Microsoft’s iOS and Android Outlook app

Wednesday, February 4th, 2015 | Jim Cheetham | Comments Off

Microsoft have recently released a new “Outlook” email app on the iOS and Android mobile platforms. This app is a rebrand of the recently-purchased Acompli.

The user interface apparently is quite effective, mixing calendar and priority mail and allowing fast response to messages.

Unfortunately, at this stage in the app’s existence it takes some security shortcuts that are not ideal. All your email is copied into “the cloud” (this is a techno-marketing phrase that simply means “someone else’s computer” – and of course we should assume that “the cloud” will always be in a hostile legal environment, where government agencies from multiple countries will have free access to all your data). Worse, if you are accessing an Exchange service (i.e. University mail) your username and password are also stored in the cloud in order to make this work. The app doesn’t make this clear to users, and for some people that could represent a real problem.

More directly, this cloud-based login also actively violates the security policies that the University sets on Exchange email access. In order to protect University-owned data, devices that connect to Exchange are required to have local security policies like active screen locking, and to respond to remote wipe requests when they are reported stolen/missing. The current Outlook app does not apply these policies to the devices that use it, and although remote wipe might correctly remove data copied into the cloud, it doesn’t remove anything from the missing device. Worse, if you have multiple devices using this app, we can no longer wipe just the missing one; this app services them all from the same connection, and therefore a wipe affects all of them at the same time.

There has been a lot of press about this Outlook app recently – from the usability point of view it’s all positive, and from the security point of view it is all negative. Hopefully Microsoft will be able to put in some new development resources to help address these problems soon.

In the meantime, ISO recommend that you do NOT use this app with University email services.

Phone-to-email Spam

Wednesday, November 26th, 2014 | Jim Cheetham | Comments Off

Can I send you an email?

In the last few months there has been a rise in “pretexting” phone calls from legitimate marketing organisations, probably in response to anti-spam legislation around the world.

The usual script is an unsolicited phone call from a real live human, asking for permission to use your email address in order to send you some marketing material, usually described as a “White Paper”.

The calls are often made over a low-quality connection (i.e. cheap VoIP) and come from non-native English speakers (a kind way to suggest “offshore call centres”). However, they do generally respond well to a polite “No thanks” as an answer, and to requests to not be called again in the future. If permission is given the eventual email usually represents a legitimate trading company of some sort.

All in all, no real problem.

I have a business opportunity for you!

However, we’re beginning to hear of the same approach being used by spammers, particularly of the advance-fee fraud variety. A small amount of research (i.e. get your name and job title from a website), a hacked VoIP system (which lets them call anywhere in the world for free), and a fresh email address from one of the big free webmail providers potentially gives these criminals a much more direct line to your mailbox and your attention.

This is a particular worry because it won’t be long before these techniques are used for distributing fresh malware – you receive a difficult-to-understand phone call from someone with urgent information to send to you, and a couple of minutes later in comes the email, along with a juicy PDF attachment. Would you resist the temptation to click? How can you tell the difference between an attack, and a real foreign student or academic trying to work with the University?

(Some of you reading this might suddenly realise that you already open too many attachments without stopping to check fully the source!)

What should you do?

The best defence if you are unsure would be to check with your colleagues, see what they think; to check with your IT support; or to ask the ITS Information Security Office for an opinion.

If you don’t have an opportunity to get a second opinion, you have a few technical opportunities to reduce the risk. Firstly, wait a while … come back to the message in a couple of hours time. If the message came out of hours, just don’t open it until you are back at work. Remember that just because it seems to be urgent to someone else it is not necessarily urgent to the University!

Instead of just opening the attachment, ask your anti-virus software to scan it. This is best combined with the “wait a while” approach – if this is a new malware sample (there are tens of thousands per day automatically created), give your AV software time to get an update from the vendor.

Finally, open the attachment in an unusual program. For example, malware PDFs often only successfully attack Adobe Acrobat Reader, so if you have a different PDF reader available you could use that. Instead of opening untrusted attachments with Microsoft Word, open it with a copy of Libre Office. If your job role means that you will be receiving unsolicited attachments regularly, get your IT support to help you install these alternatives.

Finally, if you are in any doubt, leave the file alone and refer the whole thing to the Information Security Office. We can check a lot more details to find out what is going on, and we really don’t mind being asked.

TrueCrypt & file encryption

Thursday, June 26th, 2014 | Jim Cheetham | Comments Off

TrueCrypt is dead

We used to recommend TrueCrypt as an effective file encryption solution, suitable for exchanging data sets over untrusted networks as well as for medium-term offline storage or backups.

Unfortunately, over the last few weeks it has become clear that the TrueCrypt authors have withdrawn their support for the product; and while the source code is available (and is actively being audited), it is not Open Source licensed, and should not be used in the future. TrueCrypt is effectively dead.

What should I do?

What does this mean for people who are currently using TrueCrypt? I’d recommend that you migrate your data out of TrueCrypt and into some other format; not in a rush, because there are no currently-known attacks or vulnerabilities in the product, but in a well-planned way. You should not start any new storage schemes using TrueCrypt.

What alternatives are there?

There doesn’t seem to be any useable and “free” software that does everything that TrueCrypt did, but most people we talk to don’t actually need all of those features at the same time anyway.

We are currently recommending the 7z archive format with AES encyption as a solution to :-

  • Cross-platform support
  • Protection in transit (email, dropbox, etc); sharing
  • Medium-term storage on untrusted media

Please be aware that University-owned data should always be accessible by the University itself; so if the only copy of your data is encrypted in this way, the passphrase used as the key needs to be made (securely) available to the appropriate people (usually your employment line management).

