Internet Explorer Vulnerability

Following the concern about the Heartbleed bug, Microsoft has made a further significant announcement: a remote code execution vulnerability (CVE-2014-1776) affecting Internet Explorer versions 6 through 11, that is, every version in use. See https://technet.microsoft.com/en-US/library/security/2963983 for full details.

This is a serious vulnerability: a successful attack can execute arbitrary code on the user's PC with the same rights as the logged-in user. It does, however, require the user to visit a website crafted to exploit it, or a legitimate site into which such content has been injected (adverts and user-submitted content are the usual route). Users of Internet Explorer should be especially vigilant about visiting unknown sites, phishing, and following unrecognised links in emails or instant messages. For those who cannot switch browser, Microsoft's advisory also lists interim workarounds, including deploying EMET and unregistering VGX.dll.

Both the US and UK governments have issued advice recommending that, until the problem is resolved, you use an alternative browser such as Google Chrome or Mozilla Firefox.

Safe4 also encourages our users to use an alternative to Internet Explorer until Microsoft has issued an update.

Please note this is in addition to our recommendation in a recent blog post to upgrade from Windows XP.

March winds and April Showers bring forth …

The spring of 2014 has seen a raft of news about online document security, both good and bad. The year was ushered in by guidance from regulatory bodies and professional organisations, including the Solicitors Regulation Authority (SRA) on cloud-based document security and the Institute of Chartered Accountants in England and Wales (ICAEW) with its guide to cyber security in corporate finance.

As if this were a challenge, the barometric pressure around some key security vulnerabilities was building as spring started and the March winds began to blow. April came not just with rain but with security showers and dire warnings about the need to protect your valuable information. Three significant events caused us all to check that our security raincoats were actually keeping the rain out:

Heartbleed

First, the Heartbleed vulnerability (a bug in the OpenSSL library's handling of the TLS heartbeat extension) hit the headlines. It was possibly one of the most significant security vulnerabilities of recent years, with two main characteristics making it a real problem:

  • The bug let an attacker read chunks of a vulnerable server's memory. That memory could contain the server's private key, used to secure information sent between your browser and the website, as well as whatever else was in memory at the time: passwords, session cookies, credit card numbers, commercially or legally sensitive documents and other personal information. Once someone has the private key they can decrypt recorded traffic, past and future, unless the connection used a forward-secret key exchange, and they can impersonate the site until the key is replaced.
  • The attack left no trace in ordinary server logs, so a site could not tell whether its keys or its users' data had been taken. Everyone who ran a vulnerable version therefore had to assume they had been compromised: patch, replace the certificate and private key, and only then ask users to change their passwords.

Unfortunately there was also a shower of poor advice about how to deal with Heartbleed. The most significant misdirection was the advice to change all your passwords immediately, in the belief that this would protect your information. It wouldn't necessarily: a password changed on a site that was still vulnerable could be taken just like the old one. For this reason alone, it is worth reviewing what action was taken and whether it worked.

Did you deal effectively with Heartbleed?

If you are a user of a web site, the main imperative was to check that the provider had patched the Heartbleed vulnerability (and replaced its certificate) before you changed your password. If you changed it while the site was still vulnerable, you may still be at risk.

Reputable providers of web services have been very open about the status of their systems, whether they were affected, and what steps they have taken. Look for emails from the providers, or posts on their websites. For example, we at Safe4 had a strong enough architecture and controls that our users were not at risk, and we confirmed this with messages at system log-in and with information on our website.

If you are uncertain about any of this, it is easy to check whether a site is still vulnerable: go to the free Qualys SSL Labs online test and enter the site's URL. The report will tell you whether Heartbleed is still an issue for that site. Then check directly with the site when it was patched. If that was before your last password update, you should be safe. If it was after, or you cannot find out, change the password again; and as it is good practice to change passwords periodically anyway, you might want to play absolutely safe and update it regardless.

Windows XP and Internet Explorer 8

There was also a significant date during the month for those people who are still using Windows XP: on 8th April Microsoft discontinued support for XP.

There may be no obvious immediate implications, since the software will continue to run as before. However, Microsoft will not be issuing any further security updates for XP, so as time goes by this operating system will become increasingly vulnerable.

Windows XP already lacks a number of the newer security protocols: its Schannel library, which Internet Explorer uses for HTTPS, supports nothing beyond TLS 1.0, so TLS 1.1 and TLS 1.2 are unavailable to Internet Explorer on XP.

Many companies, including Safe4, that have undertaken detailed reviews of their information security strategies have decided to disable the older protocols, SSL 2.0 and SSL 3.0, and to tighten the rest of their HTTPS configuration. Unfortunately Internet Explorer 8 on Windows XP cannot cope with the resulting configuration. Dropping support for that browser and operating system combination has enabled these companies to attain the highest possible ratings for security in independent analysis.

Safe4 therefore strongly recommends that companies and all users of secure online services upgrade from Windows XP to a supported version such as Windows 8 as soon as possible. In the meantime, if upgrading is not an option, we would suggest using an alternative browser such as Google Chrome, which brings its own TLS implementation rather than relying on Windows XP's, and so can use the latest security protocols even on XP.

Dropbox and Box weblinks

As April gave way to May, news emerged that these two widely used free file-sharing services were vulnerable to a web-linking loophole exposing files to unauthorised access. The vulnerability, described by independent security analyst Graham Cluley, laid bare sensitive information including tax returns, mortgage applications and corporate information including a business plan.

The problem appears to be that Dropbox and Box did not require users accessing a shared link to authenticate themselves: the link itself was the only credential, so anyone who obtained it could open the file. Links leaked in ordinary ways, for example when a hyperlink inside a shared document was clicked and the browser sent the share URL to the destination site in the Referer header, or when a user pasted a link into a search box instead of the address bar.

Safe4 always requires valid authentication from a user and checks that the user has permission to access the particular file linked to. Safe4 Technical Director, Alistair Stubbs, commented “proper user authentication has always been a foundation of the Safe4 architecture, specifically to guard against potential problems such as this.”
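To make the distinction in the two paragraphs above concrete, here is an added example (not Safe4's code, and not Dropbox's or Box's): a handler that treats the share link as the only credential, beside one that still requires a logged-in user with permission on the file. The users, files, access-control list and request shape are all constructed for the illustration.

```python
"""Two ways to serve a 'shared link': the link as the only credential, beside
a handler that still requires a logged-in user with permission on the file.

Added example, not Safe4's code and not Dropbox's or Box's. The users, files,
access-control list and request shape are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Request:
    path: str                   # e.g. "/s/<token>/tax-return.pdf"
    user: Optional[str] = None  # authenticated user, or None if anonymous


# Constructed data: file contents, who is permitted to read each file, and the
# share tokens that have been handed out (token -> filename).
FILES: Dict[str, bytes] = {"tax-return.pdf": b"<tax return>", "plan.docx": b"<business plan>"}
ACL: Dict[str, Set[str]] = {"tax-return.pdf": {"alice"}, "plan.docx": {"alice", "bob"}}
SHARE_LINKS: Dict[str, str] = {}


def create_share_link(filename: str) -> str:
    """Mint an unguessable share URL for a file. The token is 256 bits of
    randomness, so it cannot be guessed; the problem is that it can be copied."""
    token = secrets.token_urlsafe(32)
    SHARE_LINKS[token] = filename
    return f"/s/{token}/{filename}"


def _resolve(path: str) -> Optional[str]:
    """Map a share path back to a filename, or None if the token is unknown."""
    parts = path.split("/")
    if len(parts) != 4 or parts[1] != "s":
        return None
    token, filename = parts[2], parts[3]
    return filename if SHARE_LINKS.get(token) == filename else None


def serve_link_only(req: Request) -> Tuple[int, bytes]:
    """Capability-URL model: whoever presents the link gets the file.

    No session is consulted, so anything that leaks the URL (pasting it into a
    search box, a Referer header sent when a hyperlink inside the shared
    document is clicked, forwarding the email) leaks the file with it."""
    name = _resolve(req.path)
    if name is None:
        return 404, b""
    return 200, FILES[name]


def serve_authenticated(req: Request) -> Tuple[int, bytes]:
    """The link only identifies the file; the session and the ACL decide access."""
    name = _resolve(req.path)
    if name is None:
        return 404, b""
    if req.user is None:
        return 401, b""  # a valid link still requires a log-in
    if req.user not in ACL[name]:
        return 403, b""  # logged in, but this file was never shared with them
    return 200, FILES[name]


if __name__ == "__main__":
    link = create_share_link("tax-return.pdf")
    # The link has leaked to an outsider who has no account.
    print("link-only handler  :", serve_link_only(Request(link))[0])             # 200
    print("authenticated      :", serve_authenticated(Request(link))[0])         # 401
    print("bob (no permission):", serve_authenticated(Request(link, "bob"))[0])  # 403
    print("alice              :", serve_authenticated(Request(link, "alice"))[0])  # 200
```

The second handler is the shape of check the paragraph above describes: the token still has to be valid, but it only names the file, and the request is refused unless the session belongs to someone on that file's permission list.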

What next for May?

Even a quick review of history will show that wars have been won and lost, and empires have fallen, because of intercepted information.

We assume that you have used the information above to review the current security of your documents and information. Looking ahead, and without being overwhelmed by a further downpour of technical information, how do you handle the commercial implications of staying secure through the summer and beyond?

A simple risk based approach which can provide a framework to help an organisation review its commercial exposure and to take the most appropriate mitigating actions is further explored in another blog post by Safe4 Technical Director Alistair Stubbs.

Safe4 will continue to provide a top level of security for all confidential documents stored by its customers. We hope this summary has been useful and will enable you to use the March Winds and April Showers of the recent security scares to bring forth a May flowering of a robust security environment for your documents.

 

Posted by: Alistair Stubbs, Safe4 Information Management Technical Director

Dealing with the latest security threats

There has been a lot of attention in the media recently following the OpenSSL Heartbleed vulnerability. While Safe4 was never affected by this problem, we have recently reviewed the security settings covering the connection between your computer and our servers.

The SSL/TLS protocol, which encrypts the communication between a client computer and a server when a site specifies HTTPS, has evolved over the years through five versions: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. The newer versions are more secure than the earlier ones; SSL 2.0 in particular has been formally prohibited (RFC 6176), and SSL 3.0 survives only as a fallback for browsers that cannot do better.

At our last review we took the decision to disable the SSL 2.0 and SSL 3.0 protocols. It was originally thought that this would only affect users of IE6 on Windows XP (a combination Safe4 does not see in its user base), but it also appears to affect IE8 on Windows XP, since Internet Explorer relies on the operating system's Schannel library to secure the connection. Windows XP's Schannel supports nothing newer than TLS 1.0 and only a handful of old cipher suites, so Internet Explorer on XP is easily shut out once a server tightens its configuration.
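The following is an added illustration, not Safe4's configuration and not any vendor's code, of the point made here and in the "Windows XP and Internet Explorer 8" section above: it models a server's protocol and cipher-suite policy against a few client profiles and shows which combinations still negotiate a connection. The client profiles are assumptions about 2014-era browsers (which versions and suites each could use, as recalled for this example), not measured data; check your own access logs and an SSL Labs scan before relying on them for a real change.

```python
"""Which clients a server's protocol and cipher-suite policy keeps, and which
it shuts out.

Added example, not Safe4's configuration and not any vendor's code. The
client profiles are assumptions about 2014-era browsers (which protocol
versions and cipher suites each could use, as recalled for this example),
not measured data; check your own access logs and an SSL Labs scan before
relying on them for a real change.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# The five versions the post lists, oldest first.
VERSIONS = ("SSL2.0", "SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")


@dataclass(frozen=True)
class Policy:
    name: str
    versions: FrozenSet[str]   # protocol versions the server will negotiate
    suites: Tuple[str, ...]    # cipher suites in the server's order of preference


@dataclass(frozen=True)
class Client:
    name: str
    versions: FrozenSet[str]
    suites: Tuple[str, ...]


def negotiate(server: Policy, client: Client) -> Optional[Tuple[str, str]]:
    """Choose the newest protocol version both sides support, then the first
    suite in the server's preference list that the client also offers.
    None means the handshake fails and the browser shows an error page."""
    common = [v for v in VERSIONS if v in server.versions and v in client.versions]
    if not common:
        return None
    version = common[-1]
    for suite in server.suites:
        if suite in client.suites:
            return version, suite
    return None


# --- constructed client profiles (assumptions, see module docstring) ---------
IE6_XP = Client("IE6 on Windows XP (default settings)",
                frozenset({"SSL2.0", "SSL3.0"}),            # TLS 1.0 exists but is off by default
                ("RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"))
IE8_XP = Client("IE8 on Windows XP",
                frozenset({"SSL3.0", "TLS1.0"}),            # XP's Schannel stops at TLS 1.0
                ("RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"))     # and offers no AES suites
CHROME_34 = Client("Chrome 34",
                   frozenset({"SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"}),  # own TLS stack, not Schannel
                   ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA"))

# --- server policies ---------------------------------------------------------
BEFORE = Policy("all five versions",
                frozenset(VERSIONS),
                ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"))
# The change the post describes: SSL 2.0 and SSL 3.0 switched off, suites untouched.
AFTER = Policy("SSL 2.0/3.0 disabled", frozenset({"TLS1.0", "TLS1.1", "TLS1.2"}), BEFORE.suites)
# One step further: a TLS 1.1 floor and no RC4 or 3DES.
STRICT = Policy("TLS 1.1+ with modern suites only",
                frozenset({"TLS1.1", "TLS1.2"}),
                ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA"))


def impact(policy: Policy) -> dict:
    """Outcome for each profile under a policy: (version, suite) or None."""
    return {c.name: negotiate(policy, c) for c in (IE6_XP, IE8_XP, CHROME_34)}


if __name__ == "__main__":
    for policy in (BEFORE, AFTER, STRICT):
        print(policy.name)
        for client, outcome in impact(policy).items():
            print(f"  {client:40s} {outcome or 'handshake fails'}")
```

Under these assumed profiles, switching off SSL 2.0 and 3.0 on its own stops IE6 in its default configuration but still lets IE8 on XP in over TLS 1.0 with RC4; it is the cipher-suite pruning and the TLS 1.1 floor that shut that combination out. The useful habit the model encourages is to run the intended policy against the browsers actually seen in the access logs before changing the server, rather than discovering the breakage from support calls.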

Safe4 would recommend upgrading from Windows XP at the earliest opportunity. However, this may not be an immediately available option, in which case Safe4 would recommend the use of an alternative browser such as Google Chrome, which ships its own TLS implementation, supports the latest protocol versions even on XP, and will help to keep your information secure.

Importantly, Microsoft discontinued support for Windows XP on 8th April 2014 (see http://www.microsoft.com/windows/en-gb/xp/end-of-xp-support.aspx). Critically, this means that Microsoft will not be issuing any further security patches or software updates, so your PC and the information on it will become increasingly vulnerable.

Dealing with Heartbleed

I am sure that everyone is aware of the news regarding the Heartbleed bug discovered in the OpenSSL software used by many web sites. As usual the BBC has a well-balanced report on the background: see http://www.bbc.co.uk/news/technology-26954540.

Happily, I am very pleased to advise that the Safe4 service was not affected by this bug, as we do not use, and have never used, OpenSSL to secure and encrypt the communication between your computers and Safe4.

In an environment where web attacks are increasingly common, a few things made this problem significant enough to become headline news.

  • Principally, it allowed an attacker to read the server's memory, including the server's private key. That key is used to decrypt transmitted information; once an attacker has it, they can decrypt all traffic protected by that key, both historically intercepted traffic and, until the key has been changed, future traffic as well, unless the connection used a forward-secret key exchange. The same memory could also hold users' passwords and session cookies in the clear.
  • Many attacks leave a clear trace that they have taken place. In this case a malicious heartbeat request leaves nothing in ordinary server logs, so a site cannot tell whether it has been attacked. Best practice therefore is to assume that sites running the affected versions of the software have been compromised, and to replace the certificate and private key once the software has been patched.
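The defect behind both points above, and behind the summary in the "Heartbleed" section of the March winds post, is a single missing length check. The following is an added illustration of it in miniature; it is not Safe4's code and not OpenSSL's source. The "heap" buffer, the secret placed in it and the record layout are constructed for the example; only the final comparison mirrors the actual fix shipped in OpenSSL 1.0.1g.

```python
"""Heartbleed in miniature: the missing length check in TLS heartbeat handling.

Added illustration, not Safe4's code and not OpenSSL's source. The 'heap'
buffer, the secret placed in it and the record layout are constructed for
the example; only the final length check mirrors the real fix (OpenSSL
1.0.1g, ssl/t1_lib.c).
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: a heartbeat carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Body of a TLS heartbeat record: type (1 byte), payload_length (2 bytes),
    payload, padding. An honest peer sets claimed_len == len(payload); the
    attack sends a few bytes but claims up to 65535."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def process_heartbeat_vulnerable(heap: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: trust the length field inside the message.

    `heap` stands for the server's process memory: the received record is at
    the front and whatever else was allocated nearby follows it. `record_len`
    is how many bytes actually arrived, and is never consulted."""
    hb_type, payload_len = struct.unpack("!BH", heap[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    # The original memcpy(bp, pl, payload): copies payload_len bytes starting
    # at the payload, running past the end of the record into adjacent memory.
    payload = heap[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def process_heartbeat_fixed(heap: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g behaviour: discard any heartbeat whose claimed length does not fit
    inside the record that was actually received. None means 'no response'."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None  # too short to hold even the header and padding
    hb_type, payload_len = struct.unpack("!BH", heap[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # The check the fix added:  if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None
    payload = heap[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


# Constructed secret that happens to sit in memory just after the record,
# standing in for a session cookie or a password from another user's request.
SECRET = b"Cookie: session=4f3c9a; password=hunter2"


def run(claimed_len: int = 0xFFFF) -> Tuple[bytes, Optional[bytes]]:
    """Send a 5-byte heartbeat claiming `claimed_len` bytes to both versions.
    Returns (vulnerable_response, fixed_response)."""
    record = build_heartbeat(b"hello", claimed_len)
    heap = record + SECRET + b"\x00" * 64  # whatever else was on the heap
    return process_heartbeat_vulnerable(heap, len(record)), process_heartbeat_fixed(heap, len(record))


if __name__ == "__main__":
    leaked, dropped = run()
    print("vulnerable server echoed", len(leaked) - 3 - PADDING_LEN, "bytes; secret included:", SECRET in leaked)
    print("fixed server sent a response:", dropped is not None)
```

Note what the fixed code does and does not do: it silently drops the malformed request and sends nothing back, which is correct, but it also writes nothing to a log. That is why a patched server still has no record of whether it was probed before the patch, and why the only safe assumption was compromise.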

These things combined have led to the advice for users to change the passwords they use on the internet, once the site in question has been patched. This is clearly a daunting task, since if you follow best-practice advice, which I would wholeheartedly endorse, then you probably have many tens of passwords to change. I would encourage you to consider using a tool like 1Password (https://agilebits.com/onepassword), which helps you use much stronger, unique passwords and manage and keep track of them securely.

Safe4 is obviously built from the ground up around the security of your information. We are proud that you trust your sensitive information to us. Although not affected by this bug we have, probably like many companies today, reviewed our system configurations and run some further tests to ensure we remain secure. As a result of the review we took the decision today to disable some outdated protocol versions which were only used by older browsers. Independent testing has given us a clean bill of health.