Category Archives: Microsoft

Microsoft 0, EU 1, Users 10

Microsoft has been, ever since Windows 10 was released, in a race to collect more and more data on how you as a user do things.  While users have complained, Microsoft remained steadfast: not only did it not change its habits, it also remained pretty quiet as to what data it was collecting.

Then the E.U.’s Working Party 29 (WP29) came along.  Last year the E.U. started investigating Microsoft’s privacy practices.  The E.U. has a different perspective on privacy than the U.S. does.

In fact, in the E.U., come next year when the General Data Protection Regulation (GDPR) goes into effect, a company can be fined up to 4 percent of the annual global turnover (revenue).

Apparently, Microsoft decided that this was not a game of chicken that it wanted to play and so they folded.

So, what did they do?

First, they added a privacy section to each user’s web account (https://account.microsoft.com/privacy) that allows a user to see his or her browsing history, search history, location history and Cortana history, among other data.

Then they added a new privacy panel in the Windows 10 release that is going out next week (called Creators Update).

Here is a screenshot of the new panel:

Next, they updated the privacy statement on their web site at https://privacy.microsoft.com.

While all of this is interesting, what is most interesting is that they finally outlined what data on you and me they are collecting in Windows 10.

They posted two Wiki pages detailing the information that they are collecting.  The two pages correspond to the two data collection levels a user can choose, basic or full.

This is, by far, the most information that Microsoft has published to date on Windows 10 data collection practices.

While you cannot turn off all of the collection activities, at least we now know what data is being collected.  I am sure that researchers and reporters will be combing over this data in the days and weeks ahead to give us a better view of what this means.

A few of the data types they are collecting include:

  • OS name, version, build, and locale
  • User ID
  • Xbox UserID
  • Device properties
  • Device capabilities
  • Device preferences and settings
  • Device peripherals
  • Device network info
  • App usage
  • App or product state
  • Login properties
  • Device health and crash data
  • Device performance and reliability data
  • Installed applications and install history
  • Device update information
  • Content consumption data (movies, TV, reading, photos)
  • Microsoft browser data
  • Information about local search activity
  • Voice, inking, and typing
  • Licensing and purchase data

And just think. All it took was the threat of WP29 fining Microsoft up to $4 billion.  I guess, even to Microsoft, $4 billion is a lot.

Information for this post came from Bleeping Computer.


Security News: Apple, Microsoft and Lastpass

A few short items today.

First, Lastpass, one of the two password managers that I like (the other is Keepass), has been hit with three different security bugs in the last couple of weeks.  This is due to the fact that Google Project Zero security researcher Tavis Ormandy has put Lastpass in his sights.  The first two bugs were each patched within a day of Tavis’ disclosure to Lastpass, which, compared to many other companies, is pretty amazing.  The third one has not been fixed yet; Tavis says that it is a fundamental architectural issue and cautioned Lastpass to take some time and fix it right.  Lastpass automatically updates its software, so as soon as the patches are available, they will be installed across the entire user base.

These bugs highlight the conflict between security and convenience.  All of the bugs are related to integrating Lastpass into the browser so that it can automatically push userids and passwords into a website’s login page.  If you did not enable the browser integration, then none of these compromises would work.  Keepass does not have any browser integration, so it is not susceptible to these types of attacks.  The downside of not integrating is that users have to look up and type or copy/paste the passwords manually, which, of course, is not so convenient.

I absolutely still recommend password managers and if you are on the overly paranoid side, disable Lastpass’s browser integration until these issues are resolved.

On the Microsoft front, Microsoft runs a web site called Docs.com, which it bills as a way to showcase your documents.  While no bugs were found, documents uploaded to Docs.com (but not those created in Office 365) DEFAULTED to public viewing.  With this setting, search engines indexed the files, and a large number (thousands) of very sensitive documents such as passports, password lists, medical records and other documents were exposed.

After this was publicly revealed, Microsoft made a change to the site.  While uploaded documents are still public by default, you now get a huge warning telling you that, and it pushes you down the page to where you can easily change that setting – but only for that document.

This means that the user needs to pay attention and make sure that the permissions on documents are what they want them to be.  Why the permissions on Office 365 documents are different from those on uploaded documents is still a mystery to me.  It seems like the default should be private, making people intentionally share a document if that is their intention, but that is not what Microsoft is doing right now.

This is a reminder to all users of cloud storage systems such as Box, Dropbox, Google Drive and others to make sure that the privacy settings on documents are what they expect.  In many cases, if you send someone a link to a document, then anyone who has the link can open the document.

Finally, Apple just released iOS 10.3.  To dispel the myth that Apple is a superhero, the list of bugs is pretty long.  Apple, while very security conscious, still uses human beings to program its software (as far as I know), and humans make mistakes.  If you have not installed the new version, you should, as attackers use these announcements to exploit vulnerabilities in non-updated software.  A partial list of the count of bugs fixed by category includes:

  • Accounts – 1
  • Audio – 1
  • Carbon – 1
  • CoreGraphics – 2
  • CoreText – 3
  • Data Access – 1
  • Font Parser – 3
  • HomeKit – 1
  • Http Protocol – 1
  • ImageIO – 4
  • iTunes Store – 1
  • Kernel – 8
  • Keyboards – 1
  • Safari – 4
  • Safari Reader – 1
  • Safari View Controller – 1
  • Security – 4
  • WebKit – 17 (this is the basis of Safari)

And a bunch of others.

As you can see, this fixes bugs all over the operating system, not just in one area.

This is not a dig at Apple, just a reminder that you really do need to make sure that your Apple (and other) devices stay updated.

Information for this post came from Steve Gibson at Gibson Research.  If you are not familiar with Steve’s security podcast, I highly recommend it, but it is a bit geeky.


Microsoft Internet Explorer Users Have Six Weeks To Get Current

January 12th is the deadline for Windows Internet Explorer users to upgrade to the current version of IE or lose support and patches.

Last June Microsoft told the nearly 370 million IE users that they had until January to switch to IE 11.  There are a couple of exceptions.  Windows Vista and Windows Server 2008 users can run IE9, and Windows Server 2012 users can run IE10.  Everyone else has to upgrade to IE 11 or Microsoft Edge.

Over a hundred million users were running IE9 in November.  Over 70 million users were running IE10.

The good news is that those browsers will continue to work – but Microsoft won’t patch any bugs that hackers find.

And you can count on the fact that hackers will start targeting those users knowing that they are on their own.

Likely the biggest groups of users using elderly versions of IE are large corporations and government entities at all levels – those groups don’t deal with change well.

So, if you are one of those users who is using an outdated version of IE, then you should either upgrade or use an alternative browser such as Chrome or Firefox.

And if you work for one of those organizations that won’t let you do that, hope that they paid for extended support, assuming Microsoft offers it – which it looks like it does not.

For enterprises that need compatibility with older IE versions, Microsoft has built a number of add-ins that allow IE11 to act like older versions.  See the article below for more details on that.

Consider yourself alerted.

Information for this post came from Computer World.


Microsoft Releases Out Of Band Kerberos Patch

Microsoft released an out of band patch today for all supported versions of Windows.  The patch fixes a privately reported bug in the Kerberos Key Distribution Center (KDC) protocol.  If unpatched, it would allow an unauthorized user to execute an elevation of privilege attack.

“The problem stems from a failure to properly validate cryptographic signatures which allows certain aspects of a Kerberos service ticket to be forged.”

Microsoft says that limited attacks on Windows servers are already in the wild – hence the very unusual step of releasing a patch out of band.

Assuming that the domain is infected, the only solution is to rebuild the domain from scratch.

Mitch Tanenbaum
