Security Protection – Harry Waldron MVP Rotating Header Image

Windows 10 – Eleven recommend applications from Microsoft Store

Information Week shares 11 apps for Windows 10.  Most are free and the other products may be purchased for low cost.  “Microsoft Calculator” and “VLC Player” and “I Heart Radio” are all excellent additions that I would recommend

http://www.informationweek.com/software/operating-systems/11-windows-10-apps-for-your-upgraded-pc/d/d-id/1321895

Ever since it first unveiled Windows 10 earlier this year, Microsoft has emphasized the new Windows Store and Universal Apps platform as core components of its new OS.  Apps give life to our smartphones, tablets, and PCs. We use apps to talk, text, email, work, stay organized, play games, and listen to music. Windows 10 may run well on your PC, but it won’t reach its full potential without apps.  The universal apps approach is designed to simplify things for developers and customers. Developers can use mostly the same code base for smartphone and tablet apps. Consumers only have to download an app once to have it on all their devices.

Windows 10 – Current privacy and security concerns are easily addressed

Windows 10 offers new designs and this informative article shares beneficial techniques to address early concerns that have surfaced with certain default settings.

http://www.computerworld.com/article/2975004/microsoft-windows/4-overblown-windows-10-worries.html

Not long after Windows 10 was released late last month, it received a different kind of publicity than Microsoft wanted — concerns about everything from its privacy practices to fears about a new feature called Wi-Fi Sense to unhappiness with the way updates are delivered, and more. In all the sound and fury, one thing was lost — common sense. Some of these concerns had a basis in fact; others were based on rumors that blossomed into complete myths. So I’ve decided to try to get to the bottom of things and have taken an in-depth look at the four most common concerns about Windows 10.

Concern #1: Wi-Fi Sense will share all your Wi-Fi passwords.
Truth: Wi-Fi Sense will not share your passwords.

Concern #2: Windows 10 updates are automatically installed on your computer — and that’s a bad thing.
Truth: Automatically accepting Windows 10 updates isn’t a bad thing. And there are plenty of workarounds.

Concern #3: Microsoft’s use of peer-to-peer networking for Windows updates will slow down your network connection.
Truth: Windows 10 does use peer-to-peer networking to distribute updates. But it can be turned off — and a tweak could actually decrease your bandwidth use.

Concern #4: Windows 10 is a privacy nightmare.
Truth: You can protect yourself by changing the defaults.

Microsoft Security — Critical Internet Explorer MS15-093 update

A “patch now” and “out-of-band” IE update was released last week to help protect users from specially crafted malformed webpage attacks as described below:

ISC link — Microsoft Security Bulletin MS15-093 – Critical Internet Explorer update

https://technet.microsoft.com/library/security/MS15-093

https://support.microsoft.com/en-us/kb/3087985
https://support.microsoft.com/en-us/kb/3081444
https://support.microsoft.com/en-us/kb/3088903

This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients

Application Security – Top Ten attack methods in 2015

The following slide slow by eWeek provides excellent security awareness in defining popular security attack methods to avoid and setup protective defenses against: 

http://www.eweek.com/security/slideshows/top-10-common-application-attacks-to-avoid.html

Today, more and more application development processes are moving onto the Web. In fact, entire productivity suites, including Google Drive, email, storage, digital credit cards, photos and more are housed there. Despite major growth in this area, the application layer remains the hardest to defend, as Web app vulnerabilities often rely on complex and hard-to-define user input scenarios. This layer is also inherently the most exposed to the outside world, due to the specific nature of the app function and its need to be accessible over HTTP or HTTPS protocols, increasing its risk for being attacked. Recent IBM X-Force research found that SQL Injection, an application attack, was responsible for 8.1 percent of all data breaches in 2014.

To defend against these attacks, developers must understand how they work and create applications with built-in software defenses. To do this, the Open Web Application Security Project (OWASP) has put together a list of the top ten common application attacks. Based on information from the IBM Security Ethical Hacking team, eWEEK examines, in descending order, which app attacks tend to occur with the most frequency and severity.

Application Security – Top Ten attack methods in 2015

#1: Injection Attacks
#2: Broken Authentication and Session Management
#3: Cross-Site Scripting
#4: Insecure Direct Object References
#5: Security Misconfiguration (non-secure server settings)
#6: Sensitive Data Exposure (no encryption)
#7:  Missing Function Level Access Control
#8: Cross-Site Request Forgery
#9: Using Components With Known Vulnerabilities
#10: Un-validated Redirects and Forwards

Windows Security – Corporate Service Account protection

The ISC shares some of the security risks associated with corporate service account and the need for best practices to protect resources so that these accounts can’t be used interactively to log in. 

ISC link – Corporate Service Account protection

Windows Service Accounts have been one of those enterprise “neccessary evils” – things that you have to have, but nobody ever talks about or considers to be a problem.  All too often, these service accounts are in the Domain Admins group, with passwords like “Service123”, “S3rvic3” or something equally lame.  And all too often, application vendors that use these services insist on just such a configuration.

Why is using actual service accounts a bad thing?  Aside from the fact that the passwords are generally set to never change, the passwords are stored in the registry, in a text format that is easily captured to arrive at the actual password.  Needless to say, this generally allows an attacker to fly under the radar and move laterally to other hosts – pillaging your AD Domain at will.

