Posts tagged security
Microsoft will no longer issue security patches for Windows XP
This month’s “Patch Tuesday” includes the final round of security fixes Microsoft will issue for Windows XP, potentially leaving the millions who continue to use the OS open to attack.
XP will become an easy target for attackers now that Microsoft has stopped supporting it, said Wolfgang Kandek, CTO of IT security firm Qualys. The OS will no longer receive fixes for vulnerabilities that Microsoft and others find in it. Moreover, attackers will be able to reverse engineer the patches issued for newer versions of Windows, which gives them clues to the unfixed vulnerabilities that remain in XP, Kandek said.
Microsoft has acknowledged the problem and has been pushing hard to get users onto newer versions of Windows.
“If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses,” it said in an advisory.
Its efforts haven’t always been successful. Qualys compiled data from 6,700 companies and found that XP still represents a sizable portion of the OSes running in the enterprise. About one-fifth of companies in finance, for instance, still use XP, a surprisingly large share for an industry handling sensitive data.
In retail, 14 percent of PCs still run XP, and in health care the figure is 3 percent.
Organizations may be holding off on updating for a number of reasons, Kandek said. Some didn’t realize support was closing and are just now putting a migration plan in place. Others may be taking a calculated risk, saving on the cost of an upgrade and trying to minimize exposure by limiting access to the Internet and through other measures.
In addition to ending support for XP, Microsoft is no longer supporting Office 2003 or Internet Explorer 8.
The company released four security updates altogether on Tuesday. They cover 11 vulnerabilities in Windows, Internet Explorer, Microsoft Office and Microsoft Publisher. Two of the updates are rated critical. One of those, MS14-018, fixes a number of issues in Internet Explorer. The other, MS14-017, addresses critical vulnerabilities in Microsoft Word and Office Web Apps, including a zero-day in how Office 2010 handles documents encoded in Rich Text Format.
Even after that fix is applied, organizations that don’t routinely use RTF files might want to block Word from opening them at all, Kandek advised.
The two other updates in April’s round are rated important. MS14-020 handles a vulnerability in Microsoft Publisher, and MS14-019 addresses a vulnerability in the Windows file handling component that affects Windows versions including XP.
Kandek also advised administrators to apply the patch Adobe issued Tuesday for a serious vulnerability in its Flash multimedia software.
How to easily encrypt email, Gmail, Hotmail, Outlook, Yahoo; Virtru is free, protects your digital privacy, and is so super easy to use that even your non-techie grandma could and should use it.
I believe privacy is a fundamental right, so what better way to celebrate Data Privacy Day than to show you how to encrypt email easily and keep those emails both private and secure?
Meet Virtru, an email security app that encrypts your email before it leaves your device; it includes fine-grained privacy controls so only you and the person to whom you sent the email can access it…meaning government snoops, third parties, advertisers, ISPs and even cybercrooks can’t access your email messages. Thanks to Virtru’s Chrome and Firefox browser extensions, you can keep your Gmail, Outlook or Yahoo email accounts and still have secure and private email. And you can protect your digital privacy for the low, low price of FREE! Virtru is so super easy to use that even your non-techie grandma could and should use it.
Before we jump to the how-to, let me introduce the founders of Virtru: brothers Will and John Ackerly. When Will worked at the NSA as a cloud security architect, he invented the Trusted Data Format (TDF) that Virtru, and intelligence agencies, use. “After serving eight years at the NSA, he came away from the experience entirely convinced that users need to take action to preserve their own privacy.” John, who served as associate director of the National Economic Council and director of the Office of Policy and Strategic Planning at the Commerce Department under President George W. Bush, said of Virtru, “The fundamental motivator here is…the need to give individuals practical tools to exercise their fundamental right to privacy.”
How to encrypt email with Virtru
For webmail, Virtru currently offers a Chrome extension and a Firefox add-on that encrypt Gmail, Outlook, Hotmail or Yahoo mail. There is also an iOS app; an Android app, plugins for the Outlook and Mac Mail desktop programs, and extensions for Internet Explorer 10 and up and for Safari are planned. Although I’ve tested both the Chrome and Firefox add-ons with Gmail, Hotmail and Yahoo, the following examples are mostly screenshots from Gmail and Hotmail. Email addresses have been redacted.
First, get the add-on for Firefox and/or Chrome. Once it is installed in your browser, simply click to activate Virtru for your webmail.
[Screenshot: Virtru app permissions in Outlook]
[Screenshot: Virtru in Outlook, first look]
[Screenshot: the activation message shown if you send encrypted Gmail to a person not using Virtru]
Virtru security bar
[Screenshot: the new Virtru security bar in Hotmail, Gmail, Outlook and Yahoo]
You will then receive a message notifying you about the Virtru security bar.
You can easily turn Virtru on and off. If it’s grayed-out, then it’s off. It’s blue when you turn on Virtru protection.
[Screenshot: turning the Virtru security bar off and on]
When Virtru is on in Outlook, Hotmail, Gmail or Yahoo, your “send” button becomes a “send secure” button, as seen in this Outlook example.
Drafts on Yahoo are not encrypted by Virtru
As a side note of caution regarding the cloud, if you use Yahoo, then know that Yahoo drafts are not currently encrypted by Virtru. Try to avoid such drafts; it’s fodder for the mass surveillance powers-that-be if you’ve become a target.
Every email protected by Virtru is encrypted with AES-256, the largest key size the Advanced Encryption Standard offers. The Virtru software, whether installed as a browser add-on or a mobile app, encrypts your email before it leaves your device. When you hit send, Virtru says it protects the encryption keys with perfect forward secrecy. Only you and the person to whom you sent the email can access the content.
The TDF format controls access privileges for “all file types (ie, emails, text messages, Office files, pdfs, photos, videos).” When you send a Virtru-protected email, “your content is encrypted and secured inside a TDF wrapper. When your receiver attempts to open it, the wrapper communicates with the Virtru server to verify that the receiver is eligible to see the information.”
When you have installed Virtru and you receive an encrypted email, the decryption happens quickly when you open it.
[Screenshot: Virtru decrypting an email]
Disable forwarding and set email expiration date
On the right-side of the Virtru security bar, you have options to disable email forwarding and to set up an expiration date for how long your recipient has access to your sent email.
[Screenshot: the Virtru controls for disabling forwarding and setting an expiration time]
If you disable email forwarding, then if Alice sent email to Bob, and Bob forwarded Alice’s email to Mallory, Mallory would not be able to open it. Regarding The Register’s claim that a person can defeat Virtru by copying and pasting from the email, the fix for that is coming.
“On the copy/paste front, we have a technical solution, but we haven’t yet rolled it out,” Will told me. “Our main focus is on protecting the emails as they go from sender to recipient, as well as when stored on servers and your devices, but use after decryption isn’t our first ‘privacy’ concern.”
Revoke or reauthorize email messages
Virtru “thinks everyone deserves real privacy and control over their data, even after hitting the send button,” so sent email comes with an option to revoke access. The red hand icon lets you revoke an email; this is especially handy if you sent an unwise, angry email in haste.
[Screenshot: the Virtru revoke message]
Below is what the recipient sees if you revoke access to a sent email:
[Screenshot: the Virtru “access revoked” message]
[Screenshot: reauthorizing a revoked email in Virtru]
If you change your mind again, such as if you revoked access over a lover’s spat, click the blue eye to reauthorize your recipient’s access to the sent email.
Virtru Secure Reader
If you want to send Virtru-encrypted email to someone at work who may not have the admin rights to install browser add-ons, no problem: Virtru also has a web-based Secure Reader.
[Screenshot: the recipient is told they have secure mail and can either install the browser add-on or install nothing and use the web-based reader]
When you send your first email to a person not using Virtru, if they choose the Secure Reader option they will be asked to verify their identity; this ensures that only the recipient you intended can open the email. Because Virtru uses the OpenID and OAuth protocols, the recipient does not need to set up a new account or yet another password. Instead, they verify their identity through their existing Gmail, Microsoft or Yahoo account.
[Screenshot: Virtru Secure Reader asking you to verify your identity before showing a secure email]
If your recipient forwards an email that you protected with “disable forwarding,” this is what the non-authorized person sees in Virtru Secure Reader.
[Screenshot: Virtru Secure Reader refusing a forwarded email whose sender disabled forwarding]
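To make the access model concrete, here is a toy of the server-mediated design described above: the encrypted content travels in a wrapper, the key lives on a server that checks the sender's policy (named recipients, disabled forwarding, an expiration time, revoke and reauthorize) each time the wrapper is opened, and an identity is verified before the key is released, as in Secure Reader. This is an added example, not Virtru's code or the TDF specification; the key-server API, the wrapper layout and the HMAC-SHA256 keystream standing in for AES-256 are assumptions made so it runs with the Python standard library alone.

```python
"""Toy model of a TDF-style wrapper (added example, not Virtru's code).
The mail carries only ciphertext; the content key stays on a key server that
re-checks the sender's policy every time the wrapper is opened. The keystream
below is an assumed stand-in for AES-256 so this needs no third-party library."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Policy:
    sender: str
    recipients: Set[str]
    allow_forward: bool = True
    expires_at: Optional[float] = None  # epoch seconds; None means never
    revoked: bool = False


class KeyServer:
    """Holds content keys and policies; a wrapper cannot be opened without it."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.policies: Dict[str, Policy] = {}

    def register(self, content_id: str, key: bytes, policy: Policy) -> None:
        self.keys[content_id] = key
        self.policies[content_id] = policy

    def request_key(self, content_id: str, identity: str,
                    now: Optional[float] = None) -> bytes:
        """Policy is evaluated at open time, so later changes take effect at once."""
        p = self.policies[content_id]
        now = time.time() if now is None else now
        if p.revoked:
            raise PermissionError("sender revoked access")
        if p.expires_at is not None and now > p.expires_at:
            raise PermissionError("message expired")
        if identity != p.sender and identity not in p.recipients:
            raise PermissionError(f"{identity} is not an authorised reader")
        return self.keys[content_id]

    def forward(self, content_id: str, by: str, to: str) -> bool:
        """A recipient grants a third party access; refused if forwarding is off."""
        p = self.policies[content_id]
        if by not in p.recipients or not p.allow_forward:
            return False
        p.recipients.add(to)
        return True

    def set_revoked(self, content_id: str, revoked: bool) -> None:
        """The red hand (revoke) and blue eye (reauthorize) toggles."""
        self.policies[content_id].revoked = revoked


def seal(server: KeyServer, sender: str, recipients: Set[str], plaintext: bytes,
         allow_forward: bool = True, expires_at: Optional[float] = None) -> dict:
    """Sender side: encrypt on the device, park only the key on the server."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    content_id = secrets.token_hex(8)
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # integrity
    server.register(content_id, key, Policy(sender, set(recipients), allow_forward, expires_at))
    return {"content_id": content_id, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_wrapper(server: KeyServer, wrapper: dict, identity: str,
                 now: Optional[float] = None) -> bytes:
    """Reader side: the wrapper asks the server whether this identity may read it."""
    key = server.request_key(wrapper["content_id"], identity, now)
    expect = hmac.new(key, wrapper["nonce"] + wrapper["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, wrapper["tag"]):
        raise ValueError("wrapper has been tampered with")
    return keystream_xor(key, wrapper["nonce"], wrapper["ciphertext"])


def can_open(server: KeyServer, wrapper: dict, identity: str,
             now: Optional[float] = None) -> bool:
    try:
        open_wrapper(server, wrapper, identity, now)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    server = KeyServer()
    w = seal(server, "alice", {"bob"}, b"meet at noon", allow_forward=False)
    print("bob reads:", open_wrapper(server, w, "bob"))
    print("forward to mallory allowed:", server.forward(w["content_id"], "bob", "mallory"))
    server.set_revoked(w["content_id"], True)
    print("bob after revoke:", can_open(server, w, "bob"))
```

The property the post relies on is visible in `open_wrapper`: nothing in the wrapper itself says who may read it, so revoking or expiring the key on the server takes effect the next time anyone opens it, and a forwarded wrapper is useless to Mallory because the server never learns her identity as a recipient. The limit is equally visible: once `open_wrapper` has returned plaintext to Bob, nothing in this design can stop him copying it, which is the copy-and-paste point The Register raised and a property of any scheme that hands the recipient the decrypted content.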
Virtru wanted to make encryption easy for absolutely everyone to use without sacrificing security; the creators believe in your fundamental right to have digital privacy and provided a tool that combines strong encryption with granular privacy controls. They claim Virtru will change the way we use email, and it surely could. The purpose of all these screenshots was to show you every aspect of how easy it is to use Virtru.
For people who would like more in-depth details of how Virtru works, then I encourage you to go read more. Virtru also has an open source strategy, which includes making a collection of open source Virtru components available on GitHub.
Although it’s only in beta right now, I still highly recommend that you try Virtru. There is no reason Virtru should not be widely accepted by the masses to escape mass surveillance. Please do give it a try. Happy International Data Privacy Day! Why don’t you celebrate by taking back control of your email and digital privacy?
We may be facing a stalemate. Or, we may be evolving a new cyber biosphere.
Ceaselessly, with no end in sight despite outlays that amount to a tax on doing business, the decades-long struggle against malware drags on.
Today, around 5% of the average IT budget is devoted to security, estimates John Pescatore, a director at the SANS Technology Institute. Cybercrime (including malicious insider attacks and theft of devices) costs U.S. corporations an average of $11.6 million yearly, according to an October 2013 study by the Ponemon Institute that was sponsored by HP Enterprise Security. This cost represents a 23% increase over last year’s average of $8.9 million per company.
Asked why malware is the war without end, experts commonly embrace either a military or an ecological metaphor. Those with the military viewpoint say flawed defenses have led to a stalemate. The ecology-minded don’t see it as a war to be won or lost — they see an eternal cycle between prey and predator, and the goal is not victory but equilibrium.
One who favors the military metaphor is David Hoelzer, director of research for Enclave Forensics in Henderson, Nev. “We are essentially going in circles,” he says. “We improve only after our adversaries defeat our defenses. Most software is still riddled with vulnerabilities, but the vendors typically make no move to fix one until it becomes publicly disclosed. Coders are not trained in security, and ‘well written’ means ‘under budget.’”
Security consultant Lenny Zeltser chooses the ecology metaphor. “Attackers take advantage of the defenders, and the defenders respond. It’s part of the cycle,” he says. “If attackers get in too easily, they are spending too much to attack us. If we are blocking 100% of the attacks, we are probably spending too much on defense. We have been in a state of equilibrium for some time and always will be. But being complacent is dangerous, as we must constantly apply energy to maintain the equilibrium.”
Developments in the financial sector offer an example of why it’s important to constantly apply energy to maintain the equilibrium. A new report from Trend Micro points out that attacks aimed at stealing online banking credentials recently surged to a level not seen since 2002.
Nevertheless, experts agree that progress has been made — even if only toward the maintenance of ecological equilibrium or a military stalemate.
The wins so far
At this point, “there are no types of malware for which there are no defenses that we are currently aware of,” says Roel Schouwenberg, a researcher at anti-malware software vendor Kaspersky Lab.
“We no longer see the kinds of big spreading malware that we saw three or four years ago, [such as] the ILOVEYOU virus of 2000,” adds William Hugh Murray, a security consultant and a professor at the Naval Postgraduate School.
Interviews with analysts and executives at security vendors McAfee, AVG and Kaspersky Lab suggest that the following are the four principal weapons that make this possible:
• Signature detection. This gives you the ability to spot known malicious code by matching it against stored patterns, among other things.
• Behavior monitoring. This technique lets you spot malicious activity on a computer or determine whether a suspicious file will respond to virtual bait.
• Blacklisting. A mechanism for blocking access to sites and files that appear on a list of known-undesirable entities; anything not on the list is allowed.
• Whitelisting. Essentially the opposite of blacklisting: users are allowed access only to sites and files on a list of entities known to be harmless, and access to anything not on the list is denied.
Each of the four has its supporters and detractors, and all the anti-malware software vendors queried for this article said they use some form of all four weapons, in combination.
Other defenses include firewalls, which can prevent intrusions and — with Windows at least — are part of the operating system, and periodic vendor patches to address vulnerabilities.
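The four approaches are easier to compare side by side in code. The following is an added example, not any vendor's engine: a small pipeline that runs signature matching, behavior rules (including a decoy file as the "virtual bait"), a blacklist and a whitelist over a constructed sample. The byte signatures, the rule set, the event format and the sample dropper and event log are all made up for this illustration.

```python
"""Toy anti-malware pipeline (added example, not a vendor's engine).
All signatures, rules, lists and the sample below are constructed for illustration."""
import hashlib
import re
from typing import Callable, Dict, List, Set

# 1. Signature detection: known byte patterns and known-bad file hashes.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "Toy.Downloader": b"URLDownloadToFileA",  # assumed marker; weak on its own
}
KNOWN_BAD_SHA256: Set[str] = set()  # populated below from the constructed sample


def signature_scan(data: bytes) -> List[str]:
    hits = [name for name, pattern in BYTE_SIGNATURES.items() if pattern in data]
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        hits.append("KnownBad.Hash")
    return hits


# 2. Behavior monitoring: rules over an event stream from a sandbox or endpoint
#    agent. Event shape is assumed: {"proc", "action", "target"}.
Event = Dict[str, str]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
DECOY_FILE = r"c:\decoy\passwords.txt"  # the "virtual bait": nothing legitimate reads it

BEHAVIOR_RULES: Dict[str, Callable[[Event], bool]] = {
    "run_key_persistence": lambda e: e["action"] == "reg_set"
    and "\\currentversion\\run" in e["target"].lower(),
    "office_spawns_shell": lambda e: e["action"] == "spawn"
    and e["proc"].lower() in OFFICE_APPS and e["target"].lower() in SHELLS,
    "decoy_file_read": lambda e: e["action"] == "read"
    and e["target"].lower() == DECOY_FILE,
    "raw_ip_connect": lambda e: e["action"] == "connect"
    and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", e["target"]) is not None,
}


def behavior_scan(events: List[Event]) -> List[str]:
    return [name for name, rule in BEHAVIOR_RULES.items() if any(rule(e) for e in events)]


# 3 and 4. Blacklist and whitelist differ only in what happens to the unknown.
def blacklist_allows(target: str, blacklist: Set[str]) -> bool:
    return target not in blacklist  # unknown is allowed (default allow)


def whitelist_allows(target: str, whitelist: Set[str]) -> bool:
    return target in whitelist  # unknown is denied (default deny)


def verdict(data: bytes, events: List[Event], hosts: List[str],
            blacklist: Set[str], whitelist: Set[str]) -> Dict[str, object]:
    """Run all four; a real engine would weight these rather than just list them."""
    return {
        "signatures": signature_scan(data),
        "behaviors": behavior_scan(events),
        "blocked_by_blacklist": [h for h in hosts if not blacklist_allows(h, blacklist)],
        "blocked_by_whitelist": [h for h in hosts if not whitelist_allows(h, whitelist)],
    }


# Constructed sample: not real malware, just bytes that trip the toy signatures.
SAMPLE_DROPPER = b"MZ\x90\x00" + b"URLDownloadToFileA\x00" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
KNOWN_BAD_SHA256.add(hashlib.sha256(SAMPLE_DROPPER).hexdigest())
SAMPLE_EVENTS: List[Event] = [  # constructed sandbox log of the sample running
    {"proc": "WINWORD.EXE", "action": "spawn", "target": "powershell.exe"},
    {"proc": "powershell.exe", "action": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"proc": "powershell.exe", "action": "read", "target": r"C:\decoy\passwords.txt"},
    {"proc": "powershell.exe", "action": "connect", "target": "203.0.113.7:4444"},
]
BLACKLIST = {"203.0.113.7:4444"}
WHITELIST = {"updates.example.com:443"}

if __name__ == "__main__":
    hosts = ["203.0.113.7:4444", "updates.example.com:443", "cdn.unknown-example.net:443"]
    for key, value in verdict(SAMPLE_DROPPER, SAMPLE_EVENTS, hosts, BLACKLIST, WHITELIST).items():
        print(f"{key}: {value}")
```

The interesting line is the unknown host, `cdn.unknown-example.net:443`: the blacklist lets it through and the whitelist blocks it, which is the whole trade-off between the two lists in one comparison. The decoy rule shows why bait is cheap and precise: no legitimate process has a reason to read that file, so a single read is a high-confidence signal even when the sample's bytes match no signature.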
Frequency of cyberattacks
The frequency of different types of attacks experienced during a four-week period in 60 companies benchmarked.
Viruses, worms, trojans 100%
Web-based attacks 63%
Denial of service 50%
Malicious code 48%
Malicious insiders 42%
Phishing/social engineering 42%
Stolen devices 33%
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
A question sometimes raised is whether there are more advanced weapons that we haven’t yet learned about. “I’ve heard that [the anti-malware vendors] have better defenses up their sleeve that they choose not to release since they are not necessary yet, and they don’t want to tip their hand,” says Zeltser.
The vendors deny this. “Our secret weapons are in force every day — it’s a daily battle,” says Tony Anscombe, an executive at anti-malware software vendor AVG Technologies. Indeed, if vendors had something that can stop all viruses “it would be foolish to wait to use it,” says Kevin Haley, spokesman for anti-malware software vendor Symantec. “It would be a competitive advantage” to help sell more software, he points out.
Either way, the end result is that anti-malware software vendors can now respond to a new (or “zero-day”) exploit within two hours, although complicated exploits may require subsequent follow-up, says Haley.
In parallel, there have been efforts to make software less vulnerable to infection. For instance, Tim Rains, director of Microsoft Trustworthy Computing, says that Microsoft has revamped the code libraries used by developers to remove errors and vulnerabilities.
As a result, he notes, stack corruption was the vulnerability exploited 43% of the time in 2006, but now it’s used only 7% of the time. He also cites a study conducted in 2011 by analyst Dan Kaminsky and others indicating there were 126 exploitable vulnerabilities in Microsoft Office 2003, but only seven in Office 2010.
Years of security-related software patches downloadable by users have also had a measurable effect. Rains cites statistics derived from executions of Microsoft’s online Malicious Software Removal Tool, which showed that systems with up-to-date protection were 5.5 times less likely to be infected.
As of December 2012, the rate was 12.2 infections per 1,000 machines for unprotected systems vs. 2 per 1,000 for protected systems. The global average was 6 infections per 1,000.
On the other hand, infections still happen. But even the nature of the infections seems to have reached a state of equilibrium.
Today’s attacks: Two broad categories
Roger Thompson, chief security researcher at security testing firm and Verizon subsidiary ICSA Labs, divides today’s most common infections into two categories: APT (“advanced persistent threat”) and AFT (“another freaking Trojan”).
New examples of APT malware appear about once a month, are aimed at a particular target and are produced by organizations with impressive resources, abilities and patience, he says. The classic example is Stuxnet, the worm discovered in 2010 whose goal appears to have been to make centrifuges in Iranian nuclear facilities destroy themselves by spinning too fast.
“Each one is different and scary,” Thompson notes.
As for AFTs, self-replicating malware is no longer the infection vector of choice, with attackers preferring to launch drive-by attacks from infected websites against victims who were tricked into visiting. (However, worms and older malware are still lurking on the Internet, and an unprotected machine can still get infected in a matter of minutes, sources agree.)
Average annualized cybercrime cost
These costs are weighted by attack frequency in 60 companies benchmarked.
Denial of service – $243,913
Malicious insiders – $198,769
Web-based attacks – $125,101
Malicious code – $102,216
Phishing/social engineering – $21,094
Stolen devices – $20,070
Botnets – $2,088
Viruses, worms, trojans – $1,324
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
The acquisition of new Trojans appears to be limited only by a researcher’s ability to download examples, experts agree; hundreds of thousands can be collected each day. Many examples are simply members of long-standing malware families that have been newly recompiled, and some malicious websites will recompile their payload — creating a unique file — for each drive-by attack. There are probably no more than a thousand such families, since there is a finite number of ways to take over a machine without crashing it, notes Thompson.
The initial infection is usually a compact boot-strapping mechanism that downloads other components. It may report back to the attacker on what kind of host it has infected, and the attackers can then decide how to use the victim, explains Zeltser.
These days, an infected home system is typically hijacked by the attackers for their own use. With a small enterprise, the object is to steal banking credentials, while with large enterprises, the object is typically industrial espionage, Murray explains.
While the anti-malware vendors have adopted a multi-pronged strategy, so have the attackers — for instance, writing malware that does not stir until it sees that it is not in the kind of virtual machine used to trick malware into revealing itself.
Meanwhile, the attackers have formed their own economy, with a division of labor. “Some are good at crafting malware, others are good at infecting systems, and others are good at making money off the infections, such as by sending spam, or by launching distributed-denial-of-service attacks, or by pilfering data,” says Zeltser.
“You can buy the software required to do the account takeover, and then to convert the money into cash you hire mules,” Murray adds.
New battlefields include XP, Android
But while many pundits expect to see a continued cycle of attack and defense, they also foresee additional future dangers: Windows XP may become unusable because of the support situation, and the Android smartphone environment may be the next happy hunting ground for malware.
For its part, Windows Vista is no longer receiving mainstream support, but Microsoft has announced the company will continue issuing security updates for the OS through mid-April 2017.
Windows XP, released in 2001, is still widely used, but Microsoft will stop issuing security updates for it after April 2014. At that point, Microsoft will continue to issue security updates for Windows 7 and Windows 8, and after each one is issued the malware writers will reverse-engineer it to identify the vulnerability that it addresses, Rains predicts.
“They will then test XP to see if the vulnerability exists there, and if it does they will write exploit code to take advantage of it,” Rains says. “Since XP will never get another update, the malware writers will be in a zero-day-forever scenario. If they can run remote code of their choice on those systems it will be really hard for anti-virus protection to be effective. The situation will get worse and worse and eventually you will not be able trust the operating system for XP.”
“People should not be running XP,” agrees Schouwenberg. “When it was written the malware problem was very different than it is today. It had no mitigation strategies and is extremely vulnerable.”
Android, meanwhile, is going like gangbusters on smartphones — outselling Apple’s iOS phones in the third quarter of this year, according to Gartner — making it a huge target for crackers.
Experts see many parallels between Android’s development and the early history of the Windows market, with hardware vendors adapting a third-party operating system for their products, leaving no single party ensuring security. And with the Android market, the additional involvement of telecommunications carriers is a complicating factor.
Average days to resolve attack in 60 companies benchmarked
Malicious insiders include employees, temporary employees, contractors and, possibly, business partners.
Malicious insiders – 65.5
Malicious code – 49.8
Web-based attacks – 45.1
Denial of service – 19.9
Phishing/social engineering – 14.3
Stolen devices – 10.2
Malware – 6.7
Viruses, worms, trojans – 3
Botnets – 2
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
“It is not like the case with Apple, which can push security updates to every iPhone in the world in one day,” says Schouwenberg. “With Android, the manufacturer has to implement the patches and then go through certification with the carrier before the patches are deployed. Assuming your phone still gets security updates it may be months before you get them. That would not be considered acceptable with a laptop.”
“Android is in a position that Windows was in a few years ago; there is not enough protection,” adds Johannes Ullrich, head of research at the SANS Technology Institute, which certifies computer security professionals.
Is there hope?
Returning to the ecology metaphor, sometimes the impact of an asteroid will drive species into extinction. And, indeed, sources can point to extinction types of events in the short history of the malware biosphere.
Thompson, for instance, points out that the adoption of Windows 95 drove MS-DOS malware into extinction by adding protected mode, so one program could not overwrite another at will. Microsoft Office 2000 drove malware based on Office 95 macros into extinction by adding a feature that basically required user permission before a macro could run. Windows XP Service Pack 2 in 2004 turned the Windows firewall on by default, wiping out another generation of malware.
“But there is no extinction-level-event in sight to wipe out the current Trojans,” Thompson says.
Even if there were such a miracle, attackers could fall back on persuasive email, officious phone calls, smiling faces or other non-technical manipulations usually referred to as “social engineering.”
“The success rate for social engineering is phenomenal,” says John Strand, network penetration tester with Black Hills Information Security in Sturgis, SD.
People will call in pretending to be from a help desk, suggesting that the user download (infected) software. Or plausible emails such as a delivery notification will entice users to click on infected links, he explains.
And then there’s software that tells the user to disable the system’s malware protection “to ensure compatibility.” “I don’t think there is any legitimate software that needs you to disable security protection for compatibility reasons,” says Schouwenberg. “But some software does ask you to disable it during installation, creating a precedent, so they think it’s all right when they get email from a website telling them to turn it off.”
Even if users are trained to resist such ploys, smiling people with clipboards and faux badges may show up at the front desk saying they need to inspect the server room on some pretext — and they’ll probably be allowed in, says Strand.
Beyond that, large numbers of log-in credentials to corporate networks are always for sale at various malicious sites, because people have registered at third-party sites using their office email addresses and passwords — and those sites were later compromised, Strand adds.
“The good news is that it is relatively easy to defend against most malware, if you use up-to-date anti-virus software, run a firewall, get security updates and use strong passwords,” Rains says. “These techniques can block the major attacks used today and probably for years to come.”
“The best practices I was telling people about 10 years ago I still have to tell people about today,” Haley adds. “Have good security software, update the system and use good common sense. Don’t link to email that doesn’t seem right.”
Finally, Pescatore suggests looking to the field of public health (rather than the military or ecology) for a metaphor about living with malware. “We have learned to wash our hands and keep the cesspool a certain distance from the drinking water,” he notes. “We still have the common cold, and we still have occasional epidemics — but if we react quickly we can limit the number who are killed.”
Microsoft was credited with inventing practically everything first, directly through innovation before its time, or indirectly and invisibly because everything runs on Microsoft software.
Well, it seems as if Microsoft is being credited with inventing almost everything.
We’ll start with the post by TechRadar defending Microsoft and crediting the company with inventing practically everything, including the wheel, as in the mouse wheel. The did-you-know flavored list begins with Google TV, pointing out that Microsoft did that first in 1997 by acquiring WebTV, renaming it MSN TV, and eventually using the technology in the Xbox and Xbox 360. WebTV was the first to allow web access without a computer, but let’s toss in the little-known fact that in 1996, before it became Microsoft’s product, the U.S. government classified WebTV as “munitions (a military weapon)” due to its use of strong encryption. It was a change in law, not Microsoft touching the technology, that ended the military-weapon classification.
The TechRadar article goes on to credit Microsoft with inventing its own version of the iPad first: the Tablet PC, which shipped in 2002 but was “too big, bulky and expensive.” Facebook’s walled garden was credited to Microsoft’s 1995 version of MSN. The Redmond giant was first to market smart watches (Smart Personal Object Technology, or SPOT) that took advantage of mobile data. In 2000, Microsoft put out the first eReader; also in 2000, it invented the first smartphone with its Pocket PC platform. TechRadar even compared Microsoft Bob, released in 1995, to the earliest version of today’s Siri and Google Now. The lack of success of Microsoft’s many inventions was attributed to their coming before their time or having no killer apps.
But those examples of what Microsoft invented are just a drop in the bucket if you use the “invisible” supportive structures reasoning presented by Microsoft’s Matt Wallaert, Behavioral Psychologist for Bing. Wallaert, who recently defended Microsoft’s Bing it on challenge claims, mentioned that fight in his Forbes article, before describing the worst part about working at Microsoft. “Every time you take a pot shot at Microsoft just to be a jerk, you distract us from doing the work that makes the world better.”
It is safe to say that most people reading this probably don’t respect Microsoft very much. Asked to name the most innovative tech company, they’ll say Apple or Google. And they’ll do it with a straight face, while sitting in a chair made by Microsoft.
Wait, Microsoft makes chairs? No, not directly. But the parts of that chair? Manufactured in facilities running on, you guessed it, Microsoft software. Transported in trucks built by Microsoft software, on roads built by Microsoft software, sold by companies running Microsoft software.
Imagine you got out of that chair for a second. Walked across the street to get a cup of coffee. Got hit by a bus. The ambulance that picks you up? Microsoft. The hospital that saves you? Microsoft. The doctor? Trained at a school running Microsoft, using delicate instruments running Microsoft. If you prefer not getting hit by a bus, think about the role that Microsoft has had in making sure your baby was born healthy.
So there you have it; if you consider the “invisible” supportive structures, then, hey, Microsoft can be credited with inventing pretty much everything and we apparently underrate its value.
How Microsoft invented almost everything
By the same token, if you consider the “invisible” argument of Microsoft software being behind all good things, would it also have to be behind all the bad? If you fell out of your computer chair — because you didn’t rest well the night before on the mattress manufactured in a factory running Microsoft software — and decided to go across the street to fetch a cup of coffee, what caused the accident?
Your mobile phone rings as you step onto the street. It’s your distressed non-techy mom describing how Windows crashed, so you close your eyes briefly and smother a curse word. The bus driver, who is busy texting on his Windows phone, doesn’t see you and therefore hits you; but no worries because a Microsoft-built ambulance picks you up and transports you to the hospital filled with doctors trained at schools running Microsoft. The delicate instruments running Microsoft software save you, despite running on an OS infected with malware. Your doctor, who is looking down at notes on his Surface tablet, greets you in the recovery room and tells you that your sex change operation went great. But before you can freak out, elsewhere Chinese Army hackers exploited a zero-day to break into government computers running Windows and stole classified codes to launch nukes. The world, running on Microsoft, ends.
Just kidding, but that’s the problem with the “invisible” supportive structures argument; it can be used in far-out scenarios for good and for bad.
“Your privacy is very important to us,” Microsoft is fond of saying. But if a former Microsoft Privacy Chief no longer trusts Microsoft, should you?
Bowden’s statements were made during a conference about privacy and surveillance that was held in Lausanne, Switzerland, and reported on by the Guardian. At one point, Bowden’s presentation slide showed a “NSA surveillance octopus” to help illustrate the evils of surveillance in the U.S. cloud; but this was not a PowerPoint presentation. He was using LibreOffice 3.6 because he doesn’t trust Microsoft software at all anymore. In fact, he said he only uses open source software so he can examine the underlying code.
An attendee pointed out that free software has been subverted too, but Bowden called open source software “the least worst” and the best option to use if you are trying to avoid surveillance. Another privacy tip…the privacy pro also does not carry a personal tracker on him, meaning Bowden gave up on carrying a mobile phone two years ago.
No privacy in the cloud: zero, zippy, none
According to Bowden, “In about 2009 the whole industry turned on a dime and turned to cloud computing – massively parallel computation sold as a commodity at a distance.” He said, “Cloud computing leaves you no privacy protection.” However, “cloud computing is too useful to be disinvented. Unlike Echelon, though, which was only interception, potentially all EU data is at risk. FISA (Foreign Intelligence Surveillance Act) can grab data after it’s stored, and decrypted.”
Bowden authored a paper about “the U.S. National Security Agency (NSA) surveillance programs (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens’ fundamental rights.” While it mostly dissects how “surveillance activities by the U.S. authorities are conducted without taking into account the rights of non-U.S. citizens and residents,” it also looks at some “serious limitations to the Fourth Amendment for U.S. citizens.”
“The thoughts prompted in the mind of the public by the revelations of Edward Snowden cannot be unthought. We are already living in a different society in consequence,” Bowden wrote [pdf]. He again pointed out the dangers to privacy in cloud computing. “The scope of FAA creates a power of mass-surveillance specifically targeted at the data of non-U.S. persons located outside the U.S., including data processed by ‘Cloud computing’, which eludes EU Data Protection regulation.”
Data can only be processed whilst decrypted, and thus any Cloud processor can be secretly ordered under FISA 702 to hand over a key, or the information itself in its decrypted state. Encryption is futile to defend against NSA accessing data processed by US Clouds (but still useful against external adversaries such as criminal hackers). Using the Cloud as a remote disk-drive does not provide the competitiveness and scalability benefits of Cloud as a computation engine. There is no technical solution to the problem.
He concluded that there is an “absence of any cognizable privacy rights for ‘non-U.S. persons’ under FISA.”
Microsoft’s strategy: Grind down people’s privacy expectations
It was Bowden’s position over privacy policies for Microsoft that makes his point of view important. This man, a privacy expert, no longer trusts Microsoft as a company, nor its software. Yet Microsoft (and almost all other companies) love to publicize the quote, “Your privacy is very important to us.” But does Microsoft really care about your privacy?
During an interview with Bowden, the London School of Economics and Political Science (LSE) asked, “Do you think the general public understands how much privacy they have in the digital world?”
Bowden replied, “There’s been a grinding down of people’s privacy expectations in a systematic way as part of the corporate strategy, which I saw in Microsoft.”
Regarding the Guardian’s report that Bowden does not trust the Redmond giant, Microsoft sent this PR damage-control statement to CNET:
“We believe greater transparency on the part of governments – including the U.S. government – would help the community understand the facts and better debate these important issues. That’s why we’ve taken a number of steps to try and secure permission, including filing legal action with the U.S. government.”
About that transparency…LSE asked Bowden, “What’s your view on the transparency policies of tech-companies?”
Bowden replied, “It is purely public relations strategy – corporate propaganda aimed at the public sphere – and due to the existence of secret mass-surveillance laws will never be truly transparent.”
From anywhere on the planet, a hacker could open and close the lid to your smart toilet, turn your child’s smart toy into a covert surveillance device, or unlock the doors of your smart home.
Disregard for a moment why you would ever want to connect a toilet to the Internet to “record a toilet diary,” and instead ask why would a person hack a smart toilet? Because it’s there; it’s vulnerable and it helps to highlight new security risks associated with smart devices connected to the web, making up the Internet of Things.
LIXIL Satis Bluetooth smart toilet
Since the Japanese-manufactured LIXIL Satis smart toilet is extremely expensive, as much as about $6,000, and not readily available in the U.S., researchers at the security firm Trustwave reverse-engineered an Android app for the Bluetooth-controlled Satis. It has a hard-coded PIN of “0000,” according to the security advisory, and:
any person using the “My Satis” application can control any Satis toilet. An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.
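The advisory’s point is that a PIN shipped inside the app is shared by every copy of the app, so knowing it proves nothing about who owns the device. The following is an added example, not code from the advisory, Trustwave or LIXIL: a simulated device that accepts the app-wide PIN, beside one that assigns each unit its own PIN at pairing time, compares it in constant time and locks after repeated failures. The device class, command names, PIN length and lockout threshold are constructed for illustration and say nothing about how the real product works internally.

```python
"""
Added example (not code from the advisory, Trustwave or LIXIL): why a PIN
baked into an app means any copy of the app controls any device, beside a
pairing model that avoids it. The device class, command names, PIN length
and lockout threshold are constructed for illustration.
"""
import hmac
import secrets

APP_WIDE_PIN = "0000"   # the pattern in the advisory: one value shipped in every copy of the app


class WeakDevice:
    """Accepts any command carrying the app-wide PIN, so ownership never enters into it."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.actions = []

    def command(self, pin, action):
        if pin != APP_WIDE_PIN:
            return False
        self.actions.append(action)
        return True


class HardenedDevice:
    """Per-device PIN chosen at pairing, constant-time compare, lockout after repeated failures."""

    PIN_DIGITS = 6
    MAX_FAILURES = 5

    def __init__(self, device_id):
        self.device_id = device_id
        self.actions = []
        self.failures = 0
        self.locked = False
        self._pin = None

    def pair(self):
        """Generate a random PIN; a real device would show it on the unit, not ship it in the app."""
        self._pin = "".join(secrets.choice("0123456789") for _ in range(self.PIN_DIGITS))
        return self._pin

    def command(self, pin, action):
        if self.locked or self._pin is None:
            return False
        # constant-time comparison: timing must not reveal how many digits matched
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.locked = True        # owner must re-pair to clear it
            return False
        self.failures = 0
        self.actions.append(action)
        return True


def demo():
    """A stranger who installed the same app sends 'flush' to someone else's device under each model."""
    weak = WeakDevice("unit-A")
    weak_stranger = weak.command(APP_WIDE_PIN, "flush")   # succeeds: the stranger's app has the same PIN

    hardened = HardenedDevice("unit-A")
    owner_pin = hardened.pair()
    owner_ok = hardened.command(owner_pin, "flush")

    # the stranger tries the app-wide default and a few common guesses (the owner's PIN is excluded
    # from the list so the demo is deterministic)
    guesses = [g for g in ["0000", "000000", "123456", "111111", "654321", "121212"] if g != owner_pin][:5]
    stranger_results = [hardened.command(g, "flush") for g in guesses]

    return {
        "weak_stranger_controls_device": weak_stranger,
        "hardened_owner_controls_device": owner_ok,
        "hardened_stranger_controls_device": any(stranger_results),
        "hardened_locked_after_guesses": hardened.locked,
        "hardened_actions": list(hardened.actions),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened model still has a short numeric PIN; what changes the risk is that the secret is per-device, never inside the app binary, and bounded by a lockout, so reverse-engineering the app yields nothing that works against someone else’s unit.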
Although that hack is more of a prank, you might take the security risk more seriously if an attacker could secretly access the webcam in your child’s toy, capture video and then upload it to a remote server.
Violet’s Karotz Smart Rabbit
The toy in question is a Karotz plastic bunny that “can connect to the Internet (to download weather forecasts, read its owner’s email, etc.),” stated the bunny security advisory. It “can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip and speakers.” In fact, an attacker could “take control of it from a computer and remotely watch live video, turning it into an unwitting surveillance camera.”
Hacking smart houses
At the Black Hat Home Invasion v2.0 presentation, Trustwave researchers covered serious topics as well, such as how someone other than the home or business owner can unlock doors from anywhere in the world. As an example, Trustwave security researcher Dan Crowley took a random four-digit number from a hacking conference attendee and then changed the lock’s PIN to it. They also discussed security issues discovered when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge.
Although one of the benefits of having a smart home is that you remotely control it via a smartphone, tablet or PC, that convenience comes with a plethora of personal security and privacy risks. During the Black Hat session [pdf slides], the researchers showed how the home automation gateways Mi Casa Verde Veralite and Insteon Hub have “vulnerabilities that, if not fixed, could result in covert audio and video surveillance, physical access to buildings or even personal harm.”
“The big risk is that a compromise could give you access to hundreds of thousands of homes all at once,” Crowley stated. “I could see that as an attack someone could actually use to launch a crime spree.” He added that if someone broke into your house, but there was no sign of forced entry, then how would you get your insurance company to pay?
Granted the toilet hack is invasive but more like a prank, yet an attacker could also seriously mess with a person’s mind by simply running a web search for smart homes with Insteon and then remotely taking control of the lights as if the house were “haunted.”
The potential for hacking smart homes and the Internet of Things—from exploiting network connected toys, thermostats, wireless speakers, to automated door locks—will only continue to grow as more people adopt these technologies. There are plenty of privacy risks in addition to the security vulnerability issues as their white paper [pdf] states:
There are also privacy concerns in the compromise of these devices. Compromise of a device with a built-in microphone or camera comes with the ability to perform audio and video surveillance. Compromise of a motion sensor could be used to determine when there are people at a physical location. Reading the status of door locks and alarm systems as could be achieved by compromising the VeraLite could be used to determine when the building in which it resides is occupied.
Legally, devices that store data on third party servers also enjoy a lower level of privacy protections due to the 3rd Party Doctrine. Many of the devices in this paper fall into this category.
Mud slinging round one million: Google CEO Larry Page warned against companies being “negative,” before claiming Microsoft is “milking” Google. Microsoft zinged back about the cease and desist letter Google sent.
Last week, Microsoft incorporated Google Talk into Outlook and SkyDrive to allow users “to chat with friends stuck on Gmail.” Then Google CEO Larry Page criticized Microsoft for “taking advantage” of “interoperating” with Google, “but not doing the reverse.” That’s “really sad,” Page said at I/O, “And that’s not the way to make progress. You need to actually have interoperation, not just people milking off one company for their own benefit.”
In return, Microsoft spokesperson Frank Shaw stated, “It’s ironic that Larry is lending his voice to the discussion of interoperability considering his company’s decision — today — to file a cease and desist order to remove the YouTube app from Windows Phone, let alone the recent decision to make it more difficult for our customers to connect their Gmail accounts to their Windows experience.”
Google claimed that Microsoft violated Google’s Terms of Service with the YouTube app. The Verge got its hands on a copy of that cease and desist letter that Google sent Microsoft. It demands that Microsoft “immediately withdraw this application from the Windows Phone Store and disable existing downloads of the application by Wednesday, May 22, 2013.” Google’s real gripe stems from the fact that Microsoft’s YouTube app has “features that specifically prevent ads from playing.”
After the cease and desist letter went public, Microsoft responded by “saying it’s happy to include advertising.” However, ZDNet speculated that the Windows Phone 8 YouTube app might have been part of Microsoft’s Scroogled campaign.
You wouldn’t know all this background cease and desist drama from what Page said at I/O.
Every story I read about Google gives off a notion of “us versus some other company” or some stupid thing. Being negative is not how we make progress. The most important things are not zero-sum. There is a lot of opportunity out there.
Opportunities on “Google Island”
Gadget Lab’s Mat Honan wrote about some of those far-out and freaky opportunities in a fictional piece about “Google Island.” It’s an interesting and trippy read. Honan talked about arriving at Google Island in a “driverless boat” to find Page’s naked “Google Being” explaining “complete openness” made possible by experimenting on an island in which no pesky government’s laws could get in the way with privacy.
At I/O, Page expressed an interest in setting aside a place “where people could experiment freely and examine the effects.” Honan joked that the place is Google Island, where Page would claim, “As soon as you hit Google’s territorial waters, you came under our jurisdiction, our terms of service. Our laws – or lack thereof – apply here. By boarding our self-driving boat you granted us the right to all feedback you provide during your journey.”
Besides Google knowing everything about a user’s health, “genetic blueprint” and even “the chemical composition of your sweat,” Honan’s fictional Page claimed that Google has “looked at everything you’ve looked at online. Everything. We know what you want, and when you want it, down to the time of day. Why wait for you to request it? And in fact, why wait for you to discover that you even want to request it? We can just serve it to you.”
OK, so that was fiction…but it harkens back to a time when then-Google CEO Eric Schmidt said, “With your permission you give us more information about you, about your friends, and we can improve the quality of our searches. We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” Schmidt later added, “I actually think most people don’t want Google to answer their questions…They want Google to tell them what they should be doing next.”
Google is all about ad revenue and the company will never allow Microsoft to block ads on YouTube. Meanwhile, speaking of YouTube and ads, Nintendo is scanning for fan-made YouTube clips that show footage of its games, such as how to get through a level, and then “hijacks” the ad revenue. Nintendo is not blocking screencaps that feature its intellectual property; however, by using content ID match to identify game footage videos uploaded by fans, Nintendo is adding advertising “at the beginning, next to or at the end of the clips.”
Summary: About 20 percent of compromised credentials, exposed via hacks on other service providers, match Microsoft Account logins due to password reuse
Around 20 percent of the logins found on lists of compromised credentials match those of Microsoft Accounts due to consumers using the same login details across more than one service, the company has said.
The lists are circulated by organisations and hackers in the wake of attacks on third-party service providers.
People re-use passwords and login details across services from different providers, Microsoft Account group manager Eric Doerr noted in a blog post on Sunday. That reuse means that if one set of logins is compromised, other accounts are at risk.
“These attacks shine a spotlight on the core issue — people reuse passwords between different websites,” said Doerr, speaking after the Yahoo breach last week that exposed 400,000 user details. “On average, we see successful password matches of around 20 percent of matching usernames.”
Doerr revealed the figure in a run-down of some Microsoft Account security practices, meant to reassure customers after the Yahoo hack. Microsoft Account is a single sign-on tool for Microsoft services such as SkyDrive, Hotmail, Xbox and Messenger.
Microsoft regularly gets lists of compromised third-party login details from ISPs, law enforcement and vendors, as well as from lists published on the internet by hackers, according to Doerr. An automated process checks those lists against Microsoft login details for any overlap. While 20 percent is the average, in one recent breach it was only 4.5 percent, said Doerr.
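The overlap check described above can be done without the service ever seeing its own users’ plaintext passwords: each leaked password is run through the same salted hash the service stores for that account and compared. The block below is an added example written for this page, not Microsoft’s code; the accounts, the leaked list and the PBKDF2 settings are constructed sample data. The ratio it reports (password matches among matching usernames) is the figure the article quotes as “around 20 percent”.

```python
"""
Added example (not from the article or Microsoft): checking a leaked
credential list against a service's own salted password hashes, and
flagging the accounts whose leaked password works here for a forced reset.
The accounts and the leaked list below are constructed sample data.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor; a real deployment tunes this for its hardware


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(username, password):
    """Simulate account creation: random per-user salt, no plaintext kept."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def check_leaked_list(accounts, leaked):
    """Compare a leaked (username, password) list with local accounts.

    Returns the leaked usernames that exist here, the subset whose leaked
    password also authenticates here, and the ratio of the two.
    """
    by_name = {a["username"].lower(): a for a in accounts}
    matching_usernames = []
    password_matches = []
    for user, password in leaked:
        acct = by_name.get(user.strip().lower())
        if acct is None:
            continue                     # not our customer; nothing to do
        matching_usernames.append(acct["username"])
        candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            password_matches.append(acct["username"])
    rate = len(password_matches) / len(matching_usernames) if matching_usernames else 0.0
    return {"matching_usernames": matching_usernames,
            "password_matches": password_matches,
            "match_rate": rate}


# constructed sample data: five customers, one of whom reused a password elsewhere
ACCOUNTS = [
    make_account("alice@example.com", "Summer2012!"),       # reused on the breached site
    make_account("bob@example.com", "bob-unique-pass-1"),
    make_account("carol@example.com", "carol-unique-pass-2"),
    make_account("dave@example.com", "dave-unique-pass-3"),
    make_account("erin@example.com", "erin-unique-pass-4"),
]

# constructed leaked list as it might circulate after a third-party breach
LEAKED = [
    ("Alice@Example.com", "Summer2012!"),   # case differs; normalised before lookup
    ("bob@example.com", "password1"),
    ("carol@example.com", "qwerty"),
    ("dave@example.com", "letmein"),
    ("erin@example.com", "hunter2"),
    ("frank@other.example", "frank123"),    # not an account here
    ("grace@other.example", "grace123"),    # not an account here
]


def accounts_to_reset():
    """Usernames whose leaked password works here and should be forced through a reset."""
    return check_leaked_list(ACCOUNTS, LEAKED)["password_matches"]


if __name__ == "__main__":
    result = check_leaked_list(ACCOUNTS, LEAKED)
    print(f"{len(result['matching_usernames'])} usernames overlap, "
          f"{len(result['password_matches'])} passwords match "
          f"({result['match_rate']:.0%}); force reset for: {result['password_matches']}")
```

Two details matter in practice: the lookup normalises the username the way the login path does (here, case and surrounding whitespace), and the hash comparison uses a constant-time compare so the checking job itself cannot be turned into a timing oracle if it is ever exposed.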
After a hack attack on another provider, Microsoft monitors its user accounts to see if they are being used to send spam. If it sees signs of criminal activity, it suspends the account, and the affected customer has to go through an account recovery process before being able to log in again.
If Microsoft suspects, but is not certain, that there has been a breach, it will ask customers to reset their passwords.
The company also uses behavioural monitoring technology similar to that used by banks to log patterns of access and location, to see if an attempted login is suspicious. The technology can block the attempt, or ask an additional identity question to decide whether to grant access.
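The behavioural check the paragraph describes boils down to comparing each login attempt with what the service already knows about the account. The following is an added example, not Microsoft’s code: a small rule set over device history and the time and place of the previous login that returns allow, challenge (ask an extra identity question) or block. The users, device names, coordinates, timestamps and thresholds are constructed sample data.

```python
"""
Added example (not from the article or Microsoft): risk-based login
decisions from device history and the time and place of the last login.
All users, devices, coordinates, timestamps and thresholds are constructed.
"""
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900      # faster than this between two logins is treated as impossible travel
FAR_AWAY_KM = 500            # a new device this far from the last login earns a challenge


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def decide(profile, event):
    """Return (decision, reason) for one login attempt against the account's profile."""
    new_device = event["device"] not in profile["devices"]
    if profile["last"] is not None:
        last_ts, last_lat, last_lon = profile["last"]
        hours = (event["ts"] - last_ts).total_seconds() / 3600
        dist = haversine_km(last_lat, last_lon, event["lat"], event["lon"])
        # same account seen in two places faster than any flight could carry it
        if hours >= 0 and dist > 0 and (hours == 0 or dist / hours > MAX_PLAUSIBLE_KMH):
            return "block", f"impossible travel: {dist:.0f} km in {hours:.1f} h"
        if new_device and dist > FAR_AWAY_KM:
            return "challenge", f"new device {dist:.0f} km from last login"
    if new_device:
        return "challenge", "new device"
    return "allow", "known device, plausible location"


def process_logins(events, known_devices):
    """Run a sequence of attempts for one account; the profile advances only on allowed logins."""
    profile = {"devices": set(known_devices), "last": None}
    decisions = []
    for ev in events:
        decision, reason = decide(profile, ev)
        decisions.append((decision, reason))
        if decision == "allow":
            profile["last"] = (ev["ts"], ev["lat"], ev["lon"])
    return decisions


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


LONDON = (51.5074, -0.1278)
SYDNEY = (-33.8688, 151.2093)

# constructed attempts for one account whose only known device is "laptop-1"
SAMPLE_EVENTS = [
    {"ts": _ts("2012-07-15 09:00"), "device": "laptop-1", "lat": LONDON[0], "lon": LONDON[1]},
    {"ts": _ts("2012-07-15 10:00"), "device": "laptop-1", "lat": LONDON[0], "lon": LONDON[1]},
    {"ts": _ts("2012-07-15 11:00"), "device": "phone-9", "lat": LONDON[0], "lon": LONDON[1]},
    {"ts": _ts("2012-07-15 12:00"), "device": "laptop-1", "lat": SYDNEY[0], "lon": SYDNEY[1]},
]


def demo():
    """Decisions for SAMPLE_EVENTS: allow, allow, challenge (new device), block (London to Sydney in 2 h)."""
    return [decision for decision, _ in process_logins(SAMPLE_EVENTS, {"laptop-1"})]


if __name__ == "__main__":
    for (decision, reason), ev in zip(process_logins(SAMPLE_EVENTS, {"laptop-1"}), SAMPLE_EVENTS):
        print(f"{ev['ts']:%H:%M} {ev['device']:9} -> {decision:9} ({reason})")
```

A production system would add many more signals (IP reputation, time-of-day habits, failed-attempt counts) and would let a passed challenge enrol the new device; the point here is the shape of the decision: a known device in a plausible place is allowed silently, an unknown device is challenged, and a location the account cannot physically have reached is refused outright.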
The Microsoft Account team is working on tightening up security, Doerr said. The current 16-character limit on password length is set to increase, to make brute-force attacks more difficult, for example. However, Microsoft is having problems making passwords longer because of its ecosystem, he noted.
“Unfortunately, for historical reasons, the password validation logic is decentralised across different products, so it’s a bigger change than it should be and takes longer to get to market,” Doerr said.
Yahoo, Gmail, Hushmail, Yandex and MyOperaMail all allow passcode lengths of 30 characters, as one Microsoft account holder, MondayBlues, pointed out in a comment.
Doerr noted that people using SkyDrive device-synchronisation software and buying products on Xbox.com are required to use two-factor authentication. Microsoft is working on implementing this security measure in more products and services, he said, but did not specify which.
Updated: This article was updated at 5.22pm BST after clarification from Microsoft.