The password manager LastPass had been my password manager of choice before I switched to the Open Source password manager KeePass. LastPass supports multifactor authentication systems for some time now, for instance with the help of Yubikeys. But those usually came with a cost.

LastPass back in November introduced support for Google’s Authenticator app to add another multifactor authentication option to the service.

Google Authenticator is a mobile application for Android, iOS, Blackberry and Symbian devices that generates a temporary verification code that users need to enter when they log into LastPass from untrusted devices.

Google Authenticator needs to be linked to LastPass before the new security feature can be used. Here is how this is done.

• Google Authenticator needs to be installed on a mobile device. Google offers installation instructions for Android, iOS and Blackberry devices. Please note that you need to enable 2-step verification using the phone number as Google Authenticator cannot be setup otherwise.
• Once Google Authenticator is up and running properly, LastPass users need to visit this link to link the authenticator with their LastPass account. This is done by either scanning the displayed barcode with the mobile device, or by entering the Google Authentication key displayed on the website manually.

LastPass will from now on display a Google Authenticator Authentication page for log ins to the service from untrusted devices.

LastPass users then need to open the Google Authenticator app to generate a one-time verification code that they need to enter on the LastPass website. Users who require offline access to their LastPass password database can configure this during configuration. It is also possible to trust devices to avoid having to generate and enter verification codes on every log in.

Additional information about the setup are available on the LastPass Support website.

The new multifactor authentication adds a second layer of protection to the LastPass login process that makes it a lot harder for attackers to access a user’s password database.

Only the most recent versions of Microsoft Internet Explorer (9), Google Chrome (12 and 13) and Mozilla Firefox (5) were analyzed. Other browsers, like Opera or Safari, were not included in the research.

The results and areas that have been analyzed in the study are displayed in the table below.

All three browsers have implemented industry standard data execution prevention, address space layout randomization and stack cookies anti-exploitation technologies. The researchers found Firefox’s sandboxing, plug-in security and JIT hardening to be either unimplemented or ineffective. They also concluded that Chrome had the edge over Internet Explorer as the browser’s implementation of sandboxing and plug-in security was industry standard, while Internet Explorer’s was not.

Here is the conclusion of the research paper.

The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies,Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack

Neither the fact that the research was sponsored by Google, nor the missing definition of industry standard disqualifies the research paper immediately. It is however something that needs to be addressed and looked at.

It needs to be noted that core browser security plays just a part in a user’s threat protection. Other factors include the operating system, up-do-date plugins and browser versions, browser extensions or security software.

What’s your take on the research paper?

Fair Trade Digital Exchange is a revolutionary “digital first” publishing company devoted exclusively to technology topics. The Fair Trade DX development model lets us turn content from world-class authors into high-quality books and learning products, at a pace that leaves traditional print publishers in the dust. Unlike other publishers, we treat authors as full partners, and our shared goal is to inform, enlighten, and delight readers.

We’re proud to announce our first four titles, available today in all popular digital formats.

• Need2Know: Ed Bott’s Windows 8 Head Start, by Ed Bott
• Need2Know: Microsoft Office 365 Security Essentials, by Mike Halsey
• Need2Know: Broadcasting your PowerPoint Presentation, by Katherine Murray
• Need2Know: Building ASP.NET Web Pages with WebMatrix, by Jim Wang

I wanted to make this first book a really holistic view at Office 365 security for small businesses.  In this I look at every aspect of business computing from your ISP and Internet connection to your PCs, smartphones, tablets and even employment policies, home working and more.

It’s fantastic to have been invited into such esteemed company as they’re all brilliant authors, and doubly so to be with them during the launch of the publisher and their first new book series.

Regards Office 365 Security Essentials, the publisher says…

Many smaller organizations rely on a few tech savvy managers to ensure that Microsoft Office is configured and deployed to best support core business objectives. If you are one of these indispensable managers, you are probably aware that the online collaboration features of Office 365 also create security risks not associated with desktop versions of Office. In Need2Know: Microsoft Office 365 Security Essentials, author Mike Halsey identifies and explains those risks, and answers essential questions about how to run Office 365 safely and
securely. With a program that eliminates the need for a patchwork of third party solutions, it’s important to harness the tools at your disposal to the fullest.

Microsoft Office 365 Security Essentials shows you how to secure your Office 365 team site, how to manage your users and administrators, and how to employ secure practices with Microsoft and third-party tools, as well as good old common sense. Author Mike Halsey brings wisdom from his extensive work with Microsoft Windows and the Office product family to the table to help you address the security threats you must know how repel in order to protect your company and its assets.

In Microsoft Office 365 Security Essentials, you will quickly learn how to:

• Manage Office 365 email and contacts securely
• Implement team site security effectively
• Handle security when using Office 365 with other Microsoft products
• Create and manage different types of Office 365 user accounts
• Set appropriate permissions on Office 365 team site accounts
• Identify different types of Internet threats, and implement an effective antivirus solution
• Implement common sense password security and use encryption to protect sensitive data

Microsoft Office 365 Security Essentials also includes handy references to safe password creation, secure web browsing, and anti-spam best practices, suitable for sharing with employees and coworkers.

You can find out more about this new book series at the fair Trade Digital Exchange website.

Click to view full size

Columbia University researchers have discovered a vulnerability in some Hewlett-Packard LaserJet printer lines that could allow attackers to install a modified firmware to steal information, run attacks from within a network or cause physical damage to the printer.

