Tag: Security

  • The curious case of the Spotify squatter

    Yesterday, I was playing music on Spotify and it kept stopping because someone else was using my account… that’s not an uncommon occurrence as my kids are often using it but I didn’t think they were this time. After the usual squabble over “Play it here”, “No, play it here”, “No. Play. It. Here.”, I managed to listen to the tracks I wanted to hear.

    Then, this morning, I tried to sync some music to my Spotify account, only to find that my iPhone told me Spotify was being used on a complete stranger’s Phone!

    One quick password change later and I was sure no-one else was using it. I later removed all devices from my account and re-added them, just for good measure.

    Later in the day though, I noticed that all of my playlists were missing. I also saw that my activity stream showed a lot of music that I hadn’t listened to:

    These are not my songs!

    Someone else has definitely been using my account. Or at least that’s what Spotify thinks!

    I could live with the account activity but missing playlists were a big concern. Luckily, Spotify support pointed me to a link to recover playlists where, sure enough, I saw they had been deleted yesterday! It took a few visits to that link before all of my playlists were located and recovered but I seem to be back to where I was before the mix-up.

    Now, I don’t think that Spotify has been compromised – if someone had hijacked my account they would have changed my password and locked me out, surely? But I do suspect a database corruption. Spotify aren’t admitting anything is up, of course… but my trust in the service has been severely damaged.

  • Don’t waste time and money on third party security software: Windows Defender is just fine!

    So far in my “series” of Windows 10 posts, I’ve written about refreshing or resetting the PC (to get a clean configuration) and about getting an Office 365 Home subscription for some productivity apps but I skipped one area that many people are sold products for… security software.

    Actually, this is one of my major bug-bears. In the enterprise, I often see third party security products used but there’s only one reason I can see for that: management. Not just of the updates, but of quarantine for any infections that are caught.

    Unfortunately, in the consumer space anti-virus products are often foisted onto unsuspecting consumers. Both the PCs I’ve bought for family in recent years have come with McAfee products installed (removed soon afterwards) and high street PC shops/office suppliers/supermarkets will happily sell alternatives. I was particularly annoyed to see that, after my parents-in-law went to a local “PC specialist” (because they thought I was too busy), Microsoft Security Essentials had been removed (from their Windows 7 PC) and replaced by AVG. Now, don’t get me wrong, there’s nothing wrong with AVG, except that, the last time I used the free version, it kept nagging to be upgraded to a paid one – and there’s simply no need to clog up the system with third party apps like this.

    Reputable providers of consumer advice seem to be caught up in the trap too: I took a look at the Which? report for security software best buys and even their best free antivirus software guide doesn’t include the software built into the operating system – indeed it says:

    “Two programs could interfere with one another causing problems. If you are installing a third party piece of security software make sure you uninstall Microsoft Defender.”

    I’d put it a different way: don’t waste time and money on third party anti-virus software – just use Windows Defender!

    • Windows Defender scans for malicious software. The schedule for scans can be edited in Task Scheduler.
    • In Windows 10, Windows Defender is enabled by default. It will turn itself off if you install another antivirus application, but equally it can be left in place and will receive updates through the same mechanism as other Windows updates.
    • If Windows Defender finds a virus it can’t remove, it will prompt to download and run Windows Defender Offline. Once the download is complete, the PC will automatically restart into the recovery environment, where Defender will run a more complete scan and remove threats.

    Other security features built into Windows (avoiding the need for third party products) include Windows Firewall (which helps to protect a PC from damage caused by worms or hackers attacking across a network) and SmartScreen (a phishing and malware filter implemented in several Microsoft products including Internet Explorer, Microsoft Edge, and inside Windows).
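    Added example (not from the post): a check for the Windows Defender behaviour described above (enabled, real-time protection on, signatures current, scheduled scan present). It assumes Windows 10 with the built-in Defender module, an elevated prompt, and a made-up 3-day threshold for stale signatures.

```powershell
# Added example, not from the post: verify the Defender state the post describes.
# Assumes Windows 10 with the built-in Defender module and an elevated prompt.

function Test-DefenderState {
    [CmdletBinding()]
    param([int]$MaxSignatureAgeDays = 3)   # assumed threshold for "signatures are stale"

    $status   = Get-MpComputerStatus
    $prefs    = Get-MpPreference
    $findings = @()

    # Defender switches itself off when another antivirus product registers, so
    # this is the first thing to look at if the engine appears to be "off".
    if (-not $status.AntivirusEnabled) {
        $findings += 'Antivirus engine is not enabled (another AV product registered?)'
    }
    if (-not $status.RealTimeProtectionEnabled -or $prefs.DisableRealtimeMonitoring) {
        $findings += 'Real-time protection is off'
    }

    # Signatures arrive through Windows Update; a large age means updates are not flowing.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($status.AntivirusSignatureAge) days old (last: $($status.AntivirusSignatureLastUpdated))"
    }

    # The scheduled scan the post mentions is an ordinary Task Scheduler task.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' `
                -TaskName 'Windows Defender Scheduled Scan' -ErrorAction SilentlyContinue
    if (-not $task -or $task.State -eq 'Disabled') {
        $findings += 'Scheduled scan task is missing or disabled'
    }

    [pscustomobject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        LastQuickScan      = $status.QuickScanEndTime
        Findings           = $findings
    }
}

# Remediation, to run only when the findings call for it:
#   Update-MpSignature                 # pull the latest definitions now
#   Start-MpScan -ScanType QuickScan   # run a quick scan immediately
#   Start-MpWDOScan                    # reboot into Windows Defender Offline for the deeper scan

Test-DefenderState | Format-List
```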

    Find out more about the security settings in Windows 10 by searching for Security and Maintenance.

    Windows 10 Control Panel - Security and Maintenance

  • Getting to grips with Office 365 Message Encryption

    As part of my work this week with Exchange transport rules, I needed to recreate another facility that my customer has grown used to in Office 365 – the ability to selectively encrypt emails using keywords.

    This one turned out to be relatively straightforward – Office 365 Message Encryption has been around for a while now (it replaced Exchange Hosted Encryption) and I was able to use a transport rule to detect a phrase in the subject or body (“encrypt me please”) and apply Office 365 Message Encryption accordingly. I could equally have done this based on other criteria (for example, I suggest that any message marked as confidential and sent externally would be a good candidate).

    So, the rule is fairly simple:

    New-TransportRule -Name 'Encrypt email on request' -Comments ' ' -Mode Enforce -SubjectOrBodyContainsWords 'encrypt me please' -ApplyOME $true

    Office 365 Message Encryption needs Azure RMS

    The challenge for me was that I wasn’t creating it in PowerShell – I was using the Exchange Admin Center and the appropriate options weren’t visible. That’s because Office 365 Message Encryption needs Azure Rights Management Services (RMS) to be enabled, and it’s necessary to use the More Options link to expose the option to Modify the Message Security… from which it’s possible to Apply Office 365 Message Encryption.

    Unfortunately that still didn’t work and the resulting error message was:

    You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.

    It seems it’s not just a case of enabling RMS in the service settings. I also needed to run the following commands in PowerShell:

    Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"

    (that’s the European command – there are alternative locations for other regions listed in the post I used to help me)

    Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
    Test-IRMConfiguration -RMSOnline

    (check everything passes)

    Set-IRMConfiguration -InternalLicensingEnabled $true

    With RMS/Information Rights Management (IRM) properly enabled I could create the rule as intended.

    Customising the experience

    Testing my rule was easy enough, but it’s also possible to customise the portal that recipients go to in order to read the encrypted message.

    This is all done in PowerShell, with some simple commands:

    Get-OMEConfiguration provides the current Office 365 Message Encryption configuration and to set the configuration to meet my requirements, I used:

    Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content "markwilsonitlogo.png" -Encoding byte) -PortalText "markwilson.it Secure Email Portal" -EmailText "Encrypted message from markwilson.it"

    The tricky bit was working out how to provide the logo file: passing just the filename produces a PowerShell error, because the -Image parameter expects the file’s contents as bytes, so the Get-Content cmdlet (with -Encoding byte) has to be used to read the file.
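    Added example, not from the post or from Microsoft: the IRM enablement steps, the transport rule and the portal branding above, combined into one idempotent script. The rule uses the criteria suggested earlier in the post (messages marked confidential and sent externally) and starts in Audit mode; the session to Exchange Online, the EU key-sharing location and the rule name are assumptions.

```powershell
# Added example, not from the post: the OME setup as an idempotent script.
# Assumes an Exchange Online PowerShell session is already connected and the
# EU key-sharing location from the post; other regions use a different URL.

$keySharingLocation = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'

function Enable-TenantIrm {
    # The "IRM licensing is disabled" error corresponds to InternalLicensingEnabled
    # being $false, so the setup only runs when that is the case.
    if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
        Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingLocation
        Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
        Set-IRMConfiguration -InternalLicensingEnabled $true
    }
    # Prints a PASS/FAIL line per check; everything must pass before an
    # ApplyOME rule can be created.
    Test-IRMConfiguration -RMSOnline
}

function Set-OmeForConfidentialExternalMail {
    param(
        [string]$RuleName = 'Encrypt confidential external mail',   # assumed name
        [switch]$Enforce   # default is Audit: matches are logged, nothing is encrypted yet
    )
    $mode = if ($Enforce) { 'Enforce' } else { 'Audit' }
    if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
        Set-TransportRule -Identity $RuleName -Mode $mode
    }
    else {
        # Conditions are ANDed: recipient outside the tenant AND the sender marked
        # the message confidential or private (Outlook's Sensitivity header).
        New-TransportRule -Name $RuleName -Mode $mode `
            -SentToScope NotInOrganization `
            -HeaderContainsMessageHeader 'Sensitivity' `
            -HeaderContainsWords 'Company-Confidential', 'Private' `
            -ApplyOME $true
    }
    Get-TransportRule -Identity $RuleName |
        Format-List Name, State, Mode, SentToScope, HeaderContainsMessageHeader, HeaderContainsWords, ApplyOME
}

function Set-OmePortalBranding {
    param([string]$LogoPath, [string]$PortalText, [string]$EmailText)
    # Read the logo as raw bytes. This is what Get-Content -Encoding byte does in
    # Windows PowerShell; PowerShell 7 removed that encoding (it uses -AsByteStream),
    # so the .NET call works in both.
    $logo = [System.IO.File]::ReadAllBytes((Resolve-Path $LogoPath).Path)
    Set-OMEConfiguration -Identity 'OME Configuration' -Image $logo -PortalText $PortalText -EmailText $EmailText
    Get-OMEConfiguration | Format-List PortalText, EmailText
}

# Order matters: IRM first, then the rule (in Audit until the matches look right), then branding.
Enable-TenantIrm
Set-OmeForConfidentialExternalMail
Set-OmePortalBranding -LogoPath '.\markwilsonitlogo.png' `
    -PortalText 'markwilson.it Secure Email Portal' -EmailText 'Encrypted message from markwilson.it'
```

    Re-run `Set-OmeForConfidentialExternalMail -Enforce` once the message trace shows only the intended matches.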

    Further reading

    Office 365 Message Encryption (and decryption) – steps – understanding, purchase options, configuration, branding and use.

  • Public key infrastructure explained

    Last week, I was attending a presentation skills course where we had to give an impromptu presentation (well, we had an hour to prepare) on a topic of our choice. One of my colleagues, Richard Butler, gave his talk on public key infrastructure (PKI) and Richard was the first person who has explained PKI to me in a way that made me go “ah! got it!” because he used a great analogy.

    So, I’m going to attempt to repeat it here (with Richard’s permission)… and hopefully I’ll get it right!

    Richard’s first point was that PKI is thought of as a security tool, some technology, or something that’s needed to make the network secure. Actually, he suggests, there’s more to it than that…

    The first example Richard gives is one of a server certificate (used to ensure that a service can be trusted and that confidentiality is maintained), illustrated by way of border control.

    An airline passenger approaches a border (e.g. an immigration desk at the airport):

    1. The border is where the passenger expects it to be.
    2. A border guard wears a uniform, with an insignia (badge).
    3. The passenger recognises the insignia and trusts it as genuine.
    4. The passenger interacts with the border guard to negotiate entry to the country.

    A server certificate is similar because it’s presented to prove that the server is who they say they are and is trusted by users accessing its services. The certificate is issued by a certificate authority, just as the border guard’s badge is issued by a government agency.

    In Richard’s second example, a certificate is used to provide confidence that you are who you say you are, a process known as integrity or non-repudiation.

    1. As a citizen of a country, I request a passport from my government.
    2. The government validates my request.
    3. If my request is valid, a passport is issued.
    4. When visiting a foreign country, I present my passport at the border.
    5. The government of the foreign country trusts the government that issued the passport to have carried out the necessary background checks that confirm I am who I say I am.
    6. I’m authorised to enter the country.

    In this case:

    • The issuing government’s passport authority can be thought of as a certificate authority (CA) or issuing authority (IA) – it’s trusted by other countries to authorise passports.
    • The passport can be thought of as a validated “client” certificate – it is trusted, because the passport authority is trusted (i.e. there is a chain of trust).
    • The government in the foreign country can also be thought of as a certificate authority – it is trusted and authorises the immigration control.
    • As described in the first example, the border guard’s insignia can be thought of as a “server” certificate – it is trusted as the foreign country is trusted to issue certificates.
    • Humans apply logic to the approach and automatically make the appropriate assumptions and associations.

    In a public key infrastructure, there’s a hierarchy of certificate authorities:

    • The offline root CA signs requests for subordinate servers and holds the private key for the certificate root.
    • A networked, subordinate CA signs requests for clients, and holds its own private key.
    • A certificate distribution point stores the public keys for the root CA and the subordinate CA (used to validate requests). It also holds information about certificate revocation (to use the passport analogy, this might be where a citizen has been denied the right to travel, for example due to a pending prosecution).

    Using this PKI infrastructure a number of interactions take place:

    1. A device creates a signing request and sends it to a certificate authority.
    2. The CA receives the signing request, validates the request, and issues a certificate signed with its private key.
    3. The original device receives the signed certificate and stores it for future use as a client/server certificate.
    4. When a connection to a service is attempted, the connecting device receives a copy of the certificate and validates the name and signing CA using its public key. This validates the certificate chain and the certificate is proved to be valid.
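    Added example, not from the post or from Richard’s talk: a throwaway two-tier PKI (offline root, subordinate CA, server certificate) that walks through the four interactions above, then the checks a connecting device performs, including the name mismatch and rogue-issuer cases. It assumes Windows PowerShell 5.1 on Windows 10 or later (New-SelfSignedCertificate -Signer); all names are made up, everything is created in Cert:\CurrentUser\My and removed at the end.

```powershell
# Added example, not from the post: a throwaway PKI and the client-side checks.
# Assumes Windows PowerShell 5.1 on Windows 10 or later. Names are made up.

$store = 'Cert:\CurrentUser\My'
$caExt = '2.5.29.19={critical}{text}ca=true&pathlength=0'   # basicConstraints: this is a CA

# Offline root CA: holds the private key at the top of the chain.
$root  = New-SelfSignedCertificate -Subject 'CN=Example Offline Root' -CertStoreLocation $store `
           -KeyUsage CertSign, CRLSign -KeyLength 2048 -HashAlgorithm SHA256 `
           -NotAfter (Get-Date).AddYears(10) -TextExtension @($caExt.Replace('pathlength=0', 'pathlength=1'))
# Networked subordinate CA, its own certificate signed by the root.
$subCa = New-SelfSignedCertificate -Subject 'CN=Example Issuing CA' -Signer $root -CertStoreLocation $store `
           -KeyUsage CertSign, CRLSign -KeyLength 2048 -HashAlgorithm SHA256 `
           -NotAfter (Get-Date).AddYears(5) -TextExtension @($caExt)
# Interactions 1-3 for the device: in a real PKI the device generates the request
# and keeps the private key; -Signer does both halves here for brevity.
$server = New-SelfSignedCertificate -DnsName 'mail.example.test' -Signer $subCa -CertStoreLocation $store `
           -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)

# Interaction 4: what the connecting device checks. It has the chain the server
# presents and the root it was configured to trust. The root is deliberately NOT
# installed in Windows' trust store, so the anchor is checked by thumbprint instead.
function Test-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$PresentedChain,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$TrustedRoot,
        [string]$ExpectedHost
    )
    # Name check: the certificate must be for the host we meant to reach.
    $dnsName = $Leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedHost) { return "FAIL: certificate is for '$dnsName', not '$ExpectedHost'" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the throwaway CA publishes no CRL; a real one must be checked
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($c in $PresentedChain) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    [void]$chain.ChainPolicy.ExtraStore.Add($TrustedRoot)
    if (-not $chain.Build($Leaf)) {
        return "FAIL: chain did not build: $(($chain.ChainStatus | ForEach-Object Status) -join ', ')"
    }
    # Build() verified every signature up to some self-signed root. The final check
    # is whether that root is the one we trust, not just any root the server sent.
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($anchor.Thumbprint -ne $TrustedRoot.Thumbprint) {
        return "FAIL: chain ends at untrusted root '$($anchor.Subject)'"
    }
    return "PASS: $($chain.ChainElements.Count) certificates, anchored at '$($anchor.Subject)'"
}

# Genuine case: the leaf plus its issuing CA, validated against our root.
Test-ServerCertificate -Leaf $server -PresentedChain @($subCa) -TrustedRoot $root -ExpectedHost 'mail.example.test'
# Wrong host: a perfectly valid certificate, but not for the name we asked for.
Test-ServerCertificate -Leaf $server -PresentedChain @($subCa) -TrustedRoot $root -ExpectedHost 'www.example.test'
# Rogue issuer: a correct-looking chain for the right name from a CA we never trusted.
$rogue     = New-SelfSignedCertificate -Subject 'CN=Rogue Root' -CertStoreLocation $store `
               -KeyUsage CertSign, CRLSign -TextExtension @($caExt)
$rogueLeaf = New-SelfSignedCertificate -DnsName 'mail.example.test' -Signer $rogue -CertStoreLocation $store
Test-ServerCertificate -Leaf $rogueLeaf -PresentedChain @($rogue) -TrustedRoot $root -ExpectedHost 'mail.example.test'

# Remove the throwaway certificates and their private keys.
foreach ($c in @($server, $subCa, $root, $rogueLeaf, $rogue)) {
    Remove-Item -Path "$store\$($c.Thumbprint)" -DeleteKey
}
```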

    At the outset of this description, Richard explained that there is more to PKI than just a security tool, or some technology services. There’s actually a hierarchy of deployment considerations:

    • Private key protection. Private keys are critical to the ability to sign certificates and therefore crucial to the integrity of the chain of trust.
      • A chain is only as strong as its weakest link.
    • Management procedures:
      • Validation of requests (stopping fraudulent certificates from being issued).
      • Management of certificates (issuing, revocation, etc.)
    • Deployment procedures:
      • Deploying and managing the PKI infrastructure itself.
    • Technology choices:
      • Whose PKI infrastructure will be used?

    Drawn as a hierarchy (similar to Maslow’s hierarchy of needs), technology choices are at the top and are actually the least significant consideration. Whilst having a secure technical solution is important, having the procedures to manage it is more so.

    Richard wrapped up his presentation by summarising that:

    • PKI is 10% technology and 90% process.
    • Deployment is 10% of the solution and management is 90%.
    • PKI needs management from day one.

    If you do still want to know more about the technology (including seeing some diagrams that might have helped to illustrate this post if I’d had the time), there’s a Microsoft blog post series on designing and implementing PKI, written by the Active Directory Directory Services team. Other PKI solutions exist, but as many organisations have an Active Directory, looking at the Microsoft implementation is as good a place as any to start to understand the various technologies that are involved.

  • Short takes: Lync/Skype and browsers; Bitlocker without TPM; OS X Finder preferences; and MyFitnessPal streaks

    A few more short mini-posts from the items that have been cluttering my browser tabs this week…

    Lync/Skype for Business meetings start in the Web App

    A few days ago, a colleague highlighted to me that, whenever she joined a Lync meeting from our company, it opened in Lync Web App, rather than using the full client. Yesterday I noticed the same – I tried to join a call hosted by Microsoft and the Skype for Business Web App launched, rather than the Lync client installed on my PC. It turns out that this behaviour is driven by the default browser: mine is Chrome and my colleague was also using something that’s not IE. Quite why I’d not seen this before, I don’t know (unless it’s related to a recent update) but for internal Lync meetings I do tend to use the Join Online button in the meeting reminder – that doesn’t seem to appear for external meetings. Of course, you can also control which client is used by editing the URL

    Using Bitlocker on drives without TPM

    When my wife asked me to encrypt the hard drive on her PC, I was pleased to be able to say “no need to buy anything, we can use Bitlocker – it’s built into Windows”. Unfortunately, when I tried to enable it, I found that her PC doesn’t have a trusted platform module (TPM) chip. I was pretty sure I’d worked around that in the past, with a netbook that I used to run Windows 7 on and, sure enough, found a How To Geek article on How To Use BitLocker on Drives without TPM. It’s been a while since I had to dive into the Local Computer Policy but a simple tweak to the “Require additional authentication at startup” item under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives was all it took to let Windows encrypt the drive.
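    Added example, not from the post or from How-To Geek: the same policy change applied through the registry values that the Local Computer Policy item writes, followed by encrypting the drive with a start-up password (the option the wizard offers once the policy is set) and saving a recovery password off the encrypted disk. It assumes an elevated prompt on Windows 10 Pro; the function name and file name are made up.

```powershell
# Added example, not from the post: the no-TPM policy and encryption as one function.
# Assumes an elevated prompt on Windows 10 Pro. Supports -WhatIf so it can be previewed.

function Enable-BitLockerWithoutTpm {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:',
        [securestring]$StartupPassword,
        [string]$RecoveryKeyFolder   # a USB stick or network share, never the drive being encrypted
    )
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        Write-Warning 'A ready TPM is present; use Enable-BitLocker -TpmProtector instead.'
        return
    }
    # "Require additional authentication at startup" -> Enabled, with
    # "Allow BitLocker without a compatible TPM" ticked; these are the values
    # the BitLocker policy template stores for that setting.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if ($PSCmdlet.ShouldProcess($fve, 'Set BitLocker no-TPM policy')) {
        New-Item -Path $fve -Force | Out-Null
        Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Encrypt with start-up password')) {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -PasswordProtector -Password $StartupPassword -SkipHardwareTest
        # Add a recovery password straight away: without one, a forgotten start-up
        # password means the data is gone.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            Select-Object KeyProtectorId, RecoveryPassword |
            Out-File (Join-Path $RecoveryKeyFolder "BitLocker-$($env:COMPUTERNAME).txt")
    }
    Get-BitLockerVolume -MountPoint $MountPoint |
        Format-List VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
}

# Preview first, then drop -WhatIf to run for real:
# Enable-BitLockerWithoutTpm -StartupPassword (Read-Host 'Start-up password' -AsSecureString) `
#     -RecoveryKeyFolder 'E:\' -WhatIf
```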

    Finding my files in Finder

    One of the challenges I have with the Mac I bought a few months ago, is that modern versions of OS X seem to want to hide things from me. I’m a “browse the hard drive to find my files” kind of guy, and it took a tweak to the Finder preferences to show my Hard Disk and bring back the shortcut to Pictures.

    MyFitnessPal streak ends – counter reset

    Last weekend some connectivity issues, combined with staying away with friends meant I missed the cut-off for logging my food/exercise with MyFitnessPal and my “streak” was reset (i.e. the login counter). Knowing that I’ve been logging activity for a certain number of days is a surprisingly motivational piece of information but it turns out you can get it reset using the counter reset tool (which even predicted how many days the value should be – 81 in my case).

  • Confusion over accounts used to access Microsoft’s online services

    I recently bought a new computer, for family use (the Lenovo Flex 15 that I was whinging about the other week finally turned up). As it’s a new PC, it runs Windows 8 (since upgraded to 8.1) and I log in with my “Microsoft account”. All good so far.

    I set up local accounts for the kids, with parental controls (if you don’t use Windows Family Safety, then I recommend you do! No need for meddling government firewalls at ISP level – all of the major operating systems have parental controls built in – we just need to be taught to use them…), then I decided that my wife also needed a “Microsoft account” so she could be registered as a parent to view the reports and over-ride settings as required.

    Because my wife has an Office 365 mailbox, I thought she had a “Microsoft account” and I tried to use her Office 365 credentials. Nope… authentication error. It was only some time later (after quite a bit of frustration) that I realised that the “Organization account” used to access a Microsoft service like Office 365 is not the same as a “Microsoft account”. Mine had only worked because I have two accounts with the same username and password (naughty…) but they are actually two entirely separate identities. As far as I can make out, “organization accounts” use the Windows Azure Active Directory service whilst “Microsoft accounts” have their heritage in Microsoft Passport/Windows Live ID.

    Tweeting my frustrations I heard back from a number of online contacts – including journalists and MVPs – and it seems to be widely accepted that Microsoft’s online authentication is a mess.

    As Jamie Thomson (@JamieT) commented to Alex Simons (@Alex_A_Simons – the Programme Director for Windows Azure Active Directory), if only every “organization account” could have a corresponding “Microsoft account” auto-provisioned, life would be a lot, lot simpler.

  • Short takes: cyber security; stock images; PowerPoint presenter view; smart TVs, iPads and YouTube

    Lots of ideas for blog posts this week but limited time to commit pen to paper, or fingers to keyboard for that matter. Here are the highlights of what might have been…

    Cyber security

    Last year, I assisted one of the lecturers at University College London (UCL) with some “expert” opinion on the bring your own device phenomenon, for a module as part of the MSc course in Human Computer Interaction. It seemed to go reasonably well and I was invited back to speak on this year’s topic – cyber security.  I can’t claim to be an expert, but I could present some supplier-side views on the UK Government’s “10 steps to cyber security” advice which seems very sensible but is also based on aspirational and tactical solutions which could be costly to implement in full, so need to be considered with an understanding of the relative risks and an eye to the future.

    For anyone who’s interested, my presentation is available for viewing/download on SlideShare, although it’s very visual – full narrative is available in the notes.


    Searching for good images

    I’m a fan of full-page images on slides and limited text. I find it keeps the audience engaged and listening to the presenter, rather than reading pages of bullet points. The down side is that it can be very time consuming to find the right images, especially without access to an account at a good stock library.

    As my presentation to UCL was as an individual, not representing my employer, I was able to use images licensed for non-commercial use under Creative Commons and Compfight is a great tool for searching Flickr for these. I’ve attributed all of the photographers used in the deck above, and if you don’t have access to iStockPhoto, Fotolia, etc. then this can be a good way to find images.

    PowerPoint Presenter View

    I’ve blogged before about PowerPoint’s presenter view and I’m amazed that more people don’t use it (although, the people who don’t are generally fans of dull corporate decks with lots of bullet points – yawn!). Somehow though, my PC had reverted to not using it, and I needed to Google to find where the option is in the PowerPoint 2007/2010 ribbon! In the end, it was this Cybernet News post that showed me the important option: on the Slide Show tab, in the Monitors section.

    YouTube smart TV and mobile apps

    I wanted to re-watch a presentation that I’d missed last year and that I knew was on YouTube. Given that it was nearly an hour long, I thought the comfort of my living room would be a good place to do this, using the YouTube app on my smart TV. It was. At least until I lost the stream part way through and the Samsung YouTube app refused to play ball with the fast forward control. Another annoyance was that the “Watch Later” functionality in YouTube isn’t recognised by the a-little-bit-dumb app on the “smart” TV, so I needed to add the video to another playlist first.

    Eventually, I finished up watching the second half of the video on my iPad. Here, again, it’s useful to know that the built-in iOS YouTube app is feature light and that there is a newer version available from Google in Apple’s AppStore.

  • More retail banking security theatre

    Yesterday, I bought a new suit. Nothing remarkable there but I paid on my Lloyds TSB Duo Avios credit card. A card that I will shortly be cutting into little pieces because it’s useless to me if the bank declines transactions on an apparently random basis…

    You see, I also wanted an extra pair of trousers and they were out of stock. The very helpful guy at John Lewis went through the online order process, I supplied my credit card details and all was good. Then we went to the till and paid for the suit jacket and first pair of trousers.

    The £250 transaction for the suit went through OK but a short while later I was called by John Lewis to say that the £80 order for the trousers placed a few minutes earlier had been declined.  That seemed strange – especially as it was placed before the larger transaction (I’d expect the large one to be declined if there was some sort of anti-fraud flag triggered by a small purchase and then a large one) so we tried again. No joy. Declined by the bank. So I supplied some different card details and all was OK.

    I was annoyed. I use multiple credit cards for good reasons but at least I had been able to use a different card even if that does mean that my personal and business transactions are mixed up. Fast forward to this morning and I was incensed.

    Sunday morning, 10am: enjoying a rare lie-in whilst the kids are away; the phone rings – it might be my in-laws and it might be important, so I answer.

    “This is an automated anti-fraud call from Lloyds TSB…” (or similar). I’m angry now, but I comply with the whole process as I think I might be charged twice for my trousers.  This process involved:

    • Confirming that I was (imagine robotic voice) “Mr Mark Wilson”. 1. Yes, that’s me.
    • Confirming my year of birth. Not exactly a secret, especially not to anyone who might answer my home phone.
    • Confirming my day and month of birth. Again, public information, and known to all in my household.
    • Listening to some details of some possibly fraudulent transactions: two declined for £80 and one approved for £250; both flagged as Internet purchases at John Lewis, a “grocery or supermarket” retailer. Not much help there as John Lewis is a department store (Waitrose is their supermarket brand) and clearly store transactions are incorrectly flagged as Internet purchases – which means the information is unreliable at best and confusing if it had been a different retailer with whom I was less familiar.
    • Confirming I had made those transactions. Tempting to say no but that would be fraudulent. I said 1 for yes, anyone in the house who answered my phone could have answered anything…
    • Supplying my mobile phone number for future anti-fraud calls (I probably didn’t supply it in the first place because I was concerned they would use it for marketing…). Well, at least my mobile is more immediate, and more secure than the home phone (only I use it).

    Pure security theatre.

    I can understand the banks wanting to reduce fraud – it costs them millions. But my account has a significantly larger credit limit than transactions I attempted in John Lewis yesterday and they could go a lot higher before declining transactions and inconveniencing me as a customer. I can see some patterns that might have flagged the anti-fraud systems but not the sense in declining the first and third transactions yet accepting the second (larger) one. It’s possible that John Lewis stored my card details and applied them after a short delay but, even so, I’d think it’s pretty common for people to make in-store transactions and place orders through the retailer’s online channel at or around the same time (in scenarios like the one I described).

    I’ll make the most of the interest-free period until my next bill, pay in full (as always) and then I’ll be closing my account with Lloyds TSB. “Security” that stops me using my cards when I want to, and disturbs my privacy at home (with an automated call using publicly-available information!) is “security” I can do without…

  • McAfee, Internet Explorer and a lack of quality control at Toshiba

    Last week, I wrote about helping my father-in-law to ensure that the insurance company wasn’t fleecing him whilst replacing his stolen laptop.  His new machine (a Toshiba Satellite C855-12G) arrived this week (although it appears to be a discontinued model, which is presumably the reason it was discounted…) and I’ve spent part of the evening on family IT support duty getting it set up for him.

    Unfortunately, I also found that the webcam is faulty (at least, neither Toshiba’s webcam application, Windows Device Manager nor Skype can see it, despite having downloaded the latest drivers from the Toshiba website), suggesting that Toshiba’s quality control is pretty shoddy (this doesn’t appear to be an isolated incident – see link 1, link 2, link 3). Back in the day, Toshiba was a respected notebook PC brand but I guess I should have insisted on Lenovo, Samsung or Dell…

    Anyway, the real purpose of this post was to record some of the issues (and resolutions) that I found whilst removing the “crapware” from this new PC. To be fair, I’ve seen worse and the main thing to remove (apart from a non-English version of Windows Live Essentials) was McAfee Internet Security.  It never ceases to amaze me how many people will shell out cash for this type of application when there are perfectly good free alternatives, so I replaced it with Microsoft Security Essentials.

    Unfortunately the McAfee uninstaller wouldn’t run, displaying an Internet Explorer-esque “Navigation was cancelled” screen (but without any chrome). As Skype was also having problems adding contacts, I started to suspect something was blocking web traffic and that hunch turned out to be valid. Disabling Internet Exploder 9’s Content Advisor did the trick. How anybody can use it is beyond me (I had to enter a password four times just to switch from Windows Update to Microsoft Update) but, once Content Advisor was disabled, both Skype and the McAfee uninstaller worked as they should.


  • Network access control does its job – but is a dirty network such a bad thing?

    Earlier this week, I was dumped from my email and intranet access (mid database update) as my employer’s VPN and endpoint protection conspired against me. It was several hours before I was finally back on the corporate network, meanwhile I could happily access services on the Internet (my personal cloud) and even corporate email using my mobile phone.

    Of course, even IT service companies struggle with their infrastructure from time to time (and I should stress that this is a personal blog, that my comments are my own and not endorsed by my employer) but it raises a real issue – for years companies have defended our perimeters and built up defence-in-depth strategies with rings of security. Perhaps that approach is less valid as end users (consumers) are increasingly mobile and what we really need to do is look at the controls on our data and applications – perhaps a “dirty” network is not such a bad thing if the core services (datacentres, etc.) are adequately secured?

    I’m not writing this to “out” my employer’s IT – generally it meets my needs and it’s important to note that I could still go into an office, or pick up email on my phone – but I’d be interested to hear the views of those who work in other organisations – especially as I intend to write a white paper on the subject…

    In effect, with a “dirty” corporate network, the perimeter moves from the edge of the organisation to its core and office networks are no more secure than the Wi-Fi access provided to guests today – at the same time as many services move to the cloud. Indeed, why not go the whole way and switch from dedicated WAN links to using the public Internet (with adequate controls to encrypt payloads and to ensure continuity or service of course)? And surely there’s no need for a VPN when the applications are all provided as web services?

    I’m not suggesting it’s a quick fix – but maybe something for many IT departments to consider in adapting to meet the demands of the “four forces of IT industry transformation”: cloud; mobility; big data/analytics and social business?

    [Update: Neil Cockerham (@ncockerh) reminded me of the term “de-perimeterisation” – and Ross Dawson (@rossdawson)’s post on tearing down the walls: the future of enterprise tech is exactly what I’m talking about…]