Sunday, March 31, 2013

Happy Easter! "Khrystos Voskres!"


"Khrystos Voskres!"

(Christ is Risen!)






"Voistyno Voskres!"


(He is Truly Risen!)




Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Friday, March 29, 2013

SkyDrive Security


SkyDrive

Do you use SkyDrive only for storing photos and miscellaneous files?  What about important correspondence or files containing personal information?  What about sensitive files such as tax returns or copies of bank statements?

The question about sensitive information was raised in the comments of my article Moving to SkyDrive regarding the security for sensitive files on SkyDrive:
"Is Skydrive suitable as a place to sync/save sensitive information (e.g. tax/financial records) or is it just really for things like photos, unimportant Office files etc? It would make things simpler for me if I could use Skydrive to sync all my files including the sensitive ones, but I am hesitating on security grounds."
In retrospect, my immediate reaction to the question was short-sighted:
"Short answer: Yes, sensitive documents (e.g. tax/financial records) saved to SkyDrive are secure. The only way to access those files is by secure logon with your Microsoft Account.

That raises the reminder of ensuring that a strong/unique password is used for your Microsoft Account. For additional information regarding a strong password, see Password Generator & Checker | How Secure is my Password.

Additionally, regardless of whether anyone uses SkyDrive or not, I strongly recommend taking the steps to protect your account. This article written for "Hotmail" equally applies to the revamped Outlook.com: Hotmail Security to Protect and Recover Your Account ~ Security Garden."
Why, after reconsideration, do I consider my response short-sighted?  Let's take a closer look at transporting and accessing files on SkyDrive.

Transporting Files to SkyDrive

When saving your files to SkyDrive, the method used for transport encryption of your data from your computer to SkyDrive is called Secure Socket Layer, or SSL.  SSL protocol uses standard key cryptographic techniques for the communication session between the client (your computer) and server (SkyDrive).

Thus, during transit from your computer to SkyDrive, your data is protected from interception and is reachable and readable only on SkyDrive. However, it is important to consider that SkyDrive does not include any additional encryption on the files after being uploaded.

Update 06Dec2013:   Please see this important information by Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft, about plans to strengthen the encryption of customer data across Microsoft networks and services. Protecting customer data from government snooping.

Accessing Files on SkyDrive

The default setting of files saved from your computer to SkyDrive is set to "only me".  Thus, no one can view your files and documents without your consent unless you intentionally select the folder and change the setting. (See this Microsoft help document for instructions on how to Share files and folders and change permissions.)

In other words, the only way to access the files set to "only me" is by logging on to SkyDrive with your Microsoft Account.  But, what if your Microsoft Account is compromised or if you inadvertently change the setting to public?

Another situation that could compromise the security of sensitive information is that anything uploaded via a mobile device is automatically stored in the Mobile uploads folder.  Fellow Microsoft MVP, Richard Hay, discovered recently that the Mobile uploads folder in the SkyDrive cloud storage is set by default as Shared with Friends.  The default setting can be changed by logging on to your SkyDrive account via your browser.

Securing Sensitive Files

There should be no concerns about security of your files stored in a private folder on SkyDrive, accessible only by you when you logon with your Microsoft Account.  However, for sensitive files, you may want to add an additional layer of protection to those files.

The easiest method is password protecting Microsoft Office files, illustrated in this Office support document:   Protect your document, workbook, or presentation with passwords, permission, and other restrictions.
Important:  Be careful to note somewhere offline the password used to protect your Office files.  There is no way that Microsoft can help you retrieve forgotten passwords.

Ben Herila of Microsoft provided additional methods of protecting your data on SkyDrive in his post in How secure are files on SkyDrive?:
"Some examples of methods that will protect your data on SkyDrive include: 
  • Password protected RAR or 7Z archives
  • Password protected Office 2010+ documents or 
  • PDF documents with AES-256 encryption PGP-encrypted files"
For particularly sensitive information, I suggest you read both How secure are files on SkyDrive? and Microsoft account, Hotmail, SkyDrive.