Attacks can be carried out from different vectors. Printers that support a remote firmware update process could allow attackers to take control of a printer’s firmware over the Internet in less than a minute if the printer is not protected properly by a firewall. The researchers during a scan were able to find more than 40,000 devices that they said could be infected within minutes.

Local attacks are another possibility. The researchers were able to send print commands from Macintosh and Linux computer systems to trick the printer into reprogramming itself. It is not clear at the time of writing if Windows environments are safe or also affected by this.

Printers that the researchers analyzed do not verify the source of the firmware with the help of digital signatures. A HP spokesperson stated that all modern HP printers do require digitally signed firmware upgrades since 2009.

Even worse for consumers and companies, there is no way of telling if a printer’s firmware has bee compromised short from physically disassembling the printer and analyzing its chipset output.

According to RedTape, HP is currently analyzing the claims made by the researchers. HP could release a firmware update of their own to resolve the vulnerability. Compromised printers however may have been programmed to block new firmware updates. That’s bad on the one hand as companies would have to throw away the printer in this case (or talk to HP to find a solution) and good in another as they have just identified a compromised printer in their network.

The researchers have started analyzing printers manufactured by other companies recently but no results have been posted yet. They say it is likely that printers and other devices with Internet access are also vulnerable. (thanks Jojo for sending in the tip)

But surely you don’t keep any sensitive information on your phone unless people really are interested in text messages from a loved one or emails from Groupon?  Here you’d be wrong again.  In this article I want to have a look through the different types of important information you keep on your smartphone, and look at ways you can keep it safe and secure.

So what information do you keep on your handset?

Contacts

You might not keep really sensitive details about yourself on your phones such as your Social Security number or bank details, but you do keep ever growing details about all your contacts.  These include their full names, address, email address and multiple phone numbers and, crucially information such their full date of birth (which is used in faking IDs and gaining access to accounts) and possibly family connections that are possibly giving up details such as their mother’s maiden name.  In short you are being entrusted with a huge amount of information on a huge number of people, all of which can be used for identity theft.

Email

It might not be possible for someone to discover your email password or to change it from your handset, though a good hacker might still find a way, but depending on what emails you store locally in your inbox they might reveal all manner of additional detail about you perhaps including at least partial credit card details if you’ve been shopping online.

Documents

More and more of us are keeping documents on our phones and with the inclusion of support for services such as Windows Live SkyDrive in Windows Phone, it’s becoming far easier to not know what important and sensitive documents you actually can access from your phone, maybe without even knowing the functionality is already there and switched on.  If you use DropBox on your phone for instance what documents are you storing in the cloud that can be easily and instantly accessed by someone who has physical access to your phone?

GPS Locations

As more and more of us use smartphones as GPS devices, what locations have you got stored in your phone?  Do you, for example have “Home” listed as a location?  If you do a thief could be directed straight to your home at the time when they know, if they’ve just stolen the handset, that you’re out.

How can you secure your handset?

Use a Password Lock

The most basic and simple way to lock your phone is to put a passcode on it, be this a physical numerical code or a swipe pattern.  Make it a good one though, definitely not an obvious pattern or the same code as you use for the PIN number on your bank card.  Having a code or pattern that’s a bit harder to do might be a little more inconvenient for you, but it comes with a great deal more peace of mind.

Write down your IMEI number

The phone’s unique identifier code, it’s 15 digit IMEI number can usually be found close to the SIM card slot and battery compartment in a phone.  Write down this IMEI number and keep it in a safe place at home in case you need to cancel the phone, it will make things quicker, or more important to report the phone as lost or stolen to the police.  Having the IMEI number will help make sure the handset can be quickly returned to you if it is found.  You can check the IMEI number on the phone itself by typing *#06# on the keypad.

Edit Your Lock Wallpaper to add an ICE number

An ICE (In Case of Emergency) number can quite possibly save your life if you are involved in an accident or incapacitated and the emergency services can’t unlock your phone to call a relative or friend.  Unfortunately modern smartphones still don’t include support for ICE numbers but if you manually edit in a graphics package onto the image you use for your lock screen, it can be a great help in having your phone returned to you if it is found.

Use Anti-Malware Software

Malware and viruses on smartphones are becoming ever more common and regardless of how secure the platform might be, or how much vetting all the apps might go through, there’s no guarantee that malware won’t slip through the net.  Check the reviews online to see if the anti-malware software you’re buying is actually any good and preferably go for one of the big name companies such as AVG or Kaspersky for added peace of mind.

Use a Remote Management Service

Some smartphone platforms, including Windows Phone, come with a remote management service you can access online.  These services can allow you to remotely lock the phone, track it (even when locked) or even wipe it altogether and perform a hard reset if you suspect it is gone for good.  These services are accessed through any web browser and if your smartphone comes with such a service it is well worth signing up for it.

So what are your additional tips for keeping your smartphone, and its sensitive data safe and secure?  Write them in the comments here as we’d love to hear them.

Even worse; Changing the Dropbox account password did not stop the synchronization on the third party PC. The only option available was to end the session in the Dropbox user interface on the official service website.

Dropbox today has released an updated version of their software client that puts an end to this security loophole. The changelog notes that Dropbox version 1.2.48 ships with security enhancements that prevent attackers from stealing a computer’s account credentials just by copying the configuration files to another computer.

That’s a big step forward in terms of security and protection of accounts. Dropbox furthermore switched to a new encrypted database format to “prevent unauthorized access to local Dropbox client databases”.

The new version ships with Mac OS Lion integration and several smaller fixes that have not been explicitly mentioned in the forum post announcing the new version.

