Category Archives: Microsoft

Security News for the Week Ending August 23, 2019

Remember That Vague Client Alert Earlier This Week?

For those of you who are clients, you received an out of cycle client alert on Tuesday (they usually come out on Wednesday) providing a copy of the Homeland Security Alert on the Sodinokibi ransomware going after Managed Service Providers or MSPs.   It now appears that the attack on Texas towns (see below) is based on an attack on the MSP hosting the systems of those municipalities.  Assuming that is true (The state of Texas is being very vague on the whole situation), that could explain why DHS issued the alert at this time.  To reiterate the recommendation in the alert – make sure that your MSPs’ security programs are up to the task.  In the case of Texas, one town has announced that the attacker wants that town to pay $2.5 million in ransom.  Source: Bleeping Computer.

20 Texas Towns Hit by Ransomware.  Wait 23.  Wait …..

Cities and towns across the country have been hit by a wave of ransomware attacks, but of course, everything is bigger in TEXAS.

While the press release is very short on details, the Governor has called out the Texas Military Department (that is the combination of the Army National Guard, the Air National Guard and the Texas State Guard, which is an organized militia as defined in the Constitution) along with the experts at Texas A&M University (The Aggies have a world class cybersecurity capability) to help the cities impacted deal with the situation.  While Colorado was the first state to activate the National Guard to help with a cyber attack, Texas is now the third (after Louisiana) in what may become a trend. Source: KUT, Austin’s Public Radio Station. 

IRS Notifies Thousands of Cryptocurrency Traders of Back Taxes and Penalties

Not wanting to leave money – even digital money – on the table, the IRS has sent out letters to thousands of cryptocurrency traders who did not report the trades on their tax returns, assessing them taxes and penalties along with the threat of possible criminal prosecution.  Not a big surprise, but if you thought you could escape the tax man…  Of course, if you are trading peer to peer, then it is 100% unlikely that the tax man will ever find you.  Source: CNBC.


Huawei Goes Into Full Battle Mode

Huawei CEO Ren Zhengfei sent a memo to the company that says, in light of the US bans, that it was time for the company to go into full battle mode, making references to the military bible, The Art of War.

By continuing to suspend the ban, President Trump has effectively admitted that the ban on Huawei has only a little to do with national security and everything to do with his trade war – a ban which is affecting US companies’ bottom lines and users’ security.

In the meantime, Huawei says that it will build 60,000 5G base stations this year and 1.5 million next year – all without any US components.  Other countries continue to buy Huawei equipment, and US rural cell carriers say that it will cost them more than a billion dollars, which they do not have, to replace their Huawei equipment – meaning that they will dramatically slow 5G deployments.

Currently the US is lagging in 5G deployment and despite the President’s wishes that this is not so, this is not likely to change any time soon.  Read the details of this dance here.


Plan for End of Life of Software Support

End-of-life in software and hardware means no more security fixes and given the number of fixes we see every month, using software and hardware that is no longer supported is not a good plan.  No more patches does not mean no more flaws – just no more fixes for those flaws.  Hackers count on that fact.  Here is what is coming up to the end of life soon:

  • Python 2 on January 1, 2020 (about 4 months)
  • Windows 7 on January 14, 2020 (also about 4 months)
  • Windows Server 2008 and 2008 R2 also on January 14, 2020 (4 months).  As an incentive to get you to migrate to Azure, if you migrate your Windows 2008 servers to Azure before January 14th (and therefore pay Microsoft monthly cash), they will support Server 2008/2008 R2 for three more years.

For states with cybersecurity and privacy laws that say that you have to take reasonable measures to protect your data, it will be hard to defend in court, if you have to, that using unsupported software is taking reasonable measures.

Google to Add GMail Features – Maybe – For A Fee?

Google has an interesting strategy.  Build prototypes of products.  Show them or leak them.  See if anyone cares.  Kill them if it doesn’t work out, often after many users are already using them – there are lots of examples.

One other thing that they do is attempt to lock users into the Google ecosystem.  Of course.

TechCrunch is reporting that Google is working on a self destructing email (like Snapchat for email?).  But it only works if both users are on GMail and only if both users use the web client for GMail.  Sounds a bit limiting.  If one user is not using the GMail web client, they get a link instead that takes them to the web.

They may also be adding a feature to stop printing and stop forwarding.

Again, if they do, it will only work for GMail on both ends and only with the GMail web client.

Information for this post came from The Register.

So what does this mean?

Well first, what seems to be missing is end to end encryption, which seems like a pretty important feature.  

But encryption stops them from reading your email and doing things that they like to do.  They don’t read your emails to target ads – they have better ways to target ads – but they do read them for other features.

Next, the speculation is that this will only be available under the paid GMail model (GMail for business).  The paid version costs either $10 or $25 a month per user.  At that price there are competitors.

As of last year, Google said that they had 3 million paying users.  Microsoft says that they have 60 million paying Office 365 users and adding 50,000 customers (not mailboxes) a month.  Google never wants to play second fiddle.

It is certainly possible that they will give it away for free, but given that they are so far behind Microsoft, maybe not.  With GDPR taking effect in the European Union next month, and other countries (not including the U.S.) following the EU’s lead, ad revenue might be less predictable going forward.  Millions of monthly paying customers might be nice.

If you are looking for a free answer for secure email, ProtonMail is a good choice.  They also have a paid version with more features, but the free version is pretty good.

Office 365 has nice security features at well below $25 a month.  Microsoft has said that they are about to roll out end to end encryption for all paid Office 365 users at all levels.

The bottom line is that if you are looking for a secure email solution there are some decisions to make.  To me, Google’s solution is not so great.


Microsoft 0, EU 1, Users 10

Microsoft has been, ever since Windows 10 was released, on a race to collect more and more data on how you as a user do things.  While users have complained, Microsoft remained steadfast and not only did not change its habits, but also remained pretty quiet as to what data they were collecting.

Then the E.U.’s Working Party 29 (WP29) came along.  Last year the E.U. started investigating Microsoft’s privacy practices.  The E.U. has a different perspective on privacy than the U.S. does.

In fact, in the E.U., come next year when the General Data Protection Regulation (GDPR) goes into effect, a company can be fined up to 4 percent of the annual global turnover (revenue).

Apparently, Microsoft decided that this was not a game of chicken that it wanted to play and so they folded.

So, what did they do?

First, they added a privacy section to each user’s web account ( ) that allows a user to see his or her browsing history, search history, location history and Cortana history, among other data.

Then they added a new privacy panel in the Windows 10 release that is going out next week (called Creators Update).

Here is a screen shot of the new panel:

Next, they updated the privacy statement on their web site at .

While all of this is interesting, what is the most interesting is that they finally outlined what data on you and me they are collecting in Windows 10.

They posted two Wiki pages detailing the information that they are collecting.   The two pages represent two different data collection options that a user has, basic or full.

This is, by far, the most information that Microsoft has published to date on Windows 10 data collection practices.

While you cannot turn off all of the collection activities, at least we now know what data is being collected.  I am sure that researchers and reporters will be combing over this data in the days and weeks ahead to give us a better view of what this means.

A few of the data types they are collecting include:

  • OS name, version, build, and locale
  • User ID
  • Xbox UserID
  • Device properties
  • Device capabilities
  • Device preferences and settings
  • Device peripherals
  • Device network info
  • App usage
  • App or product state
  • Login properties
  • Device health and crash data
  • Device performance and reliability data
  • Installed applications and install history
  • Device update information
  • Content consumption data (movies, TV, reading, photos)
  • Microsoft browser data
  • Information about local search activity
  • Voice, inking, and typing
  • Licensing and purchase data

And just think. All it took was the threat of WP29 fining Microsoft up to $4 billion.  I guess, even to Microsoft, $4 billion is a lot.

Information for this post came from the Bleeping Computer.

Security News: Apple, Microsoft and Lastpass

A few short items today.

First, Lastpass, one of the two password managers that I like (the other is Keepass), has been hit with three different security bugs in the last couple of weeks.  This is due to the fact that Google Project Zero security researcher Tavis Ormandy has put Lastpass in his sights.  The first two bugs were each patched within a day of Tavis’ disclosure to Lastpass, which, compared to many other companies, is pretty amazing.  The third one has not been fixed yet; Tavis says that it is a fundamental architectural issue and cautioned Lastpass to take some time and fix it right.  Lastpass automatically updates its software, so as soon as the patches are available, they will be installed across the entire user base.

These bugs highlight the conflict between security and convenience.  All of the bugs are related to integrating Lastpass into the browser so that users can have it automatically push userids and passwords to a website’s login page.   If you did not do the browser integration, then none of these compromises would work.  Keepass does not have any browser integration so it is not susceptible to these types of attacks.  The downside of not integrating it is that users have to look up and type or copy/paste the passwords manually, which, of course, is not so convenient.

I absolutely still recommend password managers and if you are on the overly paranoid side, disable Lastpass’s browser integration until these issues are resolved.

On the Microsoft front, they run a web site called, which they bill as a way to showcase your documents.  While no bugs were found, by default, documents uploaded to, but not those created in Office 365, DEFAULTED to public viewing.  With this setting search engines indexed the files and a number (like thousands) of very sensitive documents like passports, password lists, medical records and other documents were exposed.

After this was publicly revealed Microsoft made a change to the site.  While uploaded documents are still public by default, you get a huge warning telling you that and it pushes you down on the page where you can easily change that setting – but only for that document.

This means that the user needs to pay attention and make sure that the permissions on documents are what they want them to be.  Why the permissions on Office 365 documents are different than on uploaded documents is still a mystery to me.  Seems like you should set it to default to private and make people intentionally share it if that is their intention, but that is not what Microsoft is doing right now.

This is a reminder to all users of cloud storage systems such as Box, Dropbox, Google Drive and others to make sure that the privacy settings on documents are what they expect.  In many cases, if you send someone a link to a document, then anyone who has access to the link can open the document.

Finally, Apple just released iOS 10.3.  To dispel the myth that Apple is a superhero, the list of bugs is pretty long.  Apple, while very security conscious, still uses human beings to program their software (as far as I know) and humans make mistakes.  If you have not installed the new version, you should, as attackers use these announcements to exploit vulnerabilities in non-updated software.  A partial list of the count of bugs fixed by category includes:

  • Accounts – 1
  • Audio – 1
  • Carbon – 1
  • CoreGraphics – 2
  • CoreText – 3
  • Data Access – 1
  • Font Parser – 3
  • HomeKit – 1
  • Http Protocol – 1
  • ImageIO – 4
  • iTunes Store – 1
  • Kernel – 8
  • Keyboards – 1
  • Safari – 4
  • Safari Reader – 1
  • Safari View Controller – 1
  • Security – 4
  • Webkit – 17 (this is the basis of Safari)

And a bunch of others.

As you can see, this fixes bugs all over the operating system, not just in one area.

This is not a dig at Apple, just a reminder that you really do need to make sure that your Apple (and other) devices stay updated.

Information for this post came from Steve Gibson at Gibson Research.  If you are not familiar with Steve’s security podcast, I highly recommend it, but it is a bit geeky.

Microsoft Internet Explorer Users Have Six Weeks To Get Current

January 12th is the deadline for Windows Internet Explorer users to upgrade to the current version of IE or lose support and patches.

Last June Microsoft told the nearly 370 million IE users that they had until January to switch to IE 11.  There are a couple of exceptions.  Windows Vista and Windows Server 2008 users can run IE9 and Windows Server 2012 users can run IE10.  Everyone else has to upgrade to IE 11 or Microsoft Edge.

Over a hundred million users were running IE9 in November.  Over 70 million users were running IE10.

The good news is that those browsers will continue to work – but Microsoft won’t patch any bugs that hackers find.

And you can count on the fact that hackers will start targeting those users knowing that they are on their own.

Likely the biggest groups of users using elderly versions of IE are large corporations and government entities at all levels – those groups don’t deal with change well.

So, if you are one of those users who are using an outdated version of IE, then you should either upgrade or use an alternative browser such as Chrome or Firefox.

And if you work for one of those organizations that won’t let you do that, hope that they paid for extended support, assuming Microsoft is offering it – which it looks like they are not.

For enterprises that need older IE version compatibility, Microsoft has built a number of add-ins that allow IE11 to act like older versions.  See the article below for more details on that.

Consider yourself alerted.

Information for this post came from Computer World.

Microsoft Releases Out Of Band Kerberos Patch

Microsoft released an out of band patch today for all supported versions of Windows.  The patch fixes a privately reported bug in the Kerberos Key Distribution Center (KDC) protocol.  If unpatched, it would allow an unauthorized user to execute an elevation of privilege attack.

“The problem stems from a failure to properly validate cryptographic signatures which allows certain aspects of a Kerberos service ticket to be forged,”

Microsoft says that limited attacks on Windows servers are already in the wild – hence the very unusual situation of releasing a patch out of band.

Assuming that the domain is infected, the only solution is to rebuild the domain from scratch.
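To show why that validation step matters, here is an added toy model (not Microsoft’s code and not the Kerberos wire format) in which a “ticket” carries privilege claims plus a signature record: the weak verifier honours whatever signature type the ticket itself declares, while the strict verifier accepts only a keyed signature computed with the service key.  The unkeyed-hash weakness modelled here, along with all names, keys and the ticket layout, is an illustrative assumption.

```python
import hashlib
import hmac
import json

# Constructed secret: in the model only the KDC/service holds this key.
SERVICE_KEY = b"constructed-service-key"


def _body_bytes(body: dict) -> bytes:
    """Canonical serialisation so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True).encode()


def issue_ticket(body: dict, key: bytes = SERVICE_KEY) -> dict:
    """Legitimate issuer: keyed HMAC-SHA256 over the ticket body."""
    sig = hmac.new(key, _body_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig_type": "hmac-sha256", "sig": sig}


def verify_weak(ticket: dict, key: bytes = SERVICE_KEY) -> bool:
    """Vulnerable pattern (assumed for illustration): the verifier lets the
    ticket choose its own signature type, including an unkeyed hash that
    anyone can compute without the service key."""
    data = _body_bytes(ticket["body"])
    if ticket["sig_type"] == "hmac-sha256":
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    elif ticket["sig_type"] == "md5":  # unkeyed: no secret is involved
        expected = hashlib.md5(data).hexdigest()
    else:
        return False
    return hmac.compare_digest(expected, ticket["sig"])


def verify_strict(ticket: dict, key: bytes = SERVICE_KEY) -> bool:
    """Hardened: the verifier, not the ticket, decides which signature type
    is acceptable, and only the keyed one ever is."""
    if ticket["sig_type"] != "hmac-sha256":
        return False
    expected = hmac.new(key, _body_bytes(ticket["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["sig"])


def forged_ticket() -> dict:
    """Constructed ticket claiming an admin group, carrying an unkeyed hash
    because the forger does not hold SERVICE_KEY."""
    body = {"user": "alice", "groups": ["Domain Admins"]}
    return {"body": body, "sig_type": "md5",
            "sig": hashlib.md5(_body_bytes(body)).hexdigest()}
```

Run against the forged ticket, `verify_weak` accepts it and `verify_strict` rejects it; a genuinely issued ticket passes both.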

Mitch Tanenbaum