A Farewell To Arms Races
By Simon Bisson & Mary Branscombe in Editorial
Posted in Security, Microsoft, Apple on
In the last three years, IT security issues haven’t changed that much - but perceptions might have. Trojans and worms might have taken over from viruses, but the problem is still a combination of security holes, social engineering and putting protection in the right place without destroying productivity.
We’re pleased to see Microsoft finally admit that, yes, Windows security could do with a helping hand. If you’re not running an anti-virus or anti-malware application you really don’t have any excuses any more. Microsoft Security Essentials isn’t a bells and whistles security package like McAfee or Norton, or even AVG. It is, to steal a cliche, what it is. And that’s an easy to download, quick to install, and simple to use anti-malware package.
MSE is also pleasantly processor friendly, with very little impact on performance - even on Atom netbooks. With low-powered devices increasingly common (and Windows 7 likely to be one of the main operating systems on the next generation of devices) it’s good to see a package that respects your CPU and still manages to keep you safe and secure. What Microsoft has learnt, and it’s something that other security vendors are also learning, is that the security you have is a lot better than no security at all. Sure, some people want something that tells them every time there’s a possible threat, and that inspects every packet going in and out of a network connection - but what most people want (and what most people need) is a tool that just gives them enough protection to keep the most egregious malware away, blocking trojans and spyware, as well as keeping them safe from good old-fashioned viruses.
That’s what MSE is, and that’s all it is planned to be. It’s the tool I’d give my sweet white-haired retired-school teacher mother. And that’s probably the best recommendation you’d hear from me!
There’s only one place that security through obscurity works, and that’s in the criminal coding fraternity. If you use an OS that only another 5 people in the world use, it’s not worth the effort to hack into that OS. When Apple had 2% or 5% of the market, it could safely claim that Macs were more secure because they were less of a target and any security holes would get ignored by hackers. Hit enough market share and you have to get a bit more protection - especially as hackers target the apps that run on the platform and the Web pages users visit.
We’re glad to see that Apple has gone on a security hiring spree recently; security experts and cryptographers from companies like PGP and OLPC are now working on security at Apple. That doesn’t mean Macs and iPhones are instantly more secure than they were last week; but it does mean Apple isn’t sweeping the security problem under the keyboard any more.
And with this post it’s time to bid you all farewell. We’ve been writing this blog for the last three years, since the launch of IT Pro. All good things must come to an end, and it’s time for us to pack up our keyboards and ride off into the sunset. We’ve had fun writing here, and we hope you’ve had fun reading us.
–Mary and Simon
Stay out of my inbox
By Simon Bisson & Mary Branscombe in Editorial
Posted in Security on
Is this another Beacon moment? Keeping apps out of the Facebook inbox is good security. Even though the new Facebook plan to give apps access to the contents of user inboxes is restricted to whitelisted apps, that doesn’t mean they’re safe apps. Despite Google’s airy claims, just because something runs online, in the browser, does not mean it is safe (I’m still boggling security professionals with the claim by the Google Gears team at Google IO that “everything in the browser is inherently safe”). Whitelisting means the app isn’t openly malicious, but it doesn’t guarantee it’s not vulnerable.
If you’ve ever spent time drilling into the Facebook APIs (and the FBML language) you won’t be surprised at just how much data a not-so-well-behaved application can harvest and take back to its own servers. Sure, it helps build more complex games and powers the viral explosion of memes across Facebook, but it’s a whole heap of security violations just waiting to happen. Yes, you have to opt in to every request, but ticking boxes and clicking OK is what we’ve been doing on Facebook for the last couple of years. Why change your habits now?
And making inbox access opt in doesn’t make it safe. We’ve trained the monkey to click OK on just about any dialog box if what the dialog offers is tempting enough - or if the dialog box is in the way of what I really want to do. Put a dialog box between me and my plan to dash off a quick update as I jump in the taxi to the airport and I might not read that dialog with the same due care and attention you were counting on.
And Facebook is full of career-limiting, security-breaching detail. Bank security questions? I bet I can answer them if I can see what memes you’ve been answering. Last three things you bought, first pet, second school you went to? There’s a meme for that. What’s in your inbox that you wouldn’t want posted on some random Web site?
Inbox access is the latest opt-in feature for apps; but they can do a lot more than throwing sheep…
I’ve been waiting for the Google backlash for a couple of years now; the blanket promise ‘not to be evil’ is no replacement for a thorough security lifecycle and privacy policy. Facebook’s Beacon advertising obviously didn’t make people too worried; the recent collection of ‘resignation by incautious Facebook status update’ proves that. Facebook users want to share; it’s up to Facebook to make sure that the platform doesn’t turn that enthusiasm into a threat.
There’s a petition against app inbox access over at http://www.keepmyinboxprivate.com/?ref=nf, which takes you in turn to http://apps.facebook.com/keepmyinboxprivate/; ironically, the petition itself is an app that asks if it can publish a link to the petition on your Facebook Wall.
–Mary
Supporting iPhones and Exchange? Today could be a very bad day…
By Simon Bisson & Mary Branscombe in Editorial
Posted in Enterprise, Security, Email, Apple on
If you’re an Exchange admin, use the “Require encryption on the device” policy, and you’ve got users out there who are using first and second generation iPhones to get their mail over Exchange ActiveSync, then be prepared for a whole rush of support calls as users update to the latest version of the iPhone OS.
Why?
Because iPhones have stopped lying to Exchange servers.
The hardware on earlier iPhone models doesn’t have the power needed to support whole device encryption - you need the 3GS for that - and that means that if your business needs to secure its mail, then most of the iPhones out there can’t be trusted. Apple’s earlier versions of the iPhone email software just ignored that policy setting, and reported back that all policies had been applied.
That meant that devices that should have been encrypted (either for corporate or regulatory reasons) weren’t - and all the mail on them was available for anyone with a USB connection and the appropriate software.
As I’m sure you can guess, that drove a coach and horses through your security policies, and opened your business up to all sorts of regulatory problems.
Now at least those phones will stop getting mail.
But it’s a bit of a worrying thought that one of the most popular phones in the world was skating past security policies. Of course that leaves us with two more worrying thoughts:
First, how many other phones out there are doing just that without you knowing?
And secondly, just how are you going to tell your bosses that they can’t use their phones for email any more?
Office 2010 protects you – from your own documents
By Simon Bisson & Mary Branscombe in Editorial
Posted in Beta, Android, Applications, Office, Security, Networking, Microsoft on
Remember macro viruses? Trojans and bots have taken over from them in the virus top ten, but there could easily still be binary Office documents lurking in your business’s fileservers with unwanted code in them. The XML file formats introduced with Office 2007 mean you know when a document has a macro by the file extension (an XLSX file can’t have code in, an XLSM can) but even though XML files are smaller as well as more secure, not everyone wants to spend the time to convert a backlog of many years. So to protect you from anything worrying, Office 2010 introduces a Protected View that locks documents when you open them, and runs in an isolated, low-integrity process with a restricted token (rather like combining the protected mode that IE 8 runs in with the secure desktop you see with UAC elevation prompts - Protected View uses the same User Interface Privilege Isolation).
As the Office engineering blog post puts it, “For a malware to actually be able to run in Protected View it will first need to find a way around DEP, ASLR, GS and our new 2010 Office File validation checks. After all that, the malware would need to find a way to break out of the sandbox.”
The Office team is confident enough in Protected View that opening and previewing attachments from Outlook will get less annoying; you won’t have to say yes, you trust every different type of document to open and preview individually the first time you come across it. It seems like a welcome security measure that will make life easier too. Sadly, as implemented it’s currently a productivity blocker that will be turned off or loathed by every user that comes across it.
On my system at least, every single document I open in Office 2010, binary or XML, from the office network is opened in Protected View and tagged as coming from ‘an unsafe location’. That’s supposed to be for documents downloaded from the Internet (“When a file is downloaded from the Internet the Windows Attachment Execution Service places a marker in the file’s alternate data stream to indicate it came from the Internet zone,” says the Office Engineering blog) and I’m kind of offended that Microsoft is telling me that our network isn’t secure - it is Windows Server 2008 we’re running. I’m also losing time on every document, having to click through before I can start editing.
I tried turning Protected View off; you can’t. You can go into the Trust center, ignoring the sign that tells you not to go in there and not to change anything, and tell Office to trust network documents (again, ignoring the warning that a network is a scary place and you shouldn’t be trusting it) but that didn’t fix it. I had to manually add the file shares on the server, mount point by mount point. You can’t just give office the name of your file server and trust the whole thing; Office refuses to mark the root of the server as safe.
This isn’t supposed to happen, says Microsoft. In some cases, the proxy settings are to blame (check out The LIZ and Proxies: the surprising connection for an explanation by Eric Lawrence of the IE team of why proxies are involved in the intranet at all). We don’t use a proxy. Maybe the Local intranet setting in Internet Options isn’t set to ‘Automatically detect’? It is, as it happens.
Ah, says the Office team; it’s a bug, and they’re working on it. That’s good news; if I only have to put up with this until the beta of Office 2010 this autumn, that’s fair enough - you expect problems when you use a ‘technical preview’ (or alpha code as we used to call it).
But the fact that Office 2010 is relying on Internet Explorer options that may or may not apply if you don’t have Internet Explorer on your system is a little worrying (Firefox doesn’t use security zones, for example). And Simon, whose PC is joined to the domain, doesn’t see Protected View on network documents. So the underpinnings of Protected View seem to be a tangle of Internet Explorer, Active Directory and Microsoft network settings; that’s fine for an all-Microsoft business - like Microsoft. It’s less useful for the rest of the world where heterogeneous networks are the norm and security is important - but will always get demoted if it gets in the way of getting your job done. Let’s hope the bug fix does more than just tweak things; Protected View uses a spiffy new architecture inside Windows and it needs to take a clear and manageable approach to defining what a ‘safe’ or ‘unsafe’ location actually is, or it’s going to be unpopular and insecure (cue everyone copying documents onto their laptop to edit them without the nagging and leaving them in the pub car park).
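The Protected View decision described above hinges on the marker the Attachment Execution Service leaves in a file’s Zone.Identifier alternate data stream. The following is an added example (not code from this post, from Microsoft or from the Office team) that parses that marker and reports which documents under a folder would be treated as coming from an unsafe location; the sample marker text, the document extensions checked and the choice to treat zone 4 like zone 3 are assumptions made here.

```python
"""Inspect the Windows "mark of the web" markers that drive Office Protected View.

Added example, not code from the IT Pro blog post or from Microsoft. The
Attachment Execution Service records a file's origin zone in an NTFS
alternate data stream named Zone.Identifier; Office 2010 Protected View
consults that marker. The helpers below parse the marker and report which
files in a folder would be treated as coming from an unsafe location.
"""
import os
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# URL security zone numbers used by Internet Explorer and Windows.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what a Zone.Identifier stream looks like for a
# spreadsheet saved from a browser download (documentation-style host name).
SAMPLE_MARKER = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/pricelist.xlsx\r\n"

OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx")


@dataclass
class ZoneMarker:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")


def parse_zone_identifier(text: str) -> Optional[ZoneMarker]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns None when no usable ZoneId is present (the file carries no marker).
    """
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    try:
        zone_id = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return ZoneMarker(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def opens_in_protected_view(marker: Optional[ZoneMarker]) -> bool:
    """True when Office would treat the file as coming from an unsafe location.

    The blog post cites the Internet zone (3); treating Restricted Sites (4)
    the same way is an assumption made in this example.
    """
    return marker is not None and marker.zone_id >= 3


def read_marker(path: str) -> Optional[ZoneMarker]:
    """Read the Zone.Identifier stream of a file (NTFS on Windows only)."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None  # no stream, or not an NTFS volume


def scan_folder(root: str) -> Iterator[Tuple[str, ZoneMarker]]:
    """Yield (path, marker) for every marked Office document under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(OFFICE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                marker = read_marker(full)
                if marker is not None:
                    yield full, marker


if __name__ == "__main__":
    import sys
    sample = parse_zone_identifier(SAMPLE_MARKER)
    print(f"sample marker: zone {sample.zone_id} ({sample.zone_name}), "
          f"protected view = {opens_in_protected_view(sample)}")
    for file_path, mark in scan_folder(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "PROTECTED VIEW" if opens_in_protected_view(mark) else "trusted"
        print(f"{flag:15} zone {mark.zone_id} ({mark.zone_name})  {file_path}")
```

Run it against a file share to see which documents actually carry an Internet-zone marker; a marker on files that were never downloaded points at the tagging step rather than at Protected View itself.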
-Mary
Is your information management as good as Amazon?
By Simon Bisson & Mary Branscombe in Editorial
Amazon’s withdrawal of ebooks by George Orwell seems positively Orwellian; ‘owners’ of the ebooks on Kindle woke up last week to discover that they should have read the small print. All they had was a licence for the ebooks and when it turned out that the publisher didn’t have the rights to sell that licence to Amazon to sell on to customers, Amazon revoked the licences and issued automatic refunds. A seamless if disturbing experience that proves that one cheap ebook reader from Elonex does not a mass market make. But if you needed to update a company price list or redact internal guidelines, could you do it with anything approaching the same efficiency?
A rich permissions-based licence system (as opposed to a simple encrypted, here’s one key and don’t lose it DRM system) gives content owners a lot of control. A writer could give away a free chapter with a discount code, give away a 3-month ready copy that you had to pay to keep or have their backlist turn free for a month every year or whatever incentive model they wanted to try out – and they could change it if it didn’t work. Can you even block last month’s price list from being sent out by accident?
The Windows Rights Management service in Windows Server is a start, coupled with Office and SharePoint (one of the reasons Google Docs isn’t as scary to Microsoft as the free Office 2010 Web apps might make you think). Keep pricelists in a SharePoint library set to expire after 30 days and people will have to go to a lot more trouble (extracting and resaving the information) to use out of date prices than to get current ones. Sure people can photograph the screen or read the document out to an accomplice over the phone. At that point you’re dealing with malicious behaviour rather than the simple desire to do your job that is responsible for the majority of information leaks and technology isn’t the right solution. But if you’re doing modern security and reperimeterisation (the perimeter isn’t gone, it’s just around the data itself), you need to think about information in terms of rights and licences, not bits and bytes and firewalls.
-Mary
Locking up your voice
By Simon Bisson & Mary Branscombe in Editorial
Voice is mobile’s killer app. Secure voice? That’s another story.
Way back in the early days of the GSM specification, the designers came up with a voice cryptography standard, called A. Governments and security agencies weren’t too happy as they felt that A was too strong - and it would make conversations far too hard to monitor. The result was A5/1, a rather less strong cryptosystem. Whether the over the air path was encrypted or not didn’t really matter - as once your call hit the wired network it was transmitted in the clear.
Not every call can run in the clear.
Some contain significantly price sensitive information - details of a new drug, information about the location of an oil field, negotiations for a merger or an acquisition. It’s information that if it’s lost could cost you, or your business, a lot of money. There’s also no way of quantifying the risk. Then there’s information that could be damaging if it’s intercepted - the details of a divorce settlement, or a bitter custody dispute. You might also be a government employee, trying to keep secrets secret. And finally there’s the issue of the current economic downturn, where very little is certain - apart from the fact that industrial espionage always increases during a recession.
So how do you secure your voice calls?
You could buy a secure cellphone, but it’s not really an economic proposition - it’s expensive to run, the call quality is relatively poor, and there’s lots of lag. More importantly, the phones are large and obvious, so anyone who sees you make a call with one knows you have something to hide.
One alternative is a UK startup, Cellcrypt, which has developed a software voice encryption client that runs on a standard smartphone. We sat down with the CEO, Dr Simon Bransfield-Garth at RIM’s WES event in Orlando to find out more.
There’s a new mantra in the mobile industry: voice is data. Cellcrypt treats it just that way, using IP to connect devices together. The result is a service that’s secure over GPRS, 3G, and WiFi. All of the encryption is in the device, so there’s no reliance on the network - all you need to do is run an application that looks like a standard phone application. Just choose a contact, and the application secures a channel and makes a voice connection between two devices.
The authentication key is set using RSA and 204-bit elliptic curve Diffie-Hellman (elliptic curve cryptography gives you a lot of encryption per bit, and is very efficient). Once a session has been authenticated Cellcrypt generates a session key to handle the conversation cryptography, using 256-bit AES wrapped in 256-bit RC4. The whole process is currently being certified for government use under FIPS, and there are plans to go through the UK’s CAPS certification.
One thing to note - there is a server in the cloud to handle call connections and routing, but it doesn’t do any cryptography at all; it just handles the call initiation and licence management. There’s also no central key server, and keys are generated from first principles in the phone - giving you a very secure end-to-end environment.
I gave it a try - even in the crowded wireless spectrum of WES the call quality was good. There is some latency, which is only to be expected, and the lower the quality network, the greater the latency. WiFi networks should expect 250ms, 3G, 370ms, and 2G, 500 ms. The business model is based around a service fee of $1K/person/year.
–S
Do you need IPv6 for DirectAccess? Yes and No
By Simon Bisson & Mary Branscombe in Editorial
Posted in Enterprise, Windows Mobile, Networking, Security on
I hate VPNs. I’m not alone; the VPN that Microsoft – who ought to be able to get IT right - runs for internal staff is so slow (it takes four or five minutes to get connected) that many staff refuse to use it whenever possible, which makes it hard to patch their systems. And the less they connect, the longer the connection takes, because it’s busy forcing security updates on them and slowing down the connection even more. DirectAccess, a new feature in Windows 7, could make that a thing of the past, creating a secure connection that’s more efficient than a VPN and much easier to use, so you can tell end users you’re making their life easier and get access to their machines for maintenance at the same time.
But the way DirectAccess makes the secure tunnel between the remote PC and your network to give them access to file shares and applications and everything else, is by using IPSec and IPv6. You need IPv6 on your internal network and on the network they’re connecting from – and that’s still rare. Luckily, there are ways around it.
One way is to use the Forefront Unified Access Gateway; this does a lot more than DirectAccess, including enforcing application whitelisting on remotely connected systems, but it simplifies setting up DirectAccess. “We’re the plumbing,” says Scott Roberts of the Windows team; “sometimes what we give you is the 16-step guide to do something – and UAG is the friendly face on top. They have some really nice wizards.” UAG also helps you configure DirectAccess without needing an end-to-end IPv6 connection.
The roadmap for Forefront includes a version of UAG to run on the mid-market two-server system (codenamed Centro – it’s the step up from SBS), which will also support DirectAccess. DirectAccess isn’t going to be available on SBS, at least in the Windows 7 timescale, because it needs two servers, one of them with two network cards – so you can’t run it in a VM or behind a NAT firewall - and because Microsoft feels that the complexities of setting up DirectAccess are too much for small companies.
The other solutions involve encapsulating IPv6 packets inside IPv4. You can do it using the 6to4 and Teredo protocols, but not all networks support those; if you’re visiting a business that does outbound proxying for security, they won’t work. You can put in a protocol translation adapter on your network, or use a Windows Server 2008 R2 system running ISATAP to carry IPv6 over IPv4 across your network. Or you can just use the new IP-HTTPS protocol, which tunnels IPv6 packets inside an HTTPS connection over IPv4, much like an SSL VPN.
If you don’t want to put IPSec on your network, you can send the packets across your internal network in clear text; if you do have IPSec you can choose between integrity assurance and full encryption, but that does limit you to using DirectAccess to access resources on servers that support both IPSec and IPv6. That’s fine for Windows Server 2008 and for many Linux systems, but not Windows Server 2003. The DirectAccess server itself needs to be running Windows Server 2008 R2. All that means that while DirectAccess will make life a lot easier for your users, and give you a way of reaching out to touch PCs as soon as they go online rather than only when they’re forced to use a VPN, it’s going to take a fair amount of setting up, and that may seem like too much work when it doesn’t work with any other version of Windows than Windows 7.
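Each of the encapsulation options above leaves a signature in the client’s IPv6 address, except IP-HTTPS, which hands out addresses from your own prefix. The following is an added example (not code from this post or from Microsoft) that derives 6to4 and ISATAP addresses, decodes a Teredo address, and names the transition technology a given client address implies; the addresses used are constructed from documentation ranges and the function names are this example’s own.

```python
"""Decode the IPv6 transition addresses DirectAccess clients may end up using.

Added example, not code from the IT Pro blog post or from Microsoft. It
shows how 6to4, ISATAP and Teredo embed IPv4 information in IPv6 addresses,
so an admin can tell from a client's address which encapsulation it is using.
IP-HTTPS clients get addresses from the organisation's own prefix and cannot
be distinguished by address alone. Sample addresses are constructed from
documentation ranges (192.0.2.0/24, 2001:db8::/32).
"""
import ipaddress
from typing import Optional


def six_to_four_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 (RFC 3056): the site prefix is 2002:WWXX:YYZZ::/48 for IPv4 W.X.Y.Z."""
    b = ipaddress.IPv4Address(public_ipv4).packed
    return ipaddress.IPv6Network(f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48")


def isatap_address(prefix: str, ipv4: str, public: bool = False) -> ipaddress.IPv6Address:
    """ISATAP (RFC 5214): interface id 0:5efe:w.x.y.z, or 200:5efe:w.x.y.z when the
    embedded IPv4 address is globally unique (which sets the 'u' bit)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = (0x0200 << 48 if public else 0) | (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def decode_teredo(addr: str) -> Optional[dict]:
    """Teredo (RFC 4380): 2001:0:<server v4>:<flags>:<~port>:<~client v4>.
    The client's external port and IPv4 address are stored XORed with all-ones."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2001::/32"):
        return None
    p = a.packed
    flags = int.from_bytes(p[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(p[4:8])),
        "cone_nat": bool(flags & 0x8000),
        "client_port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in p[12:16]))),
    }


def transition_technology(addr: str) -> str:
    """Name the encapsulation implied by a client's IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("2002::/16"):
        return "6to4"
    if a in ipaddress.IPv6Network("2001::/32"):
        return "Teredo"
    # ISATAP interface ids carry 00-00-5E-FE (or 02-00-5E-FE) above the IPv4 bits;
    # masking out the 'u' bit covers both forms.
    if (int(a) >> 32) & 0xFDFFFFFF == 0x00005EFE:
        return "ISATAP"
    return "native or IP-HTTPS"


if __name__ == "__main__":
    print("6to4 prefix for 192.0.2.1:", six_to_four_prefix("192.0.2.1"))
    print("ISATAP address for 10.0.0.5:", isatap_address("2001:db8:0:1::/64", "10.0.0.5"))
    print("Teredo decode:", decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    for sample in ("2002:c000:201::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "2001:db8::5efe:a00:5", "2001:db8::1"):
        print(f"{sample:40} -> {transition_technology(sample)}")
```

Feeding the addresses from a DirectAccess server’s client list through transition_technology shows at a glance how many clients are stuck behind proxies on IP-HTTPS rather than on 6to4 or Teredo.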
-Mary
The morality of security: white hats, grey hats and Twitter
By Simon Bisson & Mary Branscombe in Editorial
Posted in People, Business, Security, Internet on
What’s the difference between a hacker, a security expert and someone looking for a job? Hackers play around with systems, find vulnerabilities and exploit them - for fun, fame, or profit. Security experts play around with systems, find vulnerabilities and report them to the vendor - which occasionally brings fame or profit. Both methods improve the system in question, but exploiting vulnerabilities instead of reporting them - even exploiting them to get vendors to pay attention - puts users at risk. You might be doing it for the best of reasons, but someone less altruistic now knows how to attack the system. Proving that you can get past security on live systems looks good on the CV, but what about the ramifications?
Twitter has had more than its share of attacks recently, many of them pure social engineering (was Jack Straw really stranded with no better way of asking for help?), others the good old virus-disguised-as-video. The 17-year old behind last weekend’s StalkDaily and Mikeyy worms turned his hacking into a job application and has been picked up by a Web development and hosting provider in the US, who presumably value the combination of tech ability and publicity nose more than any moral issues about whether recruiting black hat hackers quite so openly is a good idea. The spate of public messages the CEO has fired off to the founder of Twitter are a combination of disingenuous defence and more publicity seeking: “hope u understand Mikeyy did u favor and could have compromised personal information,” he says. Some favour…
Security companies have always hired hackers; usually white hat hackers who stuck to penetration testing and notification. Some black hats grow up and turn responsible. Frank Abagnale - whose story is far more interesting than the film (Catch Me If You Can) - went to the FBI; after his sentence and because he wanted to. Kevin Mitnick didn’t take consulting gigs until after he came out of jail.
Mikeyy (to whom I’d like to suggest that naming malware after yourself isn’t the way to stay undetected) has a new job. His new employers have plenty of publicity. And everyone who uses Twitter has to hope that the service patched all the holes he found so that someone looking for more immediate rewards can’t use them.
-Mary
Watch(ed)men
By Simon Bisson & Mary Branscombe in Editorial
Posted in Security on
The clock is counting down to the 6th of March and the opening of the Watchmen movie. There’s not really much point in watching it, as the real watchmen are among us, and they’re armed with database queries.
Last week we had a meeting with a senior Microsoft VP, who was to brief us on the next steps before the launch of Windows 7. As we sat on the tube we got a phone call - telling us he’d be late, due to some unspecified car trouble. It was only when he arrived, armed with a brand-new anecdote, that we learnt just what had happened.
The London Congestion Charge zone is surrounded by cameras, all hooked up to a massive number plate recognition system. As his car crossed through the ring of cameras it was photographed, and the number uploaded onto the system. The car number tripped a rules engine somewhere in the CC database - as it was wanted by the police.
A nearby police motorcycle quickly intercepted his car, and it soon turned out that someone had cloned both its number plate and the taxi company’s petrol card. Someone was using them to defraud garages, getting fuel for nothing.
It took some time to sort things out, and for the driver to prove his innocence (the fact that his car didn’t match the forecourt photographs made a big difference). If it hadn’t been for the cameras and the software behind them he’d have made our meeting on time…
There’s something slightly unnerving about automatic systems sending the police off to stop a car. Any automation can be corrupted, and it’s all too plausible to think of this system being used to delay important business meetings - a real denial of service attack.
Who watches the watchmen? At this point it seems to be no-one!
–Simon
Lockdown
By Simon Bisson & Mary Branscombe in Editorial
Posted in USB, Laptop, Security, Mobile on
If you work for a security company you wouldn’t normally leave your laptop and your BlackBerry with a journalist you’ve only just met when you go to fetch coffee. Feeling comfortable doing that says you’re confident in your security. Susan Callahan of Safend isn’t worried about leaving her laptop on a table, in a security tray, or anywhere. If she loses it, it’s just an inconvenience - not a security breach.
You probably know of Safend as a tool for protecting USB ports. That’s a big part of the security story today. Flash memory sticks are everywhere - they’re the new floppy disk that can carry all your information. Walking around the various memory companies at CES we found all shapes and sizes of memory stick, all united by being something that easily fits in a pocket. 1GB devices cost almost nothing, and the latest generation give you up to 64GB of storage. You’ll even find them built into Swiss Army knives.
64GB? That’s more than many laptop hard disks. It’s also more than 13 DVDs-worth of data.
With that amount of low cost storage available to all and sundry, it’s not surprising that businesses are seeing flash drives as a security risk. Two CD-ROMs worth of tax data caused one of the biggest data losses in the UK, so it’s easy to imagine just how much damage a tiny memory stick can do.
So how do you protect your data, when it can easily move onto a keyring?
We spent some time on a hot January afternoon at a Silicon Valley Starbucks with Susan, talking about how businesses can use endpoint security tools to protect their data. Securing USB sticks is just part of their story, as the Safend software lets you control exactly how you can use USB ports. You can set up policies for approved devices, and provide different levels of access for different classes of users. There are also rules for controlling just how DVD and CD writers can work, as well as tools for handling hard disk encryption.
That means that the CEO may get full access, while sales teams will only be able to read data sent to them by clients. Other teams might only be able to share data using encrypted memory sticks that are automatically encrypted as soon as they’re connected to a PC. Managing the rules is easy enough, with a central console and a single policy server that can handle up to 10,000 client devices. You can even set up geographic rules, to handle the differences between EU and US privacy requirements, or provide rules that work on specific file content or sizes. There’s even the option to set up rules based on content – so you could have rules that would allow staff to copy any document that doesn’t contain credit card numbers or any other identity information.
Data loss isn’t just about the network, and the Safend tools also help handle disk encryption (which is why the ThinkPad was safe on the cafe table). Lose a protected laptop and anyone who “acquires” it won’t be able to read the files – let alone copy them onto a CD or a flash disk.
There’s enough regulation out there to make device protection as important as your firewalls – so have you locked down your laptops yet?
–Simon (in Silicon Valley)