Archive for the ‘Microsoft’ Category

IT Consulting Case Studies: Microsoft SharePoint Server for CMS

Friday, February 14th, 2014

Gyver Networks recently designed and deployed a Microsoft SharePoint Server infrastructure for a financial consulting firm servicing banks and depository institutions with assets in excess of $200 billion.

Challenge:  A company specializing in regulatory compliance audits for financial institutions found themselves inundated by documents submitted via inconsistent workflow processes, raising concerns regarding security and content management as they continued to expand.

With many such projects running concurrently, keeping up with the back-and-forth flow of multiple versions of the same documents became increasingly difficult. Further complicating matters, the submission process consisted of clients sending email attachments or uploading files to a company FTP server, then emailing to let staff know something was sent. Other areas of concern included:

  • Security of submitted financial data in transit and at rest, as defined in SSAE 16 and 201 CMR 17.00, among other standards and regulations
  • Secure, customized, compartmentalized client access
  • Advanced user management
  • Internal and external collaboration (multiple users working on the same documents simultaneously)
  • Change and version tracking
  • Comprehensive search capabilities
  • Client alerts, access to project updates and timelines, and feedback

Resolution: Gyver Networks proposed a Microsoft SharePoint Server environment as the ideal enterprise content management system (CMS) to replace their existing processes.  Once deployed, existing archives and client profiles were migrated into the SharePoint infrastructure designed for each respective client and, seamlessly, the company was fully operational and ready to go live.

Now, instead of an insecure and confusing combination of emails, FTP submissions, and cloud-hosted, third-party management software, they are able to host their own secure, all-in-one CMS on premises, including:

  • 256-bit encryption of data in transit and at rest
  • Distinct SharePoint sites and logins for each client, with customizable access permissions and retention policies for subsites and libraries
  • Advanced collaboration features, with document checkout, change review and approval, and workflows
  • Metadata options so users can find what they’re searching for instantly
  • Client-customized email alerts, views, reporting, timelines, and the ability to submit requests and feedback directly through the SharePoint portal

The end result?  Clients of this company are thrilled to have a comprehensive content management system that not only saves them time and provides secure submission and archiving, but also offers enhanced project oversight and advanced-metric reporting capabilities.

The consulting firm itself experienced an immediate increase in productivity, efficiency, and client retention rates; they are in full compliance with all regulations and standards governing security and privacy; and they are now prepared for future expansion with a scalable enterprise CMS solution that can grow as they do.

Contact Gyver Networks today to learn more about what Microsoft SharePoint Server can do for your organization.  Whether you require a simple standalone installation or a more complex hybrid SharePoint Server farm, we can assist you in planning, deploying, administration, and troubleshooting to ensure you get the most out of your investment.

IE 10 zero-day attack targets US military

Friday, February 14th, 2014

Fireeye, a security research firm, has identified a targeted and sophisticated attack which they believe to be aimed at US military personnel. Fireeye calls this specific attack Operation SnowMan. The attack was staged from the web site of the U.S. Veterans of Foreign Wars which the attackers had compromised. Pages from the site were modified to include code (in an IFRAME) which exploited an unpatched vulnerability in Internet Explorer 10 on systems which also have Adobe Flash Player.

The actual vulnerability is in Internet Explorer 10, but it relies on a malicious Flash object and a callback from that Flash object to the vulnerability trigger in JavaScript. Fireeye says they are in touch with Microsoft about the vulnerability.

The attack checks to make sure it is running on IE10 and that the user is not running the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a tool which can help to harden applications against attack. So running another version of IE, including IE11, or installing EMET would protect against this attack.

The attack was first identified on February 11. Fireeye believes that it was placed on the VFW site in order to be found by US military personnel, and that the attack was timed to coincide with a long holiday weekend and the major snowstorm which struck the eastern United States this week, including the Washington DC region.

Fireeye also presents evidence that the attack comes from the same group of attackers they have identified in previous sophisticated, high-value attacks, specifically Operation DeputyDog and Operation Ephemeral Hydra. They reach this conclusion by analyzing the techniques used. They say that this group has, in the past, attacked U.S. government entities, Japanese firms, defense industrial base (DIB) companies, law firms, information technology (IT) companies, mining companies and non-governmental organizations (NGOs).

Source:  zdnet.com

Unencrypted Windows crash reports give ‘significant advantage’ to hackers, spies

Wednesday, January 1st, 2014

Microsoft transmits a wealth of information from Windows PCs to its servers in the clear, claims security researcher

Windows’ error- and crash-reporting system sends a wealth of data unencrypted and in the clear, information that eavesdropping hackers or state security agencies can use to refine and pinpoint their attacks, a researcher said today.

Not coincidentally, over the weekend the popular German newsmagazine Der Spiegel reported that the U.S. National Security Agency (NSA) collects Windows crash reports from its global wiretaps to sniff out details of targeted PCs, including the installed software and operating systems, down to the version numbers and whether the programs or OSes have been patched; application and operating system crashes that signal vulnerabilities that could be exploited with malware; and even the devices and peripherals that have been plugged into the computers.

“This information would definitely give an attacker a significant advantage. It would give them a blueprint of the [targeted] network,” said Alex Watson, director of threat research at Websense, which on Sunday published preliminary findings of its Windows error-reporting investigation. Watson will present Websense’s discovery in more detail at the RSA Conference in San Francisco on Feb. 24.

Sniffing crash reports using low-volume “man-in-the-middle” methods — the classic is a rogue Wi-Fi hotspot in a public place — wouldn’t deliver enough information to be valuable, said Watson, but a wiretap at the ISP level, the kind the NSA is alleged to have in place around the world, would.

“At the [intelligence] agency level, where they can spend the time to collect information on billions of PCs, this is an incredible tool,” said Watson.

And it’s not difficult to obtain the information.

Microsoft does not encrypt the initial crash reports, said Watson, which include both those that prompt the user before they’re sent as well as others that do not. Instead, they’re transmitted to Microsoft’s servers “in the clear,” or over standard HTTP connections.

If a hacker or intelligence agency can insert themselves into the traffic stream, they can pluck out the crash reports for analysis without worrying about having to crack encryption.

And the reports from what Microsoft calls “Windows Error Reporting” (ERS), but which is also known as “Dr. Watson,” contain a wealth of information on the specific PC.

When a device is plugged into a Windows PC’s USB port, for example — say an iPhone to sync it with iTunes — an automatic report is sent to Microsoft that contains the device identifier and manufacturer, the Windows version, the maker and model of the PC, the version of the system’s BIOS and a unique machine identifier.

By comparing the data with publicly-available databases of device and PC IDs, Websense was able to establish that an iPhone 5 had been plugged into a Sony Vaio notebook, and even nail the latter’s machine ID.

If hackers are looking for systems running outdated, and thus, vulnerable versions of Windows — XP SP2, for example — the in-the-clear reports will show which ones have not been updated.

Windows Error Reporting is installed and activated by default on all PCs running Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1, Watson said, confirming that the Websense techniques of deciphering the reports worked on all those editions.

Watson characterized the chore of turning the cryptic reports into easily-understandable terms as “trivial” for accomplished attackers.

More thorough crash reports, including ones that Microsoft silently triggers from its end of the telemetry chain, contain personal information and so are encrypted and transmitted via HTTPS. “If Microsoft is curious about the report or wants to know more, they can ask your computer to send a mini core dump,” explained Watson. “Personal identifiable information in that core dump is encrypted.”

Microsoft uses the error and crash reports to spot problems in its software as well as that crafted by other developers. Widespread reports typically lead to reliability fixes deployed in non-security updates.

The Redmond, Wash. company also monitors the crash reports for evidence of as-yet-unknown malware: Unexplained and suddenly-increasing crashes may be a sign that a new exploit is in circulation, Watson said.

Microsoft often boasts of the value of the telemetry to its designers, developers and security engineers, and with good reason: An estimated 80% of the world’s billion-plus Windows PCs regularly send crash and error reports to the company.

But the unencrypted information fed to Microsoft by the initial and lowest-level reports — which Watson labeled “Stage 1” reports — comprise a dangerous leak, Watson contended.

“We’ve substantiated that this is a major risk to organizations,” said Watson.

Error reporting can be disabled manually on a machine-by-machine basis, or in large sets by IT administrators using Group Policy settings.

Websense recommended that businesses and other organizations redirect the report traffic on their network to an internal server, where it can be encrypted before being forwarded to Microsoft.
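The two mitigations above (disable reporting through Group Policy, or redirect it to an internal collector that forwards to Microsoft over an encrypted channel) as an added example, not code from the article or from Websense. It reads and sets the documented WER policy registry values (Disabled, CorporateWerServer, CorporateWerPortNumber, CorporateWerUseSSL); the collector name is a placeholder, and the port default of 1273 is the policy's own default as assumed here.

```powershell
# Added example: audit where this machine's error reports would go, and
# optionally point them at an internal collector instead of Microsoft.
# The value names are the documented WER policy settings; the server name
# below is a placeholder for your own collector.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Get-WerPosture {
    # Returns one object describing the reporting path for this host.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $disabled = [bool]($p.Disabled -eq 1)
    $server   = $p.CorporateWerServer
    $useSsl   = [bool]($p.CorporateWerUseSSL -eq 1)

    # Only the default path sends Stage 1 reports to Microsoft over plain HTTP.
    $verdict = if ($disabled)               { 'Reporting disabled' }
               elseif ($server -and $useSsl) { "Redirected to $server over SSL" }
               elseif ($server)              { "Redirected to $server in the clear" }
               else { 'Default: Stage 1 reports go to Microsoft over HTTP' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Disabled     = $disabled
        Server       = $server
        UseSSL       = $useSsl
        Verdict      = $verdict
    }
}

function Set-WerCorporateServer {
    # Redirects reports to an internal collector. Machine-wide policy values,
    # so this needs an elevated shell (or deploy the same values via GPO).
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 1273,          # assumed default port of the corporate WER policy
        [switch]$NoSSL              # leave unset to keep the client-to-collector hop encrypted
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name CorporateWerServer     -Value $Server -Type String
    Set-ItemProperty -Path $PolicyKey -Name CorporateWerPortNumber -Value $Port   -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name CorporateWerUseSSL     -Value ([int](-not $NoSSL)) -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name Disabled               -Value 0       -Type DWord
}

function Disable-WerReporting {
    # The blunt option: no reports leave the host at all.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Disabled -Value 1 -Type DWord
}

# Audit first; the setters are only called deliberately, e.g.
# Set-WerCorporateServer -Server 'wer-collector.example.internal'
Get-WerPosture | Format-List
```

Run Get-WerPosture across a fleet (for example via Invoke-Command) to find the hosts still on the default path before changing anything.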

But to turn it off entirely would be to throw away a solid diagnostic tool, Watson argued. ERS can provide insights not only to hackers and spying eavesdroppers, but also the IT departments.

“[ERS] does the legwork, and can let [IT] see where vulnerabilities might exist, or whether rogue software or malware is on the network,” Watson said. “It can also show the uptake on BYOD [bring your own device] policies,” he added, referring to the automatic USB device reports.

Microsoft should encrypt all ERS data that’s sent from customer PCs to its servers, Watson asserted.

A Microsoft spokesperson asked to comment on the Websense and Der Spiegel reports said, “Microsoft does not provide any government with direct or unfettered access to our customer’s data. We would have significant concerns if the allegations about government actions are true.”

The spokesperson added that, “Secure Socket Layer connections are regularly established to communicate details contained in Windows error reports,” which is only partially true, as Stage 1 reports are not encrypted, a fact that Microsoft’s own documentation makes clear.

“The software ‘parameters’ information, which includes such information as the application name and version, module name and version, and exception code, is not encrypted,” Microsoft acknowledged in a document about ERS.

Source:  computerworld.com

Windows 7 given a reprieve of sorts to extend OEM sales

Friday, December 13th, 2013

October 30, 2014 is no longer the cut off date—well, at least for now.

Microsoft updated its Windows lifecycle table last week, quietly announcing that OEMs would have to cease preinstalling Windows 7 on new systems by October 30, 2014. Retail boxed copies of the operating system have already ceased, ending on October 30 of this year.

But the company has now removed that 2014 date, claiming that it was a mistake. The date is now “to be determined.” The issued statement about the mistake reads:

“We have yet to determine the end of sales date for PCs with Windows 7 preinstalled. The October 30, 2014 date that posted to the Windows Lifecycle page globally last week was done so in error. We have since updated the website to note the correct information; however, some non-English language pages may take longer to revert to correctly reflect that the end of sales date is ‘to be determined.’ We apologize for any confusion this may have caused our customers. We’ll have more details to share about the Windows 7 lifecycle once they become available.”

This of course leaves open the possibility that the October 30, 2014 date could be the cut-off.

As things stand, Windows 7 is still due to leave mainstream support on January 13, 2015, giving Windows 7 systems just a few months of full support. Extended support—which for the most part means “security fixes”—is due to run until January 14, 2020.

More pressing is the end of Windows XP’s extended support, which is still due to terminate on April 8, 2014.

Source:  arstechnica.com

Microsoft exec hints at separate Windows release trains for consumers, business

Monday, December 9th, 2013

Resistance from enterprises, and Ballmer’s departure, may be changing Microsoft’s mind

Microsoft may revert to separate release schedules for consumer and business versions of Windows, the company’s top operating system executive hinted this week.

At a technology symposium hosted by financial services giant Credit Suisse, Tony Myerson acknowledged the operating system adoption chasm between consumers and more conservative corporations. Myerson, who formerly led the Windows Phone team, was promoted in July to head all client-based OS development, including that for smartphones, tablets, PCs and the Xbox game console.

“The world has shown that these two different customers really have divergent needs,” said Myerson Wednesday, according to a transcript of his time on stage. “And there may be different cadences, or different ways in which we talk to those two customers. And so [while Windows] 8.1 and [Windows] 8.1 Pro both came at the same time, it’s not clear to me that’s the right way to serve the consumer market. [But] it may be the right way to continue serving the enterprise market.”

Myerson’s comment hinted at a return to a practice last used in the early years of this century, when Microsoft delivered new operating systems to the company’s consumer and commercial customers on different schedules.

Before 2001’s arrival of Windows XP — when Microsoft shipped consumer and business versions simultaneously — Microsoft aimed different products, with different names, at each category. In 2000, for example, Microsoft delivered Windows ME, for “Millennium Edition,” to consumers and Windows 2000 to businesses. Prior to that, Windows 95, although widely used in businesses, was the consumer-oriented edition, while Windows NT 4.0, which launched in 1996, targeted business PCs and servers.

The update/upgrade-acceptance gap between consumers and businesses reappeared after Microsoft last year said it would accelerate its development and release schedule for Windows, then delivered on the first example of that tempo, Windows 8.1, just a year after the launch of its predecessor.

Enterprises have become nervous about the cadence, say analysts. Businesses as a rule are much more conservative about upgrading their machines’ operating systems than are consumers: The former must spend thousands, even millions, to migrate from one version to another, and must test the compatibility of in-house and mission-critical applications, then rewrite them if they don’t work.

That conservative approach to upgrades was a major reason why Windows XP retained a stranglehold on business PCs for more than a decade, and why Windows 7, not Windows 8 or 8.1, has replaced it.

It’s extremely difficult to serve both masters — consumer and commercial — equally well, said Patrick Moorhead, principal analyst at Moor Insights & Strategy. “No one has yet mastered being good on enterprise and good on consumer,” said Moorhead in an interview. “[The two] are on completely different cycles.”

In October, outgoing CEO Steve Ballmer dismissed concerns over the faster pace. At a Gartner Research-sponsored conference, when analyst David Cearley noted, “Enterprises are concerned about that accelerated delivery cycle,” Ballmer simply shook his head.

“Let me push back,” said Ballmer, “and say, ‘Not really.’ If our customers have to take DVDs from us, install them, and do customer-premise software, you’re saying to us ‘Don’t upgrade that software very often … two to three years is perfect.’ But if we deliver something to you that’s a service, as we do with Office 365, our customers are telling us, ‘We want to be up to date at all times.'”

Another Gartner analyst, Michael Silver, countered Ballmer’s claim. “Organizations need to be afraid of what’s to come,” Silver said at the time. “If [companies] get on this release train, Microsoft will take them where [Microsoft] wants to go, or [Microsoft] will run them over.”

Myerson’s hint of separate release trains, to use Silver’s terminology, may be a repudiation of Ballmer’s contention. Or not.

His statement of, “It may be the right way to continue serving the enterprise market,” could be interpreted to mean that Microsoft will maintain an accelerated tempo for business versions of Windows — one faster than the three years between upgrades that the company has used in the past — and speed up Windows updates to consumers even more.

“The consumer really is ready for things to be upgraded on their own,” Myerson said.

“Microsoft’s biggest strategic question is, ‘Am I an enterprise company or a consumer company, or both?’” said Moorhead. “Something has to break here.”

And one crack might be, according to Myerson, a separation of consumer and commercial on Windows.

Source:  infoworld.com

Study finds zero-day vulnerabilities abound in popular software

Friday, December 6th, 2013

Subscribers to organizations that sell exploits for vulnerabilities not yet known to software developers gain daily access to scores of flaws in the world’s most popular technology, a study shows.

NSS Labs, which is in the business of testing security products for corporate subscribers, found that over the last three years, subscribers of two major vulnerability programs had access on any given day to at least 58 exploitable flaws in Microsoft, Apple, Oracle or Adobe products.

In addition, NSS labs found that an average of 151 days passed from the time when the programs purchased a vulnerability from a researcher and the affected vendor released a patch.

The findings, released Thursday, were based on an analysis of 10 years of data from TippingPoint, a network security maker Hewlett-Packard acquired in 2010, and iDefense, a security intelligence service owned by VeriSign. Both organizations buy vulnerabilities, inform subscribers and work with vendors in producing patches.

Stefan Frei, NSS research director and author of the report, said the actual number of secret vulnerabilities available to cybercriminals, government agencies and corporations is much larger, because of the amount of money they are willing to pay.

Cybercriminals will buy so-called zero-day vulnerabilities in the black market, while government agencies and corporations purchase them from brokers and exploit clearinghouses, such as VUPEN Security, ReVuln, Endgame Systems, Exodus Intelligence and Netragard.

The six vendors collectively can provide at least 100 exploits per year to subscribers, Frei said. According to a February 2010 price list, Endgame sold 25 zero-day exploits a year for $2.5 million.

In July, Netragard founder Adriel Desautels told The New York Times that the average vulnerability sells from around $35,000 to $160,000.

Part of the reason vulnerabilities are always present is developer error; another is that software makers are in the business of selling product, experts say. The latter means meeting deadlines for shipping software often trumps spending additional time and money on security.

Because of the number of vulnerabilities bought and sold, companies that believe their intellectual property makes them prime targets for well-financed hackers should assume their computer systems have already been breached, Frei said.

“One hundred percent prevention is not possible,” he said.

Therefore, companies need to have the experts and security tools in place to detect compromises, Frei said. Once a breach is discovered, then there should be a well-defined plan in place for dealing with it.

That plan should include gathering forensic evidence to determine how the breach occurred. In addition, all software on the infected systems should be removed and reinstalled.

Steps taken following a breach should be reviewed regularly to make sure they are up to date.

Source:  csoonline.com

Microsoft ends Windows 7 retail sales

Friday, December 6th, 2013

Sets October 2014 cut-off for sales to OEMs

Microsoft has quietly ended retail sales of Windows 7, according to a notice on its website.

The company’s policies for shutting off sales to retailers and shipping licenses to OEMs (original equipment manufacturers) are posted on its site, which was recently updated to show that Windows 7’s “retail end of sales” date was Oct. 30.

The next deadline, marked as “End of sales for PCs with Windows preinstalled,” will be Oct. 30, 2014, less than a year away.

Microsoft’s practice, first defined in 2010, is to stop selling an older operating system in retail one year after the launch of its successor, and halt delivery of the previous Windows edition to OEMs two years after a new version launches. The company shipped Windows 8, Windows 7’s replacement, in October 2012.

As recently as late September, the last time Computerworld cited the online resource, Microsoft had not filled in the deadlines for Windows 7. At the time, Computerworld said that the end-of-October dates were the most likely.

A check of Microsoft’s own online store showed that the company has pulled Windows 7 from those virtual shelves.

In practical terms, the end-of-retail-sales date has been an artificial and largely meaningless deadline, as online retailers have continued to sell packaged copies, sometimes for years, by restocking through distributors which squirreled away older editions.

Today, for example, Amazon.com had a plentiful supply of various versions of Windows 7 available to ship, as did technology specialist Newegg.com. The former also listed copies of Windows Vista and even Windows XP for sale through partners.

Microsoft also makes a special exception for retail sales, telling customers that between the first and second end-of-sale deadlines they can purchase Windows 7 from computer makers. “When the retail software product reaches its end of sales date, it can still be purchased through OEMs (the company that made your PC) until it reaches the end of sales date for PCs with Windows preinstalled,” the company’s website stated.

The firmer deadline is the second, the one for offering licenses to OEMs. According to Microsoft, it “will continue to allow OEMs to sell PCs preinstalled with the previous version for up to two years after the launch date of the new version” (emphasis added).

After that date, Microsoft shuts off the spigot, more or less, although OEMs, especially smaller “white box” builders, can and often do stockpile licenses prior to the cut-off.

But officially, the major PC vendors — like Dell, Hewlett-Packard and Lenovo — will discontinue most Windows 7 PC sales in October 2014, making Windows 8 and its follow-ups, including Windows 8.1, the default.

Even then, however, there are ways to circumvent the shut-down. Windows 8 Pro, the more expensive of the two public editions, includes “downgrade” rights that allow PC owners to legally install an older OS. OEMs and system builders can also use downgrade rights to sell a Windows 8- or Windows 8.1-licensed system, but factory-downgrade it to Windows 7 Professional before it ships.

Enterprises with volume license agreements are not at risk of losing access to Windows 7, as they are granted downgrade rights as part of those agreements. In other words, while Microsoft may try to stymie Windows 7 sales, the 2009 operating system will long remain a standard.

As of the end of November, approximately 46.6% of all personal computers ran Windows 7, according to Web measurement vendor Net Applications, a number that represented 51.3% of all the systems running Windows.

Source:  computerworld.com

Microsoft disrupts ZeroAccess web fraud botnet

Friday, December 6th, 2013

ZeroAccess, one of the world’s largest botnets – a network of computers infected with malware to trigger online fraud – has been disrupted by Microsoft and law enforcement agencies.

ZeroAccess hijacks web search results and redirects users to potentially dangerous sites to steal their details.

It also generates fraudulent ad clicks on infected computers then claims payouts from duped advertisers.

Also called the Sirefef botnet, ZeroAccess has infected two million computers.

The botnet targets search results on Google, Bing and Yahoo search engines and is estimated to cost online advertisers $2.7m (£1.7m) per month.

Microsoft said it had been authorised by US regulators to “block incoming and outgoing communications between computers located in the US and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes”.

In addition, the firm has also taken control of 49 domains associated with ZeroAccess.

David Finn, executive director of Microsoft Digital Crimes Unit, said the disruption “will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection”.

‘Most robust’

The ZeroAccess botnet relies on waves of communication between groups of infected computers, instead of being controlled by a few servers.

This allows cyber criminals to control the botnet remotely from a range of computers, making it difficult to tackle.

According to Microsoft, more than 800,000 ZeroAccess-infected computers were active on the internet on any given day as of October this year.

“Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today and was built to be resilient to disruption efforts,” Microsoft said.

However, the firm said its latest action is “expected to significantly disrupt the botnet’s operation, increasing the cost and risk for cyber criminals to continue doing business and preventing victims’ computers from committing fraudulent schemes”.

Microsoft said its Digital Crimes Unit collaborated with the US Federal Bureau of Investigation (FBI) and Europol’s European Cybercrime Centre (EC3) to disrupt the operations.

Earlier this year, security firm Symantec said it had disabled nearly 500,000 computers infected by ZeroAccess and taken them out of the botnet.

Source: BBC

Microsoft and Symantec push to combat key, code-signed malware

Wednesday, October 23rd, 2013

Code-signed malware hot spots said to be China, Brazil, South Korea

An alarming growth in malware signed with fraudulently obtained keys and code-signing certificates in order to trick users to download harmful code is prompting Microsoft and Symantec to push for tighter controls in the way the world’s certificate authorities issue these keys used in code-signing.

It’s not just stolen keys that are the problem in code-signed malware but “keys issued to people who aren’t who they say they are,” says Dean Coclin, senior director of business development in the trust services division at Symantec.

Coclin says China, Brazil and South Korea are the hot spots today where the problem of malware signed with certificates and keys obtained from certificate authorities is the worst right now. “We need a uniform way to vet companies and individuals around the world,” says Coclin. He says that doesn’t really exist today for certificates used in code-signing, but Microsoft and Symantec are about to float a plan that might change that.

Code-signed malware appears to be aimed mostly at Microsoft Windows and Java, maintained by Oracle, says Coclin, adding that malicious code-signing of Android apps has also quickly become a lawless “Wild West.”

Under the auspices of the Certificate Authority/ Browser Forum, an industry group in which Microsoft and Symantec are members, the two companies next month plan to put forward what Coclin describes as proposed new “baseline requirements and audit guidelines” that certificate authorities would have to follow to verify the identity of purchasers of code-signing certificates. Microsoft is keenly interested in this effort because “Microsoft is out to protect Windows,” says Coclin.

These new identity-proofing requirements will be detailed next month in the upcoming CAB Forum document from its Code-Signing Group. The underlying concept is that certificate authorities would have to follow more stringent practices related to proofing identity, Coclin says.

The CAB Forum includes the main Internet browser software makers, Microsoft, Google, Opera Software and The Mozilla Foundation, combined with many of the major certificate authorities, including Symantec’s own certificate authority units Thawte and VeriSign, which earlier acquired GeoTrust.

Several other certificate authorities, including Comodo, GoDaddy, GlobalSign, Trustwave and Network Solutions, are also CAB Forum members, plus a number of certificate authorities based abroad, such as Chunghwa Telecom Co. Ltd., Swisscom, TURKTRUST and TAIWAN-CA, Inc. It’s part of a vast and larger commercial certificate authority global infrastructure with numerous sub-authorities operating in a root-based chain of trust. Outside this commercial certificate authority structure, governments and enterprises also use their own controlled certificate authority systems to issue and manage digital certificates for code-signing purposes.

Use of digital certificates for code-signing isn’t as widespread as that for SSL, for example, but as detailed in the new White Paper on the topic from the industry group called the CA Security Council, code-signing is intended to assure the identity of software publishers and ensure that the signed code has not been tampered with.

Coclin, who is co-chair of the CAB Forum, says precise details about new anti-fraud measures for proofing the identity of those buying code-signing certificates from certificate authorities will be unveiled next month and subject to a 60-day comment period. These new proposed identity-proofing requirements will be discussed at a meeting planned in February at Google before any adoption of them.

The CAB Forum’s code-signing group is expected to espouse changes related to security that may impact software vendors and enterprises that use code-signing in their software development efforts so the CAB Forum wants maximum feedback before going ahead with its ideas on improving security in certificate issuance.

Coclin points out that commercial certificate authorities today must pass certain audits done by KPMG or PricewaterhouseCoopers, for example. In the future, if new requirements say certificate authorities have to verify the identity of customers in a certain way and they don’t do it properly, that information could be shared with an Internet browser maker like Microsoft, which makes the Internet Explorer browser. Because browsers play a central role in the certificate-based code-signing process, Microsoft, for example, could take action to ensure its browser and OS do not recognize certificates issued by certificate authorities that violate any new identity-proofing procedures. But how any of this shakes out remains to be seen.

McAfee, which unlike Symantec doesn’t have a certificate authority business unit and is not a member of the CAB Forum, last month at its annual user conference presented its own research about how legitimate certificates are increasingly being used to sign malware in order to trick victims into downloading malicious code.

“The certificates aren’t actually malicious — they’re not forged or stolen, they’re abused,” said McAfee researcher Dave Marcus. He said in many instances, according to McAfee’s research on code-signed malware, the attacker has gone out and obtained legitimate certificates from a company associated with top-root certificate authorities such as Comodo, Thawte or VeriSign. McAfee has taken to calling this the problem of “abused certificates,” an expression that’s not yet widespread in the industry as a term to describe the threat.

Coclin notes that one idea that would advance security would be to have a “code-signing portal” where a certificate authority could scan the submitted code to be checked for signs of malware before it was signed. He also said a good practice is hardware-based keys and security modules to better protect private keys used as part of the code-signing process.

Source:  networkworld.com

Windows RT 8.1 update temporarily pulled due to a “situation”

Monday, October 21st, 2013

Some devices left unbootable after installing the update.

The Windows RT 8.1 update for devices such as Microsoft’s Surface RT has been removed from the Windows Store temporarily, after a “situation” prevented a “limited number of users” from being able to upgrade successfully.

The problem appears to be that the update is damaging certain boot data, causing affected machines to blue screen on startup. The issue is recoverable if you’ve created a recovery USB key (or have access to a machine that can create one), but Microsoft currently appears to have no easy way to create a suitable USB key from non-ARM machines.

To call this embarrassing for Microsoft is something of an understatement. While x86 PCs have extraordinary diversity in terms of hardware, software, and drivers—all things that can prevent straightforward upgrading—the Windows RT devices are extremely limited in this regard. Upgrading Windows RT tablets should be absolutely bulletproof. It’s very disappointing that it isn’t.

Update: Partially alleviating the problem, Microsoft has released a system image for Windows RT 8.1, so as long as you have another PC and a USB key, it should now be relatively easy to recover from broken upgrades.

Source:  arstechnica.com

Schools’ use of cloud services puts student privacy at risk

Tuesday, September 24th, 2013

Vendors should promise not to use targeted advertising and behavioral profiling, SafeGov said

Schools that compel students to use commercial cloud services for email and documents are putting privacy at risk, says a campaign group calling for strict controls on the use of such services in education.

A core problem is that cloud providers force schools to accept policies that authorize user profiling and online behavioral advertising. Some cloud privacy policies stipulate that students are also bound by these policies, even when they have not had the opportunity to grant or withhold their consent, said privacy campaign group SafeGov.org in a report released on Monday.

There is also the risk of commercial data mining. “When school cloud services derive from ad-supported consumer services that rely on powerful user profiling and tracking algorithms, it may be technically difficult for the cloud provider to turn off these functions even when ads are not being served,” the report said.

Furthermore, because providers fail to create interfaces that distinguish between ad-free and ad-supported versions, students may be lured from ad-free services for school use to consumer ad-driven services that engage in highly intrusive processing of personal information, according to the report. This could be the case with email, online video, networking and basic search.

Also, contracts used by cloud providers don’t guarantee ad-free services because they are ambiguously worded and include the option to serve ads, the report said.

SafeGov has sought support from European Data Protection Authorities (DPAs), some of which endorsed the use of codes of conduct establishing rules to which schools and cloud providers could voluntarily agree. Such codes should include a binding pledge to ban targeted advertising in schools as well as the processing or secondary use of data for advertising purposes, SafeGov recommended.

“We think any provider of cloud computing services to schools (Google Apps and Microsoft 365 included) should sign up to follow the Codes of Conduct outlined in the report,” said a SafeGov spokeswoman in an email.

Even when ad serving is disabled the privacy of students may still be jeopardized, the report said.

For example, while Google’s policy for Google Apps for Education states that no ads will be shown to enrolled students, there could still be a privacy problem, according to SafeGov.

“Based on our research, school and government customers of Google Apps are encouraged to add ‘non-core’ (ad-based) Google services such as search or YouTube, to the Google Apps for Education interface, which takes students from a purportedly ad-free environment to an ad-driven one,” the spokeswoman said.

“In at least one case we know of, it also requires the school to force students to accept the privacy policy before being able to continue using their accounts,” she said, adding that when this is done the user can click through to the ad-supported service without a warning that they will be profiled and tracked.

This issue was flagged by the French and Swedish DPAs, the spokeswoman said.

In September, the Swedish DPA ordered a school to stop using Google Apps or sign a reworked agreement with Google because the current terms of use lacked specifics on how personal data is being handled and didn’t comply with local data laws.

However, there are some initiatives that are encouraging, the spokeswoman said.

Microsoft’s Bing for Schools initiative, an ad-free, no-cost version of its Bing search engine that can be used in public and private schools across the U.S., is one of them, she said. “This is one of the things SafeGov is trying to accomplish with the Codes of Conduct — taking out ad-serving features completely when providing cloud services in schools. This would remove the ad-profiling risk for students,” she said.

Microsoft and Google did not respond to a request for comment.

Source:  computerworld.com

iOS and Android weaknesses allow stealthy pilfering of website credentials

Thursday, August 29th, 2013

Computer scientists have uncovered architectural weaknesses in both the iOS and Android mobile operating systems that make it possible for hackers to steal sensitive user data and login credentials for popular e-mail and storage services.

Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.

The most serious of the attacks worked on both iOS and Android devices and required only that an end-user click on a booby-trapped link in the official Google Plus app. Behind the scenes, a script sent instructions that caused a text-editing app known as PlainText to send documents and text input to a Dropbox account controlled by the researchers. The attack worked against other apps, including TopNotes and Nocs.

“The problem here is that iOS and Android do not have this origin-based protection to regulate the interactions between those apps and between an app and another app’s Web content,” XiaoFeng Wang, a professor in Indiana University’s School of Informatics and Computing, told Ars. “As a result, we show that origins can be crossed and the same XSS and CSRF can happen.” The paper, titled Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation, was recently accepted by the 20th ACM Conference on Computer and Communications Security.

All your credentials belong to us

The PlainText app in this demonstration video was not configured to work with Dropbox. But even if the app had been set up to connect to the storage service, the attack could make it connect to the attacker’s account rather than the legitimate account belonging to the user, Wang said. All that was required was for the iPad user to click on the malicious link in the Google Plus app. In the researchers’ experiments, Android devices were susceptible to the same attack.

A separate series of attacks was able to retrieve the multi-character security tokens Android apps use to access private accounts on Facebook and Dropbox. Once the credentials are exposed, attackers could use them to download photos, documents, or other sensitive files stored in the online services. The attack, which relied on a malicious app already installed on the handset, exploited the lack of same-origin policy enforcement to bypass Android’s “sandbox” security protection. Google developers explicitly designed the mechanism to prevent one app from being able to access browser cookies, contacts, and other sensitive content created by another app unless a user overrides the restriction.

All attacks described in the 12-page paper have been confirmed by Dropbox, Facebook, and the other third-party websites whose apps were tested, Wang said. Most of the vulnerabilities have been fixed, but in many cases the patches were extremely hard to develop and took months to implement. The scientists went on to create a proof-of-concept app they called Morbs that provides OS-level protection across all apps on an Android device. It works by labeling each message with information about its origin and could make it easier for developers to specify and enforce security policies based on the sites where security tokens and other sensitive information originate.

As mentioned earlier, desktop browsers have long steadfastly enforced a same-origin policy that makes it impossible for JavaScript and other code from a domain like evilhacker.com to access cookies or other sensitive content from a site like trustedbank.com. In the world of mobile apps, the central role of the browser—and the gate-keeper service it provided—has largely come undone. It’s encouraging to know that the developers of the vulnerable apps took this research so seriously. Facebook awarded the researchers at least $7,000 in bounties (which the researchers donated to charity), and Dropbox offered valuable premium services in exchange for the private vulnerability report. But depending on a patchwork of fixes from each app maker is problematic given the difficulty and time involved in coming up with patches.

A better approach is for Apple and Google developers to implement something like Morbs that works across the board.

“Our research shows that in the absence of such protection, the mobile channels can be easily abused to gain unauthorized access to a user’s sensitive resources,” the researchers—who besides Wang, included Rui Wang and Shuo Chen of Microsoft and Luyi Xing of Indiana University—wrote. “We found five cross-origin issues in popular [software development kits] and high-profile apps such as Facebook and Dropbox, which can be exploited to steal their users’ authentication credentials and other confidential information such as ‘text’ input. Moreover, without the OS support for origin-based protection, not only is app development shown to be prone to such cross-origin flaws, but the developer may also have trouble fixing the flaws even after they are discovered.”
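The origin comparison the article keeps coming back to is mechanical: two URLs share an origin only when scheme, host and port all match, and a gatekeeper that labels every message with the origin of the content that produced it can refuse cross-origin access to stored tokens without each app re-implementing the rule. The following is an added illustration in Python, written for this page; it is not code from the paper or from the researchers’ Morbs prototype. The `OriginGatedStore` class, the `Message` shape and the `app://` handling are assumptions made for the example; the site names are the article’s own evilhacker.com and trustedbank.com.

```python
"""Origin-based gating of stored credentials, in the spirit of the same-origin policy.
Added illustration for this page, not code from the paper or the Morbs prototype."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Default ports used when a URL omits one (origin comparison as in RFC 6454).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) triple that identifies a URL's origin.

    Non-web schemes (e.g. a hypothetical app:// origin for a local app) are
    kept as distinct origins with whatever port they carry, usually None.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme or not parts.hostname:
        raise ValueError(f"cannot derive an origin from {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and port all match; paths never matter."""
    return origin_of(url_a) == origin_of(url_b)


@dataclass(frozen=True)
class Message:
    """A message labelled with the origin of the web content that produced it."""
    origin: str   # where the script or content that sent this message came from
    target: str   # the resource (URL) the message wants to act on
    action: str   # e.g. "read_token"


class OriginGatedStore:
    """Holds per-site credentials and releases them only to same-origin callers."""

    def __init__(self) -> None:
        self._tokens: dict = {}
        self.denied: list = []   # audit trail of refused cross-origin requests

    def store_token(self, site_url: str, token: str) -> None:
        self._tokens[origin_of(site_url)] = token

    def handle(self, msg: Message) -> Optional[str]:
        # The origin label travels with the message, so the check is made once,
        # centrally, instead of relying on every app to get it right.
        if msg.action != "read_token":
            return None
        if not same_origin(msg.origin, msg.target):
            self.denied.append((origin_of(msg.origin), origin_of(msg.target)))
            return None
        return self._tokens.get(origin_of(msg.target))


def run_demo() -> dict:
    """Constructed scenario: one legitimate request, one cross-site, one scheme downgrade."""
    store = OriginGatedStore()
    store.store_token("https://trustedbank.com/", "bank-session-token")
    legit = Message("https://trustedbank.com/account", "https://trustedbank.com/api", "read_token")
    cross = Message("https://evilhacker.com/page", "https://trustedbank.com/api", "read_token")
    downgraded = Message("http://trustedbank.com/", "https://trustedbank.com/api", "read_token")
    return {
        "same_origin": store.handle(legit),          # token released
        "cross_origin": store.handle(cross),         # refused
        "scheme_mismatch": store.handle(downgraded), # refused: http is not https
        "denied_count": len(store.denied),
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that a subdomain (accounts.trustedbank.com) and a scheme change (http vs https) are both different origins; the store treats them exactly like evilhacker.com, which is the behaviour desktop browsers enforce and the mobile apps in the study lacked.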

Source:  arstechnica.com

Amazon and Microsoft, beware—VMware cloud is more ambitious than we thought

Tuesday, August 27th, 2013


Desktops, disaster recovery, IaaS, and PaaS make VMware’s cloud compelling.

VMware today announced that vCloud Hybrid Service, its first public infrastructure-as-a-service (IaaS) cloud, will become generally available in September. That’s no surprise, as we already knew it was slated to go live this quarter.

What is surprising is just how extensive the cloud will be. When first announced, vCloud Hybrid Service was described as infrastructure-as-a-service that integrates directly with VMware environments. Customers running lots of applications in-house on VMware infrastructure can use the cloud to expand their capacity without buying new hardware and manage both their on-premises and off-premises deployments as one.

That’s still the core of vCloud Hybrid Service—but in addition to the more traditional infrastructure-as-a-service, VMware will also have a desktops-as-a-service offering, letting businesses deploy virtual desktops to employees without needing any new hardware in their own data centers. There will also be disaster recovery-as-a-service, letting customers automatically replicate applications and data to vCloud Hybrid Service instead of their own data centers. Finally, support for the open source distribution of Cloud Foundry and Pivotal’s deployment of Cloud Foundry will let customers run a platform-as-a-service (PaaS) in vCloud Hybrid Service. Unlike IaaS, PaaS tends to be optimized for building and hosting applications without having to manage operating systems and virtual computing infrastructure.

While the core IaaS service and connections to on-premises deployments will be generally available in September, the other services aren’t quite ready. Both disaster recovery and desktops-as-a-service will enter beta in the fourth quarter of this year. Support for Cloud Foundry will also be available in the fourth quarter. Pricing information for vCloud Hybrid Service is available on VMware’s site. More details on how it works are available in our previous coverage.

Competitive against multiple clouds

All of this gives VMware a compelling alternative to Amazon and Microsoft. Amazon is still the clear leader in infrastructure-as-a-service and likely will be for the foreseeable future. However, VMware’s IaaS will be useful to customers who rely heavily on VMware internally and want a consistent management environment on-premises and in the cloud.

VMware and Microsoft have similar approaches, offering a virtualization platform as well as a public cloud (Windows Azure in Microsoft’s case) that integrates with customers’ on-premises deployments. By wrapping Cloud Foundry into vCloud Hybrid Service, VMware combines IaaS and PaaS into a single cloud service just as Microsoft does.

VMware is going beyond Microsoft by also offering desktops-as-a-service. We don’t have a ton of detail here, but it will be an extension of VMware’s pre-existing virtual desktop products that let customers host desktop images in their data centers and give employees remote access to them. With “VMware Horizon View Desktop-as-a-Service,” customers will be able to deploy virtual desktop infrastructure either in-house or on the VMware cloud and manage it all together. VMware’s hybrid cloud head honcho, Bill Fathers, said much of the work of adding and configuring new users will be taken care of automatically.

The disaster recovery-as-a-service builds on VMware’s Site Recovery Manager, letting customers see the public cloud as a recovery destination along with their own data centers.

“The disaster recovery use case is something we want to really dominate as a market opportunity,” Fathers said in a press conference today. At first, it will focus on using “existing replication capabilities to replicate into the vCloud Hybrid Service. Going forward, VMware will try to provide increasing levels of automation and more flexibility in configuring different disaster recovery destinations,” he said.

vCloud Hybrid Service will be hosted in VMware data centers in Las Vegas, NV, Sterling, VA, Santa Clara, CA, and Dallas, TX, as well as data centers operated by Savvis in New York and Chicago. Non-US data centers are expected to join the fun next year.

When asked if VMware will support movement of applications between vCloud Hybrid Service and other clouds, like Amazon’s, Fathers said the core focus is ensuring compatibility between customers’ existing VMware deployments and the VMware cloud. However, he said VMware is working with partners who “specialize in that level of abstraction” to allow portability of applications from VMware’s cloud to others and vice versa. Naturally, VMware would really prefer it if you just use VMware software and nothing else.

Source:  arstechnica.com

Update for deprecation of MD5 hashing algorithm for Microsoft Root Certificate Program

Thursday, August 22nd, 2013

Executive Summary

Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

The update is available on the Download Center for all affected releases of Microsoft Windows except for Windows RT (no update for Windows RT is available at this time). In addition, Microsoft is planning to release this update through Microsoft Update on February 11, 2014 after customers have a chance to assess the impact of this update and take necessary actions in their environments.

Recommendation

Microsoft recommends that customers download, test, and apply the update at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.

Note that the 2862966 update is a prerequisite and must be applied before this update can be installed. The 2862966 update contains associated framework changes to Microsoft Windows. For more information, see Microsoft Knowledge Base Article 2862966.

Known Issues

Microsoft Knowledge Base Article 2862973 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.
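The advisory asks customers to assess the impact before the February 11 Microsoft Update rollout, and the first step of that assessment is finding certificates whose signature still uses MD5. The check below is an added example written for this page, not Microsoft’s tooling: it reads the OBJECT IDENTIFIER in the outer `signatureAlgorithm` field of a DER-encoded certificate using only the Python standard library and flags the two MD5-with-RSA OIDs. The `make_stub_certificate` helper builds a constructed stand-in with the real outer layout so the check can be exercised offline; it is not a valid certificate.

```python
"""Flag certificates whose signature uses MD5, ahead of the restriction above.

Added example, not Microsoft's tooling. Only the standard library is used: a DER
Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue },
and the check reads the OBJECT IDENTIFIER inside signatureAlgorithm.
"""
import ssl

MD5_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSA (obsolete OIW arc)",
}


def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Turn OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Dotted OID from the outer signatureAlgorithm field of a DER certificate."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)        # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_raw, _ = _read_tlv(alg_id, 0)   # its first element is the OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid_raw)


def uses_md5(cert_der: bytes) -> bool:
    return signature_algorithm_oid(cert_der) in MD5_SIGNATURE_OIDS


def uses_md5_pem(pem_text: str) -> bool:
    """Same check for a PEM-encoded certificate (what most tools export)."""
    return uses_md5(ssl.PEM_cert_to_DER_cert(pem_text))


# --- constructed stand-in input so the check can run offline -------------------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_stub_certificate(sig_oid: str) -> bytes:
    """Constructed DER with the real outer layout but a dummy body (not a valid cert)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                  # tbsCertificate stub
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))   # OID + NULL params
    sig = _tlv(0x03, b"\x00" + bytes(256))                                 # BIT STRING, long-form length
    return _tlv(0x30, tbs + alg + sig)


def stub_certificate_pem(sig_oid: str) -> str:
    """PEM wrapping of the constructed stub, for exercising uses_md5_pem."""
    return ssl.DER_cert_to_PEM_cert(make_stub_certificate(sig_oid))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, "MD5" if uses_md5(make_stub_certificate(oid)) else "ok")
```

On a real certificate the same function works on the bytes read from a `.cer`/`.der` file, or on PEM text via `uses_md5_pem`; the only field consulted is the outer signature algorithm, which is the hash the advisory’s restriction is about.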

Excerpt from:  microsoft.com

Microsoft botches six Windows patches in latest Automatic Update

Friday, August 16th, 2013

Microsoft acknowledges problems with KB 2876063, KB 2859537, KB 2873872, KB 2843638, KB 2843639, and KB 2868846, all released earlier this week

In an amazing tour de force, Microsoft’s Automatic Update chute released at least six bad patches on Tuesday. Here’s what’s amazing: It’s just 48 hours or so since the bomb bay doors opened, and Microsoft has acknowledged problems with all of these patches. That’s a first, I think — and the biggest positive development in the Automatic Update minefield I’ve seen in a long time.

The gory details:

  • MS13-061/KB 2876063 — a remote code execution hole in Exchange Server — has been pulled. The problem only affects Exchange 2013. From the Exchange team blog:

Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed. For those that have already installed the MS13-061 security update for Exchange Server 2013, we already have KB 2879739 that provides the steps on how to resolve this issue. However, due to this issue and that it affects all Mailbox server installations, we have decided to pull the MS13-061 security update temporarily. Note: This issue does not occur in Exchange 2010 or Exchange 2007.

To give credit where due, Microsoft may or may not be the source of the problem. According to the SANS Internet Storm Center, “Oracle … disclosed the vulnerabilities in their patch updates in April and July 2013. Microsoft licensed the vulnerable libraries from Oracle. There are also functional changes non security changes rolled up into this update.”

  • MS13-063/KB 2859537 — another botched Windows Kernel patch — has not been pulled (at least it’s still being offered on the systems I work with), but Microsoft has acknowledged at least one problem in the KB article:

Some users may experience issues with certain games after they install security update 2859537. In some cases, users may not successfully start and sign in to the games. Microsoft is researching this problem and will post more information in this article when the information becomes available.

Apparently, with this patch applied, the game Rift crashes immediately after authentication, as does Defiance. Softpedia reports that the patch causes BSODs on Windows 7 systems. One poster on the Microsoft Answers forum says it triggers an Error 0xc0000005, and “it’s not possible to run almost all applications include IE, Personalize screen, components from control panel and many other ‘native windows features and applications.'” There’s an avalanche of bug reports online, many in Russian.

Microsoft is aware of problems with the security updates described in MS13-066 that affect Active Directory Federation Services (ADFS) 2.0. The problems could cause ADFS to stop working. Microsoft has removed the updates for ADFS 2.0 from Windows Update and the Download Center. Microsoft is researching this problem and will post more information in this article when the information becomes available.

In addition:

You may experience functionality issues with security update 2843639 if you do not have update 2790338 already applied. We recommend that customers who are experiencing these issues install update 2790338. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2790338 Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0

Here’s the punch line. The SANS Internet Storm Center religiously tracks which Microsoft patches cover holes that are publicly known. For this month’s bunch, only two of the eight security bulletins — MS13-061 and MS13-063 — have known active exploits; the others have no publicly known exploits. You guessed it: Both security bulletins are causing major headaches.

Microsoft has had no end of problems with patches lately, with at least four botched patches just last month. For a change, this time the company is fessing up to it — quickly and as best I can tell accurately, and the mea culpas are posted where they’re supposed to be posted.

That’s a start.

Source:  infoworld.com

FBI, Microsoft takedown program blunts most Citadel botnets

Friday, July 26th, 2013

Microsoft estimates that 88% of botnets running the Citadel financial malware were disrupted as a result of a takedown operation launched by the company in collaboration with the FBI and partners in technology and financial services. The operation was originally announced on June 5.

Since then, almost 40% of Citadel-infected computers that were part of the targeted botnets have been cleaned, Richard Domingues Boscovich, an assistant general counsel with Microsoft’s Digital Crimes Unit, said Thursday in a blog post.

Microsoft did not immediately respond to an inquiry seeking information about how those computers were cleaned and the number of computers that remain infected with the malware.

However, Boscovich said in a different blog post on June 21 that Microsoft observed almost 1.3 million unique IP addresses connecting to a “sinkhole” system put in place by the company to replace the Citadel command-and-control servers used by attackers.

After analyzing unique IP addresses and user-agent information sent by botnet clients when connecting to the sinkhole servers, the company estimated that more than 1.9 million computers were part of the targeted botnets, Boscovich said at the time, noting that multiple computers can connect through a single IP address.

He also said that Microsoft was working with other researchers and anti-malware organizations like the Shadowserver Foundation in order to support victim notification and remediation.

The Shadowserver Foundation is an organization that works with ISPs, as well as hosting and Domain Name System (DNS) providers to identify and mitigate botnet threats.

According to statistics released Thursday by Boscovich, the countries with the highest number of IP addresses corresponding to Citadel infections between June 2 and July 21 were: Germany with 15% of the total, Thailand with 13%, Italy with 10%, India with 9% and Australia and Poland with 6% each. Five percent of Citadel-infected IP addresses were located in the U.S.
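The estimation method described in the two preceding paragraphs is straightforward to reproduce on sinkhole logs: unique client IPs undercount infected machines because several hosts behind one NAT share an address, so distinct (IP, user-agent) pairs give a better lower bound, and a per-country breakdown follows from geolocating the unique IPs. The following is an added example for this page and is not Microsoft’s or Shadowserver’s code; the log lines and the IP-to-country table are constructed (documentation prefixes only), and the `summarize` function name is an assumption.

```python
"""Estimate infected hosts from sinkhole connection logs.
Added example; the log lines and the IP-to-country table are constructed."""
import ipaddress
from collections import Counter

# Constructed sinkhole records: "<timestamp> <client ip> <user-agent>".
SAMPLE_LOG = """\
2013-06-10T01:00:00Z 203.0.113.10 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2013-06-10T01:00:05Z 203.0.113.10 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2013-06-10T01:00:09Z 203.0.113.10 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
2013-06-10T01:01:00Z 198.51.100.7 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2013-06-10T01:02:00Z 198.51.100.7 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2013-06-10T01:03:00Z 192.0.2.55 Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101
2013-06-10T01:03:30Z 192.0.2.55 Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
2013-06-10T01:04:00Z 192.0.2.56 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
"""

# Constructed geolocation table (documentation prefixes, not real allocations).
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "TH",
    ipaddress.ip_network("192.0.2.0/24"): "IT",
}


def parse_line(line: str):
    """Split one record into (timestamp, ip_address, user_agent)."""
    ts, ip, ua = line.split(" ", 2)
    return ts, ipaddress.ip_address(ip), ua


def country_of(ip, geo=GEO_PREFIXES) -> str:
    """Longest-prefix lookup is unnecessary here: the constructed table has no overlaps."""
    for net, cc in geo.items():
        if ip in net:
            return cc
    return "??"


def summarize(log_text: str, geo=GEO_PREFIXES) -> dict:
    """Count connections, unique IPs, estimated hosts and per-country share."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    unique_ips = {ip for _, ip, _ in records}
    # Several machines behind one NAT share an IP but usually differ in
    # user-agent, so distinct (ip, user-agent) pairs are the better lower bound.
    host_keys = {(ip, ua) for _, ip, ua in records}
    by_country = Counter(country_of(ip, geo) for ip in unique_ips)
    share = {cc: round(100 * n / len(unique_ips)) for cc, n in by_country.items()}
    return {
        "connections": len(records),
        "unique_ips": len(unique_ips),
        "estimated_hosts": len(host_keys),
        "country_share_pct": share,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In the constructed sample, 8 connections come from 4 unique addresses but 6 distinct (IP, user-agent) pairs, which is the same gap between the 1.3 million addresses and the 1.9 million machines that the article reports at a much larger scale. The (IP, user-agent) count is still a lower bound: two identical builds behind one NAT are indistinguishable by this method.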

Boscovich praised the collaboration between public and private sector organizations to disrupt the Citadel botnet.

“By combining our collective expertise and taking coordinated steps to dismantle the botnets, we have been able to significantly diminish Citadel’s operation, rescue victims from the threat, and make it more costly for the cybercriminals to continue doing business,” he said Thursday in the blog post.

However, not everyone in the security research community was happy with how the takedown effort was implemented.

Shortly after the takedown, a security researcher who runs the abuse.ch botnet tracking services estimated that around 1,000 of approximately 4,000 Citadel-related domain names seized by Microsoft during the operation were already under the control of security researchers who were using them to monitor and gather information about the botnets.

Furthermore, he criticized Microsoft for sending configuration files to Citadel-infected computers that were connecting to its sinkhole servers, saying that this action implicitly modifies settings on those computers without their owners’ consent. “In most countries, this is violating local law,” he said in a blog post on June 7.

“Citadel blocked its victims’ ability to access many legitimate anti-virus and anti-malware sites in order to prevent them from being able to remove the malware from their computer,” Boscovich said on June 11 in an emailed statement. “In order for victims to clean their computers, the court order from the U.S. District Court for the Western District of North Carolina allowed Microsoft to unblock these sites when computers from around the world checked into the command and control structure for Citadel which is hosted in the U.S.”

Source:  computerworld.com

3 more botched Windows patches: KB 2803821, KB 2840628, and KB 2821895

Thursday, July 18th, 2013

Two Black Tuesday patches — MS 13-052 and MS 13-057 — and last month’s nonsecurity patch KB 2821895 cause a variety of problems

Microsoft’s patching problems have hit a new low, with three botched patches now in desperate need of attention. MS 13-052 is supposed to plug security holes in .Net Framework and Silverlight, but it has problems getting along with Configuration Manager 2012 and ConfigMgr 2007, as well as with plug-ins running under Microsoft CRM 2011. MS 13-057 causes black bands to appear at the top of Windows Media videos, and it still hasn’t been fixed — although Microsoft has finally acknowledged the problem. The KB 2821895 Windows 8/Windows RT patch causes false System File Checker reports and hangs; Microsoft acknowledges the problem in its KB article, but the patch is still available.

Somebody please tell me who is in charge?

I’ve been covering the vagaries of Windows patches for a decade, and I’ve never seen the situation deteriorate like this. Here are the highlights:

  • MS 13-052/KB 2840628, a critical patch rolled out the Automatic Update chute as part of last week’s Black Tuesday disgorge, is throwing out exceptions with plug-ins running under Microsoft CRM 2011. There’s a detailed explanation of the problem on the North52 blog. There are also known problems with Configuration Manager 2012 and ConfigMgr 2007. MyITForum documents one problem with ConfigMgr 2007 and two with ConfigMgr 2012. According to MyITForum, Microsoft has acknowledged the problems as “database replication between sites (CAS/Primary/Secondary) with SQL 2012 will fail” and “Software Update point synchronization may fail at the end of the sync process.” The knowledge base article has no mention of these problems. But it looks like Microsoft has pulled the patch: My Windows 7 and Windows 8 PCs don’t show it. However, there’s been no indication of how to fix the problems (aside from some “short time” kludges in the MyITForum article) or whether Microsoft will release a fix for the patch or a new version of the patch.
  • MS 13-057/KB 2803821 (for Windows 7) has been turning the top half of WMV videos black, either on encoding or decoding. As I reported last week, people running Adobe Premiere Pro CS6, Camtasia Studio 8.1, and Serif MoviePlus X6 had all reported problems, with a full description and fix offered by one burned customer on the day after the patch was released. It took five days after that fix appeared online, and four days after my article appeared, for Microsoft to acknowledge the problem in KB 2803821. But as I write this, the patch still appears in the Automatic Update queue, checked, ready to be installed on any Win7 machine that’s looking for updates.
  • KB 2821895, a Windows 8/Windows RT “servicing stack update” released in tandem with last month’s Black Tuesday patches, causes a lot of problems with the System File Checker. After installing the patch, running an sfc /scannow command freezes the computer for up to 10 minutes, then generates many bogus error messages about corrupted files it cannot fix. Microsoft’s recommendation is to run the DISM tool to repair Windows, when the only thing that’s broken is this botched patch. There’s been no fix to the patch, nor a new patch that I can find. If you installed this patch, there’s no way to uninstall it. More damning: Right now, KB 2821895 appears in Windows Update as an optional unchecked patch — Microsoft hasn’t even bothered to pull the patch.

Source: infoworld.com

Microsoft helped NSA circumvent its own encryption, report says

Friday, July 12th, 2013

Microsoft helped the U.S. National Security Agency circumvent the company’s own encryption in order to conduct surveillance on email accounts through Outlook.com, according to a report in the Guardian.

Microsoft-owned Skype also worked with U.S. intelligence agencies last year to allow them to collect video conversations through the service, according to the U.K. newspaper, citing secret documents. Microsoft also worked with the U.S. Federal Bureau of Investigation this year to allow easier access to its cloud storage service, SkyDrive, the Guardian reported.

Microsoft and Skype have both emphasized their privacy protections as a benefit of using their services. Microsoft has criticized Google’s privacy practices, saying in its Scroogled campaign that Google shares personal information on the Android mobile operating system with app developers.

Skype’s privacy policy reads: “Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content.”

Microsoft, in a statement, said it follows “clear principles” when responding to government demands for customer information.

“First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes,” the company said. “Second, our compliance team examines all demands very closely, and we reject them if we believe they aren’t valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks.”

Microsoft does not provide “any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product,” the company added. “There are aspects of this debate that we wish we were able to discuss more freely.”

The NSA routinely shares information it collects from Prism, its email and Web communications monitoring program, with the FBI and Central Intelligence Agency, the newspaper reported. One NSA document described Prism as a “team sport,” the Guardian said.

The NSA’s Prism program targets Internet communications of people outside the U.S., according to recent reports in the Guardian and other outlets. The U.S. Foreign Intelligence Surveillance Court has allowed the NSA to collect mass Internet communications when NSA officials believe that there is a 51 percent chance those communications come from outside the U.S., according to news reports.

A spokesman for the U.S. Office of the Director of National Intelligence didn’t immediately respond to a request for comments on the new report.

Source: computerworld.com

Microsoft adds business intelligence to Office 365

Monday, July 8th, 2013

Microsoft is adding a set of BI (business intelligence) tools to its hosted Office 365 service, including some capabilities not yet offered in stand-alone Microsoft software products.

Power BI for Office 365 “brings together our entire BI stack and offers it as a service,” said Eron Kelly, general manager for SQL Server product marketing.

Power BI will offer users what Kelly calls “self-service BI,” or “the ability for the end user closest to the business problem to bring together data and information.”

Microsoft will unveil this service at the company’s Worldwide Partner Conference (WPC) this week in Houston.

Office 365 already offers some BI capabilities. Office 365 ProPlus offers both Power View and Power Pivot through the online edition of Excel.

With this new service, users are given a landing page, provided by SharePoint, along with a catalog of data sources and a set of analysis tools. Excel serves as the starting point for analysis.

The data sources, chosen by an administrator, can be taken from either the organization itself, or from public data sources such as Wikipedia tables.

The user can load one or more data sources in an online Excel spreadsheet, and analyze them through a number of new tools.

One tool, called Power Query, formerly called Data Explorer, allows a user to pull external data into an Excel spreadsheet. A user, for instance, could create a spreadsheet from a Twitter feed, dividing the Twitter messages, dates, locations and users into separate columns.

Another tool, called Power Map, can place geographically coded data on a map, provided by Bing Maps. It could visually summarize, for instance, how many Twitter messages originated in each city in a country, indicating the number of messages by the height of a bar that rises above the location of the map. Power Map debuted as a beta Excel 2013 plug-in called GeoFlow.

Once a user creates a report, it can be published back to the organization’s data catalog, where others can view it. Microsoft is planning on releasing a Power BI mobile app for Windows 8 and iOS devices. Reports, which are published through Power View, can also be rendered in HTML5, in addition to Power View’s default Silverlight format.

Power BI will also come with a new natural language query engine. A user can type in a query into a search box, such as “How much revenue did product X generate last year?” and Power BI would return a graph, based on existing data, showing the revenue data for the past several years.

The natural language query engine “makes it easier for an average user who doesn’t know how to structure a proper SQL query,” Kelly said.

Pricing for Power BI has not yet been finalized, though it will be based on a per-user, per-month model. Microsoft did not set a date for general availability of the service.

Source: computerworld.com

Microsoft security bulletin advance notification for July 2013

Friday, July 5th, 2013

This is an advance notification of security bulletins that Microsoft is intending to release on July 9, 2013.

Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software
Bulletin 1 | Critical, Remote Code Execution | May require restart | Microsoft .NET Framework, Microsoft Silverlight
Bulletin 2 | Critical, Remote Code Execution | Requires restart | Microsoft Windows
Bulletin 3 | Critical, Remote Code Execution | May require restart | Microsoft Windows, Microsoft Office, Microsoft Visual Studio, Microsoft Lync
Bulletin 4 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer
Bulletin 5 | Critical, Remote Code Execution | May require restart | Microsoft Windows
Bulletin 6 | Critical, Remote Code Execution | May require restart | Microsoft Windows
Bulletin 7 | Important, Elevation of Privilege | Does not require restart | Microsoft Security Software

Excerpt from: microsoft.com