Fixing the Problem –  Microsoft has come up with a decent way to mitigate this issue.  Where possible, have your services run as “LocalSystem“, “NT AUTHORITY\LocalService” or “NT AUTHORITY\NetworkService” … These settings are run levels for services only (they can’t be used for interactive login), with differing security permissions, but NO PASSWORD.  What this means is that the service has the authority that it needs, but there isn’t a password to crack, and the account can’t be used for a normal interactive login session.

Adobe Security Updates – AUGUST 2015

Adobe has a  large release as part of their monthly security update process.  They usually release on the same day as Microsoft’s “Patch Tuesday”.  Users should patch expediently, as prompted. 

https://grahamcluley.com/2015/08/adobe-flash-patch-pronto/

https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

If you still have Adobe Flash installed on your computer, you should patch it pronto – regardless of whether you are running Windows, OS X or Linux.   Yesterday, Adobe released a Godzilla-sized patch that fixes a sea of over 30 different security vulnerabilities in Flash and Adobe AIR.   If left unpatched, it’s possible that malicious hackers could exploit the vulnerabilities to infect your computer with malware. The good news is, so far at least, Adobe hasn’t seen any evidence of the vulnerabilities being exploited in the wild.  But don’t let that fool you into thinking that patching isn’t still a high priority.

The most recent version of Flash is always available from the Flash download page.

Microsoft Security Updates – AUGUST 2015

On Tuesday, Microsoft released a large number of security bulletins for newly discovered vulnerabilities.  All home & corporate users should promptly update their systems:

http://technet.microsoft.com/en-us/security/bulletin/MS15-AUG

https://isc.sans.edu/forums/diary/August+2015+Microsoft+Patch+Tuesday/20023/

Today we released security updates to provide protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month’s security updates and advisories can be found in the Security TechNet Library.

Mozilla Firefox 40 – Third party add-ins now will require certification controls

Firefox 40 is set to “WARN only” allowing some time for 3rd party vendors to come up to speed.  Still, this is a beneficial change based on past user experiences where malware infections can more easily occur without this needed control  

Firefox Brings Fresh new Look to Windows 10 and Makes Add-ons Safer
http://www.cnet.com/uk/news/firefox-tries-to-edge-out-microsoft-in-windows-10-browser-battle/
https://blog.mozilla.org/blog/2015/08/11/firefox-brings-fresh-new-look-to-windows-10-and-makes-add-ons-safer/

Released on Tuesday, Firefox 40 is the latest version of Mozilla’s browser and the first designed with Windows 10 in mind yet with its own look and feel. The icons sport greater contrast to better stand out. The screen opens up more real estate for the actual web pages. And a minor renovation paints the top and bottom areas of the browser a more user-friendly gray instead of the standard white. There’s one more change in the new version of Firefox aimed toward beefing up security. Browser add-ons can sometimes be a source of malware, most notably those that aren’t certified. Starting with Firefox 40, Mozilla will now certify all add-ons that you attempt to install. For now, the browser will simply warn you that the add-on is uncertified, or unsigned. But in future releases, Firefox will actually disable any add-ons that are not signed.

Leadership – Ambition and Attitude are key attributes for success

John Maxwell’s blogs are an awesome free resource for IT and business leaders. This weekly article explores key attributes of successful leaders.

http://www.johnmaxwell.com/blog/whats-the-one-thing-all-successful-people-have-in-common

What’s the one thing all successful people have in common?  Some would say it’s great ability or intelligence. But we all can probably think of someone who’s not particularly talented who’s doing quite well.  Others would point to a privileged upbringing. In other words, a head start via training or opportunities that others didn’t have. But many successful people can point to very humble beginnings or to major obstacles that didn’t set them up to win in life.

And what about naked ambition? Sure, there are some very cutthroat “successes” out there, but there are also just as many kind and unselfish people who are succeeding in their field.  In my years of learning and teaching about personal growth and leadership, I believe I’ve discovered the one thing all successful people do have in common. It’s described very well by one of my favorite authors, Dale Carnegie:

“The biggest lesson I have ever learned is the stupendous importance of what we think. If I knew what you think, I would know what you are, for your thoughts make you what you are; by changing our thoughts we can change our lives.”

How we think: I believe that’s the key to success, because thinking comes before action. We can’t do things that lead to success until we think in a successful way.

Windows 10 – Improved Privacy settings for travel or other needs

This eWEEK slide show shares Windows 10 settings that can help improve privacy as needed based on how, when, and where users may need avoid risk (e.g., while traveling where greater exposures may be present)

http://www.eweek.com/security/slideshows/how-to-lock-down-windows-10s-privacy-settings.html

Windows 10 has been out for more than a week, and so far the industry’s reaction has been fairly positive. There’s a lot to like. Keyboard jockeys get a desktop experience similar to Windows 7, while users of 2-in-1s can seamlessly switch between desktop and tablet modes with the operating system’s new Continuum feature. Microsoft’s fast and minimalist Edge browser is leagues ahead of its predecessor, Internet Explorer. Virtual desktop functionality is built-in, enabling power users to configure their workspaces to their heart’s content. But as with any major Windows release, there are also some controversial aspects to Microsoft’s flagship operating system. In keeping with Microsoft’s “mobile-first, cloud-first” product strategy, Windows 10 is the company’s most cloud-connected OS to date. Features like Cortana, Microsoft’s voice-activated virtual assistant, reach out to the company’s servers when users ask about the weather or plan a road trip, causing concerns about how much the tech titan is learning about its customers. The new Wi-Fi Sense feature makes it easy to share access to a WiFi router with Facebook friends and Outlook.com contacts—a little too easy, some argue. This eWEEK slide show explores some Windows 10 settings that privacy-minded folks will want to get to know.