.
Malicious insiders – 65.5
Malicious code – 49.8
Web-based attacks – 45.1
Denial of service – 19.9
Phishing/social engineering – 14.3
Stolen devices – $10.2
Malware – 6.7
Viruses, worms, trojans – 3
Botnets – 2
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
“It is not like the case with Apple, which can push security updates to every iPhone in the world in one day,” says Schouwenberg. “With Android, the manufacturer has to implement the patches and then go through certification with the carrier before the patches are deployed. Assuming your phone still gets security updates it may be months before you get them. That would not be considered acceptable with a laptop.”
“Android is in a position that Windows was in a few years ago; there is not enough protection,” adds Johannes Ullrich, head of research at the SANS Technology Institute, which certifies computer security professionals.
Is there hope?
Returning to the ecology metaphor, sometimes the impact of an asteroid will drive species into extinction. And, indeed, sources can point to extinction types of events in the short history of the malware biosphere.
Thompson, for instance, points out that the adoption of Windows 95 drove MS-DOS malware into extinction by adding protected mode, so one program could not overwrite another at will. Microsoft Office 2000 drove into extinction (PDF) malware based on Office 1995 macros by adding a feature that basically required user permission before a macro could run. Windows XP Service Pack 2 in 2004 set the Windows firewall on by default, wiping out another generation of malware.
The success rate for social engineering is phenomenal.
John Strand, network penetration tester, Black Hills Information Security
“But there is no extinction-level-event in sight to wipe out the current Trojans,” Thompson says.
Even if there were such a miracle, attackers could fall back on persuasive email, officious phone calls, smiling faces or other non-technical manipulations usually referred to as “social engineering.”
“The success rate for social engineering is phenomenal,” says John Strand, network penetration tester with Black Hills Information Security in Sturgis, SD.
People will call in pretending to be from a help desk, suggesting that the user download (infected) software. Or plausible emails such as a delivery notification will entice users to click on infected links, he explains.
And then there’s software that tells the user to disable the system’s malware protection “to ensure compatibility.” “I don’t think there is any legitimate software that needs you to disable security protection for compatibility reasons,” says Schouwenberg. “But some software does ask you to disable it during installation, creating a precedent, so they think it’s all right when they get email from a website telling them to turn it off.”
Even if users are trained to resist such ploys, smiling people with clipboards and faux badges may show up at the front desk saying they need to inspect the server room on some pretext — and they’ll probably be allowed in, says Strand.
Beyond that, large numbers of log-in credentials to corporate networks are always for sale at various malicious sites, because people have registered at third-party sites using their office email addresses and passwords — and those sites were later compromised, Strand adds.
“The good news is that it is relatively easy to defend against most malware, if you use up-to-date anti-virus software, run a firewall, get security updates and use strong passwords,” Rains says. “These techniques can block the major attacks used today and probably for years to come.”
“The best practices I was telling people about 10 years ago I still have to tell people about today,” Haley adds. “Have good security software, update the system and use good common sense. Don’t link to email that doesn’t seem right.”
Finally, Pescatore suggests looking to the field of public health (rather than the military or ecology) for a metaphor about living with malware. “We have learned to wash our hands and keep the cesspool a certain distance from the drinking water,” he notes. “We still have the common cold, and we still have occasional epidemics — but if we react quickly we can limit the number who are killed.”
Microsoft was credited with inventing practically everything first, directly through innovation before its time, or indirectly and invisibly because everything runs on Microsoft software.
Well, it seems as if Microsoft is being credited with inventing almost everything.
We’ll start with the post by TechRadar defending Microsoft and crediting the company with inventing practically everything, including the wheel – the mouse wheel. The did-you-know flavored list begins with Google TV, but pointed out that Microsoft did that first in 1997 by acquiring WebTV, then renaming it MSN TV, and eventually using the technology for Xbox and Xbox 360. WebTV was first to allow web access with a computer, but let’s toss in the little-known fact that in 1996, before it became Microsoft’s product, the U.S. government classified WebTV as “munitions (a military weapon)” due to its use of strong encryption. It was a change in law, not Microsoft touching the technology, that stopped the military weapon classification.
