
Cover up your webcam – hands on solution


Back from vacation I read an article on Vice about how a cybercriminal sent a woman pictures of herself that he took with her own webcam. The whole story is available here. Unfortunately it is in many cases trivial to take over a computer (regardless of whether it runs Mac OS X, iOS, Windows or anything else really), control what is stored on it, track what is done with it, or turn things on and off. The camera is just one of the many aspects that can be misused if the device is not adequately protected. However, an approach against camera misuse is so trivial that I briefly wanted to share a 30 second hands-on solution that I am using on my devices.

What you need for it is one of these small screen cleaners that are typically handed out as a gift. They stick to the back of your phone and you can use them to clean its screen when needed. However, they are also ideal to cover the camera on your tablet, PC, Mac, phone and TV if you have one of these smart TVs with a built-in camera. The approach is simple: you just cut the screen cleaner sticker to a size that fits over the camera you want to cover up. It can be taken off and re-attached many times and barely adds to the thickness of the device. And as an additional benefit you always have a screen cleaner with you, and it is free. A win-win-win situation really.

Below are two pictures showing one of these cleaner pads and how it looks on my Surface computer.

[Images: step one (cleaner pad); pad attached over the Surface camera]

RSA 2015 – Microsoft Key Announcements in Security


The US RSA conference is probably the world’s leading security conference with about 30’000 participants and took place last week in San Francisco. Scott Charney, Microsoft’s CVP Trustworthy Computing, gave a noteworthy keynote on Enhancing Cloud Trust that can be watched here. It is well worth the time.

The announcements made by us and the presence that Microsoft had at the conference were impressive. The main theme was very clearly that we truly live in a mobile first, cloud first world and that with the explosion of devices and apps come new challenges. Security has been a top priority for Microsoft for a long time already and Microsoft is committed to providing customers with transparency and control over their data in the cloud. Here are the highlights that we announced:

  • New Security & Compliance signals and activity log APIs so that customers can access enhanced activity logs of user, admin and policy related actions through the new Office 365 Management Activity API.
  • New Customer Lockbox for O365 that brings the customer into the approval workflow if one of our service engineers has to troubleshoot an issue that requires elevated access. With Customer Lockbox the customer has the control to approve or reject that request.
  • Device Guard is the evolution of our malware protection offering for Windows 10 and brings a new capability to completely lock down the Windows desktop such that it is incapable of running anything other than trusted apps on the machine.
  • Increasing levels of encryption where O365 will implement content level encryption for e-mail in addition to the BitLocker encryption we offer today (similar to OneDrive for Business’ per-file encryption). In addition we expect to enable the ability for customers to require Microsoft to use customer generated and controlled encryption keys to encrypt their content at rest.
  • Microsoft Passport is a new two factor authentication designed to help consumers and businesses securely log in to applications, enterprise content and online experiences without a password.
  • Windows Hello, which will allow Microsoft Passport to be unlocked using biometric sensors on devices that support it (most notably iris and face unlock in addition to fingerprint).
  • Azure Key Vault, which helps customers safeguard and control keys and secrets using FIPS 140-2 Level 2 certified Hardware Security Modules in the cloud, with ease and at cloud scale, and provides enhanced data protection, compliance and control.
  • New virtual appliances in Azure where we work with industry leaders to enable a variety of appliances so that customers have greater flexibility in building applications and enabling, among others, network security appliances in Azure.
  • Enterprise Mobility where we have the Enterprise Mobility Suite (EMS) bringing customers enterprise grade cloud identity and access management, mobile device management, mobile app management and data protection (Reto’s comment: not new but worth calling out, having grown our install base by 6x just in the last year)

More information can be found on Scott Charney’s blog on “Enabling greater transparency and control” that also has further links to more in-detail information on the individual technologies mentioned above.

OneNote – now also available for Mac and more

Working at Microsoft made me completely re-think how I work. On one hand I enjoy the mobility and the capability to work wherever and whenever. While this also carries the danger that I don’t sufficiently separate work and private life, it has the upside that my productivity has greatly increased. One of the central elements of such a mobile workstyle is the appropriate tools, as carrying around paper is simply not practical any more. My central work tool for taking notes and sharing them is OneNote. I am doing more and more with it and don’t just use it for collecting my thoughts but extend it to my colleagues for projects. When I share a OneNote page everybody can work on it online and offline and it synchronizes without problems once a connection is available. I have it available on all devices, be it my laptop, tablet or phone.

While I rarely write about Apple products I wanted to share that OneNote is now also available for Mac and it is even free. With this OneNote is available on all platforms, be it PC, Mac, Windows tablets, Windows Phone, iPad, iPhone, Android or the web, and they are always in sync. I recommend having a look at it and maybe that gives you the opportunity to re-think how you work. Check out the video below for some ideas. For more information see the original blog post.


Posting personal Information online? Beware if you overshare!

A new Microsoft study shows that before posting personal information online, more than half of U.S. teens and parents don’t truly consider the potential consequences of their actions. Teens recognize the importance of limiting what they share online, yet they still reveal more personal data than their parents. Six in 10 teens also say they have so-called “friends” in their social networks whom they’ve never met in person.

Chances are you already have a “digital reputation,” and you may not even know it. On the Internet, we create an image of ourselves through the information we share in blogs, comments, tweets, photos, videos, and the like. Others add their opinions – both good and bad – and contribute to our online reputations. Anyone can find this information and make judgments. Accordingly, everyone needs to be cognizant of what they’re posting online, and how that aggregated information can tell one’s personal story and shape their digital impression.

A recent Microsoft survey found that 79 percent of hiring managers and job recruiters in the U.S. said they routinely review online reputational information when considering job applicants. All of a sudden, that photo of you partying hearty or playing a practical joke on a friend may not be so funny after all, even if you consider it your private matter. College admissions officers are also looking into social networks. As College Board vice president James Montoya points out, the people who evaluate applications at most schools are “often under 30 years old and often Facebook users themselves.” Of course they will check out your online reputation. Should a partying photo matter? I agree – no it shouldn’t. Can it be the tipping point in deciding for or against an applicant? Yes it very well can. As the Microsoft study shows, 70% of employers have turned down job applicants because they didn’t like what they found online.

Managing one’s online behavior and reputation is a key component of being a good digital citizen. Digital citizenship is usually defined as “the norms of behavior with regard to technology use.” But digital citizenship is more than just teaching social norms – it’s a way to prepare young people for life in a technology-rich society. Digital citizenship empowers young people and helps them develop a sense of ownership and personal responsibility in order to make appropriate, ethical decisions in the online world.

In an effort to create a culture of “good digital citizens,” Microsoft is committed to helping youth, teens, parents and caregivers think about their online reputations. Today we are releasing a new whitepaper titled Fostering Digital Citizenship and a Teen Reputation Guide. The guide notes a series of tips, including …

  • Tip 1 If you wouldn’t wear it, don’t share it!
  • Tip 2 Don’t use technology as a weapon. Really angry? Walk away from the keyboard – hands off your smartphone.
  • Tip 3 Know what the Internet is telling people about you. Regularly search yourself online.
  • Tip 4 Create strong passwords, change them often, and don’t share them with friends.

We make a host of digital citizenship resources available at our Safety & Security Center. In addition to our research, reputation guide and whitepaper we’ve recently created three infographics depicting how teens spend their time online, as well as an “at school” Internet safety tip card. Check them out or contact me if you are interested in learning more.

Rather than relying solely on protective measures, an approach to online safety that includes digital citizenship will help young people interact more safely in the online world. Teaching them about digital literacy, digital ethics and etiquette is an important part of successfully navigating today’s online and offline world. It can make the difference between getting into the university they want and getting the job they applied for.

FaceNiff – who is posting your Facebook updates?

So, you are sitting at Starbucks or at the airport or any other relatively crowded place and you have Facebook open, or Twitter, or Amazon. You look to your right and see a nicely dressed woman/man tapping on her/his mobile. Maybe you are smiling, thinking that she/he texts too much. Well – think again – because your seemingly nice neighbor might at that very second be updating your Facebook status, adding weird “friends”, posting a Twitter message or rummaging through your Amazon shopping basket.

What? How? Why? These are the thoughts that might run through your mind. Well, it’s easy – because there is a new app in town running on Android. It’s called FaceNiff and it hijacks everybody’s Facebook, Twitter, YouTube, Amazon and Nasza-Klasa account (more to come) that is open on the same wireless network. It’s not really much new – Firesheep did more or less the same a while ago – but now it’s even less obvious and even easier (watch the video here). It is a shame that the affected platforms did not take the Firesheep warning seriously and secure their systems better; maybe they will learn from it. However, I see the problem at least as much in the mobile platform. Android is in effect an open platform. If you have an app that runs on it, you can install it. It might be easier or harder, but even something that is just out there to download can be put on a rooted device. This leaves the door wide open to develop mobile platforms into mobile attack platforms. The mobile devices get more and more powerful and they are so unobtrusive – the perfect platform for the new cyber criminal. And yes, I regard everybody that breaks into my accounts as a cyber criminal. There is no glory involved – it is just cheap, it exploits my privacy and might be harmful to me and/or my reputation.

So what should we do? First, think again before you sign into any of the affected platforms when connected to a shared network. Second, show providers that you support closed platforms. As an example, you will not find FaceNiff on a Microsoft Windows Phone platform because Microsoft (and others too, to some extent) has a phone architecture that only lets apps be installed through their marketplace. Only apps that have been tested get onto the marketplace. And there is no jailbreak for WP7, so that option is out too. So you can favor platforms that protect you and you can write to the makers of the less secure platforms and voice your concern. Please do it if you care. Will it help the next time you sit at Starbucks? No it will not – but I believe that in time the platform(s) will survive that serve all customers and not just an individual. This is not about telling you what you are allowed to do on your mobile – as long as you are doing something legitimate. Consumers should have a choice; they should be able to make choices. That is what brings us further and boosts innovation. But I also want to have my private and work life on an Internet that is more secure for everybody than what we see today, and phone platforms will have a massive impact on that.
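The two paragraphs above describe the service-side root cause of Firesheep/FaceNiff-style hijacking: a logged-in session cookie that the browser will also send over plain HTTP on a shared network, which is exactly what a passive listener on the same Wi-Fi picks up. The following is an added example, not code from the original post or from any of the services named, showing the defender's check a site operator would run against their own responses: it parses constructed Set-Cookie and Strict-Transport-Security headers and reports session-like cookies that lack the Secure, HttpOnly and SameSite attributes, plus a missing HSTS policy. The headers, the cookie names and the "session-like name" heuristic are all assumptions made for the example.

```python
"""Audit HTTP response headers for the weaknesses behind session
sidejacking on shared networks (added example, not the post's code).

A session cookie without the Secure attribute may be sent in clear text
over HTTP, and without HSTS the browser may make that HTTP request in the
first place. Both sample responses below are constructed, not captured.
"""

# Constructed sample responses (dict of header name -> value or list of values).
WEAK_RESPONSE = {
    "Set-Cookie": ["sid=abc123; Path=/", "pref=dark; Path=/"],
}
HARDENED_RESPONSE = {
    "Set-Cookie": [
        "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "pref=dark; Path=/",
    ],
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Heuristic (an assumption for this example): cookie names that usually
# carry an authenticated session and therefore matter for sidejacking.
SESSION_HINTS = ("sid", "sess", "auth", "token", "login")


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path=/, SameSite=Lax) to their value.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value.strip(), attrs


def is_session_cookie(name):
    """True if the cookie name looks like it carries a login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(headers):
    """Return a list of findings for one response's headers.

    An empty list means no sidejacking-relevant weakness was found.
    """
    findings = []
    if not headers.get("Strict-Transport-Security"):
        findings.append("missing Strict-Transport-Security: browser may still talk plain HTTP")
    for raw in headers.get("Set-Cookie", []):
        name, _, attrs = parse_set_cookie(raw)
        if not is_session_cookie(name):
            continue  # preference cookies are not what a sniffer replays
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: sent in clear over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by page scripts")
        if "samesite" not in attrs:
            findings.append(f"cookie {name!r} lacks SameSite: sent on cross-site requests")
    return findings


def harden_set_cookie(value):
    """Return the Set-Cookie value with the missing protective attributes added."""
    name, cookie_value, attrs = parse_set_cookie(value)
    if not is_session_cookie(name):
        return value
    out = [f"{name}={cookie_value}"] + [
        k if v is True else f"{k}={v}" for k, v in attrs.items()
    ]
    if "secure" not in attrs:
        out.append("Secure")
    if "httponly" not in attrs:
        out.append("HttpOnly")
    if "samesite" not in attrs:
        out.append("SameSite=Lax")
    return "; ".join(out)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "OK")
    print(harden_set_cookie("sid=abc123; Path=/"))
```

Run against the constructed weak response the audit reports four findings (no HSTS, and the `sid` cookie lacking Secure, HttpOnly and SameSite); the hardened response reports none. The same two functions can be pointed at headers captured from your own site's login response to confirm that the fix the post asks the platforms for is actually in place.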

So, if you sit at Starbucks next time, maybe look around with a new question on your mind: who is posting updates on their own accounts, and who on other people’s? You might be surprised.

Phone 7 update: not NoDo – DO

I was one of the lucky ones that got a message that the Phone 7 update was ready to be installed, this being the one that brings copy-paste to my phone (often called the NoDo update). Well – NoDo? I would recommend to DO it! The update went smoothly although it took quite a while. The estimate at the beginning was about 23 minutes but ultimately, with backing up the phone and everything that Zune does, it was closer to 45 minutes. For the ones that get nervous during the update when they stare at the Zune screen that doesn’t have any progress indicator – no worries – the indicator is on the phone! And yes – it moves – but it moves slowly. Very very slowly.

So now I am one of the lucky ones that can cut and paste. No big deal you might think, but it helps a lot if one uses the phone as a work tool as regularly as I do. That was one of the things that bothered me when I traded my iPhone for the Windows Phone 7 on my first day working at Microsoft. And I never really looked back. While there are still some features missing that would make it even better, I am very happy about the underlying (security) architecture and it doesn’t surprise me that the phone was left undefeated in a hacking competition (together with Android) while the iPhone and RIM were compromised. Looking at the roadmap of the phone we will see some very exciting things coming! Some of them were already announced, like multitasking and the IE9 integration, and others are coming later, so stay tuned. And with that Gartner might not be far off with their prognosis that by 2015 Windows Phone will have overtaken iPhone and RIM and be the second most used phone OS behind Android.

One word for the people that are tempted to update the phone before the release is available for it. There are multiple reports on possibilities to force the update but the most common is probably the tool that Chris Walshie developed. The problem is – do you really know what is being installed on your phone? Pocket PC described that the tool downloads a “compromised” file. Well, do I want to trust that the compromised file is really not doing anything that it shouldn’t do? What code is landing on my phone that might circumvent some safety features? I am not saying Chris inserted something on purpose, but how long will it take until these Chevron.WP7Updater files are easily downloaded from P2P networks and dubious websites, and how certain are you that they only contain what they should contain? I for my part don’t want to find out and recommend to think about it, have some patience (I know – also not my strongest suit and I understand the temptation very well) and run the update once it is pushed to your phone. In the meantime, check out the Windows Phone blog for more information.

About the Author

Reto is a partner at PwC Switzerland. He leads the Cybersecurity practice and is a member of the PwC Digital Services leadership team. He has over 15 years of work experience in an information security and risk focused IT environment. Prior to working at PwC he was Microsoft's Chief Security Officer for Western Europe and also has work experience as group CIO, Chief Risk Officer, Technical Director and Program Manager.