"Khrystos Voskres!"
(Christ is Risen!)
"Voistyno Voskres!"
(He is Truly Risen!)
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Sunday, March 31, 2013
Friday, March 29, 2013
Do you use SkyDrive only for storing photos and miscellaneous files? What about important correspondence or files containing personal information? What about sensitive files such as tax returns or copies of bank statements?
The question about sensitive information was raised in the comments of my article Moving to SkyDrive regarding the security for sensitive files on SkyDrive:
"Is Skydrive suitable as a place to sync/save sensitive information (e.g. tax/financial records) or is it just really for things like photos, unimportant Office files etc? It would make things simpler for me if I could use Skydrive to sync all my files including the sensitive ones, but I am hesitating on security grounds."In retrospect, my immediate reaction to the question was short-sighted:
"Short answer: Yes, sensitive documents (e.g. tax/financial records) saved to SkyDrive are secure. The only way to access those files is by secure logon with your Microsoft Account.Why, after reconsideration, do I consider my response short-sighted? Let's take a closer look at transporting and accessing files on SkyDrive.
That raises the reminder of ensuring that a strong/unique password is used for your Microsoft Account. For additional information regarding a strong password, see Password Generator & Checker | How Secure is my Password.
Additionally, regardless of whether anyone uses SkyDrive or not, I strongly recommend taking the steps to protect your account. This article written for "Hotmail" equally applies to the revamped Outlook.com: Hotmail Security to Protect and Recover Your Account ~ Security Garden."
Transporting Files to SkyDrive
When saving your files to SkyDrive, the method used for transport encryption of your data from your computer to SkyDrive is called Secure Socket Layer, or SSL. SSL protocol uses standard key cryptographic techniques for the communication session between the client (your computer) and server (SkyDrive).Thus, during transit from your computer to SkyDrive, your data is protected from interception and is reachable and readable only on SkyDrive. However, it is important to consider that SkyDrive does not include any additional encryption on the files after being uploaded.
Accessing Files on SkyDrive
The default setting of files saved from your computer to SkyDrive is set to "only me". Thus, no one can view your files and documents without your consent unless you intentionally select the folder and change the setting. (See this Microsoft help document for instructions on how to Share files and folders and change permissions.)In other words, the only way to access the files set to "only me" is by logging on to SkyDrive with your Microsoft Account. But, what if your Microsoft Account is compromised or if you inadvertently change the setting to public?
Another situation that could compromise the security of sensitive information is that anything uploaded via a mobile device is automatically stored in the Mobile uploads folder. Fellow Microsoft MVP, Richard Hay, discovered recently that the Mobile uploads folder in the SkyDrive cloud storage is set by default as Shared with Friends. The default setting can be changed by logging on to your SkyDrive account via your browser.
Securing Sensitive Files
There should be no concerns about security of your files stored in a private folder on SkyDrive, accessible only by you when you logon with your Microsoft Account. However, for sensitive files, you may want to add an additional layer of protection to those files.The easiest method is password protecting Microsoft Office files, illustrated in this Office support document: Protect your document, workbook, or presentation with passwords, permission, and other restrictions.
Important: Be careful to note somewhere offline the password used to protect your Office files. There is no way that Microsoft can help you retrieve forgotten passwords.
Ben Herila of Microsoft provided additional methods of protecting your data on SkyDrive in his post in How secure are files on SkyDrive?:
"Some examples of methods that will protect your data on SkyDrive include:For particularly sensitive information, I suggest you read both How secure are files on SkyDrive? and Microsoft account, Hotmail, SkyDrive.
- Password protected RAR or 7Z archives
- Password protected Office 2010+ documents or
- PDF documents with AES-256 encryption PGP-encrypted files"
~ ~ ~ ~ ~ ~
As a SkyDrive Insider, I am excited to share information about SkyDrive. If you have a question about this post, please leave a comment and I'll do my best to assist.
Learn more about the SkyDrive Insiders program here.
References
- Download SkyDrive Desktop App for Windows
- Download SkyDrive Apps
- Mobile Uploads Folder on SkyDrive Shared with Friends By Default
- New Videos Highlight Fundamentals of Service Reliability - Cloud Computing | Microsoft Trustworthy Computing Blog
- SkyDrive Help & How-to
- SkyDrive Status: https://status.live.com/
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Monday, March 18, 2013
Service Pack 1 (SP1) for Windows 7 was released over two years ago. Yet, there are many home computers that do not yet have it installed.
