Microsoft have recently released a new “Outlook” email app on the iOS and Android mobile platforms. This app is a rebrand of the recently-purchased Acompli.
The user interface apparently is quite effective, mixing calendar and priority mail and allowing fast response to messages.
Unfortunately, at this stage in the app’s existence it takes some security shortcuts that are not ideal. All your email is copied into “the cloud” (this is a techno-marketing phrase that simply means “someone else’s computer” – and of course we should assume that “the cloud” will always be in a hostile legal environment, where government agencies from multiple countries will have free access to all your data). Worse, if you are accessing an Exchange service (i.e. University mail) your username and password are also stored in the cloud in order to make this work. The app doesn’t make this clear to users, and for some people that could represent a real problem.
More directly, this cloud-based login also actively violates the security policies that the University sets on Exchange email access. In order to protect University-owned data, devices that connect to Exchange are required to have local security policies like active screen locking, and to respond to remote wipe requests when they are reported stolen/missing. The current Outlook app does not apply these policies to the devices that use it, and although remote wipe might correctly remove data copied into the cloud, it doesn’t remove anything from the missing device. Worse, if you have multiple devices using this app, we can no longer wipe just the missing one; this app services them all from the same connection, and therefore a wipe affects all of them at the same time.
There has been a lot of press about this Outlook app recently – from the usability point of view it’s all positive, and from the security point of view it is all negative. Hopefully Microsoft will be able to put in some new development resources to help address these problems soon.
In the meantime, ISO recommend that you do NOT use this app with University email services.
I’ve posted before about external hard drives with built-in encryption. These devices have their own keypad to enter the password/decryption key. If you should happen to connect it to a computer infected with a keystroke logger, the key will not be revealed (although such a computer may have other malware installed on it!)
Wired have a four-way comparison of:
- Apricorn Aegis Padlock 3
- Rocstor Rocsafe MX
- Lenovo ThinkPad USB 3.0 Secure Drive
- DataLocker DL3
I’ve just returned from the excellent OWASP regional conference in Sydney (the one with the long name of OWASP AppSec AsiaPac 2012), where I presented “How MITMproxy has been slaying SSL Dragons“.
The presentation covered the basics of what MITMproxy is (a developers/pen-testers HTTPS interception/modification proxy), why such software is useful, and what MITMproxy itself is especially good at.
The section on how to use MITMproxy ran about 90% successfully over the live Internet, which is always a risk for a demo at a conference!
The slides are available here, as the original LibreOffice ODP format, or as a PDF. They are Copyright © The University of Otago, released under the CC By-SA 3.0 NZ license.
Screenshot of the Tails website
Tails is a Linux distribution that offers internet privacy by default, and comes as a live CD or live USB.
So you would insert the Live USB drive, restart the computer, and it would startup the Tails Linux Operating Sustem. You can encrypt any files you create with built-in tools, and any internet traffic is anonymised. When you’re done, shut down and remove the USB drive.
The concept is fantastic! There are far too many uses to list – from the noble and important goals of safeguarding communications within a repressive government, to simply protecting your privacy when using public WiFi (e.g. At a hotel, Starbucks or McDonalds).
It’s only version 0.10 at the moment (meaning there is a lot of work still to be done), but I’ll be following this closely. Check out the various ways you can support this project.
Technical Stuff: Astute readers will correctly note that you’re still vulnerable to hardware intrusions like keyloggers if you use untrusted hardware. Regardless, some protection (e.g. Tor network) of your activity is better than nothing. There are also various methods of avoiding keyloggers if you suspect hardware tampering – like using on-screen keyboards (incidentally, Tails ships with one).
The other concern is whether one can trust the Tails developers. To each their own.
At the LCA2012 conference earlier this year I presented “MITMproxy — use and abuse of a hackable SSL-capable man-in-the-middle proxy“.
The video of the talk is now available in a number of places :-
MITMproxy is a python-based console tool to help you inspect & alter the HTTP conversation between a client and a server, regardless of whether it is over HTTPS or not. “It is not an attack tool”, but instead is a powerful tool for debugging applications at either end of the conversation.
Giving a talk at an LCA conference is excellent fun, and very rewarding. I have 6 months to come up with my next submissions!