// archives

Security

This category contains 33 posts

Cover up your webcam – hands on solution

 

Back from vacation I read an article on vice about how a cybercriminal sent a woman pictures of herself that he took with her own webcam. The whole story is available here. Unfortunately it is in many cases trivial to take over a computer (regardless if Mac OS X, iOS or Windows or anything really) and have control over what is stored on it and track what is done with it or turn things on and off. The camera is just one of the many aspects that can be misused if the device is not adequately protected. However, an approach against the camera misuse is so trivial that I briefly wanted to share a 30 second hands-on solution that I am using on my devices.

What you need for it is one of these small screen cleaners that are typically handed out as a gift. They stick to the back of your phone and you can use them to clean the screen of it when needed. However, they are ideal to also cover the camera on your tablet, PC, Mac, phone and also TV if you have one of these smart TVs that have a built-in camera. The approach is simple and you just cut the screen cleaner sticky to a size that fits over the camera that you want to cover up. It can be taken away and re-attached many times and barely adds to the thickness of the device. And as an additional benefit you always have a screen cleaner with you and it is free. A win-win-win situation really.

Below two pictures showing one of these cleaner pads and how it looks on my Surface computer.

step one WP_20150806_18_17_24_Pro

Verizon 2015 data breach investigations report

 

I am quite a big fan of Verizon’s data breach investigations reports and am using their analysis regularly in security discussions. Verizon publishes these reports every spring since 2008 and I see them as especially valuable as they are pulling data from 70 contributing organizations covering over 79’000 security incidents, over 2’100 confirmed breaches and from over 60 countries.

The 2015 report was published recently (available here: 2015 Verizon DBIR) and while it isn’t exactly an easy read I agree with Rapid7’s marketing video that credential theft is the biggest takeaway. Patching is another highlight (or rather lowlight) and that detecting breaches still takes much too long (205 days). The latter is something that I can confirm from the experiences of our incedent response and recovery teams and it is very worrying to think what attackers have time to do for such a long time in an ICT infrastructure.

On the patching topic. A colleague of mine – James Kavanagh, the National Security Officer of Microsoft Australia, wrote a good blog post on “If you do only one thing to reduce your cybersecurity risk…” that I recommend to read and further information is then available in the report “Security Patching in Complex Environments”.

Below Rapid7’s video with highlights from the Verizon DBIR

RSA 2015 – Microsoft Key Announcements in Security

 

The US RSA conference is probably the world’s leading security conference with about 30’000 participants and took place last week in San Francisco. Scott Charney, Microsoft’s CVP Trustworthy Computing, gave a noteworthy keynote on Enhancing Cloud Trust that can be watched here. It is well worth the time.

The announcements made by us and the presence that Microsoft had at the conference was impressive. The main theme was very clearly that we truly live in a mobile first, cloud first world and that with the explosion of devices and apps come new challenges. Security has been a top priority for Microsoft for a long time already and Microsoft is committed to providing customers with transparency and control over their data in the cloud. Here are the highlights that we announced:

  • New Security & Compliance signals and activity log APIs so that customers can access enhanced activity logs of user, admin and policy related actions through the new Office365 Management Activity API.
  • New customer Lockbox for O365 that brings the customer into the approval workflow if one of our service engineers would have to troubleshoot an issue that requires elevated access. With the customer lockbox the customer has the control to approve or reject that request.
  • Device guard is the evolution of our malware protection offering for Windows 10 and brings a new capability to completely lock down the Windows desktop such that it is incapable of running anything other than trusted apps on the machine.
  • Increasing levels of encryption where O365 will implement content level encryption for e-mail in addition to the BitLocker encryption we offer today (similar to OneDrive for Business’ per-file encryption). In addition we expect enabling the ability for customers to require Microsoft to use customer generated and controlled encryption keys to encrypt their content at rest.
  • Microsoft Passport is a new two factor authentication designed to help consumers and businesses securely log-in to applications, enterprise content and online experiences without a password.
  • Windows Hello which will provide that Microsoft Passport can be unlocked using biometric sensors on devices that support that (most notably iris and face unlock feature in addition to fingerprint).
  • Azure Key Vault which helps customers safeguard and control keys and secrets using FIPS 140-2 Level 2 certified Hardware Security Modules in the cloud with ease and at cloud scale and provides enhanced data protection and compliance and control.
  • New Virtual appliances in Azure where we work with industry leaders to enable a variety of appliances so that customers have greater flexibility in building applications and enabling among others network security appliances in Azure.
  • Enterprise Mobility where we have the Enterprise Mobility Suite (EMS) bringing customers enterprise grade cloud identity and access management, mobile device management and mobile app management and data protection (Reto’s comment: not new but worthy to call out having grown our install base by 6x just in the last year)

More information can be found on Scott Charney’s blog on “Enabling greater transparency and control” that also has further links to more in-detail information on the individual technologies mentioned above.