Windows 7 SP1 is a collection of security patches and non-security fixes, it also includes client-side support for RemoteFX and Dynamic Memory. More importantly, Windows 7 computers without SP1 installed reach "end of support" on April 9, 2013.
Due to the importance of Windows 7 SP1, it is being added to Automatic Updates starting March 19, 2013.
How to Determine if You Need SP1
Many Security Garden readers are comfortable moving around their computer, but others are not as experienced. For those readers who have no idea whether SP1 has been installed on their computer, here is how to find out.- Click Start and in the search box type winver
- Double-click winver.exe in the Programs list in the search results.
- About Windows will open. Look for Service Pack 1 as highlighted in this image:
If you see Service Pack 1, you are all set. On the other hand, if SP1 is not installed, it is very important to get it installed.
Installing Windows 7 SP1
In addition to the information provided in the Microsoft help document Learn how to install Windows 7 Service Pack 1 (SP1), linked below, note the following additional suggestions:- Make sure your computer is malware free. Run an updated scan with your antivirus and anti-malware software program.
- Back up important files to an external location (USB, CD, DVD, etc.)
- Some security programs may interfere with the installation so it is suggested that you temporarily disable them. Do not disable your Firewall. If you are unsure how to disable your security software, see the instructions in How to disable your security applications at the Tech Support Forum.
- If you are using a laptop, be sure to be plugged in to an electrical outlet rather than a wireless connection.
Problems Installing SP1 or other Windows Updates
In the event you have a problem installing the Service Pack, download and run the System Update Readiness Tool (SURT). Have patience because the tool may take as long as an hour to run. Windows 7 32-bit (x86) | ||
| Windows 7 64-bit (x64) |
Note: To determine whether you have a 32-bit or 64-bit operating system do the following:
- Click Start and type system in the search box.
- Click system in the Programs list.
- The operating system will be displayed as either a 32-bit Operating System or a 64-bit Operating System.
References
- Learn how to install Windows 7 Service Pack 1 (SP1)
- Windows 7 SP1 to start rolling out on Windows Update
- Windows 7 Support LifecCycle
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Tuesday, March 12, 2013
Microsoft released seven (7) bulletins. Four bulletins are identified as Critical with three bulletins rated Important.
The critical bulletins address 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Server Tools, and Silverlight. The bulletins rated Important address issues in Microsoft Windows and Office.
With today's Windows Update, Internet Explorer 10 in Windows 8 and Windows RT is being updated to enable Flash content to run by default. On Windows 8, all Flash content continues to be enabled for IE on the desktop. Additional information is available in the IE Blog post,
Included in updates today is an update addressing an issue in the Kernel-Mode Drivers where an attacker could own your machine by inserting a malicious USB device. In this scenario, logging on to the machine is not required. Additional details about the update are available in the below-linked MSRC Blog post.
| Bulletin Number | Bulletin Title | Bulletin KB |
|---|---|---|
| MS13-021 | Cumulative Security Update for Internet Explorer | 2809289 |
| MS13-022 | Vulnerability in Microsoft Windows | 2814124 |
| MS13-023 | Vulnerability in Microsoft Office | 2801261 |
| MS13-024 | Vulnerabilities in Microsoft Office | 2780176 |
| MS13-025 | Vulnerability in Microsoft Office | 2816264 |
| MS13-026 | Vulnerability in Microsoft Office | 2813682 |
| MS13-027 | Vulnerabilities in Microsoft Windows | 2807986 |
Support
The following additional information is provided in the Security Bulletin:- The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support
References
- MSRC: Evolving Response and the March 2013 Bulletin Release
- TechNet: Microsoft Security Bulletin Summary for March 2013
- Security and Safety Center: Microsoft security updates for March 2013
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
With today's Windows Update, Internet Explorer 10 in Windows 8 and Windows RT is being updated to enable Flash content to run by default. On Windows 8, all Flash content continues to be enabled for IE on the desktop. Additional information is available in the IE Blog post,
Adobe Flash Player was updated today to address critical security vulnerabilities. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Update Information
The newest versions are as follows: Windows and Macintosh: 11.6.602.180
Linux: 11.2.202.275
Android 4x: 11.1.115.48
Android 3x and lower: 11.1.111.44
Adobe AIR 3.6.0.6090
Release date: March 12, 2013
Vulnerability identifier: APSB13-09
CVE number: CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
Platform: All Platforms
Flash Player Update Instructions
Flash Player for Windows, Macintosh and Linux
Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.