Dropbox 1.2.48 is already available for download on the official Dropbox website. Dropbox users and interested new users can head over there to download the client for their operating system. The new version can be installed over the old version.

Please note that the Dropbox client offers no update checker or automatic update installer. All users need to download and install the new version manually to benefit from the new version’s improvements.

Dropbox users who want to host important files on Dropbox should consider encrypting the files for extra protection. This can be done with specialized software like Boxcryptor or encryption software like True Crypt. (via)

Update: The Dropbox team informed me via email that their software has an automatic update feature and that all users of the service would be automatically updated to the latest version in the coming days.

The proof of concept works in Firefox, but the security researchers state that other browsers are also affected by it. They explicitly mention Microsoft’s Internet Explorer and note that the Google Chrome may be vulnerable as well. They do however mention that an attack may not be as easy to implement for that browser due to the fact that Chrome does not “send keydown/keyup events to JS when the autocomplete drop down menu is focused”.

Here is how the issue can be exploited:

It is possible to get key down / up events via JavaScript when a drop down autocomplete menu is shown. This means that it is possible to lure a user to play a game and steal arbitrary values from browsers autocomplete feature.

The proof of concept page demonstrates how third party websites can steal autocomplete information from Firefox. The page can check if autocomplete information are available for sites such as Twitter, Facebook, Gmail, Microsoft or Yahoo logins as well as three different types of inputs.

According to the security researcher, browser vendors should implement a feature into their browsers that ties the autocomplete input to a particular website. The only way to protect the data from being stolen is to disable the browser’s autocomplete feature for forms and searches.

Firefox users can do that in the preferences under the Privacy tab.

Internet Explorer users can disable autocomplete under Internet Options > Content > AutoComplete > Settings.

Are you using your browser’s autocomplete feature for forms? Let me know what you think of the vulnerability in the comments. (Thanks Venkat)

A side effect of this is that most advertisements and other script driven objects and elements will be blocked as well by the extension.

NoScript offers more than just script blocking and whitelisting though. It comes with additional modules to enforce HTTPS usage, Cross-Site Scripting filters, Clickjacking protection and a firewall like component that the developer calls Application Boundaries Enforcer.

The developer of NoScript has been working for quite some time on a Firefox Mobile port of the extension. The recently released NoScript 3 Alpha 9 version is the first feature-complete version of the security add-on for Firefox Mobile on Android and Maemo devices.

NoScript Mobile in particular offers the following major security features that the desktop version of the add-on offers:

• A domain based content permission management for scripts
• Anti-XSS (cross-site scripting) filtering options
• Clickjacking protection called ClearClick
• The web application firewall App Boundaries Enforcer

NoScript Mobile furthermore introduces permission presets that can be configured after installation and later on in the extension’s options.

The developer has added four different permission presets to the add-on.

• Easy Blacklist – The user picks the sites where JavaScript and plugins are blocked on
• Click to Play – Plugins are automatically blocked until activated with a click by the user
• Classic Whitelist – The standard setting on NoScript for desktop Firefox versions. Blocks all scripts automatically and will only run whitelisted scripts.
• Fortress – Like the Classic Whitelist setting but all contents are blocked even on whitelist sites until clicked on.

Another interesting feature that will be implemented eventually is the ability to synchronize NoScript settings between desktop and mobile versions.

Users interested in running NoScript on mobile devices can download the latest version from the NoScript Anywhere project website.

Two weeks later things have changed considerable. Several German states acknowledged that the backdoor was used by German police forces to spy on communication software installed on computers. According to the news spyware programs were in use since 2009.

The initial analysis of the contents was far from complete. Security experts at F-Secure and Kaspersky posted the results of their analysis recently which offer a more detailed view of the malware’s capabilities.

Kaspersky discovered that the trojan installer supports both 32-bit and 64-bit Windows operating systems. Experts previously assumed that only 32-bit systems could be targeted by it.

The second finding is a list of applications that the trojan has been designed to monitor. This list is larger than the initial list that the Chaos Computer Club published. A total of 15 applications are listed, including Firefox, Explorer, Opera, Skype, Microsoft Messenger, ICQ and Yahoo Messenger.

The trojan injects code into those processes:

Code injection into target processes is carried out by the dropper, two user-mode components and also a 32 bit kernel driver with extended functionality compared to the version previously analyzed, which only provided an interface for registry and file system modifications. This new driver starts an additional thread that constantly loops over the current list of running processes and injects a DLL into each whose image name matches an entry from the following list:

The 64-bit Kernel driver is limited in its functionality compared to the 32-bit component.

Contrary to the 32 bit version, the 64 bit driver does not contain any process infection functionality but only provides a rudimentary privilege escalation interface through file system and registry access. Similar to its brother, it creates a device and implements a basic protocol for communicating with user-mode applications.

Kaspersky identified the a 1024 bit RSA certificate issued by Goose Cert on April 11, 2010.

The F-Secure blog has more information on how the backdoor was installed on target systems.

In one case, the trojan was installed on a suspect’s laptop while he was passing through customs & immigration at the Munich International airport.

The existence of a 64-bit component, the monitoring of additional processes and information on how the trojan was installed on systems confirms that there has been more to that state sponsored trojan than initially assumed. The majority of security software available should detect the backdoor by now.

In this multi-part article I’m going to look at best-practice strategies for backing up your important files and documents.  I want to start with the home and begin this part by looking at some of the devices we now have our data stored on.  In years gone by it was just an Internet-connected PC on which you stored information.  Now however we have laptops, netbooks, tablets and smartphones.  All of these devices have personal data on them.