The TechRadar article goes on to credit Microsoft with being the first to invent its version of the iPad, dubbed the Tablet PC, which shipped in 2002, but were “too big, bulky and expensive.” Facebook’s walled garden was credited to Microsoft’s 1995 version of MSN. The Redmond giant was first to market smart watches (Smart Personal Object Technology, or SPOT) which took advantage of mobile data. In 2000, the Redmond giant put out the first eReader; also in 2000, Microsoft invented the first smartphone, Microsoft’s Pocket PC platform. In fact, TechRadar compared Microsoft Bob, released in 1995, to the earliest version of today’s Siri and Google Now. The lack of success of Microsoft’s many invented products was attributed to them coming before their time or having no killer apps.
But those examples of what Microsoft invented are just a drop in the bucket if you use the “invisible” supportive structures reasoning presented by Microsoft’s Matt Wallaert, Behavioral Psychologist for Bing. Wallaert, who recently defended Microsoft’s Bing it on challenge claims, mentioned that fight in his Forbes article, before describing the worst part about working at Microsoft. “Every time you take a pot shot at Microsoft just to be a jerk, you distract us from doing the work that makes the world better.”
It is safe to say that most people reading this probably don’t respect Microsoft very much. Asked to name the most innovative tech company, they’ll say Apple or Google. And they’ll do it with a straight face, while sitting in a chair made by Microsoft.
Wait, Microsoft makes chairs? No, not directly. But the part of that chair? Manufactured in facilities running on, you guess it, Microsoft software. Transported in trucks built by Microsoft software, on roads built by Microsoft software, sold by companies running Microsoft software.
Imagine you got out of that chair for a second. Walked across the street to get a cup of coffee. Got hit by a bus. The ambulance that picks you up? Microsoft. The hospital that saves you? Microsoft. The doctor? Trained at a school running Microsoft, using delicate instruments running Microsoft. If you prefer not getting hit by a bus, think about the role that Microsoft has had in making sure your baby was born healthy.
So there you have it; if you consider the “invisible” supportive structures, then, hey, Microsoft can be credited with inventing pretty much everything and we apparently underrate its value.
How Microsoft invented almost everything
By the same token, if you consider the “invisible” argument of Microsoft software being behind all good things, would it also have to be behind all the bad? If you fell out of your computer chair — because you didn’t rest well the night before on the mattress manufactured in a factory running Microsoft software — and decided to go across the street to fetch a cup of coffee, what caused the accident?
Your mobile phone rings as you step onto the street. It’s your distressed non-techy mom describing how Windows crashed, so you close your eyes briefly and smother a curse word. The bus driver, who is busy texting on his Windows phone, doesn’t see and therefore hits you; but no worries because a Microsoft-built ambulance picks you up and transports you to the hospital filled with doctors trained at schools running Microsoft. The delicate instruments running Microsoft software save you, despite running on an OS infected with malware. Your doctor, who is looking down at notes on his Surface tablet, greets you in the recovery room and tells you that your sex change operation went great. But before you can freak out, elsewhere Chinese Army hackers exploited a zero-day to break into government computers running Windows and stole classified codes to launch nukes. The world, running on Microsoft, ends.
Just kidding, but that’s the problem with the “invisible” supportive structures argument; it can be used in far-out scenarios for good and for bad.
“Your privacy is very important to us,” Microsoft is fond of saying. But if a former Microsoft Privacy Chief no longer trusts Microsoft, should you?
Bowden’s statements were made during a conference about privacy and surveillance that was held in Lausanne, Switzerland, and reported on by the Guardian. At one point, Bowden’s presentation slide showed a “NSA surveillance octopus” to help illustrate the evils of surveillance in the U.S. cloud; but this was not a PowerPoint presentation. He was using LibreOffice 3.6 because he doesn’t trust Microsoft software at all anymore. In fact, he said he only uses open source software so he can examine the underlying code.
An attendee pointed out that free software has been subverted too, but Bowden called open source software “the least worst” and the best option to use if you are trying to avoid surveillance. Another privacy tip…the privacy pro also does not carry a personal tracker on him, meaning Bowden gave up on carrying a mobile phone two years ago.