- Non-IE (Opera, Firefox, Etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
- Windows XP, Vista and 7:
Flash Player For Internet Explorer 7, 8, 9, 10: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
Windows 8:
Flash Player for Internet Explorer 10: Microsoft updated Security Advisory 2755801. If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994). - Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
Notes:
- If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box. It is not needed for the Flash Player update.
- Uncheck any toolbar offered with Adobe products if not wanted.
- If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
- The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.
Verify Installation
To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.Do this for each browser installed on your computer.
To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
References
- Adobe Priority Ratings
- Adobe Security Advisory: Security updates available for Adobe Flash Player
- AIR Download Center
- PSIRT Blog: Security updates available for Adobe Flash Player (APSB13-09)
- Release Notes: Flash Player® 11.5 AIR® 3.5
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Thursday, March 7, 2013
The CanSecWest security conference is underway and Firefox fell along with others. However, Mozilla developers quickly diagnosed the issue, built a patch, validated the fix and the resulting builds, and Firefox version 19.0.2 has been sent to the release channels.
What’s New
FIXED -- 19.0.2: Security-driven release, see details in the associated security advisoryUpdate
To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu.If you do not use the English language version, Fully Localized Versions are available for download.
References
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
On Tuesday, March 12, 2013, Microsoft is planning to release seven (7) bulletins. Four bulletins are identified as Critical with three bulletins rated Important.
The critical bulletins will address vulnerabilities in Microsoft Silverlight, Internet Explorer, Office, and Microsoft Server Software. The bulletins rated Important and will address issues in Microsoft Windows and Office.
As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
References
- MSRC Blog: Advance Notification Service for March 2013 Security Bulletin Release
- TechNet: Microsoft Security Bulletin Advance Notification for March 2013
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Tuesday, March 5, 2013
WinPatrol users who experienced the recent problem with crashes will be happy to learn that the source of the problem has been tracked down and resolved. For information about the crash problem, see Hackers Steal WinPatrol Data Already Available.
As Bill Pytlovany explained: The WinPatrol update includes a layer of protection that will discourage any future attacks and crash safely. If an error occurs for any reason, Scotty will continue to be graceful in his behavior so other programs will never at risk of losing work currently in progress.
With the release of v27.0.2013, WinPatrol now includes a long-requested feature of new version update notifications:
Download WinPatrol 27.0.2013
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Monday, March 4, 2013
Unfortunately, there are programs that require Java in order to function. In the event you are not in a position to uninstall Java, please update to the latest version, Java 7 Update 17 (correct, Version 16 was skipped).
Although Oracle was planning to wait until April to update Java to address CVE-2013-1493, Java 7 Update 17 was released by Oracle today. Security Alert CVE-2013-1493 addresses two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).
If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.
Java Security Recommendations
Although Oracle changed Java security settings to “high” by default, it is advised that users of Java confirm the setting.With the setting at high, you will be prompted to authorize the execution of applets which are either unsigned or are self-signed, thus providing the ability to deny the execution of a potentially malicious applet.
Changing the setting to "Very High" will result in unsigned (sandboxed) apps not being able to run.
1) In the Java Control Panel, set the security to high.
2) Keep Java disabled until needed. Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
 |
| (Image via Sophos Naked Security Blog) |
3) If you use Firefox, install NoScript and only allow Java on those sites where it is required.
Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml
Download Information
Download link: Java Version 7 Update 17Verify your version: http://www.java.com/en/download/testjava.jsp
Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
Critical Patch Updates
For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:- 16 April 2013
- 18 June 2013
- 15 October 2013
- 14 January 2014
References
- Java, The Never-Ending Saga
- Java SE 7 Update Release Notes
- Critical Patch Updates, Security Alerts and Third Party Bulletin
- The Oracle Software Security Assurance Blog: Security Alert CVE-2013-1493 Released
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Subscribe to:
Comments (Atom)