European Union’s recent activities on Security

The European Union is quite active on security and especially cybersecurity issues but is less present in the media for it than for example the US. To raise awareness on current reports and recommendations that I see as relevent please find some links below. We can now debate if this is too much, just raight or not enough but for that discussion knowing more about what actually exists or is in process is a prerequisite of course.

Joint Supervision Tool for Telecom Security
On 9 April, ENISA published a joint framework to supervise the security of services and personal data processing by telecom providers in the EU in accordance with Article 13a and Article 4. Full report is available here.

Electronic Evidence – a Basic Guide for First Responders
On 25 March, ENISA published a report based on past work done in the field of good practices for CERTs and LEAs in the fight against cybercrime. The main aim of the report is to provide a guide for first responders with a special emphasis in evidence gathering.

National/Governmental CERTs – ENISA’s Recommendations on Baseline Capabilities
On 20 March, ENISA published recommendations on baseline capabilities. The document covers ENISA’s updated considerations for capabilities of so called national / governmental CERTs, thus teams who serve the government of a country to protect critical information infrastructure. The primary target audience of this document are these CERTs and those policy-making bodies in the European Union Member States that are responsible for initiating and planning the establishment and operation of a national / governmental CERT. Still quite an interesting reading.

Standardisation in the Field of Electronic Identities and Trust Service Providers
On 24 March, ENISA published a paper that explains why standards are important for cybersecurity, specifically in the area of electronic identification and trust services providers. Additionally, the paper also discusses concrete standardisation activities associated with electronic IDs and trust service providers, providing an overview of standards developed under the mandate from the European Commission and others, related to eIDAS Regulation. It concludes with a proposal of a standard on cryptographic suites for electronic signatures and infrastructures, put forward by ENISA and related to the ETSI TS 119 312. Full report is available here.

Motion for a European Parliament Resolution on Cybersecurity
On 30 March, Italian MEP Nicola Caputo published a motion for resolution on cybersecurity and calls on the Council and the European Commission to strengthen the EU’s response capability to this global threat, to strengthen network and information security and to support Member States in their research and innovation aimed at promoting public and private digital security. steps on the dossier were not disclosed. Interesting though that the security of IoT (Internet of Things) starts to become also a policy topic. I expect that we will see more to come and hope that it will help in addressing the real challenges that we face.

Security Webinars on Cloud Resilience and Addressing Modern Cyberthreats

Security Webinar I recently gave two live webinars as part of a security webinar series of Microsoft Switzerland where I covered aspects of cloud resilience and achieving resilience against modern cyberthreats. The webinars are in German and if you are interested you can get access to the recording below.

 

 

 

Webinar 1: Schutz vor Gefahren aus dem Cyberspace
Die heutigen Gefahren aus dem Cyberspace sind immer grösser, Angriffe werden immer ausgefeilter, die Hacker selbst immer professioneller. Traditionelle Schutzmechanismen, wie beispielsweise Virenschutzprogramme und Firewalls, sind angesichts der neuen Entwicklungen nicht mehr ausreichend. Erfahren Sie in diesem Webinar alles über die Vorteile eines dynamischen Sicherheitskonzepts, das Ihre IT-Landschaft basierend auf den Prinzipien Protect – Detect – Respond effektiv vor modernen Cybergefahren schützen kann und für hohe Resilienz sorgt. Das Webinar ist hier verfügbar.

Webinar 2: Resilienz und Cloud Computing
Cloud Computing verändert und beschleunigt die Arbeitswelt; standardisierte Services aus der «Rechenzentrumswolke» entlasten Unternehmen von Investitionen in eigene, teure Server-Infrastrukturen. Dennoch bestehen grosse Vorbehalte hinsichtlich Verfügbarkeit, Sicherheit und Datenschutz – speziell in einem Umfeld, in dem Gefahren durch kriminelle Aktivitäten lauern und NSA-/PRISM-Aktivitäten für Rechtsunsicherheit sorgen. In diesem Webinar dreht sich daher alles um Fragen wie Resilienz mit der Cloud, Resilienz in der Cloud oder Resilienz trotz der Cloud. Das Webinar ist hier verfügbar

On Lenovo’s “Superfish” and how to remove it

I am quite a fan of Lenovo devices mostly still from the time where they were IBM ThinkPads. However, when the discussion started on the “Superfish” adware they put onto some Lenovo devices I took a mental step back and asked myself how a company that develops and sells plenty of business devices could make such a bad decision.