No privacy in the cloud: zero, zippy, none
According to Bowden, “In about 2009 the whole industry turned on a dime and turned to cloud computing – massively parallel computation sold as a commodity at a distance.” He said, “Cloud computing leaves you no privacy protection.” However, “cloud computing is too useful to be disinvented. Unlike Echelon, though, which was only interception, potentially all EU data is at risk. FISA (Foreign Intelligence Surveillance Act) can grab data after it’s stored, and decrypted.”
Bowden authored a paper about “the U.S. National Security Agency (NSA) surveillance programs (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens’ fundamental rights.” While it mostly dissects how “surveillance activities by the U.S. authorities are conducted without taking into account the rights of non-U.S. citizens and residents,” it also looks at some “serious limitations to the Fourth Amendment for U.S. citizens.”
“The thoughts prompted in the mind of the public by the revelations of Edward Snowden cannot be unthought. We are already living in a different society in consequence,” Bowden wrote [pdf]. He again pointed out the dangers to privacy in cloud computing. “The scope of FAA creates a power of mass-surveillance specifically targeted at the data of non-U.S. persons located outside the U.S., including data processed by ‘Cloud computing’, which eludes EU Data Protection regulation.”
Data can only be processed whilst decrypted, and thus any Cloud processor can be secretly ordered under FISA 702 to hand over a key, or the information itself in its decrypted state. Encryption is futile to defend against NSA accessing data processed by US Clouds (but still useful against external adversaries such as criminal hackers). Using the Cloud as a remote disk-drive does not provide the competitiveness and scalability benefits of Cloud as a computation engine. There is no technical solution to the problem.
He concluded that there is an “absence of any cognizable privacy rights for ‘non-U.S. persons’ under FISA.”
Microsoft’s strategy: Grind down people’s privacy expectations
It was Bowden’s position over privacy policies for Microsoft that makes his point of view important. This man, a privacy expert, no longer trusts Microsoft as a company, nor its software.Microsoft ‘your privacy is our priority’ Yet Microsoft (and most all other companies) love to publicize the quote, “Your privacy is very important to us.” But does Microsoft really care about your privacy?
During an interview with Bowden, the London School of Economics and Political Science (LSE) asked, “Do you think the general public understands how much privacy they have in the digital world?”
Bowden replied, “There’s been a grinding down of people’s privacy expectations in a systematic way as part of the corporate strategy, which I saw in Microsoft.”
Regarding the Guardian’s report that Bowden does not trust the Redmond giant, Microsoft sent this PR-damage control statement to CNET:
“We believe greater transparency on the part of governments – including the U.S. government – would help the community understand the facts and better debate these important issues. That’s why we’ve taken a number of steps to try and secure permission, including filing legal action with the U.S. government.”
About that transparency…LSE asked Bowden, “What’s your view on the transparency policies of tech-companies?”
Bowden replied, “It is purely public relations strategy – corporate propaganda aimed at the public sphere – and due to the existence of secret mass-surveillance laws will never be truly transparent.”
From anywhere on the planet, a hacker could open and close the lid to your smart toilet, turn your child’s smart toy into a covert surveillance device, or unlock the doors of your smart home.
Disregard for a moment why you would ever want to connect a toilet to the Internet to “record a toilet diary,” and instead ask why would a person hack a smart toilet? Because it’s there; it’s vulnerable and it helps to highlight new security risks associated with smart devices connected to the web, making up the Internet of Things.
LIXIL Satis Bluetooth smart toilet
Since the Japanese manufactured LIXIL Satis smart toilet is extremely expensive, as much as about $6,000, and not readily available in the U.S., researchers at the security firm Trustwave reverse-engineered an Android app for the bluetooth-controlled Satis. It has a hard-coded PIN of “0000,” according to the security advisory, and:
any person using the “My Satis” application can control any Satis toilet. An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.
Although that hack is more of a prank, you might take the security risk more seriously if an attacker could secretly access the webcam in your child’s toy, capture video and then upload it to a remote server.
Violet’s Karotz Smart Rabbit
The toy in question is a Karotz plastic bunny that “can connect to the Internet (to download weather forecasts, read its owner’s email, etc.),” stated the bunny security advisory. It “can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip a speakers.” In fact, an attacker could “take control of it from a computer and remotely watch live video, turning it into an unwitting surveillance camera.”
