Posts Tagged ‘Security’

Q&A: Mobile app security should not be an afterthought

Written by admin
February 13th, 2016

As enterprises struggle to keep up with their internal demand for mobile apps, more are turning to rapid development workflows. What does this mean for security?

As enterprises struggle to keep up with their internal demand for mobile apps, more are turning to faster development workflows such as the Minimum Viable Product (MVP), which essentially calls for mobile development teams to focus on the highest return on effort, weighed against risk, when choosing which apps to develop and which features to build within them. That is: focus on apps and capabilities that users are actually going to use and skip those apps and features they won’t.

Sounds simple, but what does that mean when it comes to security? We know application security is one of the most important aspects of data security, but if software teams are moving more quickly than ever to push apps out, security and quality assurance need to be along for the process.

The flip side is that minimum apps and features could mean less attack surface. To get some answers on the state of mobile app security and securing the MVP, we reached out to Isaac Potoczny-Jones, research lead for computer security at Galois, a computer security research and development firm.

Potoczny-Jones has been a project lead with Galois since 2004 and is an active open source developer in cryptography and programming languages. He has led many successful security and identity management projects for government organizations including the Navy and DOD, DHS, federated identity for the Open Science Grid (DOE), mobile password-free authentication (DARPA), and authentication for anti-forgery in hardware devices (DARPA).

Please tell us a little about Galois and your role there in security.

Galois is a computer security research and development firm out here in Portland, Ore. We do a lot of work with the US federal government, we’ve been around since 1999 and I’ve been here for 11 years now. I think a lot about this topic; I really appreciate, and employ myself, the lean methodologies for product development, and I love the lean startup approach. I also do security analysis for companies, so I’ve gone into a number of start-ups too and looked at their security profile for their products or their infrastructure, and helped them to develop a security program. I’ve definitely seen both sides of the issue as far as where MVP thinking leads you.

What are you seeing within organizations today when it comes to mobile security?

There’s definitely a lot more development in mobile happening. The best practices in mobile aren’t as well developed as best practices for the web. That’s getting a little bit better. Consider HTTPS. What we saw for quite some time was something that on the Web is relatively straightforward, which HTTPS is. People were doing it wrong on mobile for years before anyone really noticed. There’s a lot you can get wrong with HTTPS, and they were getting it all wrong. As people move over to mobile they are definitely having to relearn some of the lessons we learned over the years.

Password security is another one of those. People began to make passwords on websites a lot more robust. You can’t just have a four or five letter password anymore on most websites. But because mobile devices are so difficult to type passwords into, a lot of sites have relaxed those password rules. In reality, the threat is just the same as it always has been.

What impact do you see from the minimum viable product, or minimum viable app, trend?

On the MVP front, there’s a very fascinating challenge with security because security is a non-functional requirement. I tend to like the lean scrum methodology. I don’t know if you’re familiar with that one, but I can use that one as an example. They’re all kind of similar in some ways. They emphasize features, they emphasize things the users can see. They emphasize testing out ideas, and getting them into the market. Testing them, gathering metrics about how effective they are, and using that as feedback into the product. That’s a really good idea about how to develop a product. But even just the terminology, minimum viable product, is really emphasizing minimizing.

It emphasizes getting rid of what you don’t need. Those things together, minimizing things and really having an emphasis on what the user can do and see, that makes it so that non-functional requirements are kind of an afterthought. You have to squint to figure out how to apply non-functional requirements like security to a lot of these processes like scrum.

I would imagine with an MVP teams want to move the app out as quickly as possible, so they don’t want to spend a lot of time threat modeling and going through a lot of additional process, because that’s all adding to more development time. So there seems to be a natural friction between the goals of MVP and good security.

It’s absolutely a friction. It’s challenging because security is mostly invisible. That means good security and bad security look exactly the same, until something goes wrong. Security is really visible when something is broken or somebody gets hacked and then you make the news. Then it kind of blows up in your face. We’ve seen this a few times. I don’t know how many start-ups it’s killed, it’s probably killed a few, but it’s definitely cost a lot of start-ups when their first major news coverage is that they were hacked.

What are some ways organizations can ease that tension when it exists? Is there a way to bring security in so it’s not too obtrusive? Is there a way to separate out apps by data type? And possibly greenlight MVP apps that don’t touch more sensitive data, and give a closer look at those apps that do?

I think that’s a good approach. As you point out, one way is to say, let’s see if we can do an MVP with data that’s not as sensitive so you won’t have to focus as strongly on security. Nowadays, it’s a little more challenging. Even the minimum things you do you will need security. It kind of doesn’t matter what your data is, you will get targeted, you will get attacked, and even if it’s just with these automated bots that run around the Internet attacking everything. They’ll use your infrastructure for sending spam at the very least, if that’s all they can do. To me, the approach is you have to implement some of the industry best practices as far as the OWASP Top 10. You have to believe that security is an important part of a minimum viable product to start to even begin to get these user stories in there.

What I like to tell people is think about user stories, even negative user stories, things like: as a user, I don’t want to see my personal information leaked on the internet because I’ve shared something sensitive in your app or your website, I’ve stored something sensitive in your website. I don’t want to see that in the hands of people who will use my private information against me.

That sounds like something a security team could put a guide together, or put in place a checkpoint on whether an app can go through. For instance, if the app has certain conditions that are true, or one of these conditions that are true, the app has to go through a security review. If not, it’s OK for a security light approach within certain guidelines.

That’d be perfect. Typically these lean approaches have at least some kind of testing methodology built in, or acceptance testing. Or, as some of them say, “What’s your definition of ‘done’?” The first step is just saying, “We’re going to include security in these definitions of done,” and once you’ve at least penetrated that level, which I don’t think a lot of people have, but once they get that, then they’re going to at least do the right things. You’re either going to start to build it into the user stories or into the acceptance testing.

But you can’t leave it to just be at the end of the process. If you leave security acceptance testing toward the end, naturally your schedule is going to slip. Then you’ll get to the security testing and find there’s a lot more work to do. Then you’ll be in this unfortunate decision of either having to fix things and let your schedule slip, or choose to let something go out the door that’s not secure.

The real tragedy is when a system is kind of inherently insecure, it was built in a really insecure way that requires major rework, because you didn’t think about security at the beginning. A lot of things are easy to add at the end with security, but sometimes you run into systems that are just kind of broken from the foundation. As with any of these things, the later you catch it, the costlier it’s going to be.

If you’re looking at your to-do list, whatever that to-do list is, whether it’s a list of stories or a big list of tasks and action items, you should be recognizing some security issues in there, as you go. You’ll get to a point, you’re developing something and one of your developers hopefully will say, “Well, look, our system is vulnerable to whatever cross-site request forgery, cross-site scripting attack, which any system that’s not designed to protect against it is going to be.”

If you look at your bug list, you should see that pop up there at some point. Some of these security issues will come up during development, because nothing will be perfect. That’ll be an early indicator.

If you don’t have anything, if you look at your bug list and you don’t see anything, if your developers aren’t actively talking about security or saying, “We’re going to have to add some tasks for security,” you’re going to say, “Well, I want to add that feature for you but that’s going to have an impact on security.” If you’re not hearing it as part of the conversation, then there’s going to be a problem.
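Potoczny-Jones’s point above that mobile apps spent years “getting it all wrong” with HTTPS is usually three concrete mistakes: accepting any certificate chain, skipping the hostname check, and allowing old protocol versions, typically because a self-signed development server had to work and the shortcut shipped. The following is an added example, not code from the article or from Galois, that puts the weak client configuration beside the corrected one and audits both; the two context builders and the audit function are assumptions written for this illustration.

```python
"""
Added example: audit a TLS client configuration for the common HTTPS
mistakes made in mobile clients. Nothing here is from the article or from
Galois; both contexts below are constructed for illustration.
"""
import ssl
from typing import List


def insecure_client_context() -> ssl.SSLContext:
    """The 'it works against our self-signed dev server' configuration that
    then ships to production: no chain validation, no hostname check, and
    whatever minimum protocol version the library happens to allow."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, valid or not, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration: validate the chain against the platform
    trust store, check the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings for a client context; empty means it passes.

    Each check corresponds to one way an app can 'use HTTPS' and still be
    open to an on-path attacker (a hostile hotspot, a coffee-shop proxy).
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: the server's certificate chain "
            "is never validated, so any attacker-generated certificate works")
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is disabled: a certificate that is valid for some "
            "other name (e.g. one the attacker legitimately owns) is accepted")
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) compares below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            "minimum_version permits TLS < 1.2: downgrade to legacy protocol "
            "versions is possible")
    return findings


if __name__ == "__main__":
    for name, builder in (("insecure", insecure_client_context),
                          ("hardened", hardened_client_context)):
        print(f"{name}: {audit_tls_context(builder()) or 'no findings'}")
```

Run the audit against whatever context the app actually hands to its HTTP library rather than against a fresh one; the bugs this catches live in the code path that silences the first certificate error, not in the defaults.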


Newly hired graduates are often technology savvy, but not very enterprise security savvy. That can be a dangerous combination.

Newly hired college grads are a particular security risk to your organization, and special measures need to be taken to manage this “graduate risk.”

That’s the view of Jonathan Levine, CTO of Intermedia, a Calif.-based cloud services provider whose customers employ many recent graduates.

“The problem is that new graduates are often very computer savvy, but unfortunately they are not enterprise savvy,” he says. That’s different from what was the case in the past, certainly when many current CIOs took their first jobs, when most graduates knew nothing about computers or the security requirements of the organizations they were joining.

He points out that from middle school or even earlier students use apps to do their school work, and use various services to share documents. But they are rarely educated about corporate requirements like information security and confidentiality.

“Coupling a technical literacy in tools like Dropbox and Snapchat with a naiveté about the way that enterprises need to operate is a dangerous combination,” Levine warns.

That means it’s your IT department’s or security team’s responsibility to provide security education to graduates. This should warn them of the dangers of using consumer services, such as cloud storage or webmail, that generally offer inadequate auditing, management capabilities and security for use in an enterprise environment.

“Data loss is a big risk that graduates can introduce when they come from an academic environment,” Levine says. “They come from an environment where information wants to be free and open source programming is common, to the corporate world where we want some sorts of information to be free – and some definitely not to be free.

“We may want information to be shared, but we need to be able to know who is accessing it,” he adds.

Graduates also introduce a disproportionate risk that information useful to hackers may be shared on social media services such as Facebook or Twitter. That’s simply because they’re accustomed to using these services without thinking about the security implications of what they’re making public.

While educating graduates is key, making sure that they put what they learn into practice is also important. Here are six ways you can help ensure that this happens:

1. Judge graduates on the security they practice. Newly hired graduates usually undergo some sort of appraisal or performance review process on a regular basis. This provides the opportunity to make security – and adherence to security practices – a goal that new hires can be evaluated on.

2. Gamify security. Despite the name, this does not involve turning security into a game. Rather, it involves running incentivized security awareness programs.

This approach encourages graduates to attend security courses or gain security qualifications – which may just be internal courses or qualifications run or awarded by the IT department.

As graduates progress they can be awarded points that earn rewards appropriate to the organization, such as certificates, prizes, corporate perks or monetary bonuses.

3. Monitor graduate behavior. This adheres to the old adage of “trust but verify.” The idea is that the IT department should monitor certain aspects of graduates’ IT usage so that their managers can better understand how well they are adhering to security best practices, and intervene when necessary.

4. Make security easy. One way to reduce graduates’ temptation to use consumer services is to ensure that there are enterprise-grade alternatives that are attractive and easy to use.

So while it may be hard to get a graduate who has grown up with Gmail to start using an email client like Outlook that they may see as ugly and unwieldy, it may be easier to wean graduates off Gmail by providing alternatives. This could be something as simple as Outlook Web Access, or a more sophisticated alternative like offering access to Exchange data on a mobile device such as an iPhone or Android tablet using ActiveSync.

5. Run a security event. As an example, Levine says Intermedia runs a “Hacktober” event every fall. During the event the security team does everything that it has warned graduates against, such as leaving USB keys around (containing harmless “malware”) and sending out phishing emails (which also do no real harm).

The team can then contact any graduates who pick up and use these USB sticks or who respond to the phishing emails, and graduates can gain kudos by reporting that they have spotted these planted USB devices or phishing emails.

6. Quick win. If there’s one single thing you can do to make a big difference, Levine believes it is to drum into new graduates that they need to use separate passwords for each corporate system or application that they log in to.

It’s important to make sure that these are different to any passwords they use to provide access to consumer services. That’s because consumer services are tempting targets for hackers because they often have poor security, and if a hacker can get a password from a consumer service that’s also used in a corporate environment then that presents a significant security risk.
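Points 3 and 4 above (monitor how new hires actually use IT, and notice when they reach for consumer cloud storage or webmail instead of the enterprise alternative) are the kind of thing a proxy log can answer directly. The following is an added example, not from the article or from Intermedia: it runs simple detection logic over a few constructed web-proxy log lines. The log layout (Squid-style access.log with the authenticated user in the eighth field), the list of consumer services, the user names and the upload-size threshold are all assumptions made for the illustration.

```python
"""
Added example: flag uploads to consumer cloud/webmail services in a web
proxy log. The sample lines, the service list and the threshold are
constructed for this illustration; adapt them to your own proxy's format.
"""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample log (assumed Squid-style layout):
# <epoch> <elapsed_ms> <client_ip> <result> <bytes> <method> <url> <user> <hier>
SAMPLE_LOG = """\
1455321600.101 120 10.1.4.22 TCP_MISS/200 1843 GET https://mail.corp.example/owa/ jdoe -
1455321660.412 880 10.1.4.22 TCP_MISS/200 5242880 POST https://www.dropbox.com/upload jdoe -
1455321700.003 64 10.1.4.23 TCP_MISS/200 2210 GET https://intranet.corp.example/ asmith -
1455321760.555 910 10.1.4.23 TCP_MISS/200 2097152 POST https://mail.google.com/mail/u/0/?upload asmith -
1455321800.777 55 10.1.4.24 TCP_MISS/200 1024 GET https://www.dropbox.com/home bchen -
1455321860.900 70 10.1.4.25 TCP_MISS/200 512 GET https://www.example.org/ dlee -
"""

# Assumed list of consumer services the policy warns about (extend as needed).
CONSUMER_SERVICES = {
    "dropbox.com": "consumer cloud storage",
    "mail.google.com": "consumer webmail",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<ip>\S+)\s+\S+\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)")

UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_THRESHOLD = 1024 * 1024  # 1 MiB: below this a POST is usually a form, not a file


def classify_host(host: str) -> str:
    """Return the service category for a host, matching subdomains too."""
    for domain, category in CONSUMER_SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return category
    return ""


def scan_proxy_log(text: str) -> Dict[str, List[dict]]:
    """Group findings per user. Each finding records severity, host and size.

    'upload' = a large POST/PUT to a consumer service (possible data loss);
    'usage'  = any other request to one (policy awareness, lower priority).
    """
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unexpected line; skip rather than crash
        host = urlsplit(m["url"]).hostname or ""
        category = classify_host(host)
        if not category:
            continue
        size = int(m["bytes"])
        is_upload = m["method"] in UPLOAD_METHODS and size >= UPLOAD_THRESHOLD
        findings[m["user"]].append({
            "severity": "upload" if is_upload else "usage",
            "host": host, "category": category, "bytes": size,
        })
    return dict(findings)


def users_with_uploads(findings: Dict[str, List[dict]]) -> List[str]:
    """Users who moved a large request body to a consumer service."""
    return sorted(u for u, items in findings.items()
                  if any(f["severity"] == "upload" for f in items))


if __name__ == "__main__":
    result = scan_proxy_log(SAMPLE_LOG)
    for user, items in result.items():
        for f in items:
            print(f"{user}: {f['severity']:6} {f['category']} ({f['host']}, {f['bytes']} bytes)")
```

The byte count is the signal worth keeping: a GET to a storage site is a policy conversation, a multi-megabyte POST to one from a new hire's workstation is a data-loss investigation, and the two should not land in the same queue.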



Machine intelligence can be used to police networks and fill gaps where the available resources and capabilities of human intelligence are clearly falling short

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Humans are clearly incapable of monitoring and identifying every threat on today’s vast and complex networks using traditional security tools. We need to enhance human capabilities by augmenting them with machine intelligence. Mixing man and machine – in some ways, similar to what OmniCorp did with RoboCop – can heighten our ability to identify and stop a threat before it’s too late.

The “dumb” tools that organizations rely on today are simply ineffective. There are two consistent, yet still surprising, things that make this ineptitude fairly apparent. The first is the amount of time hackers have free rein within a system before being detected: eight months at Premera and P.F. Chang’s, six months at Neiman Marcus, five months at Home Depot, and the list goes on.

The second surprise is the response. Everyone usually looks backwards, trying to figure out how the external actors got in. Finding the proverbial leak and plugging it is obviously important, but this approach only treats a symptom instead of curing the disease.

The disease, in this case, is the growing faction of hackers that are getting so good at what they do they can infiltrate a network and roam around freely, accessing more files and data than even most internal employees have access to. If it took months for Premera, Sony, Target and others to detect these bad actors in their networks and begin to patch the holes that let them in, how can they be sure that another group didn’t find another hole? How do they know other groups aren’t pilfering data right now? Today, they can’t know for sure.

The typical response
Until recently, companies have really only had one option as a response to rising threats, a response that most organizations still employ. They re-harden systems, ratchet up firewall and IDS/IPS rules and thresholds, and put stricter web proxy and VPN policies in place. But by doing this they drown their incident response teams in alerts.

Tightening policies and adding to the number of scenarios that will raise a red flag just makes the job more difficult for security teams that are already stretched thin. This causes thousands of false positives every day, making it physically impossible to investigate every one. As recent high profile attacks have proven, the deluge of alerts is helping malicious activity slip through the cracks because, even when it is “caught,” nothing is being done about it.

In addition, clamping down on security rules and procedures just wastes everyone’s time. By design, tighter policies will restrict access to data, and in many cases, that data is what employees need to do their jobs well. Employees and departments will start asking for the tools and information they need, wasting precious time for them and the IT/security teams that have to vet every request.

Putting RoboCop on the case
Machine intelligence can be used to police massive networks and help fill gaps where the available resources and capabilities of human intelligence are clearly falling short. It’s a bit like letting RoboCop police the streets, but in this case the main armament is statistical algorithms. More specifically, statistics can be used to identify abnormal and potentially malicious activity as it occurs.

According to Dave Shackleford, an analyst at SANS Institute and author of its 2014 Analytics and Intelligence Survey, “one of the biggest challenges security organizations face is lack of visibility into what’s happening in the environment.” The survey of 350 IT professionals asked why they have difficulty identifying threats and a top response was their inability to understand and baseline “normal behavior.” It’s something that humans just can’t do in complex environments, and since we’re not able to distinguish normal behavior, we can’t see abnormal behavior.

Instead of relying on humans looking at graphs on big screen monitors, or human-defined rules and thresholds to raise flags, machines can learn what normal behavior looks like, adjusting in real time and becoming smarter as they process more information. What’s more, machines possess the speed required to process the massive amount of information that networks create, and they can do it in near-real time. Some networks process terabytes of data every second, while humans, on the other hand, can process no more than 60 bits per second.

Putting aside the need for speed and capacity, a larger issue with the traditional way of monitoring for security issues is rules are dumb. That’s not just name calling either, they’re literally dumb. Humans set rules that tell the machine how to act and what to do – the speed and processing capacity is irrelevant. While rule-based monitoring systems can be very complex, they’re still built on a basic “if this, then do that” formula. Enabling machines to think for themselves and feed better data and insight to the humans that rely on them is what will really improve security.

It’s almost absurd to not have a layer of security that thinks for itself. Imagine in the physical world if someone was crossing the border every day with a wheelbarrow full of dirt and the customs agents, being diligent at their jobs and following the rules, were sifting through that dirt day after day, never finding what they thought they were looking for. Even though that same person repeatedly crosses the border with a wheelbarrow full of dirt, no one ever thinks to look at the wheelbarrow. If they had, they would have quickly learned he’s been stealing wheelbarrows the whole time!

Just because no one told the customs agents to look for stolen wheelbarrows doesn’t make it OK, but as they say, hindsight is 20/20. In the digital world, we don’t have to rely on hindsight anymore, especially now that we have the power to put machine intelligence to work and recognize anomalies that could be occurring right under our noses. In order for cyber-security to be effective today, it needs at least a basic level of intelligence. Machines that learn on their own and detect anomalous activity can find the “wheelbarrow thief” that might be slowly siphoning data, even if you don’t specifically know that you’re looking for him.
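The contrast the article draws, a human-written “if bytes > X then alert” rule versus a baseline of “normal” learned per entity, can be shown in a few dozen lines. The following is an added example, not code from the article or from any vendor: it builds a constructed history of hourly outbound byte counts for two hosts, then scores new observations with a static threshold and with a per-host robust z-score (median and median absolute deviation, so a few bad hours in the history do not poison the baseline). A workstation that suddenly sends 40 MB in an hour is nowhere near a global 1 GB rule, but it is far outside its own baseline; the backup server’s 560 MB hour is loud in absolute terms and ordinary for that host. The host names, volumes, window length and thresholds are assumptions made for the illustration.

```python
"""
Added example: per-host learned baselines versus a single static rule for
outbound volume. All history and events are constructed for illustration.
"""
import random
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

MB = 1024 * 1024


def build_history(seed: int = 7) -> Dict[str, List[float]]:
    """Constructed training data: 14 days of hourly outbound bytes per host,
    as if summarized from flow logs. Two hosts with very different 'normal'."""
    rng = random.Random(seed)
    profiles = {
        "ws-finance-17": (2 * MB, 0.5 * MB),     # an ordinary workstation
        "backup-02": (500 * MB, 50 * MB),        # a backup server, always busy
    }
    history: Dict[str, List[float]] = defaultdict(list)
    for host, (mean, sd) in profiles.items():
        for _ in range(14 * 24):
            history[host].append(max(0.0, rng.gauss(mean, sd)))
    return dict(history)


def static_rule(events: List[Tuple[str, float]], threshold: float = 1024 * MB) -> List[str]:
    """The 'dumb' rule: one threshold for every host, set by a human."""
    return [host for host, outbound in events if outbound > threshold]


def robust_zscore(x: float, samples: List[float]) -> float:
    """Z-score around the median, scaled by MAD (0.6745 * MAD ~ sigma for
    Gaussian data). Outliers in the history barely move median or MAD."""
    med = statistics.median(samples)
    mad = statistics.median(abs(s - med) for s in samples)
    if mad == 0:
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / mad


class BaselineDetector:
    """Learns what each host normally does and flags departures from that."""

    def __init__(self, history: Dict[str, List[float]],
                 z_threshold: float = 6.0, min_samples: int = 24):
        self.history = {h: list(v) for h, v in history.items()}
        self.z_threshold = z_threshold
        self.min_samples = min_samples

    def score(self, host: str, outbound: float) -> dict:
        samples = self.history.get(host, [])
        if len(samples) < self.min_samples:
            # Not enough history to say what 'normal' is; do not guess.
            self.history.setdefault(host, []).append(outbound)
            return {"host": host, "z": None, "anomalous": False,
                    "reason": "no baseline yet"}
        z = robust_zscore(outbound, samples)
        anomalous = z > self.z_threshold
        if not anomalous:
            samples.append(outbound)  # keep learning from ordinary hours only
        return {"host": host, "z": round(z, 1), "anomalous": anomalous,
                "reason": "above per-host baseline" if anomalous else "within baseline"}


def detect(history: Dict[str, List[float]],
           events: List[Tuple[str, float]]) -> List[str]:
    """Hosts flagged by the learned baseline for the given (host, bytes) events."""
    det = BaselineDetector(history)
    return [host for host, outbound in events if det.score(host, outbound)["anomalous"]]


if __name__ == "__main__":
    hist = build_history()
    evts = [("ws-finance-17", 40 * MB), ("backup-02", 560 * MB), ("new-host", 3 * MB)]
    print("static rule flags:  ", static_rule(evts))   # nothing: all under 1 GB
    print("baseline flags:     ", detect(hist, evts))  # the workstation only
```

Two design choices carry the point: the baseline is per entity, because 40 MB means nothing until you know whose 40 MB it is, and only non-anomalous hours are folded back into the history, so a slow “wheelbarrow thief” cannot teach the detector that exfiltration is normal by doing it every day.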

Anomaly detection is among the first technology categories where machine learning is being put to use to enhance network and application security. It’s a form of advanced security analytics, which is a term that’s used quite frequently. However, there are a few requirements this type of technology must meet to truly be considered “advanced.” It must be easily deployed to operate continuously, against a broad array of data types and sources, and at huge data scales to produce high fidelity insights so as not to further add to the alert blindness already confronting security teams.

Leading analysts agree that machine learning will soon be a “need to have” in order to protect a network. In a Nov. 2014 Gartner report titled, “Add New Performance Metrics to Manage Machine-Learning-Enabled Systems,” analyst Will Cappelli directly states, “machine learning functionality will, over the next five years, gradually become pervasive and, in the process, fundamentally modify system performance and cost characteristics.”

While machine learning is certainly not a silver bullet that will solve all security challenges, there’s no doubt it will provide better information to help humans make better decisions. Let’s stop asking people to do the impossible and let machine intelligence step in to help get the job done.




Open-source software projects are often well intended, but security can take a back seat to making the code work.

OpenDaylight, the multivendor software-defined networking (SDN) project, learned that the hard way last August after a critical vulnerability was found in its platform.

It took until December for the flaw, called Netdump, to get patched, a gap in time exacerbated by the fact that the project didn’t yet have a dedicated security team. After he tried and failed to get in touch with OpenDaylight, the finder of the vulnerability, Gregory Pickett, posted it on Bugtraq, a popular mailing list for security flaws.


Although OpenDaylight is still in the early stages and generally isn’t used in production environments, the situation highlighted the need to put a security response process in place.

“It’s actually a surprisingly common problem with open-source projects,” said David Jorm, a product security engineer with IIX who formed OpenDaylight’s security response team. “If there are not people with a strong security background, it’s very common that they won’t think about providing a mechanism for reporting vulnerabilities.”

The OpenDaylight project was launched in April 2013 and is supported by vendors including Cisco Systems, IBM, Microsoft, Ericsson and VMware. The aim is to develop networking products that remove some of the manual fiddling that administrators still need to do with controllers and switches.

Having a common foundation for those products would help with compatibility, as enterprises often use a variety of networking equipment from many vendors.

Security will be an integral component of SDN, since a flaw could have devastating consequences. By compromising an SDN controller—a critical component that tells switches how data packets should be forwarded—an attacker would have control over the entire network, Jorm said.

“It’s a really high value target to go after,” Jorm said.

The Netdump flaw kicked OpenDaylight into action, and now there is a security team in place from a range of vendors who represent different projects within OpenDaylight, Jorm said.

OpenDaylight’s technical steering committee also recently approved a detailed security response process modeled on one used by the OpenStack Foundation, Jorm said.

If a vulnerability is reported privately and not publicly disclosed, some OpenDaylight stakeholders—even those who do not have a member on the security team—will get pre-notification so they have a chance to develop a patch, Jorm said. That kind of disclosure is rare, though it is becoming more common with open-source projects.

The idea is that once a flaw is disclosed, vendors will generally be on the same page and release a patch around the same time, Jorm said.

OpenDaylight’s security response process is “quite well ironed out now,” Jorm said.


I like the IBM Edge conference because it tries to showcase how infrastructure can provide a large company with a competitive edge. While the event clearly contains content on IBM products and services, the emphasis appears to be on getting things. This year’s event also offered a snapshot of how IBM is adapting to address one of the most massive changes the technology market has yet made.

Remember, the Fountain of Youth Is a Myth
Perhaps the strongest metaphor for the problem that IBM faces was the opener for the first keynote talk: A brilliant guitarist who’s only 11 and has been playing for just three years. (I found that personally depressing.) An older musician soon joined him; he was able to keep up, and perhaps even outplay him, thanks to his experience.

This older musician represents IBM’s potential. IBM can never again be an amazing young company, but its experience and history should let it step up and at least match any young firm. The key here is that the older musician matched the younger musician’s tune and didn’t try to step in with classic rock. IBM must be agile enough to play as well as the young companies entering the market to make its experience seem like an advantage.

As the youngster left the stage, and he was asked who he wanted to be like, he said he just wanted to be himself. There’s the problem with the young company – it’s still trying to figure out what it will be. That’s a painful path that the older company has already completed. IBM knows what it is – and that’s the sustaining advantage that any older company must remember. IBM’s most iconic CEO, Thomas Watson Jr., said it best: To succeed, you have to be willing to change everything but who you are.

IBM Partnerships, Products Position Company Well
Perhaps IBM’s most powerful and interesting move was the sale of the IBM System X group to Lenovo. This goes to the heart of the “change everything” part of the equation. System X wasn’t working inside IBM. Lenovo’s own server group represents an increasing threat, but it’s not growing very quickly. System X brings low margin to IBM, but Lenovo is a low-margin company, so it could take this division and actually increase its margins. In short, IBM is trying to eat its cake and have it, too.

In addition, the ongoing drama between the U.S. and China on data security makes it nearly impossible for U.S. companies to sell in China and vice versa. IBM and Lenovo clearly execute better than most companies, but this issue still hampers them both. The deal surrounding the acquisition provides an answer: Lenovo can take the lead selling IBM products in China, while IBM can take the lead selling products in the parts of the U.S. where this conflict poses problems (such as the U.S. government). Neither company has ever been identified as working against its customers, and both firms’ ability to assure a willing outcome should be a common competitive advantage.

That said, IBM does have another clear advantage: Watson. IBM is the only company working on artificial intelligence at enterprise scale, and Watson represents the next big step in real-time applied analytics-based decision support.

Integrated into IBM offerings, this system should significantly improve the decision accuracy of IBM executives and IBM customers as well. Watson stands out in IBM’s line as a massive competitive advantage, as it turns the rest of IBM’s data analytics solution into something that’s nothing short of industry changing.

One IBM customer, a huge healthcare company, said its goal was an enterprise-scale solution using cloud methods and technologies. Buyers at this size need the compliance of an enterprise company and want the cost advantages of the cloud.

Everything Old Is New Again
That’s what IBM presented this week – and it demonstrated that IBM’s transition to a very different company continues. Once complete, IBM will have offerings such as Watson and partnerships with firms such as Lenovo that are unique, powerful and unmatched in the rapidly changing technology world.

IBM Edge 2014 provided a unique view into the future of at-scale cloud computing infrastructure and the near-term future of IBM as a company that plans to be the very best at providing what you need when you need it.



According to leaked screenshots and secret sources, Microsoft will scrap ‘Metro’ and roll boot-to-desktop as the default in the Windows 8.1 update coming in March.

If you hated the Live Tiles presented as the default on the Windows 8.x Start screen, Microsoft allowed users to tweak a setting in Windows 8.1 to bypass the “Metro” interface at boot and instead boot to desktop. But boot-to-desktop will become the default, according to leaks from Microsoft insiders and screenshots of the upcoming Windows 8.1 update. Rumor has it that the update will roll out on Patch Tuesday in March.

The Russian site Wzor first posted leaked Windows 8.1 test build screenshots showing the change enabled by default.

Leaked Windows 8.1 test build, no more Metro Start screen, boot to desktop as default
Then Microsoft insiders, or “sources familiar with Microsoft’s plans,” told The Verge that Microsoft hopes to appease desktop users by bypassing the Start screen by default, meaning users will automatically boot straight to desktop. “Additional changes include shutdown and search buttons on the Start Screen, the ability to pin Windows 8-style (“Metro”) apps on the desktop task bar, and a new bar at the top of Metro apps to allow users to minimize, close, and snap apps.”

Of course, Microsoft continues to lose millions upon millions of customers to iOS and Android. That desperation is likely what drove Microsoft to force a touch-centric operating system on customers. If customers can’t easily use a Windows OS on a traditional desktop, then Microsoft hoped its “make-them-eat-Metro” strategy would force people to buy its tablet to deal with the touch-based OS. For Microsoft, it was like killing two birds with one stone. But despite the company’s “One Microsoft” vision, we’re not birds and we don’t like having stones thrown our way.

Microsoft claimed that telemetry data justified the removal of the Start button in Windows 8, and then its return in Windows 8.1. That same telemetry data shows “the majority of Windows 8 users still use a keyboard and mouse and desktop applications.” The Verge added, “Microsoft may have wanted to push touch computing to the masses in Windows 8, but the reality is that users have voiced clear concerns over the interface on desktop PCs.”

“Microsoft really dug a big hole for themselves,” Gartner’s David Smith told Gregg Keizer, referring to the Redmond giant’s approach with Windows 8. “They have to dig themselves out of that hole, including making some fundamental changes to Windows 8. They need to accelerate that and come up with another path [for Windows].”

Back in December, NetMarketShare stats showed that more people were still using the hated Windows Vista than Windows 8.1. January 2014 stats showed Windows 8.1 on 3.95% of desktops with Vista on 3.3%. Despite Microsoft warning about the evils of clinging to XP, and the April death of XP support, Windows XP, however, was still on 29.23%. Many people still hate Windows 8, which may be why the company plans to jump to the next OS as soon as possible.

Microsoft plans to start building hype for “Windows 9” at the BUILD developers’ conference in April. The new OS is supposedly set to come out in the second quarter of 2015. While it seems wise for the company to want to ditch the hated Windows 8.x as soon as possible, Microsoft had better do something to encourage developers, because the expected boot-to-desktop default means most people will never see the Metro apps on the Start screen.

[Screenshot: leaked test build of the Windows 8.1 update]
According to the test build screenshot, Microsoft is urging people to “switch to a Microsoft account on this PC. Many apps and services (like the one shown for calendar) rely on a Microsoft account to sync content and settings across devices.” Note that “sign into each app separately instead” is “not recommended” by Microsoft. Of course, setting up a Windows 8 computer without it being tied to a Microsoft email account was “not recommended” either…but it can be done with about any email address or set up as a local account tied to no email address. If you use SkyDrive, aka the newly dubbed “OneDrive,” then why not just log in when you need it?

Trying to keep its developers “happy” may be part of the reason Microsoft does not recommend signing into your Microsoft account on an individual app basis. Sure, there’s still the Windows Phone Store, but some people complain that the Windows Phone Store is full of junk and fake apps. Of course, since Windows 8’s dueling tablet-PC interface was a flop, perhaps Microsoft will follow Apple’s lead and come up with a separate OS for tablets. That move might help out Microsoft and developers; without developers, there are no apps. Without good apps, even a new OS for tablets won’t keep Microsoft from sliding further toward irrelevance.



The Syrian Electronic Army hacked all of Skype’s social media accounts and accused Microsoft of helping the government spy and monitor our email.

It’s said there is no rest for the wicked, and New Year’s Day had Skype’s social media managers scrambling to scrub the evidence of a hack off the Skype blog and the company’s Twitter and Facebook accounts. That evidence was planted by the Syrian Electronic Army (SEA) and accused Microsoft of spying for the “governments.”

Using the hijacked account, the SEA sent a pair of tweets to Skype’s 3 million Twitter followers, warning:

[Screenshots: the hacked Skype tweets, one warning against using Microsoft products and one telling Microsoft to stop spying on people]

Those Skype tweets were deleted and then replaced with this tweet: “You may have noticed our social media properties were targeted today. No user info was compromised. We’re sorry for the inconvenience.”

The SEA also hacked the Skype blog:

[Screenshots: the Skype blog, Facebook and Twitter pages defaced by the Syrian Electronic Army; the hacked blog post tells readers not to use Microsoft products]

These posts were mirrored on Skype’s Facebook page before quickly being deleted.

[Screenshot: the hacked posts being removed from Skype’s Facebook page]

Then reporter Matthew Keys tweeted this screenshot “proof” of the Skype hack sent to him by the SEA.

[Screenshot: the “proof” of the Skype hack the SEA sent to Matthew Keys]

The SEA also tweeted Steve Ballmer’s contact information along with the message, “You can thank Microsoft for monitoring your accounts/emails using this details. #SEA”

Although the SEA has successfully hacked many major companies, the Skype hack seems to be referring to Microsoft’s alleged cooperation with the NSA. Microsoft denied providing backdoor real-time access, but revelations provided by Edward Snowden indicated that the NSA can successfully eavesdrop on Skype video calls. Although Microsoft vowed to protect users from NSA surveillance, the Redmond giant “forgot” to mention Skype in its promises.

As security expert Graham Cluley pointed out, “Chances are that Skype didn’t read my New Year’s resolution advice about not using the same passwords for multiple accounts.”

In fact, Skype seems to have disregarded its parent company’s advice. Microsoft’s Security TechCenter has a post regarding “selecting secure passwords.” Regarding “Password Age and Reuse,” it states:

Users should also change their passwords frequently. Even though long and strong passwords are much more difficult to break than short and simple ones, they can still be cracked. An attacker who has enough time and computing power at his disposal can eventually break any password. In general, passwords should be changed within 42 days, and old passwords should never be reused.

Skype itself has a few password “rules” such as:

A password must:

Be at least 6 characters and not longer than 20 characters.

Contain at least one letter and one number.

Not have any spaces.

Not contain your Skype Name (case insensitive).

Not be a part of Skype Name (case insensitive).

Your password also cannot contain any of the following words:

1234, 4321, qwert, test, skype, myspace, password, abc123, 123abc, abcdef, iloveyou, letmein, ebay, paypal.

However, after the Skype hack gave Microsoft a black eye with spying accusations, it’s a pretty safe bet that whoever controls Skype’s social media will no longer reuse the same password to protect all of the company’s accounts. And if you reuse the same password on different sites, a good 2014 resolution would be to change all of them, give each site its own password, and keep them in a password safe.
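Skype’s rules above and Cluley’s reuse point, as an added example that is not part of the original article or Skype’s own code: a checker that encodes the published password rules as written (the banned-word test is assumed here to be a case-insensitive substring match, which Skype’s wording does not specify) and a helper that groups accounts sharing one password, the pattern Cluley suggests let a single break-in take over every Skype property.

```python
import re

# Skype's published password rules, as quoted in the article.
MIN_LEN, MAX_LEN = 6, 20
BANNED_WORDS = ("1234", "4321", "qwert", "test", "skype", "myspace", "password",
                "abc123", "123abc", "abcdef", "iloveyou", "letmein", "ebay", "paypal")


def check_skype_password(password, skype_name):
    """Return the rules the password breaks; an empty list means Skype would accept it."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 6-20 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain at least one letter and one number")
    if " " in password:
        problems.append("must not contain spaces")
    pw, name = password.lower(), skype_name.lower()   # both name rules are case-insensitive
    if name and name in pw:
        problems.append("must not contain the Skype Name")
    if pw and pw in name:
        problems.append("must not be part of the Skype Name")
    # Assumption (not specified by Skype): "cannot contain any of the following words"
    # is treated as a case-insensitive substring test.
    for word in BANNED_WORDS:
        if word in pw:
            problems.append(f"must not contain the word '{word}'")
    return problems


def shared_passwords(credentials):
    """Group account names that share one password, i.e. the reuse that turns one
    leaked credential into a takeover of every account in the group."""
    by_password = {}
    for account, password in credentials.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(accounts) for accounts in by_password.values() if len(accounts) > 1)


if __name__ == "__main__":
    print(check_skype_password("skype123", "alice"))
    # Constructed sample: three social properties on one password, one on its own.
    print(shared_passwords({"twitter": "x1", "facebook": "x1", "blog": "x1", "mail": "y2"}))
```

The checker returns every violated rule rather than stopping at the first, which is what a sign-up form needs to show the user; `shared_passwords` is the audit you would run over a team’s password safe export, not over live credentials.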





A decade after it started, Microsoft excels at addressing security concerns when compared with its competitors

Today marks the 10th anniversary of the debut of Microsoft’s Patch Tuesday program, under which it issues fixes for its software on the second Tuesday of every month. It had been possible to check for updates via the Windows Update application in Windows XP, but from then on Microsoft would actually push fixes out on a predictable schedule.

Steve Ballmer introduced Patch Tuesday at the Worldwide Partner Conference in New Orleans in October 2003. “Our goal is simple: Get our customers secure and keep them secure,” Ballmer said in a statement. “Our commitment is to protect our customers from the growing wave of criminal attacks.”


Patch Tuesday brought order to the patching process and lets network administrators plan network-wide upgrades ahead of time, since Microsoft puts out an advance notification the Thursday before Patch Tuesday saying what is coming. Microsoft always had to be judicious about how much it released ahead of time, because it didn’t want to tell the bad guys where it had found a problem.

The day after the patches are pushed out, Microsoft holds a live chat, usually at 11 am Pacific time, to discuss the fixes.

In addition to Patch Tuesday, there has been the occasional Super Patch Tuesday, where Microsoft issues optional and non-security updates. Plus, when a serious flaw can’t wait for the next cycle, Microsoft has been known to ship what are called out-of-band patches.

It’s also had to issue patches of patches, because sometimes things get fouled up. Just this past August Microsoft had to recall six patches because they introduced new problems that, in some cases, rendered the PC unusable.

In 2008, Microsoft introduced the Exploitability Index, which rates how likely working exploit code is for each vulnerability in a bulletin, so that an IT manager can judge whether a fix has to be rushed out. While most of us just update on patch day without a second thought, some people do have to be careful that the fix doesn’t break their existing apps.

At the same time, Microsoft introduced the Microsoft Active Protections Program (MAPP), which shares vulnerability information with security partners ahead of the bulletin release so they can have protections ready before the details become widely known. The program also provides additional information and guidance to help customers evaluate risks and prioritize the deployment of Microsoft security updates.

Critics have called Patch Tuesday a gift to attackers: an exploit that isn’t fixed one month has a full month of guaranteed life, and by issuing so many fixes at once Microsoft tells the bad guys exactly where the bugs are. They can then rush out malware aimed at PCs that are slow to patch, which is where the term “Exploit Wednesday” comes from.

All of this is true, and Microsoft has on a few occasions let a Patch Tuesday go by with serious vulnerabilities unpatched. But compared to the track record of other firms, Microsoft is on top of things. Apple has had several instances in the last few years where exploits went unfixed for many months, and it has no structured patch cycle like Microsoft’s.

And then there’s Oracle. Since inheriting a complex and often-buggy piece of software in Java when it acquired Sun Microsystems, Oracle has been sluggish in responding to Java problems. The result is that Java is the top target for attackers, according to a report from security software developer F-Secure (PDF).

The F-Secure report found that just five vulnerabilities accounted for 95 percent of the exploit attacks it detected, and four of the five were in Java (the fifth was a Microsoft TrueType font bug). The best thing you can do to secure your infrastructure is to turn Java off, F-Secure says. That’s sad, especially given that Oracle has a huge investment in Java-based products. You’d think it would move heaven and earth to secure Java.

The fact that most exploits today target applications, browsers and Java rather than Windows itself shows how much Microsoft has hardened the OS. Patch Tuesday isn’t flawless or without its share of problems, but it did force Microsoft to move a lot faster in addressing its problems, certainly faster than Apple and Oracle.



Don’t waste any time – get that thing rolled out quick because it’s wide-ranging and already being exploited.

Normally companies proceed at their own pace when deploying Microsoft’s monthly updates, known as Patch Tuesday: they arrive on a predictable schedule, the second Tuesday of every month, so they can be tested and staged before rollout.

This month’s batch, though, is hefty in both impact and volume, so you may want to make it a priority. This month’s Patch Tuesday consists of seven bulletins addressing a total of 34 vulnerabilities, 17 of them in Internet Explorer. Six of the seven bulletins are rated critical, a little more than usual, meaning the flaws can give attackers the power to execute code on victim machines.

Fortunately, the bugs in Windows and IE require the end user to do something, like visiting a malicious site in their browser or clicking a link in an instant messenger. “So they all require end-user actions. If you don’t browse or use instant messenger, it won’t affect you. So on servers you can take your time, they are not that urgent,” said Wolfgang Kandek, CTO of the security firm Qualys.

For desktop users, however, these are critical, because user interaction of one form or another is how most PCs get infected. Kandek called attention to two of the bulletins. MS13-055 rounds up 17 vulnerabilities in Internet Explorer; the most severe could allow remote code execution if a user views a specially crafted webpage.

Kandek said at least one of the vulnerabilities is already being exploited in the wild, so either patch IE or use another browser until you do.

MS13-053 handles two publicly disclosed and six privately reported vulnerabilities in Windows, the most severe of which could allow remote code execution if a user views shared content that embeds TrueType font files.

With so many critical fixes to the OS and browser, Kandek said the desktop users should prioritize rolling out the fixes. “I don’t see why you would extensively need to test it,” he said.

Lost in the hoopla of Patch Tuesday was a trio of important bulletins from Adobe Systems, which issued significant fixes for Flash, Shockwave and ColdFusion.

Oracle, meanwhile, will issue its Java fixes next week as part of its Critical Patch Update, which runs on its own schedule: quarterly, on the Tuesday closest to the 17th of January, April, July and October.
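The schedules referred to in this and the preceding article, as an added example that is not Microsoft’s or Oracle’s code: Patch Tuesday as the second Tuesday of the month, the advance notification on the Thursday before it, the “Exploit Wednesday” that follows, and Oracle’s Critical Patch Update on the Tuesday closest to the 17th of January, April, July and October. A patch-window planning script can compute these dates rather than hard-code them.

```python
import calendar
from datetime import date, timedelta


def nth_weekday(year, month, weekday, n):
    """Date of the n-th `weekday` (calendar.MONDAY == 0) in the given month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7          # days from the 1st to the first such weekday
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year, month):
    """Microsoft's Patch Tuesday: the second Tuesday of the month."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def advance_notification(year, month):
    """Microsoft's advance notification: the Thursday before Patch Tuesday."""
    return patch_tuesday(year, month) - timedelta(days=5)


def exploit_wednesday(year, month):
    """The day after Patch Tuesday, when attackers start working from the published fixes."""
    return patch_tuesday(year, month) + timedelta(days=1)


def patch_tuesdays(year):
    """All twelve Patch Tuesdays of a year, for a maintenance calendar."""
    return [patch_tuesday(year, m) for m in range(1, 13)]


def next_patch_tuesday(today):
    """First Patch Tuesday on or after `today` (a date or an ISO 'YYYY-MM-DD' string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    year, month = today.year, today.month
    while True:
        pt = patch_tuesday(year, month)
        if pt >= today:
            return pt
        month += 1
        if month > 12:
            year, month = year + 1, 1


ORACLE_CPU_MONTHS = (1, 4, 7, 10)


def oracle_cpu(year, month):
    """Oracle Critical Patch Update: the Tuesday closest to the 17th of Jan/Apr/Jul/Oct."""
    if month not in ORACLE_CPU_MONTHS:
        raise ValueError("Oracle CPUs are released only in January, April, July and October")
    seventeenth = date(year, month, 17)
    forward = (calendar.TUESDAY - seventeenth.weekday()) % 7   # 0..6 days ahead to a Tuesday
    shift = forward if forward <= 3 else forward - 7           # otherwise the Tuesday before is closer
    return seventeenth + timedelta(days=shift)


def oracle_cpus(year):
    """The four Critical Patch Update dates of a year."""
    return [oracle_cpu(year, m) for m in ORACLE_CPU_MONTHS]


if __name__ == "__main__":
    for m in range(1, 13):
        print(f"{m:2d}  notify {advance_notification(2013, m)}  patch {patch_tuesday(2013, m)}")
    print("Oracle CPUs 2013:", [d.isoformat() for d in oracle_cpus(2013)])
```

For the July 2013 cycle discussed above this gives Patch Tuesday on 9 July and Oracle’s CPU on 16 July, which is the “next week” the article refers to. The “closest Tuesday” rule can never tie, because a 3-day move forward always beats the 4-day move back.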




The 5 worst mobile threats of 2012

Written by admin
November 3rd, 2012

New types of mobile malware make headlines every day, but what are the most prevalent threats out there? The team at Nominum decided to find out by analyzing Domain Name System (DNS) data of approximately half a million users from various countries.

Most malware uses the DNS to communicate, and our technology processes about 30% of the world’s DNS traffic, so we were able to identify the top five mobile-only malware threats.

We defined greatest threat as the most widespread malware that meets a baseline level of risk to the end user — for example, malware that attempts to steal a person’s identity and/or money. What follows is a summary of the current mobile malware landscape and a short description of each malware threat, along with some thoughts on what can be done to protect end users.

But how bad is it, really?

The mobile malware threat is real, with a significant number of infections in existence today that are capable of stealing mobile phone users’ identities, and this number is growing every day. Our research shows that Android remains the top target of malware writers.

Despite that finding, our data was not extensive enough to prove just how prevalent threats were in the U.S. specifically, but recent research has shown that malicious links within text messages continue to be the biggest concern for mobile device users in the U.S., with 4 in 10 American users likely to click on an unsafe link.

Although Android topped the list of mobile malware targets, there are still major regional differences in mobile malware prevalence. For instance, “Notcompatible” has a much higher infection rate in Latin America, while “SMSPACEM” and “Netisend” are much more prevalent in the Asia Pacific region.

These regional differences may be explained by end users’ personal networks. Like a cold or virus in the real world, once someone in a community gets infected with mobile malware, they are more likely to spread it to others in that community — instead of a sneeze, it is through SMS. As the mobile malware area is less mature than its fixed-line counterpart, it may take more time for mobile threats to “jump” networks; this will change soon, though, as malware threats get more sophisticated.

Mobile malware writers are leveraging many of the same social engineering techniques (e.g., spreading through end users’ contact lists) and technical capabilities (e.g., rootkits) to spread and make money that they’ve used on the fixed-line side for years. As the proliferation of smartphones continues and the mobile ad market matures, the incentive of higher profit possibilities will encourage malware writers to write more sophisticated malware.

With multiple mobile operating systems and a vast array of devices, device-based anti-malware software alone isn’t a scalable solution to the problem. The DNS enables a network-based approach for preventing malware that works regardless of what type of device is infected.

The DNS is usually thought of as plumbing for navigating the Web: its original role was to make the Internet easier to use by letting people type names instead of long strings of numbers (IP addresses), with the DNS translating those names into the addresses behind the scenes. Because of that history, DNS has become an often-overlooked layer, but it is essential to the network running. As network activity has advanced (think the proliferation of applications, mobile banking, etc.), the DNS layer has evolved into an efficient network infrastructure tool that guides high-performance transactions.

In the case of mobile malware threats, the DNS layer can be analyzed to detect and mitigate suspicious activity. Accordingly, solutions have been invented that enable mobile carriers to layer security applications upon their pre-existing DNS network. These applications can conduct a number of roles from detecting and thwarting hackers’ efforts to alerting users of potentially dangerous mobile websites.

Compared to other solutions, utilizing the DNS layer allows for a faster response time and cost-effective options — both important benefits to a mobile carrier and its subscribers. The DNS’s ability to secure networks should be a part of the modern mobile operator’s security playbook because the mobile malware problem is only going to get worse before it gets better.
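The network-side detection described above, as an added example that is not part of the original article or Nominum’s product: it parses a small constructed sample of resolver query logs (made-up timestamps, client addresses and query names), matches each queried name and its parent domains against a hypothetical threat-intel list of C&C domains (the example.net names are placeholders, not the real infrastructure of NotCompatible or Netisend), reports which clients are talking to which malware family, and shows the resolver policy hook that answers those names with a sinkhole address (an RFC 5737 documentation address here) instead of the real one.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of resolver query logs: "<timestamp> <client-ip> <qtype> <qname>".
# Not real data; the cc-* names are hypothetical placeholders for C&C domains.
SAMPLE_LOG = """\
2012-10-30T08:00:01Z 10.20.0.11 A www.example.com
2012-10-30T08:00:02Z 10.20.0.11 A cc-notcompatible.example.net
2012-10-30T08:00:07Z 10.20.0.42 A update.example.org
2012-10-30T08:00:09Z 10.20.0.42 A cc-netisend.example.net
2012-10-30T08:00:10Z 10.20.0.42 A CC-NetiSend.example.net.
2012-10-30T08:00:15Z 10.20.0.11 A cc-notcompatible.example.net
2012-10-30T08:00:20Z 10.20.0.77 A mail.example.com
"""

# Hypothetical threat-intel feed: C&C domain -> malware family.
CC_DOMAINS = {
    "cc-notcompatible.example.net": "NotCompatible",
    "cc-netisend.example.net": "Netisend",
}
SINKHOLE_IP = "192.0.2.1"   # RFC 5737 documentation address standing in for the carrier's sinkhole

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def normalize(qname):
    """Lower-case and strip the trailing dot so lookups are exact."""
    return qname.lower().rstrip(".")


def parse_line(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": normalize(qname)}


def cc_family(qname):
    """Family name if the queried name or any parent domain is on the C&C list, else None.
    Walking up the labels catches sub.cc-host.example.net as well as the listed name;
    the bare TLD is never tested."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        family = CC_DOMAINS.get(".".join(labels[i:]))
        if family:
            return family
    return None


def detect_infections(log_text):
    """Return {client: {family: query_count}} for every client that resolved a C&C name."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = cc_family(rec["qname"])
        if family:
            hits[rec["client"]][family] += 1
    return {client: dict(families) for client, families in hits.items()}


def resolve_with_policy(qname, real_answer):
    """Resolver policy hook: return the sinkhole address instead of the real answer for C&C names,
    which cuts the infected phone off from its controller without touching the device."""
    if cc_family(qname):
        return SINKHOLE_IP
    return real_answer


if __name__ == "__main__":
    for client, families in detect_infections(SAMPLE_LOG).items():
        print(client, families)
```

The detection is a plain blocklist match, which is enough for the five families the article lists because each has fixed C&C names; a resolver feed of this kind also needs the parent-domain walk, because malware authors move hosts under a domain far more often than they change the domain.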

Here are the top threats that we’re up against:

* NOTCOMPATIBLE — The worst of the malware seen in 2012 is a drive-by Trojan that reaches Android phones through the mobile Web browser: a compromised website pushes the download, and once it completes the phone asks the user for permission to install it, so the infection still depends on the user accepting that prompt (and on installation from unknown sources being allowed on the device). After infection, the Android phone can work as a proxy. It is widespread and growing every day.

* SMSPACEM — This is the second-most widespread malware for Android phones in 2012. It will change a phone’s wallpaper and send anti-Christian jokes by SMS to all the user’s contacts. Here is an example: “Looks like Jesus is a no-show, maybe Judaism was on to something Cannot talk right now, the world is about to end Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage Prepare to meet thy maker, make sure to hedge your bet just in case the Muslims were right.”

* LENA — This Android-based malware can take over a user’s phone without asking permission, either by using a root exploit such as GingerBreak or by posing as a VPN app. Once it has root access, LENA can contact its command and control site, download additional components and update installed binaries.

* NETISEND — An information stealer for Android, it can retrieve the IMEI, IMSI, model information and the list of installed applications. After download, the malware asks for permission to connect to the Internet and opens a backdoor to its C&C domain.

* BASEBRIDGE — It gains root on an Android phone by exploiting a netlink message validation local privilege escalation vulnerability. Once installed, Basebridge can disable installed AV software, download additional malware components and open a backdoor to its C&C site. It steals the IMSI and the manufacturer and model info, and it can also send SMS messages, delete SMS messages from the inbox and dial phone numbers.

These five mobile malware threats are just the tip of the iceberg. New types of mobile malware are designed every day by ill-intentioned individuals, and device-based security on its own is just a temporary Band-Aid against sophisticated mobile threats. Staying aware of what is out there and abreast of the latest threats is the first step in protecting yourself, but a joint effort is necessary, and carriers will soon need to start arming their networks with security layers for their customers’ sake too.

Nominum is the worldwide leading provider of integrated subscriber, network and security solutions for network operators. Nominum is the provider of the N2 Platform that leverages more than 1 trillion DNS queries daily and enables the rapid development and seamless integration of applications that leverage DNS data. These applications are generated by the Nominum IDEAL ecosystem, an open ecosystem of application providers. The combined value of the N2 Platform and the IDEAL ecosystem provides network operators with the ability to deliver a differentiated subscriber experience with cost efficiency and agility. Nominum is a global organization headquartered in Redwood City, Calif.


In a recent interview, Kaspersky Lab founder and CEO Eugene Kaspersky claimed that Apple is “10 years” behind Microsoft on security, as evidenced by the recent malware attacks affecting Mac OS X

There’s been a lot of chatter lately that the recent Flashback (also known as Flashfake) malware infestation plaguing Apple’s Mac OS X is a sign that the Mac is not nearly as secure as Apple and its devout fans would like you to believe.

Eugene Kaspersky, however, founder and CEO of Kaspersky Lab—a leading producer of security software—claims things are much worse. He says that Apple is in a potentially dire position and must change its approach to patches and updates, much as Microsoft did years ago, to address vulnerabilities more quickly and efficiently.

In a recent interview with CBR Online, Kaspersky said,

“I think they are ten years behind Microsoft in terms of security. For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but this one was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms.”

Of course it’s possible to develop malware for OS X. Malware can be developed for any OS. And as for malware exploiting vulnerabilities, isn’t that exactly what has been happening on Windows systems for ages?

Before we go on, we should point out what we believe to be a serious flaw in that statement. When Kaspersky says “there is no big difference between Mac and Windows,” that may be true on some level because they are both consumer operating systems, but the underlying technologies in OS X and Windows are fundamentally different. OS X is based on UNIX, which is decades more mature than Windows. And with that maturity also comes strong security.

Kaspersky goes on to say, “They will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software.”

This may or may not be the case. Kaspersky asserts that the success of Flashback / Flashfake will result in more malware being released for OS X. We’re not so sure. Most malware producers are in it to make a quick buck, not for notoriety. And the success of one piece of malware, doesn’t guarantee more will follow. Flashback / Flashfake may be getting some attention now, but targeting the Mac just doesn’t make as much financial sense as targeting Windows.

The fact of the matter is, even with relatively strong Mac sales, Windows-based systems far outsell the Mac and malware producers are always going to more aggressively target the largest install base. At least that’s our opinion. What say you?


In the first part of my three-part series on increasing productivity when using SharePoint and SQL Server, we will focus on searching product data from the Adventure Works database, including the use of meta-data and managed properties. The second part will show how to link the search results to a page highlighting some of the Business Intelligence (BI) features of SharePoint based on product data. The third will focus on maintaining expertise in MySites in a managed fashion.

Searching Product Data from the Adventure Works Database
One of the great benefits of SharePoint is that it provides search, business intelligence, collaboration and portals on a unified platform, which pays off in both cost savings and productivity. To take advantage of the search functionality and let users search products on an intranet or a public-facing website, define the taxonomy, load that taxonomy into SharePoint, and tie it to a crawl of the products database.

The products in the Adventure Works database are broken down into categories and sub-categories. Go into your Managed Metadata Service and define an Adventure Works Group.

Then, create a term set for both the categories and sub-categories. Now, add the items from the database. These can also be imported using the term store import functionality.

The next step is to create a view in the database that joins the products, sub-categories and categories to be indexed.

To connect to the data, open the Secure Store Service application and create a target application that holds the credentials SharePoint will use for the database. Name the target application “Adventure Works”, use a Target Application Type of Group, and define Windows User Name and Windows Password fields. Then map the Members group to an AD group whose users should be allowed to connect with those credentials. Keep the stored account to the minimum the crawl needs, such as a SQL login with read access to the view only, since every member of that AD group can effectively act as it.

Now open SharePoint Designer 2010 and connect to your site to create an External Content Type.

Click on External Content Types and choose the option to create a new one.

Enter the name of the content type. In this case, we will name it Adventure Works Products.

Choose Generic List as the Office Item List Type.

Hit the link named “Click Here to Discover External Data Sources and Define Operations” and choose SQL Server.

Enter the database server and database name and choose Connect with Impersonated Custom Identity. Enter the name of the desired secure store application used to connect to the AdventureWorks database.

Right-click the name of the view we created to expose the products, sub-categories and categories for searching, and use the new-operation options to create a “Read Item” operation and a “Read List” operation for it. Accept all defaults on both.

Choose “Create Lists and Form” and name the list “Adventure Works Products”. Now, browse the list to ensure it pulls the products from the database.

Next, go into the Search Service Application to create a crawl of the external content type.

In central administration, open the search service application you wish to use.

Click on Content Sources, then choose New Content Source.

Once the full crawl completes, the next step is to map the Metadata Properties. Click the link to Metadata Properties under Queries and Results in the Search Service Application. Also, ensure the service account used to crawl the products has access to the Adventure Works BCS service application.

Click “Categories”, then “Business Data”.

At this point, there will be a list of properties from the products view.

Click the ProductCategory property and map it to the ProductCategory Managed property. Do the same for ProductSubCategory.

Run the full crawl again on the Adventure Works content source in the search service application.

Next, setup the action to view the product once it is returned by the search. Go to your business data connectivity service for Adventure Works Products, open it, and click the “View Profile” action and set it as follows:

Now we are set on the search of the products. Go to a search center or create one in your SharePoint environment. Add refinement filters to include the product and product subcategories.

Edit the search web page and modify the Refinement Panel web part.

Expand the Refinement grouping in the web part and de-select the Use Default Configuration option.

Add two <Category> tags to the XML in the Filter Category Definition property:

<Category Title="Product Category" Description="Use this filter to restrict results to a specific category" Type="Microsoft.Office.Server.Search.WebControls.ManagedPropertyFilterGenerator" MetadataThreshold="1" NumberOfFiltersToDisplay="4" MaxNumberOfFilters="20" SortBy="Frequency" SortByForMoreFilters="Name" SortDirection="Descending" SortDirectionForMoreFilters="Ascending" ShowMoreLink="True" MappedProperty="ProductCategory" MoreLinkText="show more" LessLinkText="show fewer" />

<Category Title="Product Subcategory" Description="Use this filter to restrict results to a specific sub-category" Type="Microsoft.Office.Server.Search.WebControls.ManagedPropertyFilterGenerator" MetadataThreshold="1" NumberOfFiltersToDisplay="4" MaxNumberOfFilters="20" SortBy="Frequency" SortByForMoreFilters="Name" SortDirection="Descending" SortDirectionForMoreFilters="Ascending" ShowMoreLink="True" MappedProperty="ProductSubCategory" MoreLinkText="show more" LessLinkText="show fewer" />

Search for Accessories and view the results. You can now search for products by product information, category and sub-category. Hover over the link to the product results and view the URL.

In the second part of the article series, we will create a product page with some BI features.