~   ~   ~   ~   ~   ~

This program has been discontinued. As a SkyDrive Insider, I am excited to share information about SkyDrive.  If you have a question about this post, please leave a comment and I'll do my best to assist.

Learn more about the SkyDrive Insiders program here.

References



Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Monday, March 18, 2013

Windows 7 Service Pack 1 (SP1) Added to Automatic Update


Windows 7

Service Pack 1 (SP1) for Windows 7 was released over two years ago.  Yet, there are many home computers that do not yet have it installed.

Windows 7 SP1 is a collection of security patches and non-security fixes, it also includes client-side support for RemoteFX and Dynamic Memory.  More importantly, Windows 7 computers without SP1 installed reach "end of support" on April 9, 2013.

Due to the importance of Windows 7 SP1, it is being added to Automatic Updates starting March 19, 2013.

How to Determine if You Need SP1

Many Security Garden readers are comfortable moving around their computer, but others are not as experienced.  For those readers who have no idea whether SP1 has been installed on their computer, here is how to find out.
  1. Click Start and in the search box type winver

    winver
  2. Double-click winver.exe in the Programs list in the search results.
  3. About Windows will open.  Look for Service Pack 1 as highlighted in this image:

    About Windows













If you see Service Pack 1, you are all set. On the other hand, if SP1 is not installed, it is very important to get it installed.

Installing Windows 7 SP1

In addition to the information provided in the Microsoft help document Learn how to install Windows 7 Service Pack 1 (SP1), linked below, note the following additional suggestions:
  1. Make sure your computer is malware free.  Run an updated scan with your antivirus and anti-malware software program.
  2. Back up important files to an external location (USB, CD, DVD, etc.)
  3. Some security programs may interfere with the installation so it is suggested that you temporarily disable them.  Do not disable your Firewall.  If you are unsure how to disable your security software, see the instructions in How to disable your security applications  at the Tech Support Forum
  4. If you are using a laptop, be sure to be plugged in to an electrical outlet rather than a wireless connection.

Problems Installing SP1 or other Windows Updates

In the event you have a problem installing the Service Pack, download and run the System Update Readiness Tool (SURT).  Have patience because the tool may take as long as an hour to run. 

Windows 7 32-bit (x86)

Windows 7 64-bit (x64)



Note:  To determine whether you have a 32-bit or 64-bit operating system do the following:
  1. Click Start and type system in the search box.
  2. Click system in the Programs list.
  3. The operating system will be displayed as either a 32-bit Operating System or a 64-bit Operating System.
    If, after running  SURT, you are still unable to install SP1, expert help is available at Sysnative.  Register for a free account and follow the instructions in the Windows Update Forum Posting Instructions topic.

    References 



    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Tuesday, March 12, 2013

    Microsoft Security Bulletin Release for March 2013


    Microsoft released seven (7) bulletins.  Four bulletins are identified as Critical with three bulletins rated Important.

    The critical bulletins address 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Server Tools, and Silverlight.  The bulletins rated Important address issues in Microsoft Windows and Office.

    With today's Windows Update, Internet Explorer 10 in Windows 8 and Windows RT is being updated to enable Flash content to run by default. On Windows 8, all Flash content continues to be enabled for IE on the desktop. Additional information is available in the IE Blog post, Flash in Windows 8.

    Included in updates today is an update addressing an issue in the Kernel-Mode Drivers where an attacker could own your machine by inserting a malicious USB device.  In this scenario, logging on to the machine is not required.  Additional details about the update are available in the below-linked MSRC Blog post.

    Bulletin NumberBulletin TitleBulletin KB
    MS13-021Cumulative Security Update for Internet Explorer 2809289
    MS13-022Vulnerability in Microsoft Windows 2814124
    MS13-023Vulnerability in Microsoft Office 2801261
    MS13-024Vulnerabilities in Microsoft Office 2780176
    MS13-025Vulnerability in Microsoft Office 2816264
    MS13-026Vulnerability in Microsoft Office 2813682
    MS13-027Vulnerabilities in Microsoft Windows 2807986

    Support

    The following additional information is provided in the Security Bulletin:

    References





    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Critical Adobe Flash Player and Adobe AIR Update



    Adobe Flash Player was updated today to address critical security vulnerabilities.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
    With today's Windows Update, Internet Explorer 10 in Windows 8 and Windows RT is being updated to enable Flash content to run by default. On Windows 8, all Flash content continues to be enabled for IE on the desktop. Additional information is available in the IE Blog post, Flash in Windows 8.