Hacking smart houses
At the Black Hat Home Invasion v2.0 presentation, Trustwave researchers showed serious topics as well, such as how someone other than the home or business owner can unlock doors from anywhere in the world. As an example, Trustwave security researcher Dan Crowley took a random four-digit number from a hacking conference attendee and then changed the lock’s PIN. They also discussed poor security issues discovered when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge.
Although one of the benefits of having a smart home is that you remotely control it via a smartphone, tablet or PC, that convenience comes with a plethora of personal security and privacy risks. During the Black Hat session [pdf slides], the researchers showed how the home automation gateways Mi Casa Verde Veralite and Insteon Hub have “vulnerabilities that, if not fixed, could result in covert audio and video surveillance, physical access to buildings or even personal harm.”
“The big risk is that a compromise could give you access to hundreds of thousands of homes all at once,” Crowley stated. “I could see that as an attack someone could actually use to launch a crime spree.” He added that if someone broke into your house, but there was no sign of forced entry, then how would you get your insurance company to pay?
Granted the toilet hack is invasive but more like a prank, yet an attacker could also seriously mess with a person’s mind by simply running a web search for smart homes with Insteon and then remotely taking control of the lights as if the house were “haunted.”
The potential for hacking smart homes and the Internet of Things—from exploiting network connected toys, thermostats, wireless speakers, to automated door locks—will only continue to grow as more people adopt these technologies. There are plenty of privacy risks in addition to the security vulnerability issues as their white paper [pdf] states:
There are also privacy concerns in the compromise of these devices. Compromise of a device with a built-in microphone or camera comes with the ability to perform audio and video surveillance. Compromise of a motion sensor could be used to determine when there are people at a physical location. Reading the status of door locks and alarm systems as could be achieved by compromising the VeraLite could be used to determine when the building in which it resides is occupied.
Legally, devices that store data on third party servers also enjoy a lower level of privacy protections due to the 3rd Party Doctrine. Many of the devices in this paper fall into this category.
Mud slinging round one million: Google CEO Larry Page warned against companies being “negative,” before claiming Microsoft is “milking” Google. Microsoft zinged back about the cease and desist letter Google sent.
Last week, Microsoft incorporated Google Talk into Outlook and SkyDrive to allow users “to chat with friends stuck on Gmail.” Then Google CEO Larry Page criticized Microsoft for “taking advantage” of “interoperating” with Google, “but not doing the reverse.” That’s “really sad,” Page said at I/O, “And that’s not the way to make progress. You need to actually have interoperation, not just people milking off one company for their own benefit.”
YouTubeIn return, Microsoft spokesperson Frank Shaw stated, “It’s ironic that Larry is lending his voice to the discussion of interoperability considering his company’s decision — today — to file a cease and desist order to remove the YouTube app from Windows Phone, let alone the recent decision to make it more difficult for our customers to connect their Gmail accounts to their Windows experience.”Cease and desist
Google claimed that Microsoft violated Google’s Terms of Service with the YouTube app. The Verge got its hands on a copy of that cease and desist letter that Google sent Microsoft. It demands that Microsoft “immediately withdraw this application from the Windows Phone Store and disable existing downloads of the application by Wednesday, May 22, 2013.” Google’s real gripe stems from the fact that Microsoft’s YouTube app has “features that specifically prevent ads from playing.”
After the cease and desist letter went public, Microsoft responded by “saying it’s happy to include advertising.” However, ZDNet speculated that the Windows Phone 8 YouTube app might have been part of Microsoft’s Scroogled campaign.
You wouldn’t know all this background cease and desist drama from what Page said at I/O.
Every story I read about Google gives off a notion of “us versus some other company” or some stupid thing. Being negative is not how we make progress. The most important things are not zero-sum. There is a lot of opportunity out there.
Opportunities on “Google Island”
Gadget Lab’s Mat Honan wrote about some of those far-out and freaky opportunities in a fictional piece about “Google Island.” It’s an interesting and trippy read. Honan talked about arriving at Google Island in a “driverless boat” to find Page’s naked “Google Being” explaining “complete openness” made possible by experimenting on an island in which no pesky government’s laws could get in the way with privacy.