Now it’s not always easy to back data up on tablets and smartphones, though some services such as HP’s TouchPad do back your data up securely by default.  You can also get third-party backup software for these devices.  More often than not though you will find that the data on these devices is almost always duplicated elsewhere, such as in your email account.  It’s best in these cases then simply to make certain that these devices are protected by a secure password.  To create a secure password use a combination of letters, numbers and symbols and make the password at least eight, preferably ten or more, characters.

This leaves out desktops, laptops and netbooks.  Now these computers are most likely running either a version of Windows or Apple’s OS X.  Both operating systems are secure by default.  You should always make sure you have a strong password on any portable computer however and also preferably on a desktop PC.  This won’t stop someone getting at your data if they remove the hard disk, but it will make it difficult for the average thief.

Home users will commonly not have access to the encryption technologies available to business users with the Professional and Enterprise copies of operating systems such as Windows, so have to rely on passwords alone to keep their data secure.

With backups however it’s very easy and important to make sure that you have backups of all your files and data.  In previous years people have used CDs and DVDs to store backups.  I don’t recommend this any more.  These mediums are prone to data degradation over time and under certain conditions, such as heat or cold.  Hard disk technology has dropped in price considerably in the last few years however and a good-sized external hard disk can be bought for under $100.

Keeping regular backups (ie. settings either an automated backup solution using software such as Windows Backup or setting yourself an alarm reminder) once a month or maybe even more frequently is a fantastic routine to get into.  It doesn’t take much time or effort to make a backup once you have it running.

You might wonder though what you would do with this external hard disk once you have your backup?  After all, if you have a burglary or a house fire it too could be destroyed and surely an online backup service such as Mozy or Carbonite would be better.  If you don’t have a large file collection then online backups are excellent.  For everybody else though it can take months, or even longer to back up all your files online.  Also when it comes to restoring them should your computer be lost or damaged, can also take days or even weeks.

Thus my recommendation, while you can use this in concert with an online backup service, is to store this external hard disk somewhere secure but off site, away from your home.  Perhaps you can keep it with a family member or close friend.  Try to avoid the obvious locations where thieves may look, such as the back of the wardrobe.  Perhaps the bottom of the sideboard could be more hidden away.

Then once a month or so you can bring the hard disk back for a day or two, update the backup and send it away again.  This way, not only do you have a safe and secure backup, even safe from a house fire, you can also restore your files quickly should you need to.

In part two of this article series I’ll look at good backup strategies for small businesses.

In a blog post today, the company said that 24.4% of all web browsers are outdated and insecure.  Of this 15.2% includes Internet Explorer 6 and 7 (it’s odd that Microsoft are suddenly now calling IE7 insecure) and 7.5% are older versions of Mozilla Firefox.

In their breakdown by country the USA appears to be the worst offender with just under 22 million computers using insecure browsers.  Brazil is second with just over 7 million, France is third with 5 million, the UK has 4.2 million and China has just under 4 million.  I’m not completely sure where this fits with Microsoft’s IE6 Countdown site which states that more than 25% of all browser usage in China is still IE6.

Microsoft’s stats say that this 24.4% equates to around 340 million PCs worldwide.  In a statement they said…

With that in mind, we’ve partnered with the Anti-Phishing League, Identity Theft Council, and Online Trust Alliance to raise awareness of the critical role browsers play in online security and make it as easy as possible for people to protect themselves.

The new website itself does more than just give your browser a health rating.  There is useful information there on what malware is, with a useful video for the uninitiated.  There is also information on what modern browsers do to keep people safe when they’re online and also help and advice on how you can stay safer when you’re online.

Oddly, what the browser doesn’t do is bring the latest version of Internet Explorer front and centre, instead relegating it to a small download button hidden away on the website’s last page.  This is probably a very good idea given the organisations that Microsoft has formed alliances with for this project.

It is very true that you should always make sure you have the latest and most up to date version of whatever browser you are using, be that Internet Explorer, Chrome, Firefox, Safari or Opera and that you have installed all the latest security and other patches.

It is always good to see when companies try and give the public additional advice too.  People can become too reliant on the web browser protecting them from ‘everything’ and they can then feel they can click around random links with impunity.  In fact this is the best way to get your computer infected with malware, or have your identity stolen, and it is the responsibility of every Internet user to remain cautious and vigilant when online.

The Online Trust Alliance say of the project…

“The mission of the Online Trust Alliance is to enhance online trust and confidence.  When it comes to online security and privacy, the browser plays an important part in helping to make the internet safer for all users.  Since our inception, OTA has been a proponent of improving browser security and getting people to move to more secure platforms…   More must be done to help educate users on the need to move to more modern browsers and we applaud Microsoft’s leadership and collaboration in this important initiative.”

Martin’s take

Your Browser Matters is a new site by Microsoft and partners that aims to make Internet users aware of security in general, and the web browser they use in particular. Some users may decide to ignore the site completely considering that it is maintained by Microsoft, others might want to check it out to see what it is all about and if the points that it tries to make are valid.

When you open the homepage of the informational site in a supported web browser you get a score for that browser right away. The site unfortunately does not support beta versions of web browsers which means that I was only able to get a score for Internet Explorer 9. Neither Firefox Aurora, Google Chrome Dev nor the latest stable Opera version were compatible with the site.

Microsoft’s Internet Explorer 9 scores 4 out of 4 points, which obviously is the highest possible score. Ed Bott ran Chrome Stable and Firefox Stable through the test and noticed that the browsers scored 2.5 (Chrome) and 2 (Firefox) respectively.