7z?

7z is the file format originally implemented by the Open Source 7-Zip file archiver, it is publicly described and there are now multiple software implementations available. It is currently regarded as the ‘best’ performing compression software available. Read more on the Wikipedia entry. Command-line users might like the p7zip implementation, packaged in Debian and the EPEL repository for RedHat.

7z applications usually do not use encryption by default; make sure that you select this option for secure storage.

 

Keep an ear out for this – vishing

Thursday, May 1st, 2014 | Mark Bedford | Comments Off

The security firm PhishLabs has released some interesting research on a new type of phishing attack involving Voice over Internet Protocol (VoIP). Seems the bad guys send a SMS text message to unsuspecting users advising them that their debit card has been deactivated and advising them to enter their card number and PIN to reactivate it.

So far this has only been seen in the United States and has yet to make it to our shores. It will come just as those nasty irritating hoax Microsoft support calls eventually showed up.

So knowing that this type of attack is in use means that you can have the upper hand, before you reply with your credentials consider, have you actually given you mobile number to your bank, contact your bank using the number from the phone book advising them that you have received such a message (don’t delete the message as it maybe be helpful in pursuing the offender).

Could this happen in NZ

Aside

While scanning my security news feeds I came across this article from azcentral.com which caused me to wince a little. It seems that the Maricopa County Community College District could be spending around $17.1 million, with most of it going on lawyers and services to the millions of people whose personal data was exposed.

The article cites that a breach in 2011 was never addressed properly and this lead to the more costly 2013 event. During April 2013 a server was compromised exposing Social Security numbers and banking information for 2.4 million current and former students and staff from as long as 30 years ago.

Thursday, November 21st, 2013 | Mark Bedford | Comments Off

Well it is hard to believe that we are well into November and what a month it has been. With the recent Adobe password debacle where 150 million email addresses, their password hashes and the hints were exposed on the internet. Then there was Kiwicon, the New Zealand hacker conference in Wellington, where “AmmonRa” took us for a ride.

With the Christmas shopping season just around the corner many will be purchasing online and there are the usual reminders. Things to watch out for are nicely organised in this SANSĀ article by Lenny Zeltser.

While you are shopping, perhaps this Microsoft blog article from Holly Stewart will encourage you to finally ditch your old XP computer. A couple of noteworthy points in the article are that XP is six times more likely to get infected than Windows 8, and when XP service pack 2 went out of support there was a huge disparity of infections as much as 66% higher than the supported XP service pack 3. So plan now to buy your Windows 8 replacement computer before it gets infected.

 

Fake Dropbox password reset

Wednesday, October 23rd, 2013 | Mark Bedford | Comments Off

There are reports of a recent spam campaign that tries to deceive Dropbox users in to resetting their passwords but instead leads to malware. Dropbox, which is a popular cloud storage service who sometimes do in fact reset users’ passwords when they haven’t been changed for a while. They DON’T send an advisory email though, instead at their website they require a password reset before linking a new computer, phone, tablet, or API app on their web site.

The spam has quite a convincing message along the lines of

Hello <user>
We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven;t changed long time already. Your old password has expired and you’ll need to create a new one to log in.

Please visit the page to update your password

Clicking on the link takes the user to a suspicious looking page hosted in the .ru (Russian domain) that tries to pass itself off as a Microsoft site with several downloads for non Microsoft browsers. All very suspicious.

So if you had followed our tips on how to detect phishing emails you would have caught on to their ruse and saved yourself some grief.

Patching Java

Monday, October 21st, 2013 | Mark Bedford | Comments Off

Oracle have settled on a quarterly patch period for not only their database products but also Java. I have yet to decide if this is good or bad as I really would like to see a shorter update period to reduce to time that the unpatched vulnerability exists in the wild. The release notes are here for 7u45

The schedule is
14 January 2014
15 April 2014
15 July 2014
14 October 2014

Cyber Attackers Access 72,000 Confidential Employee Details

Thursday, August 1st, 2013 | Mark Bedford | Comments Off

The University of Delaware was on the 22nd July the recipient of a criminal attack on one of its systems. The criminals were able to steal files that contained 72,000 names, addresses and other personally identifiable information for past, present and student employees. The University is working with the Federal Bureau of Investigation and Mandiant to determine the scope of the attack after having taken immediate corrective action. The University has indicated that the attackers used a vulnerability in software acquired from an unnamed vendor.

Oracle releases Java updates

Wednesday, June 26th, 2013 | Mark Bedford | Comments Off

Oracle Fixes 40 Vulnerabilities in Java.
On Tuesday, June 18, Oracle issued a Critical Patch Update for Java 7 for Mac and for Windows. There are 40 security issues fixed as well as enabling online certificate revocation checking by default. On the same day, Apple issued an updated version of Java 6 for OS X Snow Leopard, Lion, and Mountain Lion. Snow Leopard users cannot upgrade to Java 7.

http://krebsonsecurity.com/2013/06/critical-update-plugs-40-security-holes-in-java/
http://www.scmagazine.com//oracle-releases-java-update-to-close-37-high-risk-vulnerabilities/article/299264/
http://www.computerworld.com/s/article/9240173/Java_7_Update_fixes_40_security_issues_turns_on_certificate_revocation_check?taxonomyId=17
http://www.computerworld.com/s/article/9240171/Apple_pours_OS_X_Snow_Leopard_another_Java_fix?taxonomyId=17

 
 
 

Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.