At I/O, Page expressed an interest in setting aside a place “where people could experiment freely and examine the effects.” Honan joked that the place is Google Island, where Page would claim, “As soon as you hit Google’s territorial waters, you came under our jurisdiction, our terms of service. Our laws-or lack thereof-apply here. By boarding our self-driving boat you granted us the right to all feedback you provide during your journey.”
Besides Google knowing everything about a user’s health, “genetic blueprint” and even “the chemical composition of your sweat,” Honan’s fictional Page claimed that Google has “looked at everything you’ve looked at online. Everything. We know what you want, and when you want it, down to the time of day. Why wait for you to request it? And in fact, why wait for you to discover that you even want to request it? We can just serve it to you.”
OK, so that was fiction…but it harkens back to a time when then Google CEO Eric Schmidt said, “With your permission you give us more information about you, about your friends, and we can improve the quality of our searches. We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” Schmidt later added, “I actually think most people don’t want Google to answer their questions…They want Google to tell them what they should be doing next.”
Google is all about ad revenue and the company will never allow Microsoft to block ads on YouTube. Meanwhile, speaking of YouTube and ads, Nintendo is scanning for fan-made YouTube clips that show footage of its games, such as how to get through a level, and then “hijacks” the ad revenue. Nintendo is not blocking screencaps that feature its intellectual property; however, by using content ID match to identify game footage videos uploaded by fans, Nintendo is adding advertising “at the beginning, next to or at the end of the clips.”
Summary: About 20 percent of compromised credentials, exposed via hacks on other service providers, match Microsoft Account logins due to password reuse
Around 20 percent of the logins found on lists of compromised credentials match those of Microsoft Accounts due to consumers using the same login details across more than one service, the company has said.
The lists are circulated by organisations and hackers in the wake of attacks on third-party service providers.
People re-use passwords and login details across services from different providers, Microsoft Account group manager Eric Doerr noted in a blog post on Sunday. That reuse means that if one set of logins is compromised, other accounts are at risk.
“These attacks shine a spotlight on the core issue — people reuse passwords between different websites,” said Doer, speaking after the Yahoo breach last week that exposed 400,000 user details. “On average, we see successful password matches of around 20 percent of matching usernames.”
Doer revealed the figure in a run-down of some Microsoft Account security practices, meant to reassure customers after the Yahoo hack. Microsoft Account is a single sign-on tool for Microsoft services such as SkyDrive, Hotmail, Xbox and Messenger.
Microsoft regularly gets lists of compromised third-party login details from ISPs, law enforcement and vendors, as well as from lists published on the internet by hackers, according to Doerr. This information is checked against Microsoft login details using an automated process to check for any overlap. While 20 percent is the average, in one recent breach it was only 4.5 percent, said Doerr.
After a hack attack on another provider, Microsoft monitors its user accounts to see if they are being used to send spam. If it sees signs of criminal activity, it suspends the account, and the affected customer has to go through an account recovery process before being able to log in again.
If Microsoft suspects, but is not certain, that there has been a breach, it will ask customers to reset their passwords.
The company also uses behavioural monitoring technology similar to that used by banks to log patterns of access and location, to see if an attempted login is suspicious. The technology can block the attempt, or ask an additional identity question to decide whether to grant access.
The Microsoft Account team is working on tightening up security, Doerr said. The current 16-character limit on password length is set to increase, to make brute force attacks more difficult, for example. However, Microsoft is having problems making passwords longer because of its ecosystem, he noted.
“Unfortunately, for historical reasons, the password validation logic is decentralised across different products, so it’s a bigger change than it should be and takes longer to get to market,” Doerr said.
Yahoo, Gmail, Hushmail, Yandex and MyOperaMail all allow passcode lengths of 30 characters, as one Microsoft account holder, MondayBlues, pointed out in a comment.
Doerr noted that people using SkyDrive device-synchronisation software and buying products on Xbox.com are required to use two-factor authentication. Microsoft is working on implementing this security measure in more products and services, he said, but did not specify which.
Updated: This article was updated at 5.22pm BST after clarification from Microsoft.