It all boils down to the test criteria. When you look at all of them in the screenshot below you will notice that Microsoft analyses how the browser handles the following four attack forms: Dangerous downloads, Phishing websites, Attacks on your browser and Attacks on websites.

You will also notice that no browser scores perfectly in all tests. Microsoft’s Internet Explorer 9 for instance fails in three of the sixteen tests, Chrome in seven and Firefox even in nine tests.

When you look at the core differences you notice that Microsoft’s Internet Explorer is the only browser in the test that passes all dangerous download tests which the company attributes to its SmartScreen technology. Both Firefox and Chrome fail in the tests.

All browsers pass the phishing websites tests. The attacks on your browser group of tests is divided into securing extensions and effective sandbox. Internet Explorer is the only browser according to Microsoft with the ability to restrict extensions and plugins on a per-site basis. The browser also passes the “benefits from Windows operating system features that protect against structured exception handling overwrite attacks” test where the two others fail.

Chrome on the other hand is the only browser in the list that passes the sandbox test.

Internet Explorer passes four of five tests of the attacks on websites test. It is the only browser that can automatically block insecure content from https pages and to sanitize HTML to remove potentially problematic code.

The question at this point is obviously if the tests are biased towards Internet Explorer by leaving out tests that might not be as favorable.

I can list a few missing tests without really thinking much about it, for instance:

• Is the browser protecting the user from third party extension or plugin installations?
• Does the browser warn the user of outdated plugins?
• Can users disable security related features, like JavaScript on a per site basis.
• Does the browser support different user profiles?

What I like about the site in general is that it offers information that educate users. The prevention tab for instance lists basic but important security information on one page.

Security is obviously only one feature when users pick a favorite browser that they use most of the time. There are other features like speed, extensions support or general compatibility with web standards that can make a difference.

What’s your take on Your Browser Matters? Is Microsoft making a valid point here or is this just marketing mumbo-jumbo?

Before you answer note that that Internet Explorer 6 scores 0 of 4 points and Internet Explorer 7 1 out of 4.

If you have a laptop computer with a TPM chip then using BitLocker to encrypt the content of your hard disk is a very worthwhile activity, especially for work computers where you may be carrying sensitive personal data on staff or customers, or where any data you are carrying will be subject to local data protection regulations anyway.

Bitlocker is easy to use too, you just go into the BitLocker option in the Windows Control Panel, select your hard disk(s) you want to encrypt and, if your computer has  TPM chip, turn it on.  But what atre the problems and pitfalls of using BitLocker?

Bitlocker will work very effectively and silently in the background and you won’t even realise it’s there.  This can cause problems should something go wrong with Windows and you need to either restore it from a backup, or reinstall it completely.

When you encrypt your disk with BitLocker, Windows will prompt you to store a copy of your encryption key on a USB pen Drive.  There are good reasons for this and it’s wise to keep a copy of the encryption key on that Pen Drive and keep the drive itself somewhere safe but handy.  Obviously if you’re taking a laptop out and about you shouldn’t keep the Pen Drive with you at all times where it could be stolen with the laptop, this is almost as bad as having no encryption at all.

If you need to restore Windows from a backup image however Complete System Restore in Windows will ask you for a copy of the encryption key before it can work with your hard disk(s).  It will happily look on Pen Drives and find the appropriate keys.  Without these keys the restore process simply won’t work at all, neither will any the startup repair options in Windows 7.

When you come to reinstall Windows the problems will be worse.  Before you can do this it is extremely wise to completely decrypt your BitLocker-protected drives; a process that’s probably best left running over-night.  You can create yourself all types of security problems if you try to reinstall Windows 7 over a partition that’s already encrypted, or if you wipe the original partition and recreate it and have a second partition or disk for files.

A BitLocker encrypted disk is tied to the boot loader of a Windows installation, and it is this that it looks for to check it’s not been modified before the TPM chip releases the decryption key.  It would be too easy to reinstall Windows and then find you no longer have any access to your files and data because they’re encryped and not backed up in an unencrypted form somewhere safe.

Backups are essential when you are dealing with any form of file or disk encryption, even Windows EFS (Encrypted File System) which I personally hate as it strips useful metadata out of files when it compresses them for reasons that make no sense.  You should always make sure there is at least one fully unencrypted backup copy of your files stored in a secure location.

I would also recommended keeping a copy of your encryption key in a safe location, perhaps Microsoft’s SkyDrive service.  It wouldn’t even matter here if hackers gained access to your account and downloaded the keys, as without physical access to the computer they relate to, the keys are completely useless to them.

So while BitLocker is a fantastic idea and one that I use on my own laptop paired with a fingerprint scanner, you need to be very careful when putting it into implementation.

The problems for OS X seem to stem from user privileges.  While Windows 7 isn’t perfect, OS X seems to have more “soft spots” according to a report by Network World.  “OS X networks are significantly more vulnerable to network privilege escalation” according to the researchers, who went on to say that “almost every OS X server service offers weak or broken authentication mechanisms.”

This news will come as a shock to some and a surprise to many.  While Apple still maintain that there is no malware threat on their desktop platform, despite the recent proliferation of the Mac Defender malware, OS X is still generally considered to be more secure than Windows 7 because of it’s Unix origins.

The fact that it’s user privileges and authentication, which is one of Unix’s strongest suits, will cause many great concern.

The researchers say that the latest version of OS X has gone some way to rectifying the problems with new sandboxing, that keeps programs isolated.