    Update Information

    The newest versions are as follows:
    Windows and Macintosh:  11.6.602.180
    Linux: 11.2.202.275
    Android 4x:  11.1.115.48
    Android 3x and lower:  11.1.111.44
    Adobe AIR 3.6.0.6090

    Release date: March 12, 2013
    Vulnerability identifier: APSB13-09

    CVE number: CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
    Platform: All Platforms

    Flash Player Update Instructions


    Flash Player for Windows, Macintosh and Linux

    Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

    Notes:
    • If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
    Adobe Flash Player for Android

    The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    References







    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Thursday, March 07, 2013

    Mozilla Firefox 19.0.2 Security Update Due to Pwn2Own



    The CanSecWest security conference is underway and Firefox fell along with others.  However, Mozilla developers quickly diagnosed the issue, built a patch, validated the fix and the resulting builds, and Firefox version 19.0.2 has been sent to the release channels.

    What’s New

    FIXED -- 19.0.2: Security-driven release, see details in the associated security advisory

    Update

    To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

    If you do not use the English language version, Fully Localized Versions are available for download.

    References




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Security Bulletin Advance Notice for March 2013

    Security Bulletin
    On Tuesday, March 12, 2013, Microsoft is planning to release seven (7) bulletins.  Four bulletins are identified as Critical with three bulletins rated Important.

    The critical bulletins will address vulnerabilities in Microsoft Silverlight, Internet Explorer, Office, and Microsoft Server Software. The bulletins rated Important and will address issues in Microsoft Windows and Office.


    As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

    References



    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Tuesday, March 05, 2013

    WinPatrol® 2013 Update v27.0.2013 Released

    WinPatrol 2013

    WinPatrol users who experienced the recent problem with crashes will be happy to learn that the source of the problem has been tracked down and resolved. For information about the crash problem, see  Hackers Steal WinPatrol Data Already Available

    As Bill Pytlovany explained:  The WinPatrol update includes a layer of protection that will discourage any future attacks and crash safely.  If an error occurs for any reason, Scotty will continue to be graceful in his behavior so other programs will never at risk of losing work currently in progress.

    With the release of v27.0.2013, WinPatrol now includes a long-requested feature of new version update notifications:

    WinPatrol New Version Available


    Download WinPatrol 27.0.2013 

    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Monday, March 04, 2013

    Another Out-of-Band Critical Java Security Update

    java

    Unfortunately, there are programs that require Java in order to function.  In the event you are not in a position to uninstall Java, please update to the latest version, Java 7 Update 17 (correct, Version 16 was skipped).

    Although Oracle was planning to wait until April to update Java to address CVE-2013-1493, Java 7 Update 17 was released by Oracle today.  Security Alert CVE-2013-1493 addresses two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).

    If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

    Java Security Recommendations

    Although Oracle changed Java security settings to “high” by default, it is advised that users of Java confirm the setting.

    With the setting at high, you will be prompted to authorize the execution of applets which are either unsigned or are self-signed, thus providing the ability to deny the execution of a potentially malicious applet.

    Changing the setting to "Very High" will result in unsigned (sandboxed) apps not being able to run.

    1)  In the Java Control Panel, set the security to high.
    2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

    Java ControlPanel
    (Image via Sophos Naked Security Blog)

    3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

    Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

    Download Information

    Download link:  Java Version 7 Update 17

    Verify your version:  http://www.java.com/en/download/testjava.jsp

    Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

    Critical Patch Updates

    For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
    • 16 April 2013
    • 18 June 2013
    • 15 October 2013
    • 14 January 2014

      References





      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...