There are some good descriptions on what “Superfish” does so I will not repeat that in detail. In the end it seems that the adware hijacks encrypted web sessions and it seems that it may make users vulnerable to https man -in-the-middle attacks that are simple for attackers to exploit. If you are interested in knowing more I recommend that you read the Arstechnica article on that topic.

Lenovo was slow to pick-up on this topic although by now they reacted and the Lenovo CTO said in an interview with the Wall Street Journal that  “we didn’t do enough” due diligence before installing Superfish, but that the company doesn’t believe laptop owners were harmed by the app”. You can read here the full article on the WSJ blog.

Another interesting question on why Lenovo pre-loads any software and here is his response: Hortensius: In general, we get pretty good feedback from users on what software we pre-install on computers. What we’re going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers’ computers. The outcome could be a clearer description of what software is on a user’s machine, and why it’s there.” It seems that I am clearly not their targeted audience if they say such things. When I get a new computer the first thing I do is to newly install Windows from scratch and with that get rid of any bloatware and adware that might be on there. Then install the necessary drivers (not many any more – Windows 8.1 or 10 is in the majority of cases (if not all) taking care of that) and apply all updates and the computer is running faster, more stable and the disk has quite some more space in most cases than before.

So what to do now if you have a Lenovo computer and are not sure if Superfish runs on there or you know and want to remove it? One way to address this is to run Microsoft’s security software which will detect and remove the Superfish software from the Lenovo device. If you have Windowws 8 or 8.1 on your computer Windows Defender is installed by default so you only need to let it update itself. If you have an older version of Windows you might already have the Security Essentials installed where the same applies to. And if you are not sure check out the website on our free security software that you can download and that will take care of Superfish.

Security Snippets: February Reading Nr. 1

 

The security snippets series highlights some articles that I read recently. I hope they help in keeping up with the raise of security incidents and trends which becomes more and more difficult with the increasing professionalism of cyber attacks.

 

Bank Hackers Steal Millions via Malware
as read in the New York Times

The New York Times writes based on Kaperski information that a group of attackers impersonated bank officers and took over cash machines and transferred millions of dollars from more than 100 banks in Russia, Japan, Switzerland, the United States, and the Netherlands into fake accounts set up in other countries. This brings a new scale to Cybercrime.

 

Evolution and Adaptation in the Security Jungle
as read in Threatpost

 Enterprise security teams need to catch up on understanding the methods that modern attackers use. The article on Threatpost does a good job at giving an overview. Active defense is crucial in that aspect and I described that with the protect, detect, response framework also in my whitepaper on achieving resilience against modern cyberthreats.

 

Visa Wants to Track Your Smartphone to Prevent Credit Card Fraud
as read in the Hacker News

It seems that Visa plans to release a new location-based feature that will help cardholders update their location via smartphone. With credit card fraud still on the raise that could be a good way to fight that. I just hope that it will be clear to the user that another service performs location tracking.

 

PlugX Is RAT of Choice for Nation States 
as read in eSecurity Planet

The “2014 CrowdStrike Global Threat Intel” report finds that the PlugX Remote Access Tool (RAT) is the most observed malware variant used by nation-state backed threat adversaries. I don’t think that this is necessarily so clear as in my view many nation states have more customized and elaborate capabilities but it shows how far such tools have come.

 

One Billion Data Records Compromised in 2014 Worldwide
as read in Softpedia

The article writes about a report from the Breach Level Index (BLI) which finds a 49 percent increase in data breaches and a 78 percent increase in number of records that were stolen or lost in 2014. While the absolute number might be even higher the massive increase is something that we observe as well.

 

Microsoft Achieves Globally Recognized ISO/IEC 27018 Privacy Standard
as read in the Microsoft Cyber Trust Blog

This more on privacy and trust than security although that also plays an important aspect. Microsoft on February 16, 2015, obtained the ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. Brad Smith’s blog has more information on that and is worthwhile reading in my view.

 

How to Keep Your Webcam Safe from Hackers [Video]
as read in We Live Security

If you follow the link you will see a video that covers five tips to prevent someone from spying on you through your webcam. Something becoming more important after an anonymous website began posting live streams of the world’s unprotected webcams.