The research also looked at the vulnerability count for the two operating systems over the past few years.  In that time OS X has seen 1,151 vulnerabilities with Windows being not much higher, at 1,325.  While this is higher than the count for OS X it’s not significantly so.

On the upside, they also pointed out that Apple’s mobile operating system, iOS, is better at sandboxing applications.  It has a dynamic signing feature which the device has to approve before an application can run.  This is opposed to OS X which will accept certificates that it is given.

Whatever the outcome of this it is further proof that Apple have let their game slip in recent years by being complacent about security in their operating systems, especially OS X.  The line that it’s just secure by design is no longer true as malware these days works on the user rather than the OS itself.  It will be interesting to see how, or even if, Apple respond.

Here is how the deal works. You can trade-in your current antivirus solution for a one or two year license of Agnitum Outpost Security Suite. The current license needs to be valid for at least three months to get the free version. If it is valid for more than 12 months, you’d even get a two year license instead.

A total of 15 different vendors are accepted by Agnitum, including Avast, Symantec, McAfee, AVG and ZoneAlarm.

Agnitum wants you to provide evidence of the license. This is done by making a screenshot of the purchase confirmation email, in-application or the active account screen from the security vendor’s website.

I cannot really say what’s on the next page after you have clicked on the Send button. I have send an email to my contact at Agnitum to find out more about that part of the process.

Update: The next page displays information about the upcoming steps. It contains a download link to a trial version and information that it will take up to two days to get the product key by email.

You have submitted your license in exchange for an equivalent license for Outpost Security Suite Pro. While you’re waiting for confirmation of your eligibility, please DOWNLOAD a free 30-day full-functional trial version and get ready for up to 2 years of high-performance proactive security!

Within 2 business days, you will receive an email from Agnitum Technical Support with the registration code for your Outpost Security Suite Pro with one or two years of free updates, upgrades and support. This license will be valid for up to 3 or 5 PCs for personal and/or family members usage, depending on the competing license you provide.

I’m also not sure if you can only trade-in Internet Security suites, as mentioned on the page, or standalone antivirus solutions as well. Try to get an answer here as well for you guys.

You probably would like to know what Output Security Suite has to offer, and how it competes against comparable suites.

The product page at the Agnitum homepage links to a pdf datasheet with information about the product. Outpost Security Suite is an all-in one solution that combines antivirus protection with a software firewall and other security related modules like a system and application guard or an anti-spam module.

I found several test sites where the security software was tested. I cannot vouch for those sites.

• Proactive Security Challenge: Result Top 5 Listing
• 2 out of 5 from PC Mag
• 4 out of 5 from Softpedia

It needs to be noted that Agnitum is offering a free version of the Outpost Security Suite that anyone can download and use. The free suite comes with most of the features of the professional version. It offers the same antivirus and firewall protection. What it does not offer are unique ID theft prevention, priority updates and technical support.

Many applications are writing to the hard drive perpetually. By excluding the files and folders they are writing to or reading from, assuming they are assuredly trusted and safe, you will speed up PC processes and still have sufficient antivirus protection. Which files to exclude?

• Subversion / TortiseSVN Folders
• Virtual Machine Directories
• Personal Photo/Video folders
• Windows Update Folders
• Connected Mobile Devices

These are just some examples. You may choose anything appropriate to your configurations. It is difficult to specify what files and folders to exclude for any given PC, considering the myriad configurations, software combinations, and uses that PCs will have. It will be a different scenario for everyone, but the approach is basic. This will work with any antivirus software program. In the examples below, Microsoft Security Essentials is being used. Other software versions may be appropriate for users. This is just an easier way to show how to work with antivirus software exclusions settings in general:

2. Here you can browse all files and locations and include them, once identified, by clicking “Add.” This is a one by one process, but its simplicity and tedium should not be taken for granted. This approach helps you ensure that you do not include files that may be unsafe. There are a variety of ways to use exclusions for each different antivirus software type and all involve going to a Settings option. You may be given a scroll list to choose from once you have built a significant list of exclusions and this will allow you to change any of those exclusions as necessitated. With Microsoft Security Essentials, you can click the Advanced option and gain more generalized options for situations that may require broad, more generalized exclusions.

It is always best to create a System Restore point before making changes to any software, but especially antivirus software. Also take steps to backup the files that you are planning on excluding. There are no guarantees from software to software and system to system. With a set restore point, you can always go back and undo something undesirable. Secure your settings and files first, and then alter your security.

The Malware Prevention Fix-It belongs to that category. While it still comes with an option to check and repair everything automatically, it can also be run manually to give the user the option to accept or deny suggested actions.

The program runs a series of security related checks on the system to find possible security issues. It can fix a variety of settings and tools, including Windows Firewall, Antivirus protection, User Account Control, Data Execution Prevention or the system’s phishing and smartscreen filters.

Users get the option to let the Fix-It tool detect the problems and apply the fixes, or to do that manually. The manual option is suggested for experienced users, and users who want to know about the changes that are made to the system.

Users who select the manual option get a list of possible security issues that have been found on the system. All issues are displayed with checkboxes to enable or disable their fixes.

Additional information are displayed in a mouse over popup. These can be handy for users who want to know more about a specific tool, feature or service listed there. There is also an option to display a detailed report which lists all issues that have been checked on the system.

The Fix-It then tries to resolve the issues on the Windows operating system. It displays a status report in the end listing the issues and their fix status.

