Monthly Archives: October 2013

Centrify Backs ‘Bring Your Own Mac’ Initiatives

Centrify Backs “Bring Your Own Mac” Initiatives with Day One Support and Interoperability of New Mac Mavericks Operating System — Leading Active Directory-based Solution for Identity and Access Management of Mac and Mobile Devices Supports Apple’s New Mac OS X 10.9 Mavericks OS Released

Centrify Corporation, the leader in Unified Identity Services across data center, cloud and mobile, announced that its Centrify User Suite offering supports the just-released Apple OS X 10.9 Mavericks operating system for Macs, enabling organizations to leverage Centrify’s proven Active Directory-based security service to manage users and devices and address enterprise mobility and BYOD challenges, including “Bring Your Own Mac.” The Centrify User Suite solution maximizes security and visibility through centralized access management and reporting of enrolled devices and installed applications, allowing IT staff to quickly and securely bring large populations of Macs and Apple and Android devices under management by leveraging existing Active Directory identity infrastructure and skill sets.

With Centrify User Suite, Mac Edition (“Centrify for Mac”), both on-premises and remote Macs and mobile devices are seamlessly integrated into Microsoft Active Directory, leveraging organizations’ existing AD infrastructures, processes and skill sets to deliver enhanced security and centralized management for IT, and secure single sign-on access for Mac users at work. This integration with an organization’s on-premises Active Directory infrastructure and Group Policy-based management tools makes it easy to enforce and update Mac and mobile security settings. From locking or remotely wiping devices to securing access to email networks and enforcing use of passcodes, the Centrify solution enables administrators to easily assign devices to users and manage the associated properties and settings for each user’s device without the hassle of deploying complex new infrastructure or a separate management console.

“The fact that Apple is increasing the security of its Mac platform and is making it even better for the enterprise use will further fuel the rapid growth of Macs operating in organizations today, both company owned and personally owned devices,” said David McNeely, Centrify senior director of product management. “With Centrify for Mac, we make it just as easy to manage Mac workforces as it is to manage Windows users with Group Policy. And for Mac users, we are the first to add Single Sign-On to all their approved enterprise services and applications. Customers appreciate Centrify’s commitment for continued ‘day one’ support of every new Apple operating system release.”

Centrify’s day one support includes Smart Card (CAC, CAC NG, PIV and PIV-I) login support on OS X 10.9, ensuring strong authentication and single sign-on to other applications and services for Active Directory users. Smart card login combined with Centrify’s ability to enforce security policies required in high security environments helps to ensure compliance with corporate and federal policies, enabling further adoption of Mac OS X 10.9 systems in these environments. Additional features such as user self-service support enable users to upgrade, wipe or lock devices themselves without involving IT, reducing overall IT costs.

Availability

Centrify support for the Apple OS X 10.9 Mavericks release is available as part of the Centrify User Suite, Mac Edition. For more information, see http://www.centrify.com/mac.

Via: enterprise-security-today

Apple Follows In Microsoft’s Windows 8.1 Footsteps, Makes OS X Updates Free

Apple announced at its event at San Francisco’s Yerba Buena Gardens that its forthcoming update to OS X, Mavericks, will come at no cost to consumers. This is a change for Apple, a company that in the past charged for updates to its desktop operating system.

Those fees were low — less than $50 — but they existed. And by dropping the cost of OS X updates to zero, Apple is following in Microsoft’s footsteps. Microsoft, of course, recently released its Windows 8.1 update to Windows 8 for free to all Windows 8 users.

If Apple were to charge for the update to OS X after Microsoft — a company notorious for high software prices — made its own update free, Apple would appear quite miserly.

Now, there are some small pieces to keep in mind. Given that Apple only sells OS X as a component of its PC line, it therefore only charges for its operating system as part of its hardware. Microsoft sells Windows as a standalone product, given that people still build their own PCs.

So, Apple now won’t charge for OS X directly ever, or at least ever again. This puts Microsoft in a spot somewhat of its own making: It cannot charge for OS updates ever again. Microsoft can keep charging for Windows as a standalone product, both directly to consumers and to its OEM partners, but that’s different.

We’re seeing certain software cost points decline to zero. That will squeeze margins.

Whatever the case, if you use Windows, you get an update. If you use a Mac, you get an update. Everybody gets an update.

Via: techcrunch

Apple Adds Collaboration To iWork For iCloud To Take On Google Docs

Apple is trying to make its productivity software a little more appealing to users by making it free for those purchasing Mac or iOS devices. But that only matters if people use it. In an effort to get its iWork apps more widely adopted among enterprise users, it’s adding collaboration features to take on cloud-based productivity tools like Google Apps.

The newest versions of iWork apps – Pages, Numbers and Keynote – will now allow users to create, edit and share documents with other users in real time using iCloud. At Apple’s event in San Francisco today, Eddy Cue showed how it works by collaborating on a Keynote presentation with another exec onstage.

Before, Apple users had to either send docs back and forth by email to update them – or, well, use other tools to do so. But the addition of collaboration could compel more Apple users to take advantage of the software that they’ll now be getting for free with the purchase of any new Mac or iOS device.

Via: techcrunch

Google Debuts Parental Controls For Chrome & Chromebook Computers With A “Supervised Users” Feature

Google is officially beginning to roll out parental controls in its Chrome web browser in the form of a new “Supervised Users” feature that is live now in the beta channel for early testing ahead of its expected public release. The option allows a user, most likely a parent, to lock down the Chrome browser running on their device in order to allow and block access to certain websites, enable SafeSearch for filtering Google search results, and maintain a history of the websites visited, among other things.

The “Supervised Users” option has been in testing for some time. It was first spotted in the wild this past December when developers found an option called “Managed User Settings” in Chrome’s Canary/Chromium build. Then this summer, the feature became more broadly accessible to users of the Canary build, as it was able to be switched on and off using a couple of flags.

Google had yet to officially comment on its plans with parental controls, however, until today. In a blog post, software engineer Pam Greene introduced the “Supervised Users” option, relating how she liked to sit with her own daughter when browsing the web, but also needed more tools to keep her family safe.

Though the option is offered in the Chrome browser, it’s obviously designed with Chromebook users in mind – like those buying the new HP Chromebook 11 devices, which TechCrunch recently got its hands on. On Chromebooks, the browser is the operating system, so locking down how it behaves can change the entire user experience.

In the case of Supervised Users, a Chromebook user with full permissions can visit chrome.com/manage to control and edit their kids’ (or other supervised users’) accounts. Parents can set the browser to allow access only to a pre-approved list of websites; they can turn on Google’s SafeSearch to filter adult content from search results; review children’s requests for access to restricted sites; and view web histories. There are also options for more granular controls, like blocking all subdomains of a host. (To do so, you enter a star * before the main domain, e.g. *.example.com.)
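The paragraph above describes the `*.example.com` entry form. The following is an added example, not Chrome's own code, of how such an allow/block list can be matched against a hostname; the semantics it assumes (a `*.` entry covers the apex host and every subdomain, a bare entry covers only that exact host, and block entries win over allow entries) are this example's choices, and the `.example` hostnames in the sample policy are constructed.

```javascript
// Added example (not Chrome's code): matching hostnames against a
// supervised-user style allow/block list that supports "*.host" entries.

function normalizeHost(host) {
  // Lower-case and drop a trailing dot so "Example.COM." matches "example.com".
  return host.trim().toLowerCase().replace(/\.$/, '');
}

function hostMatchesPattern(host, pattern) {
  const h = normalizeHost(host);
  const p = normalizeHost(pattern);
  if (!p.startsWith('*.')) return h === p;          // bare entry: exact host only
  const base = p.slice(2);
  // A plain suffix test is a classic bug: "notexample.com".endsWith("example.com")
  // is true. Require either the apex itself or a dot boundary before the base.
  return h === base || h.endsWith('.' + base);
}

// Decide whether a supervised user may reach `host`. Block entries take
// precedence; when an allow list is configured, anything not on it is denied.
function isHostAllowed(host, { allow = [], block = [] } = {}) {
  if (block.some((p) => hostMatchesPattern(host, p))) return false;
  if (allow.length === 0) return true;
  return allow.some((p) => hostMatchesPattern(host, p));
}

// Constructed sample policy (assumed, not from the page).
const SAMPLE_POLICY = {
  allow: ['*.school.example', 'reference.example'],
  block: ['*.social.example', 'chat.school.example'],
};
```

The dot-boundary check is the part worth copying: a list entry for `example.com` must not let `notexample.com` through, which a naive suffix comparison would.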

On Chromebooks, the option to create a Supervised User will appear on the main sign-in screen. You’ll click “Add user” to launch the “Sign In” dialog box, then click on “Create a Supervised User” on the right. On Mac, Windows and Linux PCs, however, the option to create the account will be accessible from the “Users” section in the “Settings” menu.

Google says the Supervised Users setting will begin rolling out to users this week. Having just attempted to try it on the Chromebook 11, I found it hadn’t arrived just yet, but your mileage, as they say, may vary.

Via: techcrunch

Google to release two-factor security token

Google is planning a two-factor authentication token, the firm’s principal engineer, Mayank Upadhyay, has confirmed.

The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and difficult to remember.

“Authentication is a key part of security, and with technology shifts we have an opportunity to redefine it so that it is easy to use and is more secure,” Upadhyay told the ISSE 2013 security conference in Brussels.

Google plans to introduce a single USB token that can be used to authenticate to multiple online services.

Registering with each new service creates a unique pairing: the service stores a public key supplied by the token, while the corresponding private key never leaves the token and is never exposed.

“This eliminates the need for one-time passcode (OTP) mechanisms, the need to store secrets in the datacentre, and the possibility of man-in-the-middle (MITM) attacks,” said Upadhyay.

Until now, second-factor authentication has largely relied on OTPs sent by text message, but this approach has several challenges, such as when users lose their mobile phone.

“Hackers have also adapted to the use of OTPs by creating ways of stealing user credentials as well as OTPs,” said Upadhyay.

Giving users control of online accounts

Google is optimistic about user adoption of the proposed token because it will give users a sense of being in control over who has access to their online account, he said.

The company also expects adoption to be supported by the fact that the token does not require any middleware, it can be used for multiple services, and website integration is simple and easy.

For this purpose, Google plans to create two JavaScript application programming interfaces (APIs) – one for registering and one for signing in to a service.

“In this way, website users remain in complete control of the user interface,” said Upadhyay.

Google is testing the proposed token internally to let staff access corporate data, and is working with the FIDO Alliance on new industry standards for authentication.

The token is also being tested with a small group of partners ahead of the public roll-out, which Upadhyay said was likely to be some time in 2014.

Secure password alternatives

Longer term, Google sees the token as the opportunity to reduce passwords to a single personal identification number that can be used with the token for multiple accounts.

“A single PIN is typically used for multiple bank cards nowadays, which is a model that could be extended to online services using the proposed token,” said Upadhyay.

As trusted platform modules (TPMs) with cryptoprocessors become available in all devices, tokens could be built into devices such as smartphones using the secure area of the built-in TPM.

Google decided not to use TPMs for the initial implementation of its universal authenticator because many legacy devices are not equipped with the TPM chips.

“We believe USB will provide the best connectivity across the types of devices in use around the world at the moment,” said Upadhyay.

The first tokens will have near field communication (NFC) capability, which will enable them to be used with the new smartphones that are using this technology.

Strengthening cloud authentication

Through this project, Google hopes to introduce “non-stealable” credentials, which the firm considers a key component in making security easier for users.

Other key components are malware-resistant platforms, secure communication channels, and out-of-band notifications relating to sensitive transactions.

“The whole IT industry needs to work together to establish standards for strong device to cloud authentication – we must seize the opportunity to make it happen,” said Upadhyay.

Previous attempts at introducing password alternatives have failed because of the need for all web services to adopt the same standard, but pundits say Google may be big enough to make it happen.

Via: computerweekly

Gatekeeper on Mac OS X 10.9 Mavericks

One of the Mac OS X platform’s security features is Gatekeeper, which was first introduced in 2012 and works with Lion, Mountain Lion, and Mavericks. If a program is downloaded from the Internet and launched, Gatekeeper will first validate its digital signature and choose whether to let it run based on the user’s settings. How has this changed in Mavericks?

First, some background on how exactly Gatekeeper works. The user can choose to allow only applications from the Mac App Store, to allow all applications, or to allow applications from the Mac App Store plus those carrying a valid digital signature from an identified developer (one holding a Developer ID certificate issued by Apple). This last setting is the default in Mountain Lion.

How does Gatekeeper know which files to check? It only operates on files that carry the quarantine extended attribute (com.apple.quarantine). When a file is downloaded, the downloading application (usually the browser) sets this attribute on the file. The origin of the program and the time when it was downloaded are also kept in the extended attribute:


Figure 1. Extended attributes of a downloaded archive

If the application arrives inside an archive or disk image, the quarantine attribute is inherited from that archive or image when the application is extracted. The attribute also contains a UUID which OS X can use to trace it back to the source file and provide information to the user.


Figure 2. Extracted file’s inherited attributes

When the user attempts to run an application that does not satisfy Gatekeeper’s settings, it displays an alert as seen below. On previous versions, the alert shows the current Gatekeeper setting; on Mavericks this is not shown.


Figure 3. New and old warning dialogs

If the user wants to run an application blocked by Gatekeeper, they have several options. Gatekeeper could, in effect, be turned off by letting it run all applications. A power user may opt to remove the quarantine attribute or use the spctl command to add a new policy in the security assessment policy subsystem.


Figure 4. Using the “spctl” command to change policies

Mavericks provides a new option. In the Security & Privacy panel of System Preferences, a new option is provided to the user – they can opt to force-launch the last blocked app. Unlike removing the extension attribute or adding a new assessment policy, this is a more user-friendly way to allow the execution of a single unsigned program.


Figure 5. New Mavericks dialog box

The first of the semicolon-separated fields in the quarantine value is a set of flags recording how the file arrived. As noted earlier, Safari downloaded the test program and set this field to 0002. If the user chooses the “Open Anyway” option above, the field is modified: its third digit is set to 6. Whatever the earlier value was, if the third digit is 6, Gatekeeper will let the application run.

This modified attribute travels with the file. If the file is copied to another Mac over a file system that preserves extended attributes, the other Mac honors the exception as well.


Figure 6. Quarantine value of allowed program

This highlights a way for an attack to bypass Gatekeeper. If one user allows the execution of an unsigned program on their Mac, the file can be spread to other Macs via ways that keep this attribute (such as shared folders and USB flash disks). On these other systems, the program can be launched without any warning messages.


Figure 7. Gatekeeper allowing an application to run
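To make the bypass concrete, here is an added example that is neither Trend Micro's nor Apple's code. It parses a com.apple.quarantine value of the kind shown in the figures and picks out files that already carry the “Open Anyway” exemption, the check you would want to run over a shared folder or USB stick before trusting what arrived. It assumes the field layout flags;timestamp;agent;uuid, treats the timestamp as hex seconds since the Unix epoch, and recognises the exemption by a 6 in the third digit of the flags, exactly as observed above; the sample values and paths are constructed.

```javascript
// Added example, not Trend Micro's or Apple's code: inspecting
// com.apple.quarantine values (as printed by `xattr -p com.apple.quarantine <file>`)
// for the pre-approved exemption described in the post.

function parseQuarantine(value) {
  // Assumed layout: flags;timestamp;agent;uuid (four hex digits of flags first).
  const [flags, stamp, agent, uuid] = value.split(';');
  if (!flags || flags.length !== 4) throw new Error('unexpected quarantine value: ' + value);
  return {
    flags,
    // Assumption for this example: the second field is hex seconds since the epoch.
    downloadedAt: stamp ? new Date(parseInt(stamp, 16) * 1000) : null,
    agent: agent || '',
    uuid: uuid || '',
  };
}

// The post's observation: a 6 in the third digit of the flags means a user has
// already waved the file through Gatekeeper.
function isPreapproved(value) {
  return parseQuarantine(value).flags[2] === '6';
}

// Given { path: xattrValue } pairs collected from files that came from another
// Mac, return those that would launch with no Gatekeeper warning.
function findPreapproved(files) {
  return Object.entries(files)
    .filter(([, value]) => isPreapproved(value))
    .map(([path, value]) => ({ path, agent: parseQuarantine(value).agent }));
}

// Constructed sample: a fresh Safari download and a file whose flags were
// rewritten by "Open Anyway" on the Mac it was copied from.
const SAMPLE_FILES = {
  '/Volumes/USB/Installer.app': '0002;52612c3e;Safari;0B3C9D2E-3F1A-4C5B-8E7D-9A1B2C3D4E5F',
  '/Volumes/USB/Helper.app':    '0062;52612c3e;Safari;1C4D0E3F-4A2B-5D6C-9F8E-0B2C3D4E5F60',
};
```

On a Mac, `xattr -p com.apple.quarantine <file>` prints the value to feed into this, `xattr -d com.apple.quarantine <file>` strips the attribute altogether, and `spctl --assess --verbose <file>` reports the verdict Gatekeeper would reach for the file as it stands.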

To summarize: Mavericks provides users an easier way to create exceptions to Gatekeeper and allow unsigned programs to run. However, this was done in such a way that could put other users at risk. It would have been better for Apple to implement this in such a way to keep the exception from being enforced elsewhere; if I want to put myself at risk I shouldn’t be allowed to put other Macs at risk.

Via: trendmicro

Apple releases iOS 7.0.3 – fixes yet more lockscreen holes, including a call-anybody bug

Soon after iOS 7 came out, a pair of holes in the lockscreen were outed and then quickly fixed in iOS 7.0.2.

It turns out that Apple didn’t fix future problems of this sort proactively, because the just-announced iOS 7.0.3 closes three more locked-phone holes.

The three bugs this time deal with similar problems to those patched in 7.0.2:

  • Another flaw in the emergency call feature, where hitting the call button at a carefully-planned moment lets you call any number, not just 911 or your local equivalent.
  • A passcode lockout bypass, so that crackers can continue trying passcodes even after the phone decides they’ve had too many goes and locks them out.
  • Access to the Contacts pane even when the phone is locked.

Interestingly, the bug fix for the emergency call problem is described as follows:

A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped while a notification was being swiped and while the camera pane was partly visible. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed. This issue was addressed by avoiding the NULL dereference.

If you are experiencing déjà vu, you should be, because you’ve seen this before, in the iOS 7.0.2 security notes:

A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped repeatedly. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed. This issue was addressed by avoiding the NULL dereference.

As we explained last time, NULL pointers (references to memory addresses) can’t be dereferenced – that makes no programmatic sense, since a NULL pointer is, as a matter of definition, one that doesn’t point anywhere.

When a program tries to dereference NULL, it’s almost impossible to determine what the programmer intended – who knows what memory location was supposed to be used instead? – so the operating system has little choice but to terminate it.

→ A NULL pointer usually means either a pointer variable that was initialised to NULL and never set to a real address, or a memory allocation error, signalled by the special return value NULL, that has been ignored. In the former case, you’re trying to use memory without even trying to allocate it first; in the second, you’re trying to use memory that you requested but never actually received.

So, correcting the NULL dereference wasn’t the wrong thing for Apple to do, but it clearly wasn’t enough to deal generically with this sort of lockscreen flaw.

When iOS 7.0.2 came out, we offered the following observations:

  • You can argue that Apple should make other software wait while the lockscreen is restarting, because of the key security function it performs.
  • You can argue that Apple should code things to fail closed: if the lockscreen software doesn’t know or can’t tell you whether the phone is locked or unlocked, treat it as locked, for security’s sake.

Of course, that’s easier said than done, because mobile phone regulators pretty much mandate some sort of bypass mechanism in a phone’s lockscreen.

That’s so emergency calls can be made any time the phone is powered up and in contact with the network. (You can even make 911 calls without a SIM card, for example).

That makes it hard to implement a lock screen “in reverse” – in other words, so that the phone is only unlocked when the lockscreen software is running, not the other way around – and it probably explains Apple’s reluctance to make big changes in the way the lock screen works for what is just a point release of iOS.
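As an added illustration of the fail-closed argument above (this is example code, not Apple's, and the lock-screen and dialer here are toy models), the following runs the advisory's scenario through two policies: one that treats an unknown lock state as unlocked, which is the behaviour the security notes describe, and one that permits a non-emergency call only on an affirmative "unlocked" answer while still letting emergency numbers through regardless of state. The emergency number list is assumed for the example.

```javascript
// Added example, not Apple's code: fail-open versus fail-closed dialer policy
// when the lock screen cannot report its state.
const LockState = Object.freeze({ LOCKED: 'locked', UNLOCKED: 'unlocked', UNKNOWN: 'unknown' });
const EMERGENCY = new Set(['911', '112', '999']);   // assumed list for the example

// Fail-open: anything that is not positively "locked" is treated as unlocked.
// This is the assumption the advisory text describes the dialer making.
function mayDialFailOpen(state, number) {
  return EMERGENCY.has(number) || state !== LockState.LOCKED;
}

// Fail-closed: only a positive "unlocked" answer permits a non-emergency call.
// Emergency numbers still go through in every state, as regulators require.
function mayDialFailClosed(state, number) {
  return EMERGENCY.has(number) || state === LockState.UNLOCKED;
}

class LockScreen {
  constructor() { this.locked = true; this.restarting = false; }
  crash() { this.restarting = true; }     // the NULL-dereference path: process is restarting
  recover() { this.restarting = false; }
  state() {
    if (this.restarting) return LockState.UNKNOWN;   // nobody to answer the query
    return this.locked ? LockState.LOCKED : LockState.UNLOCKED;
  }
}

// The scenario from the advisory: the lock screen is restarting when the
// dialer asks whether a non-emergency number may be called.
function scenario(policy) {
  const lock = new LockScreen();
  const results = [];
  results.push(policy(lock.state(), '911'));        // locked: emergency call allowed
  results.push(policy(lock.state(), '5551234'));    // locked: ordinary call denied
  lock.crash();
  results.push(policy(lock.state(), '911'));        // restarting: emergency call still allowed
  results.push(policy(lock.state(), '5551234'));    // restarting: this is where the policies differ
  lock.recover();
  return results;
}
```

Only the fourth answer differs between the two policies, and it is exactly the call the iOS 7.0.2 and 7.0.3 bugs let through.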

The flip side of that, if it’s true, is that iOS 7.0.3 ought to be uncontroversial, due to making only modest code changes inside the operating system.

In other words, if you are keen on security, you may as well make sure you grab this update as soon as you can, if your phone hasn’t done it for you already.

Via: sophos

Close the gates by updating your browsers

Browsers are the gateway of internet security: they give users direct access to millions of potentially malicious websites whose payloads target deeper vulnerabilities. Between phishing scams and socially engineered malware attacks, there is no shortage of threats online. Because browsers give users access to everything outside the protected network, users can inadvertently expose that network to malware or other threats. Most employees depend on browsers for their productivity, whether for email, project management, or other required applications. In many cases, the browser has become the first line of defense.

Whether because they are more targeted, or just inherently more insecure, web browsers now have more vulnerabilities than the operating systems they run on. In 2012, the National Vulnerability Database listed 454 vulnerabilities for the top five web browsers, 36 more than all operating systems combined. Since the bulk of exploits target known vulnerabilities, it is vitally important to keep all the web browsers on your network up to date. According to Sophos, “90% of attacks can be prevented with an existing patch”. Microsoft, Google, and Mozilla release patches for known vulnerabilities on a regular basis. In February of this year alone, Microsoft released patches that fixed 14 different vulnerabilities. These patches are making browser exploits harder and harder to find, even for those who get paid to find them.

ControlsInsight provides detailed information on your coverage of these potentially huge security holes. Once you’re logged into ControlsInsight, you can get an instant view of your coverage:


When you click on “Assets with Firefox up to date”, you will be taken to Deployment and Coverage Details which includes steps to apply updates across your network, plus a list of assets that are currently out of date. You can even see the exact version installed on each asset:


By following the deployment procedure, you can keep your users’ browsers up to date and prevent the majority of attacks. That decrease in risk will be reflected in an improved grade in ControlsInsight.

Via: rapid7

Malwarebytes Anti-Malware Mobile now protects Android devices

Malwarebytes, a malware search and destroy company, has extended their reach. Learn how they intend to protect the mobile-device space.

Malwarebytes has built a reputation on being able to detect and remove cutting-edge malware from computers, malware that other security platforms are not even detecting. Malwarebytes now extends that same protection to Android devices with the release of Malwarebytes Anti-Malware Mobile (MBAM Mobile).

Cluttered field

Security pundits have been warning that it is only a matter of time before digital havoc of all sorts is unleashed on mobile devices, particularly those running Android. To fill the void, there is a plethora of security apps, free and paid, for Android users to choose from. The mobile-security app Lookout is a good example, currently protecting over 30 million mobile devices.

MBAM Mobile features

First and foremost, what Malwarebytes brings to the table is proven expertise. More often than not, Malwarebytes Anti-Malware is the first solution suggested to rid computers of malware. That same expertise created MBAM Mobile. Here are some of the more tangible features employed by MBAM Mobile:

Privacy Manager: Identifies every application’s access privileges in detail, and breaks down access privileges by category: Contacts, Identity Information, Simple Message Service, and Security Settings.


Security Audit: Identifies security vulnerabilities on mobile devices, and suggests remediation. Links seamlessly to Android Device Manager: so the device can be located, locked, or reset if the mobile device is lost or stolen.


Application Manager: Identifies which applications are currently running, identifies installed applications, and enables custom whitelisting of approved apps.


For the entire list of MBAM Mobile features, please visit this webpage.

MBAM Mobile advantages

The MBAM Mobile press release mentioned that MBAM Mobile is powered by a custom-built detection engine similar to the one used in the company’s other products. I contacted Marcin Kleczynski, CEO and founder of Malwarebytes, and asked if he would explain what, if anything, is special about MBAM Mobile’s detection engine:

“For MBAM Mobile, we wrote all our own code and built our own malware signature database from scratch. That way we knew the database was accurate and relevant. And, we included only the essential security features.”

Next, Marcin explained something I was unaware of:

The native Android Device Manager already takes care of the phone location features typically found in mobile-security products, so it didn’t make sense to add those. The core is antimalware, with a couple other features that can detect apps that are violating your privacy or tracking your physical location.

Several times now, Marcin has mentioned that MBAM Mobile (free version only) is a no-frills application, strictly about getting rid of malware. Even so, MBAM Mobile offers features that other mobile-security apps do not in their free versions. For example, MBAM Mobile offers Privacy Manager, while other mobile-security apps require the user to purchase the premium version in order to get the privacy management feature.

What MBAM Mobile lacks

Several of the tech media outlets have mirrored what Marcin has been saying, calling MBAM Mobile lean. It might be interesting to see what is missing from MBAM Mobile when compared to other mobile security apps.

I’ll use Lookout as an example once again. Lookout backs up mobile-device data, employs online mobile device management, and will automatically take a user-facing picture if the number of login attempts exceeds the configured amount. To be honest, I was surprised that MBAM Mobile wasn’t including these features.

I asked Marcin about the lack of features in MBAM Mobile. Here’s what he had to say:

“Our product is different in that it is simple and fulfills just a handful of purposes, allowing us to focus on actually detecting and protecting against malware, not features here and there that other products throw in to dilute themselves. Our focus is anti-malware, that’s it.”

Marcin mentioning that MBAM Mobile’s sole focus is antimalware reminded me of how I use MBAM for computers—as a supplement to my antivirus program. I asked Marcin if that’s what he had in mind when he developed MBAM Mobile. He said it was:

“We are indeed a complementary tool like MBAM for Windows. We are here to help your anti-virus out. We are working to be compatible with all other software on the Android device.”

Final thoughts

Quite simply, it’s a Malwarebytes product. It’s going to be good. The question then becomes whether you want lean and mean or feature-rich—actually, why not both?

Via: techrepublic

Browsium throws lifeline to XP users

Browsium Ion, which provides legacy Internet Explorer (IE) emulation, now supports multiple Java releases and IE8.

The product is used in desktop migrations from the Windows XP operating system (OS), which Microsoft will no longer support after April 2014.

The Ion software emulates older Microsoft browsers, such as IE6 and IE7, which are used to run line-of-business browser-based applications on Windows XP.

But with end of support for XP looming, large organisations such as banks, governments and healthcare providers are facing the prospect of paying Microsoft for a hefty customer support agreement, or running the OS unsupported and putting the organisation at risk from a cyber attack.

“Enterprises continue to make slow, steady progress towards their Windows 7 migrations, but web application compatibility issues remain the number one blocker,” said Matt Heller, Browsium’s founder and CEO.

Browsium Ion 3.0 enables IT departments to run multiple versions of Java side by side on a single system. It also adds IE8 support to the list of legacy browsers.

According to Browsium, many software as a service (SaaS) providers, including Microsoft, Google and Salesforce.com, have dropped support for IE8, necessitating yet another browser migration for enterprises. Ion enables IT departments to deploy IE8-dependent web applications in IE10 on Windows 7, it said.

Gary Schare, president of Browsium, said: “Many larger organisations have procrastinated their way into a crisis. Now they’re scrambling to migrate before Microsoft ends support for XP in April.”

According to Schare, many businesses still running Windows XP have resigned themselves to paying for the first year of custom support, at a cost of $200 per PC. “They are scrambling to migrate before they have to pay for year two in April 2015,” he said.

In his experience, the XP and browser migration project can easily take 18 months.

Via: computerweekly