 

 

Whitepaper: Achieving resilience against modern cyberthreats

Whitepaper

Whitepaper

I have written the whitepaper “Achieving resilience against modern cyberthreats” and looking at how the intensity of cyberattacks is again on the raise it is getting more important to implement a dynamic security framework.

As our use of mobile computing and social media technologies grows, so does our exposure to risk. On the one hand, the widespread adoption of new mobile, social media, cloud services and big data technologies creates unprecedented opportunities for productivity and flexibility. Yet without the right defenses in place, they can also open us to new kinds of vulnerabilities, as attacks that target devices operating outside the enterprise perimeter are quickly growing in volume and sophistication.

Passive protection is no longer sufficient for ensuring the security of information and IT infrastructures. My new Microsoft white paper, Achieving resilience against modern cyberthreats, explores the ways that governments and enterprises can protect their valuable information by creating a holistic security strategy, built on risk management, to achieve resilience against in an era of constant targeted attacks and determined adversaries.

The paper explores Microsoft’s holistic “Protect, Detect and Respond” approach to security strategy, including key principles for organizations, the importance of trustworthy cloud services, and the steps to take for securing an IT infrastructure in today’s threat landscape. This proactive strategy requires that an organization understand its assets and its exposure, and apply appropriate protection throughout the entire IT ecosystem in a continuous process. It also recognizes that enterprises must manage their inevitable risk – absolute security is not possible, so organizations must go beyond just protecting resources and also establish processes for detecting, responding and recovering from incidents when they occur.

If you are interested see my complet blog post, Achieving resilience against modern cyberthreats at Microsoft on Safety and Defense.

When thunderstorms and airtravel meet

It has been a few weeks since I have flown to Atlanta for work and I was lucky to have had smooth travels. If you know the Atlanta airport however that isn’t necessarely a given. On one hand it is the worlds busiest airport serving close to 30 million passengers every year and then it is in a location that has frequent tunderstorms. When I now stumbled over a video that shows what happens when thunderstorms occur over the area I was amazed by the resulting images. While not as nicely presented as the pictures in my earlier post on the beauty of airtravel it shows the beauty of technology being able to adapt and overcome obstacles.

Enjoy!

 

Snipplet: About the ease to hack hospital equipment

From now on I will be blogging about topics that I have read somewhere else and that I find noteworthy. You will find them in my new “snipplets” category. Today I am starting with the keypoints of a WIRED Magazine Threat Level article by Kim Zetter. Here are the keypoints:

In a study spanning two years they found severe security issues with common medical equipment used across a large chain of Midwest health care facilities including:

  1. Drug infusion pumps for delivering morphine drips, chemotherapy and antibiotics could be remotely manipulated to change the dosage for patients.
  2. Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring.
  3. X-rays that can be accessed by outsiders lurking on a hospital’s network.
  4. Temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage.
  5. Digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.
  6. In some instances you can blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all lab test equipment.

Many hospitals are unaware of the high risk associated with these devices. A wide cross-section of devices shared a handful of common security holes, including:

  1. Lack of authentication to access or manipulate the equipment
  2. Weak passwords or default and hardcoded vendor passwords like “admin” or “1234″
  3. Embedded web servers and interfaces that allows an attacker to identify and manipulate devices.

There are very few devices that are firewalled off from the rest of the organization, once you get a foothold into the network, you can scan and find almost all of these devices.

  • The vendors don’t have any types of security programs in place, nor is it required as part of pre-market submission to the FDA. The guidelines for medical devices now place the onus on vendors to ensure that their systems are secure and patched.
  • Vendors often tell customers they can’t remove hard coded passwords from their devices or take other steps to secure their systems because it would require them to take the systems back to the FDA for approval afterward, the FDA guidelines for medical equipment includes a cybersecurity clause that allows a post-market device to be patched without requiring recertification by the FDA.

This reflects unfortunately the discussions that I am having with healthcare Providers across Western Europe. Considering that Cybercrime is only starting to become “mature” (not happy to use this word in a criminal context but it describes it best) then the risks need to be mitigated and hospitals have an important aspect by insisting on secured systems and investing overall into their own IT hygiene.

The original WIRED article can be found here.

About the Author

I am Microsoft's Chief Security Officer for Western Europe and have over 15 years work experience in an information security and risk focused IT environment as group CIO, Chief Risk Officer, Technical Director and Program Manager.

more about me and contact info

Translate

Chinese (Simplified)EnglishFrenchGermanItalianPortugueseRussianSpanish