The Windows Security Fix-It can be handy for users who are recovering from a malware attack on their system. Malware sometimes makes changes to the system’s security, and this tool can be used to revert possible changes. It can also be used if you want to check your system’s default security settings, for instance during regular security assessments.

Windows users can download the Fix-It from the Microsoft Support website. (via)

There are two main attack vectors on today’s Internet. First the programs that users make use of to connect to websites, and second user ignorance, carelessness and lack of security sense.

Inexperienced users fall prey to attacks at a much higher rate than experienced users. Even commonly known best security practices, like making sure that an Internet browser is updated when the developer releases a new security patch, are often run in a time frame that is giving attackers ample time to exploit those issues.

But it is not only the technology that is making attacks successful. It is also its users. Phishing for instance has been a problem for more than a decade on the Internet. One would think that users would learn to identify phishing emails by now, but that’s not the reality. People fall for phishing attacks on a daily basis. This article would go to far to look at the root causes for this, but it is likely that ignorance plays a large part in this.

Lets go back to the browser for a moment. Most users know that they have to upgrade the browser when a new version comes out. Most browsers come with automatic update checks and installations these days. Only Google Chrome updates without user interaction, the other browsers, at least for now, display the update notification and give the user the option to run the update. If users opt out, they leave their browser insecure if the update fixed security issues.

Do you want to know how your browser compares to others? Sites like Browserscope allow you to run tests and compare the results with other versions of the same browser and Internet browsers from other companies.

Lets assume you have got your browser updated to the latest version, and that you generally update the application immediately when a new version comes out. You are secure now, right? Nope, you are not. Why? Because it is not only about the browser software. Browsers make automatic use of other applications, commonly called plugins. Popular plugins like Adobe Flash, Microsoft Silverlight or Java are attack vectors as well, and successful ones too.

If you fail to update the plug-ins that are enabled in the browser, you are still prone to attacks. That’s why companies like Mozilla have started to integrate plug-in checks into the browser to inform the user about updates.

But you are secure when you update your operating system, browser and plugins whenever they are updated, right? Wrong again. Two attack vectors remain. First the user and second software vulnerabilities that have not been discovered or fixed yet. (There are actually more if you consider the local network as well. The computer could have a virus for instance that could render all browser security pointless. Another vector are local area network attacks)

A browser cannot help a user who enters his credit card number, verification code and social security number in a web form on a site like paypal.com.sxrixxree.cn. Browsers could block the web address if it has been previously identified as a phishing website, if it was not, it is up to the user to come to that conclusion.

Browser developers are trying to automate security as much as possible, especially for users who do not know a thing about it. But even with all that automation, it boils down to the individual user in the end. Tech savvy users know that everyone should have at least a basic understanding of security to avoid the dangers on today’s Internet. The reality on the other hand looks grim, and it does not look like it is going to change anytime soon.

How do you cope with the dangers on today’s Internet? Do you try to educate family and friends, or have you given up on that?

Modern smartphones have lock screens that swipe in one way or another.  Sometimes too they will have a pin unlock.  Now these pin unlock screens by law have to include a button to allow you to make an emergency call, 999, 911 or 112, without physically having to unlock the handset.  But what about people who don’t have a pin code on their phone?

Modern smartphones are quite complex, and easily customisable.  After you’ve used a smartphone for a period you’ll be completely comfortable with where things are and how you access them.  For people who have recently bought their phone, or just got an upgrade on their contract, this isn’t always the case though.  A friend of mine only yesterday had to make an emergency call, fortunately not a critical one, and found he had to swipe up the lock screen on his brand new Windows Phone, go into the People hub and then find the small icon that would bring up the call pad to allow him to make the call.  This took valuable time.  He wasn’t familiar with the handset though as he’d only had it for a day.

Then there are problems with ICE numbers.  For those of you who don’t know it’s useful to mark one of the contacts in your phone as ICE (In Case of Emergency).  This is an idea piloted by a UK Police force and it gives the emergency services a valuable contact to call in the case you are incapacitated, and it’s something that the emergency services will specifically look for on a handset.

With a traditional mobile phone you would just have a phone book of the people you like to call and who call you.  On a smartphone though there can be contacts from Facebook, LinkedIn, Twitter and more in your list, and finding the appropriate person to call can prove difficult or even sometimes impossible.

Modern smartphones are set up in such a way as the lock screen will provide you with useful information such as the time, date and any forthcoming appointments you may have.  They’re not set up to show you ICE numbers though.  What’s more PIN screens, while allowing you access to make emergency calls, won’t allow you to call a next of kin, spouse or housemate in the event that you are hospitalised.

This all brings me back to traditional mobile phones.  These too came with optional pin codes that would have prevented you from accessing the contacts list, though many would have given the option to bring up owner information.  Here you could put a valuable second contact number for the emergency services.

I’ve spoken before about smartphone security, and how it needs to be brought front and centre of the smartphone experience to keep our data and personal information safe.  However there also needs to exist a way to keep us safe and protected in the event that a disaster occurs.

This is something that the main mobile OS manufacturers, Apple, Google, RIM and Microsoft need to consider more as they build more and more security into our handsets by default.  These updates, which are pretty much inevitable, will make it even harder for the emergency services to access our contacts information, or for strangers who may not have a phone of their own or be unfamiliar with your phone’s operating system, to use yours to make an emergency call.

Overall I’d like to think that my phone is set up to allow this, I use a Windows Phone.  As things stand though, there is no way at all for me to provide an ICE contact to people without leaving the handset permanently unlocked.  So it seems that I’m damned if I do, and doomed if I don’t!

Here you can update and edit Word, Excel and PowerPoint documents you have stored in the cloud and it’s the one feature I’ve been looking forward to the most.  I have for many years had spreadsheets that I want to use on the move and used this facility as far back at the late 90′s with handheld computers like the Psion Series 3.  Needless to say then I found that the omission of this feature from Windows Phone at launch, and the inability to be able to transfer and sync documents with PCs made the Office hub almost completely unusable for me, and a waste of time.

Now though I have full access to these spreadsheets.  I’ve stored them on SkyDrive ever since I first installed Office 2010 on my PCs.  The main reason for doing this was security, with the files not actually residing on my computers and hidden behind a password and encryption there, the theft of anything from my home wouldn’t reveal personal and critical financial data to others.  How could anyone resist the opportunity to make their financial data so secure!?  There was also the added benefit of having access to these spreadsheets on any device and from anywhere in the world.  This is something I have also found extremely useful when on trips and holidays.

What I really wanted though was to be able to carry these files around with me too, on my smartphone.  After all, this is what a smartphone is for isn’t it?

You would imagine then that now I have achieved spreadsheet nirvana I would be ecstatic and as happy as happy can be.  You might be surprised then to hear that I’m feeling quite the contrary.  In fact I’m now deeply concerned about the security of these files, and it all comes down the lack of adequate security features in the smartphone OS itself.

Now I won’t speak about iOS or Android here, though all smartphone and tablet operating systems have got some faults in this area.  I’ll concentrate here on Windows Phone.  With this operating system you have a simple choice between ease of use and secure and safe, but sadly it’s very difficult to have both together.

What upsets me so much is that true spreadsheet nirvana for me would be an incredibly simple thing to achieve, if only Microsoft would put in one or two tiny little features to the main lock screen on the OS and one more feature to their Office Live platform.

At the moment the way things stand is like this.  You have a choice of either a lock screen that you swipe up to unlock the phone, or a lock screen that swipes up to reveal a numeric keypad onto which you have to type a code.  The latter of these two options is fully secure but the former will just allow anybody access to all your files and data.

You would imagine then that I would have my phone behind a password, to be safe and secure.  I don’t do this though as I use my smartphone an lot, an awful lot in fact and for a great many different things.  The process of having to swipe the lock screen up and then type in a password is annoying, cumbersome and frankly too much to ask people to do.

This makes me think of Android phones I have used where unlocking the phone involves swiping your finger across the screen to make a pattern that you yourself can set.  This is what I would call secure and with this I would be very happy.  A very similar feature to this is being added to Windows 8, or so it appears, but so far (and we should remember that Mango is still in beta, though Microsoft have a history of only releasing ‘near final’ betas these days) there’s no similar feature in Mango at all.

What Mango does bring to the table is the option to only ask for the password after X minutes of inactivity.  The options only go up to 30 minutes however, which may seem fair enough.  It is at least a huge improvement over what we had before.  It’s not configurable enough for many people though and will need to be looked at.

Then there’s the problem that the phone will automatically show, on it’s Office hub main page, links to every file and document I store in Microsoft’s cloud services.  There’s no option to hide any or just show some.  It’s all or nothing with this OS!

The other problem resides with Microsoft’s Office Live service.  This service is still failing to support passwords on documents.  This would make the problem go away for me (though it still wouldn’t sort out everything else on my phone being easily accessible to a thief).  This means that anyone clicking a link to a file on my phone will find that the file just opens for them, straight away and without worry.

It amazes me then that security on Smartphones is still not being given the importance by many companies that it truly deserves.  We’re all doing more and more with our smartphones these days and many people are literally carrying their entire lives around in their pockets, unsecured and open to theft and abuse by anyone that finds or steals the handset.

This situation has simply got to change, and change quickly.  If Microsoft, Apple and Google are ever going to convince the world, especially business, that their smartphone platforms are ‘the way forward’ then they need to bring security front and centre.  Unless and until this happens we’re all in trouble.

Why? It should be clear that anyone can access public data, including companies, organizations and future employees. If they find something that they do not like, you can be sure that you won’t get that job that you wanted so badly. It can also have implications on your private life, bullying in class for instance or a divorce.

Forbes is reporting today that “the Federal Trade Commission gave a stamp of approval to a background check company that screens job applicants based on their Internet photos and postings”. The company gets hired to perform background checks by crawling social media sites, networks and other public sites for user information.

But what about data that is secured by an account, like Dropbox for file hosting? Two dangers come to mind: First hacking, which has been happening a lot lately. If hackers manage to break into a site, they can do all kind of things, including accessing your information and maybe even your files.

Second bugs that lead to data being publicly accessible. The latter has actually happened yesterday. Dropbox notified their users in a blog post that an update that they applied to their service had the result that for a brief period of time (according to Dropbox, Techcrunch states four hours) account log ins without the correct password were possible. Someone else could have accessed your Dropbox account during that time, which included accessing and downloading files hosted there.

Dropbox in the meantime has emailed all users who might have been affected by this.

If you need to sync or host files online, use encryption if the files are important to you. Check out BoxCryptor, Dropbox Realtime Encryption or SecretSync, Security Layer To Protect Sensitive Files On Dropbox for software reviews that do that automatically.

Closing Words

The majority of Internet users seem to lack an understanding of privacy, considering that many post public information on social networking sites like Facebook or Twitter, without giving a thought to possible consequences. The information are there for a very long time, which means that employees might base a decision to hire or fire on something that you have posted on Twitter or Facebook several years ago.